API RP 781-2016 Facility Security Plan Methodology for the Oil and Natural Gas Industries (First Edition).pdf

1、Facility Security Plan Methodology for the Oil and Natural Gas IndustriesAPI RECOMMENDED PRACTICE 781 FIRST EDITION, SEPTEMBER 2016Special NotesAPI publications necessarily address problems of a general nature. With respect to particular circumstances, local, state, and federal laws and regulations

2、should be reviewed.Neither API nor any of APIs employees, subcontractors, consultants, committees, or other assignees make any warranty or representation, either express or implied, with respect to the accuracy, completeness, or usefulness of the information contained herein, or assume any liability

3、 or responsibility for any use, or the results of such use, of any information or process disclosed in this publication. Neither API nor any of APIs employees, subcontractors, consultants, or other assignees represent that use of this publication would not infringe upon privately owned rights.API pu

4、blications may be used by anyone desiring to do so. Every effort has been made by the Institute to assure the accuracy and reliability of the data contained in them; however, the Institute makes no representation, warranty, or guarantee in connection with this publication and hereby expressly discla

5、ims any liability or responsibility for loss or damage resulting from its use or for the violation of any authorities having jurisdiction with which this publication may conflict.API publications are published to facilitate the broad availability of proven, sound engineering and operating practices.

6、 These publications are not intended to obviate the need for applying sound engineering judgment regarding when and where these publications should be utilized. The formulation and publication of API publications is not intended in any way to inhibit anyone from using any other practices.Any manufac

7、turer marking equipment or materials in conformance with the marking requirements of an API standard is solely responsible for complying with all the applicable requirements of that standard. API does not represent, warrant, or guarantee that such products do in fact conform to the applicable API st

8、andard.All rights reserved. No part of this work may be reproduced, translated, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission from the publisher. Contact the Publisher, API Publishing Service

9、s, 1220 L Street, NW, Washington, DC 20005.Copyright 2016 American Petroleum InstituteForewordNothing contained in any API publication is to be construed as granting any right, by implication or otherwise, for the manufacture, sale, or use of any method, apparatus, or product covered by letters pate

10、nt. Neither should anything contained in the publication be construed as insuring anyone against liability for infringement of letters patent.This document was produced under API standardization procedures that ensure appropriate notification and participation in the developmental process and is des

11、ignated as an API standard. Questions concerning the interpretation of the content of this publication or comments and questions concerning the procedures under which this publication was developed should be directed in writing to the Director of Standards, American Petroleum Institute, 1220 L Stree

12、t, NW, Washington, DC 20005. Requests for permission to reproduce or translate all or any part of the material published herein should also be addressed to the director.Generally, API standards are reviewed and revised, reaffirmed, or withdrawn at least every five years. A one-time extension of up t

13、o two years may be added to this review cycle. Status of the publication can be ascertained from the API Standards Department, telephone (202) 682-8000. A catalog of API publications and materials is published annually by API, 1220 L Street, NW, Washington, DC 20005.Suggested revisions are invited a

14、nd should be submitted to the Standards Department, API, 1220 L Street, NW, Washington, DC 20005, standardsapi.org.iiiContentsPage1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

15、. 11.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

16、. . . . . . . . . . . . . . . . . . . . . . . . . 12 Normative References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Terms, Definitions, Abbreviations, and Acronyms . . . . . . . . . . . . . . . . . . . .

17、 . . . . . . . . . . . . . . . . . . . . . . . . . 23.1 Terms and Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23.2 Abbreviations and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . .

18、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Security Management System (SMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Security Risk Assessment (SRA) . . . . . . . . . . . . . . . . . . . . . . . .

19、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Introduction to Facility Security Plan Concepts (FSP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

20、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96.2 Common elements included in an FSP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96.3 Record of Change . . . . . . . . . . . . . . . . . . . . . . .

21、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96.4 Distribution List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106.5 Security Administration an

22、d Organization of the Facility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116.6 Security Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136.7 Drills and Exercis

23、es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156.8 Record Keeping and Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166.9 Resp

24、onse to Change in Alert Level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176.10 Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

25、 . . . . 186.11 Site Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196.12 Network Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

26、. . . . . . . . . . . . . . . . . . . . . . 196.13 Security Systems and Equipment Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206.14 Physical Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

27、. . . . . . . . . . . . . . . . . . . . . . . . . . . 207 FuturesAdditional Integration of Cyber and Physical Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Personnel Surety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

28、. . . . . . . . . . . . . . . . . . . . . . . 228.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228.2 Background Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

29、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238.3 Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238.4 Contractors . . . . . . . . . . . . . . .

30、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238.5 Audit of Personnel Surety Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Security Measures for

31、 Access Control, Including Designated Public, Controlled, and Restricted Access Areas249.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249.2 Visitors . . . . . . . . . . . . .

32、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259.3 Deliveries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

33、 . . . 259.4 Government Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259.5 Screening, Searches, and Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

34、. . . . . . . . . 269.6 Restricted Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279.7 Security Countermeasures for Restricted Areas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

35、. . . . . . . . . . . . . . 2710 Security Measures for Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2811 Key Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

36、 . . . . . . . . . . . . . . . . . . . . . . . . . 2912 Security Incident Procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29vContentsPage13 Audits and Security Plan Amendments . . . . . . . . . . . . . . . . . . .

37、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3013.1 Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3013.2 Audit Amendments . . . . . . . . . . . . . . . .

38、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3013.3 Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Annex A (informa

39、tive) Example Security Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Bibliography 70Tables1 Example Elements of a Security Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

40、 . 102 Record of Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Facility Security Plan Methodology for the Oil and Natural Gas Industries1 Scope1.1 GeneralThe purpose of a facility security plan

41、(FSP) is to provide the framework to establish a secure workplace. The plan provides an overview of the threats facing the facility and describes the security measures and procedures designed to mitigate risk and protect people, assets, operations, and company reputation.This standard was prepared w

42、ith guidance and direction from the API Security Committee, to assist the petroleum and petrochemical industries in the preparation of a Facility Security Plan. This standard specifies the requirements for preparing an FSP as well as a discussion of the typical elements included in an FSP. 1.2 Appli

43、cabilityThis standard is intended to be flexible and adaptable to the needs of the user. It is noted that the content of an FSP can vary depending on circumstances such as facility size, location, and operations. This methodology is one approach for preparing an FSP at petroleum and petrochemical fa

44、cilities. There are other security plan formats available for the industry. It is the responsibility of the user to choose the format and content of the FSP that best meets the needs of a specific facility. The format and content of some FSPs should be dictated by government regulations for covered

45、facilities. This Standard is not intended to supersede the requirements of any regulated facility but may be used as a reference document.This standard should be limited to the preparation of the FSP. It is recognized that the FSP is only one part of a comprehensive security management system (SMS).

46、 The FSP should be prepared after a security risk assessment (SRA) is conducted. The SRA is a process to identify and assess the threats, vulnerabilities and consequences facing a facility. It is important to understand the risks facing the facility before a comprehensive and effective FSP can be de

47、veloped. The FSP should incorporate procedural, physical and cyber security measures for a holistic and comprehensive plan. In an era of rapidly advancing technology, no FSP would be complete without inclusion of Information Technology and Operational Technology Security considerations and reference

48、 to security measures developed and maintained by these organizations. The interdependence of physical and logical security, as evidenced by the “Internet of Things” (IoT) underscores the criticality of preparing a single, common security strategy to mitigate risk and assure an organizations resilie

49、nce in the face of dynamic threats. 2 Normative ReferencesThe most recent editions of each of the following standards, codes, and publications are referenced in this RP as useful sources of additional information. Further information may be available from the cited Internet World Wide Web sites or references included in the Bibliography.API Manual of Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries6 CFR 27.230 1, Chemical Facilities Anti-Terrorism Standards, Risk-Based Performance Standards33 CFR 105.100415 2, Maritime Transportation Security Act of