Earlier this week I had an interesting question from a long-time reader; he asked:
I was wondering if you had any news and/or statistics on how many entities with approved SSPs/ASPs have done their annual audit?
At first I thought that he was talking about the compliance inspection that DHS is supposed to do one year after the site security plan is approved, but he corrected my misconception by reminding me about the requirements of 6 CFR 27.225(e):
“A covered facility must conduct an annual audit of its compliance with its Site Security Plan.”
This is pretty standard language for a large number of Federal programs that require companies to develop a plan on how to do something. It requires that the company go back and verify, on a recurring basis, that it is still complying with the plan. Many companies overlook this type of requirement since there is no requirement to submit any data or reports about the audit. Even companies that make an honest effort to follow the spirit and letter of the law seldom do more than a pro forma look at their existing plan to ensure that they are still in compliance.
If a facility wants to do a real audit of their SSP, what are the types of things that they need to look at? Lacking any specific guidance from ISCD (and your Chemical Security Inspector would be a good person to talk to about any current guidance), here are some things that you might want to pay particular attention to (WARNING: This is my opinion and has not been verified with ISCD):
Status of planned security measures – If the approval of your SSP included any planned security measures, you need to ensure that the agreed-upon plan for their implementation has been followed. You are certainly required to report deficiencies in that implementation plan to ISCD.
CVI certification – Fortunately, the CVI certificates that were obtained at the beginning of the CFATS process are all still good. But, if any new people were added to the program administration (people with significant responsibilities under the SSP), you need to ensure that they have also obtained CVI certification. If they haven’t, get it done.
Training files – Ensure that your other training files are also up to date. This specifically includes awareness training for all new employees and contractors.
Exercise files – Remember that plans (both security and emergency response) that are not exercised are likely to fail in a real situation. Make sure that you document the exercises and the after-action reviews. If those reviews indicated that changes were required to your SSP, those changes would need to be approved by ISCD.
Cybersecurity – A lot has changed in the cybersecurity world in the last year, particularly in the realm of control systems. This would be a really good time to have a cybersecurity consultant come in and take a fresh look at your system. If you’re fortunate enough to have your own cybersecurity experts, this would be a good time to do a CSET review.
Verify your CSAT Team – Go back and verify that the Authorizer, Preparers, Submitter and Reviewers are still the people that you want in those positions. Update as necessary. BTW: It looks very bad if one of the people currently listed in these positions with ISCD no longer works for the company. If you don’t know who is listed, contact the CFATS Help Desk (Phone (866) 323-2957).
Review the threat landscape – The facility security officer should have a good relationship with the closest fusion center and local law enforcement. Talk with them about their view of the current threat landscape in your area.
There are other things that should be looked at in the audit; actually, everything should be. But if you hit the above list hard and do a standard read-and-review of the rest, you will probably be in good shape.