Policing and Security Practices for Small- and Medium-Sized Public Transit Systems (2015)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

74 The design of a security protocol should occur only after the performance of a risk assess- ment and the development of a comprehensive security plan. Until these first steps are com- pleted, insufficient data will be available to make good decisions about security strategies. In a perfect world, strategy is data driven. In business, it is a commonly accepted practice, e.g., “what cannot be measured cannot be managed.” However, the security industry has been slow to adopt the use of measurable factors in the reduction of risk. Fortunately, in the past decade or so, more and more transit systems have begun the process of managing security by formally adopting policies, processes, and procedures in which risk is evaluated. The survey of small- and medium-sized transit agencies confirmed that just under half of small and two-thirds of medium-sized agencies have previously conducted risk assessments and developed security plans. (See Figure 8.1.) Although the benefits of security planning cannot be overstated, the method by which assess- ments and plans are drawn can range from being marginally documented and ineffective to being well thought out and conceived. Post 9-11 and the homeland defense, homeland secu- rity impetus, literally hundreds of risk assessment and security planning methodologies were developed by government, practitioners, researchers, and the security industry. Some of these methodologies, such as the RAMCAP Framework: Risk Analysis and Management for Critical Asset Protection (ASME 2005) were broad based in approach, suggesting that risk assessment and planning could be performed in accordance with some type of universally applicable standards. Others were highly specific and developed specifically for a particular industry, or operational or functional area. On the government side, the surface transportation industry risk management method- ologies and practices were created by the DOJ, Office of Domestic Preparedness, DHS, TSA, and the FTA. Typically, the methodologies were tied to the acquisition of grant funding by transportation agencies that were (and still are) required to perform assessments and conduct security planning in order to access federal funding. Practitioners and researchers including AASHTO, APTA, and the Transportation Research Board’s Transit and National Highway Cooperative Research Programs (TCRP and NCHRP) contributed additional methods and private security industry businesses such as Science Applications International Corporation, ICF International Corporation, and ALION Science and Technology Corporation still further augmented the field of transportation risk management (see Table 8.1). In June of 2008, the General Accounting Office (GAO) released its report entitled DHS Risk-Based Grant Methodology Is Reasonable, But Current Version’s Measure of Vulnerability is Limited (GAO 2008). The report provided a graphic representation of a risk management framework divided into 5 phases: (1) setting strategic goals and objectives, and determin- ing constraints; (2) assessing the risks; (3) evaluating alternatives for addressing these risks; Security Plan Implementation and Management C H A P T E R 8

Security Plan Implementation and Management 75 (continued on next page) Agency Methodology Citaon DOJ, Office of Domesc Preparedness Transportation Risk Assessment Methodology (TRAM) Not Available DHS Naonal Infrastructure Protecon Plan, Transportaon Sector Specific Plans, Mass Transit Modal Annex hp://www.dhs.gov/sites/default/files/publicaons/NIPP%202013 TSA TSA/FTA Security and Emergency Management Acon Items for Transit Agencies (2006) www.tsa.gov/assets/pdf/mass_transit_acon_items.pdf TSA Baseline Assessment and Security Enhancement (BASE) Program Security Sensive Informaon Designaon, contact TSA for assistance FTA The Public Transportaon System Security and Emergency Preparedness Planning Guide (Balog et al. 2003) hp://transit- safety.volpe.dot.gov/Publicaons/order/singledoc.asp?docid=53 FTA 49 CFR Part 659 State Safety Oversight— System Safety and System Security Plans hp://transit- safety.volpe.dot.gov/Publicaons/order/singledoc.asp?docid=642 Table 8.1. Agencies, methodology, and citations. Figure 8.1. Number of agencies with a security plan. Y S es 29 66 7 mall- 61 M No 20 27 5 9 edium- 101 Unsure 12 8 6 Large -90

76 Policing and Security Practices for Small- and Medium-Sized Public Transit Systems Agency Methodology Citaon TCRP TCRP Report 86, Volume 10: Hazard and Security Plan Workshop: Instructor Guide (AECOM Consult, Inc. et al. 2006) www.tcrponline.org/PDFDocuments/TCRP_RPT_86v10.pdf NCHRP NCHRP Report 525: Surface Transporta€on Security, Volume 15, Cos€ng Asset Protec€on: An All Hazards Guide for Transporta€on Agencies (CAPTA) (Science Applica†ons Interna†onal Corpora†on and PB Consult 2009) hŠp://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_rpt_525v15.pdf American Public Transporta†on Associa†on Recommended Prac†ce for the Development and Implementa†on of a Security and Emergency Preparedness Plan (SEPP), APTA SS-SRM- RP-001-09 RP: SEPP (2008) hŠp://www.aptastandards.com/ LinkClick.aspx?link=hŠp%3a%2f%2f www.aptastandards.com%2fPortals%2f0%2fSecurity_pdfs %2fAPTA_SS_SRM_RP_001_09%2520SEPP.doc&tabid=329& mid=1683&language=en-US FTA Transit Agency Security and Emergency Management Protec†ve Measures hŠp://transit- safety.volpe.dot.gov/Publica†ons/order/singledoc.asp?docid=439 TCRP TCRP Report 86/NCHRP Report 525: Surface Transportaon hŠp://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_rpt_525v8.pdf Security Volume 8 – Connuity of Operaons (COOP) Planning Guidelines for Transportaon Agencies (Boyd et al. 2005) Table 8.1. (Continued).

Security Plan Implementation and Management 77 (4) selecting the appropriate alternatives; and (5) implementing the alternatives and moni- toring the progress made and the results achieved. Most above-listed methods follow this conceptual framework (see Figure 8.2.). Of particular note, widespread use of the TSA’s BASE assessment protocols is occurring in transit regardless of agency size. The BASE review was developed by the Surface Trans- portation Security Inspection Program (STSIP) and the Transportation Security Network Management (TSNM) office of the TSA in order to support the agency’s strategic goals of increasing domain awareness, enhancing prevention and protection capabilities, and fur- thering response preparedness efforts of transit systems nationwide. It is designed to do the following: • Baseline a transit agency’s internal security processes, procedures, and policies against TSA and FTA developed security recommendations. • Enhance a transit agency’s overall security environment through development of corrective action recommendations to remediate any security program weaknesses identified during the review. • Identify programs and protocols that might be “Smart Practice” models for other systems. • Increase TSA’s insight into universal security issues, concerns, and trends occurring nationally in order to inform future policy decisions and to target resources accordingly. BASE reviews are supported directly by TSA through an inspection program that includes field collection of data by TSA (surface) Inspectors. The collected data is reviewed and evalu- ated against TSA/FTA Security and Emergency Management Action Items (SEMAI) (see Table 8.2). BASE utilizes a checklist format that consists of approximately 200 line items. Each line item is assigned a score based on the evaluation. Once all scores are entered into the BASE checklist for each line item, a percentage is calculated for each of the sections. On completion of the field Figure 8.2. Conceptual risk management framework (GAO 2008).

78 Policing and Security Practices for Small- and Medium-Sized Public Transit Systems review, a copy of the completed checklist is provided to and reviewed with the assessed transit agency. Additionally, a copy is also provided to TSA Headquarters for analysis. In addition to high usage of BASE review methods, a very large number of transit agencies utilize and maintain security plans in accordance with FTA’s The Public Transportation System Security and Emergency Preparedness Planning Guide (SSEPP) (Balog et al. 2003). The guide contains the statement of purpose (Figure 8.3): ITEM ACTION 1 Establish wrien system security programs and emergency management plans. 2 Define roles and responsibilies for security and emergency management. 3 Ensure that operaons and maintenance supervisors, forepersons, and managers are held accountable for security issues under their control. 4 Coordinate Security and Emergency Management Plan(s) with local and regional agencies. 5 Establish and maintain a Security and Emergency Training Program. 6 Establish plans and protocols to respond to the DHS Naonal Terrorism Alert System (NTAS) threat levels. 7 Implement and reinforce a Public Security and Emergency Awareness program. 8 Conduct tabletop and funconal drills. 9 Establish and use a risk management process to assess and manage threats, vulnerabilies, and consequences. 10 Parcipate in an informaon sharing process for threat and intelligence informaon. 11 Establish and use a reporng process for suspicious acvity (internal and external). 12 Control access to security-crical facilies with ID badges for all visitors, employees, and contractors. 13 Conduct physical security inspecons. 14 Conduct background invesgaons of employees and contractors. 15 Control access to documents of security-crical systems and facilities. 16 Develop a process for handling and access to sensive security informaon (SSI). 17 Audit program. Table 8.2. TSA/FTA SEMAI for transit agencies. COMMIT to a program that enables the public transportaon system to: ⇒ PREVENT incidents within its control and responsibility, effecvely protect crical assets; ⇒ RESPOND decisively to events that cannot be prevented, migate loss, and protect employees, passengers, and emergency responders; ⇒ SUPPORT response to events that impact local communies, integrang equipment and capabilies seamlessly into the total effort; and ⇒ RECOVER from major events, taking full advantage of available resources and programs. Figure 8.3. SSEPP statement of purpose.

Security Plan Implementation and Management 79 The SSEPP describes security planning as “more of a process than a product.” This approach coincides with a vision of a security plan being a dynamic living document that is continually under review and subject to change. The key aspect of importance that should be reinforced in developing the security plan is the need for flexibility. Alternatives and options should be incorporated into the plan to make it flexible and capable of responding to various situations or unexpected events. APTA RP SS-SRM-RP-001-09, Recommended Practice for the Development and Implementa- tion of a Security and Emergency Preparedness Plan (SEPP) (APTA 2008), provides further guid- ance to transit agencies that have never completed a plan or that seek to update an existing plan. The RP “describes the process by which a SEPP may be developed, implemented and evaluated.” A template for transit agencies to develop a customized SEPP is provided in Annex D. Spotlight on Document Security A note about Sensitive Security Information (SSI): Designation, Markings, and Control, Resource Document for Transit Agencies (49 CFR, Parts 15 and 1520). “Sensitive security information (SSI) is information about security, operations, facilities or other assets or capital projects whose disclosure would be detrimen- tal to the security of transit employees or customers. Essential transit agency security program planning must include the designation, markings and control of SSI. By law, transit agencies are required to categorize and protect SSI. Protect- ing SSI means restricting its distribution and controlling access to it. By law, SSI is not subject to disclosure under the Freedom of Information Act (FOIA) or state “sunshine laws.” It is also not available under discovery in civil litigation, and it is not required to be part of the record in a federal rulemaking. Transit agencies should use this guidance as a resource in planning and developing policies and procedures for identifying, marking and handling SSI in order to control access to it. To the extent practical, agencies should integrate the designation, marking and handling of SSI into their existing security program procedures.” See APTA SS-SIS-RP-011-13, Security Planning for Public Transit (APTA 2013) for further information. Irrespective of what risk assessment process and security planning framework is utilized, the major issue regarding effectiveness is how well the program is implemented. TCRP Report 86: Volume 10, Hazard and Security Plan Workshop (AECOM Consult, Inc. et al. 2006) provides an excellent overview of the transportation security planning and implementation process. The doc- ument also presents a template for Hazard and Security Plan (HSP) development. The template is designed to help transportation programs and transit agencies implement what it describes as the 4 core planning development functions: (1) establish priorities, (2) organization roles and responsibilities, (3) countermeasures and strategies, and (4) plan maintenance. (See Figure 8.4.) Establish Priorities As indicated above, the starting point for plan development is to identify what the document is intended to do. Although the plan needs be sufficiently flexible to cover a broad range of secu- rity incidents, the best way to ensure plan effectiveness is to use a prioritized scenario-based list of critical event types to drive plan activity. This list should consist of events considered routine

80 Policing and Security Practices for Small- and Medium-Sized Public Transit Systems and most likely to occur as well as those that may occur less frequently but with far reaching consequences. The HSP identifies the objectives of this phase of security planning as to: • Create a written statement of purpose covering routine and emergency situations. • Define the situations that the HSP will cover. • Look at assumptions about the situations surrounding the use of the plan. • Discuss how an organization plan fits into the overall community security and emergency plan. Organization, Roles, and Responsibilities This phase of planning consists of determining key personnel and their security roles and respon- sibilities. Incident-based priority security tasks should be listed and assigned to a specific individual known as the primary or principal. Secondary responsibility should be placed in other individuals whose ability to perform will not be compromised by the loss of the primary. Interdependencies of functions should be delineated between departments and coordinating points established to facili- tate liaison in areas of overlapping responsibility. Planners should ensure that this section of the plan provides clear and concise direction to assigned personnel regarding their primary and secondary duties. The goal is to achieve the stated objectives and security requirements of the plan under all potential operating conditions or scenarios. The HSP identifies the objectives of this phase of the security plan as to: • Develop an organizational structure, with a clearly defined chain of command and designated roles and responsibilities, containing: – Responsibilities, – Continuity of services, including: � Designating lines of succession and delegating authority for the successors, Hazard and Security Plan Development Figure 8.4. HSP development (AECOM Consult, Inc. et al. 2006).

Security Plan Implementation and Management 81 � Developing procedures for the relocation of essential departments, � Developing procedures to deploy essential personnel, equipment, and supplies, and � Establishing procedures for backup and recovery of computer and paper records, and – Contact information. Countermeasures and Strategies Consistent with emergency management principles, the risk and vulnerabilities reduction measures and strategies associated with transportation sector security planning should follow the 5 stages of protection activity: prevention, mitigation, preparedness, response, and recovery. Security planners should select countermeasures, keeping in mind the concepts of system secu- rity, layered or overlapping security, and system integration. The HSP identifies the objectives of this phase of the security plan as: Part A: Prevention • Examine activities to reduce the likelihood that incidents will occur. • Establish safe and secure procedures for passengers, vehicles, drivers and facilities. Part B: Mitigation • Examine activities to reduce asset loss or human consequences (such as injuries or fatalities) of an incident. • Establish safe and secure procedures for passengers, vehicles, drivers, and facilities. Part C: Preparedness • Examine preparedness activities to anticipate and minimize the impacts of security-related incident and equip employees to better manage these incidents. • Establish emergency policies and procedures for passengers, employees, and management to follow in case of emergencies. • Keep training, drills, and contact lists up to date. • Establish and maintain mutual aid agreement with fire departments, emergency medical ser- vices, and emergency management services. Part D: Response • Examine activities used to react to security-related incidents and hazards and help protect passengers, employees, the community, and property. • Establish what information is to be collected by which employee. • Ensure that policies and procedures established in the mitigation and preparedness portions of the HSP are followed. Part E: Recovery • Examine policies to assist in recovering from incidents that have occurred so service can resume as quickly as possible. • Establish a review of policies, documents, plans, and vehicles. • Evaluate response and oversee recovery and restoration of personnel, service, vehicles, and facilities. Plan Maintenance In this final phase of planning, substantial emphasis should be placed on assuring that security plans remain current and responsive to the dynamic changes that can occur in the transportation operating environment. Equal emphasis should be placed on the creation of a process that will support plan consistency with the future needs of the agency. Optimally plans will be scalable

82 Policing and Security Practices for Small- and Medium-Sized Public Transit Systems and upgradable on a flexible timeline that has sufficient sensitivity to external security factors to allow for as-needed adjustments. As stated above, a large percentage of small- and medium-sized agencies report having com- pleted security plans. But, survey results disclosed that far fewer agencies were successfully updating and maintaining their plans and procedures (see Figure 8.5). The HSP recommends programmatic scheduled plan review periodically—at least every 6 months to a year. The document also provides guidelines for how this review should be conducted: • Identify areas to update. • Determine completeness. • Reassess roles and responsibilities. • Review factual information (especially names and phone numbers included in the plan). • Reevaluate employee knowledge and awareness (training assessments, for example). • Revise programs and procedures included in the HSP. The HSP also suggests that the occurrence of certain events may require planners to accelerate the scheduled conduct of a review. These include: • The addition of new members inside the organization and outside the organization who have specific roles outlined in the HSP (e.g., a new general manager or a new local fire chief). • New operations or processes that affect the HSP (e.g., a new bus line). • New or renovated sites or changes in layout (e.g., a new bus garage or office building). • Changes with outside agencies, new suppliers, vendors, etc. (e.g., a new memorandum of understanding, or MOU, signed with the local sheriff’s department). In some respects, the HSP Approach was well ahead of its time in 2006 when the planning pro- cess was presented. As opposed to a strict focus on security, which was notably the major focus of risk assessment and plan development at the time, TCRP Report 86: Public Transportation Security, Volume 10, Hazard and Security Plan Workshop: Instructor Guide (AECOM Consult., Inc. 2006) expanded its reach to address all manner of incidents, including natural catastrophes, earthquakes, floods, weather-related problems, and accidentally caused disasters, along with security concerns. Notwithstanding the purpose of this current research that is squarely focused upon security at small- and medium-sized agencies, there is a current evolution of thinking that a broader-based “All Hazards” and “Resilient” planning approach is preferable to processes based solely upon security risk. Last 12 months Within the last 36 months Unsure 13 9 3033 23 38 47 23 16 Last me Security Plan Was Updated Small - 52 Medium- 94 Large - 86 Figure 8.5. Security plan updating.