Presentation is loading. Please wait.

Presentation is loading. Please wait.

Facility Security Documentation Requirements

Published byVerity Burke Modified over 6 years ago

Similar presentations

Presentation on theme: "Facility Security Documentation Requirements"— Presentation transcript:

1 Facility Security Documentation Requirements

2 Requirement All of the documents in the next slide are SSI and should be treated as such. If kept in electronic format ensure all of the following are recorded and protected accordingly.

3 Main Documents ASP or FSP FSA CG-6025A

4 All of the documents in the next slide are required to be kept for two years except for DOS which is to be kept for at least 90 days after the end of its effective period

5 Documents (1) Training records for facility personnel with security duties ONLY (those personnel covered in 33 CFR ) (2) Drills and Exercises (3) Incidents and Breaches of Security (4) Change in MARSEC Levels (5) Maintenance, calibration, and testing of security equipment (6) Security Threats (7) Declaration of Security (DoS) (8) Annual audit of the FSP/ASP

6 Documentation The Coast Guard cannot monitor every
facility 24 hours a day. Facilities must maintain records as proof of implementation of security measures. Records should also be viewed as a source of information for planning audits and exercises. Restatement of regulation text within the FSP or a reference statement in the FSP indicating documentation will be conducted in accordance with 33CFR is sufficient. Preferably this plan section will describe how records are stored and which records are stored. FSP would state that the FSO will keep records for at least two years and make them available to the Coast Guard upon request. FSP procedures which state all records will be kept at an off-site location and not at the facility is not acceptable unless the documents are available at the site through a computer network or the facility contains no infrastructure to provide storage and protection of documents. If records are kept in electronic format the FSP must state how the records are to be protected such as; Password protected on a computer or network system or copied to another media which will be kept locked and accessible to authorized personnel only. If records are kept in hard copy form the plan must reflect how the records are kept. Ex locked in a file cabinet in the FSO’s office

7 Training Records For each training you will record:
the date of each session duration of session a description of the training a list of attendees

8 105.210 Employees with Security Duties Training
The FSO will ensure that facility personnel with security duties are trained in accordance with 33 CFR Ensure that “appropriate” subjects match the reason the facility is MTSA compliant. It is acceptable to list this statement, or merely restate the regulation in this section. Facility Personnel - Does the FSP identify a process to ensure that facility personnel responsible for security duties have knowledge, through appropriate training or equivalent job experience?

9 105.220 Drills and Exercises For each drill or exercise record:
the date held, description of drill or exercise, list of participants, and any best practices or lessons learned which may improve the Facility Security Plan (FSP); Restatement of regulation text within the FSP or a reference statement in the FSP indicating Drills and Exercises will be conducted in accordance with 33CFR is sufficient. Preferably this plan section will describe drills and exercises to be conducted at the facility including the frequency and types of drills and exercises. The info that I would look for in the drills and exercises section is: Drills will be conducted every 3 months Exercises will be conducted annually with no more than 18 month’s between exercises. Illustration of documentation tracking the types of people that will be involved in the drill or exercise (EMT, Security personnel, LEO’s, etc.), description of the drill or exercise, involves communication how a drill tests a security system and uncovers any deficiencies, deficiencies uncovered and some timeline showing how deficiencies will be addressed

10 Incidents and breaches of security
For each incident or breach of security record: the date and time of occurrence location within the facility description of incident or breaches to whom it was reported description of the response

11 Change in MARSEC level For each change in MARSEC record:
the date and time of notification received time of compliance with additional requirements

12 105.250 Security Systems and Maintenance
These records serve the following purposes: It forces the FSO to take a look at ALL the security systems and equipment on hand and mandates that the equipment receive adequate maintenance. Ensures faulty equipment will be identified. Ensures the use of manufacturer’s recommended maintenance procedures. Security systems are a cost effective way to ensure the security of the facility and the vessels they serve. This section serves two purposes. It forces the FSO to look at ALL of the security systems and equipment he has on hand and Mandates that this equipment receive adequate maintenance to ensure operational readiness when needed. Emphasis must be placed on how faulty equipment will be identified, the use of manufacturer’s recommended maintenance procedures, and the plan for implementing temporary security measures while the equipment is being repaired.

13 105.250 Security Systems and Maintenance
You must have records on: Lighting. Intrusion detection devices. Cameras and monitors. Access control systems such as card readers. Fences, gates, and barriers. all security equipment is to be tested and maintained IAW the manufacturer’s recommendations. The four types of info to look for are: The equipment is kept calibrated on a regular basis. The equipment is checked for working status regularly. Ex: PM program to regular check equipment. The equipment is repaired in a timely basis. Facility personnel have established work-arounds. Preferably this plan section will contain a list of all security equipment. Some examples of these types of equipment are: Lighting and lighting controls Intrusion detection devices and controls Assessment equipment such a video monitors, camera and recorders Access control systems such as electronic card readers and badging systems Security system interface between IDS, Cameras, and alarms and monitors. Backup power supplies for security equipment Perimeter fencing and gates

14 Security Threats For each security threat record:
the date and time of occurrence how the threat was communicated who received or identified the threat description of threat to whom it was reported description of the response

15 105.245 Declaration of Security
The point where two security programs meet pose an ideal place for a threat to succeed. The Declaration of Security (DoS) identifies the required security specific tasks, as well as who is responsible for them. The DoS ensures the vessel and facility security plans mesh to ensure seamless security measures while the vessel is moored at the facility. The FSP is not required to include a sample Declaration of Security in the FSP but plan submitters are encouraged to develop and include sample DoSs in their FSPs. A Declaration of Security is not required to be implemented between a facility and vessels under the same ownership where the vessel is based at the facility and returns to the facility on a daily basis. FSP must include procedures for coordinating security needs and procedures and agreeing upon the contents of the DoS for the period of time the vessel is at the facility prior to the vessel arriving at the facility. Communication methods for coordination of DoS contents are often contained in the Interfacing with vessels section and/or communications section which has been deemed as satisfactory. FSP must include procedures and/or a statement requiring a written DoS to be signed by the FSO and VSO, or their designated representatives upon arrival of an applicable vessel at the facility. FSP must indicate that when a DoS is required, no vessel interface shall occur between the facility and vessel until the DoS has been signed and implemented. FSP must state the COTP may require, at any time, at any MARSEC Level, any facility subject to this part to implement a DoS with the VSO prior to any vessel-to-facility interface when he or she deems it necessary.

16 105.245 Declaration of Security
The time frames for a continuing DoS at MARSEC Level 1 is 90 days and 30 days for MARSEC level 2. Continuing DoS are only good for a specific MARSEC Level. The plan will have procedures for changing the DoS based on a change in MARSEC Level? The FSP will ensure a copy of all current, continuing DoS are kept with the FSP? For a continuing DOS The FSP must continuing DOS is valid for a specific MARSEC Level. Facilities may chose to implement a new DoS for each facility/vessel interface. Facilities are not required to implement continuing Declarations of Security for vessels that frequently interface with the facility. The FSP must state that the effective period at MARSEC level 1 does not exceed 90 days. The FSP must state that the effective period at MARSEC level 2 does not exceed 30 days. The FSP must state when the MARSEC Level increases beyond that contained in the DOS or continuing DOS, it is void and a new DOS must be executed. The FSP must state that all currently valid continuing DoSs will be kept with the Facility Security plan.

17 105.305(d)(1) The FSA Requirements
This section of the plan ensures that the owner / operator: Conducted a physical survey of the facility. Identified all the resources. Identified which resources require protection. Identified the security measures currently in place to protect those resources. Determined the adequacy of their existing security posture. Upgraded the shortfalls (mitigated the vulnerabilities). The amount of detail provided in these sections will vary by the size and type of facility. Does the FSA contain a summary of how the on-scene survey was conducted? The summary must answer the questions; when was the on-scene survey performed, and who performed it. FSA Requirements - Is there a list of the key facility operations that are important to protect? These operations are defined as key or critical if the destruction of one of them would cause a TSI. FSA Requirements - Is there a description of existing security measures. The description must include a general listing of all physical and electronic security equipment including lighting, fencing, barriers, access control and procedures, and assessment equipment such as CCTV cameras. Also included should be a description of any security patrols. Some of the following questions will better refine the existing security posture description. FSA Requirements - Is there a description of each vulnerability found during the on-scene survey? A vulnerability is defined as broken equipment, lack of equipment or procedures that may be exploited by an aggressor to cause a TSI. A scenario is a story developed to demonstrate how an aggressor might exploit a vulnerability, but is not an accurate description of a vulnerability. FSA Requirements - Is there a description of security measures that could be used to address each vulnerability? If the vulnerability is a lack of lighting in the southwest area of the facility, the corrective security measure might be to install new lighting in this area. FSA Requirements - Is there a list of identified weaknesses, including human factors, in the infrastructure, policies, and procedures of the facility? Union workers are not permitted to do security work, lack of training for existing workers, Fences and gates are in dire need of repair

18 CG-6025 Form must have all facility and COTP
administrative information: Name Address LAT / LONG coordinates Vulnerabilities. Mitigation strategies for vulnerabilities. Must match the FSA. The CG is form used by the MSO to provide the port facility section a snapshot of the security posture for the facility. It offers the port facility specialist administrative information as to the address and grid coordinates for the facility as well as highlights of the level of consequence, vulnerabilities, and capabilities of the facility. Key points to consider when reviewing these forms include: Has the facility provided all of the administrative information (i.e. Address, Lat / Long coordinates? Are their vulnerabilities listed based off of those resources that can potentially cause a TSI? Do those vulnerabilities have appropriate mitigation strategies listed for each MARSEC Level? Do the vulnerabilities and mitigation strategies match those found in the FSA? NOTE: The CG 6025 may only list the top 3-5 vulnerabilities the facility feels are the most important. Questions on the CG 60-25

19 Vulnerabilities Poorly Secured Chemical Storage
Why is this a vulnerability? 1 ton cylinders of chlorine gas. Water treatment example: Poorly Secured Chemical Storage

20 Poorly Maintained Equipment
Vulnerabilities Why is this a vulnerability: Barbed wire rocks against fence fence down vegetation Poorly Maintained Equipment

21 Vulnerabilities Poorly Designed Equipment
Rusty chain, but not in horrible condition [problem is gap under fence as well as being able to open the gate and slide through DOD/DOE use a standard intruder that is 5’0” tall, weighing 100 lbs., that can fix through an opening 96 sg. In., 6” in any one direction. Good rule of thumb to use Poorly Designed Equipment

22 Facility Security Plan (FSP)
(1) Security administration and organization of the facility (2) Personnel training (3) Drills and exercises (4) Records and documentation (5) Response to change in MARSEC Level (6) Procedures for interfacing with vessels

23 Facility Security Plan (FSP)
(7) Declaration of Security (DoS) (8) Communications (9) Security systems and equipment maintenance (10) Security measures for access control, including designated public access areas (11) Security measures for restricted areas (12) Security measures for handling cargo

24 Facility Security Plan (FSP)
(13) Security measures for delivery of vessel stores and bunkers (14) Security measures for monitoring (15) Security incident procedures (16) Audits and security plan amendments (17) Facility Security Assessment (FSA) report (18) Facility Vulnerability and Security Measures Summary (Form CG-6025)

25 Alternate Security Plans
Will be covered later The purpose of this class is to understand how to review facility security plans and assessments. The agenda of the class is to first, Understand the principles of security, Then we will look at how a facility security assessment is developed, Next , we will se how a facility security plan is assembled and how it relates to the FSA, Then, we will look at how the CG-6025 is developed. Then finally we will look at a FSP and review it.

26 105.415 Audits and Amendments The FSO will ensure the FSP is audited
and all amendments are completed in accordance with 33 CFR For each annual audit, a letter certified by the FSO stating the date the audit was completed For brevity sake, this statement, or restatement of the regulation is all that is required to approve this section. This does not however excuse the FSO from adhering to the regulation when conducting audits or amendments. In the event the FSP addresses this section of the regulation paragraph by paragraph, specific notes for this section include: Amend/Audit - Does the FSP identify that an audit shall be conducted on a yearly basis or when a change in ownership has occurred? FSP must indicate that the FSO will conduct or will ensure an audit is conducted annually. FSP must indicate that an audit will be conducted when there is a change of ownership or operator or there have been modifications to physical structures, emergency response procedures, security measures or operations. Audits conducted as a result of modifications to the facility may be limited to the plan sections affected by the facility modifications. An audit of the entire FSP is not required. Amend/Audit - Is the audit process defined in the FSP? Amend/Audit - Does the FSP describe who will conduct the audit? The FSP must include qualification requirements as listed in (i), (ii) and (iii) for those conducting audits of facility security measures. Facility security plans are not required to indicate specific names of those who will be conducting audits but must state the qualification requirements for those conducting the audits. By listing actual personnel by name the plan would require an audit if the listed personnel were to leave the employment of the facility or the task is contracted to an outside firm. Amend/Audit - Does the FSP describe the experience and knowledge levels of the person conducting the audit? Knowledge of security or audits is required. Amend/Audit - Does the FSP contain procedures for submitting amendments resulting from an audit? The FSP must state that if the results of an audit require amendment of the FSP, the FSO shall submit the amendments to the COTP for review and approval no later than 30 days after completion of the audit. A letter certifying that the FSP meets the applicable requirements of 33CFR 105 shall be provided to the COTP with submitted amendments.

27 Questions?

Download ppt "Facility Security Documentation Requirements"

Similar presentations

Emergency Preparedness and Response

Emergency Preparedness and Response
Course Material Overview of Process Safety Compliance with Standards

Course Material Overview of Process Safety Compliance with Standards
Maritime Transportation Security Act (MTSA) Towing Vessels.

Maritime Transportation Security Act (MTSA) Towing Vessels.
Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.

Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Lecture 8. Quality Assurance/Quality Control The Islamic University of Gaza- Environmental Engineering Department Environmental Measurements (EENV 4244)

Lecture 8. Quality Assurance/Quality Control The Islamic University of Gaza- Environmental Engineering Department Environmental Measurements (EENV 4244)
Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
NVIC VESSEL SECURITY PLAN OUTLINE

NVIC VESSEL SECURITY PLAN OUTLINE
Top 10 Security-Related Discrepancies ///MARSEC Corporation.

Top 10 Security-Related Discrepancies ///MARSEC Corporation.
Obligations of the Company

Obligations of the Company
1.2.1 > ISPS Module ISPS Code Responsibilities

1.2.1 > ISPS Module ISPS Code Responsibilities
TRAINING AND DRILLS. Training and Drills Ensure A comprehensive, coordinated, and documented program as an integral part of the emergency management program.

TRAINING AND DRILLS. Training and Drills Ensure A comprehensive, coordinated, and documented program as an integral part of the emergency management program.
Quality Assurance/Quality Control Policy

Quality Assurance/Quality Control Policy
Examine Quality Assurance/Quality Control Documentation

Examine Quality Assurance/Quality Control Documentation
Session 3 – Information Security Policies

Session 3 – Information Security Policies
ISPS 6. Ship Security Plan HZS ISPS 2006-2007.

ISPS 6. Ship Security Plan HZS ISPS
INTERTANKO ISTEC Meeting 26 – 28 March 2004. ISPS Code Areas of particular concern during Shipboard Verifications.

INTERTANKO ISTEC Meeting 26 – 28 March ISPS Code Areas of particular concern during Shipboard Verifications.
Network security policy: best practices

Network security policy: best practices
Instructions and forms

Instructions and forms

Similar presentations

Ads by Google