Feel Secure about Vulnerability Assessments
Take advantage of some pointers from Security Professionals
Six tips for SVA success
1. Plan the activity well in advance; senior leadership should communicate to
Threat assessment. This determines the estimated general threat level, which varies as situations develop. Depending upon the threat level, security measures greater than baseline ones likely will be necessary. While threat assessments are key decision-support tools, always bear in mind that such assessments, even if updated often, might not adequately capture emerging threats posed by some adversaries. No matter how much we know about potential threats, we’ll never know that we have identified every threat or that we have complete information even on the threats of which we are aware.
Vulnerability assessment. The identification of security vulnerabilities underpins the validity of the whole process. Existing security measures must be evaluated to ensure they are being managed in a manner that provides the most value to the organization. Ultimately, the deliverable of this phase is the assessment of the level of effectiveness in reducing vulnerability and meeting applicable risk-based performance standards. This is the phase where your security professional should be doing most of the work.
Risk analysis. This includes a determination of the relative initial degree of risk to the chemicals of interest in terms of the expected effect on each critical asset and the likelihood of the success of an attack; it typically is represented in a matrix (Figure 1).
Improvement (risk reduction) is derived from identifying additional countermeasures that can be applied to:
- reduce the probability of a successful attack on a chemical of interest;
- enhance the degree of risk reduction;
- increase the reliability/maintainability of security;
- decrease the consequences of an event.
Risk is reassessed after proposed countermeasures are applied to the scenarios addressed in your SVA. Measures accepted by management must then be incorporated into your site security plan.
Figure 2. A form like this can ease data entry into CSAT.
Results of the SVA will be entered into CSAT and will form the basis of the site security plan. In fact, all vulnerabilities identified in the SVA must be addressed in the site security plan, which is due 120 days after your SVA is complete.
Protecting information
It’s crucial to safeguard Chemical-Terrorism Vulnerability Information (CVI) from disclosure to unauthorized persons. While a company likely will certify only a limited number of employees as able to handle CVI, all employees must know what to do if CVI documents are found unsecured. Staff must be taught how to recognize this information based on this labeling:
Chemical-terrorism Vulnerability Information
(Placed in the header of each page.)
Each cover page, title page and page within the document should have the following statement inserted: WARNING: This record contains Chemical-terrorism Vulnerability Information controlled by 6 CFR 27.400. Do not disclose to persons without a “need to know” in accordance with 6 CFR 27.400(e). Unauthorized release may result in civil penalties or other action. In any administrative or judicial proceeding, this information shall be treated as classified information in accordance with 6 CFR 27.400(h) and (i).
Any documentation prepared due to your SVA should be labeled accordingly.
A start towards security
These new standards will substantially expand the security requirements for many chemical facilities that have never before been covered under government security guidelines. Clearly, it’s necessary to get a start on them. However, much work by both the private sector and the government will have to be done before all of the high risk chemical facilities in the United States can fully meet the standards.
Frank Pisciotta, CSC, is president of Business Protection Specialists, Canandaigua, N.Y. E-mail him at fp@securingpeople.com.
Deborah Allen, CPP, is director of product stewardship and security at Potash Corp., Northbrook, Ill. E-mail her at dlallen@potashcorp.com.



