Guideline for Security Risk Management and Asset Protection
State-wide Distribution
Custodian/Review Officer: Director, Organisational Health Senior
Authority: Lyn Rowland, Chief Human Resources Officer, System Support Services Division
Approving Officer

1. Purpose
This Guideline provides recommendations regarding best practice for assistance in the protection of Queensland Health assets: People, Property, Information, Activities and Reputation.

2. Scope
This Guideline provides information for all Queensland Health employees (permanent, temporary and casual) and all organisations and individuals acting as its agents (including Visiting Medical Officers and other partners, contractors, consultants and volunteers). This Guideline applies to all Queensland Health facilities, including employee housing.
3. Related documents
Occupational Health and Safety (OHS) Policy
Implementation Standard for Security Risk Management and Asset Protection
Protocol for Security Risk Management and Asset Protection
Protocol for Closed Circuit Television Security Systems
Protocol for Safe Possession and Use of Personal Protective Devices
Protocol for Possession and Use of Notebooks
Key Words: security, risk management, asset protection, SRMAP, plan, strategic, major works
Page 1 of 7
Queensland Health: Guideline for Security Risk Management and Asset Protection

Forms and templates
Nil.
4.
This Guideline details actions and processes pursuant to providing protective security services across all Queensland Health facilities and services. This Guideline (also refer to Attachment Chapters 1-17) provides information on the following practices:
1. Protective Security in the Healthcare Environment
2. Protective Security Personnel
3. Security Risk Management and Asset Protection
4. Security Incident Management and Investigation
5. Security and the Physical Environment
6. Identification Badges
7. Prevention of Crime and Unwanted Behaviour
8. Occupational Violence Prevention and Management
9. Patients with Protective Status
10. Legislation Relevant to Healthcare
11. Geographically Remote Locations
12. Security for Staff Working within the Community
13. Protective Security in Clinical Areas
14. Pharmacy and Pharmaceutical Security
15. Protective Security in Non-Clinical Areas
16. Protective Security of Helicopter Landing Sites
17. Protection of Information.
5. Definition of Terms
Each entry gives the term, its definition / explanation / details, and the source in square brackets.

Activities: Workplace operations, processes or functions for the safe and effective delivery of healthcare services. [Source: Queensland Health]

Assets: An item or process that an individual, community or Government values and is important to supporting the expectations of those peoples', organisations' or Governments' outcomes and objectives. Assets are categorised as People, Property, Information, Activities and Reputation. [Source: Queensland Health]

Baton: Any device (not being a toy or category M weapon under Weapons Categories Regulation 1997) constructed or designed as an expandable telescopic baton that, if used, is capable of causing bodily harm. Batons are a restricted item pursuant to the Weapons Act. [Source: Weapons Act; Weapons Categories Regulations 1997]

Capability: The ability, experience and knowledge of a person, process or information to undertake the stated or claimed activity. This is commonly used in relation to the capability of a threat source. [Source: Queensland Health]

Consequence: [definition text not present on this page] [Source: Queensland Health]

Control: Measure that is modifying risk. Controls may include process, policy, device, practice or other actions which modify risk.

Counter Measure: Any action that reduces the probability of a risk occurring or reduces its impact if it does occur, or both. A control applicable to specified threats. [Source: Queensland Health]

Covert Surveillance: Covert surveillance is where: the employees have not been notified before the intended surveillance is conducted; cameras or evidence of their existence are not clearly visible at the workplace; there are no clearly visible signs at the entrance to the workplace to notify people that they may be under CCTV surveillance. [Source: Queensland Health]

Critical Assets: Assets which, if destroyed, degraded, or rendered unavailable for an extended period, will impact on social or economic wellbeing, activities, information or reputation of individuals or organisations.

Criticality: The importance or dependence that an organisation has on a person, function, process, item or infrastructure or specific facility.

Event: An incident or situation which occurs in a particular place during a particular time.

Facility: Any physical infrastructure.

Frequency: A measure of the number of occurrences per unit of time.

Harm: Death, disease, injury or disability experienced by a person. Destruction, damage or threat to the organisation, loss of or damage to the environment, or a combination of these. [Source: Queensland Health]

Hazard: A situation or thing that has the potential to harm a person. Hazards at work may include: noisy machinery, a moving forklift, chemicals, electricity, working at heights, a repetitive job, bullying and violence in the workplace. [Source: How to Manage Work Health and Safety Risks, Code of Practice 2011, Workplace Health and Safety Queensland]

Impact: The outcome following the occurrence of an event. [Source: Queensland Health]

Intent: The confidence to carry out the stated or postured claim and the desire to carry out the action or activities. [Source: Queensland Health]

Manager (Security): Is the person or persons designated, trained to have, direct responsibility for the implementation of the policies, purposes and methods of control of a CCTV system, as defined by the owner of the system. [Source: Queensland Health]

Mechanical Wrist Restraint: Refers to handcuffs or similar wrist-restraints, classified as restricted items pursuant to the Weapons Categories Regulation 1997, but does not include other forms of restraint.

Natural Surveillance: Refers to the use of clear sight lines, lighting, landscaping and fencing, and reduction of enclosed locations to facilitate observation. The purpose of natural surveillance is to deter crime through increasing the perception of risk for abnormal users, and increasing the perception of likely assistance for normal users. [Source: Crime Prevention through Environmental Design Part A & B Guidelines for Queensland]

Notebook: An official security notebook issued to a security officer or authorised person by Queensland Health. [Source: Queensland Health]

Operator (Security): Is the person specifically designated and authorised by the owner of a CCTV system to carry out the physical operation of controlling that system. [Source: Queensland Health]

Organisation: A company, corporation, firm, enterprise or institution or other legal entity or part thereof, whether incorporated or not, public or private, that has its own function(s) and administration. [Source: AS/NZS 4801]

Owner (Security): Is the legal person or entity designated as having overall responsibility for the formulation and implementation of the policies, purpose and control of a CCTV system. [Source: Queensland Health]

Probability: A measure of the chance of the risk occurring. Also known as likelihood in this document. [Source: Queensland Health]

Residual Risk: The risk remaining after the implementation of risk treatments or controls. [Source: Queensland Health]

Risk Analysis: Systematic process to understand the nature of, and to deduce the level of, risk. [Source: Queensland Health]

Risk: Is the possibility that harm (death, injury or illness) might occur when exposed to a hazard. [Source: How to Manage Work Health and Safety Risks, Code of Practice 2011, Workplace Health and Safety Queensland]

Risk Assessment: Overall process of Risk Identification, Risk Analysis and Risk Evaluation. [Source: Integrated Risk Management Policy (QH-POL-070:2011)]

Risk Management: Coordinated activities to direct and control an organisation with regards to risk. [Source: Integrated Risk Management Policy (QH-POL-070:2011)]

Security: The preparedness, protection and preservation of people, property and information, both tangible and intangible. [Source: Queensland Health]

Security Control: Any action that reduces the probability of a risk occurring or reduces its impact if it does occur. An existing process, policy, device, practice or other action that acts to minimise negative impacts or enhance positive opportunities. [Source: Queensland Health]

Security Incident: Any event or circumstance involving or affecting the individual or organisation that causes or is likely to cause a loss (physical or otherwise), disruption, or fear arising from the deliberate activities of other parties. Where impacts are, or could potentially be, realised against people, property or information. [Source: Queensland Health]

Security Plan: The plan of action the organisation intends to use to address its security risks based on the context in which the organisation operates and a thorough risk review. It is one of the means by which an organisation will demonstrate a commitment to general risk management. [Source: Queensland Health]

Security Risk Management: Security risk management is the culture, processes and structures that are directed towards maximising benefits and minimising adverse effects associated with the intentional, unintentional or unwarranted action of others against assets. [Source: Queensland Health]

Soft Shield: Utilises multiple layers of shock absorbing foam with an interlayer of flexible puncture resistant material to enhance the shield's protection capabilities, incorporating the specifications in Attachment A. [Source: Queensland Health]

Target Hardening: Refers to the use of physical barriers, locks, safes, screens or reinforced materials to reduce the opportunity for illegal access or vandalism to a property. [Source: Queensland Health]

Technical Surveillance: Refers to the use of electronic security equipment (closed circuit television or video monitoring) to monitor vulnerable areas. [Source: Queensland Health]

Threat: Are existing conditions, processes or systems that may interact with ongoing activities to instigate error. Threats can be expected, unexpected or latent. A source of risk or potential for harm to occur. [Source: Queensland Health]

Threat Source: A list of potential sources that could cause harm to an organisation. For example: vandal, criminal, terrorist. [Source: Queensland Health]

Vulnerability: Any weakness that can be exploited by an aggressor to make an asset susceptible to change. [Source: Queensland Health]
6.
Emergency Preparedness and Continuity Management Guidelines
Integrated Risk Management Guidelines
Possession and Use of Notebooks training/resource document
7. Consultation
Key stakeholders (position and business area) who reviewed this version are:
Principal Occupational Health and Safety Consultant, Healthcare Security
Principal Policy Officer, Policy and Performance
8.
1.1
Lyn Rowland, Chief Human Resources Officer, System Support Services Division

1. PROTECTIVE SECURITY IN THE HEALTHCARE ENVIRONMENT
2. PROTECTIVE SECURITY PERSONNEL
3. SECURITY RISK MANAGEMENT AND ASSET PROTECTION
   APPENDIX 1: PROTECTIVE SECURITY SURVEY (PSS)
   APPENDIX 2: PROTECTIVE SECURITY RISK EVALUATION (PSRE)
   LIST OF ANNEXES: A-M
4. SECURITY INCIDENT MANAGEMENT AND INVESTIGATION
5. SECURITY AND THE PHYSICAL ENVIRONMENT
6. IDENTIFICATION CARDS
7. PREVENTION OF CRIME AND UNWANTED BEHAVIOUR
8. OCCUPATIONAL VIOLENCE PREVENTION AND MANAGEMENT
9. PATIENTS WITH PROTECTIVE STATUS
10. LEGISLATION RELEVANT TO HEALTHCARE
11. GEOGRAPHICALLY REMOTE LOCATIONS
12. SECURITY FOR STAFF WORKING WITHIN THE COMMUNITY
13. PROTECTIVE SECURITY IN CLINICAL AREAS
14. PHARMACY AND PHARMACEUTICAL SECURITY
15. PROTECTIVE SECURITY IN NON-CLINICAL AREAS
16. PROTECTIVE SECURITY OF HELICOPTER LANDING SITES
17. PROTECTION OF INFORMATION
1.5 Healthcare Protective Security Strategic Intents
Queensland Health will be successful in the provision of quality healthcare protective security through five strategic intents:
1. People:
   Recruit, train and retain a highly skilled workforce
   Encourage and support staff to develop their knowledge, leadership and skills
   Be accountable and act ethically
   Promote healthcare protective security utilising sound risk management principles.
2. Information and Systems:
   Utilise integrated risk management processes to effectively manage healthcare protective security.
3. Environment:
   Promote an organisational culture that supports healthcare protective security values including professionalism, teamwork, performance accountability, and quality and recognition
   Promote and implement situational crime prevention principles including Crime Prevention Through Environmental Design.
4. Activities:
   Be leaders in healthcare protective security through innovative practices and quality improvement
   Seek consultation with key stakeholders to achieve legislative compliance, and create appropriate Queensland Health Policies, Implementation Standards and Protocols
   Meet or exceed minimum healthcare industry accreditation requirements
   Establish educational and awareness programs to support healthcare protective security.
5. Partnerships:
   Work collaboratively with our key stakeholders and others to integrate programs and activities which support and promote healthcare protective security.

1.6 Focus of Protective Security
The provision of protective security services within healthcare is focused on four major objectives:
1. Prevention of unwanted activities and behaviours
2. Protection of persons, property and workplace activities
3. Response to security events
4. Recovery from security events.

1.7 Protective Security Awareness
It is important that all staff are aware of their security obligations and of their facility's protective security work practices, standards and procedures. Protective security awareness training should take place as part of induction, with refresher sessions at regular intervals. Information fact sheets posted on notice boards and/or on web pages could also be utilised. It is imperative that staff also take responsibility for their own safety and security. Where security equipment is supplied (doors, locks, windows, barriers) it is imperative that employees use it effectively. The safety and security of others may depend on whether a door is locked or a window shut. Security and safety is everyone's right and responsibility.
Use of contract security must be in compliance with relevant human resource and industrial relations instruments. Security officers, both employees and contractors, shall be appointed in writing as a security officer and/or authorised person pursuant to Section 163 Hospital and Health Boards Act 2011 (HHB Act). Whilst external security providers performing work for Hospital and Health Services shall hold the appropriate class of security licence under the Security Providers Act 1993, QH Legal Unit confirms that employees undertaking security work in a Queensland Health facility employed under the HHB Act are not security providers for the purpose of the Security Providers Act 1993; therefore there is no legislative requirement for these officers (employees) to be licensed.

2.3 Appointment of Security Officers and Authorised Persons
All persons (employees or contractors) engaged at Queensland Health facilities to undertake a security role (or that of an authorised person) must be appointed in writing in accordance with the Hospital and Health Boards Act 2011. The HHB Act provides for the Health Service Chief Executive to appoint a security officer under s164, provided the appointer is satisfied the person is qualified because the person has the necessary expertise and experience. Contracted licensed providers (firms) of security must provide licensed security personnel (pursuant to the Security Providers Act 1993). In addition, the contract arrangements may require certain specialised competencies equivalent to Queensland Health employee training and education (for example, Aggressive Behaviour Management for Healthcare Workers and fire safety). These competencies or skills requirements must be clearly documented in the tender and contract documentation.

2.4 Selection of Staff
Protective security officers in the healthcare industry require suitable personal qualities and behaviours to assist in the performance of their duties. Desirable personal attributes include good character, attitude and ability to interact with people in a positive and supportive manner, neat appearance and deportment, and a sound knowledge of the position's role, duties and responsibilities. Where appropriate, healthcare protective security officers should be physically fit and be prepared to undergo further training. Self-discipline, alertness and the ability to communicate orally and in writing are essential qualities in those considered for selection. It is important that attention is paid to the current minimum standards of competence and qualification of persons to be appointed as protective security officers or authorised persons. These standards will be set in response to legislative requirements and the needs of the organisation.

2.5 Employment Screening
Protective security staff shall be subject to a thorough investigation of their past employment history prior to their appointment in security positions. Screening will include relevant criminal history checks in accordance with Queensland Health Policy.

2.6 Tasks and Functions of Protective Security Staff
Protective security staff are often the first contact person for patients, staff and others and may be required to:
   perform entry/exit control duties, for example identification and security pass checking
   monitor electronic surveillance and security alarm systems
   perform security risk management tasks
   carry out inspections to verify the integrity of secure perimeters, security containers and areas controlled for reasons of security after hours, and lighting and security inspections
   patrol external areas and buildings
   patrol internal building areas to secure classified, sensitive and valuable material (i.e. detection and reporting of breaches, including lockup procedures)
   escort patients, staff, visitors, cash in transit and tradespersons
   conduct staff protective security awareness campaigns and promotions
   manage small lost property items, deceased effects or valuables. Managing lost and found property in larger Health Services may be an administrative role undertaken by a trustee or other person set up specifically to manage these effects
   provide assistance as directed during an emergency
   perform lockup and unlock duties of designated areas as required
   report security, fire and safety risks
   manage key and access controls
   check identification of persons
   respond to alarms and calls for assistance
   monitor and control traffic and parking on facility property
   keep a record of daily activities, including alarms and incidents
   assist in the location of missing patients
   assist and support the security coordinator as required.
2.7 Standard Operating Procedures and Work Instructions
The duties of protective security officers should be clearly detailed in security work instructions or SOPs. SOPs should be available to all protective security officers; however, work instructions should be stored in a secure area and should not be made available to unauthorised persons. More general documents about how Queensland Health employees sustain a secure workplace through processes such as key control, access control or notifying security departments of incidents should be readily available for all staff, for example, published on QHEPS. SOPs define the administration and security responses to topics including:
   access control, visitor procedures, after hours entry/exit procedures;
   guidance for checking doors, windows and other security features;
   the function and existence of security patrols;
   how to operate the security alarm system;
   response action concerning an incident or discovery of a security breach;
   documentation on relevant State or Commonwealth legislation, Queensland Health Policies, Implementation Standards and local procedures;
   protocols for managing occupational violence; and
   requirements for any special places or unwanted activities requiring additional awareness.

2.8 Staff Numbers
The number of healthcare protective security officers employed by a facility will vary from site to site. A comprehensive security risk assessment (SRA) must be facilitated by the coordinator in accordance with Australian Standards Handbook HB167: Security risk management. Findings from the assessment will assist in determining correct staffing levels, resources and other forms of risk reduction as appropriate.

2.9 Employee or Contract Services
Queensland Health will use employees rather than contract security where possible. Compliance with relevant industrial agreements must be maintained.

2.10 Training and Development
It is essential that protective security officers undertake training commensurate with their duties and responsibilities. Due to the diversity of the roles and responsibilities of protective security officers, each Hospital and Health Service will need to determine any additional training and competency needs. Training and induction must be provided to protective security staff prior to commencement of operational duties. AS4485: Security for Healthcare Facilities and AS4421: Guards and patrols provide detail for the levels and competency required within general security and healthcare security. The Security Risk Management and Asset Protection Protocol and relevant Australian Standards require that:
   effective training shall be delivered by suitably qualified or experienced staff;
   persons undergoing training shall be supernumerary to existing qualified staffing arrangements;
   the performance of the person being trained must be assessed and, where necessary, remedial training provided;
   employee development training should be encouraged;
   training records are to be maintained for all job related training.
All protective security staff are required to participate in specialised training appropriate to their role and responsibilities, which may include:
   Aggressive Behaviour Management for Healthcare Workers
   fire safety and response
   emergency response
   local security systems and procedures.
All protective security training must be:
   competency based
   recorded (including course content, assessment/competency standards, attendance and evaluation) and retained in the employee's personnel file
   maintained in a Training Register.

Table 1: Brief synopsis of competency requirements under Australian standards
Australian Standard 4421: Guards and patrols
a) Standing orders; b) Site orders; c) Administrative procedures; d) Communications; e) Field communications; f) Customer relations; g) First response fire safety; h) Occupational safety; and i) Legal rights and jurisdiction.

Australian Standard 4485: Security for healthcare facilities
Introduction to healthcare security: a) Healthcare facilities overview; b) Healthcare security: Organisation and structures; Roles, duties and responsibilities; and Public and community relations; c) Threat, vulnerabilities and risks overview; and d) Career and professional development.
Protective security: a) Security overview; b) Physical security: defence in depth, locks, access control; c) Security technology: alarms, closed circuit television, detectors, duress alarms; d) Emergency detection technologies (as appropriate); e) Fire indicator systems, EWIS, detectors, VESDA, fire suppression systems; f) Administrative and procedural security; g) Personnel security; h) Information security (see AS/NZS 4444); i) Identifying vulnerabilities; j) Traffic and vehicle management; k) Patrol techniques; l) Dealing with incidents; and m) Security officers' equipment and personal protective equipment.
Communications: a) Report writing; b) Records; c) Incident reports, records management; d) Notebooks; e) Methods and techniques: telephone, fax, radio and public address; f) Media liaison (e.g. direction/control of unwanted media activities); and g) Verbal and non-verbal communications.
Security and the law: a) Law enforcement liaison; b) Preservation of the crime scene; c) Statements; d) Courtroom procedures and giving evidence; e) Power of arrest: State legislation; f) Use of force (reasonable and necessary); g) Trespass; and h) Common and statute law, tacit consent.
Emergency preparedness: a) Emergency responses for healthcare facilities (AS4083); and b) Emergency control organisation and procedures for buildings (AS3745).
Computer skills: a) Word processing; spreadsheet and statistics.
Interviews and investigations: a) Introduction; b) Interviewing techniques; c) Basic investigations; and d) Investigation reports and follow up.
Presentation skills and techniques: a) Training presentation skills; and b) Adult learning.
Dealing with disturbed patients, visitors and employees: a) Non-violent crisis management; b) Management of aggressive behaviour; c) Psychiatric patients; d) Drug and alcohol facilities; and e) Accident and emergency patient restraint.
Special security considerations: a) Narcotics and dangerous drugs; b) Currency and valuables; c) Confidentiality; d) Privacy; e) Patient and personnel records; and f) First aid (by facility or Registered Training Organisation).
3.
The Security Risk Management and Asset Protection Program (SRMAPP) has been implemented to improve hospital and health service capacity to undertake effective security risk assessments (SRA) as part of the Protective Security Survey (PSS) and to meet the intent of AS4485 Security for healthcare facilities. The methodology and assessment matrices used within the Security Risk Management and Asset Protection program align to QHRisk. Refer to: Integrated Risk Management Policy (2011) (effective January 2012).

The Security Risk Management and Asset Protection Program includes:
   a Security risk management (SRM) framework integrated with Queensland Health's: a) Integrated Risk Management framework; b) Emergency Management Business Continuity; and c) Occupational Health Safety Management System (OHSMS);
   alignment with all asset protection strategies, systems and processes across Queensland Health;
   capability building through delivery of nationally accredited SRM training;
   development and implementation of consistent security risk assessment (SRA) tools and templates;
   establishment and resourcing of protective security consultancy team/s to provide: a) protective security advice and support; b) evaluation of local and statewide strategic security performance; and c) development and delivery of effective training programs in protective security and SRM;
   establishment and maintenance of a protective security practitioners network; and
   implementation of a risk management approach to ensure security risks are minimised through effective design of major capital works.

Hospital and Health Service Responsibility
Each Queensland hospital and health service shall have in place a SRMAPP in accordance with the Security Risk Management and Asset Protection Implementation Standard (Implementation Standard) and the Security Risk Management and Asset Protection Protocol. The program, as detailed in the above documents, has been developed in consultation with stakeholders, ensuring that:
   assets and resources requiring protection are identified and categorised for critical value
   where reasonably foreseeable, all threats to assets and resources, both human and non-human, are identified and assessed
   where reasonably foreseeable, security risks to assets and resources, both human and non-human, are identified and assessed, and are eliminated where practicable
   security risks to assets and resources are mitigated or treated where they cannot be eliminated
   all stages of the program are documented
   each Hospital and Health Service has a Security Plan (SP) in place which addresses security risks
   a facility SP is regularly monitored and annually reviewed
   Security Operating Procedures (SOP) and work instructions exist which support the SP.
3.1 Security Risk Management (SRM) Cycle
Queensland Health's SRM program is a four year cycle (refer Diagram 1: Risk Management Cycle) which aligns with the Australian Council on Healthcare Standards (ACHS) requirements. The cycle is a continuous process. Each HHS shall determine where in the continuum its SRM process currently sits and continue in the cycle from that point. The PSS processes detailed in this Guideline are presented in modular format. The Annexes (Annexes A-M) provide flexibility to conduct each stage of the security risk assessment process in a systematic manner and over time.

Diagram 1: Security Risk Management Cycle (four yearly continuous cycle; only the diagram labels are reproduced here)
Year 1: Protective Security Survey (PSS): critical asset identification; threat vulnerability; vulnerability assessment; risk assessment; risk treatment plan; security plan.
Year 2: (no additional activity labelled)
Year 3: Protective Security Risk Evaluation (PSRE): update previous PSS to ensure currency; may include a security risk assessment on a key area or function as required; review of security risk treatment plan and District Risk Register.
OHS checklist: shown against each year of the cycle.
3.2 Protective Security Survey (PSS)
A Protective Security Survey (PSS) is conducted initially and then on an ongoing four yearly cycle. The aim of the PSS is to:
   survey and validate security measures presently in force in a facility
   inform facility management of the present state of security and asset protection within the facility
   report on previous security surveys, security audits or security inspections, including counter terrorism
   assess present security and asset protection strategies for suitability and cost effectiveness
   identify vulnerabilities
   check current SRM arrangements are planned and executed.

Each stage of the PSS must be completed in full and in sequence. Refer: Appendix 1 Protective Security Survey (PSS). The PSS stages are summarised as follows:

Stage 1: Preparation, Communication and Consultation
Communication and consultation during SRM processes is essential for improving awareness of and commitment to the SRM activities being undertaken. The PSS team will establish the security, organisational and environmental context and validate the relevance of data and information collected.

Stage 2: Asset and Resource Appreciation
Identification of assets (people, property, information, activities and reputation) is a critical requirement to meet organisational objectives and outcomes. The PSS team and stakeholders will identify critical assets, then assess and assign a value based on organisational importance and/or dependence upon the asset and respective support processes.

Stage 3: Threat Assessment
Identification of potential threats arising from the external and internal environments. An assessment is conducted of foreseeable threats (human and non-human) which can cause loss of the facility's assets.

Stage 4: Review Security Controls and Assess Vulnerabilities
Identification of the current procedural, physical and technical security regimes is conducted and security system weaknesses evaluated.

Stage 5: Risk Analysis
A comprehensive assessment of threat, vulnerability and criticality in terms of likelihood and consequence is conducted to assess security risks to the facility.

Stage 6: Develop and Recommend Risk Treatment Strategies
In consultation with relevant stakeholders, the PSS team identifies the risk owner. The risk owner, with the assistance of the PSS team, then develops and assesses suitable security risk control options, including elimination, avoidance, acceptance, sharing or reducing security risk.
Stage 7: Present Findings, Monitor and Review The SRA report and developed recommendations for security risk control options addressing identified risks and risk owners are presented to the relevant authorised person as detailed in the PSS Terms of Reference. A security classification (e.g. Protected, Security in Confidence) must be assigned to the document. Ongoing monitoring and review shall be carried out at the local level to ensure: implemented security risk control measures are effective security risk control measures are being used correctly staff are aware of security measures and have received instruction and training as required no new hazards have been introduced into the workplace as a result of control measures being implemented. Security risks identified as very high must be recorded on the Hospital and Health Service Risk Register and escalated to Health Service Executive for appropriate response.
All risk management documentation must be retained in accordance with the Queensland Health Records Management Policy.

3.3 Protective Security Risk Evaluation (PSRE)
A Protective Security Risk Evaluation (PSRE) is to be undertaken two years after the PSS or in response to any significant change in the:
- environment
- facility's role, responsibilities and function
- construction or refurbishment of buildings or space
- occurrence of significant security incidents.
In addition, a PSRE may be undertaken as a result of the ACHS accreditation process. The completed PSRE Report, including all attachments, shall be given a security classification and retained in accordance with the Queensland Health Records Management Policy. Working documents such as notes, emails and correspondence should also be secured, as they may be required in the event of an investigation or enquiry. The PSRE was developed to minimise impacts upon HHS and facility resources whilst meeting the intent of AS4485 Security for healthcare facilities. The PSRE applies the same methodology as the PSS and consists of seven stages carried out in their entirety and in sequence. Refer: Appendix 2 Protective Security Risk Evaluation (PSRE).

3.4 Annual Review of Security Plan (SP)
An SP is developed and implemented in response to the initial PSS and details actions to address the identified security risks. It is then reviewed annually during the remainder of the four year cycle, after which the SRM process recommences. Template: Annex J.

3.5 Security User Requirement (SUR)
Prior to major capital works (design, construction, refurbishment, acquisition, purchase or lease of buildings, including staff accommodation) being undertaken by, or on behalf of, Queensland Health, it is a requirement that environmental design, and physical and technical security controls, be considered. In accordance with the Implementation Standard, a risk management approach must be employed.
This approach includes the establishment of a security user group (SUG) consisting of relevant stakeholders (including end-users). The SUG will develop and document minimum security user requirements (SUR) based upon the assessed security risks, building classification and the facility's intended functions. The SUR forms part of the tender / planning documentation and prescribes minimum physical and technological security requirements. Persons who tender / plan for the major works shall, in writing, clearly demonstrate how the SUR will be addressed and provide a schedule of works to assist in coordinating inspections and evaluating SUR specific works. The SUG shall ensure inspections, reviews and evaluations of the works are undertaken in consultation with relevant contractors to ensure the SURs are being addressed in accordance with contractual terms and conditions. Upon practical completion of major works, the SUG, in consultation with end-users, tenderers and contractors, will conduct a post occupancy evaluation (POE) to ensure:
- all security related requirements have been effectively met
- defects are rectified
- opportunities for continuous quality improvement in the design of healthcare facilities are captured.
A copy of the post occupancy evaluation report shall be provided to the Health Planning Infrastructure Division to feed back relevant information and recommendations for continuous quality improvement in healthcare facility design and construction.

3.6 Strategic Security Review (SSR)
A strategic security review (SSR) is an evaluation of an organisation's current strategic security regime, for example, strategic protective security and technical security systems. Where a Health Service has been unable to undertake a comprehensive PSS during the two prior years, the hospital and health service chief executive officer may request the Principal Occupational Health and Safety Consultant, Security (Security Consultant) to conduct the SSR. Additionally, an SSR may be initiated by the Director, Safety and Wellbeing Unit, having regard to changes to legislation, Queensland Health's health and safety requirements or work health and safety performance. The Security Consultant shall ensure the SSR is undertaken as soon as practicable. The SSR may include evaluation of:
a) Strategic security regime incorporating:
- security incidents and reports
- current PSS (i.e. undertaken within the previous 2 years)
- current SP and security SOP
- emergency management contingency planning
- security officer and authorised officer training
- compliant appointment of security officers and authorised persons
- security staffing / personnel security management
- management of contract security services (if applicable)
- security staff personal protective equipment
- staff security awareness and training
- other protective security issues.
b) Strategic technical security systems incorporating:
- access control including electronic access control systems
- closed circuit television system
- security alarm system
- key control system
- duress alarm system
- identity card system.
c) Capability building which can include:
- delivery of SRM awareness training
- mentoring the Health Service / Facility Security and Asset Protection Coordinator (or other relevant staff)
- ongoing security risk management and asset protection advice and support.
3.7 Integrated Systems
The SRMAPP is an essential supporting element of the Queensland Health Occupational Health and Safety Management System, the emergency management and business continuity programs and the ACHS accreditation process. The PSS, PSRE, SP and review documentation contain highly sensitive information and must be given an appropriate security classification. Documents are to be retained in accordance with the Queensland Health Records Management Policy.
External Stakeholders / Organisations:
a) Emergency Services or other Government Departments and Agencies
b) Police Intelligence for criminal threat assessment
c) Neighbours
d) State Emergency Service
e) Other healthcare facilities which have recently undergone a review.

Step Two: Documentation, building and floor plans
Accessing and reviewing documentation and plans is a very important part of the PSS process. Previous security reports, Standard Operating Procedures (SOP), protective security work instructions, dangerous goods manifests, and building and floor plans aid in understanding operations and facility layout. The documents also assist the PSS team (see Stage Four) to identify:
- critical asset locations
- underground tunnel systems
- hazardous materials storage locations
- utility supply lines including water, power, sewerage and/or gas
- building fabric and structure
- closed circuit television (CCTV) camera locations and coverage
- security alarm systems, both duress and intruder.
A tool to assist with gathering the information detailed in Stages One to Four of the PSS is at Annex B. The tool is not a definitive and all-inclusive document and will require modification to suit the specific needs of the facility. Any information gathered should be treated as sensitive in nature and a security classification may need to be assigned.
Stage Two: Asset and Resource Appreciation
In the protective security context an asset is a resource, item or process that supports and allows an organisation to continue its day to day operations unhindered. It is not merely a list of physical property located at a facility. It includes an organisation's people, property (tangible and intangible), information and activities. Assets may also include an organisation's or an individual's reputation, which is intangible and should not be overlooked. Property may be tangible (i.e. physical property) or intangible (i.e. knowledge or intellectual property); the distinction is important when undertaking risk assessments in areas such as research facilities, where the most valuable asset is often knowledge or research data. The PSS team should consider what an organisation or facility owns, operates, leases, controls, buys, sells, services, designs, produces, manufactures, tests, analyses, maintains or has custody of or responsibility for. An individual within an organisation can list critical assets; however, the list may not fully cover what is actually critical to the organisation. Individuals view assets based on their particular knowledge, role or position and the activities which are their prescribed duties. Asset owners and operators are generally the most important source of information about assets in need of protection. Wherever practicable the PSS team, in consultation with asset owners and operators who have a working knowledge of the particular area or function, should identify and assign a criticality value to the asset.

Creating an Asset/Resource Register
Using the template provided (Annex C: Asset / Resource Register), the PSS Team and appropriate stakeholders should list the critical assets within each category (i.e. column) on the page. For example:

Category    | Critical Asset
People      | Clinical / Admin / Operational staff; patients; visitors.
Property    | Building; Medical equipment; Research knowledge.
Information | Medical records; IT information.
Activities  | Triage; Patient transport.
Reputation  | Local Health Service's reputation; Individuals' reputation.

Assigning a Criticality Rating
Once the critical assets have been listed by the PSS Team and stakeholders, a Criticality Rating is assigned. Table 1: Asset Criticality Value will aid in this process. Additionally, assigning a criticality value to assets will assist in determining the allocation of finite resources (financial, human and technical) needed for protection or remedial action, i.e. which targets most require protection. The asset criticality value number (1-5) is based on the level of importance or dependence that the organisation or facility has on that particular asset.
Table 1: Asset Criticality Value (only the column header "Critical Asset" survives here; the table body is not reproduced)
STAGE THREE: Threat Assessment
Threat, in the protective security context, is an event that has the potential to cause harm, disruption or fear. Threat is the source of risk. If there is no threat there is no risk. It is important, therefore, to understand the difference between a threat source, a threat and a risk.
Threat Source: Potential sources that could cause harm to an organisation.
Threat: Existing conditions, processes or systems that may interact with ongoing activities to instigate error. Threats can be expected, unexpected or latent.
Risk: The risk of death, injury, illness or damage to property and/or environment occurring as a result of a hazard or event.
Security Risk: The chance of something happening that will impact on objectives.
Examples of threat sources, threats and risks:
Threat Source               | Threat                        | Risk
Disgruntled staff           | Sabotage                      | Loss of activity / function
Violent patient             | Assault                       | Serious injury to staff
External criminal           | Bomb threat                   | Cessation of activities
External criminal           | Break in                      | Damage to critical equipment
Earthquake                  | Damage                        | Cessation of activities
Flood                       | Damage to critical equipment  | Loss of function
External criminal           | Robbery                       | Injury to persons
Politically motivated group | Release of laboratory animals | Loss of research function
Foreign intelligence        | Espionage                     | Loss of corporate intellectual property
External criminal           | Fraud                         | Loss of financial assets
External criminal           | Damage to property            | Loss of asset
Issue motivated person      | Arson                         | Loss of life
Conducting a Threat Assessment (TA) involves firstly identifying possible types and sources of threat that could harm the individual, organisation or facility. Security threats spring primarily from deliberate intentions rather than from accidental, natural or systemic causes. Hence people are the primary source of security threats (as opposed to acts of God, hazards, mechanical failures or management systems). This does not, however, discount the need to assess non-deliberate threats such as natural events, hazards, acts of God and equipment failure which impact on an individual's, organisation's or facility's ability to function. Threat sources are grouped into three categories:
1. Internal Threat Sources
2. External Threat Sources
3. Non-Human Threats
Completing a Threat Assessment (TA)
A TA is prepared from information sourced from a wide variety of areas such as crime data, security incident reports, work health and safety incident reports, media articles and staff liaison. The frequency component of a TA is developed from actual incidents that have occurred either directly at the facility or in the geographic location. A systemic problem with frequency data is under-reporting. A contributing factor to under-reporting is how security and security related incidents are identified or perceived by individuals. Where data is lacking, consideration should be given to using staff surveys, patient surveys and so forth. This may also indicate persons' perceptions of how safe or unsafe an environment is.
Step One: List threat sources
Using the Threat Identification Register, the PSS team, in consultation with appropriate stakeholders, lists all reasonably foreseeable threat sources (internal, external and non-human) that could cause harm. Security threats can be classified according to the source of origin:
- Criminals, including visitors / patients (e.g. arson, robbery, violent acts against the person, intrusion, hostage, vandalism, murder, theft, destruction of property)
- Terrorist acts perpetrated by issue motivated groups (e.g. bombings, sabotage, kidnapping, bio / chemical attacks)
- Foreign / Commercial / Industrial (e.g. commercial / industrial espionage, industrial action)
- Media (e.g. adverse publicity)
- Insider (e.g. arson, malicious acts by disgruntled employees, theft, espionage of classified material for others, sabotage, unauthorised disclosure of classified material, inadvertent loss of classified material)
- Natural (e.g. flood, tempest, earthquake)
- Other (e.g. loss of power, loss of water, fire, chemical spill).
Example of an ED Threat Identification Register:
Step Two: Grade the threat source
The listed threat sources now require grading using Table 2: Threat Assessment Matrix. This is used to rate how likely or how often a risk is expected to occur, i.e. Likelihood.

TABLE 2: THREAT ASSESSMENT MATRIX
Ref - Grade        | Descriptor
A - Almost Certain | Very likely; the event will occur in most circumstances
B - Very High      | Probable; the event will probably occur at least once
C - High           | Potential; the event might occur at some time
D - Medium         | Improbable; the event is not expected to occur
E - Low            | Very unlikely; the event may only occur in exceptional circumstances
In grading the human threat sources (internal and external), it is necessary to ascertain relevant data such as incident reports; previous assessments and reviews; and Police crime statistics and calls-for-service data. This will provide a strong indication of the likelihood of the threat. Often, incidents are under-reported, making the grading of likelihood difficult. Undertaking a survey or interviewing staff, patients or others may elicit relevant information about the likelihood of events. Historical data and recollections of staff should be used to assess potential threat levels. For example, loss of power or water is often not reported in an incident database. Relying solely on incident report data would fail to indicate the likelihood of loss of power or water. However, local trades-persons may be able to provide evidence of similar events occurring over time. Where possible, the grading should not be made by one person but by the PSS Team and relevant stakeholders. This will provide a more balanced approach with less chance of criticism. Human threat sources may also be graded by establishing intent and capability to determine the overall threat potential to the organisation / facility; however, this requires gathering intelligence, some of which may be outside the capability of the PSS Team. In conjunction with the threat definitions below, the Threat Matrices at Tables 2 and 2A may assist in grading each human and non-human threat.
Capability
Extensive: There is a very high probability that a group or individual is known to have the ability to defeat current security measures, which poses a direct threat to compromise the confidentiality, integrity or availability of a critical asset or capability.
Moderate: There is a reasonable expectation that a group or individual with limited ability may pose a threat to compromise the confidentiality, integrity or availability of a critical asset or capability.
Low: While a potential threat may arise, there is no information to show, or reason to believe, that a current threat exists.
Intent
Determined: There is a high probability that a motivated group or individual currently exists with the intent to conduct activities which pose a direct threat to the confidentiality, integrity or availability of a critical asset or capability.
Expressed: There is a reasonable expectation that a group or individual will attempt to conduct activities that may pose a threat to the confidentiality, integrity or availability of a critical asset or capability.
Little: There is little basis to assess that a group or individual has the intent to conduct activities that pose a threat to the confidentiality, integrity or availability of a critical asset or capability.

TABLE 2A: THREAT ASSESSMENT MATRIX (INTENT x CAPABILITY)
INTENT \ CAPABILITY | Extensive      | Moderate  | Low
Determined          | ALMOST CERTAIN | VERY HIGH | HIGH
Expressed           | VERY HIGH      | HIGH      | MEDIUM
Little              | MEDIUM         | LOW       | LOW
STAGE FOUR: Review Security Controls and Assess Vulnerabilities
The PSS team undertakes a field inspection, by day and night, to carry out an assessment of the effectiveness of current security controls. Implemented security controls should employ the Protection-in-Depth principles that will DETER, DETECT, DELAY or RESPOND to an attack and RECOVER from an attack. The assessment will also aid in identifying vulnerabilities presently existing within the facility.
Vulnerability: Any weakness that can be exploited by an aggressor to make an asset susceptible to change. Vulnerabilities can include elements in the design and construction of a facility, technological systems and the way the facility is operated.
A vulnerability assessment (VA) identifies specific weaknesses with respect to how they may invite and permit a threat to be accomplished. The Vulnerability Identification List (Template Annex E) is used by the PSS team to document each identified vulnerability by location, describe the problem the vulnerability causes, what recommendations could be used to counter it and any general comments considered pertinent. A VA Guide (Annex I) provides guidance to the PSS team in assessing vulnerabilities. It outlines example security risk control elements and what they achieve, for example:
- physical controls (signage, fencing, lighting)
- people controls (security awareness programs, staff training)
- policy and process controls (inventory control, housekeeping)
- technology controls (intrusion detection systems, mail screening, duress alarms).
Diagram 2: Illustration of Protection in Depth
Examples of vulnerabilities are:
- Emergency Department administrative offices: There is no door which can seal off the administrative offices after hours and adversaries can wander into this area undetected. This could lead to a compromise of medical records and equipment.
- Nurse stations: There are no duress alarms to notify of an incident or potential incident in the area. There is no response capability in an emergent situation.
- Carpark: There are four lights not functioning at the southern end of the car park. This could lead to adversaries in the car park not being detected by staff and security patrols.
- Security procedures: Building 3 was not locked after hours. There is no deterrent or delay to adversaries entering the building. This could lead to vandalism, theft and damage to property.
STAGE FIVE: Risk Analysis
Protective security risk analysis can be summarised as the systematic use of observations and data about asset protection to determine the likelihood of adverse events taking place and the magnitude of their consequences (impact or harm) in the event that the security threat actually takes place and risks are realised. There are three components in the risk analysis process, summarised below:
1. Consequences Analysis
This is an assessment of the consequence to the organisation or facility if a particular asset is lost, compromised or restricted. The relevant information needed by the PSS team to make an objective assessment will have been obtained during stages two to four of the survey. An important factor in making this analysis is the critical lead time for replacement. This is defined as the period of time that an organisation will be without the use of the asset if that asset were to be lost, compromised or otherwise restricted. It can be critical if the asset is an integral part of a business process. To aid in this process see Table 3 Consequence Table.
Table 3A: Example Consequence Table for Security and Work Health & Safety
Degree of severity (columns): 1 - Minor; 2 - Moderate; 3 - Major; 4 - Extreme.

S - Security (may include fraud/theft, unauthorised access and areas of suspected official misconduct):
1 - Minor: Monitored by local staff; some effect on routine operations.
2 - Moderate: A security event that may threaten a program / service. An event requiring internal investigation.
3 - Major: Major event that threatens a program / service across the wider organisation. Events requiring referral to Police / CMC.
4 - Extreme: Extreme event affecting a program / service area's ability to continue its operation, resulting in total shut-down.

H - Work Health & Safety:
1 - Minor: No lost time injury. First aid or medical treatment required.
2 - Moderate: Lost time injury involving a temporary loss of function, or a notifiable event.
3 - Major: Permanent loss of a function or disability.
4 - Extreme: A loss of life.
2. Risk Likelihood Analysis
This is the potential or probability for a threat to be realised against the critical assets. Table 4 Likelihood (Probability) Table provides definitions to assist in assessing likelihood. Analysis considerations include:
- If there are no threats to an asset there is no risk
- Vulnerabilities allow a threat source to exploit weaknesses and increase the likelihood of risks being realised
- Present security controls must be understood, as they may actually reduce the opportunity for the threat to be realised and, with it, risks to critical assets.
Suggested questions for the PSS team before analysing risk likelihood are:
- What are the current security controls that may prevent, control, detect and intervene to deter harm occurring to a critical asset? How effective have they been?
- What are the vulnerabilities (weaknesses) in the security controls that can be exploited by a threat source and increase the likelihood of a risk being realised?
- What is the critical asset's level of exposure?
- What is the threat assessment? How determined are the threat sources? How competent are the threat sources? I.e. do they have the capability and intent?
- What is the incident history of events occurring?

TABLE 4: LIKELIHOOD (PROBABILITY) TABLE
This table defines the likelihood or probability of the risk occurring, based on the information available at the time of assessment.
Ref - Descriptor   | Definition
A - Almost certain | Very likely; the event will occur in most circumstances
B - Likely         | Probable; the event will probably occur at least once
C - Possible       | Potential; the event might occur at some time
D - Unlikely       | Improbable; the event is not expected to occur
E - Rare           | Very unlikely; the event may occur in exceptional circumstances
3. Risk Evaluation
This is the process of evaluating a risk's consequence and likelihood to achieve a risk rating and give guidance on which risks require risk treatment action. Table 5 Risk Matrix Legend provides the level of risk determination for the risk register.

TABLE 5: RISK EVALUATION MATRIX
Consequence \ Likelihood | Rare (E)    | Unlikely (D) | Possible (C) | Likely (B)     | Almost Certain (A)
1 Minor                  | Low (1)     | Low (2)      | Medium (4)   | Medium (5)     | High (11)
2 Moderate               | Low (3)     | Medium (6)   | Medium (7)   | High (12)      | High (13)
3 Major                  | Medium (8)  | Medium (9)   | High (14)    | High (15)      | Very High (18)
4 Extreme                | Medium (10) | High (16)    | High (17)    | Very High (19) | Very High (20)
4. Completing the Risk Register
The PSS team now completes the Risk Register (Annex F Template).
Step 1. In column 1, record each identified threat source capable of causing harm to the asset. E.g. violent patient; issue motivated group.
Step 2. In column 2, record each threat and risk that is reasonably foreseeable (what can happen, and how can it happen?) from the threat source. E.g. assault on other patient / hospital staff; damage to hospital equipment. Hint: Do not include risks that are not foreseeable (e.g. being struck by aircraft may not be foreseeable at most facilities; however, if the facility is adjacent to an airfield, the risk may be real).
Step 3. In column 3, document the adequacy of existing controls and identify vulnerabilities to assist in the likelihood analysis. Remember: the higher the threat level and vulnerability, the higher the likelihood of risk.
Step 4. In column 4, record the consequences of the event occurring. E.g. minor injuries to staff requiring first aid assistance; little impact on operational capability.
Step 5. In column 5, rate the consequence of each risk being realised using Table 3: Consequence Table. Remember: the higher the criticality grading of an asset, the higher the consequences will be from an impact event occurring on the asset.
Step 6. In column 6, record evidence to support the likelihood rating. E.g. there have been two incidents of a similar nature in the past four weeks.
Step 7. In column 7, rate the likelihood of each risk being realised using Table 4: Likelihood (Probability) Table. E.g. B - LIKELY - Probable; the event will probably occur at least once.
Step 8. In column 8, using Table 5 Risk Matrix, evaluate the risk. E.g. violent patient causing injury to visitor: CONSEQUENCE Minor (Work Health and Safety consequence); LIKELIHOOD Unlikely; RISK LEVEL Low (2).
Step 9. In column 9, once all the risks have been identified and graded, prioritise the risks for treatment from VERY HIGH (20) to LOW (1). Using the rating (and the number in brackets), list the risks in priority of treatment. Where areas have the same level of risk, such as HIGH, priority is given to the risk with the highest number on the Risk Evaluation Matrix. Refer Table 6: Risk Matrix Legend.

TABLE 6: RISK MATRIX LEGEND
Note: The higher the threat / risk level number, the higher the priority for treatment.
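The following worked example is added here and is not part of the Queensland Health guideline or its annexes. It encodes the two lookup tables a PSS team applies by hand, Table 2A (threat grade from intent and capability, in the Threat Assessment section above) and Table 5 (risk level and bracketed priority number from consequence and likelihood), and then carries a small register through Steps 8 and 9, including the Stage 7 rule that Very High risks are escalated. The matrix cells are transcribed from the tables on this page; the register rows, the `RiskEntry` fields and all function names are constructed for illustration and do not come from Annex F.

```python
"""Added worked example (not from the Queensland Health guideline): a small
risk register that applies Table 2A (threat grade from intent x capability)
and Table 5 (risk level and priority number from consequence x likelihood),
then ranks entries for treatment as Step 9 directs (highest bracketed number
first).  Matrix cells are transcribed from the guideline's tables; the
register entries below are constructed sample data."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Table 2A: intent (row) x capability (column) -> threat grade.
THREAT_MATRIX: Dict[str, Dict[str, str]] = {
    "Determined": {"Extensive": "Almost Certain", "Moderate": "Very High", "Low": "High"},
    "Expressed":  {"Extensive": "Very High",      "Moderate": "High",      "Low": "Medium"},
    "Little":     {"Extensive": "Medium",         "Moderate": "Low",       "Low": "Low"},
}

# Table 4 likelihood references in ascending order: E Rare .. A Almost certain.
LIKELIHOOD_ORDER: List[str] = ["E", "D", "C", "B", "A"]

# Table 5: consequence (1 Minor .. 4 Extreme) x likelihood -> (level, number).
# The bracketed number is the treatment priority used in Step 9.
RISK_MATRIX: Dict[int, List[Tuple[str, int]]] = {
    1: [("Low", 1),     ("Low", 2),    ("Medium", 4), ("Medium", 5),     ("High", 11)],
    2: [("Low", 3),     ("Medium", 6), ("Medium", 7), ("High", 12),      ("High", 13)],
    3: [("Medium", 8),  ("Medium", 9), ("High", 14),  ("High", 15),      ("Very High", 18)],
    4: [("Medium", 10), ("High", 16),  ("High", 17),  ("Very High", 19), ("Very High", 20)],
}


def grade_threat(intent: str, capability: str) -> str:
    """Look up Table 2A; an unknown descriptor raises rather than silently grading Low."""
    try:
        return THREAT_MATRIX[intent][capability]
    except KeyError as exc:
        raise ValueError(f"unknown intent/capability descriptor: {exc}") from None


def evaluate_risk(consequence: int, likelihood: str) -> Tuple[str, int]:
    """Look up Table 5 for a consequence (1-4) and a likelihood reference (E-A)."""
    if consequence not in RISK_MATRIX:
        raise ValueError(f"consequence must be 1-4, got {consequence!r}")
    if likelihood not in LIKELIHOOD_ORDER:
        raise ValueError(f"likelihood must be one of {LIKELIHOOD_ORDER}, got {likelihood!r}")
    return RISK_MATRIX[consequence][LIKELIHOOD_ORDER.index(likelihood)]


@dataclass
class RiskEntry:
    """One constructed register row: columns 1, 2, 5 and 7 are supplied by the
    assessor; level and number (columns 8 and 9) are filled in by complete_register."""
    threat_source: str
    threat_and_risk: str
    consequence: int
    likelihood: str
    level: str = ""
    number: int = 0


def complete_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Step 8 and Step 9: evaluate every entry, then order by priority number.

    Because Table 5 gives every cell a distinct number and numbers increase with
    level, a single descending sort on the number also breaks ties within a level
    the way Step 9 requires (higher matrix number first)."""
    for entry in entries:
        entry.level, entry.number = evaluate_risk(entry.consequence, entry.likelihood)
    return sorted(entries, key=lambda e: e.number, reverse=True)


def requires_escalation(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Stage 7: Very High risks go on the HHS Risk Register and to the Executive."""
    return [e for e in entries if e.level == "Very High"]


# Constructed sample register for an emergency department.  The last row is the
# guideline's own Step 8 example (Minor x Unlikely = Low (2)); the rest are invented.
SAMPLE_REGISTER: List[RiskEntry] = [
    RiskEntry("Violent patient", "Assault; serious injury to staff", 2, "B"),
    RiskEntry("External criminal", "Break in; damage to critical equipment", 3, "C"),
    RiskEntry("Flood", "Damage to critical equipment; loss of function", 4, "D"),
    RiskEntry("Issue motivated person", "Arson; loss of life", 4, "B"),
    RiskEntry("Violent patient", "Injury to visitor", 1, "D"),
]

if __name__ == "__main__":
    for row in complete_register(SAMPLE_REGISTER):
        print(f"{row.level:9} ({row.number:2})  {row.threat_source}: {row.threat_and_risk}")
    print("Escalate:", [e.threat_source for e in requires_escalation(SAMPLE_REGISTER)])
```

Run as a script, the sample register comes out in treatment order 19, 16, 14, 12, 2 with the arson entry flagged for escalation. Keeping the matrices as data rather than as arithmetic is deliberate: the guideline's numbers are not a product of consequence and likelihood (Minor x Almost Certain is 11, Extreme x Rare is 10), so any "score = C x L" shortcut would silently reorder the treatment priorities.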
STAGE SIX: Develop and Recommend Risk Treatment Strategies
Risk treatment involves the selection of one or more options for addressing the risks. At this stage it is essential to identify and involve the Risk Owner for each identified risk so that they are aware of the identified risks and may contribute to the development and monitoring of risk controls. The Risk Owner is the person with the accountability and authority to approve any necessary controls to manage the identified risk. The risk owner should be identified in the risk treatment plan by position (not name).
Developing risk controls: The Risk Owner, in consultation with the PSS team and stakeholders, shall determine what, if any, risk treatment is to be instigated. Specialist advice may need to be sought regarding technical and structural issues etc. In determining risk treatment actions, the following may assist:
- Likelihood can be reduced through security controls and procedures that reduce an asset's exposure to harm (creating a more physically secure environment that limits access to it, or promoting a workplace security awareness culture that reports suspicious activity or objects).
- Consequences can be lessened by having contingency and continuity plans in place. If an event exceeds the level of protection afforded, e.g. a CODE BLACK emergency, the facility should have plans that allow it to reduce the immediate impact of the event and continue to operate at an acceptable level, or resume operations within acceptable timeframes.
- Minimum standards. Determining minimum standards requires researching legislation, regulations, organisational policies, standards and codes to ensure any mandatory or good current practice is applied.
- Re-examine current security controls. Many of the risks will likely have been already identified and various security controls already applied. It is very important to look at these when developing treatment options to determine whether they are effective or require some strengthening (refer to the vulnerability assessment undertaken as part of the PSS).
- Determine workable treatment options. Once the particular risk treatment options have been decided, conduct a second analysis to again quantify the level of risk. The aim is to reduce the risk to As Low As Reasonably Practicable (ALARP). ALARP is not about eliminating every risk, but about reducing them to a level that is tolerable.
Treatment options may include:
a) Avoid. Avoid the risk by making an informed decision not to continue the activities that give rise to the risk event. In most cases this is not feasible. Consideration should be given to alternative activities that could produce the same result with less risk.
b) Elimination. The most effective form of risk control is to eliminate the risk (threat, hazard, vulnerability) altogether, particularly at the design stage.
c) Accept and Monitor. In some cases it might not be possible to employ the above options, or they may not be cost effective relative to the risk event occurring.
d) New Security Controls. This may include:
- Substitution. This involves replacing a hazardous risk with a non-hazardous one, such as replacing normal glass in an ED with toughened safety glass.
- Isolation. Use barriers, stand-off distances and dispersed assets to isolate assets from a threat.
- Engineering Controls. In a security context this would include installation of barriers, access controls, alarms, lighting, locks etc.
- Administrative Controls. Includes development of policy, procedures and practices that reduce risk. Others include training programs, planning committees and Emergency Control Organisations.
- Personal Protective Equipment (PPE). It may be necessary for persons to be equipped with PPE. The scope of PPE in a security environment may include flashlights, restraints, batons etc.
e) Business Continuity. Business continuity plans should consider alternative supply chains, alternate facilities, restoration and repair of lost or damaged assets, and the welfare of personnel.
f) Share. Share the management responsibility with another party. Identify stakeholders that might be better placed and resourced to manage the risk. This is important in co-tenanted facilities.
g) Retaining residual risk. It is not ethically acceptable to intentionally decide not to control risks to a person's health, safety and welfare. It should be noted that when risks are reduced to ALARP there is usually some residual risk retained.
Emergency response and recovery. An example of retained risk is the risk of a catastrophic event which may occur as a result of a terrorist attack or natural disaster which could not be prevented or foreseen. When a crisis or disaster occurs, management must respond to minimise the consequences. This involves the detection of the event as early as possible, immediate containment, emergency response, longer term response and business continuity management. In order to manage this effectively, detailed recovery plans are required.
Selecting appropriate treatments. The acceptability and likely success of treatment strategies will be dependent on a number of factors, not the least of which is their likely impact on the activities of stakeholders. Potential treatment options must be reviewed with stakeholders. This is the ideal opportunity to gain stakeholder buy-in before specific strategies are developed. Stakeholder input to the development of specific treatments will increase the likelihood of these strategies being successful. A suggested way of selecting risk treatment options is to choose a mix of the following strategies: Must do; Should do; and Could do.
In determining the most appropriate risk treatments, the PSS team needs to have regard to the layered approach to asset protection, being the protection-in-depth principle, ensuring the protection of any target asset is not just reliant on one control measure. Ensure that the controls:
1. DETER an attack
2. DELAY an attack
3. DETECT an attack
4. RESPOND to an attack
5. RECOVER from an attack.
Comparative and Cost Benefit Analysis (CBA)
When recommending risk treatment strategies it is important to ensure that they are cost effective. A cost benefit analysis (CBA) is conducted to determine the feasibility and desirability of each of the risk management options. It allows options to be prioritised if required. A CBA can be conducted either as a formal or informal process and should consider as wide a range of issues as possible, not just be restricted to financial considerations. The CBA should consider:
- direct issues, such as benefits arising from reduction in the likelihood or harmful consequences of the security risk, and costs of implementing the proposed treatment and/or that could arise if the risk eventuates (e.g. loss of an asset); and
- indirect issues, such as benefits arising from collateral effects of the treatment (reduced insurance premiums, improved management and staff confidence, enhanced reputation), and costs arising from the loss of productivity, business disruption, diversion of management attention, loss of reputation or brand value.
Effectiveness versus Affordability
It is recognised that eliminating all security risk is impossible. The aim however will be to reduce risk to an acceptable level, i.e. as low as reasonably practicable. ALARP is not about eliminating every risk, but about reducing them to a level that is tolerable. This ALARP principle considers:
- whether further risk reduction is impractical
- if the costs of further risk reduction would exceed the improvements gained
- instances where no suitable controls are available.
Effectiveness, affordability and acceptability are difficult trade-offs, and occasionally a seemingly ineffective solution to critical asset protection is chosen because of a lack of funding. Major changes to the protective security regime, including the introduction of technologies, are often brought on as a response to an undesirable incident. After analysing all the information above, the PSS team develops the Risk Treatment Schedule and Plan.
Actions required in response to the level of risk after treatment:
- Risks with a residual risk rating of Very High (18-20) must be reported to QH Risk;
- Executive must consider the need for legal advice or guidance. If legal advice or guidance is required it must be reported to Corporate Counsel (or delegate);
- All notifiable events (as per the local policy or procedure) must be reported as directed;
- All incidents including near misses must be reported; and
- The risk assessment process is applicable to all processes and levels within the Department.
STAGE SEVEN: Present Findings, Monitor and Review
There are a number of ways a PSS can be presented to the person/s authorising the completion of the survey. Initially, at the completion of a site visit, it may be beneficial to provide an oral briefing that summarises the findings. This is particularly important if the team has identified any serious weaknesses or identified issues that could be subject to litigation against the facility or its members. The oral report must always be followed up by a detailed narrative report. The report should be forwarded directly to the person/s detailed within the Terms of Reference (TOR) only. A narrative report must be structured to allow detailed comments after the completion of the PSS. A PSS Report template is available at Annex H PSS Report Template.
Information Security Classification
The PSS Report and supporting documentary evidence must be given a security classification in accordance with Queensland Health Information Enterprise Information Policy, QHEPS document Identifier: 3485 and associated standards. On most occasions it will be classified as Security-In-Confidence or Protected. Refer:
Information Security Classification Procedure: http://qheps.health.qld.gov.au/infosecurityandrisk/docs/standard_phase_3/class25958.pdf
Information Security Classification and Control Standard: http://qheps.health.qld.gov.au/infosecurityandrisk/docs/standard_phase_3/std_3.pdf
Monitor and Review Risk Control Measures
Monitor and review the effectiveness of security risk controls to ensure:
- security risk control measures have been implemented and are effective
- security risk control measures are being used correctly
- staff are aware of security measures and have received instruction and training as required
- no new hazards have been introduced into the workplace as a result of implementation of control measures.
Security risks identified as very high must be recorded on the Health Service Risk Register and escalated to Health Service Executive for appropriate management. All risk management documentation must be retained for a period not less than seven years. Any controls that are put in place to manage the identified risks should be regularly evaluated to ensure their effectiveness.
Stage seven is now complete. The Protective Security Survey is now concluded.
the highest level of the organisation and should clearly state to whom the final PSRE report is to be presented (Annex A Terms of Reference Example).
Step Two: Scope and Nature of the PSRE. The PSRE was designed to provide a simple but effective process to complement the PSS whilst meeting the intent of AS 4485 Security for healthcare facilities. Rather than undertaking a full security risk assessment (SRA) of the entire facility, the PSRE is used to:
- review the previous PSS conducted within the security risk management cycle
- conduct a SRA on specific workplace activities (e.g. working in the community; security patrols) or high risk areas (e.g. ED; Mental Health).
Step Three: Other parties. Once Step Two is complete a list of stakeholders is developed. Examples may include:
a) Persons: Nursing staff; Medical staff; Administrative staff; Engineering staff; Security staff; Neighbours; Contractors / consultants
b) Organisations: Queensland Police; Emergency Services (including State Emergency Service); Other Government Departments; Other healthcare facilities
Step Four: Review the last PSS. The PSRE team should review the previous PSS Report and evaluate the facility's protective security regime, paying particular attention to:
- legislative requirements
- mandatory Queensland Health requirements
- the recommendations of the previous PSS Report
- the Security Risk Treatment Schedule and Plan
- the Security Plan
- Standard Operating Procedures for the effective delivery of protective security services
- any other security risk management documentation such as inspections, reports or audits that have been conducted since the last review.
PSRE Tool Template: Annex K. PSRE Tool Example: Annex L.
Stage Two: Asset and Resource Appreciation and Review
During this stage the PSRE Team should follow the same procedure as outlined in Stage Two of the PSS process to reassess the current asset register. Should the PSRE team identify new assets or determine that the CRITICALITY VALUE of any asset needs to be changed, the register must be amended. The amended Asset Register should now be attached as an Annex of the PSRE report and a copy of the register placed in the facility's Security Plan. Stage Two is now complete.
Stage Three: Threat Assessment and Review
During this stage the PSRE Team follows the same procedure outlined in Stage 3 of the PSS process to reassess the Threat Identification Register. The Threat Identification Register must be amended should the PSRE team identify new threat sources or assess that changes to the threat levels are required. The amended register should now be attached as an Annex of the PSRE report and a copy of the register placed in the Security Plan. Stage Three is now complete.
Stage Four: Evaluation of Security Controls and Vulnerability Assessment Review
Vulnerability can be described as any weakness that can be exploited by a threat source to make an asset susceptible to change. This includes vulnerabilities in the facility's design and construction, its technological systems and the way the facility is operated. A vulnerability assessment identifies specific weaknesses with respect to how they may invite or permit a threat to be accomplished. The process outlined in Stage 4 of the PSS will aid the PSRE Team, in consultation with the risk owner, in:
- identifying any additional vulnerability within the facility; and
- assessing the effectiveness of the current security regime.
Security controls that have been or will be implemented should employ the principles of Protection-in-Depth, which consists of mutually supporting layers of security risk controls intended to DETER, DETECT or DELAY an attack, or facilitate RESPONSE and RECOVERY from an attack.
A Vulnerability Identification List template is at Annex E of this document and allows the PSRE team to document the identified vulnerability by location and to describe the impact to the facility should the vulnerability be exploited. A Vulnerability Assessment Guide is provided at Annex I and outlines security risk control elements and the purpose for which they are intended. The PSS Vulnerability Identification List should be used by the Team in assessment and review. The amended Vulnerability Identification List should be attached as an Annex to the PSRE report and a copy placed in the Security Plan. Stage Four is now complete.
Stage Five: Risk Analysis and Review
Security Risk Analysis can be summarised as the systematic use of observations and data about asset protection to determine the likelihood of an adverse event and the magnitude of its consequence, impact or harm in the event that the security threat is realised. There are three steps of the risk analysis and review:
- consequence analysis;
- likelihood analysis; and
- the risk evaluation.
The PSRE Team should refer to, and apply, the process detailed in Stage 5 of the PSS (Appendix 1). The newly identified and assessed security risks form part of the PSRE Report. The information detailed in the security risk analysis and review is used to inform the Health Service's Security Risk Register. Risks assessed as very high shall be elevated to the Health Service Executive for appropriate management. Stage Five is now complete.
Stage Six: Develop and Recommend Security Risk Treatment Strategies
Risk treatment involves the selection of one or more options for addressing the identified security risks. The Risk Owner and PSRE Team may wish to seek specialist advice on technical and structural issues. Reference should be made to Stage 6 of the PSS (Appendix 1); however, a brief synopsis is detailed below. The following must be considered when developing security risk control options:
a) Likelihood can be reduced through security controls and procedures that reduce an asset's exposure to harm
b) Consequences can be lessened by having in place contingency and continuity plans.
When considering options for selection it is important to evaluate the following:
- Minimum standards
- Re-examine current security controls
- Determine workable treatment options.
The aim is to reduce the risk to As Low As Reasonably Practical (ALARP). Options include:
a) Avoid the risk by making an informed decision not to continue the activities that give rise to the risk event. Consideration should be given to alternative activities that could produce the same result with less risk.
b) Eliminate the risk (threat, hazard, vulnerability) altogether, particularly at the design stage.
c) Accept and monitor the risks. In some cases it might not be possible to employ the above options, or they may not be cost effective relative to the risk event occurring.
d) Implement new security controls. This may include:
Substitution. This involves replacing a hazardous risk with a non-hazardous one, e.g. replace normal glass in an ED with toughened safety glass.
Isolation. Use barriers, stand-off distances and dispersed assets to isolate assets from a threat.
Engineering Controls. In a security context this would include installation of barriers, access control systems, alarms, lighting, locks etc.
Administrative Controls. Includes development of policy, procedures and practices, training programmes, planning committees and Emergency Control Organisations.
Personal Protective Equipment. It may be necessary for persons to be equipped with PPE. The scope of PPE in a security environment may include flashlights, restraints, and batons.
e) Business Continuity. Business continuity plans should consider alternative supply chains, alternate facilities, restoration and repair of lost or damaged assets, and the welfare of personnel.
f) Share. Share the management responsibility with another party. Identify stakeholders that might be better placed and resourced to manage the risk. This is important in co-tenanted facilities.
Retaining residual risk. It is not ethically acceptable to intentionally decide not to control risks to a person's health, safety and welfare; however, it should be noted that even when risks are reduced to as low as reasonably practical, there is usually some residual risk retained.
Emergency response and recovery. The risk of a catastrophic event, such as a terrorist attack or natural disaster, may not be foreseeable or preventable.
Selecting appropriate treatment strategies
The acceptability and likely success of treatment strategies will be dependent on a number of factors, not the least of which is their likely impact on the activities of stakeholders. Potential treatment options must be reviewed with stakeholders. This is the ideal opportunity to gain stakeholder buy-in before specific strategies are developed. Stakeholder input to the development of specific treatments will increase the likelihood of these strategies being successful. In determining the most appropriate treatments the risk owner and PSRE team need to have regard to the layered approach to asset protection (protection-in-depth principle), ensuring the protection of any target asset is not just reliant on one control measure. Ensure the controls DETER, DELAY or DETECT an attack, or facilitate RESPONSE to, or RECOVERY from, an attack.
Comparative and Cost Benefit Analysis
A cost benefit analysis is conducted to determine the feasibility and desirability of each of the risk management options. It allows options to be prioritised if required. A cost benefit analysis can be conducted either as a formal or informal process and should consider as wide a range of issues as possible, not just be restricted to financial considerations. The analysis should consider:
- Direct issues, such as benefits arising from reduction in the likelihood or harmful consequences of the security risk, and costs of implementing the proposed treatment and/or that could arise if the risk eventuates (e.g. loss of an asset); and
- Indirect issues, such as benefits arising from collateral effects of the treatment (reduced insurance premiums, improved management and staff confidence, enhanced reputation), and costs arising from the loss of productivity, business disruption, diversion of management attention, loss of reputation or brand value.
Effectiveness versus Affordability
After analysing all the information collated, the PSS team should develop the Risk Treatment Schedule and Plan. This lays out how the preferred options for the security risks are to be treated, the risk rating after treatment, the persons responsible to implement the treatments, the timetable for their implementation and how the treatment will be monitored.
Completing the Security Risk Treatment Schedule and Plan (Annex G)
One page is to be used per identified threat / risk for treatment. The page is to be filled out as follows:
1. Priority: Place in the threat / risk priority for treatment from Stage 5, e.g. 1. Assault on after hours staff going to car park resulting in serious injury or disability.
2. Threat / Risk: Place in the Threat / Risk from Stage 5, e.g. HIGH, senior management attention needed and management responsibility specified to control the risk.
3. Likelihood of Occurrence: Place in the likelihood of the threat / risk occurring from Stage 5, e.g. RARE - May occur in exceptional circumstances / may occur at least once in a period of five years or more.
4. Consequence of Occurrence: Place in the consequence of the threat / risk occurring from Stage 5, e.g. MAJOR - Permanent loss of function or disability.
5. Likely cost to the organisation: Place in a summary of dollar costs to the organisation.
6. Recommended Treatment Strategies: Recommend treatment strategies to address the threat / risk including costs to do same, e.g. install a duress alarm in Ward 6B, cost = $ 650.
7. Actions required in response to the level of risk after treatment: Risks with a residual risk rating of Very High (18-20) must be reported to QH Risk. Management must consider the need for legal advice or guidance. If legal advice or guidance is required it must be reported to Corporate Counsel (or delegate). All notifiable events (as per the local policy or procedure) must be reported as directed. All incidents including near misses must be reported. The risk assessment process is applicable to all processes and levels within the Department.
The Security Risk Treatment Schedule and Plans should now be placed into the Security Plan.
Stage Seven: Present Findings, Monitor and Review
There are a number of ways in which the findings of a PSRE can be presented. Initially, at the completion of a site visit, it may be beneficial to provide management with an oral briefing that summarises the findings. This is particularly important if the team has identified any serious weaknesses or identified issues that could be subject to litigation against the facility or its members. The oral report must always be followed up by a detailed narrative report. It should be forwarded directly to the person nominated in writing on the Terms of Reference document. Annex M PSRE Report Template provides a structured format for the narrative report.
Information Security Classification
The PSRE Report and supporting documentary evidence must be given a security classification in accordance with Queensland Health Information Enterprise Information Policy, QHEPS document Identifier: 3485 and associated standards. On most occasions the PSRE Report will be classified, handled and stored as Security-In-Confidence or Protected. Refer to:
Information Security Classification Procedure: http://qheps.health.qld.gov.au/infosecurityandrisk/docs/standard_phase_3/class25958.pdf
Information Security Classification and Control Standard: http://qheps.health.qld.gov.au/infosecurityandrisk/docs/standard_phase_3/std_3.pdf
Stage Seven is now complete. The Protective Security Risk Survey is now concluded.
LIST OF ANNEXES
ANNEX A. Terms of Reference Example
ANNEX B. PSS Tool (Template)
ANNEX C. Asset / Resource Register (Example)
ANNEX C. Asset / Resource Register (Template)
ANNEX D. Threat Identification Register (Example)
ANNEX D. Threat Identification Register (Template)
ANNEX E. Vulnerability Identification List (Template)
ANNEX F. Security Risk Register (Template)
ANNEX G. Risk Treatment Schedule and Plan (Template)
ANNEX H. Protective Security Survey Report (Template)
ANNEX I. Vulnerability Assessment Guide of Security Control Elements (Training Aid Only)
ANNEX J. General Security Plan (Template)
ANNEX K. Protective Security Risk Evaluation Tool (Template)
ANNEX L. Protective Security Risk Evaluation Tool Example
ANNEX M. Protective Security Risk Evaluation Report (Template)
ANNEX A
EXAMPLE - TERMS OF REFERENCE
From: Ms Jenny Doe, Director Corporate Services, Johnson Hospital, Rochedale South QLD 4123
To: Mr Henry Bloggs, Security Manager, Johnson Hospital, Rochedale South QLD 4123
For Information: Dr Joe Blood, Director Emergency Department, Johnson Hospital, Rochedale South QLD 4123
Terms of Reference - Protective Security Survey (PSS) - Johnson Hospital Emergency Department
References:
A. Security Risk Management and Asset Protection Implementation Standard;
B. Security Risk Management and Asset Protection Protocol;
C. Security Risk Management and Asset Protection Guidelines;
D. Occupational Health and Safety Incident Management Implementation Standard;
E. Occupational Violence Prevention Management Implementation Standard; and
F. Johnson Hospital Security Procedure (insert details).
The Health Service Chief Executive Officer, Johnson Hospital is committed to managing protective security risks. In accordance with References A - F, you are required to conduct a Protective Security Survey (PSS) of Johnson Hospital Emergency Department. The security risk assessment team (Team) will be facilitated by (Detail name) and consist of (Detail names). You are hereby authorised to have access to all areas of the facility and resources to complete the PSS. Key stakeholders have been identified and will be available to assist the Team in conducting the assessment. Specific details are:
a. The PSS is to commence on (12 Feb 2010) and be completed by (30 Mar 2010);
b. Preliminary PSS findings are to be provided to the Health Service Chief Executive by (insert as applicable, e.g. 30 Mar 2010) and will inform management of the present status of security and asset protection strategies, their suitability and cost effectiveness; and
c. The PSS is to include the following: review of previous incident data, PSS, security surveys, audits or inspections and local crime statistics; asset and resource appreciation; threat assessment; evaluation of current protective security controls and vulnerability assessment; and protective security risk analysis.
The PSS does not include:
a. (insert as applicable, e.g. contents of medical records or personnel files); and
b. (insert as applicable, e.g. a detailed assessment of fire safety systems).
The completed PSS Report will be provided to (Executive Director People and Culture) so that the Risk Treatment Schedule and Plan and the General Security Plan can be developed and implemented at the local level. Queensland Health's Security Consultants will be available to provide additional advice, assistance and support. Assurance is given by (Dr I Gotcha, Johnson Hospital and Health Service Chief Executive Officer) that security risks assessed as being MEDIUM or greater are to be detailed in the Hospital and Health Service Risk Register and security risk treatment strategies implemented.
Dr I GOTCHA
Health Service Chief Executive
Johnson Hospital
Rochedale South QLD 4123
10 January 2010
I acknowledge the above
Mr Henry Bloggs
Security Manager
Johnson Hospital
10 January 2010
PSS Team (Name / Position details / Signature / Contact Details - Email / Phone)
1. PSS Facilitator
2. PSS Team Leader
3. PSS Team Member
4. PSS Team Member
5. PSS Team Member
Identification of key personnel (Name / Position / Contact Details)
- Hospital and Health Service Chief Executive Officer
- Executive Director People and Culture Services
- Director Corporate Services
- Hospital and Health Service Security Coordinator
- Security Manager
- External Security Provider/s: Physical Security; Security Monitoring
- Hospital and Health Service Occupational Health and Safety Manager
- Building Engineering and Maintenance Manager
- Other key personnel (detail)
Issues that may affect the PSS outcome or recommendations
- Are there shared facilities / tenancy which may contribute to security risks? Yes / No
- Are there known structural changes planned (refurbishments, redevelopments)? Yes / No
- Are there any plans for the introduction of new technologies? Yes / No
- Are there known organisational changes (changes to services, org structure)? Yes / No
- Are there any other issues which may affect security risks? Yes / No
General Information
- Number of staff within facility / area
- Number of beds within facility / area
- Number of ED presentations within a defined period (e.g. monthly)
- Is the facility / area designated as an authorised mental health service?
- Number of Emergency Examination Orders (EEO)
- Number of EEO presentations admitted (number and as a percentage)
- Number of Involuntary Treatment Orders (ITO)
- Does the facility have effective resources for safe care/control of mental health patients? Yes / No. (If No, detail what actions are taken, e.g. MH patients transferred by aircraft to XYZ Authorised Mental Health Service)
Protective Security Governance
- Are roles and responsibilities of Security clearly documented? Yes / No
- Are security Standard Operating Procedures or work instructions documented? Do they cover all relevant / foreseeable security tasks? Are SOPs available to relevant staff?
Security Risk Management / Incident Reporting
- Sight or obtain copies of previous: Security Risk Assessment reports; Security audits; Security reviews
- Has a Security Risk Assessment been completed within the last 2 years? Yes / No
- Is there evidence to support that relevant security incidents reported in the Security Incident database are uploaded to IMS and / or Prime so that data is captured? Yes / No
- Review and analyse security incident data
- Sight / obtain copy and review Security Plan
- Sight / obtain copy of Occupational Violence Risk Assessment Reports
- Obtain police crime data relevant to the healthcare facility
- Obtain Computer Aided Despatch (CAD) data (e.g. Calls for Service)
- What services can QPS offer the Health Service?
- What joint projects (Health/QPS) are or can be delivered to the community?
- Comment on the Health / QPS relationship and how to strengthen it
OHS & Fire Safety
- Has the facility / unit completed its annual WHS Checklist Tool? Yes / No
- What is the date(s) of the last QFRS fire safety inspection report(s) covering all buildings? (Fire Safety Implementation Standard)
- What is the date of the last QFRS Clearance Letter confirming the building is legislatively compliant?
- What is the date(s) of the Annual Occupiers Statement for the maintenance of fire safety installations covering all buildings? (Fire Safety Implementation Standard)
Unit / Organisational Security Specifics
- Does an Emergency Preparedness and Continuity Management Plan exist? Yes / No. Comments: Sight. Does the plan include Threat Level Escalation? General Security Plan.
- Is there compliance with Information Security Policy (classification guidelines)? Yes / No. Comments: Are documents marked with appropriate security classification marks? Sight.
- Does the Hospital and Health Service / Facility have security officers (proprietary or contract)? Yes / No
- Are they authorised in writing by DCEO (Security and Asset Protection Implementation Standard)? Yes / No. Comments: Authorisation / register?
- Is there a current Job Description for Security Officers? Yes / No. Comments: Are there current JD / PD for security officers that clearly detail the roles and responsibilities of the position and function?
- Does the training or current competencies of Security Staff meet the task requirements detailed in the Job Description? Yes / No. Comments: Records? Training matrices; training needs analysis? Type and level of training, currency, frequency, appropriateness, provider (internal / external).
- Does the Hospital and Health Service / Facility have Authorised Persons? Yes / No
- Are they authorised in writing by DCEO (Security and Asset Protection Implementation Standard)? Yes / No
- Is security training and awareness of general Staff appropriate? Yes / No. What training and what delivery methods are used? Comments: Security training for all staff (induction; in-service etc.); posters, education materials.
STAGE 2 CRITICAL ASSET / RESOURCE APPRECIATION (i.e. What assets need to be protected?)
Assets
Undertake an appreciation of the assets and assess their criticality against organisational objectives. Note: The process of assigning a criticality rating is to determine the effect the loss of that asset would have upon the organisation's ability to provide services or functions. Hint: Use facility and building plan maps to mark the locations of these assets where possible. The colour code should be used as it will give visual recognition of their location, e.g. RED = MAJOR, ORANGE = IMPORTANT.
Obtain site plan / building plan and mark location of critical assets. Examples include:
- Car parks
- Helipad
- Underground tunnels
- Utilities (mains water; power; communications; sewerage; storm water)
- Hazardous materials storage
- Radiation sources
- Security - location of CCTV, intruder alarm systems, access control systems
- Pharmacy / S8 drug cabinets
- Paediatrics / Newborn
- Morgue
- ICU
- Radioactive materials storage