Part 1: ISO Rule Compliance Security Assessment

advertisement
Part 1: ISO Rule Compliance Security Assessment
Background
Yes
No
Comments
☐
☐
[Replace this text with information such as who approved the plan, when was it approved, when was it last
updated and was was the current/updated plan communicated to involved parties.]
Does the critical facility have an approved threat response plan
in place?
Documented
in the plan?
Reference
1.
A.
i.
FACILITY SECURITY
PROGRAM
PRELIMINARY ACTIONS
Site Information
Site description
Description
Includes surrounding
terrain, estimated value
of assets, maps,
schematics, aerial
photos.
Yes
No
N/A
☐
☐
☐
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Describe the name and
type of facility, estimated
value of assets, and
current list of critical
assets not directly owned
by operator. Also
describe surrounding
geography.
ii.
Key Personnel
Emergency contact
information for police,
critical staff
Identify personnel that
are critical to operations
and security, include 24hour contact information.
Page 1 of 21
Documented
in the plan?
Reference
B.
i.
FACILITY SECURITY
PROGRAM
Vulnerability Assessment
Assets
Description
Assets critical to
operations identified;
impact of
injuries/death/damage
assessed.
Yes
No
N/A
☐
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
Additional explanation on
capability to implement the
security measures
People Assets
Assess the risk of injury
or death, and the impact
to business, in the event
of an attack. Consider
employees’ links to
terrorism or organized
crime.
Material Assets
Assess the risk and
impact to critical assets
from possible attacks
(explosive, fire, cyber).
ii.
Access
Assess the level of
difficulty in gaining
unauthorized access to
facility.
☐
☐
☐
☐
☐
iii.
Attack
Consider the most likely
types of attack that could
be undertaken against
the facility. Consider the
worst case scenario
attack.
☐
☐
☐
☐
☐
iv.
HAZMAT
Maintain an inventory of
HazMat in use at the
☐
☐
☐
☐
☐
Page 2 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
Description
facility.
Yes
No
N/A
Separate security plan in
place; circulation
centrally controlled
☐
☐
b.
Record of past and
current problems
☐
c.
Security threat response
plan is layered
d.
e.
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Security threat response
plan allows for increased
threat level
☐
☐
☐
☐
☐
Periodic review of
security threat response
plan
☐
☐
☐
☐
☐
Consult company’s legal
counsel with respect to
rights of arrest, search,
use of force, etc., for
each level of security.
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Assess the impact of a
HazMat spill or fire as a
result of an attack.
2.
A.
i.
a.
PLANS, POLICIES &
PROCEDURES
Security Policy
Security Plan
ii.
Legal
B.
Communications
Page 3 of 21
Documented
in the plan?
Reference
i.
ii.
FACILITY SECURITY
PROGRAM
Protocols
Hardware
Description
Identify points of contact
with police, fire,
emergency management;
establish and test call-out
system for points of
contact as well as critical
employees
Yes
☐
No
☐
N/A
☐
☐
☐
Establish
communications control
centre, with alternate, to
be operational at and
above designated
security level.
☐
Establish security training
and orientation program
for employees that
covers awareness,
responsibilities, and
duties.
Facility exercises include
security incident; record
kept of past exercises &
Build redundancy into
communication system.
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
☐
No
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Where applicable, make
the following available to
security force:
Encrypted email, secure
fax and phone, satellite
phone, secure radio.
iii.
Control Centre
C.
i.
Training
Program
ii.
Exercises
Page 4 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
Description
lessons learned.
Yes
No
N/A
Landscaping enhances
security: screens points
of entry and critical
assets from outside
observations, does not
allow for hiding places or
climbing.
☐
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
3.
A.
i.
OUTER PERIMETER
Grounds
Landscaping
ii.
Road Barriers
All Thread Levels
Road barriers able to
withstand vehicular
collision and/or designed
to prevent unauthorized
vehicular access. Preplan delivery and
placement of additional
barriers at higher levels.
☐
☐
☐
☐
☐
iii.
Signage
Signage clearly indicates
directions for proper
access and designates
“no access”.
☐
☐
☐
☐
☐
iv.
Contingency for Higher
Threat Levels:
Close and secure
redundant access points
Increase number of
random patrols
Operate with a single
access point
Contingency plan to
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
a.
b.
c.
d.
Additional explanation on
capability to implement the
security measures
Page 5 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
Yes
No
N/A
Complete site exterior
perimeter fence
☐
☐
ii.
Fence equipped with top
guards
☐
iii.
Fence bottom flush with
ground
iv.
Able to
implement?
Yes
No
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Fence integrity - good
repair
☐
☐
☐
☐
☐
v.
Scheduled interval for
maintenance/integrity
checks
☐
☐
☐
☐
☐
vi.
Gate/gate corners flush
with ground
☐
☐
☐
☐
☐
vii.
Pedestrian gates unoperable from outside
☐
☐
☐
☐
☐
viii.
Vehicle gates locked
when site vacant
☐
☐
☐
☐
☐
Unused access points
are secured
☐
☐
☐
☐
☐
All identified repairs are
to be carried out.
☐
☐
☐
☐
☐
B.
i.
a.
Additional explanation on
capability to implement the
security measures
Perimeter Barrier
ix.
x.
Description
operate with a no-fly
zone in place
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Contingency for Higher
Threat Levels:
Page 6 of 21
Documented
in the plan?
Reference
b.
FACILITY SECURITY
PROGRAM
Description
Where warranted
height/topper of barrier is
increased.
Yes
☐
No
☐
N/A
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
☐
No
☐
c.
Intrusion alarms are
tested daily.
☐
☐
☐
☐
☐
d.
CCTV coverage of entire
perimeter is established.
☐
☐
☐
☐
☐
All access points are
illuminated, along with
the majority of the
perimeter where
practicable; parking lots
illuminated.
☐
☐
☐
☐
☐
Weather proof and
tamper resistant,
inaccessible from outside
perimeter and master
switches centrally
located.
☐
☐
☐
☐
☐
a.
Contingency in place for
additional/brighter
lighting.
☐
☐
☐
☐
☐
b.
All identified repairs to be
carried out.
☐
☐
☐
☐
☐
c.
Back-up power supply
established for security
☐
☐
☐
☐
☐
C.
i.
Lighting
Illumination
ii.
Controls
iii.
Contingency for Higher
Threat Levels
Additional explanation on
capability to implement the
security measures
Page 7 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
d.
Description
lighting.
Yes
No
N/A
Security lighting tested
daily.
☐
☐
Security force and check
in point are visible from
main approaches.
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
☐
☐
☐
☐
D.
i.
Security
Visibility
ii.
Reporting Policy
Security policy includes
procedures for reporting
non-ordinary activities.
☐
☐
☐
☐
☐
iii.
Monitoring
Regular monitoring of
alarms and CCTV;
secure storage of
images/video; backup
power.
☐
☐
☐
☐
☐
iv.
Contingency for Higher
Threat Levels
a.
Increase size of security
force.
☐
☐
☐
☐
☐
b.
Perimeter and grounds
inspected once/shift for
damage, suspicious
packages, etc.
☐
☐
☐
☐
☐
c.
Canine support included
at security check-in.
☐
☐
☐
☐
☐
d.
Inspect vehicles entering
facility.
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Page 8 of 21
Documented
in the plan?
Reference
4.
A.
i.
FACILITY SECURITY
PROGRAM
INNER PERIMETER
Structures
Systems
Description
Connections to utilities,
and back-up systems,
located in secure areas.
Yes
No
N/A
☐
☐
☐
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Where practical consider
fire and blast protection
enhancements.
Modify exterior wall to
prevent concealment of
destructive devices.
ii.
Doors
Doors to critical areas
should be constructed to
resist fire, explosion,
tampering, and forced
entry.
Security supervisor has
overall authority for
issue, changes, and
replacements of all
manner of door access.
Locks and padlocks
changed or rotated
annually.
iii.
Windows
Exterior windows can be
locked/alarmed.
Windows in place for
ventilation could be
replaced by smaller
Page 9 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
Description
opening or functionally
replaced by internal
ventilation.
Yes
No
N/A
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
Additional explanation on
capability to implement the
security measures
Windows in place for
illumination could be
replaced with smaller
opening coupled with
interior reflector.
Damage from shattered
glass can be reduced by
the application of a
protective film on the
interior of the window.
iv.
Other Access Points
Manhole covers, grates,
vents, skylights are
normally locked.
☐
☐
☐
☐
☐
v.
Lighting
Motion sensitive lighting
in critical areas; where
practicable, majority of
perimeter is lit; regular
maintenance.
☐
☐
☐
☐
☐
vi.
Alarms
Intrusion alarms installed
wherever practical.
Centrally monitored, tied
to CCTV system.
Connected to police.
Tested regularly.
☐
☐
☐
☐
☐
iv.
Contingency for Higher
Threat Levels
Critical areas are swept
☐
☐
☐
☐
☐
a.
Page 10 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
Description
for electronic
eavesdropping devices.
Yes
No
N/A
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
b.
Consider
closing/securing
minimum use areas.
☐
☐
☐
☐
☐
c.
Intrusion prevention
mechanisms increased.
☐
☐
☐
☐
☐
d.
Blast protection of critical
structures enhanced.
☐
☐
☐
☐
☐
Assess suppliers’
reputation and
dependability; drivers
and staff properly
cleared.
☐
☐
☐
☐
☐
Determine volume and
locations of HazMat on
site.
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
B.
i.
Commodities
Screening
ii.
Control Movement
Additional explanation on
capability to implement the
security measures
Dates of expected orders
given to security
personnel.
iii.
Redundancy
Secure procedures
followed upon receipt,
movement, and storage
of HazMat.
Keep updated list of
alternate suppliers.
Keep sufficient amount of
Page 11 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
iv.
Storage
C.
i.
Equipment
Storage/Movement
Description
supplies on hand for
higher levels of security.
Yes
No
N/A
Critical and HazMat
securely stored, available
on a need basis only.
☐
☐
Secure storage of
essential equipment with
same priority as essential
areas of site.
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Movement of essential
equipment controlled,
current inventory
maintained.
ii.
Identification.
Equipment identified via
barcode or engraving; ID
tied to inventory, updated
regularly.
☐
☐
☐
☐
☐
iii.
Maintenance
Off-site maintenance of
equipment done by
screened personnel.
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Plan to conduct
maintenance on-site at
higher threat levels.
iv.
Redundancy
If on-site maintenance is
routine, maintain
sufficient supplies/parts
on site.
Essential functions able
Page 12 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
Description
to continue in event of
equipment breakdown.
Yes
No
N/A
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
Additional explanation on
capability to implement the
security measures
Redundant units of
essential equipment
maintained on site, or
interdependencies with
neighbouring sites
established.
Plans for
repairing/replacing
essential equipment at
higher threat levels.
v.
Contingency for Higher
Threat Levels:
a.
Equipment used off-site
is inspected upon return.
☐
☐
☐
☐
☐
b.
Essential equipment
stored with 24-hr
surveillance.
☐
☐
☐
☐
☐
c.
Conduct all equipment
maintenance on-site.
☐
☐
☐
☐
☐
Critical operations
identified and prioritized;
vulnerabilities of each
assessed; consider
redundancy/mobility in
even of higher security
level.
☐
☐
☐
☐
☐
D.
i.
Operations
Prioritization
Page 13 of 21
Documented
in the plan?
Reference
ii.
iii.
FACILITY SECURITY
PROGRAM
Location
Description
Wherever possible,
locate critical operations
away from public areas
and far from exterior
walls/perimeter.
Yes
☐
No
☐
N/A
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
☐
No
☐
Contingency for Higher
Threat Levels:
a.
Relocate critical
operations to a secure
area.
☐
☐
☐
☐
☐
b.
Ensure financial plans
can meet security
requirements of higher
threat levels.
☐
☐
☐
☐
☐
c.
Shut down non-essential
operations.
☐
☐
☐
☐
☐
Background checks
conducted on new
employees and
contractors, to the extent
warranted by the
position.
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
5.
A
i.
Additional explanation on
capability to implement the
security measures
ACCESS CONTROLS
Employees/Contractors
Screening
Background inquiries are
conducted on new
suppliers.
ii.
Termination/Retirement
Policy exists for returning
keys, passes, locking
accounts. Lock/access
Page 14 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
Description
codes to critical areas
changed as required.
Yes
No
N/A
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
iii.
Roster
Maintain a list of people
that have access to the
facility that identifies
them by name, date of
birth, level of access,
home address and
contact numbers.
☐
☐
☐
☐
☐
iv.
Access Passes.
Employees & contractors
wear tamper-proof
photographic ID that
indicates level of access;
card administration
software on site; policy in
place for lost/stolen ID.
☐
☐
☐
☐
☐
B.
i.
Visitors/Customers/Deliveries
Access Passes
All visitors to wear
passes separating them
from
employees/contractors.
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
All passes are numbered
and are to be signed out
with name, company,
contact number, and are
returned on the same
day.
Missing and non-returned
passes are logged and
acted on.
Page 15 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
ii.

C.
i.
Vehicles/Parking
Vehicle Access
Control Movement
Description
Visitor access is limited
to that of the sponsoring
employee/contractor.
Yes
No
N/A
Visitors are escorted by
their sponsor.
☐
☐
All vehicles clearly
display a tag identifying it
as employee/contractor,
visitor, or delivery.
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Employee/contractor
parking tags linked to
license plates.
ii.
Parking Control
Where practical parking
lots are outside
perimeter.
Employee/contractor
parking is separate from
visitor.
iii.
Overnight Policy
Maintain record of
employees that have
company vehicles
overnight.
Implement policy for
securing company
vehicles stored off-site.
iv.
Contingency for Higher
Threat Levels:
Page 16 of 21
Documented
in the plan?
Reference
a.
FACILITY SECURITY
PROGRAM
b.
D.
i.
Shipping/Receiving
Control System
Description
Reduce parking to
minimum required for
essential employees.
Yes
☐
No
☐
N/A
☐
Allow access only to
employee shuttle,
security, and first
responder vehicles.
☐
☐
Identify number and type
of shipping/receiving
areas and minimize
where possible.
☐
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
☐
No
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Identify secure areas
away from critical
operations that could be
used at higher threat
levels.
Ensure communication
between security checkin and shipping/receiving
to confirm status of
deliveries.
ii.
Policy
Employees made aware
of suspicious package
policy.
Minimum number of
employees can authorize
deliveries.
New suppliers/carriers
Page 17 of 21
Documented
in the plan?
Reference
iv.
FACILITY SECURITY
PROGRAM
Description
are screened.
Yes
No
N/A
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
Additional explanation on
capability to implement the
security measures
Contingency for Higher
Threat Levels:
a.
Where practical use
inspection equipment for
packages.
☐
☐
☐
☐
☐
b.
Only allow deliveries
from known sources.
☐
☐
☐
☐
☐
Security personnel are to
review all plans and
policies periodically and
sign acknowledgement.
☐
☐
☐
☐
☐
Security personnel are to
be aware of the
employees responsible
for meeting a security
plan objective (i.e.:
receiving, on-site
repairs).
☐
☐
☐
☐
☐
E.
i.
Security
Policy/Plan Review
ii.
Familiarization
Security personnel are
/encouraged to become
familiar with employees.
iv.
Contingency for Higher
Threat Levels:
a.
Immediately report nonordinary activities.
☐
☐
☐
☐
☐
b.
Access points are to be
manned constantly.
☐
☐
☐
☐
☐
Page 18 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
c.
F.
A.
i.
INFORMATION
TECHNOLOGY
Computerization
Recovery Plan
Description
Yes
No
N/A
Radio communications to
be established and kept
open.
☐
☐
Ensure plan is current
and identify IT support,
listing emergency contact
numbers.
☐
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Establish back-up
systems such as on and
off-site hardware, power.
ii.
Protection and Access
Ensure firewall and antivirus are current and
allow for daily scans.
7
Inventory all hardware
and software.
Levels of access should
be implemented and
enforced if facility has
access to internet or
company intranet.
Restrict access to
unauthorized sites (e.g.:
downloading and
streaming services).
Employ user ID and
password when
Page 19 of 21
Documented
in the plan?
Reference
FACILITY SECURITY
PROGRAM
Description
accessing systems.
Yes
No
N/A
☐
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
☐
Additional explanation on
capability to implement the
security measures
Restrict remote access to
key personnel or certain
levels.
iii.
Policy
Only company-approved
software/hardware to be
used.
Foreign media are not to
be inserted into company
system unless approved
and cleared by IT
security.
Portable company
hardware (i.e.: laptops)
are to be signed out to
specific employees.
Employees and
contractors are to be
made aware of email and
internet policy.
iv.
Contingency for Higher
Threat Levels:
a.
Perform regular and
sporadic penetration
tests.
☐
☐
☐
☐
☐
b.
Restrict access to
intranet sites and
network drives to
essential personnel.
☐
☐
☐
☐
☐
Page 20 of 21
Documented
in the plan?
Reference
c.
FACILITY SECURITY
PROGRAM
Description
Yes
No
N/A
Ensure
sensitive/confidential
information is encrypted.
☐
☐
☐
If Yes, please provide description of the
security measure(s) applicable.
If No or N/A, please explain why and note the
compensating security measure(s).
Able to
implement?
Yes
No
☐
☐
Additional explanation on
capability to implement the
security measures
Page 21 of 21
Download