THE SEEBALD FACILITY SECURITY PYRAMID - The Capstone: Drills, Exercises, Audits, and Reviews
- Posted by Richard Sundland
We’ve covered the main layers of the facility security organization (FSA, FSP, FSO, PSD, AO) in previous blogs. This week we’ll look at what’s in the pyramid’s capstone.
Now that the FSA and FSP are completed and the training program is established, the FSO must not become complacent. The Capstone to the Seebald Security Pyramid consists of regularly conducted Drills, Exercises, Audits and Reviews.
DRILLS - How often do you conduct drills? We know a security drill is required to be conducted every 90 days, testing one element of the FSP. There are many elements to your FSP. If you meet the minimal drill requirements, then you will test only four elements of your plan. That’s NOT how you become proficient!
We recommend you conduct drills at least monthly, and, for all the Seebald Platinum Members, use the drills sent out every month to improve your security awareness. Drills are meant to test at least one element of your plan, so remember to document observations and do not conduct training during the drill or you will never achieve an accurate assessment. Drills do not need to be complicated, nor time-consuming. You can get better at conducting drills by conducting more drills! And remember, you are required to document best practices and lessons learned.
EXERCISES - Exercises are a full test of your security program and must include substantial and active participation from the FSO. They’re required once each calendar year, not to exceed 18 months. Exercises may be full scale or live; tabletop simulation or seminar; or combined with other appropriate exercises. Each exercise must test communication, notification procedures, elements of coordination, resource availability, and response. As with drills, you must capture best practices and lessons learned. To ensure you meet the frequency of required exercises, we at Seebald & Associates will conduct and document an exercise at your facility during your annual audit.
AUDITS - The FSP is required to be audited annually by a subject matter expert outside of your security organization. The FSO should choose someone who will be critical and honest, so you get an accurate assessment of how the FSP is being executed. After the audit, the FSO is required to address the discrepancies. Remember, the audit report is Sensitive Security Information for the FSO only; do NOT show your audit report to the Coast Guard. The FSO must sign an audit record that documents when the audit was conducted and who conducted it. Place the audit record with your security documentation – this is what substantiates your audit for the Coast Guard during your annual inspection.
REVIEWS - FSO Reviews are crucial to building and maintaining a security culture and require dedication from the FSO in making security a priority. Reviews should be part of the FSO’s regular routine – this is security management by walking around. The FSO should be reviewing the FSP on a regular basis and not once a year two weeks prior to the annual Coast Guard inspection. The FSO should use the FSP to develop and use checklists during these walk-around reviews. These checklists can include, but are not limited to: perimeter fencing, lights, security gates & guard posts, technical systems, communication systems, and information technology/cyber systems. During walk-arounds, the FSO can review items on their checklist, conduct security training by stopping and asking PSDs and AOs security awareness questions, or conduct drills. Taking the time and making these walk-around reviews part of your routine will improve the security posture and awareness on the facility.
Overall – remember, the Seebald Facility Security Pyramid provides you with the organization to secure your facility - the rest is up to you.
THE SEEBALD FACILITY SECURITY PYRAMID - Personnel with Security Duties and All Others
- Posted by Richard Sundland
This week’s blog looks at Personnel with Security Duties and All Other facility personnel, with an emphasis on their roles in the facility’s security organization.
33 CFR 105 is a performance-based law, which requires that personnel not only know their responsibilities, but also demonstrate that they are capable of performing their roles. The FSO is responsible for ensuring Personnel with Security Duties (PSD) and All Others (AO) have this required knowledge through training or job experience. This is where a lot of facilities receive discrepancies during their annual Coast Guard inspection, because employees do not receive regular training outside of their initial security training during orientation when first hired.
Building a security culture needs a security training program that is executed regularly, and this falls on the FSO. PSDs are required to know 14 elements outlined in 33 CFR 105.210, and AOs are responsible for six elements outlined in 33 CFR 105.215. This is where a thorough training program is needed and a dedicated FSO makes the time to ensure all the employees receive regular training.
An industry best practice known as a “Security Moment” is similar to a Safety Briefing that occurs prior to many meetings at facilities whose culture focuses on safety. In the case of a Security Moment, a security awareness building requirement can be re-emphasized. The FSO can also take 10-15 minutes during All-Hands meetings and provide brief training on one or two of the required security elements. Another best practice is “Just in Time” training, such as sending reminder emails with required security information that will enhance security awareness prior to a scheduled Coast Guard inspection.
THE SEEBALD FACILITY SECURITY PYRAMID – The Facility Security Officer’s Role
- Posted by Richard Sundland
This week’s blog will explain the Facility Security Officer’s (FSO) role and build on the first two levels of the Seebald Facility Security Pyramid in which the FSO must ensure the FSA is conducted and the FSP is developed.
33 CFR 105.400 requires the FSO to be identified by name with 24-hour contact information because they are the primary custodian of the FSP and responsible for ensuring the plan’s security measures are carried out. The FSO is also required to have general knowledge, through training or equivalent job experience in 21 elements outlined in 33 CFR 105.205.
The FSO is also responsible for security awareness and vigilance of the facility personnel, ensuring security training for personnel with security duties, ensuring occurrences that threaten facility security are documented and reported to the owner or operator, ensuring maintenance of records, and the preparation and submission of required reports, plus a lot more that will be covered in coming weeks.
The FSO’s security responsibilities are abundant and time-consuming, requiring dedication and security to be a priority. Creating a solid security culture starts with the FSO.
THE SEEBALD FACILITY SECURITY PYRAMID
- Posted by Richard Sundland
This month’s S&A blog series to start out a new year focuses on using the Seebald Facility Security Pyramid to create a solid security organization. Like any structure, your organization needs a strong foundation. Our Facility Security Pyramid must be grounded by a solid Facility Security Assessment, which leads to generating an effective Facility Security Plan.
Your Facility Security Assessment (FSA) is the first step toward building your Facility Security Plan (FSP). Subpart C of 33 CFR 105 lays out requirements for your FSA. The FSA is based on a collection of facility background information, a complete facility on-scene survey, and an analysis of information collected. Part of this assessment requires you to conduct a Risk Based Analysis (RBA). The RBA is scenario-based and focuses on risk components made up of threats, vulnerabilities and consequences, which assists you in developing risk mitigating security measures.
Your FSP must address the risks identified in your FSA. Subpart D of 33 CFR 105 provides the FSP’s format, content, submission & approval, amendment and audit requirements. The FSP documents security measures required to protect your facility. Your FSP defines the roles and responsibilities of all facility employees – FSO, Personnel with Security Duties and All Others. The FSP also describes security measures to be taken for each MARSEC Level as well as defines appropriate actions in emergency situations. The FSP is required for re-submission every five years on its anniversary date. Also remember, the FSP is Sensitive Security Information and must be protected per 49 CFR part 1520.
Drills & Exercises - Document, Document, Document!
- Posted by Brian Kelley
Documenting Your Drills & Exercises
You may remember our adage from our FSO and PSD courses that “If it’s not documented, then it didn’t happen.” This certainly applies to Drills & Exercises. Be sure to keep your documentation in a central location, such as an S&A Documentation Kit.
Drills and Exercises documentation is low-hanging fruit for a Coast Guard Inspector looking for compliance violations. It’s relatively easy to go through your records to find flaws. The first thing to ensure is that Drills and Exercises are conducted at the required frequency. For Drills, that means at least once every three months. For Exercises, it’s at least once each calendar year, with no more than 18 months between exercises. If you use an electronic system for your Drills & Exercises, we’ve found a best practice where FSOs print a copy of the Drill Log or Exercise Report and place it in their Documentation Kit.
For each Drill or Exercise, the documentation should include the date held, the FSP element tested (for Drills), a description of the Drill or Exercise, a list of participants, and any best practices or lessons learned that might improve your FSP. Describing the best practices or lessons learned is often the weak part of the documentation we see when we conduct facility security Audits. When I see “N/A” or “None” under best practices or lessons learned, it means to me that the person leading the Drill or Exercise failed in doing their job.
On a side note, when you find best practices or lessons learned in your Drills or Exercises, please share them with us at Seebald & Associates. We keep track of them and share them with our clients and students. They’re not attributed to you, unless you say it’s okay. We believe in this collaboration as a way to strengthen our Maritime Transportation System. We’ve started this compilation to augment our courses and build a “Good, Bad, and Ugly” session for our 2018 Facility Security Symposium.
That’ll do for this month’s blog topic. No blog next week as we turn to our families and loved ones to celebrate the holiday season. We at Seebald & Associates wish you the very best for safe, secure, and happy holidays – see you next year!