ISO 27001:2022 A 5.5 Contact with authorities

Communication with the appropriate authorities must be kept open at all times. Processes should be put in place that define when and with whom officials should communicate, and how identified information security violations are to be reported as soon as possible. Organisations that have been attacked over the internet can ask the relevant authorities to take action against the source of the attack. Maintaining these connections may also be needed to support incident management or business continuity and contingency planning. Contacts with regulatory authorities are also useful for anticipating and planning for changes in the rules or regulations the organisation must comply with. Consider contact with your data protection regulator (where reporting is mandated in law), utility companies for power and water, health and safety bodies where relevant, fire departments for business continuity and incident management, and perhaps your telecoms provider for routing if lines go down. You will have to ensure that:

  • you identify and document what authorities apply to you
  • in what circumstances you would contact them
  • how information security incidents should be reported if relevant
  • understand what expectations these authorities have, if any
  • include relevant contact steps in your incident management processes
  • include relevant contact steps in your business continuity and disaster recovery processes

A 5.5 Contact with authorities

Control

The organization should establish and maintain contact with relevant authorities.

Purpose

To ensure appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities.

Guidance

The organization should specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner. Contacts with authorities should also be used to facilitate the understanding about the current and upcoming expectations of these authorities (e.g. applicable information security regulations).

Other information

Organizations under attack can request authorities to take action against the attack source. Maintaining such contacts can be a requirement to support information security incident management or the contingency planning and business continuity processes. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety [e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment)].

The organization needs to maintain useful contact information for the appropriate authorities. The purpose is to ensure that an appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities, so a forum for dialogue and cooperation between the company and those authorities must be in place. The larger the organisation, the greater the need, because an interruption of its service affects a larger part of the population; this is particularly relevant to utilities, telecoms, banking organisations and emergency services (and for smaller companies, those organisations may themselves be on the contact list). The control covers the requirement, purpose and implementation guidance for identifying and reporting information security events in a timely way, and for who should contact whom, and how, in the event of an incident.

Where attacks stem from the internet, various authorities and providers may need to be called to action to divert, suppress or mitigate the threat. You cannot fix everything, but you can be ready should the need arise, which helps both business continuity and security incident management. The objective is to identify which stakeholders (e.g. law enforcement, regulatory bodies, supervisory authorities) would need to be contacted in the event of a security event, and it is important that they are identified before an incident occurs.

A protocol for engagement with law enforcement can form part of the security incident response plan or of a broader crisis management procedure for the organization. The plan should be clear about which situations require working with law enforcement, such as when laws are broken, and should state who contacts the authorities and under what circumstances (e.g. whether law enforcement is contacted by the information security officer or by the safety officer).
Contact with authorities means that the organisation should establish and maintain communication with authorities concerning information security issues, including:

  • Ongoing communication with relevant authorities to ensure that the organisation is aware of current threats and vulnerabilities.
  • Informing relevant authorities of vulnerabilities discovered in the organisation’s products, services or systems.
  • Receiving information from relevant authorities about threats and vulnerabilities.

The objective of the control is to establish the organisation's relationship with legal, regulatory and supervisory authorities, including law enforcement, as it relates to managing information security risks. To meet the requirement, the organisation should specify when, by whom and which authorities (such as law enforcement, regulatory bodies and supervisory authorities) are to be notified when an information security incident is discovered, and how identified incidents are to be reported in a timely manner. The exchange of information with authorities should also be used to gain a better understanding of the existing and forthcoming expectations of these agencies (e.g. applicable information security regulations). The requirement is designed to ensure that the organisation has a coherent strategy for its relationship with these authorities and has identified the most appropriate point of contact in each of them. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organisation.

Appropriate contacts with relevant authorities must be maintained, and legal responsibilities for contacting authorities such as the police, the Information Commissioner's Office or other regulatory bodies must always be honoured; this is particularly relevant to utilities, telecoms, banking organisations and the emergency services. Where attacks stem from the internet, various authorities and providers may need to be called to action to divert, suppress or mitigate the threat. All authorities can be listed and retained in an appropriately shared, access-controlled repository.
The ISMS coordinator can keep these records up to date and record which authority was contacted, when, by which relationship owner, under which circumstances, and the nature of the information provided. The record should clearly identify who is responsible for contacting authorities (e.g. law enforcement, regulatory bodies, supervisory authorities), which authorities should be contacted (e.g. in which region or country), and in which cases this needs to happen, together with the manner and timing in which breaches shall be communicated to external authorities, so that reporting obligations (including any statutory deadlines that apply to the organisation) are met.


ISO 27001:2022 A 5.3 Segregation of Duties

The purpose of segregation of duties in ISO 27001 is to reduce the risk of fraud, error and the bypassing of information security controls, so that a single person (or a single compromised account) cannot cause significant damage to the business. Duties conflict when one person holds two or more responsibilities that together let them carry out and conceal an action that should be subject to an independent check: for example, raising a change and also approving it, or requesting access and also granting it. Where such combinations exist, errors go unnoticed and wrongdoing can be committed without detection. To make sure your organisation does not suffer from this problem, it is important to understand what conflicting areas of responsibility are, why they arise and how to prevent them. For the most part, this means separating duties so that different people handle the different steps of a process.

Conflicting duties and areas of responsibility must be segregated to reduce the opportunities for unauthorised or unintentional modification or misuse of the organisation's assets. The risk is that if a single post is responsible for highly privileged actions and is not monitored or controlled, compromise of that role could have a disastrous impact on the organisation. For example, a malicious system or network administrator could greatly disrupt operations or leak highly sensitive data if not controlled and monitored. The organisation needs to ask itself whether segregation of duties has been considered and implemented where appropriate. To comply with this requirement, the organisation must be able to demonstrate that highly privileged role functions and conflicting duties or areas of responsibility are sufficiently segregated. This may be achieved, for example, by requiring additional authorisation for privileged tasks such as issuing or revoking user accounts, or system management functions. A two-person rule may be appropriate in certain circumstances; in others an extra layer of authorisation before a task can be carried out, supported by enhanced monitoring of user operations, may suffice. This provides defence in depth and means that any unauthorised activity can be tracked, monitored and alerted upon.

A 5.3 Segregation of Duties

Control

Conflicting duties and conflicting areas of responsibility should be segregated.

Purpose

To reduce the risk of fraud, error and bypassing of information security controls.

ISO 27002 Implementation Guidance

Segregation of duties and areas of responsibility aims to separate conflicting duties between different individuals in order to prevent one individual from executing potential conflicting duties on their own. The organization should determine which duties and areas of responsibility need to be segregated. The following are examples of activities that can require segregation:

  1. initiating, approving and executing a change;
  2. requesting, approving and implementing access rights;
  3. designing, implementing and reviewing code;
  4. developing software and administering production systems;
  5. using and administering applications;
  6. using applications and administering databases;
  7. designing, auditing and assuring information security controls.

The possibility of collusion should be considered in designing the segregation controls. Small organizations can find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision. Care should be taken when using role-based access control systems to ensure that persons are not granted conflicting roles. When there is a large number of roles, the organization should consider using automated tools to identify conflicts and facilitate their removal. Roles should be carefully defined and provisioned to minimize access problems if a role is removed or reassigned.

Segregation of duties reduces the risk of intentional manipulation or error and strengthens independent checking. Functions that should be separated include authorization, execution, custody and recording and, in the case of a computer-based accounting system, systems development and daily operations. Segregation of duties is the concept of requiring more than one person to complete a task. Today's automated solutions and information and communication technologies allow a few people to handle a great deal of information and processes (e.g., stock exchange operators and air traffic controllers). While this improves productivity, a potential side effect is that these few people may end up gathering excessive knowledge and/or privilege over the operating environment and, if they are absent or have malicious intent, this can prove to be an unacceptable risk which must be handled. Segregation is a best practice, especially where sensitive data is being handled. It is seemingly obvious, but often difficult to do in practice. Essentially, try to eliminate processes or situations where someone can access, change or use information assets without detection. For example, administration of logging and review of audit logs should be carried out by someone other than the administrators and users whose actions those logs record. If in doubt, no one should hold the keys to something from which they could personally gain.

Segregation of duties is a control put in place by many organizations to mitigate the risk of an insider threat or accidental employee mistakes. Sometimes this is not practical or possible, but the organization should be aware of the risks of a single person having too much access. Ideally, critical processes or activities should be split up between multiple people. For example, the initiation of a process, its authorization and its execution should be separated where possible. Where this is not possible, monitoring and auditing of critical processes become very important. Segregation of duties refers to practices where the knowledge and/or privileges needed to complete a process are broken up and divided among multiple users so that no single one is capable of performing or controlling it alone.

The main reason to apply segregation of duties is to prevent the perpetration and concealment of fraud and error in the normal course of the activities, since having more than one person to perform a task minimizes the opportunity of wrongdoing and increases the chances to detect it, as well as to detect unintentional errors. Wrongdoing requires three factors to be possible: means, motive, and opportunity. Extremely lean processes increase the risk of wrongdoing by concentrating means and opportunity (access to and privileges over the process). By implementing segregation of duties, an organization minimizes the risk by splitting knowledge and privileges. However, the benefits of segregation of duties to security must be balanced with the increased cost/effort required. By using the ISO 27001 requirements for risk assessment, an organization can identify the most vulnerable and the most mission-critical elements of the business to which segregation of duties will represent real added value to the business and other interested parties.

The principles that can be applicable to segregation of duties are:

  • Sequential separation, when an activity is broken into steps performed by different persons (e.g., solicitation, authorization and implementation of access rights)
  • Individual separation, when at least two persons must approve an activity before it is done (e.g., contractor payment)
  • Spatial separation, when different activities are performed in different locations (e.g., locations to receive and store raw material)
  • Factorial separation, when several factors contribute to activity completion (e.g., two-factor access authentication).

These principles can be used in isolation or together, depending upon the security an organization requires to protect its processes.

Segregation can be implemented by:

  1. Identification of functions that are indispensable to the organization's activities and potentially subject to abuse, considering either business drivers or regulatory compliance (e.g., SOX)
  2. Division of the function into separate steps, considering either the knowledge necessary for the function to work or the privileges that enable that function to be abused
  3. Definition of one or more segregation principles to be applied to the functions. Examples of functions and the segregation principles applied to them are:
     • authorization function (e.g., two people need to authorize a payment)
     • documentation function (e.g., one person creates a document and another approves it)
     • custody of assets (e.g., backup media creation and storage in different sites)
     • reconciliation or audit (e.g., one person takes inventory and another validates it)

Sometimes the segregation of duties is impractical because the organization is too small to designate functions to different persons. In other cases, breaking down tasks can reduce business efficiency and increase costs, complexity, and staffing requirements. In these situations, compensating controls should be in place to ensure that even without segregation of duties the identified risks are properly handled. Examples of compensating controls are:

  1. Monitoring activities: these allow activities to be supervised while in progress, as a way to ensure they are being properly performed.
  2. Audit trails: these enable the organization to recreate the actual events from the starting point to its current status (e.g., who initiated the event, the time of day and date, etc.).
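The automated conflict detection recommended in the implementation guidance above, and the sequential and individual separation principles described under the implementation steps, can both be exercised with a small script. The following is an added example written for this page, not code from ISO or from any product; the role-to-duty map, the users and the change records are constructed for illustration, and the conflicting duty pairs are taken from the ISO 27002 list of activities that can require segregation. Function and variable names are assumptions of the example.

```python
"""Segregation-of-duties (SoD) checks: role-conflict detection plus a
four-eyes check on a change workflow. Added illustration for this page;
roles, users and change records are constructed, not from a real system."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Duties one person should not hold together (from the ISO 27002 5.3 examples).
CONFLICTING_DUTIES = {
    frozenset({"change.initiate", "change.approve"}),
    frozenset({"change.approve", "change.execute"}),
    frozenset({"access.request", "access.approve"}),
    frozenset({"access.approve", "access.implement"}),
    frozenset({"code.write", "code.review"}),
    frozenset({"software.develop", "production.administer"}),
    frozenset({"app.use", "db.administer"}),
    frozenset({"control.design", "control.audit"}),
}

# Constructed RBAC model: role -> duties it grants.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "developer": {"code.write", "software.develop", "change.initiate"},
    "reviewer": {"code.review", "change.approve"},
    "sre": {"production.administer", "change.execute"},
    "dba": {"db.administer"},
    "analyst": {"app.use"},
    "iam_admin": {"access.implement"},
    "manager": {"access.approve"},
}

# Constructed user -> roles assignments, with three deliberate conflicts.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"developer"},
    "bob": {"reviewer"},
    "carol": {"sre"},
    "dave": {"developer", "sre"},       # develops and administers production
    "erin": {"analyst", "dba"},          # uses the app and administers its database
    "frank": {"manager", "iam_admin"},   # approves and implements access rights
}


def duties_of(roles: Set[str]) -> Set[str]:
    """Union of the duties granted by a set of roles (unknown roles grant nothing)."""
    duties: Set[str] = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def violated_pairs(duties: Set[str]) -> List[Tuple[str, str]]:
    """Conflicting duty pairs fully contained in a duty set, sorted for stable output."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= duties)


def user_conflicts(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Per-user view: users whose combined roles grant a conflicting pair of duties."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in assignments.items():
        found = violated_pairs(duties_of(roles))
        if found:
            findings[user] = found
    return findings


def role_conflicts() -> Set[Tuple[str, str]]:
    """Role-model view: role pairs that must never be co-assigned to one person."""
    return {
        (r1, r2)
        for r1, r2 in combinations(sorted(ROLE_DUTIES), 2)
        if violated_pairs(ROLE_DUTIES[r1] | ROLE_DUTIES[r2])
    }


@dataclass
class ChangeRecord:
    """One change ticket; None means that step has not happened yet."""
    change_id: str
    initiated_by: str
    approved_by: Optional[str] = None
    executed_by: Optional[str] = None


def check_change_workflow(change: ChangeRecord, assignments: Dict[str, Set[str]]) -> List[str]:
    """Sequential separation: initiate, approve and execute must be done by
    different people, and each actor must hold the duty for their step."""
    steps = [
        ("initiate", change.initiated_by, "change.initiate"),
        ("approve", change.approved_by, "change.approve"),
        ("execute", change.executed_by, "change.execute"),
    ]
    problems: List[str] = []
    actors = [who for _, who, _ in steps if who]
    if len(actors) != len(set(actors)):
        problems.append("same person performs more than one step")
    for step, who, duty in steps:
        if who and duty not in duties_of(assignments.get(who, set())):
            problems.append(f"{who} is not entitled to {step}")
    return problems


if __name__ == "__main__":
    for user, pairs in user_conflicts(ASSIGNMENTS).items():
        print(f"SoD conflict for {user}: {pairs}")
    print("role pairs that must not be co-assigned:", sorted(role_conflicts()))
    print(check_change_workflow(ChangeRecord("CHG-2", "alice", "alice", "carol"), ASSIGNMENTS))
```

Only the duty vocabulary needs to be matched to a real environment; in practice the role-to-duty map would be exported from the identity provider or the business application, `user_conflicts` would run on every provisioning change and on a schedule, and any finding would be either remediated or accepted as a documented exception backed by the compensating controls listed above (monitoring and an audit trail).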

ISO 27001:2022 A 5.2 Information security roles and responsibilities

All information security responsibilities need to be defined and approved by management. Responsibilities can be general (e.g. protecting information) or specific (e.g. responsibility for granting a particular permission). Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Business roles likely to carry some information security responsibility include the CEO, business owners, general managers, HR managers and internal auditors. The auditor will be looking to gain confidence that the organisation has made clear who is responsible for what, in a manner adequate to its size and nature. For smaller organisations it is generally unrealistic to have full-time posts for these roles and responsibilities; instead, an appropriate person within the organisation can be given the responsibility for implementing the process alongside their existing role.

A.5.2 Information security roles and responsibilities

Control

Information security roles and responsibilities should be defined and allocated according to the organization needs.

Purpose

To establish a defined, approved and understood structure for the implementation, operation and management of information security within the organization.

ISO 27002 Implementation Guidance

Allocation of information security roles and responsibilities should be done in accordance with the information security policy and topic-specific policies. The organization should define and manage responsibilities for:

  1. protection of information and other associated assets;
  2. carrying out specific information security processes;
  3. information security risk management activities and in particular acceptance of residual risks (e.g. to risk owners);
  4. all personnel using an organization’s information and other associated assets.

These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Individuals with allocated information security responsibilities can assign security tasks to others. However, they remain accountable and should determine that any delegated tasks have been correctly performed.
Each security area for which individuals are responsible should be defined, documented and communicated. Authorization levels should be defined and documented. Individuals who take on a specific information security role should be competent in the knowledge and skills required by the role and should be supported to keep up to date with developments related to the role and required in order to fulfill the responsibilities of the role.

Other information

Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of risks and mitigating controls. However, responsibility for resourcing and implementing the controls often remains with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection. Depending on the size and resourcing of an organization, information security can be covered by dedicated roles or duties carried out in addition to existing roles.

All information security responsibilities need to be defined and allocated. They can be general (e.g. protecting information) and/or specific (e.g. the responsibility for granting a particular permission). Information security is everyone's responsibility, so roles and responsibilities should be established for staff, managers and contractors/vendors so that everyone knows what is expected of them when handling information. Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Business roles likely to have some information security relevance include departmental heads, business process owners, the facilities manager, the HR manager and the internal auditor. Leadership also matters: many organisations have at least one person primarily responsible for organising the information security program, typically a Chief Information Security Officer (CISO), Information Security Officer (ISO) or Director of Information Security, although titles vary. Clarifying specific information security responsibilities within existing job roles is therefore important; for example, the Operations Director or CEO might also act as the CISO with overarching responsibility for the whole ISMS, and the CTO might own all technology-related information assets. Whatever title is chosen, there should be someone who can give leadership high-level decision-making support on information security issues and solutions. It is also important to establish data ownership and data handling roles (e.g. data owners, stewards, custodians and users); many organisations formally identify and document these roles within their information security policies and data management frameworks.
The auditor will be looking to gain assurance that the organisation has made clear who is responsible for what in an adequate and proportionate manner according to the size and nature of the organisation.

Here are some of the vital IT security roles and the responsibilities associated with them. Don’t be surprised that sometimes, different roles share some responsibilities.

1) Information Security Board of Review

The Information Security Board of Review (ISBR) is an appointed administrative authority whose role is to provide oversight and direction regarding information systems security and privacy assurance across the organisation. In collaboration with the Chief Information Officer (CIO), the ISBR's specific oversight responsibilities include the following:

  • Oversee the development, implementation, and maintenance of a strategic information systems security plan.
  • Oversee the development, implementation, and enforcement of information systems security policy and related recommended guidelines, operating procedures, and technical standards.
  • Oversee the process of handling requested policy exceptions
  • Advise the management on related risk issues and recommend appropriate actions in support of the risk management programs.

2) CISO

A CISO (Chief Information Security Officer) is the one whose task is to oversee corporate security strategy. The typical CISO’s responsibilities include:

  1. Planning long-term security strategy
  2. Planning and implementing data loss prevention measures
  3. Managing access
  4. Ensuring that the company implements proper safeguards to meet compliance requirements
  5. Investigating any incidents and preventing them in the future
  6. Assessing security risk
  7. Arranging security awareness training

3) Security and Information Compliance Officers

The Security and Information Compliance Officers may oversee the development and implementation of the information security program (ISP). Specific responsibilities can include:

  • To ensure related compliance requirements are addressed, e.g., privacy, security, and administrative regulations associated with federal and state laws.
  • To ensure appropriate risk mitigation and control processes for security incidents as required.
  • To document and disseminate information security policies, procedures, and guidelines
  • To coordinate the development and implementation of an information security training and awareness program
  • To coordinate a response to actual or suspected breaches in the confidentiality, integrity or availability of information assets.

4) Data Owner

A Data Owner is an individual or group of people officially designated as accountable for specific data that is transmitted, used and stored on one or more systems within a department, location or administrative unit. The Data Owner has direct authority over the management and use of that information; the Data Custodian (typically an IT or operations function) carries out day-to-day protection on the owner's behalf. Data Owners might be department heads, managers, supervisors or designated staff. Items 1 to 6 below are responsibilities of the Data Owner; items 7 to 11 are the supporting responsibilities of the Data Custodian:

  1. Ensure compliance with Organizational polices and all regulatory requirements. Data Owners need to understand whether or not any Organizational policies govern their information assets. Data Owners are responsible for having an understanding of legal and contractual obligations surrounding information assets within their functional areas.
  2. Assign an appropriate classification to information assets. All information assets are to be classified based upon its level of sensitivity, value and criticality to the Organization.
  3. Determine appropriate criteria for obtaining access to sensitive information assets. A Data Owner is accountable for who has access to information assets within their functional areas. This does not imply that a Data Owner is responsible for day-to- day provisioning of access. Provisioning access is the responsibility of a Data Custodian.
  4. A Data Owner may decide to review and authorize each access request individually or may define a set of rules that determine who is eligible for access based on business function, support role, etc. Access must be granted based on the principles of least privilege as well as separation of duties. For example, a simple rule may be that all staff members are permitted access to their own health benefits information. A Data Custodian should document these rules in a manner that allows little or no room for interpretation.
  5. Approve standards and procedures related to management of information assets.While it is the responsibility of the Data Custodian to develop and implement operational procedures, it is the Data Owner’s responsibility to review and approve these standards and procedures. A Data Owner should consider the classification of the data and associated risk tolerance when reviewing and approving these standards and procedures. For example, high risk and/or highly sensitive data may warrant more comprehensive documentation and, similarly, a more formal review and approval process.
  6. Understand how information assets are stored, processed, and transmitted.Understanding and documenting how information assets are being stored, processed and transmitted is the first step toward safeguarding that data. Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of approach, documentation should exist and be made available to the appropriate Data Owner.
  7. Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of information assets. Data Custodians should work with Data Owners to gain a better understanding of these requirements. Data Custodians should also document what security controls have been implemented and where gaps exist in current controls. This documentation should be made available to the appropriate Data Owner.
  8. Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of information assets. Documenting administrative and operational procedures goes hand in hand with understanding how data is stored, processed and transmitted. Data Custodians should document as many repeatable processes as possible. This will help ensure that information assets are handled in a consistent manner and will also help ensure that safeguards are being effectively leveraged.
  9. Provision and de-provision access as authorized by the Data Owner. Data Custodians are responsible for provisioning and de-provisioning access based on criteria established by the appropriate Data Owner.
  10. Understand and report security risks and how they impact the confidentiality, integrity and availability of information assets. Data Custodians need to have a thorough understanding of the security risks affecting their information assets. For example, storing or transmitting sensitive data in unencrypted form is a security risk; protecting access to data with a weak password, or not patching vulnerabilities in a system or application, are further examples.
  11. Security risks need to be documented and reviewed with the appropriate Data Owner so that he or she can determine whether greater resources need to be devoted to mitigating these risks. The IT department can assist Data Custodians in gaining a better understanding of their security risks.

5) Data Users

All users have a critical role in the effort to protect and maintain information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider who is authorized to access information systems and/or information assets. Responsibilities of data users include the following:

  1. Adhere to policies, guidelines and procedures pertaining to the protection of information assets.
  2. Users are also required to follow all specific policies, guidelines, and procedures established with which they are associated and that have provided them with access privileges.
  3. Report actual or suspected security and/or policy violations or breaches to IT. During the course of day-to-day operations, users may come across a situation where they feel the security of information assets might be at risk; for example, a user finds sensitive information on a website that he or she feels should not be accessible. If this happens, it is the user's responsibility to report the situation.

6) Application Security Engineer

The job of an application security engineer has two major aspects: helping developers create more secure applications, and controlling the third-party applications used by the company and ensuring their safety. Some of the typical responsibilities and tasks include:

  • Configuring technical security controls
  • Conducting an app risk assessment
  • Whitelisting/blacklisting apps
  • Performing penetration testing

For app security engineers, it is vital to control SaaS apps and the risks related to them. Risky and insecure apps should be blacklisted. To automate the job and remain time-efficient, they will probably need specialized software that helps with app security assessment and whitelisting/blacklisting.

7) Data Protection Officer (DPO)

Having a DPO may be one of the compliance requirements. A DPO must be appointed in organizations working with large-scale systematic monitoring or processing of sensitive data. Officers oversee corporate data protection measures and their effectiveness. A specialist appointed to the DPO role checks whether corporate security is of a sufficient level to meet compliance requirements, and recommends security upgrades if needed. That is why an in-depth understanding of data security and compliance is an essential skill. The DPO orchestrates, manages and supervises all the activities that are aimed at protecting users' data and communicates the status to both internal and external parties. This includes:

  • Creating an effective step-by-step privacy program
  • Supervising the entire implementation process of the program at all stages
  • Assuring that all the data processes are being conducted
  • Reporting to the management, stakeholders, and all the parties involved on how the implementation process goes
  • Reporting to the management on the potential threats to data security and general integrity, and what can be done to eliminate them
  • Educating employees on the matters of data privacy and data protection
  • Training staff who are directly involved in data collection, processing or storage
  • Keeping track of and recording all the operations that involve users’ personal data and the reasons for these operations to take place
  • Auditing the data processes to assess their performance and address possible problems proactively
  • Reporting on the progress of the implementation and maintenance of the data privacy program in the company to the authorities, stakeholders, and public/customers
  • Being a connecting link between the organization and data subjects (users/customers): communicating with data subjects on how their data are being handled and what rights they have, and addressing all their requests concerning their data
  • Communicating with supervisors and being a connecting link between the organization and authorities

8) Network Security Engineer

As the name suggests, a network security engineer’s job is to protect corporate networks from data breaches, human error, or cyberattacks. Engineers are responsible for:

  • Configuring network security settings
  • Performing penetration testing
  • Developing and implementing sufficient measures to detect cyber threats
  • Implementing network security policies
  • Installing and maintaining security software like firewalls or backups

A deep understanding of cloud security may also be required.

9) Security Administrator

An IT security admin is a role that includes a wide range of skills and responsibilities to manage the protection of the company's data. Some of the most common admin responsibilities include:

  • Managing access
  • Ensuring that data migration is secure
  • Configuring security software
  • Monitoring data behavior for abnormal activities
  • Implementing security policies
  • Testing the company's systems to locate potential risks and vulnerabilities
  • Reporting security statuses and incidents (if any)
  • Using software tools to automate some of the tasks

An admin’s role is more significant than it may seem at first glance. An admin has to keep the whole organization’s security landscape in mind and ensure that even the tiniest processes are executed correctly. After all, even one careless click may be enough to initiate a cyberattack.

10) Security Analyst

What is the role of an information security analyst? This role is related to protecting corporate information against cyber attacks and insider threats. Generally, an analyst has to determine potential risks and vulnerabilities inside the system, so a deep understanding of data security threats and ways to prevent them is a must. As a security analyst, your responsibilities will include:

  • Analyzing and configuring corporate systems to improve their security
  • Analyzing data loss prevention measures
  • Looking for system vulnerabilities and ways to fix them
  • Monitoring data behavior for abnormal activities
  • Verifying security, availability, and confidentiality of corporate data

The security analyst's role also requires an understanding of white hat hacking to design more advanced protection against cyber attacks. Analysts often work together with security architects.

11) Security Architect

A security architect is one of the senior-level IT security positions. An architect is focused on creating a secure-by-design environment. Unsurprisingly, this position requires a solid understanding of network, app, and hardware security, as well as experience with various systems. Generally, an architect’s responsibilities include:

  • Assessing the system’s security controls and processes to find potential security gaps
  • Planning changes and upgrades for corporate IT infrastructure
  • Maintaining system integrity
  • Implementing insider threat control measures
  • Choosing new security software if needed
  • Implementing disaster recovery measures
  • Analyzing previous incidents and creating an incident response plan
  • Analyzing the costs and benefits of security solutions

Of course, the exact scope of your tasks as an architect will vary depending on each organization’s unique infrastructure and needs. Often, an architect needs to assess corporate systems for meeting security compliance standards to decide what changes are needed to become compliant.

12) Security Specialist

An IT security specialist is a person responsible for keeping corporate data safe. Security specialists maintain and upgrade systems and procedures to prevent data loss or leakage. IT specialists have many sub-specializations. Depending on a specific environment, an information security specialist will have a stronger focus on cloud, network, app, database or device security. In some cases, especially in small businesses, an IT security specialist is an all-rounder with responsibilities combining many cyber security roles at the same time. That’s why a security specialist must have strong IT skills and a deep understanding of both software and hardware—and, of course, an ability to locate potential vulnerabilities and fix them.

ISO 9001 Example of Risk assessment

Risk assessment of MR department

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occ | Current Process Controls: Prevention | Current Process Controls: Detection | Det | RPN | Recommended Action(s) | Responsibility & Target Completion Date | Action Taken | Sev | Occ | Det | RPN |
| Quality Management System & Implementation | External origin standards are not updated | Affects the quality and system | 3 | SC | Lack of checking in the new standards | 3 | Master list of external origin standards to be updated regularly. | Master list of external origin standards are reviewed by MR frequently | 5 | 45 | | | | | | | |
| Quality Management System & Implementation | Master lists are not maintained properly | Affects the system | 3 | SC | Lack of awareness | 4 | Master lists to be updated regularly. | Master lists are reviewed by MR frequently | 4 | 48 | | | | | | | |
| Quality Management System & Implementation | Unintended use of obsolete documents | Affects the system | 4 | CC | Obsolete documents are not removed from all points of use | 4 | Obsolete documents are identified and separated | By frequent checking | 5 | 80 | "Obsolete copy" is stamped on all obsolete documents for easy identification | Management Representative | Action taken to be verified after three months | 4 | 3 | 4 | 48 |
| Quality Management System & Implementation | MRM not conducted at regular intervals | Affects the system | 3 | SC | Improper communication | 4 | To follow the MRM plan | Verifying the conduct of MRM periodically | 3 | 36 | | | | | | | |
| Quality Management System & Implementation | Internal audits not conducted on time | Quality system failure | 4 | SC | Audit plan not followed | 2 | To follow the audit plan | Review of audit report | 1 | 8 | | | | | | | |
| Quality Management System & Implementation | Management of change not done | Affects the system | 4 | SC | Lack of awareness | 3 | Monitoring in review meetings | By reviewing the minutes of meeting | 3 | 36 | | | | | | | |
| Quality Management System & Implementation | NCRs not closed on time | Affects the system | 4 | SC | Root cause analysis not done properly | 2 | Updated NCR tracking sheet | Periodic review of NCR tracking sheet | 4 | 32 | | | | | | | |

Risk assessment of HR department

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occ | Current Process Controls: Prevention | Current Process Controls: Detection | Det | RPN | Recommended Action(s) | Responsibility & Target Completion Date | Action Taken | Sev | Occ | Det | RPN |
| Human Resources – Competency | Training not conducted properly | Affects the quality and system | 4 | SC | Improper planning for training | 3 | Training to be planned appropriately and updated in the Annual Training Calendar | Verified by Top management | 4 | 48 | | | | | | | |
| Human Resources – Competency | Non availability of competent personnel (or) selecting unskilled personnel | Affects the quality and system | 5 | CC | Competence requirements are not defined for recruitment | 4 | Personnel recruited based on defined competence requirements | Verifying the personnel competence by process heads | 5 | 100 | Competency standard to be defined before the recruitment process | Human Resource personnel | Action taken to be verified after three months | 5 | 3 | 4 | 60 |
| Human Resources – Competency | Decrease in employee efficiency | Affects the delivery | 3 | SC | Improper communication and employee not motivated | 4 | Motivate the employee through meetings to improve their efficiency | By reviewing the operator efficiency reports. | 4 | 48 | | | | | | | |
| Human Resources – Competency | Updating of legal and other applicable requirements not done | Affects the system | 4 | SC | Legal requirements are not checked periodically | 3 | Monitoring the master list of Statutory and Regulatory requirements regularly | Verified by Top management | 5 | 60 | | | | | | | |
| Human Resources – Competency | Residency not renewed on time | Affects the operations & planning | 4 | SC | Not reviewing employee file periodically | 4 | Residency to be processed on time | Monitoring of the employee file regularly | 2 | 32 | | | | | | | |

Risk assessment of Sales

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occ | Current Process Controls: Prevention | Current Process Controls: Detection | Det | RPN | Recommended Action(s) | Responsibility & Target Completion Date | Action Taken | Sev | Occ | Det | RPN |
| Sales | Wrong entry of size designation | Affects the quality | 3 | SC | Type error | 3 | Reviewing of customers' purchase order by Commercial officer | Daily review of SOS order in plan usage | 4 | 36 | | | | | | | |
| Sales | Order without contract review | Affects the quality and delivery | 4 | SC | Delay in releasing contract review | 3 | Perform contract review as soon as possible once the job is completed | Verified during operations planning | 3 | 36 | | | | | | | |
| Sales | PSL level, H2S level, material class, temperature not specified in customer PO | Affects the quality | 3 | SC | Customer requirements not clearly identified in the purchase order | 3 | Reviewing of customer purchase order against product requirements by Commercial officer | Review of requirements in contract review | 4 | 36 | | | | | | | |
| Sales | Delivery date committed without proper planning | Affects the delivery | 4 | SC | Date committed based on customer requirements | 3 | Review the customer requirements against purchase order by Commercial officer | During operations planning | 4 | 48 | | | | | | | |
| Sales | Wrong delivery address | Affects the delivery | 4 | SC | Type error and destination not reviewed | 2 | Reviewing of delivery information against purchase order before dispatch | Review before dispatch | 5 | 40 | | | | | | | |
| Sales | Delay in invoicing of the job | Affects the cash flow | 2 | SC | Communication gap | 1 | Communication through proper channel | Keep record of all completed jobs in job register | 5 | 10 | | | | | | | |
| Sales | No proper communication of the customer requirement | Delay in quotation submission | 4 | SC | No proper follow up | 3 | Monitoring & follow up of all enquiries | Daily review of enquiry register | 5 | 60 | | | | | | | |
| Sales | Customer complaints not handled properly | Loss of customer | 4 | SC | Poor internal communication | 1 | Communication through proper channel | Proper communication to avoid complaints | 2 | 8 | | | | | | | |

Risk assessment of Design

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occ | Current Process Controls: Prevention | Current Process Controls: Detection | Det | RPN | Recommended Action(s) | Responsibility & Target Completion Date | Action Taken | Sev | Occ | Det | RPN |
| Design | Error in design inputs | Affects the product quality | 4 | SC | Inadequate operating conditions | 3 | Design inputs are to be reviewed based on the customer or standard requirements before performing the process to prevent errors. | During design input review | 4 | 48 | | | | | | | |
| Design | Inadequate design outputs | Affects the product quality and delivery | 4 | SC | Relevant personnel were not aware of the requirements | 3 | Training to be given to the concerned personnel. | During design output review | 3 | 36 | | | | | | | |
| Design | Error in drawing | Affects the product quality | 5 | CC | Necessary details not mentioned properly in the drawing | 4 | Verification of the drawing to be done before issue. | During design output review | 5 | 100 | During design output review the Machine shop Manager shall ensure that adequate details are available in the drawing and that it is verified against the given requirements. | Machine shop Manager | Actions taken verified | 5 | 3 | 4 | 60 |
| Design | Personnel competency | Affects the product quality | 4 | CC | Failure in design | 3 | Training to be given to the concerned personnel. | During design output review | 4 | 48 | | | | | | | |
| Design | Selection of material | Affects the product integrity | 4 | CC | Product non conformance | 4 | Specifications / MTCs shall be reviewed during the design input | During design input review | 3 | 48 | | | | | | | |
| Design | Tolerance level not mentioned properly | Affects the product quality | 4 | SC | Human error | 3 | All the design outputs are to be reviewed during design output review based on the inputs and to be verified before approval. | During design output review | 4 | 48 | | | | | | | |

Risk assessment of Procurement

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occ | Current Process Controls: Prevention | Current Process Controls: Detection | Det | RPN | Recommended Action(s) | Responsibility & Target Completion Date | Action Taken | Sev | Occ | Det | RPN |
| Procurement | Supplier late delivery | Affects the delivery | 3 | SC | Delay in production process (unavailability of raw material) | 4 | Some amount of raw material to be maintained in stock | Regular checking of stock list | 3 | 36 | | | | | | | |
| Procurement | Error in documents provided by the supplier | Affects the quality | 3 | SC | Typo error | 3 | Inform the supplier to prevent typo error | Verify the documents regularly once received from supplier | 4 | 36 | | | | | | | |
| Procurement | Indent not raised in specified time interval | Delay in receiving raw material. Affects the delivery | 3 | SC | Planning not done properly in planning stage | 5 | Machine Manager shall provide the requirements to the procurement personnel in advance | During operations planning | 2 | 30 | | | | | | | |
| Procurement | Quality requirements not specified clearly in the purchase order | Indent not raised in the specified time interval | 5 | SC | Material received with the wrong specification. Affects the quality | 4 | Monitoring the PO before approval. | Based on the review during approval of PO. | 5 | 100 | Training given to concerned personnel about the quality requirements | Procurement personnel | Action taken to be verified after three months | 5 | 3 | 4 | 60 |
| Procurement | Improper identification of supplier | Affects the quality and delivery | 4 | SC | The person who prepares the PO was unaware of the quality requirements | 4 | Updating of such data to be done regularly | Periodic checking of supplier rating | 5 | 80 | Prepare supplier delivery performance and rejection quantity data regularly | Procurement personnel | Action taken to be verified after three months | 4 | 3 | 4 | 48 |
| Procurement | Specification not specified clearly in the purchase order | The specification should be as per standard requirements. | 3 | SC | Item description not created as per requirement | 4 | Delay in receiving bought out items. Affects the delivery | Before approval of purchase orders, Quality dept. verifies the requirements | 5 | 60 | | | | | | | |
| Procurement | Supplier performance rating is not done periodically due to delay in preparing data (such as delivery time and rejection quantities) | Reliability of the goods and services | 4 | SC | Supplier evaluation not done before purchase of critical goods & services | 2 | Critical goods and services are identified. | Critical goods and services are purchased from the list of approved suppliers only | 2 | 16 | | | | | | | |
| Procurement | Material not available at regular supplier | Affects the planning and delivery | 4 | SC | Dead stock at supplier premises | 3 | The goods and services are not considered as critical category. | Master list of suppliers | 3 | 36 | | | | | | | |

Risk assessment of Operation

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occ | Current Process Controls: Prevention | Current Process Controls: Detection | Det | RPN | Recommended Action(s) | Responsibility & Target Completion Date | Action Taken | Sev | Occ | Det | RPN |
| Operation | Ineffective production plan | Affects delivery | 3 | SC | Improper planning | 3 | Production plan to be prepared effectively in advance. | By verifying production plan | 5 | 45 | | | | | | | |
| Operation | Non availability of project execution plan | Affects quality | 3 | SC | Project process sequence is not in correct order | 3 | Awareness on job training to be given | Project execution plan | 5 | 45 | | | | | | | |
| Operation | Non availability of equipment, tools and inserts | Affects production and delivery | 4 | SC | Periodic checking of tools and inserts used for production is not done. | 3 | Tools and inserts are to be maintained regularly in stock. | By reviewing required tools and inserts | 3 | 36 | | | | | | | |
| Operation | Non availability of raw material | Affects production and delivery | 3 | SC | Material not available in stock | 4 | Some quantity of materials to be maintained in stock. | By reviewing the stock list. | 4 | 48 | | | | | | | |
| Operation | Internal non-conformance | Affects quality and delivery | 5 | CC | Requirements are not addressed properly in the daily production control sheet | 4 | Ensure that the requirements are addressed properly | By reviewing through in-process inspection | 4 | 80 | Verification of the production control sheet by the Quality Engineer for the proper addressing of the requirements before the issue of the documents | Quality Engineer | Action taken to be verified after three months | 5 | 3 | 3 | 45 |
| Operation | Improper handling | Affects the quality | 4 | SC | Unskilled person | 3 | Training to be given for concerned personnel | By monitoring the personnel | 3 | 36 | | | | | | | |
| Operation | Emergency requirement for any product / item | Difficulty in purchasing the items | 3 | SC | Improper planning | 2 | Minimum 3 suppliers for the critical items to be identified | By verifying the approved supplier list | 4 | 24 | | | | | | | |
| Operation | Employee performance reduced (or) not competent enough to perform a new activity. | Affects the quality and timely delivery | 3 | SC | Adequate training not provided | 3 | Required training to perform the job to be given for concerned personnel | Training matrix | 4 | 36 | | | | | | | |
| Operation | Shortage of work/office space inside our facility | Affects work | 2 | | Adequate space not available. | 3 | Proper layout for the work space to be designed | By verifying layout | 3 | 18 | | | | | | | |
| Operation | Requirement for changing of shifts | Affects the routine activities | 4 | SC | Improper planning | 3 | Required shifts to be arranged | By production monitoring | 3 | 36 | | | | | | | |
| Operation | Working hours affected due to Ramadan | Affects the timely delivery | 4 | SC | Improper planning | 3 | Proper planning to be done prior to start of the job | By verifying production plan | 1 | 12 | | | | | | | |
| Operation | Not enough knowledge to perform the operations | Quality of the work will be affected. | 4 | SC | Incompetent personnel on the job | 3 | Training to be given for concerned personnel | Skill competency matrix | 3 | 36 | | | | | | | |
| Operation | Difficulty in identifying the parts of the assembly product in dismantled condition | Affects the product quality & delivery | 4 | SC | Part identification number not visible on the sub assembly parts | 3 | Identification tagging to be maintained throughout the processes with reference to production plan/job number | Identification on each item by either SRV # or Job # | 4 | 48 | | | | | | | |
| Operation | Products damaged due to improper handling (within the facility / while transporting to the customer) | Affects the product quality | 4 | SC | Improper handling of the material | 3 | Proper protection for critical components to be provided | By verifying at the time of dispatch | 3 | 36 | | | | | | | |
| Operation | Unexpected power cuts | Affects the delivery | 1 | | Ministry issue | 1 | Alternate power source to be made available | Requested for alternate power source arrangement | 2 | 2 | | | | | | | |
| Operation | Errors identified in the manufacturer provided features. | Affects the customer satisfaction | 4 | SC | Poor quality of products delivered by manufacturers | 3 | Supplier evaluation needs to be conducted periodically | By supplier evaluation | 3 | 36 | | | | | | | |
| Operation | Productivity effects due to climate change | Affects the quality & delivery | 4 | SC | Additional responsibility & authority to be provided to on-site personnel | 4 | Identify contingency plan to mitigate climate change by identifying alternate production site | Additional responsibility & authority to be provided to on-site personnel | 1 | 16 | | | | | | | |

Risk assessment of Maintenance

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occ | Current Process Controls: Prevention | Current Process Controls: Detection | Det | RPN | Recommended Action(s) | Responsibility & Target Completion Date | Action Taken | Sev | Occ | Det | RPN |
| Maintenance | Periodic maintenance not done | Affects cost and delivery | 3 | SC | Carelessness of the operator | 3 | Proper preventive maintenance shall be done as per the plan | Frequent checking to be done | 3 | 27 | | | | | | | |
| Maintenance | Delay in completion of breakdown repair | Affects cost and delivery | 4 | SC | Non availability of spares | 4 | Maintaining minimum stock (spare parts) in store | Checking with breakdown register | 5 | 80 | Critical spares shall be identified and maintained in stock | Machine shop Manager | Action taken to be verified after three months | 4 | 3 | 4 | 48 |
| Maintenance | Delay in preventive maintenance | Affects cost and delivery | 4 | SC | Preventive maintenance schedule not followed | 4 | Preventive maintenance to be done as per the schedule | Frequent checking to be done | 3 | 48 | | | | | | | |
| Maintenance | Improper preventive maintenance | Affects cost and delivery | 3 | SC | Checklists prepared are inappropriate to the machine to be maintained | 3 | Checklists are to be prepared as per the manufacturer's specification | Checking with manufacturer's specification | 5 | 45 | | | | | | | |
| Maintenance | Incompetent personnel | Affects quality & cost | 4 | SC | Selection criteria not defined | 3 | Skill competency matrix prepared | Review of training effectiveness | 3 | 36 | | | | | | | |
| Maintenance | Delay in availability of machine spares | Affects cost and delivery | 4 | SC | Non availability of spares locally | 3 | Plan to have spares in stock | Review of the suppliers list | 4 | 48 | | | | | | | |
| Maintenance | Non availability of support from the manufacturer of the machine | Affects cost and delivery | 4 | SC | Authorised services of manufacturer are not available locally | 4 | Outsourcing the service | Communication with service providers | 2 | 32 | | | | | | | |

Risk assessment of Quality Control

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occ | Current Process Controls: Prevention | Current Process Controls: Detection | Det | RPN | Recommended Action(s) | Responsibility & Target Completion Date | Action Taken | Sev | Occ | Det | RPN |
| Quality Control / Quality Assurance | Indication found in Mill TC | Affects the quality | 4 | SC | Typo error | 3 | Inform the supplier to prevent typo error while preparing Mill TC | By checking MTC during incoming inspection | 4 | 48 | | | | | | | |
| Quality Control / Quality Assurance | Instrument error | Affects the quality | 5 | SC | Improper handling of the instruments | 4 | Training to be given to concerned personnel about instrument handling | Monitor the personnel while handling the instruments | 4 | 80 | Instrument to be sent for calibration. Out of calibration requirements to be ensured. | QA/QC Engineer | Action taken to be verified after three months | 5 | 3 | 3 | 45 |
| Quality Control / Quality Assurance | Some instruments are not calibrated beyond due date | Affects the quality | 3 | SC | Calibration plan not updated | 3 | Calibration due date to be checked by concerned personnel regularly | Using calibration plan | 4 | 36 | | | | | | | |
| Quality Control / Quality Assurance | Difficulty in identifying the material | Affects the system and quality | 4 | SC | Identification tag not tied on the product | 3 | Identification tag is tied after the completion of process. | By verifying visually | 3 | 36 | | | | | | | |
| Quality Control / Quality Assurance | Improper identification and traceability | Affects the system | 4 | SC | Identification number not replaced when damaged | 3 | Identification number properly replaced when it is found damaged | Monitored regularly by concerned personnel | 4 | 48 | | | | | | | |
| Quality Control / Quality Assurance | Delivery of non-conforming products | Customer dissatisfaction | 5 | CC | Final inspection not performed prior to dispatch | 3 | Final inspection is performed by the QC Engineer prior to dispatch | Using production and quality plan | 2 | 30 | Products to be called back and assessed as per control of NC products. | QA/QC Engineer | Action taken to be verified after three months | 5 | 1 | 2 | 10 |
| Quality Control / Quality Assurance | Wrong material taken for the production | Product nonconformity | 5 | CC | Identification of the material not done properly | 3 | Color code is assigned for the materials. | By verifying color code & traceability of the material prior to use. | 2 | 30 | Precautions shall be taken to prevent such errors by verification of the traceability before use. | QA/QC Engineer | Action taken to be verified after three months | 5 | 1 | 2 | 10 |
| Quality Control / Quality Assurance | Incompetent personnel | Affects quality of the product | 4 | SC | No proper training provided to the personnel | 3 | Training matrix is prepared | By verifying the effectiveness of the training | 2 | 24 | | | | | | | |

Risk assessment of Store

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occ | Current Process Controls: Prevention | Current Process Controls: Detection | Det | RPN | Recommended Action(s) | Responsibility & Target Completion Date | Action Taken | Sev | Occ | Det | RPN |
| Store | Material received without supplier invoice | Affects the system | 3 | SC | Supplier unawareness | 3 | Inform the supplier to provide invoice | When receiving material | 4 | 36 | | | | | | | |
| Store | Wrong entry of part no. / heat code | Affects the system and quality | 3 | SC | Human error / typo error | 3 | Create awareness about the importance of this activity | Check the store issue and receiving records | 5 | 45 | | | | | | | |
| Store | Rust formation on machined part | Affects the quality | 4 | SC | Rust preventive oil not applied / exposed to moisture | 4 | Rust preventive oil applied and stored after machining | Visual inspection during cycle count | 5 | 80 | Instruction given to the concerned personnel about the rust prevention methods | QA/QC Engineer / Stores Incharge | Action taken to be verified after three months | 4 | 3 | 4 | 48 |
| Store | Exposed sealing surfaces damaged | Affects the quality | 3 | SC | Improper preservation | 2 | Stored in a separate area to prevent damage | Regularly | 6 | 36 | | | | | | | |
| Store | Delivery note issued to customer with wrong information | Customer dissatisfaction | 4 | SC | No proper information | 2 | Store receipt voucher is prepared to identify the received items | Store receipt voucher is prepared to identify the received items & verified by QA/QC | 4 | 32 | | | | | | | |
| Store | Unexpected power cuts | Affects the quality | 2 | | Ministry issue | 1 | Alternate power source to be made available | Requested for alternate power source arrangement | 3 | 6 | | | | | | | |
| Store | Wrong shipment done to the customer | Customer dissatisfaction | 4 | SC | Communication gap | 1 | Proper communication to be done through proper channel | Store keeper to ensure the correct information is taken for the shipment | 3 | 12 | | | | | | | |

Example of Procedure for Labeling of Information

1.0 Purpose:

The objective of this procedure is to identify the types of information, their classification and their labeling at XXX so that all personnel follow a common framework and understanding of information security. The purpose of this procedure is to establish a framework for classifying data based on its level of sensitivity, value and criticality to XXX, as required by the information security policy. Classification of data will aid in determining baseline security controls for the protection of data.

2.0 Scope :

This procedure applies to all the business processes, its information and information system.

3.0 Responsibility:

  • IT dept.
  • Users
  • Process Owners/HOD

4.0 Procedure :

The following procedures cover how to label, store, dispose of, communicate, physically transfer or copy different types of information, depending on its classification and media (e.g. paper, electronic transmission (email) or electronic storage/transfer).

The distribution of data should be kept to a minimum. However, when data is required to be distributed, it must be validated and carry appropriate marking:

  • To the authorized recipient (a formal record shall be maintained and reviewed at appropriate intervals by the authorized recipients of data); and
  • Commensurate with its classification. The classification of data is split into three categories as defined in the Information Classification and Handling Policy.

All information assets must be classified into one of three categories. The information asset must be appropriately labelled to ensure that its classification is readily identifiable.

Where information is grouped together, the highest classification shall be applied to all information in the group.

The agreed classification categories are:

| Category | Information Category | Description |
| 1 | Confidential | Information is restricted to management-approved internal access and protected from external access. Unauthorized access could influence XXX's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence or breach a customer confidentiality clause. Information integrity is vital. |
| 2A | Controlled (Internal – Department) | Information collected and used by the respective department of XXX to conduct its processes and fulfill customer / client requirements. Access to this information is very restricted within the department. The highest possible levels of integrity, confidentiality and restricted availability are vital. |
| 2B | Controlled (Internal – XXX) | Information that can be shared with other departments within XXX without any implications for XXX; this information is not to be shared outside XXX without authorization. Integrity within XXX is important. |
| 3 | Public | Information is not confidential and can be made public without any implications for XXX. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. |

LABELING

Document authors will need to ensure that classification status markings are applied manually to all documents using the appropriate classifications of 'PUBLIC', 'INTERNAL' or 'CONFIDENTIAL'.

All data must be marked with the appropriate classification clearly as a minimum in the document header prior to printing. If the material is already printed or has not been word-processed, the marking ‘PUBLIC’, ‘INTERNAL’ or ‘CONFIDENTIAL’ as appropriate, must be written, at the top of every page as a minimum. Multiple page documents must be stapled together.

Any information that is not specifically marked as being 'INTERNAL' or 'CONTROLLED' will be deemed to be 'PUBLIC'. Therefore, the person responsible for processing or handling a document, particularly if consideration is being given as to whether a document should be disclosed, MUST consider the content of the document in determining how that document should be processed and not rely on its classification under this policy. The labeling of a document as Internal, Confidential or Public does not override XXX's duties under the Data Protection Act or Information Act.

Removable media such as CDs or DVDs, USB data sticks etc. used to store XXX information must always be classified as ‘CONFIDENTIAL’ and do not require individual labeling or marking.
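As an added illustration, not part of the procedure above, the following Python resolver encodes the labeling rules just described: the marking is read from a document's header, an unmarked document is deemed PUBLIC, removable media is always CONFIDENTIAL, and a group of information takes the highest classification of its members. The three-line header length, the sample file names and contents, and the treatment of 'CONTROLLED' as a synonym of INTERNAL are assumptions.

```python
"""Classification resolver for the three-level labeling rules described above.

Added example, not XXX's own code. Assumptions: a marking counts only if it
appears in the first HEADER_LINES lines (the "document header"), markings are
matched in upper case exactly as the procedure writes them, and 'CONTROLLED'
is treated as a synonym of INTERNAL because the procedure uses both words for
the middle level.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Ranking used to pick the most restrictive label; higher value = more restrictive.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}
# Category numbers from the procedure's table (1 Confidential, 2 Controlled, 3 Public).
CATEGORY = {"CONFIDENTIAL": "1", "INTERNAL": "2", "PUBLIC": "3"}
ALIASES = {"CONTROLLED": "INTERNAL"}            # assumption, see module docstring
HEADER_LINES = 3                                # assumption, see module docstring
MARK_RE = re.compile(r"\b(PUBLIC|INTERNAL|CONTROLLED|CONFIDENTIAL)\b")


@dataclass
class Item:
    """One piece of information: a document's text, or a removable medium."""
    name: str
    text: str = ""
    removable_media: bool = False


def marking_of(text: str) -> Optional[str]:
    """Return the marking found in the document header, or None if unmarked."""
    header = "\n".join(text.splitlines()[:HEADER_LINES])
    found = [ALIASES.get(m, m) for m in MARK_RE.findall(header)]
    if not found:
        return None
    # A header carrying several markings is resolved to the most restrictive one.
    return max(found, key=LEVELS.__getitem__)


def classify(item: Item) -> str:
    """Effective label of a single item under the procedure's rules."""
    if item.removable_media:
        return "CONFIDENTIAL"                   # removable media: always CONFIDENTIAL
    return marking_of(item.text) or "PUBLIC"    # no recognised marking: deemed PUBLIC


def classify_group(items: Iterable[Item]) -> str:
    """Label for information grouped together: the highest member classification."""
    labels = [classify(i) for i in items]
    if not labels:
        raise ValueError("cannot classify an empty group")
    return max(labels, key=LEVELS.__getitem__)


def label_report(items: Iterable[Item]) -> list:
    """(name, effective label, category number) per item, for a labeling review."""
    report = []
    for item in items:
        label = classify(item)
        report.append((item.name, label, CATEGORY[label]))
    return report


# Constructed sample items; names and contents are invented for this example.
SAMPLE_ITEMS = [
    Item("newsletter.docx", "PUBLIC\nXXX Newsletter, Q3\nHighlights of the quarter..."),
    Item("supply-agreement.docx", "CONFIDENTIAL\nSupply agreement with vendor A\n..."),
    Item("weekly-minutes.txt", "Minutes of the weekly sync\nAttendees: ...\n"),  # unmarked
    Item("dept-procedure.docx", "CONTROLLED (Internal - Department)\nProcedure 12\n..."),
    Item("backup-usb-stick", removable_media=True),
]

if __name__ == "__main__":
    for name, label, category in label_report(SAMPLE_ITEMS):
        print(f"{name:24} {label:13} category {category}")
    print("effective label for the whole group:", classify_group(SAMPLE_ITEMS))
```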

STORAGE

Information should be stored in accordance with contractual or legislative requirements and in a manner commensurate to its classification, as follows:

  • PUBLIC data: Does not require any access restrictions or specific safe storage.
  • INTERNAL data: If information is removed from XXX premises for use by an employee at home, it must not be left unsecured in the employee’s vehicle or left in public places. At the employee’s home, information and data must be stored, wherever possible, in a lockable area that cannot be accessed by any unauthorised person, including family members.
  • CONFIDENTIAL data: This is sensitive information to which access must be restricted; it must be securely locked away at the end of each working day or when no longer needed. This applies regardless of the format in which the information is held, e.g. paper, disk, files, tapes, faxes, post.

When stored in an electronic format, data must be protected by the use of both technical and physical access controls.
The following must be in place for:

CONFIDENTIAL Data stored on servers:

  • Servers must be located within secure rooms at XXX premises and access must be restricted to authorized personnel only.
  • Logical access controls must be used with authorized user ID and strong passwords.
  • Data stored in defined areas of the network must only be available to those authorized users with a need-to-know
  • Encryption must be employed wherever possible

CONFIDENTIAL Data processed on laptops:

  • Laptop hard drives must have full disk encryption applied
  • Only authorised users with XXX network domain credentials are authorised to use laptops.
  • Authorised users viewing restricted data on a computer screen must observe the XXX guidance with particular attention to preventing the possibility of ‘Shoulder Surfing’ or casual viewing by unauthorised people
  • Data must be moved from the laptop to a secure area on the XXX network as soon as possible

CONFIDENTIAL Data held in hard copy or on portable media:

  • Within XXX buildings it must be locked away in secure storage.
  • Within employees’ homes it must be stored, wherever possible, in a lockable area that cannot be accessed by any unauthorised person, including family members.
  • At premises other than XXX locations, if used for reference by third parties, it must remain within the XXX employee’s line of sight or possession and be made available only to those with a need-to-know.
  • In transit it must not be left unsecured in employees’ vehicles or left in public places.
  • Data held on portable (removable) media, such as (but not limited to) CD, DVD, USB and tape (including backup media), must be protected, including by encryption, against loss, theft, unauthorised access and unauthorised disclosure.
  • When held in any other form, it must be stored only in a locked drawer or room, or in an area where access control measures exist to provide adequate protection and prevent unauthorised access by members of the public, visitors or other persons without a need-to-know.
  • When confidential information is discussed verbally in public places or on public transport (including mobile phone conversations), care must be taken that the conversation is not overheard. The same applies to verbal messages left on answering machines or voicemail, and to information sent or received by e-mail, fax, text or multimedia messages sent by mobile phone or other messaging services.

DISPOSAL OF INFORMATION

Information which is no longer required must be disposed of safely and securely, in accordance with its protective marking. Care must be taken when sensitive information is disposed of, because mishandling:

  • may damage XXX’s reputation if the information falls into the wrong hands;
  • would be a breach of the Data Protection Act;
  • could result in costly litigation and financial loss to XXX;
  • could cause irreparable damage to individuals and families.

The ways in which we can prevent the above scenarios from occurring include the following disposal methods:

  • To ensure that all information other than PUBLIC is securely shredded
  • Any media (tapes, USB memory sticks etc.) must be securely destroyed through the XXX’s disposal procedure

Records must be maintained of all media disposals and must be made readily available

COPYING

Employees should be aware that they should not copy by any means, information which is marked ‘INTERNAL’ or ‘CONFIDENTIAL’ unless they are authorized to do so, under the ‘need-to-know’ principle.

This procedure applies to all information and documents produced by the XXX which have been deemed to have a security classification applied to them. The information covered in this procedure includes, but is not limited to, information that is either stored or shared via any means. This includes electronic information, information on paper, and information shared orally or visually (e.g. telephone conversations or video conferencing).

All XXX information has value to the organisation; however, not all of it has equal value or requires the same level of protection. Being able to identify the value of information assets is key to understanding the level of security they require. Once the appropriate level of security is identified, the appropriate controls can be implemented to prevent loss, damage or compromise of the asset, disruption of business activities, and the compromise or theft of information and information processing facilities. Incorrect classification of assets may result in inadequate or incorrect controls being implemented to protect them.

If you need assistance or have any doubt and need to ask questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion are also welcome.

Example of ISO 27001:2022 ISMS Risk Assessment Procedure

Process Flow

The following diagram shows the process flow for risk assessment as part of the overall ISMS framework.

1. Risk Assessment Definitions

For a given information asset, risk is defined as the probability of a threat materialising through the exploitation of a vulnerability, resulting in an undesired impact. The assessment of risk therefore brings together the following elements:

  1. An Asset (I)
  2. Applicable Threat category (II)
  3. Threat & Impact (III)
  4. Threat & Vulnerability (IV)
  5. Threat & Probability (V)
  6. Overall Risk to an asset against a specific threat (VI)

This is illustrated in Table 1.

For the process of risk assessment the following table has been used:

Column | Content
Asset Group (I) | Examples: personnel, paper, business applications (source: Asset Master)
Threat Categories (II) | (Breach of) Confidentiality, (Breach of) Integrity, (Breach of) Availability – each intentional or accidental
Impact (III) | 1 – Low, 2 – Medium, 3 – High, 4 – Very High
Vulnerability (IV) | 1 – Low, 2 – Medium, 3 – High, 4 – Very High
Probability (V) | 1 – Low, 2 – Medium, 3 – High, 4 – Very High
Risk (VI) | 1 – 64 (Impact × Vulnerability × Probability)
Table 1: Risk Assessment Formula

Term | Explanation
Asset Groups | All forms of asset, including personnel, paper, software, hardware, internal service providers and external service providers.
Threat | Any disaster event due to loss of confidentiality, integrity and/or availability (CIA) (not exhaustive).
Impact | Measured on a 4-point scale (4 – Very High, 3 – High, 2 – Medium, 1 – Low), the impact value represents the scale of business impact to the organisation in the event of a security compromise.
Vulnerability | Measured on a 4-point scale (4 – Very High, 3 – High, 2 – Medium, 1 – Low), the vulnerability value represents the state of control for a given asset. Management takes action on all vulnerability values greater than or equal to 2.
Probability | Measured on a 4-point scale (4 – Very High, 3 – High, 2 – Medium, 1 – Low), the probability value represents the likelihood of a threat being realised in the near future (the next year). For all probability values greater than or equal to 3, management defines a continuity plan.
Risk Value | Measured on a 64-point scale (12 or more – High, 8 to 11 – Medium, below 8 – Low; see section 4), the risk value represents the state of risk for a given asset.
Table 2: Risk Assessment Terminology explained

1.1 (Information) Asset Groups

An Asset is defined as any business asset, which has information contents. Examples of asset (not exhaustive) are listed below:

  • Personnel
  • Paper
  • Business applications hosting information
  • IT infrastructure items supporting information
  • Office Infrastructure supporting Operation
  • Office Infrastructure supporting Security operations
  • Documents – electronic and Paper
  • Services
  • External Service providers

Each department head creates and maintains their asset masters.

1.2 Risk Assessment Formula

Risk assessment for each asset is carried out, per applicable threat, using the following formula:

Risk = Threat X Business Impact (loss of “value”) X Vulnerability X Probability

Here the threat is the scenario being assessed (breach of confidentiality, integrity or availability) and selects the row of the worksheet; it is not itself a numeric factor. Business impact, vulnerability and probability are each rated from 1 to 4, so their product lies between 1 and 64. Each component of the risk assessment also undergoes a qualitative valuation based on the judgement of the risk analyst.

Listed below is an explanation of each of these terms.

1.2.1 Threat X (Business) Impact (valuation)

Each asset undergoes threat analysis under three major classifications: confidentiality, integrity and availability. The risk analyst decides which of these threats apply to the asset. Each threat so chosen is then given a business impact or “valuation” in the range 1 (one) to 4 (four), based on the guidelines in Tables 3 to 5. The risk analyst takes the worst-case scenario into consideration for valuation purposes:

Information Valuation/Rating

Information | Confidentiality Rating
New business & project opportunities | 4
Company risk register | 4
Joint Operations Agreement – JOA | 3
Production Sharing Contracts – PSC | 3
Sales Purchase Agreement | 3
G & G data including seismic data | 3
Skills & competency matrix of people (competitive advantage) | 3
Oil & gas reserve data numbers (competitive advantage) | 3
Oil & gas sales report | 2
Employee compensation & employee personal information (privacy of information) | 4
Reservoir data (e.g. Eclipse) | 3
Table 3: Confidentiality Rating

Availability Rating

Availability Requirement | Examples | Availability Rating
< 4 hours | IT infrastructure and communication services and supporting utilities (air-conditioning, power etc.); Active Directory servers; SharePoint; firewall and VPN services; all data and voice supporting network devices; cloud services (Microsoft Office 365 suite, e-mail) | 4 = Very High – Essential infrastructure services. XXX is connectivity driven, as it needs to remain in contact with its area and regional offices to fulfil all its requirements.
< 8 hours | Oracle e-Business Suite | 3 = High – Access to and availability of data stored on the server-mapped G: drive is paramount to XXX business operations, in addition to the specific business applications users connect to.
> 8 hours and within 1 day (24 hours) | Shared drive; LiveQuest; Petrel; G & G; Petrel RE; REP 5; Pansystem; Rose; Questor; Geoframe | 2 = Medium – Delayed start service
All other information that does not fall in the above categories | – | 1 = Low
Table 4: Availability Rating

Integrity Rating

Information | Integrity Rating
Inaccuracy in content accessible to employees concerning health & safety | 4
Inaccuracy that results in financial loss to the company or its employees, or affects legal/regulatory reporting obligations | 4
Inaccuracy in content accessible to the public | 3
Inaccuracy in content accessible to employees but not financial/health/safety in nature | 3
No applicable category | 2 or 1
Table 5: Integrity Rating

The asset ‘impact’ rating is performed based on enterprise context.

1.3    Threat X Vulnerability

A vulnerability is, by definition, an inherent weakness through which a threat can be exploited. Vulnerability is the base factor and covers the absence (or existence) of controls or countermeasures. Vulnerability is rated on the following 4-point scale:

Vulnerability Value | Purport | Guideline
4 | Very High Vulnerability | Rate 4 where there is more than one vulnerability and, in the opinion of the analyst, the vulnerability is easy to exploit.
3 | High Vulnerability | Rate 3 where there is more than one vulnerability.
2 | Medium Vulnerability | Rate 2 where there is at least one vulnerability.
1 | Low Vulnerability | Rate 1 where there are no identified vulnerabilities.

The assessment typically (but not exhaustively) considers whether preventive, detective, maintenance and/or monitoring controls are present to prevent the threat materialising. The risk owner and the risk analyst jointly agree on the valuation of the asset.

1.4          Threat X Probability

Probability is the likelihood of a threat materialising for the given asset. The asset owner and the risk analyst jointly agree on the valuation of the asset. Probability is rated on the following 4-point scale:

Probability Value | Purport | Guideline
4 | Very High Probability | Rate 4 when there have been more than two incidents in the last year.
3 | High Probability | Rate 3 when there have been two incidents in the last year.
2 | Medium Probability | Rate 2 when there has been one incident in the last year.
1 | Low Probability | Rate 1 when there has been no incident in the past and none is likely in the future.

For a given asset the risk is therefore calculated by a measure of threat, business impact, vulnerability and probability.

1.5          Justification

Each element of the risk assessment, i.e. impact, vulnerability and probability, is given a justification for its valuation, or a reference to the Very High, High, Medium and Low criteria above.

2. Risk Assessment Process

The process of risk assessment for a given asset consists of three stages, as explained below:

  • Asset Definition

The asset owner (typically the HOD) creates and maintains an Asset Master. The Asset Master captures all forms of information asset (paper, people, documents, hardware, business applications and external service providers).

  • CIA Impact Valuation

Each asset owner conducts an impact valuation on the loss of confidentiality, integrity and availability (CIA) for a given asset. In doing so, the owner refers to the CIA reference tables (Tables 3 to 5) to assess which criteria the asset meets.

  • Risk Valuation

Assets with an impact value of 4 for any of C, I or A, i.e. where the impact of a security violation is Very High, must be assessed for the remaining components of risk, namely vulnerability and probability.

Risks that cannot be treated are considered ‘residual risks’ and are subject to approval by the risk owner.

2.1    Risk Assessment Worksheets

  • All assets that have an impact value of 4 are rated for vulnerability and probability in a centralised record called the XXX-ISMS-RA record.
  • A risk re-evaluation is done for those assets where a treatment decision has been recorded as closed.

3. Risk Treatment Process

  1. All weakness areas are reported in a centralised vulnerability dashboard. The ISMS QA/MR discusses each area of weakness and reports it to the applicable department for closure.
  2. The ISMS QA/MR discusses the vulnerability, or the associated risk, with the risk owner.
  3. Decisions to close an identified vulnerability are taken by the Head of Department. When the department cannot make the implementation decision, it is moved up the chain of command to senior management for a final decision.
  4. Implementation of each decision is ensured through the allocation of responsibilities, coordinated with the Heads of Department or the applicable enforcer.
  5. Areas where senior management or the head of department does not take a decision, or where full implementation takes a certain period of time, are considered residual risk. The senior management decision is referenced in the Gap dashboard as closed, work in progress (WIP) or residual risk (RR).
  6. An annual plan of future initiatives is made available, demonstrating senior management’s commitment to effective implementation of the existing security framework.
  7. Risk values are reassessed for those assets where decisions have been taken to reduce their risk. This is an ongoing activity and the ISMS QA/MR keeps track of all such risk areas.

4. Risk Acceptance Criteria & Residual Risk Management

All risk values are rated on the 64-point scale. Every attempt is made to reduce the value of risk as far as possible. However, the following rules apply:

The risk acceptance criterion is a vulnerability value of 1. When an asset’s vulnerability value is more than 1, the asset has a known vulnerability. A vulnerability value of 1 reflects no known vulnerability and therefore becomes the benchmark for risk acceptance.

  • All vulnerability values of 2 and above are presented to management for reduction. Management includes department heads and top management, depending on the area of risk.
  • All risk values greater than or equal to 12 are presented to management.
  • After the introduction of controls, some risk values may not come down below 12 and therefore remain on the higher side. Such values form part of the residual risk.
  • Risks are classified as High if the risk value is >= 12, Medium if the value is >= 8 and < 12, and Low if it is < 8. Except for personnel assets, the objective for all assets is to bring the vulnerability value down to <= 2. For personnel, a High risk is acceptable, as it may be an operational requirement.
  • Residual risks are recorded against each asset group for which risk assessment is performed.
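The scoring rules of sections 1.2 to 4 (Impact × Vulnerability × Probability on the 1 to 64 scale, the High/Medium/Low bands, the vulnerability-1 acceptance criterion and the management-review triggers) can be applied mechanically to a risk register. The following script is an added example written for this page; it is not part of the original procedure and not XXX tooling. The `RiskRecord` class, the function names and the sample records are this example's own assumptions; the sample ratings are constructed from the values in the worked RA table below, plus one deliberately mis-recorded row to show the audit check.

```python
"""Risk scoring for the ISMS risk assessment procedure on this page.

Added example, not part of the original procedure. The record layout and
function names are assumptions of this example; the sample ratings are
constructed from the worked RA table on the page.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3, 4)  # 1 Low, 2 Medium, 3 High, 4 Very High


@dataclass
class RiskRecord:
    ra_id: str
    asset: str
    threat: str
    impact: int             # (III) worst-case business impact of the CIA breach
    vulnerability: int      # (IV) 1 = no known vulnerability ... 4 = several, easy to exploit
    probability: int        # (V) incidents in the last year / likelihood next year
    stated_category: str = ""   # category as recorded on the worksheet, if any
    personnel: bool = False     # personnel assets may carry an accepted High risk


def _rating(name: str, value: int) -> int:
    """Reject anything outside the 4-point scale instead of silently multiplying it."""
    if value not in SCALE:
        raise ValueError(f"{name} must be on the 4-point scale 1-4, got {value!r}")
    return value


def risk_value(impact: int, vulnerability: int, probability: int) -> int:
    """Risk (VI) = Impact x Vulnerability x Probability, giving 1..64."""
    return (_rating("impact", impact)
            * _rating("vulnerability", vulnerability)
            * _rating("probability", probability))


def risk_category(value: int) -> str:
    """Section 4 bands: >= 12 High, 8..11 Medium, < 8 Low."""
    if value >= 12:
        return "High"
    if value >= 8:
        return "Medium"
    return "Low"


def needs_full_assessment(impact: int) -> bool:
    """Section 2: a CIA impact of 4 makes vulnerability and probability rating mandatory."""
    return impact == 4


def needs_management_review(rec: RiskRecord) -> bool:
    """Section 4: vulnerability >= 2, or a risk value >= 12, is presented to management."""
    return (rec.vulnerability >= 2
            or risk_value(rec.impact, rec.vulnerability, rec.probability) >= 12)


def meets_acceptance_criterion(rec: RiskRecord) -> bool:
    """Acceptance criterion is vulnerability 1; anything else is residual risk for the owner to sign off."""
    return rec.vulnerability == 1


def vulnerability_target_met(rec: RiskRecord) -> bool:
    """Treatment objective: vulnerability <= 2, except for personnel, where High risk may stand."""
    return rec.personnel or rec.vulnerability <= 2


def audit(records: list) -> list:
    """Recompute each row and flag worksheet categories that disagree with the formula."""
    rows = []
    for rec in records:
        value = risk_value(rec.impact, rec.vulnerability, rec.probability)
        category = risk_category(value)
        rows.append({
            "ra_id": rec.ra_id,
            "risk_value": value,
            "category": category,
            "management_review": needs_management_review(rec),
            "accepted": meets_acceptance_criterion(rec),
            "target_met": vulnerability_target_met(rec),
            "category_mismatch": bool(rec.stated_category) and rec.stated_category != category,
        })
    return rows


# Constructed sample register (ratings taken from the worked RA table on this page).
SAMPLE_RECORDS = [
    RiskRecord("xxx-RA-01", "Employees (all personnel)", "Leak of sensitive / critical data",
               impact=4, vulnerability=3, probability=2, stated_category="High", personnel=True),
    RiskRecord("xxx-RA-04", "Common user applications", "Information leakage and misuse",
               impact=4, vulnerability=3, probability=1, stated_category="High"),
    RiskRecord("xxx-RA-07", "Wireless configurations", "Data leakage via unauthorised access",
               impact=3, vulnerability=1, probability=1, stated_category="Low"),
    RiskRecord("xxx-RA-12", "Laptop management", "Impact on day-to-day operations",
               impact=4, vulnerability=1, probability=2, stated_category="Medium"),
    # Hypothetical row with a mis-recorded category: 4 x 1 x 1 = 4 is Low, not Medium.
    RiskRecord("xxx-RA-99", "Constructed example asset", "Constructed threat",
               impact=4, vulnerability=1, probability=1, stated_category="Medium"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS):
        flag = "  <-- worksheet category disagrees with formula" if row["category_mismatch"] else ""
        print(f'{row["ra_id"]}: value={row["risk_value"]:>2} {row["category"]:<6} '
              f'review={row["management_review"]} accepted={row["accepted"]}{flag}')
```

Running the script lists each record with its recomputed value and band and marks any row whose recorded category does not match the formula, which is the check an auditor would run over the XXX-ISMS-RA record before a management review.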

5. Risk Communication

Risks whose vulnerability value is 1 are communicated to the risk owners. The risk owner is required to own and accept the residual risk.

6. Supporting Worksheets/reports

  1. XXX – Department-wise ISMS Compliance sheet
  2. XXX-ISMS-Risk Assessment record (also includes revised RA values)
  3. Latest Statement of Applicability – reflects references to existing controls
  4. Management review records, including residual risk and future plan of action

Example of ISMS Risk Assessment

The worksheet has the following columns: RA-ID; Risk Owner; Information Asset / Infrastructure Management (Risk Area); Form / Nature of Asset; Applicable Threats; RA Date; Impact Rating and Justification; Existing Controls (= Strengths); Missing Controls (= Weaknesses); Vulnerability and Justification; Probability and Justification; Revised Risk Value; Recommendation (Yes or No); Revised Risk Category; Residual Risks. The records are reproduced one per block below.

xxx-RA-01
  Risk owner: All Departments
  Information asset (risk area): xxx Employees (All personnel)
  Form / nature of asset: Personnel – Internal
  Applicable threat: Leak of sensitive / critical data
  RA date: 01.01.1900
  Impact rating: 4 – Teams hold category 4 information
  Existing controls (strengths): 1. Background screening in place; 2. Most employees undergo induction training; 3. All employees sign the code of conduct
  Missing controls (weaknesses): 1. People have the opportunity to send e-mails. Consider a DLP solution to reduce the opportunity for information theft (check whether DLP is implemented in Office 365)
  Vulnerability: 3 – One major vulnerability identified; however, the ‘ease’ factor has a high impact
  Probability: 2 – Human behaviour is unpredictable
  Revised risk value: 24 (4 × 3 × 2)
  Recommendation: Yes – DLP verification is WIP
  Revised risk category: High
  Residual risk: One major vulnerability identified; however, the ‘ease’ factor has a high impact

xxx-RA-02
  Risk owner: All Departments
  Information asset (risk area): xxx Employees (All personnel)
  Form / nature of asset: Personnel – Internal
  Applicable threat: Critical business activities are impacted
  RA date: 01.01.1900
  Impact rating: 4 – Several teams are crucial for availability
  Existing controls (strengths): 1. Leave control management in place; 2. Whenever there is an additional manpower requirement, it is addressed as part of HR planning
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No identified vulnerability
  Probability: 2 – Human behaviour is unpredictable
  Revised risk value: 8 (4 × 1 × 2)
  Recommendation: No
  Revised risk category: Medium
  Residual risk: No identified vulnerability

xxx-RA-03
  Risk owner: All Departments
  Information asset (risk area): Operations applications (Petrel 2012 / GeoFrame – IESX / GeoFrame – Techlog petrophysical applications / IHS Kingdom Suite / REP / Merak – Peep / Merak – Volts / Oil Field Manager / Eclipse / Interactive Petrophysics / Croker / Kingdom Suite / REP / Questor – Onshore/Offshore 9.8 / Mbal 8.0 / Pansystem 3.2 / Rose Risk multi-mode risk analysis / Tellus Database / LiveQuest Solution / Zeh Composer Seisworks + Zmap / PEEP / GEM (Eco Software) / Eclipse-Office)
  Form / nature of asset: Business Applications
  Applicable threat: Confidential data leakage
  RA date: 01.01.1900
  Impact rating: 4 – Unauthorised access leading to information theft (by an outsider)
  Existing controls (strengths): Access controls in place; central AD provides primary authentication, followed by application-specific controls
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No weakness identified
  Probability: 1 – No incidents in the past year, unlikely opportunity in the next year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-04
  Risk owner: All Departments
  Information asset (risk area): Common user applications (Active Directory / IP Telephony / Oracle HRMS / SharePoint Portal / Asset Management System / Enterprise Document Management System / Share drive (G: Drive) / Cogness / RPSystem / Discover / Global Tax Management System (GTMS) / Sun System / Hyperion / Website)
  Form / nature of asset: Business Applications
  Applicable threat: Information leakage and misuse; virus impact on data/servers
  RA date: 01.01.1900
  Impact rating: 4 – Applications are critical to business operations; most information is rated 3
  Existing controls (strengths): Most products deployed are standard tools from recognised vendors/OEMs
  Missing controls (weaknesses): 1. OFI in the change management process; 2. OFI in better access control
  Vulnerability: 3 – Two identified vulnerabilities
  Probability: 1 – No suspected incidents of application performance problems or misuse in the last year
  Revised risk value: 12 (4 × 3 × 1)
  Recommendation: Yes
  Revised risk category: High
  Residual risk: 1. OFI in the change management process; 2. OFI in better access control

xxx-RA-05
  Risk owner: IT Support
  Information asset (risk area): Switch configurations
  Form / nature of asset: LAN Management
  Applicable threat: Network down / impact on day-to-day business operations
  RA date: 01.01.1900
  Impact rating: 4 – Internal connectivity outage
  Existing controls (strengths): Redundant network, secure configuration
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-06
  Risk owner: IT Support
  Information asset (risk area): Router configurations
  Form / nature of asset: WAN Management
  Applicable threat: Impact on day-to-day business operations
  RA date: 01.01.1900
  Impact rating: 4 – External connectivity outage
  Existing controls (strengths): Redundant network, secure configuration
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-07
  Risk owner: IT Support
  Information asset (risk area): Wireless configurations
  Form / nature of asset: Wireless Management
  Applicable threat: Data leakage due to unauthorised access
  RA date: 01.01.1900
  Impact rating: 3 – Office connectivity of mobile users
  Existing controls (strengths): Alternate network-based controls exist; limited access
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 3 (3 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-08
  Risk owner: IT Support
  Information asset (risk area): All servers (Unix and Windows: Windows XP SP3 / Windows 2003 / Windows 2008 / Solaris / Linux)
  Form / nature of asset: Server Management
  Applicable threat: Data loss
  RA date: 01.01.1900
  Impact rating: 4 – High availability, high confidentiality
  Existing controls (strengths): A combination of policies exists, including patch and vulnerability management; certified staff handle changes
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-09
  Risk owner: IT Support
  Information asset (risk area): Database management (SQL and Oracle)
  Form / nature of asset: Database Management
  Applicable threat: Impact on day-to-day business operations
  RA date: 01.01.1900
  Impact rating: 4 – High availability, high confidentiality
  Existing controls (strengths): A combination of policies exists, including patch and vulnerability management; certified staff handle changes
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-10
  Risk owner: IT Support
  Information asset (risk area): Security applications (Access Point – card system / Access Point – biometrics / Checkpoint VPN / Firewall (Checkpoint) / AV (McAfee) / IPS/IDS (Cisco MARS) / Spam filter (Symantec) / Backup management (Tivoli))
  Form / nature of asset: Security Applications
  Applicable threat: Data leakage / corruption due to unauthorised access
  RA date: 01.01.1900
  Impact rating: 4 – Security controls protecting the network
  Existing controls (strengths): A combination of policies exists, including patch and vulnerability management; certified staff handle changes
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-11
  Risk owner: IT Support
  Information asset (risk area): Desktop management (Dell)
  Form / nature of asset: Desktop Management
  Applicable threat: Daily business activities impacted / delayed
  RA date: 01.01.1900
  Impact rating: 4 – End-user infrastructure
  Existing controls (strengths): Standard list of installed software; malware protection combining gateway and end-user malware protection
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-12
  Risk owner: IT Support
  Information asset (risk area): Laptop management (Dell / Apple)
  Form / nature of asset: Laptop Management
  Applicable threat: Impact on day-to-day business operations
  RA date: 01.01.1900
  Impact rating: 4 – End-user infrastructure
  Existing controls (strengths): Standard list of installed software; malware protection combining gateway and end-user malware protection
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 2 – Laptop theft is an opportunity
  Revised risk value: 8 (4 × 1 × 2)
  Recommendation: No
  Revised risk category: Medium
  Residual risk: No weakness identified

xxx-RA-13
  Risk owner: General Services
  Information asset (risk area): Physical access management (building, floors, work areas, server room(s), generator areas)
  Form / nature of asset: Physical Access Management
  Applicable threat: People / business information or data impacted
  RA date: 01.01.1900
  Impact rating: 4 – Availability infrastructure
  Existing controls (strengths): A combination of controls including manpower, CCTV and access controls in place
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-14
  Risk owner: IT Support
  Information asset (risk area): Document management system (share drives / folders / Enterprise Document Management System)
  Form / nature of asset: Document Management
  Applicable threat: Data leakage / corruption / loss
  RA date: 01.01.1900
  Impact rating: 4 – Storage areas for sensitive files/documents
  Existing controls (strengths): Access controls in place; central AD provides primary authentication, followed by application-specific controls
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-15
  Risk owner: Legal
  Information asset (risk area): External service providers (OEMs providing technical problem and patch management support)
  Form / nature of asset: External Service Providers – IT
  Applicable threat: Financial loss
  RA date: 01.01.1900
  Impact rating: 4 – High availability; their services are critical to application uptime
  Existing controls (strengths): SLAs in place; most vendors are global and provide 24/7 support
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No known weakness
  Probability: 1 – No suspected incidents of performance problems or misuse in the last year
  Revised risk value: 4 (4 × 1 × 1)
  Recommendation: No
  Revised risk category: Low
  Residual risk: No weakness identified

xxx-RA-16
  Risk owner: Legal
  Information asset (risk area): External service providers (IT consultants)
  Form / nature of asset: External Service Providers – Legal
  Applicable threat: Financial / reputation loss
  RA date: 01.01.1900
  Impact rating: 4 – Teams hold configurations which in turn contain category 4 information
  Existing controls (strengths): 1. Background screening in place; 2. All vendor staff sign an NDA
  Missing controls (weaknesses): 1. People have the opportunity to send e-mails. Consider a DLP solution to reduce the opportunity for information theft (check whether DLP is implemented in Office 365); 2. Consider bringing vendor staff within the scope of information security induction
  Vulnerability: 3 – Two major vulnerabilities identified
  Probability: 2 – Human behaviour is unpredictable
  Revised risk value: 24 (4 × 3 × 2)
  Recommendation: Yes – DLP verification is WIP, plus training on induction
  Revised risk category: High
  Residual risk: 1. People have the opportunity to send e-mails; consider a DLP solution (check whether DLP is implemented in Office 365); 2. Consider bringing vendor staff within the scope of information security induction

xxx-RA-17
  Risk owner: IT Support
  Information asset (risk area): External service providers – IT + Hasibat Information Technology
  Form / nature of asset: External Service Providers – IT
  Applicable threat: Financial loss
  RA date: 01.01.1900
  Impact rating: 4 – Several teams are crucial for availability
  Existing controls (strengths): 1. SLA including manpower availability is in place; 2. Vendors providing patch/problem support are covered by SLA/NDA
  Missing controls (weaknesses): No known weakness
  Vulnerability: 1 – No identified vulnerability
  Probability: 2 – Human behaviour is unpredictable
  Revised risk value: 8 (4 × 1 × 2)
  Recommendation: No
  Revised risk category: Medium
  Residual risk: No identified vulnerability

xxx-RA-18
  Risk owner: Key Departments (Legal / Operations / Commercial / Finance / Human Resources)
  Information asset (risk area): Paper document management (agreements / new contracts)
  Form / nature of asset: Paper Management
  Applicable threat: Financial / reputation loss
  RA date: 01.01.1900
  Impact rating: 4 – Printed documents and design documents
  Existing controls (strengths): 1. Printers have passwords; 2. Users follow the clear desk and clear screen policy, including shredding paper no longer in use
  Missing controls (weaknesses): Awareness of document handling can be increased
  Vulnerability: 2 – Paper on desks
  Probability: 1 – No incidents in the past year, unlikely opportunity in the next year
  Revised risk value: 8 (4 × 2 × 1)
  Recommendation: No
  Revised risk category: Medium
  Residual risk: Awareness of document handling can be increased

Procedure for Identification Of Legal And Other Requirements-OHSMS

1.0 PURPOSE:

To establish, implement and maintain a procedure for identification of legal and other requirements to which XXX subscribes & to identify how legal & other requirements are applicable to identified OH&S hazards covered under the scope of the Occupational Health and Safety Management system.

2.0 SCOPE: 

This procedure covers the method to identify and have access to applicable Legal and other requirements related to activities, processes, products, and services of XXX.

3.0 RESPONSIBILITY:

Legal Team Members (LTM), listed in EHS-ML-14. The Legal Team Members are the HS MR, DGM – HR, AM – Safety and Officer Admin.

4.0   DEFINITION:

4.1 Legal Requirements: These are regulatory requirements as defined by the Central or State regulatory authorities to which the XXX is liable to identify and comply.

4.2 Other Requirements: Any customer-specific requirements, statutory requirements by financial bodies, corporate-specific requirements & any other agreements with public authorities. (Ex: Customer requirements)

5.0 PROCEDURE:

5.1 The list of applicable legal and other requirements is compiled by the Safety Officer; the frequency of retrieval and the personnel responsible for maintaining the records are defined in the Legal Register.

5.2 The Head responsible for compliance with legal requirements shall obtain information on legal requirements by referring to any of the following sources:

  • Notifications from Kuwait Ministries
  • Information in newspapers
  • Communication with the National Safety Council, the Confederation of Kuwait Industry and authorised publishers
  • Subscription to / contact with the Bureau of Indian Standards, Book Supply Bureau, etc.
  • Reference to the various Factories Acts & Rules books
  • Through visiting the website to get information on the latest updates and also through member

5.3 Applications for renewal of consents / licences / authorisations under government statutory requirements shall be submitted in advance, as specified in the relevant Acts / Rules. The renewal frequency recorded in the list of legal and other requirements may be subject to change as per notifications / intimations from the government authorities from time to time. Responsible persons shall communicate relevant information on legal and other requirements to all concerned.

5.4 The following are the other requirements pertaining to the OH&S Hazards of the activities, processes, products & services, which are to be complied with:

  • Customer Specific Requirements – Marketing & Quality Departments are responsible for receiving the requirement from the Customer and forwarding it to the concerned department to ensure fulfillment.
  • The statutory requirement by Financial Institutions – Some of the financial institutions, Banks, Insurance companies may require the organization to comply with certain statutory norms. The finance dept shall identify and comply with those requirements and they are responsible for receiving and responding to the fulfillment of the above.
  • Corporate specific Requirements – MR shall identify any corporate-specific requirements and incorporate the same and periodically check for compliance.
  • Agreement with public Authorities – Public authorities like social bodies OR Industrial development authorities may require the organization to comply with their requirements. HR is responsible for receiving and responding to ensure fulfillment of such requirements.

5.5 Legal and other requirements applicable to OH&S hazards are determined during the significant HIRA study. The significant HIRA study also describes the legal requirements and how legal and other requirements apply to the OH&S hazards.

6.0 Document / Record reference: 

S. No. | Document / Record Description | Reference No.
1. | Legal Register | EHS-RG-01
2. | List of Legal Team Members | EHS-ML-14

Procedure for Emergency Preparedness and Response-OHSMS

1.0 Objective

The objective of this procedure is to establish and maintain a system for carrying out emergency preparedness and response actions within the premises of the company and the areas of its operations, with the aim of minimising the impacts of emergency situations on the environment, including risks of injury to employees, subcontractors, the general public and other interested parties. Specifically:

  • To locate the emergency, control it and prevent it from spreading further.
  • To safeguard employees and minimise the effects of an accident.
  • To minimise damage to property.
  • To restore normal operations at the earliest opportunity.
  • To ensure minimum damage to the environment.

2.0 Scope

This procedure is applicable to all emergency situations which can have significant impacts on the environment, including occupational health and safety risks to employees. This procedure addresses the requirements of ISO 45001:2018.

Ensuring safety is the prime responsibility of the company and its employees. Even though we try to ensure total safety in the plant, the occurrence of an emergency cannot be ruled out. Plans for meeting such emergency situations must be made, and everyone should be aware of the emergency plan so that all employees remain prepared for such a situation.

This plan aims at identifying possible accidents and explores ways and means to meet such an emergency situation.

3.0 Responsibility

The MR, as unit head, has overall responsibility; section in-charges, Emergency Response Team members and security personnel are responsible for carrying out the plan. The Safety Officer is responsible for ensuring that this procedure is executed consistently and effectively. Members of the Emergency Response Team (ERT) are responsible for ensuring proper implementation of the company's emergency response plans.

4.0 Description

4.1 Mock Drills: Practical drills designed to test the capability of personnel or the organization to perform a specific function (e.g. fire, spill response, communications, first aid and rescue).

4.2 Emergency Response Team: Consists of personnel who are knowledgeable, trained and skilled in basic incipient-stage firefighting, first aid and rescue operations, and other site-specific hazard response.

5.0 Procedure

The Safety Engineer, in coordination with other departments, shall identify all potential emergency situations or scenarios arising from the risk assessment associated with the company's activities, operations and processes, including the means to eliminate, control and minimize the hazards and risks associated with them.

5.1 Emergency Drills

5.1.1 The Safety Engineer, in coordination with the MR and GM, including all other departments in the organization, shall plan and conduct company-wide emergency drills at least once every 6 months.

5.1.2 Emergency drills shall cover, but are not limited to, the following types of emergencies:

  1. Evacuation
  2. Fire fighting
  3. First aid
  4. Oil or chemical spills/leaks

5.1.3 Designated fire exits and evacuation areas (or “assembly points”) within or near the company premises shall be clearly marked and made clear to all personnel. Selected and assigned personnel shall supervise the evacuation, including headcount.

5.1.4 Where appropriate, an evacuation plan and vicinity map or site layout shall be posted in strategic locations of the company premises for the general awareness of everyone. The maps should show evacuation routes, recovery routes, closest exits, fire protection equipment location, eye wash and shower station, spill control station and whatever is applicable. All employees should follow these instructions and be familiar with the evacuation map.

5.1.5 If planned results are not achieved, appropriate corrective actions shall be planned and carried out in accordance with “Non-conformance, Corrective & Preventive Action Procedure”.

5.1.6 The H&S Department shall prepare and maintain records of “Emergency Drill Report” duly signed by the MR.

5.2 Emergency Equipment Monitoring & Inspection

5.2.1 The MR/Safety Officer shall ensure that appropriate emergency equipment is provided, deployed and easily accessible in strategic areas of the company premises where an environmental or OH&S emergency could occur.

5.2.2 Emergency equipment shall cover, but is not limited to, the following:

  • Fire Extinguishers
  • Fire Alarms
  • Fire Hose
  • Emergency Lights
  • Spill kits (in the event of chemical/oil spills)
  • First Aid Kit

5.2.3 The MR/Safety Officer and/or assigned staff shall periodically check and monitor all emergency equipment. The frequency of inspection and maintenance shall be specified in the emergency equipment list.

5.2.4 It shall be the responsibility of the Safety Officer and his designated staff to ensure that all emergency equipment is in good operational condition and easily accessible in the event of an incident or other emergency situation.

5.3 Emergency Situations

Emergency situations in the company can arise due to the following:

5.3.1 Fire

Sr. No. | Activities | Responsibility for Mitigation
A | Vulnerable areas for fire are identified | MR
B | Adequate first aid and fire fighting equipment is made available during an emergency |
C | Fire alarm provided at security and relevant locations | Security
D | On being informed of a fire, the core group acts immediately | Emergency Response Team
E | Emergency escape routes are earmarked and emergency plans displayed | MR
F | Emergency power supply cut-off system available | Maintenance personnel
G | Employees are given awareness training on emergency preparedness | MR, Core team
H | Assess the loss/damage and submit a report to the management | Supervisor
I | Train existing and new employees on emergency response/evacuation as part of their induction programme | Core team

Steps for Mitigation:

  1. Conduct fire mock drills.
  2. Fire extinguishers that have been used, show low pressure or are past their validity date are to be refilled.
  3. Display emergency contact information.

5.3.2   Handling Fire Emergency:

5.3.2.1 The person who discovers the fire shall promptly report the matter to any ERT member and/or the MR/Safety Officer by telephone, mobile phone or any other means of communication. In the event of fire, the following guidelines apply:

  1. Press the fire alarm, or shout “fire, fire, fire!”
  2. Call the ERT and report the location of the fire.
  3. Use the nearest fire extinguisher, only if the fire is small and it is safe to do so.
  4. Move out of the affected area.
  5. Wait for the announcement.

5.3.2.2 Upon receipt of the emergency call, the ERT shall respond immediately and shall act as follows:

  1. Apply appropriate firefighting techniques.
  2. Respond to emergencies as required.
  3. Issue orders and take command of the firefighting activity.
  4. Call the external Fire Department if the situation is out of control.
  5. If the situation worsens, evacuation shall be ordered on the H&S Department's recommendation with the approval of the GM.

5.3.2.3 The ERT and/or designated personnel (referred to as “fire fighters”) shall direct and lead all personnel/workers towards the designated evacuation area (or “assembly point”).

5.3.2.4 Employees and visitors shall follow these evacuation guidelines:

  1. Proceed to the nearest exits or stairs.
  2. Walk fast. Do not run.
  3. Proceed to the designated evacuation area.
  4. Do not go back to get personal items.
  5. Wait for a further announcement.

5.3.2.5 The Safety Officer, in consultation with the Chairman/MR, shall recommend whether work is to be suspended, and shall take any necessary action if suspension is announced.

5.3.3 Handling Injury/illness of Personnel

5.3.3.1 In case of serious injury:

  1. Shout for help.
  2. Recover the injured person and administer first aid appropriate to the injury.
  3. Do not attempt to move the injured person unless you are trained to handle back or neck injuries.
  4. Call the ambulance and report the accident to the management as well as to the control room.
  5. If the injured person is conscious, ask whether he can walk, and transport him to the nearest hospital.
  6. If the injured person is unconscious, wait for the arrival of the rescue team.

5.3.3.2 In case of illness:

  1. Inform the supervisor.
  2. The supervisor or the nominated first aider must transfer the sick person to the hospital for proper medical treatment.
  3. If a vehicle is not available, call an AMBULANCE.

5.3.3.3 Reporting & Meeting:

  1. The Safety Officer, the MR and other relevant personnel shall review and discuss any reported incident and shall plan corrective measures to avoid recurrence of the same environmental or OH&S emergency situation or incident.
  2. Emergency procedures shall be reviewed and revised as necessary to reflect continual improvement of the company's emergency preparedness and response plan.
  3. All matters discussed shall be communicated to all employees, contractors and other persons working for or on behalf of the company through meetings and bulletin boards for general awareness.

5.3.4 Handling Chemical/Oil Spills

The guidelines below shall be used in H&S emergencies such as oil or chemical spills and leaks resulting from handling, accidents or explosions that pose immediate danger to employees and the environment:

  1. For minor spills, clean up the spill or leak with absorbent materials and put the contaminated materials in a hazardous waste bin.
  2. For major spills, call the ERT and report the matter immediately to the Safety Officer and the Safety Engineer.
  3. Then identify the type of chemical or oil spilled in the area and determine the source of all spills or leaks.
  4. Use appropriate protection when handling spilled chemicals or oils.
  5. Stop the source of the leak or spill.
  6. Contain the spill or leak using the techniques that best fit the situation.
  7. For oil leaks, place an empty container under the source of the leak.
  8. Tie up the pipe or hose where the chemical is escaping.
  9. Replace the defective pipe or hose.
  10. Put the leaking container in a recovery container or inside another container.
  11. Rotate or shift the container to a position that stops the leak.
  12. Use appropriate absorbent materials to remove the spill or leak.
  13. Limit the spill or leak to as small an area as possible.
  14. Contain the spilled chemicals within a salvage drum.
  15. Remove contaminated clothing, dispose of it accordingly, then shower.
  16. Decontaminate any tools used in the removal and clean-up of hazardous materials.
  17. The ERT shall ensure that appropriate PPE (Personal Protective Equipment) is used when handling chemical or oil spills.

5.4 Preparedness

5.4.1 Test the plans and procedures for adequacy at least once in 6 months.

5.4.2 Ensure the effectiveness of the emergency training through exercises and Mock drills.

5.4.3 Regularly inspect the existing emergency facilities, supplies and equipment and rectify any deficiencies.

5.4.4 Ensure provisions for notification, initial assessment and communication during an emergency situation.

5.5 Response

5.5.1 Ensure a safe and efficient evacuation during emergencies.

5.5.2 Ensure that the right level of security is maintained during any emergency.

5.5.3 Communicate to news media and general public in the event of any emergency, accident or other incident, only after seeking concurrence from Chairman.

5.5.4 The steps taken in response to a fire, hazardous material incident, and situations requiring medical and/or rescue response shall be documented in detail.

5.6 Duties and responsibilities

5.6.1   Safety Officer

  1. He will be in charge of handling any emergency under the overall guidance of the Chairman.
  2. He will guide the various controllers and coordinate them in carrying out their functions effectively.
  3. Depending on the seriousness of the emergency, he will arrange outside help.

5.6.2   Service Center Manager

  1. Immediately on learning of the emergency, he will proceed to the scene.
  2. He will quickly assess the scale of the emergency.
  3. He will give instructions to managers for control of operations, or shutdown, in other sections.
  4. He will ensure the safety of personnel at the site, and evacuate all non-essential persons from the site through operators or supervisors.

6.0 RECORDS

  • Emergency Response Plan
  • Emergency Contact Numbers
  • Mock Drill Record

Example of Emergency Preparedness Plan-OHSMS

1.0 EMERGENCY

An emergency is a situation which may lead to or cause large-scale damage or destruction to life or property within or outside the factory. Sometimes an emergency results in an uncontrollable situation and leads to disaster. Such an unexpected severe situation may be too great for the normal workforce in the affected area of the plant to handle. In any industry an emergency can arise at any moment, and this depends on the type of

  • Structure
  • Raw Materials
  • Machines / Plant
  • Nearby Industries etc.

2.0  NATURE OF EMERGENCY

The emergencies have been identified and are specified below, with their source and effect:

Sr. No. | Emergency | Source | Effect
1 | Fire / explosion | Electrical panels, flammable oil storage tanks, compressors, coolants, paints, etc. | Small fires, complete equipment loss, complete area burn-out; danger to human beings
2 | Spillage of flammable / hazardous oils, coolants, etc. | Hydraulic oil, furnace oil, coolant, etc. | Fire, burns, soil pollution, injury by slipping
3 | Electric shock | Electrical panels, power distribution board, DG set, overhead crane, voltage stabilizer, electric transformer and machines operated by electricity, etc. | Burns, suffocation, death; toxic chemical ingestion into the bloodstream
4 | Accidents – factory (major) | Fall from height; falling of heavy materials, dies, bins or other heavy objects | Fracture
5 | Accidents – transport | Accident during the transportation of men and materials | Death or bodily injury
6 | Personal confinement | Toilets, offices, basement | Suffocation
7 | Natural calamities such as storms, earthquakes, etc. | Nature | Structural collapse, death
8 | Structure collapse | Office building, or any wall or part of the factory building | Serious injury, major fracture, death
9 | Riots, arson, sabotage | Anti-social elements | Serious injury, major fracture, death
10 | LPG leakage | Fire hazard | Serious injury, death
11 | Tank dyke fire | Fire hazard | Serious injury, death
12 | Electric fire | Fire hazard | Serious injury, death
13 | Office fire | Fire hazard | Serious injury, death
14 | Person on fire | Fire hazard | Serious injury, death
15 | Food / water poisoning | Health hazard | Poisoning, death
16 | Bomb hoax | Bomb threat | Explosion, death, fear
17 | Burn – minor | Health hazard | Burn injury
18 | Electric shock casualties | Health hazard | Injury, death

3.0 OBJECTIVES:

The objective of the major emergency procedure is to make maximum use of the combined resources of the works and the outside services to:

  • Effect the rescue and treatment of casualties;
  • Safeguard other people;
  • Minimize damage to property and the environment;
  • Initially contain, and ultimately bring under control, the incident;
  • Identify any dead and provide for the needs of relatives;
  • Provide authoritative information to the news media;
  • Secure the safe rehabilitation of affected areas;
  • Preserve relevant records and equipment for the subsequent inquiry into the cause and circumstances of the emergency.

4.0  EMERGENCY MANAGEMENT & KEY PERSONS                                        

During an emergency situation it is generally seen that chaos and confusion rule, leading to more damage. Just as in normal operations there are managers, engineers, supervisors, operators, etc., who are assigned specific tasks to run the business, so during an emergency there are persons with specific duties. These persons are known as ‘Key Personnel’.

Following are the persons who are responsible to face the emergencies.

NAME | DESIGNATION | CONTACT NO

If required, external help in case of an emergency will be sought from appropriate sources. The probable sources have already been informed of the assistance that may be required and their consent has been obtained.

5.0  ROLES & RESPONSIBILITIES:

5.1 Name & Address of the persons furnishing the information:

XXXXXX

XXXXXX

5.2 Any Individuals  

When an emergency occurs, the person who observes it must evaluate the gravity of the emergency and he should alert all the factory personnel by activating the Emergency Siren.  The emergency siren is activated just by pressing the Emergency Siren push button located at the main gate & other different locations. Then he immediately reports to the Emergency Control Centre (Main Security gate) and informs about the Emergency location.

5.3 Site Controller:

The Site Controller will assume overall responsibility for the factory/storage site and its personnel. His duties are to:

i) Assess the magnitude of the situation and decide whether staff need to be evacuated from their assembly points to identified safer areas.

ii) Exercise direct operational control over areas other than those affected.

iii) Undertake a continuous review of possible developments, in consultation with key personnel, as to whether shutting down the plant or any section of it and evacuating personnel are required.

iv) Liaise with senior officials of the Police, Fire Brigade, Medical services and Factories Inspectorate, and provide advice on possible effects on areas outside the factory premises.

v) Look after the rehabilitation of affected persons once the emergency is over.

vi) Issue authorized statements to the news media and ensure that evidence is preserved for inquiries to be conducted by the statutory authorities.

5.4 Incident Controller:

The Head of the unit will act as an incident controller for that unit. Immediately on knowing about an emergency, he will rush to the incident site and take overall charge and report to the Site Controller. On arrival, he will assess the extent of emergency that exists and inform the Communication Officer accordingly. His duties will be to:

i) Direct all operations within the affected area to stop, taking into consideration the priorities of the safety of personnel, minimizing damage to the plant, property and environment, and minimizing loss of materials.

ii) Provide advice and information to the Fire/Security Officers and local fire service;

iii) Ensure that non-essential workers/staff of the affected areas are evacuated to the appropriate assembly point and that the areas are searched for casualties.

iv) Set up communication points and establish contact with the Emergency Control Centre in the event of failure of electric supply and internal telephones

v) Report on all significant developments to the communication officer and

vi) Have regard to the need to preserve the evidence so as to facilitate an enquiry into the cause and circumstances which caused or escalated the emergency.

5.5 Communication Officer:

He will also work as Liaison Officer and will be stationed at the main entrance (GateHouse) during the emergency. He will handle police, Press, and other inquiries, receive reports from roll-call leaders from assembly points, and pass on the absentee information to the Incident Controller. He shall maintain regular communication with the Incident Controller. He will:

  1. Ensure that casualties receive adequate attention, arrange additional help if required, and inform relatives;
  2. Control traffic movements into the factory and ensure that alternative transport is available when the need arises;
  3. When an emergency is prolonged, arrange for the relief of personnel and organize refreshments/food;
  4. Advise the Site Controller of the situation, recommending evacuation of staff from assembly points if necessary;
  5. Maintain the agreed inventory in the control room;
  6. Maintain a log of the incident on tape;
  7. In case of a prolonged emergency involving risk to outside areas from wind-blown materials, contact the local meteorological office to receive early notification of changes in weather conditions.

5.6 Security Officer-

The Security Officer will be responsible for fire fighting. On hearing the fire alarm, he shall reach the fire station immediately and advise the fire and security staff in the factory of the incident zone. He will convey the message about the incident zone to the Communication Officer, the Incident Controller and the Site Controller. He will direct the emergency services. He shall:

1) Announce over the PAS the zone in which the incident has occurred and, on the advice of the Shift Executive In-charge, instruct staff to evacuate to the assembly points.

2) Inform the Shift Executive In-charge.

3) Call the Incident Controller, the Engineering/Production Manager, the Personnel and Administrative Manager, and the Departmental Head in whose plant the incident occurred.

4) The Security Supervisor of each unit will act as the Security Officer for that unit.

5.7 Receptionist:

On hearing the emergency alarm, the receptionist shall immediately contact the Site Controller and, on his advice, call the local Fire Brigade and/or Police station and the safety committee members. If the PAS and telephone system become inoperative, she shall inform the Communication Officer through a messenger. If a fire is detected and the alarm is not in operation, she shall receive information about the location from the person who detected the fire and immediately consult the Incident Controller. On his advice, she shall contact the Security Guard and advise him to make an announcement on the PAS about the incident and its location, and to instruct everyone to evacuate to their assembly point. She will continue to operate the switchboard, advising callers and passing all calls connected with the incident to the Communication Officer.

5.8 Departmental Heads:

The HODs will report to the Incident Controller and provide assistance as required. They will decide which staff they require at the incident site.

5.9 Maintenance In-Charge and Electricians:

They will report to the scene of the incident and close down services as directed by the Incident Controller.

5.10 Shift Executive In-charge:

As soon as he becomes aware of the emergency and its location, he will proceed to the scene. He shall assess the scale of the incident and direct operations within the affected areas with the following priorities:

  1. Secure the safety of persons, which may require evacuation to the assembly points in the event of an escape of materials if the wind is from an adverse direction.
  2. Minimize damage to plant, property and the environment.
  3. Prevent spreading and damage outside the premises.
  4. Minimize loss of materials.
  5. Have regard to the need to preserve evidence that may facilitate a subsequent enquiry.
  6. Inform the shift engineer-in-charge as to what services are or are not needed.
  7. Hand over charge of the operation to the Incident Controller when he arrives at the site.
  8. Advise the Security Officer at the gate whether or not to make an announcement on the PAS calling senior staff to the factory, if necessary.

5.11 First-Aid Teams:

The Personnel Manager shall keep the roll call lists for the fire and First Aid teams on duty. The First Aid team is appointed by each Departmental Head for his shift team. Roll call leaders shall check their rolls of team members and report for emergency duty. The names of unaccounted persons or absentees will be given to the Security Officer. Members of the First Aid teams will report to the Shift Executive In-charge or Incident Controller on hearing the alarm and follow his directions.

5.12 Factory Fire Fighting Personnel:

The Fire Fighting personnel, under the command of the Security Officer, shall be responsible for fire fighting and rescue. On hearing the alarm they shall proceed to the place of the incident if known; otherwise they shall report to the Security Gate. The men at the Security Gate shall find out the location of the emergency, collect the equipment and proceed to the site of the occurrence. At the site, the team will respond to the directions given by the Incident Controller.


6.0  Roles & Responsibilities for Safety Teams:

After confirmation of the emergency location from the Emergency Control Centre, the concerned teams will start functioning. The team leaders will coordinate and communicate with the management. The team members fight the emergency under the instructions of the leader. The team will ensure that:

  • The emergency does not spread.
  • A head count is taken in consultation with the Liaison Manager and, if necessary, a search operation for missing persons is undertaken.
  • Every member of the team uses the required Personal Protective Equipment while the operation is going on.
  • First aid is arranged.
  • Additional fire fighting equipment for the fire fighting team is arranged.
  • Smooth rescue operations are facilitated.
  • The fire brigade and neighbouring industries are informed of the emergency.
  • Medicines are provided.
  • Injured persons are sent to hospital if necessary.
  • Records of first aid and hospitalization are maintained.
  • The help of other people is taken to control the emergency.
  • The remaining part of the plant is safe.
  • The area is cordoned off.
  • The necessary tools and equipment to handle any repair work are mobilized.
  • The main power supply line is cut off if necessary.
  • Maintenance and repair are undertaken.
  • Safety committee meetings are conducted every 3 months, or in case of an emergency.

Team members of the safety committee:

NAME | DESIGNATION | CONTACT NO

7.0 EMERGENCY CONTROL CENTRE

An Emergency Control Centre is essential for handling an emergency. In the factory, the Security Office at the Main Entrance is declared the Emergency Control Centre. All activities pertaining to the emergency will be carried out from this centre. The Emergency Control Centre will be equipped with:

  • Plant layout indicating storage of hazardous materials, fire fighting equipment and first aid box locations.
  • Material Safety Data Sheets of all chemicals handled in the premises.
  • List of all employees with addresses, telephone numbers, contact person and, if possible, blood group.
  • List of important telephone numbers, such as police, fire brigade, hospitals, Directorate of Industrial Safety and Health, Pollution Control Board, etc.
  • A separate list of team members with their addresses and telephone numbers.
  • A direct telephone line.
  • Equipment such as torch, rope, whistle and the necessary Personal Protective Equipment.
  • Note pads and pens/pencils to record messages and activities pertaining to the emergency.
  • First aid box with proper medicines.

8.0 ASSEMBLY POINT

The assembly point is marked in front of the main gate and is known to everyone; this is verified at the time of the safety audit. The assembly point has been sited away from the location of likely hazardous events, and employees, contractors and visitors must assemble there in case of emergency. An up-to-date list of designated employees must be available with the Site In-charge at the assembly point. The Site In-charge shall then take a roll call of the people present so that their presence can be marked.

9.0 ALARM RAISING SYSTEM

The factory Main “Emergency Siren” is located at the main gate. This will be used for raising the alarm and also for “All Clear” signals in case of emergency.

10.0 EMERGENCY RESPONDING PROCEDURE

In case of fire, explosion, natural calamity, etc., any person noticing it must evaluate the severity of the emergency and alert all factory personnel by activating the Emergency Siren. The Emergency Siren is activated simply by pressing the Emergency Siren push button located at the main gate. The person then immediately reports to the Emergency Control Centre and informs it of the emergency location. As soon as the alarm is heard, the safety team members will contact the Security Office at the Main Entrance and the safety team will rush to the emergency location. The safety team and the other team members will then assemble at the assembly point.

11.0 Communication System:

Alarms should be followed by an announcement over the Public Address System, or verbally by shouting. If the alarm system fails, the security guard will communicate by making an announcement through the Public Address System. Mobile phones, landlines, etc. may be used as a mode of communication in an emergency. If everything fails, a messenger may be used to send the information.

12.0 Action Plan For Various Emergencies.

A) Fire

Actions to mitigate the emergency | Responsibility to Respond
Raising emergency alarm | One who observes the fire or explosion
Shut down machines and main power supply | One who observes the fire or explosion / Production In-charge
Evacuation, assembly at Assembly Point | All employees
Fire fighting | All employees
Rescue operation | All employees
First aid or hospitalization | All employees
Final declaration of “All Clear” situation | MR / CEO

B) Major Spillage of flammable/ hazardous oils

Actions to mitigate the emergency | Responsibility to Respond
Raising emergency alarm | One who observes the major spill
Switch off power supply of the equipment | Concerned supervisor, maintenance engineers
Evacuation, assembly at Assembly Point | All employees
Isolate & barricade the area of the spill | Security
Control the spillage to avoid spread | DH
Stop all welding, electrical and similar work | DH
Fire fighting | Fire fighting team
Final declaration of “All Clear” situation | MR

C) Electric Shock

Actions to mitigate the emergency | Responsibility to Respond
Switch off power supply of the equipment | Concerned supervisor, maintenance engineers
Rescue the person | Concerned supervisor, maintenance engineers
Call the ambulance, provide first aid | Departmental Head

D) Accidents – Factory (Major)

Actions to mitigate the emergency | Responsibility to Respond
Contact company doctor/hospital | Departmental Head
Rescue operation | Safety team

E) Accidents-Transport

Actions to mitigate the emergency | Responsibility to Respond
Contact ambulance/hospital, provide first aid | Concerned person
Inform HR Dept | Concerned person
Inform Police | HR dept

F) Personal confinement

Actions to mitigate the emergency | Responsibility to Respond
Raising emergency alarm | One who observes the emergency
Call fire brigade | Departmental Head

G) Natural calamities Such as storm, earthquakes, etc.

Actions to mitigate the emergency | Responsibility to Respond
Raising emergency alarm | One who observes the calamity, such as a storm or earthquake
Evacuation, assembly at Assembly Point | All employees
Isolate & barricade if necessary | Security
Fire fighting | All employees
Rescue operation | All employees
Hospitalization | All employees
Final declaration of “All Clear” situation | Chief Controller

H) Structure collapse

Actions to mitigate the emergency | Responsibility to Respond
Raising emergency alarm | One who observes the collapse
Evacuation, assembly at Assembly Point | All employees
Isolate & barricade if necessary | Security
Rescue operation | Rescue team
Hospitalization | First aid team
Final declaration of “All Clear” situation | Chief Controller

I) Riots, Arson, Sabotaging (Inside the premises of the organization)

Actions to mitigate the emergency | Responsibility to Respond
Inform the HR Head, Plant Head, MD and Security immediately | Concerned person
Inform the Police immediately | HR Head
Security shall isolate the area of rioting with its full force | Security In-charge
All work shall stop immediately. Employees in the rest of the premises shall be evacuated immediately. An ambulance shall be kept on standby to meet any eventuality, and the hospital informed immediately to prepare for any emergencies. As soon as the police arrive, the rioting area shall be handed over to them | Admin In-charge

J) Riots, Arson, Sabotaging(Outside the premise)

Actions to mitigate the emergency | Responsibility to Respond
Inform the HR Head, Plant Head, MD and Security immediately | Concerned person
Inform the Police immediately | HR Head
An ambulance shall be kept on standby to meet any eventuality, and the hospital informed immediately to prepare for any emergencies | HR dept
The gates shall be closed and no person or vehicle allowed to leave the company premises. Security shall man the gates with full force and prevent the entry of any unauthorized person into the company premises | Security In-charge
If the riot situation lasts more than 8 hours, Admin shall ensure that adequate food and water are available for the employees | Admin In-charge
Once the all-clear signal is received from the police, normal operations shall resume in the organization | Dept HOD

K) LPG leakage

Actions to mitigate the emergency:
1. Take immediate steps to stop the LPG leakage.
2. Stop all operations.
3. An all-out effort should be made to contain the spread of leakage/fire.
4. Saving human life shall get priority over stock/assets.
5. Plant personnel without specific duties should assemble at the nominated place.
6. All vehicles except those required for emergency use should be moved away from the operating area in an orderly manner by the pre-nominated route.
7. Depending upon severity, the electrical system, except for control supplies, utilities, lighting and the fire fighting system, should be isolated.
8. If the feed to the fire cannot be cut off, the fire must be controlled and not extinguished.
9. Start water at areas involved in or exposed to fire risks.
10. In case of leakage of LPG without fire and inability to stop the flow, take all precautions to avoid any source of ignition.
11. Block all roads in the adjacent area and render internal/external support for the purpose if warranted.
Responsibility to Respond: Fire Fighting Team

L) Tank Dyke Fire

Actions to mitigate the emergency:
1. In case fire occurs in the dyke area due to a flange leak in the manifold area, the fire is to be extinguished with the help of foam.
2. Use DCP if the fire is small, otherwise use water spray or foam.
3. Cooling of lines/flanges is to be continued till the incident/site controller gives the instruction to stop.
4. If the tank collapses and product is spread in the dyke area with fire:
5. Withdraw manpower in and around the tank dyke area.
6. Use foam monitors of vehicles to spray and spread foam in the affected dyke area.
If the tank dyke area is on fire and the full product is in the dyke, then water is to be used judiciously, otherwise flooding of the dyke area may cause overflow of oil from the dyke area to open drains.
Responsibility to Respond: Fire fighting team

M) Electrical Fire

Actions to mitigate the emergency:
  • Disconnect the electric supply of the affected area.
  • Attempt to extinguish the fire with the help of DCP/CO2 fire extinguishers.
  • If the fire still persists, ensure complete isolation of the electric supply of that area and use water.
Responsibility to Respond: Maintenance and fire fighting team

N) Office Fire

Actions to mitigate the emergency:
  • Disconnect the electric supply of the affected area.
  • Attempt to extinguish the fire with the help of DCP/CO2 fire extinguishers.
  • Save all records from the fire.
Responsibility to Respond: Office staff and fire fighting team

O) Person on Flames

Actions to mitigate the emergency:
1) Bring the water gel blanket.
2) Open the bag inside the container to remove the blanket. If the bag is already open, such a blanket should not be used for burn victims.
3) The blanket can be held as a screen between the victim and the fire.
4) If possible, lay the victim down and wrap the blanket around the victim. Leave the victim wrapped in the blanket and seek medical help.
Responsibility to Respond: Fire fighting team

P) Food/Water Poisoning

Actions to mitigate the emergency:
1) Persons observing the symptoms should inform the location in charge for assessing the situation.
2) The shift in charge should call the doctor and ambulances and also alert all hospitals to meet any exigencies.
3) Render first aid and induce vomiting in the affected persons.
4) The ambulances and vehicles available should be mobilized to be in readiness to transport a large number of people if required.
5) Assistant Manager-SHE to report to the location in charge for required sanitation and medical assistance.
Responsibility to Respond: First Aid team

Q) Bomb Hoax

Actions to mitigate the emergency:
1) A person noticing an object resembling a bomb should bring it to the notice of the nearest available officer.
2) The officer should carefully observe the same from a distance and raise the alarm.
3) The area should be cordoned off.
4) Police control and fire control are to be informed for their arrival and inspection of the area. After the bomb is defused, the all clear siren should be sounded by the watchmen.
Responsibility to Respond: Concerned person / Admin dept

R) Burn – Minor

Actions to mitigate the emergency:
  • Pour cool water on the burn area till the burning sensation is reduced.
  • Cover it lightly with a clean cotton cloth.
  • Do not apply butter, oil, ointments or any home remedies.
  • Get medical help.
Responsibility to Respond: First aid team

S) Electric Shock Casualties

Actions to mitigate the emergency:
Electric shock results in irreversible damage to brain cells, followed by deterioration of the other organs.
Rescue and first aid: Do first things first, quickly and without fuss or panic. Switch off the supply if this can be done at once. If not possible, use a dry stick, dry cloth or other non-conductor to separate the victim from the electrical contact. The rescuer must avoid receiving a shock himself by wearing gloves or using a jacket to pull the victim.
Responsibility to Respond: First aid team

12.0 DO’S AND DON’TS

12.1 All Company Employees

Do’s
  • Stop work on getting information or hearing the alarm.
  • Switch off the machines and main power supply.
  • Gather at the assembly point.
  • Contact Management.
  • Take visitors to a safer place.

Don’ts
  • Do not panic & cause a stampede.
  • Do not run, and prevent others from doing so.
  • Do not go anywhere else.
  • Do not wait to collect personal belongings.

12.2 VISITORS & CONTRACTORS

After hearing the alarm they will follow the following steps:

  1. Give attention to all instructions.
  2. Stop work. Do not panic.
  3. Do not wait for personal belongings.
  4. Assemble at the assembly point.
  5. Do not go to the emergency site.
  6. Do not spread rumours.
  7. Do not engage in communication systems.

13.0 TRAINING

The employees will be informed about the ‘On–Site Emergency Plan’ in detail with the help of training programs. For the success of this plan, not only training but also mock drills will be organized, a minimum of once a year. Mock drills help everyone to understand the role to be played during the emergency. The core members of the Disaster / Emergency control will be given refresher training at intervals of one year.

14.0 MOCK DRILL PROCEDURE

The success of the “On-site emergency plan” is very much dependent on planned and unplanned mock drills. Mock drills help employees to be familiar with their roles and ensure accuracy of the onsite Emergency Plan. Following is the procedure for conducting a Mock drill.

  • Inform all the employees about mock drill procedures.
  • Fix the date and time for mock drill.
  • The mock drill will be monitored by the observer/s not involved in the exercise.
  • The emergency alarm will be raised.
  • After hearing the alarm, the Emergency Procedure will be followed. All clear signals will be given after the emergency is over.
  • Observer/s will note down the activities with respect to the time.
  • Lacunae observed in the system will be studied carefully.
  • Records of drills will be maintained.

After each drill, the plan will be thoroughly reviewed to take into account the omissions or shortcomings for improvement.

15.0 Details of liaison arrangements of the Organization:

All the organizations involved in assisting during an emergency were contacted and apprised of the details of the plant, such as the process, hazardous material handled, likely emergency incidents, steps taken to avoid/reduce risk, mitigation methods, resource availability, etc. The details are as follows:

15.1 POLICE

Sr. No | Name of Police Station | Tel. No

15.2 FIRE BRIGADE STATION

Sr. No | Fire Station | Tel. No

15.3 HOSPITALS AND DOCTORS

Sr. No | Name of Hospital | Tel. No

16.0 UPDATING THE PLAN

As and when required, this ‘On–Site Emergency Plan’ will be updated and informed to all. If necessary, after each drill the plan will be thoroughly reviewed to take account of shortcomings.