SECTION 2
Organizational Readiness

This section focuses on key QUESTIONS TO ASK to be sure an agency is ready to implement and support an effective security awareness program.

There are fundamental capabilities that must be in place for a security awareness program. This section provides the five key questions to ask to ensure that a transportation agency is ready and can support an effective security awareness program.

1. Is there management support for security awareness?

Security awareness programs with top-level support are more successful. As with safety, security in a transportation agency is a "top-down" organizational activity. The rest of the agency takes its lead from the senior executives. Senior leaders act as role models and establish what should be focused on by the rest of the organization. Management must demonstrate to all employees that security awareness is important and can be integrated into normal daily operations and maintenance processes. If there is strong support, senior management participation can be incorporated in the program, e.g., the CEO can send out a message to the entire organization that briefly summarizes threats and states that security is the responsibility of everyone in the organization.

2. Has a reporting structure been identified and/or articulated, e.g., what gets reported and to whom?

Establishing a reporting structure in advance (who to tell and how to describe something suspicious) is critical to a security awareness program. What are the internal reporting procedures that should be followed? There are a number of reporting contacts, both internal and external, used by transportation agencies. Internal transportation agency contacts include an appropriate supervisor such as a dispatcher, immediate or designated manager, or designated internal security personnel. Based on the evaluation of the employee report, an internal agency contact may then contact law enforcement or the state or federal Department of Homeland Security. External contact options include calling 911 or a local designated law enforcement contact.

Once a reporting structure has been identified, employees need to know:
• Who should be contacted, e.g., internal supervisory or security contact, or external law enforcement agency contact.
• How to contact them, e.g., using emergency hotlines, 911, etc.
• What key information should be reported (the Who, What, Where, When, and details of involved persons, objects, or vehicles).

3. What awareness behaviors should be recommended and reinforced, e.g., what should employees look out for?

It is important to focus security awareness on supporting business needs and processes. What are the agency's priorities? What are the areas of concern for the agency? Common areas for transportation security include:
• Critical infrastructure such as bridges, overpasses, and tunnels.
• State DOT vehicles, maintenance equipment, and maintenance stations.
• Physical security of operations and information technology (IT) facilities.

Examples of common awareness behaviors include:
• Recognizing and reporting indicators of criminal and/or terrorist activity such as trespassing, surveillance, theft, vandalism, and sabotage.
• Recognizing and reporting unusual or unattended objects such as packages or vehicles.
• Recognizing and reporting unusual or suspicious people or activities.

The key to establishing the security behaviors as a part of everyone's daily routine is to utilize common knowledge so users can exercise common sense. In addition, focusing on actions to accomplish is more successful than telling people what they should not be doing.

4. Are there documented security procedures and reporting mechanisms in place?

Integrating the reporting structure with existing internal security procedures can simplify and increase the effectiveness of a security awareness program. Are there existing security procedures in place? Have they been documented? Can the internal procedures be used for the employee security awareness program?

5. Are there existing organizational relationships with law enforcement, e.g., can employees call an established external contact number?

Having employees contact external law enforcement is a common practice for security awareness programs. For example, the national Department of Homeland Security's program If You See Something, Say Something™ recommends calling 911 to report suspicious behavior or objects.
It should be noted that some transportation agency policies require employees to notify local or onsite security first so that they can coordinate a 911 response. If an agency has existing organizational relationships with local law enforcement, that may provide a reporting option to be utilized. Does the agency have an established contact number for law enforcement? Can employees use the established number to report suspicious people, activities, or objects as part of the security awareness program?