City of Kenner Homeland Security

Transcription

1 City of Kenner Homeland Security Community Continuity Guidelines for Business and Organization Facilities Risk Assessment/Risk Reduction and Emergency Preparation *This document was funded by the City of Kenner and prepared by the Center for Hazards Assessment, Response and Technology at the University of New Orleans.

2 Your business or organization is housed in or actually manages an office building, school, store, church, shopping mall, warehouse, manufacturing plants, government building, to name common facilities. Because of your location and responsibilities, you have a strong vested interest in identifying physical and biological risks that can threaten your site. You are also concerned with reducing the facilities vulnerability to risks. And, in the unfortunate situation that something serious might happen there, you want to be prepared for an emergency incident. To make the commitment to do these things is not easy. First, to identify risks before a serious event occurs is a psychologically and financially challenging effort. When nothing has yet occurred you ask, why should an investment be made of time, effort and organization resources? 9/11 and recent terrorist acts have unfortunately made this question less difficult to answer. Now it is clear that whatever risks can be reduced in a reasonable, systematic and efficient way (covering as many types of hazards jointly) with all due precautions to citizen rights, it is wise to consider doing so. While risk assessment/reduction activities are not so clearly compelling focused directly on saving lives) as is emergency preparation, the two types of efforts are strong allies. Whomever and whatever you remove from possible harm, will not need to be rescued and rehabilitated. In this spirit we offer you the following general guidelines for risk assessment/reduction and emergency response preparation. 2

3 General Risk Assessment / Risk Reduction* 1. Evaluate access to property. Evaluate access to property. This includes both clarifying number of needed entrances and reducing the number of unlocked entrances if at all possible while remaining in compliance with building codes and access laws. For Visitors: consider requiring all visitors to enter through one specific entry. For Employees: consider reducing the number of unlocked or unattended entries/exits they can use; limit the number of unlocked/ unattended doorways; discourage employees from propping doors open while unattended. For Suppliers/Vendors: consider requiring them to enter through one specific point. Determine if some exits can be converted to emergency only exits in which an alarm sounds if opened. Consider delayed opening on emergency doors where permitted. Have employees, visitors, clients, and vendors park in designated areas and control access to onsite parking. Require employees to display parking decals on their vehicles. If appropriate, require visitors, clients, and vendors to display a visitor parking decal. Consider enclosing property with fence and limited access gates. Access should be limited to those persons who have legitimate reasons for being 1 in the facility. The wearing of employee identification cards will help to insure this condition. Confirm that identification is collected from former employees as part of the employee exit procedures. Monitor access to facilities. Staff entrance(s) with greeters (the Wal-Mart method) to permit identification of appropriate users and to discourage others from entering because of the presence of the person. If necessary, utilize security guards or electronic locks. o Develop written standard operating procedures for handling unwanted guests. Distinguish between mandatory and optional procedures. Include legal staff in drafting these procedures to ensure that the correct language is utilized. o Train staff on how to follow standard operating procedures and how to enforce them. * Please keep in mind that the following recommendations are general in nature. Some of the suggestions may not be relevant to your business or facility. 3

4 Where appropriate, have visitors, clients, and/or vendors sign in and receive company visitor identification (for individuals and their vehicles). Where appropriate, have visitors, clients, and/or vendors escorted by an employee during their time in the facility. Consider implementing a key card system to restrict access to areas containing hazardous materials and/or confidential information. (Evaluate levels of vulnerability in your facility. Higher levels of vulnerability will need higher levels of security.) Consider the use of security cameras at all entrance points and inside the facilities (where there is no reasonable expectation of privacy) and realtime monitoring of these images by security personnel. Install alarms at all possible entrance points to also indicate any illegal entry. o Have security personnel monitor the facility s grounds and parking areas in addition to the facility s structure. Utilize good exterior lighting of building s (access points) and outdoor area to discourage unlawful entrance. Identify possible means of access to electrical and ventilation system. Take steps to prevent any unauthorized access to air intakes, exhausts and power source. Keep building plans secure from unauthorized access. Identify official responsible for storing plan and for maintaining list of who has copies of plan or access to its storage location on or off site. 2. Establish mail-opening procedures. Limit mail opening to employees only. Limit number of employees who open mail. Restrict mail-opening activities to specific area within the facility. If possible, place your mailroom close to loading dock to limit the transport of packages through the facility. All mail should be worked in a location that can be isolated both physically and mechanically (mechanically refers to HVAC systems) in the case of a threat or release. Educate staff to recognize suspicious packages and provide training on the proper procedures to follow if a suspicious package is identified. Refer to the U.S. Postal Service s recommendations for general mail operation. 3. Evaluate the condition and operation of the building heating, ventilation and air conditioning system (HVAC). Assess facility's ventilation system to determine how chemicals might be introduced into it. Secure access to such locations. Specify those employees who are authorized to access these locations and make certain that these employees are clearly identified in advance. 4

5 If a chemical were released into the system, determine if and how such plume could be quickly contained (e.g., emergency shut-down procedures). Identify and train employees to manipulate system to quickly clear or slow the spread of a chemical or biological agent. Establish or modify evacuation procedures such that, in case of an indoor release, employees, customers, visitors, etc. should know where to exit the building and congregate upwind at least 700 feet away. Create safe areas through modification of the air system in case of an outdoor hazardous release. Test modifications for functionality and retest on recommended schedules. Upgrade particle filters to reduce the risk of spreading biological agents via the air system and seal gaps to prevent other means of contamination. Consider separate air exhaust systems for high-risk locations such as mailrooms or loading docks to reduce spread of any hazardous agent. Weatherize the building by sealing any cracks around doors and windows to reduce possible outdoor contaminants from entering the building. Consider the energy conservation benefits in addition to security measures. 4. Consider the presence/circulation of onsite hazardous chemicals. Conduct and maintain a current inventory of hazardous chemicals that are stored on site such as cleaning chemicals, large amounts of raw materials, etc. If possible, consider alternate processes that would utilize lower quantities of or less dangerous hazardous chemicals or less pressurized systems. Ensure that chemicals are properly labeled and stored. o Verify that the labels include instructions in the event of an emergency. o Assess if the materials are still needed, or needed in the amounts stored. Ensure that there is not an excessive or inappropriate amount of hazardous material being stored. Restrict access to hazardous materials, where appropriate. Store in a secured location (locked) and limit access to designated employees. Keep a file of Material Safety Data Sheets (MSDS) on any chemical stored on site in a large or reportable quantity federal regulations. MSDS can be obtained through the chemical manufacturer. If reportable quantities of a hazardous chemical are stored on site, make sure to follow all federal regulations (e.g. SARA Title III, Tier II, 29 CFR , etc.) regarding the handling and reporting of these chemicals. 5

6 5. Develop data and computer equipment protection procedures. Establish procedures to backup and recover computer data. The computer equipment can be replaced but once lost, your data is gone forever without some type of backup and recovery plan in place. Utilize cds for long-term storage of data. Alternatively, data can be backed up across a network to a computer located at a secure off-site location. The latter option can be provided by a commercial service or another branch of the business. Consider the use of backup and recovery software that will automate the backup process. Protect backup media (cds or tapes) by storing in a fireproof container, vault, or at an off-site location. Daily backups should be performed on a rotated set of media providing multiple days of backups and a point-in-time recovery option. The following is a recommended media rotation schedule: Daily: Utilize one set of medial for each day of the week, Monday through Thursday. Backups should be made at the end of each day and clearly labeled. Weekly: Set aside a rotating set of media for five weekly backup sets. Backups should be made at the end of every week on Friday. Utilize new media for each Friday of the month. Recycle set every month. Monthly: Keep three sets of media for monthly backups that follow the same process as weekly backups. Backups are made at the end of every month copying over the oldest monthly media. Yearly: Backup data at the end of each fiscal and calendar year. These backups should be logged and securely filed. These backups should be kept permanent records and should not be recycled. Consider the useful life of media and systematically replace according to the manufacturer s recommendations. Test the backup and recovery process. Periodically verify that the process and media are in fact working by retrieving a file from the backup as a test. These tests will reveal any problems caused by deteriorating media or improper configurations of the backup software. Protect data against deliberate internal and external attacks. Create a firewall using software or hardware to protect against unauthorized entry into the network. This is especially critical with high speed always-on internet connections provided by cable modems and DSL. Configure all computers on the network to require passwords. Passwords should be considered confidential and should be changed regularly. Physically locate computer equipment in areas of controlled access to guard against theft and/or unauthorized access. 6

7 Protect against computer viruses. Microsoft releases frequent updates or patches to correct security loopholes in its Windows operating systems. Download and install all available patches and check for new ones often. Install anti-virus software and keep it updated. Avoid opening attachments from unknown parties. Avoid unnecessary downloading of information directly to the pc or file swapping with outside sources. Refrain from downloading free programs, screen savers, or other applications unless they are from known safe sources. Sometimes known as shareware, these applications may contain codes to capture keystrokes and otherwise monitor your activity, potentially exposing credit card or other personal information. Establish procedures to protect computer equipment. To protect computer equipment and peripherals from electrical power fluctuations, connect them to an uninterruptible power supply (UPS). In addition to providing protection against power problems, a UPS can keep a computer running during a blackout long enough to affect a controlled shutdown. To protect computer equipment in the event of extreme weather conditions, consider shutting down equipment and disconnecting it from power, network, and telephone connections. In addition, elevate equipment and cables and move away from windows and doors. Consider special fire suppression systems in records rooms where sprinkler systems (water) will destroy what is being protected. 7

8 General Emergency Preparation 1. Develop a written Emergency Plan that covers more than just fire. This will require the following steps: Establish a planning team (include all levels of management, labor, human resources, engineering and maintenance, safety, health and environmental affairs, public information officer, security, community relations, sales and marketing, legal and finance and purchasing). Establish a timeline for the planning and implementation of the plan. Develop a budget to include plan development, printing, training, and other necessary expenses including costs of research, seminars, consulting services, etc. Identify applicable federal, state, local regulations and organizational policies. Consider Occupational Safety and Health Administration (OSHA) regulations, environmental regulations, fire codes, transportation regulations, zoning regulations, and corporate policies if applicable. o Assess whether the facility conforms to these regulations and policies and whether these regulations and policies are adequate to manage the identified risks. If they are not adequate, determine what additional measures or resources are needed. Identify internal resources that could be utilized in an emergency and assign responsibilities. Personnel: o Who will be responsible for the following: directing evacuations; public relations; employee relations; onsite emergency operations (damage assessment, salvage and repair operations; fire suppression; internal hazardous materials response team, first aid, security). Equipment: o What support/backup systems are available: emergency power equipment; communications equipment (phone, fax, internet); fire protection and suppression equipment; warning systems; first aid supplies; preliminary decontamination equipment. Establish critical incident scenarios most likely to occur within the facility. Develop emergency plans based on the possible scenarios such as: o Facility partially destroyed due to fire, flood, or other event o Facility contaminated via ventilation system o Employees quarantined at home and unable to work for 3 weeks o Facility becomes part of crime scene investigation (e.g. shooting at work) 8

9 Consider location and other factors unique to the facility throughout the planning process. Determine if building is located within a vulnerable zone (near transportation lines, chemical plants, etc.) Include key employees in the planning stages. Keep all employees informed about the overall process including their roles in the Plan. Also include local emergency officials in the planning process. 2. The Emergency Plan should include: A list of Emergency Response Team members and their specific responsibilities. The team should be well trained on applicable emergency legal standards for emergency response (e.g., 29 CFR , NFPA 472, and OSHA standards). Specific responsibilities may include: o main decision-making (should the building be evacuated, etc.); o contacting authorities (fire department, police, etc.); o providing instructions to building occupants; o controlling the HVAC system as needed (to reduce spread of airborne hazardous materials), o establishing/coordinating first aid activities, o fire brigade, o hazardous materials response team o security o public information officer o coordinator with government representatives (in case of curfew, EPA hazards, OSHA concerns, etc.) A written chain of command for the Emergency Response Team including names and titles of employees responsible for each task. A Communications Plan. Create an emergency call list of all people on and off-site who would be involved in responding to an emergency. Each member of the Emergency Response Team should have copy of the contact list at work and at home. Post emergency 24-hour telephone numbers at facilities in highly visible areas. Provide these numbers to Team members and local response officials. Train employees and post procedures for communications during a potential emergency situation. o Develop and post procedures to warn employees, customers, visitors, etc. of a potential emergency situation. o Establish procedures for personnel to communicate with emergency responders and corporate office if applicable in the event of an emergency. Provide detailed directions on how to report various types of emergencies (include agency/person to contact and what information to provide). o Establish method for contacting employer to determine employee work status in the wake of an emergency 9

10 Plan for alternative means of communication in case phone system is down and cellular phones are not operational (e.g. runners, satellite phones, twoway radios). Building and site maps that include utility shutoffs, circuit breakers, and substations water hydrants, water main valves, water lines, gas main valves, gas lines, storm drains, sewer lines, location of building, floor plans, alarm and enunciators, fire extinguishers, exits, stairways, designated escape routes, restricted areas, hazardous materials o Including lists of any toxic materials that may be harmful to humans or the environment, storage procedures, handling/cleanup procedures, utilization procedures, and first aid procedures. The records and database for facilities and equipment should be located in one, secure location and a chain of command should be established for access with more than one person with access and familiarity of the documents. An Evacuation Plan. Develop and post floor plans clearly indicating emergency escape routes and safe areas. Make sure that plan complies with and addresses all fire codes (i.e. requirements for signage, lighting, storage). Include procedures for accounting for all individuals including non-employees in the facility. Designate a meeting site outside the facility for employees. Establish employee groups. Identify person(s) responsible in each group for accounting for members of that group. Provide copy of plan to appropriate employees and inform employees of location of the safely stored document. Share plan and information with other corporate locations. Regularly review plan and update as necessary to reflect current events and technological advances Evaluate existing emergency related policies and procedures. Does the organization have: A building/plant closing policy that contains clearly written instructions for shutting down equipment and other business activities and list those who are responsible for these tasks in case of an emergency. A hazardous materials policy that lists any toxic materials that may be harmful to employees, customers and surrounding area. Maintain Material Safety Data Sheets (MSDS) on these materials describing necessary precautions in handling, storing, and utilizing them. These Material Safety 10

11 Data Sheets will also contain related first-aid procedures. MSDS can be obtained through the manufacturer of the material(s). Regularly scheduled safety and health programs for all employees. Fire protection procedures to avoid potential fires and to extinguish them if possible. Finance and purchasing procedures for activities related to emergency preparedness including purchasing necessary equipment and training personnel. Identify those activities that be contracted for in advance of an emergency event such as transportation needs. Insurance programs that will allow a business to fully recover in the event of an emergency event. If these policies and procedures do not exist, it is recommended that they be created in conjunction with the emergency plan. 3. Conduct training and emergency drills/exercises. Require that all employees to attend regularly schedule orientation and education sessions. Provide information about threats, hazards, and protective actions. Review emergency plan with all employees and provide an outline of the plan to them. Inform employees of their roles and responsibilities during an emergency and survey each of them on their level of knowledge. Prepare checklists for all offices. Include local emergency management officials in presentation of plan to employees. Frequently conduct emergency drills. Types of drills include: Tabletop (discussion of plan in action) for Emergency Response Team members Functional Exercises (simulate real emergency in walk-through drill) Full-Scale Exercises (using actual equipment and in the case of very large organizations, local Office of Emergency Preparedness officials and first responders should be included) Evaluate drills for strengths and weaknesses. Determine if any additional resources are needed. Evaluate coordination efforts to reveal any means of improvement. Verify that the roles and responsibilities of each employee are clearly specified and understood. Determine if drills are conducted in a timely manner. Monitor responses in terms of incident command system. If necessary, revise plan to reflect lessons learned during exercises. 11

12 Acknowledgments We would like to acknowledge the assistance of the following individuals in the development of this document: Ann S. Angelheart, Hartman Engineering, Inc., William C. Nicholson, Solutient, Inc, and David Tibbets. References The Appropriate and Effective Use of Security Technologies in U.S. Schools: A Guide for Schools and Law Enforcement Agencies. National Institute of Justice Research Report. Critical Infrastructure Protection R & D. Critical Infrastructure Assurance Office. Emergency Management Guide for Business and Industry. Federal Emergency Management Agency. Emergency Response Guidebook. Department of Transportation. Emergency Responder Guidelines. Office for Domestic Preparedness. 1 August Hospital Disaster Plan. Wisconsin Department of Health & Family Services. Lawrence Berkeley National Laboratory. Advice for Safeguarding Buildings Against Chemical or Biological Attack. Indoor Environment Department. Millar, Fred. Ten Action Steps for Parents, Teachers and School Officials. Worst Case Scenario: Terrorism and Industrial Chemicals Solutient, Inc. October, Computer Systems Disaster Preparation and Recovery, Steps to Reduce Your Risk. United States Postal Service; ( Occupational Safety & Health Administration, U.S. Department of Labor 12