Preparing for the worst
Her Majesty’s government is perceived by many terrorist groups as an attractive and ‘legitimate’ target. It is therefore of critical importance that Departments meet the obligations outlined in the recently published Security Policy Framework.
Individual departments and agencies are responsible for managing their assets – information, personnel and physical. This includes reducing risk from terrorist attack to as low a level as is reasonably practicable. Here it is important to recognise that the visible level of security is a factor in terrorist targeting. Departments have legal obligations to protect employees and visitors, and they must have in place physical security measures, proportionate to the threat and the assets to be protected. Contingency arrangements (which CTB will examine in the next issue) to facilitate the quick resumption of vital services are also essential.
Risk management
Departments must employ a risk management approach to counter-terrorism protective security, although it is recognised that for certain areas (such as the protection of nuclear weapons and nuclear materials) CT security policy will be intentionally more prescriptive. It should be noted that CT measures are likely to complement other security measures and therefore should be considered in conjunction with general protective security risk management. However, there are some very specific baseline CT measures that all departments must take.
Risk categories and threat levels
Government establishments fall into three risk categories according to the likelihood of being a target of a terrorist attack. These risk categories are HIGH, MODERATE, and LOW. Threat Levels are designed to give a broad indication of the likelihood of a terrorist attack. The Threat Levels are LOW, MODERATE, SUBSTANTIAL, SEVERE and CRITICAL. The five levels reflect an assessment of probability of attack based on an analysis of terrorists’ intentions, targeting priorities, capabilities and any evidence of current planning and timescales.
If an establishment is identified as being at immediate threat, the police and security authorities will inform the department and may take control of the scene. This can be either pre or post-incident depending on circumstances and may require careful handling to avoid compromising intelligence. In order to ensure departments have current information on the terrorist threat, the Centre for the Protection of the National Infrastructure (CPNI) and Cabinet Office Government Security Secretariat (COGSS) produce regular threat updates, some of which can only be seen on a ‘need to know’ basis.
Government Estate Response Level system
The Cabinet Office operates a system of response giving departments a broad indication of the level of protective security readiness required at any one time. The Response Level is informed by the level of threat as well as specific assessments of vulnerability and risk to HMG but Response Levels tend to relate to sites, whereas Threat Levels usually relate to broad areas of activity. The three Response Levels are: NORMAL, HEIGHTENED and EXCEPTIONAL.
Precise measures adopted for each individual site and at each Response Level are the responsibility of Departmental Security Officers (DSOs) in consultation with CPNI and specialist counter-terrorist Security Advisers, and must form part of CT planning. Measures are likely to include restricting access, increasing patrols and the frequency of bag searching. A more detailed description of incremental security measures is set out in the supplementary material within the framework.
Department security officers must ensure that the department and its agencies have baseline counter-terrorist physical security measures and counter-terrorist incremental security measures in place at each Response Level. Further, at each Response Level, DSOs must ensure that the identified counter-terrorist incremental security measures are applied.
Counter-Terrorist protective security policy and plans
Departments are best placed to assess the risks they face, and must develop their own security policies in line with the Framework. This must include an overarching counter-terrorist protective security policy providing management direction for the department’s CT effort.
Departments must produce counter-terrorist contingency plans setting out the appropriate procedures to be followed in the event of an incident or imminent terrorist threat. CT contingency plans should be developed in accordance with national security authorities’ advice and in consultation with local emergency services and should form part of departmental business continuity plans.
Protective security measures
The framework provides detailed policy and guidance on all aspects of protective security and DSOs must refer to these when developing CT policies and plans, but in broad terms they need to ensure:
Physical security – that establishments (both new construction and existing), including non-government establishments which sustain HMG business, such as data centres, are suitably robust and offer an appropriate degree of protection against attack and hostile interest. Considerations may include protected spaces, glazing, stand-off, barriers, CCTV, public areas, internal communications, signage, Perimeter Intrusion Detection systems (PIDs), access points and control, building services (e.g. ventilation inlets) and parking areas.
Personnel security – there is adequate protection for all staff, as well as personal protection arrangements required for high-threat personnel such as ministers and VIPs. National Security Vetting is a core element of ensuring trusted individuals are employed in sensitive posts. The Counter-Terrorist Check (CTC) plays an important part in CT vetting measures but other aspects of personnel security must be considered equally important, such as the Baseline Personnel Security Standard (BPSS) and ongoing personnel security management.
Information security – that all ICT systems, as part of the formal ICT accreditation process, consider and mitigate potential physical and electronic terrorist attack.
Testing CT arrangements
Testing and exercises are essential elements in providing assurance – they ensure that staff are well versed in procedure, that equipment and communications are functioning and adequate and that arrangements with external bodies (e.g. emergency services, contractors, suppliers) are effective. They also provide an opportunity to identify and address problem areas. The testing of CT plans is also essential.
Further information:
Full Framework Document
The full framework document is available from www.cabinetoffice.gov.uk
CONTEST strategy
CONTEST is the government’s strategy for reducing the risk from International terrorism. It is available at
www.security.homeoffice.gov.uk/counter-terrorismstrategy/about-the-strategy1/#
Centre for the Protection of the National Infrastructure (CPNI)
www.cpni.gov.uk
digital issue