RADIOACTIVE SOURCES SECURITY MANAGEMENT
Name: FAEIZAL ALI ([email protected])
Section/Division: SEKSYEN PERUNDANGAN, ATOMIC ENERGY LICENSING BOARD (AELB), MINISTRY OF SCIENCE TECHNOLOGY AND INNOVATION

Source Security Management



  • What is Security Management?

    Maintain the most cost effective and efficient security for an organization to protect its assets, information, intellectual property, operations, functions (radioactive material)

    Takes into consideration the business and operations with a balance between minimum standards, compliance and risk management

    Ensures security measures and systems function properly

    Security Culture is an integral part of security management

    http://www.aelb.gov.my http://ansn.aelb.gov.my

  • Typical Management of Security

    - Compliance to obligations, regulation and governance
    - Security Plan (Objectives)
    - Threat Assessment, DBT, increased threat scalability
    - Target Identification (Categories)
    - Security Culture
    - Inventories and Records
    - Efficiency and cost effectiveness
    - Facility business, operations and nuclear safety
    - Contingency plan

  • Typical Security Management

    - Organization Chart/Structure
    - Security Plan Objectives
    - Compliance to obligations, regulation and governance
    - Policies
    - Consideration facility operations, business & nuclear safety
    - Contingencies
    - Efficiency and Cost Effectiveness
    - Review (Need & periods)
    - Threat
    - Facility Characterization
    - Threat Assessment, DBT, increased threat scalability
    - Security Risk Assessment/Category
    - Target Identification (Categories)

  • Typical Security Management

    - Personnel Security
    - Roles & Responsibilities
    - Authority
    - Trustworthiness
    - Procedures
    - Adequate level of qualified staff
    - Access
    - Only authorized persons unescorted
    - Authorization, logging and monitoring
    - Key and key control
    - Training (Induction, awareness & education) - Staff and guards
    - Security event and/or breach reporting system

  • Typical Security Management

    Documentation

    - Procedures
    - Day to day operations (Staff, security & guards)
    - Visitors and contractors
    - Emergency
    - Contingency (Media)
    - Control
    - Information Security
    - Framework for types of information (Policies, procedures, operations, etc.)
    - Use, storage, transmission, distribution, carriage and destruction
    - IT Security
    - Need to know
    - Quality Assurance
    - Inventories and Records
    - NM or sources

  • Typical Security Management

    Security Systems

    - Detailed design
    - Protection in depth
    - Hardware (security devices, physical barriers, access control/monitoring, communications, intrusion detection, etc.)
    - Procedures and operation
    - Repairs, Routine preventative maintenance and testing
    - Records
    - False & Nuisance alarms - Performance
    - Scalable measures for increased threat
    - Guarding and Response
    - Procedures
    - Capabilities and resources
    - Deterrence (prevention)
    - Monitoring, detection, assessment
    - Alarm/Incident response
    - Increased threat
    - Security Culture

  • Security Fundamentals: Protection in Depth

    - Deterrence (prevention)
    - Detection
    - Assessment
    - Delay
    - Response
    - Contingencies

  • Protection in Depth

  • Protection in Depth

  • Protection in Depth

    - Exterior & Interior Lighting
    - Strong Rooms
    - Information Security
    - Audit Trails
    - Policies and Procedures
    - Testing and Inspections
    - Regulation & Governance
    - Secure Rooms
    - Trustworthiness Checks
    - Alarms
    - Need To Know
    - ID Cards
    - Recruitment Checks
    - Guards and Patrols
    - Logon ID & Passwords
    - Perimeter Fences
    - Detection Devices
    - Categorization
    - Encryption
    - Access Control & CCTV
    - Legislation
    - Locks
    - Safes
    - Vaults

  • What are we trying to do with Security?

    - Administrative Measures
    - Securely and safely manage sources by policies, procedures and practices
    - Physical barriers to source, device or facility
    - Separate it from unauthorized personnel
    - Deter, delay or prevent unauthorized access or removal of a source
    - Balanced Measures
    - Efficient and cost effective
    - Physical
    - Administrative
    - Personnel
    - Information Security

  • Balanced Security Measures

    PHYSICAL
    - Physical Barriers
    - Secure areas and buildings
    - Security technology - access control, alarms, CCTV
    - Secure storage
    - Guarding

    PERSONNEL
    - Photo Identification Badges
    - Pre-determined trustworthiness
    - Security Education and Awareness
    - Authorized access and limit to need
    - Visitor and contractor supervision and control

    ADMINISTRATIVE
    - Authorizations and Delegations
    - Policies and Procedures
    - Confidentiality
    - Key and badge control
    - Facility Security Officer

    INFORMATION TECHNOLOGY
    - Communications
    - Access Accounts, passwords, screen savers
    - IT Security Officer

  • Security Plan

    - Prepared by the user and submitted to the regulatory body as part of the authorization
    - Outlines security objectives
    - Detailed description of:
      - Radioactive source/material inventory
      - Security arrangements and procedures
      - Security roles and responsibilities
      - Contingencies (including media)
    - Greater detail for sources in higher security groups

  • Threat

    - Collect and organize threat data
    - Identify threats and characteristics
    - Formalize threat assessment and gain consensus
    - Define Design Basis Threat
    - Scalability for Increased Threat
      - Administrative (procedures, access)
      - Physical (walls, buildings)

  • Key Points for Typical Security Culture

    Definition: Characteristics and attitudes in organizations and of individuals which establish that security issues receive the attention warranted by their significance

    - OBJECTIVES
    - AWARENESS & EDUCATION
    - RESPONSIBILITIES
    - ACKNOWLEDGE THREAT
    - POLICIES & PROCEDURES
    - USER FRIENDLY SYSTEMS
    - SUPPORT & ASSISTANCE
    - HUMAN PERFORMANCE
    - ACCESS & TRUSTWORTHINESS
    - PERFORMANCE MONITORING

  • Security Culture

    OBJECTIVES

    - Usually set out in Security Plan or Policies
    - Essential (necessary) to know security objectives
    - Clear on what are we trying to do
    - Obligations, compliance & governance
    - Legislation
    - Responsibilities

  • Security Culture

    AWARENESS & EDUCATION

    - Staff understand why have security and what to do
    - Aware of security arrangements and responsibilities
    - Site Security Presence
    - Security always there - 24/7
    - Contact numbers for reporting events (at all times)
    - Events/reports/incidents
    - Timely reporting to Senior Management (their responsibility too)
    - Reporting process
    - Remedial security actions completed
    - Given security tools including Training & information
    - Handouts, manuals, intranet, staff briefing/seminars
    - Security contact email address

  • Security Culture

    RESPONSIBILITIES

    - Clear responsibilities from OBTL through line management to staff
    - Responsible Officers for sources (RPO/RPS)
    - Security is a shared responsibility

  • Security Culture

    IDENTIFY & ACKNOWLEDGE THREAT

    - Staff need to know generally what the threats are - Theft or sabotage
    - Typical adversaries and methods
    - Overt (open) or covert
    - Insider (Passive or active)

  • Security Culture

    POLICIES & PROCEDURES

    - In place and available to staff
    - Details organization's objectives, obligations and responsibilities

  • Security Culture

    USER FRIENDLY SYSTEMS

    - Systems easy to use
    - Allow persons with authorized access to temporarily disable measures (such as locked doors)
    - Verify person's identity and access authorization
    - Use badge and PIN to activate door control reader
    - Key with effective key control
    - Reliable systems
    - Testing and maintenance
    - Periodic preventative (check, clean, service, adjust & walk test)

  • Security Culture

    ACCESS & TRUSTWORTHINESS

    - Authorized Persons
    - Unescorted access to sources
    - Access to sensitive information
    - Personnel Security - Staff and contractors
    - Need access and information to perform their duties
    - Background checks prior to granting access
    - In accordance with national standards or as determined by regulatory body
    - Confirmation of identity, verification of references to determine the individual's character, integrity, reliability, willingness to comply

  • Security Culture

    HUMAN PERFORMANCE

    - Overall SECURITY RELIES ON PEOPLE
    - Behavior, Attitude, Honesty, Maturity
    - Ability and willingness to carry out security arrangements
    - Staff properly trained

  • Security Culture

    SUPPORT & ASSISTANCE

    - Security advice readily available
    - Staff must have support from line management
    - Consistency

  • Security Culture

    PERFORMANCE MONITORING

    - Security incidents or faults reporting system
    - Timely reporting
    - Measurement - Number and type of incidents
    - Analysis of statistics and reporting

  • Summary

    Security management to ensure cost effective, efficient, balanced system with protection in depth

    Security Management ensures security measures and systems function properly

    Security Culture is an integral part of security management

    All persons in organization share the responsibility for security
