Incorporating Transportation Security Awareness into Routine State DOT Operations and Training (2014)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

6There are three key principles underlying transportation security awareness programs: 1. Security is everybody’s business. Security is not an occasional activity accomplished only by certain personnel or through security audits. Security is a shared responsibility that is part of everyone’s “day job.” Transportation employees and contractors are the best positioned to know what is usual and unusual, and can help their agency protect its employees, information, data, and facilities. Employees need to understand that they are an integral part of their organization’s security solution. 2. Talking about security is just as important as doing something physical about security. The greatest obstacle to effective security awareness is employees’ lessened vigilance due to infrequent security incidents. The most critical success factors for security awareness are consistency and perseverance. It takes a consistent effort to make security awareness part of the culture. 3. It is important that leadership supports and reinforces the security awareness program. Because an agency takes its lead from the senior executives, DOT leaders must demonstrate that security awareness is important to their agency. Reinforcing the program does not necessarily require a major commitment from DOT leaders. There are little things that leadership can do to demonstrate that security is an agency priority, such as telling employees to be aware—e.g., to say, “If you see something, say something”—at every opportunity. The main elements of a security awareness program are: • General Messages—conveying the need for security awareness. • Knowing the Risks—becoming aware of risks and understanding the potential consequences. • Recognizing and/or Observing Security Risks—knowing how to detect and identify potential security risks. • Reporting a Security Threat—knowing how to respond to and report a security threat. The following sections provide examples of messages for a transportation security awareness campaign based on effective awareness programs. Security awareness messages should be delivered in a manner consistent with an agency’s culture. The best messages have the right combination of spirit and structure— keeping it light while still reinforcing employee responsibility and commitment to security. Incorporating agency success stories or other positive examples S E C T I O N 3 “Security Is Everybody’s Business” This section provides examples of security awareness campaigns for transportation agencies based on effective awareness programs. Messages for each of the main elements of a security awareness program are provided: • General messages • Knowing the risks • Recognizing security risks • Reporting a security threat Effective Security Awareness Messages are: • Relevant and appropriate • Realistic • Consistent • Actual examples from agency

“Security Is Everybody’s Business” 7 increases the validity and effectiveness of the messages by highlighting to employees that secu- rity is important to the agency and that their role as observers/reporters is an integral part of maintaining a secure transportation system. General Security Awareness Messages • Security is everyone’s business. All employees contribute to an organization’s security by acting as “eyes and ears” in the field. • Security begins with you! All employees have a responsibility to help their agency protect its employees, information, data, and facilities. • YOU are the most effective security tool in your organization. • Be alert and be aware—you are the Eyes, Ears . . . and Mouths of the DOT. • Security is everyone’s job. Take it seriously! • Following security policies and procedures is important and helps to protect the lives and livelihoods of employees, contractors, and the public. • Observing and reporting suspicious people or behavior is important to the safety and security of everyone. • It is important for ALL employees to be vigilant for anything unusual at their workplace that could threaten security. Knowing the Risks One critical part of a security awareness program is making each employee aware of the secu- rity risks that exist in their workplace and the potential consequences to transportation systems and assets. Messages to employees about the risks can include a general overview of the risks to transportation agency systems and more specific, job-related messages such as highlighting risks to vehicles/maintenance equipment and facilities for maintenance employees. Common areas of concern for transportation security include: • Critical infrastructure such as bridges, overpasses, tunnels, and transportation management centers (TMCs). • State DOT vehicles, maintenance equipment, and maintenance stations. • Physical security of operations and information technology (IT) facilities. Potential security risks include: • Terrorism including chemical, biological, radiological, and nuclear weapons (CBRNs), and improvised explosive devices (IEDs). • Crimes such as trespassing, theft, vandalism, sabotage, and cyber-sabotage. • Workplace violence such as minor assaults, major assaults, and assaults with conventional weapons. • Bomb threats. • Hijack and/or hostage situations. Specific transportation security risks may include: • Unauthorized persons or vehicles in restricted areas. • Tampering with surveillance cameras, safety systems, machinery, or other sensitive equipment. • People photographing, videotaping, sketching, measuring, or taking notes on infrastructure, equipment, and facilities. • Unusual markings or unexplained damage on infrastructure or facilities. • Watching, visiting, or passing by a location repeatedly over time by the same person or vehicle. • Outsiders asking for details about infrastructure, equipment, or workplace.

8 Incorporating Transportation Security Awareness into Routine State DOT Operations and Training Recognizing/Observing a Security Risk How to detect and identify potential security threats is a key component of a security aware- ness program. There are basic, common-sense messages for employees about what they can do to recognize a security risk. • Be aware. Know the area, note suspicious activities and objects, and report things that do not seem right. • Avoid complacency and use common sense. • Observe the situation with all your senses. • Be prevention-oriented. Integrate security awareness into your daily routine. • Know your co-workers, your community, and your work environment. Be aware of unusual changes in your surroundings. Other recognizing/observing messages explain the importance of observing, identifying, and reporting suspicious people, behavior, or objects. Some provide additional information on what to look for, such as how to identify suspicious behavior and objects that might indicate potential security threats. • Observing and reporting suspicious people or behavior is important to the safety and security of everyone. • It is important for ALL employees to be vigilant for anything unusual at their workplace that could threaten security. • It can be difficult to know what “something suspicious” looks like, but trust yourself when something does not feel quite right. • It is better to be safe than sorry. Do not be afraid to report anything that seems suspicious. • Practice awareness by: – Becoming more aware of your work area and recognizing any usual changes in it. – Becoming more aware of people’s behaviors that may indicate attempts to compromise security. – Becoming more aware of what to do or whom to call if you suspect security may be compromised. • Observe and report people, activities, and things that are out of place or out of the ordinary. • Look for and report system security weaknesses such as broken fences or doors, malfunctioning locks, or inadequate or non-working lighting. • Learn to recognize suspicious behavior or indicators of criminal and/or terrorist activity. • Learn to recognize unusual or unattended objects. • If someone asks you for details about your workplace, smile and change the subject. Never discuss details about the transportation system or your workplace with outsiders. Security Awareness DOs and DON’Ts: Keeping Yourself Safe DO report unusual or suspicious people or items right away. DO record as many details as possible. DO NOT take risks that could harm yourself or others. DO NOT try to “handle it” yourself. DO NOT confront a suspicious individual. DO NOT touch, move, or cover a suspicious substance or object. DO NOT allow an unauthorized person access to restricted areas.

“Security Is Everybody’s Business” 9 Reporting a Security Threat Effective security awareness messages about reporting potential security threats or situations address whom to tell and what to include in the report. They are designed so that employees are encouraged to report unusual or suspicious activities immediately and understand how to make a report using appropriate agency security procedures. General reporting awareness messages include: • Immediately communicate anything unusual (following the agency procedures). • Find out in advance whom to contact if you see something suspicious. • Know how to report security threats, security incidents, and suspicious behavior or objects. Specific information on how to report security threats includes whom to contact, how to contact them, and what information to provide—the Who, What, Where, When, and details of involved persons, objects, or vehicles. Figure 1 provides an example of a reporting procedure flowchart from the Texas Department of Transportation. Posters, employee handouts, and wallet cards are ideal methods to distribute the specific reporting details throughout the agency. Figure 1. Security reporting procedure flowchart example.