SCM Research, Development and Planning Unit Page 1 of 7

SCM ___________________________________________________Ships Classification Malaysia Revision : 0 Distribution Lists: Last Rev. Date : - Unit Managers Issue date : 20.02.2004 All Surveyors Prepared By : KYUZRI Verified By : ROSIDI

For Internal Distribution Only Guidelines to Surveyors

Port Security Assessment and Security Plan 1.0 INTRODUCTION 1.1 Scope This internal guideline is to provide guidance for the SCM’s Maritime Security Assessor (MSA) acting as a Consultant approved by the Designated Authority (DA), in performing port area security assessment (PASA)/ port facility security assessment (PFSA) and developing port area security plan (PASP)/ port facility security plan (PFSP) when requested by a Port Facility Operator (PFO) or Port Administrator (PA), based on the restricted scope stipulated in SOLAS Chapter XI-2 and ISPS Code Part A (mandatory) and taking into account ISPS Code Part B and guidelines from DA. 1.2 Application The assessment and development of plan is only applicable to port and port facilities serving vessels engaged on international voyages as categorized below: All passenger ships, including high speed passenger crafts Cargo ships, including high speed craft cargo ships of 500GRT and above Mobile offshore drilling unit (MODU) 1.3 Qualification SCM Maritime Security Assessor assigned to perform the assessment and development of plan, shall be qualified in accordance to SCM minimum requirements as follows:

i. The assessor should have knowledge in the ship operations, port facilities and operations. ii. The assessor should have knowledge in the auditing of management systems either through ISM

certification or ISO certification. iii. The assessor should have successfully attended ISPS course, covering PFSA and PFSP, internal or external

and passed the course examination. iv. The assessor shall carry out a minimum of one (1) PFSA and develop one (1) PFSP under direct supervision

by a qualified maritime security assessor. v. The assessor shall have passed a security vetting by the relevant authorities and periodical confirmation

thereafter. 1.4 Obligations and Responsibilities 1.4.1) Port Facility Operator (PFO)/ Port Administrator (PA) a) Provide a qualified Officer (PASO/PFSO) based on the ISPS Code and any additional requirements set by the

DA. b) Provide the resources needed by the SCM Assessor to ensure an effective and efficient assessment

(PASA/PFSA). c) Provide an effective communication and coordination through out the assessment (PASA/PFSA) period and

during the development of plan (PASP/PFSP) by forming up a committee so call Port Area Security Committee (PASC).

d) Provide necessary access to document, records, reports and facilities if requested by the SCM Assessor. e) Fully co-operate with the SCM Assessor in order to achieve the objective of assessment (PASA/PFSP) and

development of plan (PASP/PFSP). f) Provide necessary resources, tools and support if SCM is requested to assist the implementation process of

plan (PASP/PFSP). g) Actively participate and involved if assistance from SCM is required to perform in-house audit and review. h) Complete PASA/PFSA and PASP/PFSP to be submitted to DA for review and approval. i) To furnish SCM with any directives, guidelines and relevant information form the port itself or DA on the

port security measures.

SCM Research, Development and Planning Unit Page 2 of 7

1.4.2) SCM a) To ensure that the PASA/PFSA and PASP/PFSP process is performed in accordance with this guideline and

relevant DA requirements within the scope of ISPS code. b) To carry out and develop the PASA/PFSA and PASP/PFSP effectively and efficiently. c) To comply with applicable requirements and other appropriate directives. d) To note in the report any major obstacles encountered in performing the PASA/PFSA. e) To organize special technical assistance if required, to fulfill the compliance. f) To report the PASA/PFSA results clearly, conclusively and without undue delay. g) To ensure confidentiality of documents and information pertaining to the PASA/PFSA and PASP/PFSP. 1.4 Definitions and Abbreviations SCM Maritime Security Assessor (MSA) is a SCM Security Personnel who has been duly trained in accordance to IACS Procedural Requirement No.25 and qualified to carry out port assessment and plan development. SCM Maritime Security Unit (MSU) is a unit in Ships Classification Malaysia responsible for the maritime security activities, relating to port and ship. SCM Head of Maritime Security Unit (HMSU) is a Senior Manager of Ships Classification Malaysia who is responsible in the management of the maritime security activities. SCM Secretary of Maritime Security Unit (SMSU) is an SCM Administration Personnel accountable to HMSU and responsible in general secretarial and clerical tasks related to maritime security activities. Designated Authority (DA) means an authority or administration (Malaysia Marine Dept.) designated by the Contracting Government (Malaysia Government) to undertake security duties with respect to ship and port facilities. Port Facility Operator (PFO) means an organization or owner that operates a port facility. Port Administrator (PA) means the regulatory authority of the federal ports, which have been gazette as a port authority, or ports under the management of the state authority or the “Marine Department” which do not have gazette port authorities. Port Area Security Officer (PASO) means a qualified officer designated by the PA to facilitate the development, implementation, review and maintenance of a PASP and for liaison with PFSO and SSO. Port Facility Security Officer (PFSO) means a person designated by the PFO, responsible for the development, implementation, revision and maintenance of the port facility security plan (PFSP) and for liaison with CSO, SSO and PASO. Ship Security Officer (SSO) means the shipboard personnel, accountable to the Master designated by the Company, responsible for the security of the ship, implementation and maintenance of SSP and liaison with CSO and PFSO. Company Security Officer (CSO) means a person designated by the company to develop and revise the SSP and for liaison with the PFSO and SSO. Port Area Security Committee (PASC) means a committee composing of PASO, PFSO, PFO, Ship Operators, Agents and Government Bodies (such as Immigration, Custom, Quarantine, Police, Marine Dept. etc.) chaired by the PA, responsible to provide a communication and coordination of security arrangement, development and implementation of PFSP. Port Area Security Plan (PASP) means a plan developed to ensure the application and measures designed to protect the port area and vessels, their cargoes, persons onboard from the risk of a security incident. Port Facility Security Plan (PFSP) means a plan developed to ensure the application and measures designed to protect the port facility and vessels, their cargoes, persons onboard from the risk of a security incident. Port Area Security Assessment (PASA) means a comprehensive analysis of threats, vulnerabilities, existing protective measures, procedures and operations within the port area. Port Facility Security Assessment (PFSA) means a comprehensive analysis of threats, vulnerabilities, existing protective measures, procedures and operations within the port facility.

SCM Research, Development and Planning Unit Page 3 of 7

International Ship and Port Facility Security Code (ISPS) means the ISPS Code consisting of Part A and Part B as adopted by the Organization. Security Incident (SI) means any suspicious act or circumstance threatening the security of a ship, MODU, high speed craft, port facility, and ship/port interface and ship/ship activity. Security Level (SL) means the qualification of the degree of risk that a security incident will be attempted or will occur. Security Level 1 (SL 1) means the level for which appropriate minimum protective security measures shall be maintained at all times. Security Level 2 (SL 2) means the level for which appropriate additional protective security measures shall be maintained for a period of time as a result of heightened risk of a security incident. Security Level 3 (SL 3) means the level of which further specific protective security measures shall be maintained for a period of time when a security incident is probable or imminent. (Although it may not be possible to identify specific target). Port Security System (PSS) is the security system placed onboard which implements the procedures. Documentation and associated records, which are examined to verify compliance with the requirements of the ISPS Code. Declaration of Security (DoS) means an agreement to be executed between the SSO and PASO/PFSO and provides means for ensuring that the critical security concerns are properly address and security will remain in place throughout the time when vessel is in the port area and facility. Ship/Port Facility Interface means the interaction that occur when a ship is directly and immediately affected by actions involving the movement of persons, goods or the provision of port services to or from the ship. Threat means the likelihood of an unlawful act will be committed against a particular target, based on a perpetrator’s intents and capability. Verification means a planned and systematic audit sampling, examination, measurement and testing in order to verify that the port security system and equipment specified in the PASP/PFSP is being effectively maintained and implemented. Objective evidence means a quantitative or qualitative information, records or statement of facts pertaining to the security system and equipment observed during approval and verification. Observation means a statement of fact and judgment made during approval and verification supported by objective evidence which if not corrected may lead to non-conformity in the future. Non Conformity means an observed situation where objective evidence indicates the non-fulfillment with a specified mandatory rules and requirements. Findings means an observation or nonconformity raised up during PASA/PFSA, implementation of PASA/PFSA and internal audit. Recommendation means an observed situation due to findings made and recommended in order to comply with the ISPS code Part and Part B requirements. 2. WORK METHODOLOGY 2.1 Scope of Work SCM scope of work is just limited to port security assessment and security plan development. However, it may be extended, in a case by case basis and at the request of PFO/PA covering SCM value added services such as implementation of PASP/PFSP, in-house audit/review and ISPS awareness course with a clear define scope agreed between SCM and PFO/PA at an early stage of communication. 2.2 Process Flowchart The flowchart shown in Appendix 1 shows an overall process, including lines of communication, responsibilities and references involved in the port assessment, plan development, plan implementation (optional), in-house audit/review stages (optional) and in-house ISPS awareness course (optional). It is a responsibility of all Maritime Security Unit (MSU) personnel to follow and maintain a smooth flow of the process in order to prevent inefficiency causing unnecessary delay to PFO/PA.

SCM Research, Development and Planning Unit Page 4 of 7

2.3 Handling Request 2.3.1 Request and Confirmation Order SCM application for survey form (form No: TE/SURV/F/0) may be used for confirmation of order. Formal request made through letter or fax signed by the company’s representative would normally be acceptable. Soon as after receiving the request, SCM then should send a reply letter confirming to undertake the project noting an estimated period of project, scope of works and fee if requested. 2.3.2 Formal Contract Agreement In some cases, the PFO/PA may request a formal form of special agreement or contract for conducting a port assessment and plan development to a number of facilities in the port areas or a complete package inclusive of the optional services. In this regard, SCM or client’s standard format of agreement shall be used, with mutual acceptance 2.4 Planning In order to have good end results, an effective planning before/during /after execution of port assessment, plan development, plan implementation and plan audit verification, is necessary. It is to ensure that a channel of coordination and communication is always being maintained and controlled. This can be achieved through: (a) Setting up a specific agreeable work program (see Appendix 2- form to be used). (b) Conducting an opening meeting or kick off meeting or the first meeting in the PFO/PA premises participated

by PASO/PFSO and PASC for the purpose of collecting information, issuing instruction, discussion on the method of execution etc.

(c) Conducting a regular progress meeting with PASO/PFSO and PASC in order to discuss and agree to the daily findings and recommendations.

(d) Conducting a closing meeting or a final meeting with PASO/PFSO and PASC to summing up and to conclude information, findings, recommendation etc.

2.5 Execution Port assessment, plan implementation and plan audit verification are to be carried out based on the checklist attached in Appendix 3,4,5 respectively. Prior to conducting the aforementioned tasks, MSA should have a clear definition of objective. The main objective is to aim that the following preventive security measures are provided and maintained at all security level of risks: (a) Legal or illegal access to the port facility from land or sea for the purpose of committing unlawful acts is

prevented. (b) Unauthorized weapons, dangerous or hazardous substances and devices brought in or smuggled into the port

or from vessel using the port are prevented. (c) Personal injury or death or damage to the port facility, ships and infrastructures by explosive or other devices

is prevented. (d) Tampering with cargo, essential and important equipment, utilities, protection system, procedures and

communication system is prevented. (e) Smuggling of contraband, drugs, narcotics, prohibited material and other illegal substances is prohibited. (f) Other criminal activities, such as theft and robbery is prevented (g) Unauthorized disclosure of classified material, commercially proprietary information or security sensitive

information is prohibited. It is also important to remember that when carrying out the tasks, the MSA shall address and/or consider the following elements: 2.5.1 Port Security Assessment (a) Identification and evaluation of important assets and infrastructures that is important to be protected. (b) Identification of possible threats to the assets and infrastructures and the likelihood of their occurrence in

order to establish and prioritize security measures. (c) Identification, selection and prioritization of counter measures and procedures and effectiveness in reducing

vulnerabilities. (d) Identification of weaknesses, including human factors in the infrastructures, policies and procedures. 2.5.2 Plan Development (a) It has reference and close link to the valid PASA/PFSA. (b) It has taken into consideration all the recommendation set in the PASA/PFSA. (c) It shall be written in the working language or working languages of the port, if the working language(s) used

is not English/French/Spanish. (d) It has addressed all the identified list of risks. (e) It has taken into consideration of ISPS Code Part B.

SCM Research, Development and Planning Unit Page 5 of 7

(f) It allows for a full redundancy and contingency in the port security system and security equipment (g) It contains procedures stating what to do, when, how and by whom. (h) Threat and vulnerability assessment in SSA has been used as a basis in deciding the security measures. 2.5.3 Plan Implementation (a) The PASO/PFSO and port personnel having a specified security duty shall have sufficient knowledge and

have received appropriate training. (b) To conduct a drills and should test individual element of the PASP/PFSP with regard to the identified

potential threats. (c) To conduct a full scale/live and tabletop simulation/seminar or a combined exercise with the other port state

authority exercises. (d) To request and include involvement and participation from PASO/PFSO, PASC, CSO and SSO in joint

exercise. (e) To test efficiency of communication, coordination, participation, availability of resources and response during

the drills and exercises. 2.5.4 Plan Audit Verification (a) Verify that the approved PASP/PFSP is available and approval comments if any from DA have been dealt

with. (b) Verify that the PASP/PFSP has been satisfactorily and effectively implemented including drills, exercises and

training. (c) Verify through an audit sampling that the port security system is being fully implemented and objective

evidence demonstrating the effectiveness of the documented procedures. (d) Verify that all security and monitoring equipment specified in the PASP/PFSP complies with applicable

requirements and is satisfactorily working. For the port assessment, any observation made to be reported in the comments column of the PASA/PFSA checklist and later on will be used as an input to develop the PASP/PFSP. For the threat and vulnerability risk assessment, guidance from the International Labor Organization and International Maritime Organisation to be used. Each item in the plan implementation/plan audit verification checklist should be filled in the finding column denote as “OK/NC/NA/OBS”. Any remarks made to the findings should be then noted in the “comments” column. There is also a column where a cross-reference to the PASA/PFSA and PASP/PFSP should be noted. v OK : if the PASP/PFSP conforms to the requirement of ISPS code Part A and B and additional requirements

set by SCM v NC: non-conformance to the requirement of ISPS code Part A v NA: not applicable e.g. specific ship types, trading pattern etc. v OBS: observation non-mandatory recommendation if any, made based on the requirement of ISPS Part B and

requirement set by SCM in order to improve the documented security system of PASP/PFSP. The port assessment, plan development, plan implementation and plan audit review may be carried out individually or in a group of MSAs assigned by Head of MSU (HMSU). If carry out in group, an opening meeting in SCM office chaired by the HMSU should be established in order to discuss and assign responsibilities and communication. 2.6 Reporting A complete draft report of port assessment, plan implementation and plan audit verification are to be forwarded to HMSU for verification prior to preparing final report for submission to PFO/PA .If found necessary and if time permits, the reports should be verified by means of communication between the assigned MSA(s) and HMSU in a so call preclosing meeting. The PASO/PFSO of that particular PFO/PA may participate in the meeting if a request is received. On satisfactory verification of draft reports by the HMSU, a final report and PASP/PFSP (see App. 6 – forms to be used) to be prepared by the assigned MSA(s) with assistance from SMSU (SMSU) for submission to company. No changes shall be made to the procedures and in the plan or equipment and implemented unless approved by the DA. 2.7 Submission On satisfactory completion of plan and reports, either preliminary or final, SMSU shall forward them to the company attention to PASO/PFSO.

SCM Research, Development and Planning Unit Page 6 of 7

3 DOCUMENTATION 3.1 Archiving As a minimum requirement, the following copies would be retained securely in MSU office. (a) Working checklists (b) PASP/PFSP title page (c) PASP/PFSP index page (d) Revision history of the PASP/PFSP 3.2 Confidentiality In order to maintain and control authenticity and unauthorised changes, it is recommended that each page of the PASP/PFSP should be stamped and initialled by PASO/PFSO, on completion of final plan. SCM shall stamp “CONFIDENTIAL” and seal the entire postal document. 4.0 REFERENCE · International Ship and Port Facility Security Code 2003 Edition, International Maritime Organization · SOLAS Amendment 2003, International Maritime Organisation · Code of Practice On Security in Ports, Geneva 2003, International Labor Organization and International

Maritime Organisation · Implementation Guidelines, Malaysia Marine Department

SCM Research, Development and Planning Unit Page 7 of 7

Appendix I SCM Port Security Assessment, Security Plan Development, Security Plan Implementation and Security Plan Audit Verification Process Responsibilities Reference

Order request from PFO/PA

Confirmed order request (Quotation if necessary)

Assign MSA (s)

Conduct Port Assessment (PASA/PFSA)

Develop PASP/PFSP

Assist PASP/PFSP Implementation

Assist PASP/PFSP Audit

DA conduct verification

SMSU HMSU HMSU MSA MSA MSA MSA

Letter from owner or SCM application form Letter of confirmation from SCM with fee if necessary SCM PASA/PFSA checklist SCM to revise PASA/PFSA based on input from DA and if necessary perform re-assessment HMSU to verify draft report SCM PASP/PFSP report template SCM to revise PASP/PFSP based on the input from approval comment and if necessary perform re-assessment PFO/PA to re-implement PFO/PA to perform preventive and corrective action if any

START

END

PASO/PFSO submit PASP/PFSP to DA for approval

PASO/PFSO submit PASA/PFSA to DA for Approval

NO

NO

NO

NO

Correct

Correct

Correct

Correct

DA issue Statement of Compliance

YES NO

YES

YES

YES

YES