Table of Contents

Executive Summary
1.0 Introduction
1.1 Scope and Objective
1.2 Organization of the Document
1.3 Underlying Basis of this Guidance
1.4 Other Guidelines and Security References
2.0 Overview of Terrorism and the Petroleum Industry
2.1 Background on Terrorism and Security
2.2 Threat to the Petroleum Industry
3.0 Threat Assessment
3.1 The Value of Threat Assessment
3.2 Threat Assessment Process
3.3 Security Alert Level Systems
      3.3.1 Introduction
      3.3.2 Department of Homeland Security Alert System (HSAS)
      3.3.3 U.S. Coast Guard Maritime Security Levels
      3.3.4 International Ship and Port Facility Security (ISPS)
             Alert Levels
4.0 The Security Management System Process
4.1 Initial Screening
4.2 Data Gathering
4.3 Initial SVA
4.4 Example Elements of a Security Plan
      4.4.1 Security Administration & Organization of the
             Facility
      4.4.2 Personnel Training
      4.4.3 Drills and Exercises
      4.4.4 Record and Documentation
      4.4.5 Response to Change in Alert Level
      4.4.6 Communications
      4.4.7 Security Systems and Equipment Maintenance
      4.4.8 Security Measures for Access Control, Including
             Designated Public Access Areas
      4.4.9 Protected/Controlled/Restricted Areas
      4.4.10 Security Measures for Monitoring
      4.4.11 Security Incident Procedures
      4.4.12 Audits and Security Plan Amendments
      4.4.13 Security Vulnerability Analysis (SVA) Report
5.0 Security Vulnerability Assessment (SVA) Concepts
5.1 Security Vulnerability Assessment Overview
5.2 Steps in the SVA Process
5.3 Estimating Risk Using SVA Methods
5.4 Definition of SVA Terms
      5.4.1 Risk Definition for SVA
      5.4.2 Consequences (C)
      5.4.3 Threat (T)
      5.4.4 Vulnerability (V)
      5.4.5 Target Attractiveness (A[T])
5.5 Characteristics of a Sound SVA Approach
5.6 First Step in the SVA Process
5.7 SVA Strength and Limitations
5.8 Recommended Times for Conducting and Reviewing the SVA
5.9 Risk Control and Mitigation
5.10 Risk Screening
6.0 Security Conditions and Potential Response Measures
6.1 Low Condition-Green
6.2 Guarded Condition-Blue
6.3 Elevated Condition-Yellow
6.4 High Condition-Orange
6.5 Severe Condition-Red
7.0 Information (Cyber) Security
7.1 Introduction
7.2 Specific Security Guidelines
      7.2.1 Security Policies, Standards and Procedures
      7.2.2 Security Awareness and Education
      7.2.3 Accountability and Ownership
      7.2.4 Data/Information Classification
      7.2.5 Security Vulnerability Assessments
      7.2.6 Physical and Environmental Security
      7.2.7 Access Controls and Identity Management
      7.2.8 Network Security
      7.2.9 Systems Development
      7.2.10 Change Control
      7.2.11 Viruses and other Malicious Code
      7.2.12 Intrusion Detection and Incident Management
      7.2.13 Business Continuity, Business Resumption and Disaster
             Recovery
      7.2.14 Regulatory Compliance
      7.2.15 Audit (Compliance and Assurance)
Appendix A Security Regulations Affecting the U.S. Petroleum
           Industry
Appendix B Glossary and Terms
Appendix C Communication of Security Intelligence
Appendix D References

Abstract

Describes general guidance to owners and operators of U.S. domestic petroleum assets for effectively managing security risks and provide a reference of certain applicable Federal security laws and regulations that may impact petroleum operations.

General Product Information

Published
Document Type	Standard
Status	Current
Publisher	American Petroleum Institute
Pages
ISBN