Employee: Refers to all regular full-time, part-time, temporary, casual and fixed-term employees of the Company.

Transcription

1 Policy Name: Corporate Security Policy Number: A140 Policy Owner: Director Global Security Policy Approver: Chief Legal Officer Approval Date: January 15, 2013 Policy Statement: The purpose of the Corporate Security Policy is to establish guidelines to assist management in the implementation of security initiatives designed to facilitate business, protect employees and contractors, limit corporate liability and safeguard Nexen property, business operations, reputation and proprietary and personal information from hostile or criminal acts. Nexen will take all reasonable steps to ensure that its security operations do not adversely affect the human rights of those impacted by its operations. Our security practices will be conducted in a manner that respects Nexen's Human Rights Policy (A105), the United Nations Universal Declaration of Human Rights and other international humanitarian law. 1. Definitions Employee: Refers to all regular full-time, part-time, temporary, casual and fixed-term employees of the Company. Chief Legal Officer The person holding the most senior legal position concerning legal affairs in the Company. Contractor (or Contract Personnel): Refers to any person or corporation who supplies materials, labour or services to the Company. Director, Global Security The person assigned to oversee and manage Nexen s security procedures. Security procedures: A series of security related actions or processes designed, developed and recommended for the implementation of this policy. Nexen (or the Company) Refers to Nexen Energy ULC and its majority owned subsidiaries and affiliates for which it has managerial responsibility. 2. Objectives The objective of this policy is to ensure that Nexen maintains a level of security in compliance with legislated requirements which: [NXID: ] Page 1 of 8

2 Safeguards its employees, contractors, and members of the public from harm, including hazards associated with trespass and intrusions at Company facilities; Safeguards the Company s reputation; Deters unlawful acts against the Company; Assists in the preservation of the peace; Prevents damage to and loss of Company assets, including proprietary and sensitive corporate information. 3. Persons Affected All Nexen employees and contractors must comply with the requirements of this policy. 4. Policy 4.1 Overview Corporate Security will provide management with assistance in the following areas to ensure business and security objectives are met: Development and implementation of physical and personnel security procedures, programs and plans; Employee and contractor protection; Security vulnerability assessments and security reviews; Training programs to increase awareness of security issues and regulations, including sabotage events; Investigations into security related incidents and criminal allegations; Crisis management; Liaison with law enforcement, intelligence agencies, military and security industry contacts; Procedures for communicating security issues and concerns, threats and sabotage events to appropriate parties; Preparation of guidelines for responding to security issues, threats and sabotage events. In order to ensure the above objectives are met, Corporate Security will: Conduct assessments to monitor threats and risks to the Company from within and from local, national and international environments in which the Company operates, including recommending appropriate counter measures; [NXID: ] Page 2 of 8

3 Provide advice to the executive and Nexen Energy ULC s Board of Directors on security issues and concerns; Develop profiles in relation to international operations for risk analysis purposes; Develop security programs and provide advice to both Division and Local Management and employees and contractors in order to ensure effective employee/contractor/dependent protection in all workplaces and particularly in medium and high risk zones; Conduct security inspections, audits, reviews and/or security vulnerability assessments at a minimum of every three years at all Company operations and properties, including subsidiary companies and non-operator joint ventures in which the Company has a significant interest. 4.2 Employee and Contractor Protection Employees and contractors are primarily responsible for their own security and that of their dependents. They are required to report all direct and indirect knowledge of actual or potential threats, security incidents or risks to the Company or its employees and contractors, to Company management, the locally established security department, or Corporate Security. Employees and contractors assigned to work in medium and high risk zones must comply with personal security directives and advice provided by the Director, Global Security, local security departments and local management. Management is responsible for ensuring that employees and contractors working in medium and high risk zones, individually or accompanied by dependents, are afforded adequate protection consistent with the threat. Corporate Security is responsible for developing security programs and providing advice to management in terms of effective employee/contractor/dependent protection in medium and high risk zones. The international security environment is dynamic. The risk profile of particular regions and countries is commonly subject to change. The Corporate Security Department will continually assess the international environment and designate low, medium and high risk zones. Corporate Security, as well as locally established security departments, will provide security briefings to employees, contractors, and dependents required to travel to locations in medium and high risk zones. Corporate Security will be advised by way of the automated TAR (Travel Approval Request) process or by other means of all international corporate travel to medium and high risk destinations. The department will ensure that travel security advice is available to all corporate travelers. The means of providing such advice will vary depending on the security assessment of the destination, and may include the provision of general [NXID: ] Page 3 of 8

4 travel security advice available on the Loop or specific travel security advice delivered by or by way of a personal security briefing. 4.3 Executive Committee Travel Protection Corporate Security will be advised of intended international travel by executive committee members as early as possible. The department will provide a security assessment of each executive travel destination to determine if the destination poses a low, medium or high security risk. If the destination is assessed as medium or high security risk, a travel security plan and briefing will be delivered to the traveler. If the destination is high risk, consideration, through discussion between the traveler and the Director, Corporate Security, will be given to the provision of executive protection (e.g. accompany the traveler and provide close personal protection). 4.4 Security Threats Proper response procedures to a variety of security threats will ensure that a safe and secure work environment is maintained for all employees and contractors, the general public and emergency personnel while safeguarding Company assets from damage and loss. Corporate Security will provide advice establishing consistent procedures and guidelines for responding to and communicating with management in regards to the full range of security-related threats. 4.5 Incident Reporting All security related incidents must be reported to Corporate Security where they are recorded in the Lotus notes database. 4.6 Investigations Corporate Security will investigate security incidents and criminal allegations, assist in investigations, review and monitor security violations and occurrences to determine security vulnerabilities and ensure corrective action is taken. The department will investigate threats to employees and contractors or property to determine their validity and the requirement for additional security. Preliminary enquiries into suspected unlawful or unauthorized activities, to determine basic circumstances, are the responsibility of local management. All such cases will be reported to the Director, Global Security, as soon as practicable. If there is any possibility that preliminary enquiries may adversely affect a subsequent detailed investigation, preliminary enquiries should be deferred and the matter referred to a locally established security department or Corporate Security. [NXID: ] Page 4 of 8

5 The Director, Global Security, is accountable for ensuring that appropriate investigations are conducted and for rendering reports thereof to the Chief Legal Officer. The Chief Legal Officer may direct the Internal Audit Department to participate in the investigation of any aspect of suspected unauthorized or unlawful activity affecting the Company. If preliminary enquiries or investigation indicate that an employee, supplier, customer, contractor or partner is a party to serious unauthorized, unethical or criminal activity in relation to the Company, no prosecution or disciplinary action will be taken against the person or Company without prior corporate review. Corporate review must be undertaken by the Chief Legal Officer; the Vice President, Human Resources and the Director, Global Security. 4.7 Special Security Measures Special security measures, including the engagement of armed security personnel, may be assigned to Nexen facilities as a result of a threat or increased risks based on a recommendation of division management and the Director, Global Security, and with the approval of the Chief Legal Officer. Special security measures may be applied to or assigned to employees and contractors, including their families, who are exposed to increased risks due to Company related responsibilities based on a recommendation of division management and the Director, Global Security, and with the approval of the Chief Legal Officer and the Vice President, Human Resources. 4.8 Security Guards The decision to contract security guard services rests with division or local management, in consultation with the Director, Global Security. Security guard contracts should conform to contract guidelines developed by local or corporate legal departments. As a general rule, security guards will not carry firearms in the course of carrying out their duties, unless; a. Approval in principle to carry firearms has been obtained from the Director, Global Security per 4.7; and b. Such guards have received firearms training to a level approved by the Director, Global Security. [NXID: ] Page 5 of 8

6 4.9 Facility Security Standards Division management or locally established security departments, in consultation with the Director, Global Security, are responsible for implementation of physical security standards. Corporate Security will provide management with consulting services as well as advice and expertise on the development and implementation of physical security standards Identification Cards All employees/contractors and consultants will be issued a security access card. A security access card request form must be filled out for each new employee or contractor. This form must be approved by the appropriate manager. At facilities where automated access control systems are in place, access control and approved identification cards may be combined. All Company identification cards will comply with the standard design developed by the Corporate Administration Department and Corporate Security Access Control Division management or local established security departments will develop and implement local procedures to effectively control the access and egress of persons, vehicles, equipment and materials from all operating facilities, as well as corporate, subsidiary and district offices. All persons are required to produce valid photo identification and local management authorization prior to accessing a Nexen facility. Corporate Security will provide management with consulting services as well as advice and expertise on the development and implementation of access control measures Information Technology Information technology and the supporting processes, systems, and networks are business assets that are critical for a safe, secure and reliable workplace. Information technology security is achieved by developing and applying sound security practices that are commensurate with the risks to assets to ensure specific security and business objectives are met. In support of IT Security, Corporate Security will conduct security vulnerability assessments and provide advice with respect to physical security measures for the Company s Information Technology infrastructure and site locations. [NXID: ] Page 6 of 8

7 4.13 Control Systems Security Control systems have characteristics that differ from traditional information technology systems. Security breaches can pose significant risk to people, damage to the environment, as well as have serious financial implications, such as production losses and the compromise of personal and propriety information. Control systems security is achieved by developing and applying sound security practices that are commensurate with the risks to assets to ensure specific security and business objectives are met. In support of Nexen control systems, Corporate Security will conduct security vulnerability assessments and provide advice with respect to physical security measures for the Company s control systems infrastructure and site locations Security Awareness and Training The Company s security programs rely on the diligence of employees and contractors to protect employees, contractors, assets, facilities and reputation from harm. Security awareness training will be provided on a variety of topics including: security threats and countermeasures, recognizing suspicious activities, persons or objects, bomb threat response plans, handling suspicious mail/packages and reporting security incidents. Training will be provided to all employees and contractors. 5. Roles and Responsibilities The Director, Global Security, has specific overall security responsibility and accountability for Nexen corporate security activities and operations. Division management, supported by Corporate Security, is responsible for implementation and maintenance of Nexen security systems and programs. Division management is responsible for reporting actual or potential threats or risks to Corporate Security as soon as possible after knowledge is received. Company management is responsible for ensuring that employees and contractors working in medium and high-risk zones, individually or accompanied by dependents, are afforded adequate protection consistent with the threat. Local management has the primary responsibility for implementing approved security recommendations. 6. Compliance All Nexen employees and contractors are required to comply with the Company s Corporate Security Policy. [NXID: ] Page 7 of 8

8 7. Location Specific Procedures The following Nexen global locations have security departments and site specific security procedures which provide further guidance in support of this policy: Long Lake, Alberta; Colombia; Yemen; Nigeria; United Kingdom. 8. Revision History: DATE REVISION # DESCRIPTION OF CHANGE June 18, th Revision - Administrative changes relating to name change to Nexen Energy ULC, board and executive title changes and dissolution of Board Committees where applicable. January 15, rd Revision - Content updated to comply with policy standards October 17, nd Revision - Miscellaneous changes September 25, st Revision - Miscellaneous changes January 1, 1995 Policy Creation - New Policy created and approved [NXID: ] Page 8 of 8