



MARITIME SECURITY ASSESSMENTS
       GUIDANCE PAPER




                                                 Final December 2003
                                             Office of Transport Security




          Commonwealth of Australia. Use by permission only.



   IMPORTANT NOTE : Maritime Security Assessments Guidance


                                DISCLAIMER

This Maritime Security Assessment Guidance paper has been prepared in
accordance with the Maritime Transport Security Act 2003 (the Act) and the Maritime
Transport Security Regulations 2003. All care has been taken to ensure that this
guide accurately reflects the requirements of the Act and Regulations. Prior to
submitting plans for consideration of approval, port operators, port facility operators,
port service providers and ship operators of regulated Australian ships should refer to
the Act and Regulations made. This guide will be updated if the Regulations are
amended prior to them being gazetted.






Table of Contents
IMPORTANT NOTE: Maritime Security Assessments Guidance
1 Introduction
2 General Guidance
3 Relevant Skills and Experience
4 Requirements of Security Assessments
5 The Security Assessment Process
6 Details of the AS/NZS 4360 risk assessment steps
    6.1 Step 1 - Establish the Context
      6.1.1 Threat Situation
      6.1.2 Identification of Key Assets, Infrastructure and Operations
      6.1.3 Risk Evaluation Criteria
    6.2 Step 2 – Identify Risks – what can happen and how can it happen?
    6.3 Step 3 – Analyse Risks – determine likelihood and consequence
      6.3.1 Determine existing controls
      6.3.2 Methods of Risk Analysis
      6.3.3 Likelihood
      6.3.4 Consequence
    6.4 Step 4 – Evaluate Risks - identify risk priorities
    6.5 Step 5 – Treat Risks – determining preventive and mitigative strategies
    6.6 Step 6 – Monitoring and Review
    6.7 Step 7 – Communication and Consultation
7 Further Guidance
8 ATTACHMENT A
    Key Definitions Used in this Guidance Paper
9 ATTACHMENT B
    Skills and Experience Required To Undertake a Maritime Security Assessment
10 ATTACHMENT C
    Security Assessment – Risk Summary Template - Example Only
11 ATTACHMENT D
    Consequence Rating Table – Example Only
12 ATTACHMENT E
    Risk Treatment Schedule And Action Plan - Example Only
13 ATTACHMENT F
    Resource List






1 Introduction

This paper provides guidance to port operators, port facility operators, port service
providers and shipping operators of regulated Australian ships who are required to conduct
Security Assessments under the Maritime Transport Security Act 2003 (the Act) and the
Maritime Transport Security Regulations. The paper is focused on security assessment
requirements for industry under the new maritime security regime. The linkage of security
assessments to the requirements for maritime security plans for port operators, port facility
operators, port service providers and ship security plans is also discussed. The
Department of Transport and Regional Services (DOTARS) has developed model
maritime security plans and ship security plans that provide further guidance.

The guidance is provided to ensure that the maritime industry complies with the Act, which
implements the International Maritime Organization’s (IMO) new preventive security
framework as detailed in the International Ship and Port Facility Security (ISPS) Code,
which will enter into force from 1 July 2004. Australia will be ensuring that it meets its
international obligations by June 2004 under amendments to the International Convention
for the Safety of Life at Sea (SOLAS) 1974, which will establish the ISPS Code.
This means that Australian regulated ships, ports, port facilities and port service providers
covered by the Act must have approved security plans by 30 June 2004.

The ISPS Code requires security assessments to establish threats, determine
vulnerabilities and treat risks to assets, infrastructure and operations. This requirement is
reflected in the Act which requires security assessments to be undertaken and security
plans prepared. This approach recognises that, in the Australian context, operators are
best placed to determine the vulnerabilities of their own assets, infrastructure and
operations as well as identify appropriate preventive security measures and procedures
and develop appropriate security plans.

The purpose of security assessments is to provide a solid risk-based approach to the
implementation of preventive security planning to prevent potential unlawful interference
with maritime transport. Security assessments ensure that a systematic and analytical
process is conducted with the aim of identifying outcomes-focused security measures
and/or procedures that reduce the vulnerabilities of assets, individuals and operations to
acceptable levels. Executive and senior management must also have this information in
order to make well-informed decisions regarding the implementation of preventive security
arrangements directed at countering terrorism.



2 General Guidance

Section 42 of the Act requires security plans to be prepared by port operators and port
facility operators as well as participants of a kind prescribed, or particular participants
prescribed, in the Regulations. Port service providers are prescribed in the Regulations as
requiring maritime security plans.

The Act requires that a maritime security plan for a port operator, port facility operator or
port service provider include a security assessment of their operations. It also requires
regulated Australian ships to have a ship security plan which must include a security
assessment.

In accordance with Sections 47(2) and 66(2) of the Act, operators should also ensure that
security assessments take into account any documents required in writing by the
Secretary and any matters prescribed in the Regulations. The Regulations outline the
specific content requirements of port, port facility, port service provider and ship security
assessments.

The section of the Act requires security assessments to be completed by ship operators of
regulated Australian ships including:

• passenger ships used for overseas or inter-State voyages; or
• cargo ships of 500 or more gross tonnes used for overseas and inter-State voyages;
  or
• mobile offshore drilling units (MODUs) on an overseas or inter-State voyage
  (other than a unit that is attached to the seabed); or
• ships of a kind prescribed in the Regulations.


To inform the preparation of their security plans, port operators, port facility operators, port
service providers and shipping operators should make arrangements to complete security
assessments as soon as practicable. Security plans with security assessments must
be submitted to DOTARS by 1 March 2004 to ensure adequate time for
consideration and approval.

Port operators, port facility operators, and port service providers are strongly encouraged
to work closely together to complete their respective security assessment and planning
requirements. In some instances, this could be reflected by an overarching security
assessment, which incorporates individual assessments of the port operator, port facility
operators and port service providers.

DOTARS encourages operators to prepare security assessments in accordance with the
Australian and New Zealand Risk Management Standard 4360 (AS/NZS 4360). On a case
by case basis the Department will consider the acceptance of security assessments based
on other sound risk management processes. For example, ship operators who are working
in a global environment may wish to ensure consistency of security assessments across
their shipping fleet.

It is recommended that operators who wish to use risk management processes other than
AS/NZS 4360 contact the Department to discuss whether their approach will meet the
requirements of the Regulations. Further, DOTARS also encourages operators to contact
the Department should they be considering combining different risk management
processes, for example a combination of AS/NZS 4360 and other widely recognised risk
management processes.

DOTARS will meet its obligations under Part A, Section 15.2 of the ISPS Code by ensuring
a consistent approach is taken to the completion of security assessments by port
operators, port facility operators and port service providers and distributing information on
current threats and the maritime security environment. It is generally expected that ports,
port facilities and port service providers will use AS/NZS 4360 to complete their security
assessment requirements and this guide outlines how to conduct a security assessment
using the standard.

Please refer to Attachment A for definitions used in this document.

3 Relevant Skills and Experience

Persons with appropriate skills and experience in the conduct of security-based risk
assessments should carry out security assessments. This approach is consistent with the
ISPS Code Part A, Sections 8.2 and 15.3, which require persons undertaking security
assessments to have appropriate skills to evaluate ship, port and port facility security
respectively. General guidance on the relevant skills and experience needed to complete a
security assessment is at Attachment B.

The Regulations at 3.05(d) and 4.25(d) require security assessments to outline the skills
and experiences of the key persons who completed or participated in the assessment. It is
expected that port operators, port facility operators, port service providers and ship
operators will demonstrate that they either have the required skills and experience, or have
sought expert assistance to complete their security assessments.

If security consultants are to be utilised it is recommended that their qualifications and prior
experience be adequately checked prior to commencement of the security assessment. It
is not appropriate for DOTARS to recommend individual security consultants or provide a
list of potential security consultants for the purpose of conducting a security assessment.


4 Requirements of Security Assessments

The Act requires that security assessments must be included as part of maritime security
plans and ship security plans submitted to DOTARS for approval. The assessment should
demonstrate that the risks and/or threats identified have been adequately analysed and
evaluated, and that appropriate preventive and mitigative security strategies have been
selected for action against unacceptable or intolerable risks or circumstances.

Security assessments and plans must be protected from unauthorised access,
amendment or disclosure due to the sensitive nature of their contents. The regulations
require port operators, port facility operators, port service providers and ship operators to
ensure that their plans are adequately protected.

It would also be expected that security assessments are presented in an easy-to-read plain
English format and that the key elements of the risk management process adopted are
clearly identifiable for review and assessment purposes by DOTARS. If security
assessments are not presented in an easy to read format then delays in approval of plans
may occur.

In accordance with Regulation 3.05 all security assessments submitted to DOTARS
with maritime security plans must include:

• the date when the assessment was completed or reviewed;
• the scope of the assessment, including assets, infrastructure and operations
  assessed;
• a summary of how the assessment was conducted, including details of the risk
  management process adopted; and
• the skills and experience of the key persons who completed or participated in the
  assessment.


Under Regulation 3.40 security assessments to be included in maritime security
plans for port operators must also include the following matters:

• a statement outlining the risk context or threat situation for the port;
• identification and evaluation of strategically important assets, infrastructure and
  operations that need to be protected;
• identification of possible risks or threats to assets, infrastructure and operations, and
  the likelihood and consequences of their occurrence;
• identification of existing security measures, procedures and operations;
• identification of gaps in port-wide security arrangements, including gaps arising from
  port infrastructure, human factors, policies and procedures; and
• identification, selection and prioritisation of possible risk treatments (for example,
  counter-measures and procedural changes that need to be implemented) and their
  effectiveness in reducing risk levels and vulnerabilities.

Port operators who have control and responsibility for specific port facilities (e.g. common
user berths) and other port operations such as defined anchorages, channels etc, may
wish to assess them in conjunction with their security assessment of their port. Some port
facility operators and port service providers may also wish to complete their requirements
for assessments as part of a port-wide security assessment process. In both cases,
consideration should be given to the specific requirements of port and port facility security
assessments for both port and port facility operations.


Under Regulation 3.110 security assessments to be included in maritime security
plans for port facility operators must also include the following matters[1]:

• a statement outlining the risk context or threat situation for the port facility;
• identification and evaluation of important assets, infrastructure and operations that
  need to be protected;
• identification of possible risks or threats to assets, infrastructure and operations, and
  the likelihood and consequences of their occurrence;
• identification of existing security measures, procedures and operations;
• identification of weaknesses (including human factors) in the infrastructure, policies and
  procedures; and
• identification, selection and prioritisation of possible risk treatments (for example,
  counter-measures and procedural changes that need to be implemented) and their
  effectiveness in reducing risk levels and vulnerabilities.



[1] This requirement is consistent with Part A, Section 15.5 of the ISPS Code.


Port facility operators may wish to conduct a security assessment covering more than one
individual port facility for which they are legally responsible. Port facility operators should
advise DOTARS of such an approach when conducting combined security assessments.
They should also consider the following:

• Are the port facilities to be covered situated within the same geographic location? – i.e.
  a single security assessment is not appropriate where port facilities are located in
  different ports.
• Who has legal responsibility for the security operations of the port facilities to be
  covered by the security assessment? – i.e. port facility operators legally responsible for
  security arrangements should be part of the security assessment process.
• Are port facility operations similar in nature or design or linked in some way to each
  other, such as via the use of similar equipment or services? – i.e. consideration needs
  to be made as to whether it is best to conduct separate security assessments where
  operations are significantly different.

Similarly, the requirement of a security assessment to cover individual port facilities does
not preclude the carrying out of a joint security assessment collectively by several port
facilities and/or port service providers within a single port. This approach could also
include shared port facilities, such as common user berths, for which port operators may
have responsibility to complete assessments.

Under Regulation 3.195 security assessments to be included in maritime security
plans for Port Service Providers must also include the following matters:

• a statement outlining the risk context or threat situation for the port service provider;
• identification and evaluation of important assets, infrastructure and operations that
  need to be protected;
• identification of possible risks or threats to assets, infrastructure and operations, and
  the likelihood and consequences of their occurrence;
• identification of existing security measures, procedures and operations;
• identification of weaknesses (including human factors) in the infrastructure, policies and
  procedures;
• identification, selection and prioritisation of possible risk treatments (for example,
  counter-measures and procedural changes that need to be implemented) and their
  effectiveness in reducing risk levels and vulnerabilities.

It should be noted that a port service provider may be located outside the boundary of the
security regulated port or inside the port. The definition of port service provider is intended
to capture, for example:
       a) a pilot boat that takes a pilot to board a ship at a location outside the security
           regulated port for the purpose of piloting the ship into the port;
       b) a barge that unloads cargo from a security regulated ship onto the barge, and
           carries the cargo into a security regulated port.

In accordance with Regulation 4.25, security assessments for regulated Australian
ships must include the following matters:

• the date when the assessment was completed or reviewed;
• the scope of the assessment, including assets, infrastructure and operations
  assessed;
• a summary of how the assessment was conducted, including details of the risk
  management process adopted;
• the skills and experience of the key persons who completed or participated in the
  assessment;
• the results of the examination and evaluation of the existing shipboard protective
  measures, procedures and operations;
• a statement outlining the risk context or threat situation for the ship, including
  consideration of trading routes;
• identification and evaluation of key shipboard operations that need to be protected;
• identification of possible risks or threats to the key shipboard operations and the
  likelihood and consequences of their occurrence;
• identification of existing security measures, procedures and operations;
• identification of weaknesses (including human factors) in the infrastructure, policies
  and procedures;
• identification, selection and prioritisation of possible risk treatments (for example,
  counter-measures and procedural changes that need to be implemented) and their
  effectiveness in reducing risk levels and vulnerabilities.


5 The Security Assessment Process

This guidance paper sets out an indicative process for security assessments based on the
AS/NZS 4360/1999 risk management standard. The paper has been reviewed by
members of the Standards Australia Risk Management Committee who consider the
document to be consistent with the requirements of the AS/NZS 4360/1999 standard.
However, ship operators, port operators, port facility operators and port service providers may
wish to use different risk assessment tools based on the AS/NZS 4360 standard that have
been developed for their individual circumstances. References to the AS/NZS 4360
standard are mentioned throughout this document as footnotes to the text.

Operators who wish to use risk management processes other than AS/NZS 4360 should
contact the Department to discuss whether their approach will meet the requirements of
the Regulations. Further, DOTARS also encourages other operators to contact the
Department should they be considering combining different risk management processes,
for example a combination of AS/NZS 4360 and other widely recognised risk management
processes.

The main elements of the AS/NZS 4360 risk assessment process are[2]:

• Establish the Context
• Identify Risks – what can happen and how can it happen?
• Analyse Risks – determine likelihood and consequence
• Evaluate Risks – set risk priorities
• Treat Risks – determine preventive security strategies
• Communicate and Consult
• Monitor and Review

[2] Refer to the AS/NZS 4360/1999 Risk Management Standard – page 7 & 8 for further overview information.



Communication and consultation with internal and external stakeholders should occur at
each stage of the security assessment process. Security assessments should also be
regularly monitored and reviewed, especially in the context of a changing security
environment.

All security assessments should give particular consideration to the risk of a terrorist attack
and identify security measures that could be implemented in conjunction with or additional
to existing or required theft-based security measures. Examples may be the tightening of
access control arrangements or closed circuit television monitoring in addition to secure
perimeter fencing.


6 Details of the AS/NZS 4360 risk assessment steps.

6.1 Step 1 - Establish the Context

This step determines the strategic, organisational and risk management context of the risk
assessment to be undertaken[3]. Current and potential threat situations and the
identification of critical infrastructure help establish the particular context of the security
assessment. Key external and internal stakeholders should also be identified to assist in
the security assessment process.

To assist the Department to review security assessments it is requested that operators
briefly outline the nature of their business operations and physical operating environment
in their security assessments. The individual requirements for security assessments for
port operators, port facility operators, port service providers and ship security assessments
(as outlined on pages 6-9) should be considered when determining the scope of the
assessment to be undertaken. The coverage of the security assessment, the area of land
and/or water or the ship to be assessed, should also be outlined in the security
assessment submission.

Risk evaluation criteria ensure that security assessments are clearly focused on the
identification and treatment of the risks of unlawful interference with maritime transport
such as terrorist acts, as opposed to addressing other potential sources of risk, such as
the impact of natural disasters that may affect ports, port facilities or ships.


6.1.1 Threat Situation

When conducting a security assessment in the current security environment, terrorism
should be considered in all its possible forms. This approach enables a consideration of
actual and potential threats to ships, ports, port facilities and port service providers.

DOTARS has released a contextual statement on the current maritime security
environment in Australia. The statement provides information on the maritime strategic risk
context and the general nature of terrorist threats to the maritime industry. A copy of the
Maritime Risk Context Statement (MRCS) can be obtained upon e-mail request to
transport.security@dotars.gov.au.

[3] Refer to the AS/NZS 4360/1999 Risk Management Standard – page 9 & 11 for more information on
establishing the risk context.

6.1.2 Identification of Key Assets, Infrastructure and Operations

The identification and evaluation of assets (physical and human) and infrastructure critical
to continued operations of ports, port facilities, port service providers and ships can assist
in the identification of risks. The process is important as it provides a basis for
determination of appropriate preventive and mitigative security strategies to ensure that
the most important assets, infrastructure and operations are protected from a security
incident, with the primary concern being the avoidance of death or injury[4]. Key
infrastructure may include port control facilities, channel access, main wharf port facilities,
cruise liner and container port facilities, petrochemical and liquid natural gas storage port
facilities[5].

An example of a criticality assessment table that could be used or modified by port
operators, port facility operators, port service providers or ship operators for their individual
circumstances is at Table 1 below.

Table 1 – Criticality Assessment – Example Only[6]

Target –          Areas of              Impact of           Ability to          Criticality rating
Assets[7] /       importance,           destruction,        recover from        for port, port
Infrastructure    e.g. commerce,        degradation or      terrorist attack    facility or ship
/ Operations      transportation,       unavailability                          operations
                  navigation,           of target for                           (Critical/Moderate
                  communications,       extended                                or Marginal)
                  surveillance,         period
                  general public
                  utility, etc.



(Note – at Step 2 – Risk identification - targets identified during the criticality assessment
process should be reviewed and risks identified in respect of each target – refer to
example of Risk Identification Table - Table 2)

The current National Counter-Terrorism Committee (NCTC) Strategy for Critical
Infrastructure Protection[8] requires State and Territory Governments to identify Critical
Infrastructure (CI) within their respective jurisdictions and to maintain current information
on the preparedness of those ports and port facilities identified as CI. CI is infrastructure
which, if destroyed, degraded or rendered unavailable for an extended period, would
significantly impact on social and/or economic well-being or affect national security or
defence. State and Territory Governments have already identified some ports and port
facilities as CI and these are likely to have already taken part in a criticality risk
assessment as part of the CI identification process. They may also have commenced
security assessment processes analogous or complementary to the requirements of the
Act.

[4] Refer to ISPS Code – Part B Section 15.5 and 15.6.
[5] Refer to ISPS Code Part B, Sections 15.7 for further examples of assets and infrastructure considered
important to protect.
[6] Note – example table developed from US Coast Guard - Guidelines for Security Committees, and Port
Security Plans Required for US Ports – NVIC 9:02 Enclosure 3 – Criticality Assessment – pg 3 & 4.
[7] Consider both physical and human assets as potential targets, including company staff, vendors,
contractors, ship passengers, site visitors, general public etc.
[8] http://www.ag.gov.au/www/CriptHome.nsf/AllDocs/CF33E0FF183F9F56CA256CF6007C220E?OpenDocument

Ship security assessments should specifically consider the persons, activities, services
and operations that it is important to protect9. For example, the cargo – particularly
dangerous and hazardous goods; the ship's stores; ship navigation, communication and
surveillance equipment and systems, as well as the ship's personnel; passengers, visitors,
vendors; repair technicians; port facility personnel etc.

6.1.3 Risk Evaluation Criteria10

Security assessments should focus on the identification and evaluation of the risk to
assets, infrastructure and operations. Consideration should be given to particular risk
areas such as:

    • Death or injury
    • Social Impact
    • Economic Impact
    • Environmental Impact
    • Symbolic Effect
    • Business Disruption and Continuity
    • Damage to Business Reputation / Public Image

(Note - these risk areas should be considered at Step 3 – Analyse Risks – when
considering the consequence of risks identified – refer Consequence Rating Table at
Attachment E)

Giving consideration to the risk context, the objective of security assessments could be to
identify, analyse and evaluate risks using the following risk categories.


    • Extreme risk      immediate executive management action needed to prevent,
                        mitigate or avoid risk

    • High risk         senior management attention needed to prevent, mitigate or
                        avoid risk

    • Moderate risk     long term management action to prevent, mitigate or avoid risks
                        should be identified

    • Low risk          risk can be managed using general preventive security planning
                        and procedures


9 Refer to ISPS Code Part B, Section 8.8.
10 Refer to the AS/NZS 4360/1999 Risk Management Standard – page 10 & 11, Section 4.1.5. for further information.



Risk categorisation is important as it enables organisations to respond appropriately to
risks identified as requiring specific actions. If the above risk categories are adopted it
would be expected that risks identified within the low to extreme categories would be
actioned according to the individual requirements above. (Refer to Step 4 – Evaluate
Risks – Identify Risk Priorities)

Decisions by port operators, port facility operators, port service providers and ship
operators concerning the treatment or tolerability of risks should be based upon
consideration of the risk assessment criteria, as illustrated above, as well as the need to
balance costs, benefits and opportunities. Risks identified that impact on ports, port
facilities, port service providers and/or ships, but are outside the full responsibility of the
individual operator should be noted. Specific risk treatment options and actions should be
adopted for all Extreme and High risks identified and adequately documented in
subsequent security planning processes. Low and Moderate risks can generally be treated
by normal preventive security planning and practices, and often specific risk treatment
options are not required. It is recommended that all low and moderate risks requiring
management action be documented in order to demonstrate that the risks have been
identified and to facilitate future monitoring and review.

6.2 Step 2 – Identify Risks – what can happen and how can it happen?11

This critical step is a well-structured systematic process that generates a comprehensive
list of events (what can happen) and considers possible causes and scenarios (how it can
happen). Possible risk events or acts that could threaten the security of assets,
infrastructure or operations and the methods of carrying out those acts or risk methods,
should be identified to evaluate areas of vulnerability to terrorist attack, and to
subsequently establish and prioritise security planning requirements12.

Facilitated risk identification workshops are a recognised method of risk identification. For
security assessments for port operators it would be expected that port security committees
would be included in or facilitate risk identification exercises. DOTARS also encourages
other operators to form security committees that include senior executive management
representation, in addition to their port facility and company security officers, to identify
core business risks and complete the security assessment process.

When conducting risk identification workshops port operators, port facility operators, port
service providers and ship operators should give consideration to the following general risk
areas:

    • Arson;
    • Blockage of port entrances, channels, locks, approaches, waterways etc.;
    • Bomb or explosive device, including suicide bombings;
    • Chemical, biological and/or nuclear attack;
    • Hijacking and hostage sieges, including piracy;
    • Hoax calls and scare tactics;
    • Sabotage or vandalism;
    • Smuggling of weapons or equipment, including weapons of mass destruction;
    • Tampering with cargo, essential ship equipment or systems, or stores;
    • Unauthorised access or use of a ship, including stowaways;
    • Unauthorised access to a secure area within a port or port facility;
    • Use of a ship to carry those intending to cause a security incident and their equipment;
    • Use of a ship, vehicle or port/port facility infrastructure as a weapon or a means to
      cause damage or destruction;
    • Use of a ship or vehicle to transport explosives, hazardous goods or weapons; and
    • Attacks on ships from seaward while at berth or at anchor, or while at sea.

11 Refer to the AS/NZS 4360/1999 Risk Management Standard – page 12, Section 4.2 for further information on risk identification.
12 Refer to ISPS code – Part B, section 15.9

This approach is consistent with the ISPS Code Part B, Sections 8.9 and 15.11 that
respectively advise that ship security assessments and port facility security assessments
should consider all possible threats, and provides examples of specific security incidents.

The following risk identification template at Table 2 could be used to identify risk events –
sources of potential harm or situations with a potential to cause loss. An example of a risk
event could be an act utilising explosive devices undertaken at a port, port facility or on a
ship that results in death, injury and/or significant damage or destruction.

Having identified a list of risk events it is then necessary to consider possible risk
scenarios by which an event may be initiated. It is important that significant causes or
vulnerabilities are identified.13

Table 2 - Risk Identification - Example Only

Target–             Risk Events – (what           Risk Scenarios – (how it        Related Risks
asset14,            can happen) - sources         can happen) - outline
infrastructure      of potential harm or          specific examples of
or operations       situations that could         potential causes of risk
                    cause loss                    events – consider the
                                                  vulnerability of assets,
                                                  infrastructure and/or
                                                  operations to terrorist attack;
                                                  including possible manner,
                                                  location and timing.




Port operators, port facility operators, port service providers or ship operators conducting
the security assessments should endeavour to capture all key risk events. However, most
lists of potential risk scenarios will not be complete, as it is not practical to document all
potential situations that could cause loss. It is also not necessary to record excessive
numbers of similar risk scenarios. However, risk scenarios should be listed where assets,
infrastructure and/or operations are considered vulnerable to terrorist attack or other
unlawful acts.

13 Refer to the AS/NZS 4360/1999 Risk Management Standard – Section 4.2 Risk Identification, page 12.
14 Assets include both physical and human assets, including company staff, contractors, ship passengers; site visitors, general public etc.



It is expected that consideration will be given to the identification of risk events and
scenarios that identify vulnerabilities in physical structures, personnel protection systems,
processes and other areas that may lead to a security incident15. Risk identification should
consider potential risks arising from operations, structures or activities adjacent to ports,
port facilities or ships, such as potential risks due to the close proximity of storage and
refinery port facilities for hazardous or dangerous goods. DOTARS also suggests that
the possible vulnerabilities described in Part B of the ISPS Code at Sections
8.10 and 15.16 for ship and port facility security assessments be taken into account
when identifying risk scenarios.

For port security assessments, risk scenarios should outline any key vulnerabilities of the
port as a whole, with a view to subsequent identification of risk treatments
(countermeasures) designed to reduce the vulnerability of port assets, infrastructure and
operations.

6.3 Step 3 – Analyse Risks – determine likelihood and consequence16

This step determines the presence of existing controls and their implementation and
analyses the risk events identified in terms of consequence and likelihood in the context of
those controls. It separates the minor acceptable or tolerable risks from the major risks by
combining consequence and likelihood scores and provides data (risk level scores) to
assist in the evaluation and treatment of risks.

6.3.1 Determine existing controls

When considering the consequence and likelihood of a risk event, consideration should be
given to the presence of existing preventive security measures such as perimeter fences,
access control, domain awareness, security patrols and procedures, and risks should be
examined in the context of these controls. It is recommended that security surveys and
inspections or audits of existing security control arrangements be conducted to determine
their strengths and weaknesses prior to an analysis of the risks identified17. It is also
important to closely evaluate how rigorously management and staff implement existing
controls in order to ensure the controls in place are effectively implemented.

6.3.2 Methods of Risk Analysis

A number of methodologies have been developed to analyse risks depending on the risk
information and data available. Qualitative, quantitative or semi-quantitative risk analysis
(or a combination of these) can be conducted under the AS/NZS 4360 standard, which
provides examples of qualitative and quantitative methods at Appendices E and F of the
Standard18. However, qualitative risk analyses are considered adequate for maritime
security assessment purposes as they can provide good general indicators of risk levels.


15 Refer to ISPS Code – Part B Section 15.15
16 Refer to the AS/NZS 4360/1999 Risk Management Standard – page 12 to 15 for further information on risk analysis.
17 Refer to the AS/NZS 4360/1999 Risk Management Standard – page 13, Section 4.3.2 - Determining existing controls.
18 Refer to the AS/NZS 4360/1999 Risk Management Standard – page 14, Section 4.3.4 – Types of analysis


An example of a qualitative analysis method that could be used to complete a port, port
facility, port service provider or ship security assessment is illustrated below at 9.3.3 –
likelihood analysis and at 9.3.4 – consequence analysis. Through this process likelihood and
consequence risk ratings are assigned for risk events identified at Step 2, giving due
consideration to existing security control arrangements, including security plans,
procedures and operations, under both routine and emergency conditions19.

6.3.3 Likelihood

When determining the likelihood20 of an event consideration should be given to the
susceptibility or vulnerability of assets, including physical and human assets, to an act of
unlawful interference with maritime transport. The intent and capability of terrorists to
effect a terrorist act may also be relevant factors to consider in determining the likelihood
of a risk event.

The Maritime Risk Context Statement provides information on the current security
environment, including the known focus and capability of terrorists.

Table 4: Risk likelihood score table – Example Only


Qualitative measures of likelihood

Level       %      Descriptor            Description

A         95%      Almost certain        Is expected to occur in most circumstances
B         65%      Likely                Will probably occur in most circumstances
C         40%      Possible              Might occur at some time
D         20%      Unlikely              Could occur at some time
E         5%       Rare                  May occur only in exceptional circumstances



Likelihood risk ratings should be entered against each risk event identified in a Security
Assessment Risk Summary Template. An example risk summary template is at
Attachment C. It would be preferred if descriptor ratings are entered into the table for
ease of interpretation.


6.3.4 Consequence

A qualitative rating or score of consequence21 for each risk event identified could be
determined against consequence categories such as the five categories suggested
below22.


19 This approach is consistent with the ISPS Code – Part B Section 8.7.
20 Refer to page 6 for definition of Likelihood.
21 Refer to definition of Consequence at page 6.
22 Developed from Table E1 Qualitative measures of consequence or impact – Appendix E page 34, AS/NZS 4360/1999 Risk Management Standard.


    • Catastrophic (5) – risk impact would result in disastrous consequences, such as
      long term disruption for the community and/or business.
    • Major (4) – risk impact would result in serious consequences, such as medium-term
      disruption to the community and/or business.
    • Moderate (3) – risk impact would result in some consequences, such as short-term
      disruption to the community and/or business.
    • Minor (2) – risk impact would result in few consequences, such as minor disruption
      to community and/or business, but of limited overall consequence.
    • Insignificant (1) – risk impact would be negligible or no risk impact can be
      identified to community or business.

An example of a risk consequence ratings table that could be used to determine a
consequence rating for a particular risk event is at Attachment D. Individual risks may
have different scores for the different risk categories identified. These individual scores
should be considered together prior to determining an overall consequence score for a
particular risk event. The table can be used or modified by port operators, port facility
operators, port service providers or ship operators completing security assessments to suit
their own requirements23.

Final consequence risk ratings should be entered into a Security Assessment Risk
Summary Template for each risk event identified – refer Attachment C.


6.4 Step 4 – Evaluate Risks - identify risk priorities

Risk evaluation requires a comparison of identified risk levels to the risk assessment
criteria established for the security assessment. Qualitative risk scores for consequence
and likelihood for each risk event are compared against the qualitative risk criteria
previously established to enable prioritisation of risks for further action.

Likelihood and consequence risk ratings can be used to prioritise risk events according to the
risk treatment criteria – Low to Extreme Risks. Table 5 below provides an example of
a qualitative risk analysis matrix that could be used or modified to complete a security
assessment.




23 Refer to the AS/NZS 4360/1999 Risk Management Standard – Section 4.3.4 Types of analysis - page 14 and 15 for further information on alternative risk analysis methods.




Table 5 : Prioritisation of risks for further action.


Qualitative risk analysis matrix

Likelihood          Consequences
                    Insignificant   Minor   Moderate   Major   Catastrophic
                    1               2       3          4       5
A Almost certain    H               H       E          E       E
B Likely            M               H       H          E       E
C Possible          L               M       H          E       E
D Unlikely          L               L       M          H       E
E Rare              L               L       M          H       H

Risk Assessment Criteria - Extreme risk (E), High risk (H), Moderate risk (M); Low
risk (L)
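
The Table 5 matrix and the risk categories from 6.1.3, worked through in Python as an added example that is not part of the guidance paper: it rates a constructed risk register, orders it for action, and checks that a locally modified matrix never rates a risk lower as likelihood or consequence rises. Taking the worst per-category score as the overall consequence, the tie-break order and the sample register values are assumptions of this example.

```python
# Added example (not from the guidance paper): Table 5 applied to a constructed register.
LIKELIHOODS = ["E", "D", "C", "B", "A"]   # Rare -> Almost certain (Table 4 levels)
CONSEQUENCES = [1, 2, 3, 4, 5]            # Insignificant -> Catastrophic
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}   # Low < Moderate < High < Extreme

# Table 5: one row per likelihood level, one character per consequence score 1..5.
MATRIX = {"A": "HHEEE", "B": "MHHEE", "C": "LMHEE", "D": "LLMHE", "E": "LLMHH"}

# Management response for each risk category, as listed in section 6.1.3.
ACTION = {
    "E": "immediate executive management action",
    "H": "senior management attention",
    "M": "long term management action to be identified",
    "L": "general preventive security planning and procedures",
}


def rate(likelihood, consequence, matrix=MATRIX):
    """Look up the risk category for a likelihood level and consequence score."""
    if likelihood not in matrix or len(matrix[likelihood]) != len(CONSEQUENCES):
        raise ValueError(f"no usable matrix row for likelihood {likelihood!r}")
    if consequence not in CONSEQUENCES:
        raise ValueError(f"consequence must be 1..5, got {consequence!r}")
    return matrix[likelihood][consequence - 1]


def matrix_defects(matrix):
    """List cells whose rating drops when likelihood or consequence increases.

    An operator who modifies Table 5 can run this before using the new matrix.
    """
    defects = []
    for index, likelihood in enumerate(LIKELIHOODS):
        for consequence in CONSEQUENCES:
            here = RANK[rate(likelihood, consequence, matrix)]
            if consequence > 1:
                left = RANK[rate(likelihood, consequence - 1, matrix)]
                if here < left:
                    defects.append((likelihood, consequence, "consequence"))
            if index > 0:
                below = RANK[rate(LIKELIHOODS[index - 1], consequence, matrix)]
                if here < below:
                    defects.append((likelihood, consequence, "likelihood"))
    return defects


def overall_consequence(scores):
    """Assumption of this example: the worst risk-area score is the overall score."""
    return max(scores.values())


def prioritise(register, matrix=MATRIX):
    """Rate every risk event and order the register from Extreme down to Low."""
    rows = []
    for item in register:
        consequence = overall_consequence(item["consequence"])
        rating = rate(item["likelihood"], consequence, matrix)
        rows.append({
            "event": item["event"],
            "likelihood": item["likelihood"],
            "consequence": consequence,
            "rating": rating,
            "action": ACTION[rating],
            # Section 6.5: specific treatments are outlined for Extreme and High risks.
            "needs_specific_treatment": rating in ("E", "H"),
        })
    # Tie-break (assumed): higher consequence first, then higher likelihood ("A" first).
    rows.sort(key=lambda r: (-RANK[r["rating"]], -r["consequence"], r["likelihood"]))
    return rows


# Constructed sample register; event names come from the general risk areas in 6.2,
# the likelihood and consequence values are invented for illustration.
SAMPLE_REGISTER = [
    {"event": "Unauthorised access to a secure area within a port facility",
     "likelihood": "C",
     "consequence": {"Death or injury": 2, "Economic Impact": 3,
                     "Business Disruption and Continuity": 3}},
    {"event": "Hoax calls and scare tactics", "likelihood": "B",
     "consequence": {"Business Disruption and Continuity": 2,
                     "Damage to Business Reputation / Public Image": 1}},
    {"event": "Sabotage or vandalism", "likelihood": "D",
     "consequence": {"Economic Impact": 2, "Environmental Impact": 2}},
    {"event": "Tampering with cargo, essential ship equipment or systems, or stores",
     "likelihood": "C",
     "consequence": {"Death or injury": 4, "Economic Impact": 3}},
    {"event": "Blockage of port entrances, channels, locks, approaches, waterways",
     "likelihood": "E",
     "consequence": {"Economic Impact": 5, "Social Impact": 3}},
    {"event": "Arson", "likelihood": "E", "consequence": {"Economic Impact": 3}},
]

if __name__ == "__main__":
    assert matrix_defects(MATRIX) == []
    for row in prioritise(SAMPLE_REGISTER):
        flag = "*" if row["needs_specific_treatment"] else " "
        print(f'{flag} {row["rating"]} {row["likelihood"]}{row["consequence"]} '
              f'{row["event"]}: {row["action"]}')
```
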

6.5 Step 5 – Treat Risks – determining preventive and mitigative strategies24.

The treatment of risks involves the identification of options for treating risks that are not
considered acceptable or tolerable. Risk treatments can reduce the likelihood or
consequence of a risk, transfer the risk in whole or part, or result in the risk being avoided.

A list of preventive and mitigative security strategies should be identified for all risk events
identified. The objective is to ensure that the most effective security measures are
employed to reduce the vulnerability of ports, port facilities, ship/port interfaces and ships
to possible threats25. All risk treatment options should be considered at the local level by
port operators, port facility operators, port service providers and ship operators on the
basis of their likely effectiveness in risk reduction, practicality of implementation, overall
cost and benefits derived. In many cases, it is unlikely that one risk treatment option will
be a complete solution for a particular problem26.

Specific risk treatment strategies or security measures should be outlined for all Extreme
and High risks. However, it is also realistic to assume that some risks may need to be
tolerated on the basis that security measures are not feasible or cost effective. For
example, it may not be practicable to completely eliminate the potential of all waterside
risks to ships or infrastructure in some port facilities. However, it may be practicable for
some security measures to be put in place, such as an exclusion zone outlined by a
floating boom, to act as a deterrent to such a security incident. Moderate and Low risk
events may not require specific risk treatments. However, preventive security planning
procedures and practices should be reviewed to determine whether or not the risks have
been adequately treated.


24 Refer to AS/NZS 4360/1999 Risk Management Standard – Section 4.5 Risk Treatment - page 16 to 20 for more information.
25 This approach is consistent with the ISPS Code – Part B Section 15.13
26 Refer to AS/NZS 4360/1999 Risk Management Standard – Section 4.5.2 Assessing risk treatment options – for further information – page 18 and 19.


In respect of security measures for ships, appropriate consideration should be given to
their possible impact on ship personnel who are required to remain on ships for long
periods of time. Consistent with the requirements of Part B Section 8.11 of the ISPS code,
particular consideration should be given to the convenience, comfort and personal privacy
of the ship’s personnel and their ability to maintain their effectiveness over long periods.

Following selection of preferred risk treatment options a schedule for implementation
should be documented. The plan, which should be approved by an accountable officer,
should identify:

    • responsibilities for risk treatment actions;
    • schedules for implementation of new security measures;
    • the expected outcome of risk treatments applied;
    • budgeting arrangements and performance measures; and
    • a process to review the effectiveness of selected risk treatments27.

This schedule may also include a review of existing security measures. An example of a
risk treatment schedule and action plan is at Attachment E.

In the process of completing a security assessment it is suggested that reference be made
to the guidance on maritime and ship security plans for examples of security measures
and procedures that could be considered as possible risk treatment options.


6.6     Step 6 – Monitoring and Review28

It is necessary to monitor and review port, port facility, port service provider and ship
security assessments to ensure that they remain relevant to the current security
environment. Regular monitoring and reviewing is required to ensure that risks identified
are consistent with the current risk context, that risk treatments are effective, remain
appropriate and are properly implemented. It can also help to identify alternative and
potentially more effective risk treatment solutions.

The ISPS code requires that port facility assessments should be periodically reviewed and
updated taking into account changing threats and minor changes in the port facility, and
should always be reviewed and updated when major changes to a port facility take
place29. For ship security assessments the ISPS code requires that the assessment be
documented, reviewed, accepted and retained by ship operators30.

It is also expected that security assessments will be reviewed periodically or when
significant changes in the security environment or port, port facility, port service provider or
ship operations occur. Under the Act, the Secretary may require maritime industry
participants to review their plans should there be a change in circumstances that relate to
or could impact on maritime transport security.

27 Refer to AS/NZS 4360/1999 Risk Management Standard – Sections 4.5.3 Risk treatment plans - page 19 and 4.5.4 Implementing treatment plans for further information.
28 Refer to AS/NZS 4360/1999 Risk Management Standard – Section 4.6 Monitoring and Review – page 20 for more information.
29 Refer to ISPS code – Part A, section 15.4.
30 Refer to ISPS code – Part A, section 8.5.



6.7 Step 7 – Communication and Consultation31

Communication and consultation with internal and external stakeholders is required
throughout the security assessment process. Executive management must be part of the
security assessment process if they are to make well-informed decisions regarding the
implementation of preventive security measures to counter unlawful acts of interference
with maritime transport.

The sharing of information, within acceptable bounds of commercial confidentiality,
between port operators, port facilities, port service providers and ship operators is
encouraged to promote a common understanding of local level risks and to foster the
exchange of best practice security measures between ports, port facilities and ship
operators.

The security assessment process should also involve consultation with relevant authorities
overseeing infrastructure adjacent to ports and port facilities, infrastructure which could
cause a security incident or be used for the purpose of causing damage to a port or port
facility, or for illicit observation or for diverting attention32.

DOTARS will continue to communicate and consult closely with industry stakeholders,
peak bodies and State and Territory Governments to assist port operators, port facility
operators, port service providers and ship operators complete the required security
assessments and plans.




31 Refer to AS/NZS 4360/1999 Risk Management Standard – Section 4.7, Communication and Consultation page 20 for more information.
32 Refer to ISPS code – Part B, Section 15.8



7 Further Guidance

A list of references that contain useful risk management information is at Attachment F.

Additional information on the AS/NZS 4360 Risk Management Standard can be purchased
from the Standards Australia website at www.standards.com.au.

Additional information about the IMO ISPS code in the Australian context can be found at
http://www.dotars.gov.au/transsec/imo_isps_info.aspx

Copies of the IMO ISPS Code can be purchased via the IMO website at
http://www.imo.org./home.asp

DOTARS has posted a series of Frequently Asked Questions (FAQ) on the DOTARS
Transport Security web site at http://www.dotars.gov.au/transsec/index.aspx.

Direct enquiries to the Department for further guidance can be e-mailed to
transport.security@dotars.gov.au



Maritime Security Regulation Branch
Office of Transport Security
Department of Transport and Regional Services
December 2003






8 ATTACHMENT A

Key Definitions Used in this Guidance Paper

Consequence – the outcomes of an event expressed qualitatively or quantitatively, being
loss, injury, disadvantage or gain. There may be a range of possible outcomes associated
with an event – eg. loss of life or public injury, damage to critical infrastructure, loss of
business continuity, police or other investigation etc33.

Likelihood – a qualitative description of probability or frequency. Probability is the
likelihood of a specific event or outcome. Frequency is the rate of occurrence of the event
or outcome. Likelihood can be measured quantitatively on an occurrence scale from a
‘rare’ event to an ‘almost certain’ event.34

Maritime Industry Participant (MIP)
      (a)   a port operator; or
      (b)   a port facility operator; or
      (c)   the ship operator for a regulated Australian ship; or
      (d)   the ship operator for a regulated foreign ship; or
      (e)   a person (other than a maritime security inspector or a duly authorised
            officer) appointed by the Secretary under this Act to perform a maritime
            transport security function; or
      (f)   a contractor who provides services to a person mentioned in paragraphs (a)
            to (d); or
      (g)   a person who:
            (i)     conducts a maritime-related enterprise; and
            (ii)    is prescribed in the regulations.

(NOTE – MIPs listed at (d) are not required to prepare security assessments or to have
security plans approved by the secretary of DOTARS.)

Risk - the chance of something happening that will have an impact upon objectives. It is
measured in terms of consequences and likelihood. 35

Security Assessments – means the part of a maritime security plan or ship security plan
that identifies, analyses, evaluates and treats risks and/or threats to maritime transport
security.


Security Officer - means a person designated by a maritime industry participant to
implement and maintain:
(a)   the participant’s maritime security plan; or
(b)   the ship security plan for a ship operated by the participant.

Threat - a source of possible danger or harm, including a situation with the potential to
cause commercial loss. In this document it refers to security threats, not other forms of
threats such as natural disasters or global economic downturns not related to security
incidents.

33 Refer AS/NZS 4360/1999 standard – 1.3 Definitions, page 2.
34 Refer AS/NZS 4360/1999 standard – 1.3 Definitions, page 2.
35 Refer AS/NZS 4360/1999 standard – 1.3 Definitions, page 2.

Unlawful interference with Maritime Transport

1. Any of the following done without lawful authority is an unlawful interference with
   maritime transport:

a) Committing an act, or causing any interference or damage, that puts the safe operation
   of a port, or the safety of any person or property at the port, at risk;
b) Taking control of a ship by force, or threat of force, or any other form of intimidation;
c) Destroying a ship that is being used for maritime transport;
d) Causing damage to a ship that is being used for maritime transport that puts the safety
   of the ship or any person or property on board or off a ship, at risk;
e) Doing anything on board a ship that is being used for maritime transport that puts the
   safety of the ship or any person or property on board or off the ship at risk;
f) Placing, or causing to be placed, on board a ship that is being used for maritime
   transport anything that puts the safety of the ship, or any person or property on board
   or off the ship, at risk;
g) Putting the safety of ships at risk by interfering with, damaging or destroying
   navigational aids, communications systems or security systems;
h) Putting the safety of ships at risk by communicating false information.

2. However, unlawful interference with maritime transport does not include lawful
   advocacy, protest, dissent or industrial action that does not result in, or contribute to,
   an action of a kind mentioned in paragraphs (1)(a) to (h).

In respect of port security assessments the following definitions apply: -

Port
       (1)    A port is an area of water, or land and water (including any buildings,
              installations or equipment situated in or on that land or water) intended
              for use either wholly or partly in connection with the movement, loading,
              unloading, maintenance or provisioning of ships.
       (2)    A port includes:
              (a)    areas of water, between the land of the port and the open
                     waters outside the port, intended for use by ships to gain
                     access to loading, unloading or other land-based port facilities;
                     and
              (b)    areas of open water intended for anchoring or otherwise
                     holding ships before they enter areas of water described in
                     paragraph (a); and
              (c)    areas of open water between the areas of water described in
                     paragraphs (a) and (b).






Security regulated port

       (1)    The Secretary may, by notice published in the Gazette, declare that areas of
              a port intended for use either wholly or partly in connection with the
              movement, loading, unloading, maintenance or provisioning of security
              regulated ships comprise a security regulated port.
       (2)    The notice must include a map of the port that shows the boundaries of the
              security regulated port.
       (3)    An area controlled exclusively by the Australian Defence Force must not be
              included as part of a security regulated port.

Port Security Committee – a framework for communication and coordination of security
arrangements. The Committee should be composed of the port operator, port facility
operators, port service providers, key ship operators or agents, and where relevant
government representatives – eg. Police, Emergency Services, Customs, Navy, AMSA,
state maritime safety agencies etc - with interests in protecting and improving the security
of waterfront areas and the port as a whole.

Port Security Officer – a suitably qualified security officer designated by the port operator
to facilitate the development, implementation, review and maintenance of a maritime
security plan and for liaison with port facility security officers and ship security officers,
where appropriate.

In respect of port facility assessments the following definitions apply:

Port facility means an area of land or water, or land and water, within a security regulated
port (including any buildings, installations or equipment in or on the area) used either
wholly or partly in connection with the loading or unloading of ships.

Port facility operator means a person who operates a port facility.

Port Facility Security Officer – a suitably qualified security officer designated to facilitate
the development, implementation, revision and maintenance of the port facility security
plan and liaison with the ship security officers, company security officers and port security
officer.

In respect of port service provider assessments the following definitions apply:

Port service provider – For paragraph (g) of the definition of maritime industry participant in
section 10 of the Act, the following are prescribed:
       (a)    lighter or barge operator;
       (b)    line handling operator;
       (c)    pilot boat operator;
       (d)    tug operator.


Port Service Provider Security Officer – a suitably qualified security officer designated
to facilitate the development, implementation, revision and maintenance of the port service
provider's security plan and liaison with the ship security officers, company security
officers, port facility security officers and port security officer.




In respect of ship security assessments the following definitions apply:

Company Security Officer – a suitably qualified security officer designated by the ship
operator to develop, submit for approval, and thereafter implement a ship security plan, and
to liaise with ship security officers, port facility security officers and port security officers.

On-scene security survey – an examination and evaluation of the existing shipboard
security measures, procedures and operations.


Regulated Australian ship
       (1) A ship is a regulated Australian ship if the ship is an Australian ship that is:
            (a) a passenger ship that is used for overseas or inter-State voyages; or
            (b) a cargo ship of 500 or more gross tonnes that is used for overseas or
                inter-State voyages; or
            (c) a mobile offshore drilling unit that is on an overseas or inter-State voyage
                (other than a unit that is attached to the seabed); or
            (d) a ship of a kind prescribed in the regulations.

Regulated foreign ship
       (1) A ship is a regulated foreign ship if the ship:
            (a) is a foreign ship; and
            (b) is one of the following:
                  (i) a passenger ship;
                 (ii) a cargo ship of 500 or more gross tonnes;
                (iii) a mobile offshore drilling unit (other than a unit that is attached to the
                      seabed);
                (iv) a ship of a kind prescribed in the regulations; and
            (c) is in Australian waters; and
            (d) is in, or is intending to proceed to, a port in Australia.
       (2) However, the regulations may provide that a ship covered by subsection (1) is
           not a regulated foreign ship.


Ship
Each of the following is a security regulated ship:
            (a) a regulated Australian ship;
            (b) a regulated foreign ship.

Ship Security Officer – a security officer designated by the ship operator for ensuring that
a ship security assessment is carried out, a ship plan is developed, submitted for approval
and then implemented and maintained, and for liaison with the company security officer,
and port or port facility security officers.





Ship Operator
      (a) the owner of a security regulated ship; or
      (b) if, under an agreement between the owner of the security regulated ship and
      another person, the other person is to be the ship operator for the security regulated
      ship for the purposes of the Maritime Transport Security Act.






9 ATTACHMENT B

Skills and Experience Required To Undertake a Maritime Security Assessment
Prior to conducting a security assessment ‘in house’ or contracting out the completion of a security
assessment, in whole or in part, operators should consider the relevant skills and experience required to
undertake a security assessment.

Port security officers, port facility security officers, port service provider security officers and company
security officers should have appropriate skills and experience in the conduct of security based risk
assessments, or be able to access assistance to enable them to complete a security assessment.
Practical risk assessment training, such as in the AS/NZS 4360 risk management standard process, is
readily available from a number of training providers and educational institutions.

The following skills and experience are also considered necessary to conduct a maritime security
assessment.

•  an understanding of the ISPS code and its application in the Australian context under the Maritime
   Transport Security Act;
•  knowledge of port, port facility, port service provider and/or ship operations, design and construction
   relevant to the security assessment to be undertaken;
•  knowledge of the current security environment, including methods of terrorist attack, characteristics
   and behavioural patterns of persons or groups likely to threaten security and techniques used to
   circumvent security arrangements;
•  an understanding of and capacity to evaluate the strengths and weaknesses of existing security
   controls;
•  an ability to determine and evaluate the criticality of assets, infrastructure and operations to port, port
   facility, port service provider and/or ship operations;
•  a capacity to identify, analyse and evaluate security risks to ports, port facilities, port service providers
   and/or ships, including the ship/port interface;
•  experience in the identification, evaluation and application of security risk treatments, including
   cost/benefit analysis;
•  a good knowledge of basic security planning principles and the operational capacity and limitations of
   security and surveillance equipment and/or systems;
•  some knowledge of the methods of recognition and detection of weapons, dangerous substances and
   devices may also be of assistance.

Operators are encouraged to seek expert assistance where they consider that their skills and experience
are limited. They may wish to appoint specialist security consultants with the relevant skills and
experience mentioned above to assist them to complete their Security Assessments. Alternatively, local
government representatives – eg. Police, Emergency Services, Australian Customs Service and Defence
– may be able to provide relevant preventive security and risk assessment expertise.

Port operators, port facility operators, port service providers and ship operators should also consider their
ability to maintain appropriate measures to avoid unauthorised disclosure of, or access to, security
sensitive material.





10 ATTACHMENT C
Security Assessment – Risk Summary Template - Example Only

    Port, Port facility, port service provider or Ship Security Assessment                    DATE
    General Risk Area – eg. Bomb and explosive devices*

    Risk Event | Likelihood | Consequence | Risk Rating | Risk Treatments | Risk Rating After Treatments ***




    Note *    A separate risk summary table should be completed for each general risk area – eg. bombs and explosive devices; arson;
              hijacking and hostage sieges; sabotage; chemical, biological and nuclear weapon attack; hoax calls and scare tactics; and
              cyber attack etc.
         **   Clearly identify those security measures currently implemented and those measures to be implemented to reduce risk
              rating to acceptable levels.
         ***  Indicate potential risk rating after risk treatments are applied. Once risk treatments are in place, the effectiveness of
              the security measures selected should be monitored and reviewed to confirm the risk rating actually achieved. Additional
              or alternative risk treatments will need to be considered if measures are found not to be effective in reducing risks to
              acceptable levels.





11 ATTACHMENT D
Consequence Rating Table – Example Only

5    Catastrophic (Descriptor*)
     Economic Impact:                      Greater than $10M
     Business Disruption and Continuity**: Severe disruption to business activities for an extended period – greater than 1 month
     Death or injury:                      Numerous deaths
     Social Impact:                        Severe ongoing community impact(s); potentially weeks
     Environmental Impact:                 Complete destruction of an ecosystem over a large area
     Symbolic Effect:                      Significant damage to or destruction of nationally important symbol that is
                                           internationally recognised
     Damage to Business Reputation/Public Image:
                                           Extensive damage to business reputation (possibly irreparable and crippling to
                                           business) with potential to destroy business; serious impact on organisation’s public
                                           image; significant and sustained media, community and political scrutiny with
                                           possible international coverage; potential for intrusive police or other inquiry into
                                           security incident

4    Major
     Economic Impact:                      $5M-$10M
     Business Disruption and Continuity**: Major disruption to business activities – more than 1 week to 1 month
     Death or injury:                      Some loss of life
     Social Impact:                        Major community impact(s); potentially days
     Environmental Impact:                 Long term damage to part of an ecosystem over a wide area
     Symbolic Effect:                      Damage to an important national symbol or significant damage to or destruction of a
                                           state symbol that is well recognised
     Damage to Business Reputation/Public Image:
                                           Major impact on business reputation; major set back to organisation’s public image;
                                           adverse media, community and political comment, national coverage; possible
                                           intrusive questions in Parliament, but no inquiry

3    Moderate
     Economic Impact:                      $1-$5M
     Business Disruption and Continuity**: Some significant disruption to business activities – 1 day up to 1 week
     Death or injury:                      Serious injury or stress requiring hospitalisation; permanent injury; compensation
                                           of injury
     Social Impact:                        Moderate community impact(s) and source of annoyance; potentially hours
     Environmental Impact:                 Medium term damage to a part of an ecosystem over a wide area
     Symbolic Effect:                      Damage to a state symbol or significant damage to a locally important symbol
     Damage to Business Reputation/Public Image:
                                           Some impact on business reputation; public embarrassment for senior management
                                           and/or security personnel; some adverse local media publicity

2    Minor
     Economic Impact:                      $100,000 to $1M
     Business Disruption and Continuity**: Minimal disruption to business activities – 1 hour to 1 day
     Death or injury:                      Injury requiring medical treatment; lost time due to injury
     Social Impact:                        Minimal/short term community impact(s) or annoyance
     Environmental Impact:                 Short term damage to an environment with localised impact on the ecosystem
     Symbolic Effect:                      Damage to a locally important symbol
     Damage to Business Reputation/Public Image:
                                           Limited damage to business reputation; stakeholder and/or shareholder concerns;
                                           limited adverse local media publicity

1    Insignificant
     Economic Impact:                      Less than $100 000
     Business Disruption and Continuity**: No or very limited disruption to business activities – less than 1 hour
     Death or injury:                      First aid treatment required
     Social Impact:                        Minor community impacts or inconvenience
     Environmental Impact:                 Very limited or small scale damage to part of an ecosystem eg. a minor oil spill
     Symbolic Effect:                      Very limited or no damage to a locally important symbol
     Damage to Business Reputation/Public Image:
                                           No significant damage to business reputation; resolved by day to day management;
                                           no adverse media publicity

Notes
*  Preference should be given to use of descriptors rather than numbers for ease of interpretation.
** Port authorities, port facility operators and ship operators should modify the suggested business disruption and continuity
   impact criteria for extreme to insignificant risks if they do not reflect an appropriate risk continuum for their business
   operations.





12 ATTACHMENT E

Risk Treatment Schedule And Action Plan - Example Only


Risk Event – list in order of priority | Possible risk Treatment Options – list all relevant security measures | Preferred Option – after cost/benefit analysis | Risk rating after treatment | Person or organisational area responsible for risk treatment | Timetable for implementation, monitoring and review




Note – possible risk treatments could include security measures such as:

•  adequate perimeter barriers to prevent unauthorised entry of people and/or vehicles.
•  photographic and/or electronic identification systems for people and vehicles.
•  closed circuit TV surveillance and regular security patrolling.
•  restricted zones on land-side around critical infrastructure.
•  exclusion areas on waterside when high risk vessels are berthed.
•  adequate lighting arrangements for port/ship interface.
•  cargo authorisation and storage processes, passenger screening on cruise ships.
•  detection and authorisation of vessels entering or within the port.
•  staff security training, security management committees and defined emergency procedures and plans.
•  security audits and exercises to test security arrangements.






13 ATTACHMENT F

Resource List

Risk Assessment and Management Resources
AS/NZS 4360/1999 : Risk Management
This Standard provides a generic guide for the establishment and implementation of the risk
management process involving the identification, analysis, evaluation, treatment and ongoing monitoring
of risks. www.standards.com.au


HB 231:2000
Information Security Risk Management Guidelines
This Handbook provides a generic guide for the establishment and implementation of a risk
management process for information security risks.


Critical Infrastructure Emergency Risk Management and Assurance Manual
The handbook is an additional resource to complement AS/NZS 4360/1999 : Risk Management
standard which will be continually refined to become a repository of collective knowledge and wisdom of
the emergency risk managers in the infrastructure sector.
http://www.ema.gov.au/ema/emainternet.nsf/HeadingPagesDisplay/Research?OpenDocument#ermmanual

Securing Queensland’s Critical Infrastructure: guidelines for owners/operators
General critical infrastructure protection document produced by the Queensland Government on issues
which should be considered when attempting to secure critical infrastructure.
http://www.premiers.qld.gov.au/library/pdf/infopackweb.pdf



Risk Management Process
Draft Guidance Manual for Infrastructure Operators
Tasmanian Counter Terror Review Team, Jan 2003

ANAO – Australian Government Audit Office
Business Continuity Management Guide
This guide presents a structured approach to business continuity management. The approach involves
identifying preventative treatments for continuity risks that can be routinely managed, and developing an
organisation-wide business continuity plan to deal with the consequences should the preventative
treatments fail.
http://www.anao.gov.au/WebSite.nsf/Publications/4A256AE90015F69B4A2568EE0010062B

US Coast Guard Navigation & Vessel Inspection Circulars (NVICS)
http://www.uscg.mil/hq/g-m/nvic/


Maritime Security Resources
Australian Government’s National Security Website
www.nationalsecurity.gov.au

Department of Transport & Regional Services - Transport Security
http://www.dotars.gov.au/transinfra/tsd_description.htm

Australian Association of Port and Marine Authorities
http://www.aapma.org.au/index.php3




Australian Maritime Safety Authority
http://www.amsa.gov.au/amsa/abt.htm

Australian Customs Service
http://www.customs.gov.au/

International Organizations
Security of cargo
World Customs Organization (WCO)
http://www.wcoomd.org/

Seafarer Identification
International Labour Organization
http://www.ilo.org/

International Maritime Organisation
http://www.imo.org/home.asp

The IMO press release and an overview of the ISPS Code can be found at:
http://www.imo.org/Newsroom/mainframe.asp?topic_id=583&doc_id=2689


United States
U.S Customs
http://www.customs.ustreas.gov/

Container Security Initiative Compendium
http://www.customs.ustreas.gov/xp/cgov/newsroom/highlights/csi/csi_compendium.xml

24-Hour Rule
http://www.customs.ustreas.gov/xp/cgov/import/carriers/24hour_rule/

US Coast Guard
http://www.uscg.mil/USCG.shtm

US Federal Emergency Management Agency
http://www.fema.gov



