1. Make an explicit and visible commitment of the senior leadership to security.
2. Promote security awareness throughout the organization.
3. Assess vulnerabilities and periodically review and update vulnerability assessments to reflect changes in potential threats and vulnerabilities.
4. Identify security priorities and, on an annual basis, identify the resources dedicated to security programs and planned security improvements, if any.
5. Identify managers and employees who are responsible for security and establish security expectations for all staff.
6. Establish physical and procedural controls to restrict access to utility infrastructure to only those conducting authorized, official business and to detect unauthorized physical intrusions.
7. Employ protocols for detection of contamination consistent with the recognized limitations in current contaminant detection, monitoring, and surveillance technology.
8. Define security-sensitive information, establish physical and procedural controls to restrict access to security-sensitive information as appropriate, detect unauthorized access, and ensure information and communications systems will function during emergency response and recovery.
9. Incorporate security considerations into decisions about acquisition, repair, major maintenance, and replacement of physical infrastructure; this should include consideration of opportunities to reduce risk through physical hardening and the adoption of inherently lower risk design and technology options.
10. Monitor available threat-level information; escalate security procedures in response to relevant threats.
11. Incorporate security considerations into emergency response and recovery plans, test and review plans regularly, and update plans as necessary to reflect changes in potential threats, physical infrastructure, utility operations, critical interdependencies, and response protocols in partner organizations.
12. Develop and implement strategies for regular, ongoing security related communications with employees, response organizations, and customers.
13. Forge reliable and collaborative partnerships with communities, managers of critical interdependent infrastructure, and response organizations.
14. Develop utility-specific measures of security activities and achievements, and self assess against these measures to understand and document program progress.
1. Does a written, enterprise-wide security policy exist, and is the policy reviewed regularly and updated as needed?
2. Are incidents reported in a timely way, and are lessons learned from incident responses reviewed and, as appropriate, incorporated into future utility security efforts?
3. Are reassessments of vulnerabilities made after incidents, and are lessons learned
and other relevant information incorporated into security practices?
4. Are security priorities clearly identified, and to what extent do security priorities have
resources assigned to them?
5. Are managers and employees who are responsible for security identified?
6. To what extent are methods to control access to sensitive assets in place?
7. Is there a protocol/procedure in place to identify and respond to suspected contamination events?
8. Is there a procedure to identify and control security-sensitive information, is information correctly categorized, and how do control measures perform under testing?
9. Are security considerations incorporated into internal utility design and construction
standards for new facilities/infrastructure and major maintenance projects?
10. Is there a protocol/procedure of responses that will be made if threat levels change?
11. Do exercises address the full range of threats—physical, cyber, and contamination—
and is there a protocol/procedure to incorporate lessons learned from exercises and actual responses into updates to emergency response and recovery plans?
12. Is there a mechanism for utility employees, partners, and the community to notify the
utility of suspicious occurrences and other security concerns?
13. Have reliable and collaborative partnerships with customers, managers of independent interrelated infrastructure, and response organizations been established?
14. Not applicable.
Key features of an effective security program
