API RP 781
Facility Security Plan Methodology for the Oil and Natural Gas Industries
Publication Date: 1 September 2016
The purpose of a facility security plan (FSP) is to provide the framework to establish a secure workplace. The plan provides an overview of the threats facing the facility and describes the security measures and procedures designed to mitigate risk and protect people, assets, operations, and company reputation.
This standard was prepared with guidance and direction from the API Security Committee, to assist the petroleum and petrochemical industries in the preparation of a Facility Security Plan. This standard specifies the requirements for preparing an FSP as well as a discussion of the typical elements included in an FSP.
This standard is intended to be flexible and adaptable to the needs of the user. It is noted that the content of an FSP can vary depending on circumstances such as facility size, location, and operations. This methodology is one approach for preparing an FSP at petroleum and petrochemical facilities. There are other security plan formats available for the industry. It is the responsibility of the user to choose the format and content of the FSP that best meets the needs of a specific facility. The format and content of some FSPs should be dictated by government regulations for covered facilities.
This standard is not intended to supersede the requirements of any regulated facility but may be used as a reference document. This standard should be limited to the preparation of the FSP. It is recognized that the FSP is only one part of a comprehensive security management system (SMS). The FSP should be prepared after a security risk assessment (SRA) is conducted. The SRA is a process to identify and assess the threats, vulnerabilities and consequences facing a facility. It is important to understand the risks facing the facility before a comprehensive and effective FSP can be developed. The FSP should incorporate procedural, physical and cyber security measures for a holistic and comprehensive plan.
In an era of rapidly advancing technology, no FSP would be complete without inclusion of Information Technology and Operational Technology Security considerations and reference to security measures developed and maintained by these organizations. The interdependence of physical and logical security, as evidenced by the "Internet of Things" (IoT), underscores the criticality of preparing a single, common security strategy to mitigate risk and assure an organization's resilience in the face of dynamic threats.