API-780: Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries

Introduction

 API developed the security risk assessment (SRA) methodology (API 780 Standard) as a universal approach for assessing security risk in the petroleum and petrochemical industries. The information contained herein has been developed in cooperation with government and industry and is intended to help oil and gas companies, petroleum refiners, pipeline operators, petrochemical manufacturers, and other segments of the petroleum industry or other similar industries maintain and strengthen their corporate security through a structured and standardized SRA methodology. This course contains a standard methodology and guidance for use including examples.

This course describes a methodology that can be applied to a broad range of assets and operations beyond the typical operating facilities of the industry. This includes other assets containing hazardous materials such as chemical, refining, and petrochemical manufacturing operations, pipelines, and transportation operations including truck, marine, and rail. It also can be used for a wide variety of non-hydrocarbon types of assets and is applicable as a general purpose SRA methodology. The methodology is suitable for assisting with compliance with regulations, such as the U.S. Department of Homeland Security’s Chemical Facility Anti-terrorism Standards, 6 CFR Part 27.

Objectives

Upon the successful completion of this course, each participant will be able to:-

• Get certified as a “Certified Security Risk Assessor (SRA)”
• Define the terms, acronyms, abbreviations, and symbols of security risk assessment
• Discuss general concepts of SRA covering security risk assessment and security management principles, risk definition for SRA and key variables, likelihood, consequences, threat, attractiveness, and vulnerability
• Apply SRA approach including the concept and relationship to the security risk management process, conducting and reviewing the SRA, validation and prioritization of risks and risk-based screening
• Employ proper planning in conducting SRA as well as gather, review and integrate information
• Identify the sources of information and the information needs
• Locate, collect and review the required information
• Analyze previous incidents and conduct a site inspection
• Gather threat information using the various steps of API SRA
• Recognize forms and worksheets, SRA supporting data requirements and various examples of the SRA process 

Training Methodology

This course relies on the use of individual and group exercises aimed at helping participants learn all key characteristics. There will be open question and answer sessions, regular group exercises and activities, videos, case studies, and presentations on best practices. Participants will have the opportunity to share with the facilitator and other participants what works well and not so well for them, as well as work on issues from their own organizations. 

Who Should Attend?

This course provides an overview of all significant aspects and considerations of security risk assessment for those who are involved in physical and cyber security, facility and process design and operations, safety, logistics, emergency response, management, and other disciplines as necessary.

Course Outline

Day 1: Introduction

• Scope
• Sequential Activities
• Normative References
• Terms, Definitions, Acronyms, Abbreviations & Symbols

API-780 SRA Concepts

• General
• Security Risk Assessment & Security Management Principles
• Risk Definitions for SRA & Key Variables
• Likelihood (L)
• Consequences (C)
• Threat (T) Attractiveness (A)
• Vulnerability (V)
• Locating Required Information
• Information Collection & Review
• Concept & Relationship to Security Risk Management Process

HCIS New Security, Directives & Process

Day 2: API-780 SRA Approach  

• Validation & Prioritization of Risks Conducting & Reviewing the SRA
• Risk-based Screening
• Planning for Conducting a SRA
• SRA Team
• SRA Objectives & Scope
• Information Gathering, Review & Integration
• Sources of Information
• Identifying Information Needs
• Locating Required Information
•  Information Collection & Review

API-780 Practical Hands-on Real Exercise

• API-780 SRA Approach Characterization
• Threat Assessment
• Vulnerability Assessment
• Risk Analysis/Ranking
• Identify Countermeasures

Day 3: API-780 Forms & Worksheets

• Characterization Form
• Threat Assessment Form
• Attractiveness Form
• Vulnerability Analysis & Risk Assessment Form
• Recommendation Form
• Residual Risk Based on Implementation of All Proposed Countermeasures
• Countermeasure Risk Score & Priority Form

Day 4: Countermeasure Risk Score & Priority Form

• Checklist Access Control, Security Force, Intrusion Detection, Perimeter and Building Barriers, Etc.

Information, Computers, Network & Intellectual Property Security

QRA Quantitative Risk Assessment Worked Real Onsite Case

Using Software to Collect & Update Risk Register

Day 5: Reviewing Worked Examples against HCIS Requirements

• Setting the Road Map, Plan for Completing Comprehensive SRA
• SRA Supporting Data Requirements, Meeting, Interviews, Etc.
• Security Situation Report & Recommendation for Capacity Build Up
• Competency Exam