Facing a site security audit might seem daunting, but proper preparation will help you meet the goals of enhancing security and reducing risk.
What are the downsides of failing to pass a security audit or inspection? Is it the fear of reputational damage for not passing? Is it the added scrutiny and attention your location will receive from the corporate office? Will it result in a regulatory enforcement action by a governmental agency? Or will you fail to recognize a gap — a deficiency — in a component of your overall security systems plan? Such a gap could expose your business and employees to regulatory enforcement action or even worse — to intrusion, theft, harm or other subversive activity.
Passing a security inspection or audit should be an easy and straightforward process, provided that it is approached in an organized manner. The “5 Ps” adage — “proper planning prevents poor performance” — should be an organization’s background theme for the inspection. Furthermore, an added benefit is that the preparation and organizational activities you undertake ahead of time can help identify even the minor items that are often unforeseen gaps in your security plan. This article breaks down the security inspection or systems audit into five distinct components, and provides guidance for successful execution during each phase of the process (Figure 1).
Before the inspection
Proper planning is the top priority before the inspection. Time spent in preparation ahead of time will pay off during the inspection, and that preparation starts with assembling the team. This team should include the security director and the facility manager, as well as their assistants, if these roles are filled. If there are cyber assets at the site, include the person in charge of them (Figure 2). If a corporate information technology (IT) or cyber systems manager oversees cyber activities from a different location and cannot attend in person, have them join a planning conference call. The same holds for human resources representatives.
Lay out the expectations for the inspection with your team. Clearly explain that everyone is expected to play a part in the inspection. This will demonstrate to the inspection team that your staff is actively engaged in the process. Do not give the impression that security is a one-person show. Instruct the team to answer any questions posed by the inspectors clearly and truthfully. Never guess if you do not know the answer, and when you are done answering a question, do not keep talking. It is important to avoid speculation and rambling thoughts.
Every inspection involves a review of documents. Some examples are procedures, impairment reports, incident reports, training records and even personnel records. Rather than collecting these items immediately before the inspection, employ a system where you can capture the necessary documents in real time as you use or generate them.
Work with your team to plan out the areas of the site that will be part of the inspection tour. Walk the route with your team, and note any relevant security items in place and any that may be lacking or in need of attention. Assign responsibility for correcting any items that need attention. In the same light, note any improvements or additions made that enhance your posture. Write them down in your notes and be sure to share them with the inspectors during the actual tour.
After the team completes the planning site walkthrough, reconvene as a group and go over everyone’s notes and comments. If you have any outstanding action items, spell them out. Determine who will take responsibility for them and when they will be completed.
If a required practice or piece of security equipment is on the “to be repaired” list, but will not be returned to fully operational status before inspection time, enact your impairment plan that addresses the shortfall. If you do not have an impairment plan that addresses the issue, develop one with your team, put it into operation and document it.
Notify site personnel and site security staff once the inspection has been scheduled, when it will occur, and by whom it will be conducted.
Inspection day
The inspection day can be broken down into the following four segments:
- Opening meeting
- Site walkthrough
- Document review and interviews
- Closing meeting
If the inspection is set to cover multiple days, these segments, with the exception of the closing meeting, may be intermixed in each day or could follow in sequential order. Be flexible, and remember the “5 Ps” approach described previously. Here is where it will greatly pay off.
Opening meeting
You never get a second chance to make a first impression, so start off on the right foot during the opening meeting. Welcome the inspection team and thank them for their attention. Up front, cover any “housekeeping” items, including the following:
- Site safety requirements, including required personal protective equipment (PPE)
- Agenda and timing, including any outline or agenda provided by the inspector
- Locations of restrooms and telephones, and how to access wireless connectivity, if needed
- Introductions by your team members, including their roles at the site and in the inspection
- Introductions by the inspection team members, including their roles
- A restatement of the intent of the inspection. If the site tour covers a large area, consider showing an overhead image of the area and pointing out key areas. If it is within a large building, such as a warehouse, consider using a floorplan drawing. Again, remember to point out the key areas
If this is the inspection team’s first visit to the location, give an overview of the site. Items to include are products produced, services provided, number of personnel employed and company history. Be certain to allow the inspection team leader the opportunity to speak about their objectives and plans.
Site walkthrough
For a small group, do not overwhelm one or two inspectors with a dozen people from your team. Have your key team members with you and ask area-specific personnel that may be needed during the inspection to meet you when the tour reaches their location.
If there are a number of inspectors, and the plan is to break into groups, be sure to assign the appropriate personnel from your team to each group.
Follow the route you planned that covers the areas to be inspected. Do not stray or wander. If there is any work or maintenance-type activity that could pose a hazard in a certain area, use flagging tape to section it off. Be sure to point out that there is work going on in that area and explain why you are not entering the area.
Make a note of key security items or components. If a key item is out of service, be sure to point this out, coupled with highlighting the impairment activity you have underway to address the shortfall. Let the inspectors see that you are proactive and show them the impairment plan in action.
Team members should focus on the tour and the questions from the inspectors. They should not engage in sidebar or personal conversations amongst themselves. Likewise, they should answer questions pertinent to their area of responsibility. Remember, it is not a one-person event. Appoint someone from your team to act as the “sweeper” for each group on the tour. Their job is to round up any wanderers and keep the group together and orderly.
Make a written note of any questions asked that are to be addressed during the interview portion of the inspection. If the inspection requires photographs to be taken by the inspectors, be sure to take an identical photo with a company-supplied camera. This can be especially helpful if a question about something viewed comes up at a later date.
Document review and interview
Typically, the inspector, or inspection team leader, takes the lead during the document review and interview phase. Be prepared to answer questions regarding items or activities seen on the tour. Again, answer clearly, truthfully and to the point of the question. When you have clearly answered the question, stop talking. If you do not know the answer, do not guess, speculate or make something up. Offer to find the answer, make note of the issue, and be certain to follow through. If an immediate answer is required, take a break and locate the information needed to satisfy the question.
The team leader must ensure good communication. If you do not understand a question, it is not out of line to ask for clarification. Similarly, be sure that the message that you and your team are conveying is clear and is understood by the inspector. Avoid using acronyms, nicknames or local site jargon that may mean something to you and your team, but are terms unfamiliar to those not from the site. Along the same lines, if an answer involves a discussion of a more technical nature, ensure the inspector understands what you are trying to convey.
Any documents that are required to be reviewed should be on hand (Figure 3). If electronic versions are allowed, as opposed to written copies, have the necessary computers at the ready. The same follows for any required projection equipment. In your pre-inspection planning, you should have ensured that the most current version of any procedure, inspection report, maintenance log and so on is the version you have on hand.
If the inspector requires a copy of any document, be certain to note which document that is and be sure to retain a copy of the document they received. If notations were made to any photographs taken, be certain to add those notations to any duplicate photos in your possession.
Closing meeting
The closing meeting should include the same personnel that participated in the opening meeting. Generally, the closing meeting is led by the inspector or inspection team lead. They may note items that they felt are commendable and some that are even unique and noteworthy. Similarly, they will bring up areas or items that are not in accordance with requirements or for which they have further questions. If something was misinterpreted by the inspector, take the opportunity to politely clarify the issue and bring it to a resolution.
Be sure to recap any “to do” items noted during the inspection process, including follow-up action items, documents or images to be sent to the inspector, and any other promises made. These should all be recapped in the closing meeting, along with who owns each task and the delivery date that was committed to. When delivery of these items is completed, document it.
Be certain to ask if there are any open issues or items. Take time to review your notes from the site tour to ensure that no questions or items you captured on the tour have been overlooked. Also, make an effort to note any follow-up or next-step actions to be completed. Thank the inspectors and thank your team.
When all is said and done, you should be able to look back and see that the organization of your records, as well as the planning and preparation that you and your team put into place before the inspection, yielded a smooth inspection and a positive outcome.
If you found yourself struggling to answer questions and locate documents, or not having every member of your team involved in the process, use the lessons learned to build a more robust document-retention program. Going forward, work with your staff to become better organized and address the issues collectively. Build on the strengths of the group as a combined unit instead of relying on individual efforts. Use the experience to strengthen not only your security posture, but also your management process. It will prove to be quite valuable in the long term.
Edited by Mary Page Bailey
Author
Ronald Razzolini is the director of business development at Telgian Management Technologies (4001 Kennett Pike, Ste. 308, Wilmington, DE 19807; Email: [email protected]). His experience includes over 35 years in chemical sector safety and a deep technical knowledge of safety and compliance programs and procedures. Razzolini also plays an integral role in chemical safety and security procedure development nationwide. His committee experience includes the American Chemistry Council Chemical Security Committee (2001–2018), where he acted as committee chairman from 2010 to 2013. This working group was chartered to protect the chemicals sector from threats of terrorism and coordinate activities among industry, legislators and the U.S. Department of Homeland Security. Razzolini also participated on the National Infrastructure Advisory Council, where he acted as a subject-matter expert on projects addressing information sharing between federal intelligence agencies and the private sector. Prior to joining Telgian Management Technologies, he was the corporate director of safety/security at PVS Chemicals, Inc. in Detroit for almost 20 years. Razzolini is a graduate of Medaille College in Buffalo, N.Y. with a B.S. in business administration.