MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0



Similar documents
ISO Controls and Objectives

ISMS Implementation Guide

REQUIREMENTS RESPECTING THE SECURITY OF OFFSHORE FACILITIES

National Infrastructure Protection Center

University of Sunderland Business Assurance Information Security Policy

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Section VI Principles of Laboratory Biosecurity

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Winning Initiatives and Best Practices for Physical Security

Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF)

ISO27001 Controls and Objectives

Data Management Policies. Sage ERP Online

Committed to Environment, Health, & Safety

Palm Beach State College Security Plan

Procedure for Managing a Privacy Breach

CISM Certified Information Security Manager

INFORMATION TECHNOLOGY SECURITY STANDARDS

Your Agency Just Had a Privacy Breach Now What?

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Select Agent Program Workshop November 16, Agricultural Select Agent Program (USDA/APHIS) CDC Select Agent Program (HHS/CDC)

A Risk Assessment Methodology (RAM) for Physical Security

HIPAA Security COMPLIANCE Checklist For Employers

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Supplier Information Security Addendum for GE Restricted Data

Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries. May 2003

OH&S Management Systems Audit Checklist (NAT, E3)

Shell s Health, Safety and Environment (HSE) management system (see Figure 11-1) provides the framework for managing all aspects of the development.

Risk Management Handbook

Business Continuity Planning and Disaster Recovery Planning

White Paper on Financial Institution Vendor Management

Title: Rio Tinto management system

INFORMATION SECURITY PROCEDURES

Oil & Gas Industry Towards Global Security. A Holistic Security Risk Management Approach.

SECURITY VULNERABILITY CHECKLIST FOR ACADEMIC AND SMALL CHEMICAL LABORATORY FACILITIES

Intel Enhanced Data Security Assessment Form

PII Compliance Guidelines

NSW Government Digital Information Security Policy

Security Management Plan

Performing Effective Risk Assessments Dos and Don ts

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

No. 33 February 19, The President

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

Virginia Commonwealth University School of Medicine Information Security Standard

Guidelines for Setting up Security Measures to Stop Domestic Violence in the Workplace

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

Guidelines 1 on Information Technology Security

A Comparison. Safety and Health Management Systems and Joint Commission Standards. Sources for Comparison

Implementation of a Quality Management System for Aeronautical Information Services -1-

Summary of CIP Version 5 Standards

Overview of Business Continuity Planning Sally Meglathery Payoff

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

October Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition

ENVIRONMENTAL, HEALTH & SAFETY MANAGEMENT SYSTEMS MANUAL

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Music Recording Studio Security Program Security Assessment Version 1.1

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

NIST National Institute of Standards and Technology

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Risk Management. Policy

Legislative Language

RiskManagement ESIEE 06/03/2012. Aloysius John March 2012

Emergency Preparedness Guidelines

FSIS Security Guidelines for Food Processors

UF Risk IT Assessment Guidelines

Security Vulnerability Assessment

Ten Tips for Completing a Site Security Plan

CTR System Report FISMA

State of Vermont. Physical Security for Computer Protection Policy

Information Security Program Management Standard

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Supply Chain Security Audit Tool - Warehousing/Distribution

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Todd & Cue Ltd Your Business Continuity Partner

SYRACUSE CITY SCHOOL DISTRICT

Homeland Security for Schools: Threat Status Alert Worksheet

June 2010 HEALTH, SAFETY, AND ENVIRONMENT MANAGEMENT SYSTEM (HSEMS)

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary

Business Continuity Planning for Schools, Departments & Support Units

Table of Contents ESF

CRITICAL/NON CRITICAL INCIDENT MANAGEMENT AND REPORTING PROCEDURE

Operational Risk Publication Date: May Operational Risk... 3

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Jonathan Wilson. Sector Manager (Health & Safety)

Supplier Security Assessment Questionnaire

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

SCS1. UNIT TITLE: MAINTAIN HOTEL SECURITY

IOWA LABORATORIES FACILITIES PHYSICAL SECURITY PLAN

Oil and Gas Industry A Comprehensive Security Risk Management Approach.

The anglo american Safety way. Safety Management System Standards

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

Human Services Quality Framework. User Guide

R000. Revision Summary Revision Number Date Description of Revisions R000 Feb. 18, 2011 Initial issue of the document.

SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK. A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL

Transcription:

MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control: Version Date Author Change Description Rev. 0 June 13, 2008 Tom Munro Originating Document

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 CONTENTS PAGE 1.0 PURPOSE... 3 Security Governance... 3 2.0 SCOPE... 3 3.0 RESPONSIBILITIES... 3 3.1 Major Projects Safety Department... 3 3.2 Major Projects Safety Coordinator... 3 3.3 Project Management (Off-Site)... 3 3.4 Project Management (Site)... 4 3.5 Project Craft Inspection Staff... 4 3.6 Project Safety Inspection Staff... 4 4.0 REFERENCES... 4 5.0 DEFINITIONS & ABBREVIATIONS... 4 5.1 Definitions... 4 5.2 Abbreviations... 7 6.0 STANDARDS... 8 6.1 Security Management Program... 8 6.2 Security Risk Management... 8 6.3 Security Incident Management... 10 6.4 Physical Security... 12 6.5 Site Specific Security Plan Requirements... 13 6.6 Change Management Process... 14 6.7 Validation and Evaluation... 15 7.0 ATTACHMENTS... 16

1.0 PURPOSE Security Governance The Enbridge Major Projects Security Plan is intended to reduce the vulnerability of employees, contractors, and facilities to security threats. Security governance involves setting organizationwide policies and procedures that define how the Security Management Plan should be appropriately integrated into the overall management systems of Enbridge and the Prime Contractor. Security governance includes management commitment and accountability. Security Policies and Procedures provide clear direction, commitment, responsibility, oversight and define the security environment for Enbridge and the Prime Contractor. 2.0 SCOPE This Standard applies to all Enbridge Major Projects. 3.0 RESPONSIBILITIES 3.1 Major Projects Safety Department Make provisions for continuous improvement, oversight, and review of the construction Security Management Program. Develop and maintain Standards and Templates that provide clear direction, accountability, and oversight for the construction Security Management Plans. Review the Project Security Management Plan prior to distribution 3.2 Major Projects Safety Coordinator Coordinate the development of the Project Security Management Plan by Enbridge Project Management. 3.3 Project Management (Off-Site) Ensure full implementation of all provisions of the Enbridge Inc. Enterprise Security Policy. Verify a Project Security Management Plan is developed for each project. Review the Project Security Management Plan prior to distribution Verify that the project is compliant with the standards contained within the Project Security Management Plan through auditing and observation Make available sufficient resources to provide ongoing technical support and training for the Prime Contractor in the identification and implementation of project-specific requirements pursuant to the provisions of the Security Management Program. Page 3 of 16

3.4 Project Management (Site) Develop and approve the Project Security Management Plan prior to mobilization. Complete regular revisions of the Project Security Management Plan as project conditions change. Make Contractors aware of the standards in the Project Security Management Plan. Sufficient resources to ensure that the Prime Contractor is in compliance with the overall Security Management Plan. 3.5 Project Craft Inspection Staff Review, implement and maintain the standards in the Project Security Management Plan 3.6 Project Safety Inspection Staff Coordinate the implementation, coordination, distribution and communication of the standards in the Project Security Management Plan. Make certain the Project Security Management Plan is current 4.0 REFERENCES Enbridge Inc. Enterprise Security Policy Enbridge Inc. Security Vulnerability Assessment Methodology and Physical Security Survey Guidelines Security Guidelines for the Petroleum Industry - American Petroleum Institute (API), 2003 Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries - American Petroleum Institute (API)/ National Petroleum & Refiners Association, 2003 Security Guidelines Natural Gas Industry Transmission and Distribution - Interstate Natural Gas Association of America, American Gas Association, American Public Gas Association, September 6, 2002 5.0 DEFINITIONS AND ABBREVIATIONS 5.1 Definitions The following definitions apply in this Standard: 5.1.1 Access Control The control of persons, vehicles and materials through entrances and exits of a protected area: an aspect of security that often utilizes hardware systems and specialized procedures to control and monitor movements into, out of, and within a protected area. Access to various areas may be limited to place or time, or a combination of both. Page 4 of 16

5.1.2 Adversary Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to critical assets. An adversary could include intelligence services of host nations, or third party nations, political and terrorist groups, criminals, rogue employees, and private interests. Adversaries can include site insiders, site outsiders, or the two acting in collusion. 5.1.3 Alert Levels 5.1.4 Asset Describes a progressive, qualitative measure of the likelihood of terrorist actions, from negligible to imminent, based on government or company intelligence information. Different fixed or variable security measures may be implemented based on the level of threat to the facility. Any person, environment, facility, material, information, business reputation, or activity that has a positive value to an owner. The asset may have value to an adversary, as well as an owner, although the nature and magnitude of those values may differ. Assets in the SVA include the community and the environment surrounding the site. 5.1.5 Asset Characterization The systematic identification and ranking of facility assets that, if destroyed or damaged due to criminal activity or other hazards, could potentially result in significant adverse consequences to the owner/operator. Asset characterization can include surrounding and supporting infrastructure. 5.1.6 Countermeasures An action taken or a physical capability provided whose principal purpose is to reduce or eliminate one or more vulnerabilities. The countermeasure may also affect the threat(s) (intent and/or capability) as well as the asset s value. The cost of a countermeasure may be monetary, but may also include non-monetary costs such as reduced operational effectiveness, adverse publicity, unfavourable working conditions, and political consequences. 5.1.7 Critical Facilities Systems and assets, whether physical or virtual, so vital to the company that the incapacity or destruction of such systems and assets would have a debilitating impact on people, the environment, property, or the economic viability of the company. 5.1.8 Critical Infrastructure Systems and assets, whether physical or virtual, so vital to Canada that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters. Page 5 of 16

5.1.9 Intrusion Detection System A system combining mechanical or electrical components to perform the functions of sensing, controlling, and announcing unauthorized entry into areas covered by the system. 5.1.10 Perimeter An outer limit or boundary that protects another area 5.1.11 Physical Security 5.1.12 Risk Security systems and architectural features that are intended to improve protection. Examples include fencing, doors, gates, walls, turnstiles, locks, motion detectors, vehicle barriers, and hardened glass. The potential for damage to or loss of an asset. Risk, in the context of process security, is the potential for catastrophic outcome to be realized. 5.1.13 Risk Analysis A detailed examination including risk assessment, risk evaluation, and risk management alternatives, performed to understand the nature of unwanted, negative consequences to human life, health, property, or the environment; an analytical process to provide information regarding undesirable events; the process of quantification of the probabilities and expected consequences for identified risks. 5.1.14 Security Governance A documented management framework to ensure that security threats to business operations are identified and associated risks are managed with appropriate safeguards and response procedures to minimize the impact of security occurrences adversely affecting people, property, the environment and economy. 5.1.15 Security Management Program An on-going process to ensure that security threats and associated risks are identified and managed with appropriate mitigation and response procedures to prevent and minimize the impact of security incidents adversely affecting people, environment, property and the economic stability. 5.1.16 Security Incident A security-related occurrence or action likely to lead to death, injury, or monetary loss. An assault against an employee, customer, or supplier or company property would be one example of a security incident. 5.1.17 Security of Information Information obtained or developed in the conduct of security activities. Page 6 of 16

5.1.18 Security Vulnerability Assessment (SVA) A systematic, analytical process in which potential security threats and vulnerabilities to facility or system operations are identified and the likelihood and consequences of potential adverse events are determined. NOTE: 5.1.19 Threat SVAs can have varying scopes and can be performed at varying levels of detail depending on the operator's objectives. For information on an industry specific SVA methodology see the American Petroleum Institute Security Guidelines for the Petroleum Industry at www.api.org Any indication of impending harm or danger, circumstance, or event with the potential to cause the loss of, or damage to an asset. Threat can also be defined as the intention and capability of an adversary to undertake actions that would be detrimental to assets. A threat can also be a declaration of an intention or determination to cause harm. 5.1.19 Vulnerabilities Any weakness that can be exploited by an adversary to gain access to an asset. Vulnerabilities can include but are not limited to building characteristics, equipment properties, personnel behaviour, locations of people, equipment and buildings, or operational and personnel practices. 5.2 Abbreviations The following abbreviations apply in this Standard: SCADA...Supervisory Control and Data Acquisition SMP...Security Management Program SVA...Security Vulnerability Assessments Page 7 of 16

6.0 STANDARDS 6.1 Security Management Program Enbridge Major Projects and the Prime Contractor shall have a documented Security Management Plan to ensure that security incidents and threats to business operations are identified and associated risks are managed with appropriate safeguards and response procedures to minimize the impact of security incidents adversely affecting people, property, the environment, or the economic viability of Enbridge and the Prime Contractor. The requirements of this Security Management Plan are intended to be applicable to Enbridge, the Prime Contractor, and all third-party Contractors regardless of their role in a construction project. These requirements shall be integrated into the overall construction management system for Enbridge and the Prime Contractor. The Major Projects Safety department will be responsible for the construction Security Program, including program development and oversight. Each project will be responsible for development of a Project-Specific Security Plan, and its effective implementation. The Enbridge Corporate Security department will provide specialist advice and support to Major Projects as required. 6.1.1 Prime Contractor Accountability The Prime Contractor shall establish a framework of security management leadership accountability. This framework shall establish roles and responsibilities for the control, review, continuous improvement and approval of the entire Security Management Plan across pipeline and facility construction projects based on the Enbridge Security Vulnerability Assessment methodology and Physical Security survey guidelines. 6.1.2 Baseline Practices The Prime Contractor should establish security governance practices that include: a) Contracts and Agreements with external entities that address the Security Policy of the Prime Contractor with business partners and third parties b) Other policies and procedures, as needed to ensure coordination and integration with the Security Management Program. 6.2 Security Risk Management General The Risk Management process is a regimented environment which allows for proactive decision making in addressing risks to both Enbridge and the Prime Contractor. The loss or impairment of an asset is assessed systematically and regularly, and appropriate security measures are implemented and monitored. Assets are categorized into levels of importance. The Prime Contractor identifies and classifies security risks in order to develop and implement strategies and security controls to eliminate or mitigate risks to assets. Risk is continually assessed during the construction project by determining likelihood of potential threats, and impact if realized. Page 8 of 16

6.2.1 Risk Management Process The Prime Contractor shall develop, communicate internally, and at regular intervals review/update: a) a formal, documented Risk Management process which includes policy, purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with regulatory requirements b) formal and documented procedures to ensure objectives of the Risk Management process are being achieved. 6.2.2 Methodology Enbridge shall identify and implement a Security Risk Management methodology which incorporates asset characterization, threat, vulnerability and risk assessments. The methodology shall include security countermeasure strategies to eliminate or mitigate risk, with the Prime Contractor also having the ability to progressively react to security needs commensurate to the threat environment. The methodology shall include a process for determining criticality of assets. This will include an evaluation of criticality (dependence) of each asset by taking into account people, the environment, and economic stability. This process shall: a) be reviewed at regular intervals and updated as necessary. b) be linked to the threat assessment, recent security incidents having occurred, or as changes within the construction project are made. c) identify assets and ascertain the impact to the Prime Contractor and Enbridge if any assets considered critical to the construction project are damaged, destroyed, or lost by any specific hazard, including assets considered critical to the construction project. d) include criteria to establish levels of consequence, whereby a value is assigned to the dependence on the asset. This process should: a) identify and address any critical requirements, such as contractual, regulatory, or legislative requirements. b) consider time factors if certain assets become more important at different times during the construction project. 6.2.3 Threat Assessment Enbridge shall develop and implement a documented process to identify any current and potential threats which could result in the loss or damage to an asset. A threat assessment shall: a) consider all relevant information from both internal and external sources. b) be reviewed and updated at regular intervals, or as circumstances require. Page 9 of 16

6.2.3 Threat Assessment Enbridge shall develop and implement a documented process to identify any current and potential threats which could result in the loss or damage to an asset. A threat assessment shall: a) consider all relevant information from both internal and external sources. b) be reviewed and updated at regular intervals, or as circumstances require. 6.3 Security Incident Management General Security Incident Management addresses the capability of the Prime Contractor to respond to security-related threats and incidents. Security Incident Management is dependent on implementing processes and procedures for incident response, monitoring, handling, reporting, and recovery. This component of the Security Management Plan shall describe or reference the site-specific security response, Emergency Response Plans, and any Business Continuity Plans where applicable. 6.3.1 Process The Prime Contractor shall develop a formal, documented, Security Incident Management process that specifies how the Prime Contractor will respond to, recover from, and de-escalate security-related threats or incidents. 6.3.2 Planning Security Incident Management planning shall include: a) providing employees and third party Contractors with Security Incident Response procedures, which may include bomb threats, mail handling, suspicious packages, workplace violence, theft, securing evidence, trespassing, asset destruction, or other security-related incidents. b) notification procedures to be followed in the event of a suspected threat and address specifically how to report the incident, who to notify, and what response should be undertaken. c) identifying appropriate local, provincial, and federal agencies to contact in the event of a suspected security threat or incident. d) creating a communication plan that details communications procedures, capabilities, and resources, and containing a telephone list of various contacts, including regulatory and Enbridge contacts requiring notification in a security emergency. e) creating an incident report log and records preservation system to serve as an official record of actions and lessons learned for the post-incident review. f) an outline on how the Prime Contractor will coordinate with other agencies, including with Enbridge, in response to a security incident. Page 10 of 16

6.3.3 Incident Documentation The Prime Contractor shall document security-related threats and incidents which will be maintained for inspection by the appropriate local, provincial, and federal agencies, and Enbridge. 6.3.4 Records and Documentation The Prime Contractor shall manage all security records and documentation for compliance to the Company s security and privacy policies, as well as appropriate legislation and regulation. The Prime Contractor shall ensure all material records and documentation; maintain a controlled auditable inventory that provides for appropriate event logging. 6.3.5 Incident Response The Prime Contractor shall develop and implement a mitigation strategy that includes measures to be taken to limit or control the consequences of a security related incident. 6.3.6 Incident Reporting The Prime Contractor shall develop and implement security incident reporting criteria and procedures to notify the law enforcement agency of jurisdiction, and other appropriate agencies, and Enbridge of security related incidents. All incidents will be reported following the incident reporting protocols outlined in the Construction Safety Manual. 6.3.7 External Reporting Enbridge and the Prime Contractor shall follow the Suspicious Reporting Criteria provisions of the Enbridge Inc. Enterprise Security Policy. Any incident that has the potential to disrupt the schedule of the project or the integrity of the system shall be reported to the regulator immediately. 6.3.8 Security Threats Enbridge and the Prime Contractor shall have a process in place to communicate to employees and on-site personnel information related to potential security threats. The Prime Contractor and Enbridge shall follow the Threat Warning Criteria as detailed in the Enbridge Security Vulnerability Assessment Methodology and Physical Security Survey Guidelines. 6.3.9 Evacuation Planning The Prime Contractor shall include provisions to direct people away from the construction site, including provisions to account for personnel and visitors that have been evacuated from the construction site. All evacuation planning will be done in accordance with the Construction Safety Manual. Page 11 of 16

6.3.10 Investigations The Prime Contractor, with support from Enbridge, shall develop and implement incident investigation procedures for security-related incidents. 6.4 Physical Security Based on the security risk management process, the Prime Contractor shall consider and document decisions made with respect to the implementation of physical security measures for all phases of the construction project. The following physical security elements shall be included where appropriate, based on the risk management process: a) fences and gates b) appropriate signage stating No Trespassing should be posted, including signage at a main gate advising of a contact number for a designated construction contact c) lighting d) protection of critical inventory, equipment, and tools, including i. periodic inventories of equipment, tools, spare parts and explosives ii. proper locks on storage containers iii. key controls iv. anti-theft devices such as tracking systems and theft prevention locks on all pieces of heavy equipment v. weld the Prime Contractor company name and phone number on buckets, boom and frames of heavy equipment vi. wheel lock systems to prevent theft of compressors, generators, and lighting platforms vii. use of a pintle-hitch lock to a hitch to protect trailers viii. marking of tools for identification and proof of ownership e) construction site access control vehicles and people f) sign-in and sign-out procedures g) procedures for the management of deliveries and removal of inventory, equipment and other supplies h) after-hours security procedures i) visitor escorts j) the need for a contract guard force k) interfacing of security procedures with existing Enbridge Operations security requirements, pursuant to Operations and Maintenance Procedures Book 7: Emergency Response. Page 12 of 16

6.5 Site Specific Security Plan Requirements General Security measures should reflect the location, risk and criticality of the assets that require protection. Risks to people, the environment, assets or economic stability all need to be considered when determining the degree of physical security that is required. Where practical, the requirements of the security plan will be in alignment with the requirements of the Project Specific Safety Management Plan. 6.5.1 Responsibilities The plan will identify individuals responsible foe the development, implementation and review of the Project Specific Security Plan. 6.5.2 Orientation and Training Enbridge and the Prime Contractor shall establish, implement, document and maintain a security training and awareness process. The security training and awareness process will be provided to all appropriate employees and on-site personnel as part of the site-specific orientation 6.5.3 Incident Response The Project Specific Security Plan will identify specific project-related measures to be taken to limit or control the consequences of a security related incident. 6.5.4 Incident Reporting The Project Specific Security Plan will identify procedures to notify the law enforcement agency of jurisdiction, and other appropriate agencies, and Enbridge of security related incidents. 6.5.5 External Reporting Enbridge and the Prime Contractor shall follow the Suspicious Reporting Criteria provisions of the Enbridge Inc. Enterprise Security Policy. 6.5.6 Security Threats The Project Specific Security Plan will identify the process in place to communicate to employees and on-site personnel information related to potential security threats. The Prime Contractor and Enbridge shall follow the Threat Warning Criteria as detailed in the Enbridge Security Vulnerability Assessment Methodology and Physical Security Survey Guidelines. 6.5.7 Evacuation Planning The Project Specific Security Plan will identify provisions to direct people away from the construction site, including provisions to account for personnel and visitors that have been evacuated from the construction site in accordance with the Project Specific Safety Management Plan. Page 13 of 16

6.5.8 Investigations The Prime Contractor, with support from Enbridge, shall develop and implement incident investigation procedures for security-related incidents. 6.5.9 Employee and Third-Party Termination Enbridge and the Prime Contractor shall develop, document and implement processes and procedures around voluntary and involuntary termination of employees or on-site personnel. 6.6 Change Management Process General Change Management refers to activities that support both organizational and external changes that may impact the Security Management Plan. Change Management is a systematic process used to ensure that internal and external changes are continuously evaluated in order to assess the potential impact the change will have on the Security Management Program. Change should be considered in relation to all provisions of this guideline to ensure that Enbridge and the Prime Contractor can most effectively allocate resources to manage security risks and minimize adverse impacts. 6.6.1 Process Enbridge and the Prime Contractor shall develop, document and implement a process for the management of changes that could have a significant impact on the effectiveness of the Security Management Plan. These include those changes that are initiated by Enbridge or the Prime Contractor, such as: a) Organizational changes, such as changes to organizational structure and key personnel. b) Ownership change. c) Changes to construction sites, equipment and technology. d) Changes in construction procedures or practices, including maintenance activities. e) Changes in construction conditions that may affect security risk prioritization or mitigation. f) Changes in security methods, practices, or procedures. g) Any other changes initiated by the Prime Contractor or Enbridge. Those that are not initiated and controlled by Enbridge or the Prime Contractor, such as: a) Changes to industry standards, industry recommended practices or regulations. b) Physical environment changes. c) Any other changes initiated by others which could impact the construction project. Page 14 of 16

6.6.2 Structure The Change Management process shall include: a) the identification of any changes that could affect the Security Management Plan, including employee or third-party termination. b) setting responsibilities and authorities for the review, approval and implementation of changes. c) documentation of reasons for change. d) analysis of implications and effects of the changes. e) communication and timing of the changes to affected parties. 6.7 Validation and Evaluation General Regular Security Management Plan evaluation is necessary to ensure compliance with security policies, procedures, and responses. In addition, regular evaluation also ensures that the Plan actually provides the intended result. 6.7.1 Review Enbridge and the Prime Contractor shall conduct a formal review of the Security Management Plan at regular intervals during the construction project. The review shall verify the Plan s continuing suitability, adequacy, and effectiveness, and identify opportunities for improvement and the need for changes to the Security Management Plan. Enbridge and the Prime Contractor shall also conduct reviews following: a) any significant changes to the Security Management Plan. b) any significant changes to the construction project. c) any significant security incident at either the construction site or a similar construction site owned by another company. 6.7.2 Review Input The Security Management Plan review shall include information from: a) results of audits. b) internal and external stakeholder feedback. c) process performance and conformance to the requirements of the Security Management Program and specific project Security Plan. d) status of preventive and corrective actions. e) follow-up actions and recommendations from previous reviews. f) changes that could affect the Security Management Plan. g) recommendations for improvement Page 15 of 16

6.7.3 Review Output The output from the Security Management Plan review shall include any decisions and actions related to: a) improvement of the effectiveness of the Security Management Plan. b) compliance with all applicable regulatory requirements. c) implementation of the Security Management Plan. d) resource needs. 6.7.4 Control of Non-Conformance 6.7.5 Records Enbridge and the Prime Contractor shall establish and maintain procedures for defining responsibility and authority for handling and investigating nonconformance, taking action to mitigate any impacts, and for initiating and completing corrective and preventive actions. The process shall include a process for dispute resolution. Enbridge and the Prime Contractor shall maintain records of the formal review, including non-conformance and subsequent actions. 7.0 ATTACHMENTS Page 16 of 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information