Information
-
Document No.
-
Audit Title
-
Client / Site
-
Conducted on
-
Prepared by
-
Location
-
Personnel
SECTION I - THREAT ASSESSMENT
-
1. Does your security measures correspond with the level of threat?
-
2. Do you have a documented system for processing the flow of threat information?
-
3. Do you have a process in place to receive, disseminate, and store classified information?
-
4. Do you collect and analyze threat information periodically?
-
5. Do you have internal methods (internet, media, toll-free number) to receive threat information?
-
6. Do you have external resources (state agency, ISAC, FBI, LEO) to receive threat information?
SECTION II - VULNERABILITY ASSESSMENT
-
1. Do you conduct vulnerability assessments of your assets?
-
2. Do you have a documented vulnerability assessment program?
-
3. Do you conduct the vulnerability assessments with the help of an outside source (e.g., state officials, contractors, facility owner/operator)?
-
4. Do you use a standard for conducting vulnerability assessments (e.g., CARVER, AASHTO, ODP)?
-
5. Does your vulnerability assessment recommend corrective actions?
-
6. Are the assessments and corrective measures reviewed at the executive level?
-
7. Is your vulnerability assessment information protected from disclosure (e.g., statute, policy, regulation)?
-
8. Do you have method of determining who has access to the completed vulnerability assessments?
SECTION III - CRITICALITY
-
1. Do you have a list of critical assets in your security plan?
-
2. Do you internally determine which assets are critical?
-
3. Do you use a standard methodology for determining criticality (e.g., AAR, AASHTO)?
-
4. Is your critical list protected from disclosure (e.g., statute, policy, regulation)?<br>
-
5. Do you allocate security resources based on criticality (e.g., critical facilities, most visible facilities, no resources)?
SECTION IV - MANAGEMENT AND OVERSIGHT OF THE SECURITY PLAN
-
1. Do you have a documented security plan? If not, how do you address security in your organization (e.g., response plan, emergency plan, disaster recovery plan)?<br>
-
2. Do you conduct reviews and update your security plan periodically?
-
3. Do you have a designated security officer?
-
4. Are the security officer’s duties documented?
-
5. Do you have access to a 24/7 emergency response/operations center?
-
6. Do you maintain an updated list of contact information for your personnel?
-
7. Do you conduct security planning at the organizational level?
-
8. Do you have executive level support for implementing security enhancements?
-
9. Do you have dedicated funding mechanisms (e.g., budget line item, fee, tax) to make security enhancements?
-
10. Do you have specific processes in place to reallocate and/or redirect resources in a heightened alert?
-
11. Do you require that employees who have access to the security plan sign non-disclosure agreements?
-
12. Do you have an emergency response plan?
-
13. Do you use multiple methods to communicate threat information?
-
14. Do you have a list of Federal points of contact to notify when an incident occurs? (If yes, indicate the name and contact information for the contact.)
-
15. Do you participate in industry forums to discuss lessons learned?
SECTION V - PERSONNEL SECURITY
-
1. Do you provide company identification cards to employees?
-
2. Do you use identification card technology to verify employee identities (e.g., biometrics, photo)?
-
3. Do you conduct background checks on your employees? (If so, indicate what consists of the background check.)
-
4. Do you conduct different levels of background checks based on type of employment (e.g., executive, operational, police)?
-
5. Do you provide company identification cards to contractor personnel?
-
6. Do you conduct background checks on contract personnel?
-
7. Do your written contracts require specific background checks for contractor personnel who enter company property?
SECTION VI - TRAINING
-
1. Do you conduct employee training on security awareness and security plan implementation?
-
2. Do you conduct employee refresher training?
-
3. Do you use a formal training curriculum (AAR, FEMA, IAIP, Highway Watch)?
-
4. Do you maintain records of employee training?
SECTION VII - SECURE AREAS
-
1. Do you have access control at your facilities?
-
2. Are there designated secure areas at your facilities?
-
3. Do you differentiate between levels of access into secure areas?
-
4. Do you use technology to verify identities when allowing access into secure areas (card readers)?
-
5. Do you track and document employee access to secure areas?
-
6. Do you track and document contractors access to secure areas?
SECTION VIII - PHYSICAL SECURITY COUNTER MEASURES
-
1. Do you have preventative measure to deter terrorist attacks?
-
2. Do you use physical security barriers at your facility?
-
3. Do you use intrusion detection devices in your facilities?
-
4. Do you have surveillance capabilities at your faciliites?
-
5. Do you use guard services / patrols (e.g., armed / unarmed contract, law enforcement, National Guard, USCG)?
-
6. Are you aware of infrastructure co-located near additional transportation or utility networks (e.g., electric, water, rail)?
-
7. Do you have a documented key control program?
-
8. Do you have remote locking mechanisms on your vehicles?
-
9. Do you require drivers to conduct pre- and post trip inspections of the vehicle?
-
10. Is the integrity of the cargo checked prior to loading and / or before departure?
-
11. Do you use a tracking system for vehicles (GPS)?
-
12. Are loads matched with cargo manifest with a copy of the manifest supplied to the driver?
-
13. Are drivers responsible for handling luggage and placing it in bins below?
-
14. Do passengers have their tickets verified when they give a bag to be checked on the bus?
SECTION IX - CYBER SECURITY
-
1. Does your computer system incorporate cyber security?
-
2. Do you have provisions for data backup, an uninterruptible power source, and remote access?
-
3. Do you have a backup control center housed at an alternate location?
-
4. Are your operations systems housed on an isolated network?
-
5. Do you conduct system penetration tests?
-
6. Do you have procedures in place to prevent unauthorized access to your operations systems?
-
7. Do you have a designated internal or external cyber security officer?
-
8. Is the shipment bill of lading data resident in the tracking system database before the truck departs the shipping point?
SECTION X - EXERCISES
-
1. Do you conduct exercises and drills?
-
How often are training exercises conducted?
-
2. Do you include external resources when conducting exercises and drills (e.g., LEO, first responders)?
-
3. Do you document the results of the exercises and drills?
WARNING
-
This document contains Safety Sensitive Security Information that is controlled under 49 CFR 1520. No part of this document may be released to persons without a need to know, as defined in 49 CFR 1520, except with the written permission of the company owner. Unauthorized release may result in civil penalty or other action.
-
Do you understand that you will not disseminate this information to anyone without the written permission of the company owner / official?
-
Signature of Assessor
-
Signature of Company Official
