Guideline for Security Assessment


  • 8/2/2019 Guideline for Security Assessment


    Guidelines for port security assessment Marine Department Headquarters, Malaysia

    GUIDELINES FOR PORT SECURITY ASSESSMENT


    1 Introduction

    1.1 This document serves as guidelines to Port Administrators and Port Facility Operators who are required to conduct security assessments under SOLAS 74, Chapter XI-2. These guidelines also provide for the establishment of port area and port facility security plans in accordance with the security assessment carried out. A model Port Area and Port Facility Security Plan is also included in these guidelines.

    1.2 This document is to facilitate the compliance by Malaysian ships, ports and port facilities by 1st July 2004 in view of Malaysia being a Contracting State to the SOLAS 74 Convention.

    1.3 SOLAS Ch XI-2 and the ISPS Code shall apply to the following:

    passenger ships engaged on international voyages;

    cargo ships of 500 or more gross tonnes engaged on international voyages;

    mobile off-shore drilling units (MODUs) engaged on international voyages; and

    Port and port facilities that service the above categories of ships.

    1.4 These guidelines for security assessment include the criteria associated with risk identification and management. The effectiveness of security assessment, risk identification, development and management of the security plan require the commitment of all levels of management as well as implementers. The auditing process for certification will include the assessment and commitment of top management.

    2 Schedule of Submission

    2.1 Security assessment and security plans should be submitted to the certifying authority by 1st May 2004. However, Port Administrators and Port Facility Operators are advised to submit as soon as possible to ensure certification by 1st July 2004. The Marine Department is available for consultation in order to avoid any non-conformities and deficiencies prior to submission.

    3 Key Definitions Used in this Guidance Paper

    3.1 Risk - the chance of something happening that will have an impact upon objectives. It is measured in terms of consequences and likelihood.

    3.2 Security Assessments are risk assessments conducted and prepared in accordance with an internationally accepted risk assessment process. The assessment will provide the basis for preventive security planning.


    4 In respect of port security assessments and plans the following definitions apply:

    4.1 Critical Infrastructure

    4.1.1 Infrastructure within the port area that is critical to port operation, and whose absence can disrupt the operation of the port.

    4.2 Security Designated Port Area

    4.2.1 The Designated Authority shall declare that areas of a port intended for use either wholly or partly in connection with the movement, loading, unloading, maintenance or provisioning of security regulated ships comprise a security designated port area.

    4.2.2 An area controlled exclusively by the Malaysian Defence Force must not be included as part of a security designated port.

    4.3 Port Administrator - the Regulatory Authority of the port.

    4.3.1 For Federal ports which have gazetted port authorities, these authorities will be the Port Administrator.

    4.3.2 For Federal ports which do not have gazetted port authorities, the Marine Department will be the Port Administrator.

    4.3.3 The State Authority will be the Port Administrator for those ports under state management.

    4.4 Port Area Security Committee

    4.4.1 A framework for communication and coordination of security arrangements. The Committee, chaired by the Port Administrator, should be composed of the port area security officer, port facility security officer, government institutions - immigration, customs, quarantine, marine department, police, etc; port marine service providers, facility owner/facility operator and facility users - key ship operators or agents.

    4.4.2 This security committee is responsible for the development and implementation of the port area security plan.

    4.5 Port Area Security Officer (PASO)

    4.5.1 Port Area Security Officer (PASO) is a suitably qualified officer designated by


    water, anchorages, waiting berths and approaches from seaward within a security designated port area (including any buildings, installations or equipment in or on the area) used either wholly or partly in connection with the loading or unloading of ships. The port facility area shall encompass the restricted water area and restricted land area.

    4.7 Port facility operator

    4.7.1 Port facility operator means an organisation that operates a port facility.

    4.8 Port Facility Security Officer

    4.8.1 Port Facility Security Officer means a suitably qualified officer designated by the port facility operator to facilitate the development, implementation, revision and maintenance of the port facility security plan and liaison with the ship security officers, company security officers, port area security officer (PASO) and other port facility security officers (PFSO).

    5 ISPS Code and Designated Authority Requirements

    5.1 The ISPS Code requires security assessments to establish threats, determine vulnerabilities and treat risks to assets, infrastructure and operations. This approach recognises that port administrators and operators are best placed to determine the vulnerabilities of their own assets, infrastructure and operations, identify appropriate preventive security measures and develop appropriate security plans.

    5.2 Ports and Port facilities

    5.2.1 Port security assessments will form the basis for port security plans, which are essential for the promotion and development of consistent preventive security measures across the port and for the treatment of systemic weaknesses in security arrangements within the port community. These assessments will determine high level strategic risks to assets, operations and activities within the port and could be used by port facility operators as the basis of their security assessment requirements.

    5.2.2 This procedure will require the formation of Port Area Security Committees as the first step in a coordinated approach by ports and port facilities to their respective security assessment and planning requirements. A Port Area Security Committee, chaired by the Port Administrator, should comprise representatives from port area security officer, port facility security officer, government institutions - immigration, customs, quarantine, marine department, police, etc; port marine service providers,


    assessment, which incorporates individual port facility assessments. This approach would result in the development of a single security planning document that incorporates a port area security plan and individual port facility security plans that clearly identifies roles and responsibilities within the security designated port area. However, a "one size fits all" approach is not practical for security assessments or plans for the maritime industry and accordingly local security assessment and planning arrangements to meet the ISPS Code requirements should be determined by both port administrators and port facility operators.

    5.2.4 Port Administrators and port facility operators are also encouraged to consider the identification, analysis and treatment of security risks associated with other port marine service providers, e.g. tugs, pilots and barges, when undertaking a security assessment. It is considered preferable that risks identified in respect of port service providers be addressed in port area and port facility security plans.

    6 Requirements for Port Area and Port Facility Security Assessments

    6.1 Security assessment submissions

    6.1.1 A completed security assessment is to be submitted to the Designated Authority with the respective port area and port facility security plan. The security assessment should demonstrate that those risks and/or threats identified have been adequately analysed and evaluated, and that appropriate preventive and mitigative security strategies have been selected for action against unacceptable or intolerable risks or circumstances.

    6.1.2 The approved security assessments will need to be included as an attachment to port area and port facility security plans. Security assessments must be protected from unauthorised access due to the sensitive nature of their contents.

    6.2 All security assessments submitted to the Designated Authority must include:

    the date that the security assessment was completed or reviewed;

    specific details of the location of the port or port facility, or details of the ship to which the assessment applies;

    a short summary of how the assessment was conducted, including details of the risk management process adopted;

    the relevant skills and experience of the persons who participated and completed the assessment; and


    6.3 Port Area security assessments must also include the following:

    identification and evaluation of strategically important assets, infrastructure and operations that it is important to protect;

    identification of possible high level risks and/or threats to assets, infrastructure and operations, and the likelihood and consequences of their occurrence;

    identification, selection and prioritisation of strategic risk treatments (countermeasures and procedural changes) and their level of effectiveness in reducing risk levels (including vulnerabilities); and

    identification and treatment of gaps in port wide security arrangements, including port infrastructure, human factors, policies and procedures.

    6.4 Port Administrators who have control and responsibility for specific port facilities (e.g. common user berths) and other port operations such as defined anchorages, channels etc, may wish to assess them in conjunction with their port security assessment. The individual responsibilities of port facility operators must also be clearly identified in security assessment submissions.

    6.5 Port facility security assessments must include the following elements:

    identification and evaluation of important assets, infrastructure and operations it is important to protect;

    identification of weaknesses, including human factors, in the infrastructure, policies and procedures;

    identification of possible risks and/or threats to assets, infrastructure and operations, and the likelihood and consequences of their occurrence; and

    identification, selection and prioritisation of risk treatments (countermeasures and procedural changes) and their level of effectiveness in reducing risk levels (including vulnerabilities).

    6.6 Combined and/or joint port facility security assessments

    6.6.1 Port facility operators may wish to conduct a port facility security assessment covering more than one individual port facility for which they are legally responsible. Port facility operators should advise the Designated Authority of such an approach when conducting combined security assessments. They should also consider the following:

    Are the port facilities to be covered situated within the same geographic location? i.e. a single security assessment is not appropriate where port


    consideration needs to be made as to whether it is best to conduct separate security assessments where operations are significantly different.

    6.6.2 Similarly, the requirement of a security assessment to cover individual port facilities does not preclude the carrying out of a joint security assessment collectively by several port facilities within a single port. This approach could also include shared port facilities, such as common user berths, for which port operators may have responsibility to complete assessments.

    6.6.3 It would be expected that security assessment submissions are presented in an easy to read plain English format and that the key elements of the risk management process adopted are clearly identifiable.


    7 The Security Assessment Process

    7.1 The port area security assessment (PASA)

    7.1.1 Introduction

    7.1.1.1 The Threat and Risk Analysis Matrix (TRAM) is a simplified risk-based method and tool to assist in carrying out a PASA. It is but one of a number of tools and is given here by way of example.

    7.1.1.2 Its purpose is to identify threats with a view to initiating and recommending countermeasures to deter, detect and reduce the consequence of any potential incident should it occur. Such an analysis may be a valuable aid to allocating resources, forward planning, contingency planning and budgeting.

    7.1.1.3 The TRAM should be updated as often as changing circumstances may dictate to maintain its effectiveness. This task would, normally, fall under the remit of the Port Area Security Officer or the Port Facility Security Officer.

    7.1.1.4 In addition to the more obvious threats, the list of potential targets should be as comprehensive as possible with due regard to the function(s) of the port, legal, political, social, geographic and economic environment of the country and the security environment specific to the port.

    7.1.2 Assessment process

    7.1.2.1 Table 1 is a blank version of the TRAM, which is used to illustrate the following explanation of the assessment process.

    7.1.2.2 Potential targets (PT). Identify PT through assessment of functions and operations, vulnerable areas, key points or persons in the port and in the immediate environment that may, if subject to an unlawful act, detrimentally impact on the security, safety of personnel or function of the port.

    7.1.2.3 Establish ownership of the identified PT. For example:

    directly owned and controlled by the Port Administrator or Port Facility owner;

    directly owned by the Port Administrator but rented, leased, occupied and controlled by other parties;

    owned, controlled and operated by other parties;


    7.1.2.6 Threat scenarios (amongst many) that may be appropriate to consider:

    .1. Arson;

    .2. Attacks on ships from seaward while at berth or at anchor, or while at sea;

    .3. Blockage of port entrances, channels, locks, approaches, waterways etc.;

    .4. Chemical, biological and/or nuclear attack;

    .5. Hijacking and hostage sieges, including piracy;

    .6. Sabotage or vandalism;

    .7. Smuggling of weapons or equipment, including weapons of mass destruction;

    .8. Tampering with cargo, essential ship equipment or systems, or stores;

    .9. Unauthorised access or use of a ship, including stowaways;

    .10. Unauthorised access to a secure area within a port area or port facility;

    .11. Use of a ship or vehicle to transport explosives, hazardous goods or weapons;

    .12. Use of a ship to carry those intending to cause a security incident and their equipment; and

    .13. Use of a ship as a weapon or a means to cause damage or destruction.

    7.1.2.7 Threat (column C of table 1). The probability of an incident occurring should be assessed on the following scale:

    3 = high;

    2 = medium;

    1 = low.

    7.1.2.7.1 The allocation of a particular threat score may be based on specific information received or the known characteristics of the potential target.

    7.1.2.8 Vulnerability (column D of table 1). The susceptibility and vulnerability of the PT to each threat may be assessed as follows:

    4 = No existing security measures/existing security measures are not effective (e.g. unrestricted access to target, target not monitored; personnel untrained; target easily damaged);

    3 = Minimal security measures (e.g. restricted areas not clearly identified; inadequate access control procedures; sporadic monitoring; no formal security training programme; target susceptible to certain types of damage);

    2 = Satisfactory security measures (e.g. restricted areas clearly identified and access is controlled; formal security training programme; adequate monitoring and threat awareness; target not easily damaged);

    1 = Fully effective security measures (e.g. all of 2 plus, capable of promptly scaling to higher security level as needed; target difficult to


    5 = Detrimental to security and safety (likely to cause loss of life, serious injuries and/or create widespread danger to public health and safety).

    4 = Detrimental to public safety and/or national prestige (likely to cause significant environmental damage and/or localized public health and safety).

    3 = Detrimental to the environment and/or economic function of the port (likely to cause sustained port-wide disruption and/or significant economic loss and/or damage to national prestige).

    2 = Detrimental to assets, infrastructure, utility and cargo security (likely to cause limited disruption to an individual asset, infrastructure or organization).

    1 = Detrimental to customer/port community confidence.

    7.1.2.10 Risk score. Score is the product of threat x vulnerability x impact.

    7.1.2.10.1 The highest score scenario will be:

    Threat - High ................................ 3

    Vulnerability - No existing countermeasure ... 4

    Impact - Potential loss of life/injury ....... 5

    Risk score ................................... 60

    7.1.2.10.2 The lowest score scenario will be:

    Threat - Low ................................. 1

    Vulnerability - Fully compliant .............. 1

    Impact - Little .............................. 1

    Risk score ................................... 1

    7.1.2.11 Action priority (column G of table 1). Tabulating and listing the scores for each threat against each PT will assist in assessing the priority in which to deal with each potential incident. The process should lead to indications of actions required to deter, detect and mitigate the consequences of potential incidents, resources available or required and appropriate security measures.

    7.2 Analysis of the Matrix

    7.2.1 In assessing likely scenarios the history and modus operandi of illegal groups most likely to operate in the area should be considered when identifying the PT and determining and assessing the most appropriate security measures.

    7.2.2 This is an assessed reduction of the score for each scenario based on the perceived effectiveness of the security measures when they have been put into


    security measure. For example, one or more PT close together may be contained within one perimeter fence with one gate controller. It may be that a vulnerable operation in a remote part of the port can be moved into a more secure area. Every possible realistic action should be considered.

    7.2.4 The completed TRAM together with a consolidated summary of all security measures that have been devised and are able to be implemented should form the basis from which the port security plan can be developed.

    7.3 The port facility security assessments (PFSA)

    7.3.1 For the Port Facility Security Assessment, the methods mentioned in paragraphs 7.1 and 7.2 are to be followed and a similar matrix is to be used.

    8 Assessment example

    8.1 The following ten-step example (Table 1 below) is used to illustrate the possible working of a security assessment using the TRAM for a specific threat scenario: destroy port authority's communication tower by explosives.


    Table 1. Blank Threat and Risk Analysis Matrix (TRAM)

    Potential target: Person/place/location (identify each PT in the port area not covered by the PFSP or other official subordinate plan)

    Scenario No | Threat Scenario | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B               | C      | D             | E      | F          | G
    1           |                 |        |               |        |            |
    2           |                 |        |               |        |            |
    3           |                 |        |               |        |            |
    4           |                 |        |               |        |            |
    5           |                 |        |               |        |            |
    6           |                 |        |               |        |            |
    7           |                 |        |               |        |            |
    8           |                 |        |               |        |            |
    9           |                 |        |               |        |            |


    Step 1 List feasible scenario in column B

    Scenario No | Threat Scenario                                            | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B                                                          | C      | D             | E      | F          | G
    1           | Destroy port authority's communication tower by explosives |        |               |        |            |

    Column B: Feasibility scenario as determined by current port security assessment

    The tower is a critical component of port operational and commercial communications. It supports booster stations for local police and emergency service communications and, in addition, the tower supports mobile telephone repeater services for the area. Currently the tower is protected from casual access or interference by a 2-metre high razor wire fence of 15 metre diameter and is located in a non-restricted area approximately 200 metres from the Harbour Master's Office. The facility is positioned on flat ground approachable from all sides, and a service road, that is accessible from the public area roads, passes within 20 metres of the perimeter fence. Access to the compound is limited to maintenance and servicing of the tower components as required and seasonal ground maintenance including grass cutting by regular port approved contractors. There is a mobile security patrol that visits and checks for signs of damage or intrusion once by day and once by night. The tower could be easily damaged by an explosive device thrown over the fence, placed against the fence or a car bomb driven up to the compound or placed on the service approach road.


    Step 2 Assign a threat score to this scenario in column C

    Scenario No | Threat Scenario                                            | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B                                                          | C      | D             | E      | F          | G
    1           | Destroy port authority's communication tower by explosives | 1      |               |        |            |

    Column C: Threat score based on intelligence, security level, current deterrent measures and other relevant factors

    This scenario has been given a threat score of 1 (low) because no specific intelligence has been obtained that suggests communications facilities are being targeted at the present time. A score of 2 (medium) or 3 (high) may be given based upon intelligence.

    Step 3 Assign a vulnerability score to this scenario in column D

    Scenario No | Threat Scenario                                            | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B                                                          | C      | D             | E      | F          | G
    1           | Destroy port authority's communication tower by explosives | 1      | 2             |        |            |

    Column D: Vulnerability is the susceptibility of a potential target to a particular threat

    In this example, the threat is damage to the communications tower by explosives. Vulnerability is listed as 2 (satisfactory security measures) because the facility's existing perimeter fence and security patrol are considered a sufficient deterrent.


    Step 4 Assign impact score to this scenario in column E

    Scenario No | Threat Scenario                                            | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B                                                          | C      | D             | E      | F          | G
    1           | Destroy port authority's communication tower by explosives | 1      | 2             | 3      |            |

    Column E: Impact is the consequence of an incident - the effect on public health, safety or security, etc

    In this example, impact is listed as 3 (detrimental to the economic function of the port) because there is no back-up communication tower, so its loss would shut down the port for some time until repairs could be made, thus causing substantial economic loss. Impact may be further reduced if there is redundancy to the potential target (e.g. a back-up communications tower) or if a target may be easily repaired. Conversely, impact may increase if there is no redundancy, or if a target would be difficult to replace.

    Step 5 Calculate the initial TRAM score in column F

    Scenario No | Threat Scenario                                            | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B                                                          | C      | D             | E      | F          | G
    1           | Destroy port authority's communication tower by explosives | 1      | 2             | 3      | 6          |

    Column F: The initial score is calculated by multiplying columns C, D and E

    In this example the initial score would be 6 (1 x 2 x 3 = 6).


    Step 6 Determine the action priority in column G (typically performed following several scenario calculations)

    Scenario No | Threat Scenario                                            | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B                                                          | C      | D             | E      | F          | G
    1           | Destroy port authority's communication tower by explosives | 1      | 2             | 3      | 6          |

    Column G: The action priority is based on each scenario's initial score

    Establishing action priorities based on initial Risk scores is a quick way to distinguish between the various scenarios, and can help focus and allocate scarce resources, particularly when a large number of scenarios are assessed.

    Step 7 Determine new scores and action priorities based on changes to threat, vulnerability or impact

    Scenario No | Threat Scenario                                            | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B                                                          | C      | D             | E      | F          | G
    1           | Destroy port authority's communication tower by explosives | 2      | 2             | 3      | 12         |

    A variety of factors may change an initial risk score

    For example, an increase in threat from 1 (low) to 2 (medium) would raise the risk score from 6 to 12 (column C increases from 1 to 2, thus 2 x 2 x 3 = 12; see above). When the threat score increases, persons involved in developing security measures can use this table to recalculate how vulnerability or impact reduction measures may reduce the risk score. If 6 is deemed to be an acceptable level, then vulnerability reduction measures or impact reduction measures should be considered that will reduce the figures in columns D and E so as to give a risk score in column F of no higher than 6.


    Scenario No | Threat Scenario                                            | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B                                                          | C      | D             | E      | F          | G
    1           | Destroy port authority's communication tower by explosives | 2      | 2             | 2      | 8          |

    Step 10 Implementing measures to reduce vulnerability and impact

    If both the vulnerability reduction measures and impact reduction measures discussed in this example were taken together, the total risk score would be reduced to 4, well below the initial score of 6.

    Scenario No | Threat Scenario                                            | Threat | Vulnerability | Impact | Risk Score | Action Priority
    A           | B                                                          | C      | D             | E      | F          | G
    1           | Destroy port authority's communication tower by explosives | 2      | 1             | 2      | 4          |

    The persons doing the security assessment and persons charged with implementing security measures must determine the effectiveness of various vulnerability or impact reduction measures for their ports.
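
    The TRAM arithmetic used in the steps above, as an added Python example that is not part of the original guideline: it checks each score against the scales in section 7.1.2, computes column F, ranks column G, and lists the vulnerability/impact values that bring a raised-threat scenario back to an acceptable score. The names Scenario, action_priorities and reduction_targets, the rule that highest score ranks first with ties sharing a rank, and the scores given to scenarios 2 and 3 are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from itertools import product

# Scales from the guideline: threat 1-3, vulnerability 1-4, impact 1-5.
SCALES = {"threat": (1, 3), "vulnerability": (1, 4), "impact": (1, 5)}


@dataclass(frozen=True)
class Scenario:
    number: int          # column A
    description: str     # column B
    threat: int          # column C
    vulnerability: int   # column D
    impact: int          # column E

    def __post_init__(self):
        # Reject scores outside the published scales instead of silently
        # producing a risk score that cannot be compared with the others.
        for name, (low, high) in SCALES.items():
            value = getattr(self, name)
            if not isinstance(value, int) or not low <= value <= high:
                raise ValueError(f"{name} must be an integer {low}-{high}, got {value!r}")

    @property
    def risk_score(self) -> int:
        """Column F: threat x vulnerability x impact (range 1 to 60)."""
        return self.threat * self.vulnerability * self.impact


def action_priorities(scenarios):
    """Column G (assumed rule): rank by risk score, highest first; ties share a rank."""
    ordered = sorted(scenarios, key=lambda s: s.risk_score, reverse=True)
    priorities, rank, previous = {}, 0, None
    for position, scenario in enumerate(ordered, start=1):
        if scenario.risk_score != previous:
            rank, previous = position, scenario.risk_score
        priorities[scenario.number] = rank
    return priorities


def reduction_targets(scenario, acceptable):
    """List (vulnerability, impact) pairs, no worse than the current ones,
    that give a risk score at or below the acceptable level."""
    pairs = product(range(1, scenario.vulnerability + 1),
                    range(1, scenario.impact + 1))
    return [(v, i) for v, i in pairs if scenario.threat * v * i <= acceptable]


# Scenario 1 uses the scores from steps 2 to 5 of the guideline's example.
TOWER = Scenario(1, "Destroy port authority's communication tower by explosives", 1, 2, 3)
# Scenarios 2 and 3 are taken from the list in 7.1.2.6; their scores are constructed.
SAMPLE = [
    TOWER,
    Scenario(2, "Unauthorised access to a secure area within a port area", 2, 3, 2),
    Scenario(3, "Sabotage or vandalism", 3, 2, 1),
]
# Step 7: threat rises from 1 (low) to 2 (medium).
RAISED = replace(TOWER, threat=2)

if __name__ == "__main__":
    ranks = action_priorities(SAMPLE)
    for s in SAMPLE:
        print(f"{s.number} | {s.description} | {s.threat} | {s.vulnerability} | "
              f"{s.impact} | {s.risk_score} | {ranks[s.number]}")
    print("Raised threat score:", RAISED.risk_score)
    print("Acceptable (D, E) pairs for score <= 6:", reduction_targets(RAISED, 6))
```

    With the threat at 2, the vulnerability 2 / impact 2 row scoring 8 is absent from the acceptable pairs, while the Step 10 combination (vulnerability 1, impact 2) is included.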


    CATEGORISATION OF PORTS

    5 types of ports have been tentatively categorised:

    1. Type A - Terminal with container liner service bound for trunk line and terminal handles hazardous material
       i. Monitors peripheral area, terminal area and water area of a facility by security guards and surveillance equipment
       ii. In addition, access control will be automated by introducing appropriate identification system of the personnel and delivery cars

    2. Type B - Terminal with liner service
       i. Monitor peripheral area, terminal area and water area of a facility by security guards and surveillance equipment.

    3. Type C - Terminal without regular service
       i. Peripheral area, terminal area and water area of a facility will be monitored by security guards
       ii. Minimum security equipment will also be installed

    4. Type D - Terminal which rarely serves ships engaged on international voyage
       i. Peripheral area, terminal area and water area of a facility will be monitored by security guards

    5. Type PT - Passenger Terminal
       i. Monitors peripheral area, terminal area and water area of a facility by security guards and surveillance equipment
       ii. In addition, passenger baggage will be examined