Part 1: ISO Rule Compliance Security Assessment Background Yes No Comments ☐ ☐ [Replace this text with information such as who approved the plan, when was it approved, when was it last updated and was was the current/updated plan communicated to involved parties.] Does the critical facility have an approved threat response plan in place? Documented in the plan? Reference 1. A. i. FACILITY SECURITY PROGRAM PRELIMINARY ACTIONS Site Information Site description Description Includes surrounding terrain, estimated value of assets, maps, schematics, aerial photos. Yes No N/A ☐ ☐ ☐ ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures Describe the name and type of facility, estimated value of assets, and current list of critical assets not directly owned by operator. Also describe surrounding geography. ii. Key Personnel Emergency contact information for police, critical staff Identify personnel that are critical to operations and security, include 24hour contact information. Page 1 of 21 Documented in the plan? Reference B. i. FACILITY SECURITY PROGRAM Vulnerability Assessment Assets Description Assets critical to operations identified; impact of injuries/death/damage assessed. Yes No N/A ☐ ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ Additional explanation on capability to implement the security measures People Assets Assess the risk of injury or death, and the impact to business, in the event of an attack. Consider employees’ links to terrorism or organized crime. Material Assets Assess the risk and impact to critical assets from possible attacks (explosive, fire, cyber). ii. Access Assess the level of difficulty in gaining unauthorized access to facility. ☐ ☐ ☐ ☐ ☐ iii. Attack Consider the most likely types of attack that could be undertaken against the facility. Consider the worst case scenario attack. ☐ ☐ ☐ ☐ ☐ iv. HAZMAT Maintain an inventory of HazMat in use at the ☐ ☐ ☐ ☐ ☐ Page 2 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM Description facility. Yes No N/A Separate security plan in place; circulation centrally controlled ☐ ☐ b. Record of past and current problems ☐ c. Security threat response plan is layered d. e. If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ Security threat response plan allows for increased threat level ☐ ☐ ☐ ☐ ☐ Periodic review of security threat response plan ☐ ☐ ☐ ☐ ☐ Consult company’s legal counsel with respect to rights of arrest, search, use of force, etc., for each level of security. ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures Assess the impact of a HazMat spill or fire as a result of an attack. 2. A. i. a. PLANS, POLICIES & PROCEDURES Security Policy Security Plan ii. Legal B. Communications Page 3 of 21 Documented in the plan? Reference i. ii. FACILITY SECURITY PROGRAM Protocols Hardware Description Identify points of contact with police, fire, emergency management; establish and test call-out system for points of contact as well as critical employees Yes ☐ No ☐ N/A ☐ ☐ ☐ Establish communications control centre, with alternate, to be operational at and above designated security level. ☐ Establish security training and orientation program for employees that covers awareness, responsibilities, and duties. Facility exercises include security incident; record kept of past exercises & Build redundancy into communication system. If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes ☐ No ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures Where applicable, make the following available to security force: Encrypted email, secure fax and phone, satellite phone, secure radio. iii. Control Centre C. i. Training Program ii. Exercises Page 4 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM Description lessons learned. Yes No N/A Landscaping enhances security: screens points of entry and critical assets from outside observations, does not allow for hiding places or climbing. ☐ ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ 3. A. i. OUTER PERIMETER Grounds Landscaping ii. Road Barriers All Thread Levels Road barriers able to withstand vehicular collision and/or designed to prevent unauthorized vehicular access. Preplan delivery and placement of additional barriers at higher levels. ☐ ☐ ☐ ☐ ☐ iii. Signage Signage clearly indicates directions for proper access and designates “no access”. ☐ ☐ ☐ ☐ ☐ iv. Contingency for Higher Threat Levels: Close and secure redundant access points Increase number of random patrols Operate with a single access point Contingency plan to ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ a. b. c. d. Additional explanation on capability to implement the security measures Page 5 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM Yes No N/A Complete site exterior perimeter fence ☐ ☐ ii. Fence equipped with top guards ☐ iii. Fence bottom flush with ground iv. Able to implement? Yes No ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ Fence integrity - good repair ☐ ☐ ☐ ☐ ☐ v. Scheduled interval for maintenance/integrity checks ☐ ☐ ☐ ☐ ☐ vi. Gate/gate corners flush with ground ☐ ☐ ☐ ☐ ☐ vii. Pedestrian gates unoperable from outside ☐ ☐ ☐ ☐ ☐ viii. Vehicle gates locked when site vacant ☐ ☐ ☐ ☐ ☐ Unused access points are secured ☐ ☐ ☐ ☐ ☐ All identified repairs are to be carried out. ☐ ☐ ☐ ☐ ☐ B. i. a. Additional explanation on capability to implement the security measures Perimeter Barrier ix. x. Description operate with a no-fly zone in place If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Contingency for Higher Threat Levels: Page 6 of 21 Documented in the plan? Reference b. FACILITY SECURITY PROGRAM Description Where warranted height/topper of barrier is increased. Yes ☐ No ☐ N/A ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes ☐ No ☐ c. Intrusion alarms are tested daily. ☐ ☐ ☐ ☐ ☐ d. CCTV coverage of entire perimeter is established. ☐ ☐ ☐ ☐ ☐ All access points are illuminated, along with the majority of the perimeter where practicable; parking lots illuminated. ☐ ☐ ☐ ☐ ☐ Weather proof and tamper resistant, inaccessible from outside perimeter and master switches centrally located. ☐ ☐ ☐ ☐ ☐ a. Contingency in place for additional/brighter lighting. ☐ ☐ ☐ ☐ ☐ b. All identified repairs to be carried out. ☐ ☐ ☐ ☐ ☐ c. Back-up power supply established for security ☐ ☐ ☐ ☐ ☐ C. i. Lighting Illumination ii. Controls iii. Contingency for Higher Threat Levels Additional explanation on capability to implement the security measures Page 7 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM d. Description lighting. Yes No N/A Security lighting tested daily. ☐ ☐ Security force and check in point are visible from main approaches. ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ ☐ ☐ ☐ ☐ D. i. Security Visibility ii. Reporting Policy Security policy includes procedures for reporting non-ordinary activities. ☐ ☐ ☐ ☐ ☐ iii. Monitoring Regular monitoring of alarms and CCTV; secure storage of images/video; backup power. ☐ ☐ ☐ ☐ ☐ iv. Contingency for Higher Threat Levels a. Increase size of security force. ☐ ☐ ☐ ☐ ☐ b. Perimeter and grounds inspected once/shift for damage, suspicious packages, etc. ☐ ☐ ☐ ☐ ☐ c. Canine support included at security check-in. ☐ ☐ ☐ ☐ ☐ d. Inspect vehicles entering facility. ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures Page 8 of 21 Documented in the plan? Reference 4. A. i. FACILITY SECURITY PROGRAM INNER PERIMETER Structures Systems Description Connections to utilities, and back-up systems, located in secure areas. Yes No N/A ☐ ☐ ☐ ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures Where practical consider fire and blast protection enhancements. Modify exterior wall to prevent concealment of destructive devices. ii. Doors Doors to critical areas should be constructed to resist fire, explosion, tampering, and forced entry. Security supervisor has overall authority for issue, changes, and replacements of all manner of door access. Locks and padlocks changed or rotated annually. iii. Windows Exterior windows can be locked/alarmed. Windows in place for ventilation could be replaced by smaller Page 9 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM Description opening or functionally replaced by internal ventilation. Yes No N/A If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No Additional explanation on capability to implement the security measures Windows in place for illumination could be replaced with smaller opening coupled with interior reflector. Damage from shattered glass can be reduced by the application of a protective film on the interior of the window. iv. Other Access Points Manhole covers, grates, vents, skylights are normally locked. ☐ ☐ ☐ ☐ ☐ v. Lighting Motion sensitive lighting in critical areas; where practicable, majority of perimeter is lit; regular maintenance. ☐ ☐ ☐ ☐ ☐ vi. Alarms Intrusion alarms installed wherever practical. Centrally monitored, tied to CCTV system. Connected to police. Tested regularly. ☐ ☐ ☐ ☐ ☐ iv. Contingency for Higher Threat Levels Critical areas are swept ☐ ☐ ☐ ☐ ☐ a. Page 10 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM Description for electronic eavesdropping devices. Yes No N/A If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No b. Consider closing/securing minimum use areas. ☐ ☐ ☐ ☐ ☐ c. Intrusion prevention mechanisms increased. ☐ ☐ ☐ ☐ ☐ d. Blast protection of critical structures enhanced. ☐ ☐ ☐ ☐ ☐ Assess suppliers’ reputation and dependability; drivers and staff properly cleared. ☐ ☐ ☐ ☐ ☐ Determine volume and locations of HazMat on site. ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ B. i. Commodities Screening ii. Control Movement Additional explanation on capability to implement the security measures Dates of expected orders given to security personnel. iii. Redundancy Secure procedures followed upon receipt, movement, and storage of HazMat. Keep updated list of alternate suppliers. Keep sufficient amount of Page 11 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM iv. Storage C. i. Equipment Storage/Movement Description supplies on hand for higher levels of security. Yes No N/A Critical and HazMat securely stored, available on a need basis only. ☐ ☐ Secure storage of essential equipment with same priority as essential areas of site. ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures Movement of essential equipment controlled, current inventory maintained. ii. Identification. Equipment identified via barcode or engraving; ID tied to inventory, updated regularly. ☐ ☐ ☐ ☐ ☐ iii. Maintenance Off-site maintenance of equipment done by screened personnel. ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ Plan to conduct maintenance on-site at higher threat levels. iv. Redundancy If on-site maintenance is routine, maintain sufficient supplies/parts on site. Essential functions able Page 12 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM Description to continue in event of equipment breakdown. Yes No N/A If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No Additional explanation on capability to implement the security measures Redundant units of essential equipment maintained on site, or interdependencies with neighbouring sites established. Plans for repairing/replacing essential equipment at higher threat levels. v. Contingency for Higher Threat Levels: a. Equipment used off-site is inspected upon return. ☐ ☐ ☐ ☐ ☐ b. Essential equipment stored with 24-hr surveillance. ☐ ☐ ☐ ☐ ☐ c. Conduct all equipment maintenance on-site. ☐ ☐ ☐ ☐ ☐ Critical operations identified and prioritized; vulnerabilities of each assessed; consider redundancy/mobility in even of higher security level. ☐ ☐ ☐ ☐ ☐ D. i. Operations Prioritization Page 13 of 21 Documented in the plan? Reference ii. iii. FACILITY SECURITY PROGRAM Location Description Wherever possible, locate critical operations away from public areas and far from exterior walls/perimeter. Yes ☐ No ☐ N/A ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes ☐ No ☐ Contingency for Higher Threat Levels: a. Relocate critical operations to a secure area. ☐ ☐ ☐ ☐ ☐ b. Ensure financial plans can meet security requirements of higher threat levels. ☐ ☐ ☐ ☐ ☐ c. Shut down non-essential operations. ☐ ☐ ☐ ☐ ☐ Background checks conducted on new employees and contractors, to the extent warranted by the position. ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ 5. A i. Additional explanation on capability to implement the security measures ACCESS CONTROLS Employees/Contractors Screening Background inquiries are conducted on new suppliers. ii. Termination/Retirement Policy exists for returning keys, passes, locking accounts. Lock/access Page 14 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM Description codes to critical areas changed as required. Yes No N/A If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No iii. Roster Maintain a list of people that have access to the facility that identifies them by name, date of birth, level of access, home address and contact numbers. ☐ ☐ ☐ ☐ ☐ iv. Access Passes. Employees & contractors wear tamper-proof photographic ID that indicates level of access; card administration software on site; policy in place for lost/stolen ID. ☐ ☐ ☐ ☐ ☐ B. i. Visitors/Customers/Deliveries Access Passes All visitors to wear passes separating them from employees/contractors. ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures All passes are numbered and are to be signed out with name, company, contact number, and are returned on the same day. Missing and non-returned passes are logged and acted on. Page 15 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM ii. C. i. Vehicles/Parking Vehicle Access Control Movement Description Visitor access is limited to that of the sponsoring employee/contractor. Yes No N/A Visitors are escorted by their sponsor. ☐ ☐ All vehicles clearly display a tag identifying it as employee/contractor, visitor, or delivery. ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures Employee/contractor parking tags linked to license plates. ii. Parking Control Where practical parking lots are outside perimeter. Employee/contractor parking is separate from visitor. iii. Overnight Policy Maintain record of employees that have company vehicles overnight. Implement policy for securing company vehicles stored off-site. iv. Contingency for Higher Threat Levels: Page 16 of 21 Documented in the plan? Reference a. FACILITY SECURITY PROGRAM b. D. i. Shipping/Receiving Control System Description Reduce parking to minimum required for essential employees. Yes ☐ No ☐ N/A ☐ Allow access only to employee shuttle, security, and first responder vehicles. ☐ ☐ Identify number and type of shipping/receiving areas and minimize where possible. ☐ ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes ☐ No ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures Identify secure areas away from critical operations that could be used at higher threat levels. Ensure communication between security checkin and shipping/receiving to confirm status of deliveries. ii. Policy Employees made aware of suspicious package policy. Minimum number of employees can authorize deliveries. New suppliers/carriers Page 17 of 21 Documented in the plan? Reference iv. FACILITY SECURITY PROGRAM Description are screened. Yes No N/A If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No Additional explanation on capability to implement the security measures Contingency for Higher Threat Levels: a. Where practical use inspection equipment for packages. ☐ ☐ ☐ ☐ ☐ b. Only allow deliveries from known sources. ☐ ☐ ☐ ☐ ☐ Security personnel are to review all plans and policies periodically and sign acknowledgement. ☐ ☐ ☐ ☐ ☐ Security personnel are to be aware of the employees responsible for meeting a security plan objective (i.e.: receiving, on-site repairs). ☐ ☐ ☐ ☐ ☐ E. i. Security Policy/Plan Review ii. Familiarization Security personnel are /encouraged to become familiar with employees. iv. Contingency for Higher Threat Levels: a. Immediately report nonordinary activities. ☐ ☐ ☐ ☐ ☐ b. Access points are to be manned constantly. ☐ ☐ ☐ ☐ ☐ Page 18 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM c. F. A. i. INFORMATION TECHNOLOGY Computerization Recovery Plan Description Yes No N/A Radio communications to be established and kept open. ☐ ☐ Ensure plan is current and identify IT support, listing emergency contact numbers. ☐ ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ Additional explanation on capability to implement the security measures Establish back-up systems such as on and off-site hardware, power. ii. Protection and Access Ensure firewall and antivirus are current and allow for daily scans. 7 Inventory all hardware and software. Levels of access should be implemented and enforced if facility has access to internet or company intranet. Restrict access to unauthorized sites (e.g.: downloading and streaming services). Employ user ID and password when Page 19 of 21 Documented in the plan? Reference FACILITY SECURITY PROGRAM Description accessing systems. Yes No N/A ☐ ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ ☐ Additional explanation on capability to implement the security measures Restrict remote access to key personnel or certain levels. iii. Policy Only company-approved software/hardware to be used. Foreign media are not to be inserted into company system unless approved and cleared by IT security. Portable company hardware (i.e.: laptops) are to be signed out to specific employees. Employees and contractors are to be made aware of email and internet policy. iv. Contingency for Higher Threat Levels: a. Perform regular and sporadic penetration tests. ☐ ☐ ☐ ☐ ☐ b. Restrict access to intranet sites and network drives to essential personnel. ☐ ☐ ☐ ☐ ☐ Page 20 of 21 Documented in the plan? Reference c. FACILITY SECURITY PROGRAM Description Yes No N/A Ensure sensitive/confidential information is encrypted. ☐ ☐ ☐ If Yes, please provide description of the security measure(s) applicable. If No or N/A, please explain why and note the compensating security measure(s). Able to implement? Yes No ☐ ☐ Additional explanation on capability to implement the security measures Page 21 of 21