Asset and Business Security Practice 1

Asset and Business Security



Scope

The purpose of TVA’s Asset and Business Security Program is to define responsibilities and accountabilities for protection of assets, property, and people. The Asset and Business Security program is of the utmost importance to TVA operations and is performed to ensure (1) protection of TVA’s critical infrastructure, (2) preparedness for natural and technological disasters, and intentional acts, and (3) compliance with regulatory requirements and industry standards related to security.


The Asset and Business Security program covers physical asset protection and security for all TVA properties and people. TVA properties include all TVA facilities and assets, whether owned or leased. People include all members of the workforce (TVA employees, contractors), tenants, retirees, visitors, and the public on TVA property. The program includes responsibilities and supporting programs and processes necessary to deter, prevent, prepare for, and respond to destruction of or damage to facilities, critical infrastructure, property, or equipment; theft of or damage to equipment, materials, or information; threat or harm to the welfare of workforce personnel or the public; and other threats to operations identified by law enforcement and homeland security. In addition to the Asset and Business Security program managed by the TVA Police (TVAP), other organizations provide the following:


  • Nuclear Power Group (NPG) provides nuclear security as required by the Nuclear Regulatory Commission (NRC).
  • Information Services provides cyber security (reference TVA Practices and Procedures, Information Technology Procedure 1, “Information Technology”).
  • The Chief Financial Officer (CFO) organization chairs the Enterprise Risk Council which integrates risk identification, assessment, and management. The Council includes three TVA Risk Committees: Financial, Operations, and Strategic.
  • Facilities Management oversees TVA-SPP-14.1, “TVA Hazardous Materials Transportation Security Plan,” designed to meet DOT requirements.
  • TVA’s Strategic Business Units (SBUs) are responsible for the processes associated with preventing, reducing, responding to, and recovering from destruction, damage, and disruption of operations.
  • Office of Environment and Research oversees TVA Environmental Management Procedure 10, “Environmental Emergency Preparedness and Response Process,” in accordance with oversight from the Environmental Protection Agency.
  • River Operations is responsible for dam safety emergency preparedness and response in accordance with oversight from the Federal Emergency Management Agency’s Federal Guidelines for Dam Safety.





Procedure

Operations

The Asset and Business Security program managed by TVAP includes the following processes: prevent, protect, prepare, and respond. In a collaborative role with SBUs, specific operations carried out by TVA Police for each of these process areas are:



Prevent

Intelligence activities - Receive, review, and analyze intelligence information from a variety of sources (DHS, FBI, etc.) for relevancy to TVA operations and disseminate applicable threat information to BUs. Evaluation of threats and appropriate recommendations are made to the Senior Management Executive who is part of the Agency Coordination Center (ACC) concerning activation of the Agency Emergency Response Plan (AERP).


Access control - Manage authorization and authentication of credentials issued to individuals who are granted physical access to facilities. Monitor physical access to facilities and assets to prevent unauthorized access, damage, and interference to premises, equipment, systems, material, and information.


Investigations and law enforcement - Investigate administrative, criminal, or civil acts to determine appropriate administrative or prosecutorial action to be taken.


Screening people - Conduct background investigations to determine suitability for employees and contractors (both initially and ongoing). Mitigate the “insider” threat by assuring that only trustworthy and reliable personnel are employed and granted the clearances needed for their duties and responsibilities, to help prevent or deter potential threats to assets and security, including classified information.


Security planning and risk mitigation - In a collaborative role with SBUs, establish standards for physical security countermeasures and provide project management for implementation, including funding requests, project approval, project management oversight, and cost control.




Protect

Asset classification and control - In coordination with the Critical Security Review Team, identify and prioritize assets and develop appropriate protection standards and plans.


Assess vulnerabilities - Apply a risk assessment methodology to prioritize assets, identify internal and external threats and vulnerabilities, prioritize risks, and prioritize countermeasures to mitigate threats, risks, and losses in coordination with SBUs.


Security countermeasures - Based on vulnerability assessments and asset classifications, determine and recommend the most cost-effective physical security countermeasures in a collaborative role. Request funding for and provide project management oversight for implementation of physical security countermeasures to protect assets and related supporting infrastructure against threats.


Protect critical infrastructure, assets, property, and people - Provide 24/7 facility/security patrols and monitoring at TVA facilities to prevent, detect, deter, and mitigate threats and unwanted or criminal acts. Patrols and other protection measures are performed based on the Homeland Security Advisory System, the Department of Homeland Security’s color-coded threat level system.




Prepare

Contingency planning - Coordinate planning efforts to ensure (1) agency-wide capability to respond to emergencies or threats that would require integrated agency action, and (2) the continued performance of essential agency functions when normal operations are disrupted by emergencies.


Communications - Serve as TVA’s liaison with the Department of Homeland Security, Office of Personnel Management, Emergency Management Agencies, Federal Bureau of Investigation (FBI), local law enforcement agencies, and others, for TVA’s Asset and Business Security program. Assist NPG, Information Services, River Operations, and CFO as needed for nuclear, cyber, dam safety, and financial protection. TVAP is responsible for communicating and advising on additional precautions that should be taken based on changes in the Homeland Security Advisory System threat level.


Mutual Aid - Develop, manage, and implement law enforcement and homeland security mutual aid agreements with other local, state, and federal agencies to ensure adequate response to incidents.




Respond

Incident management and response - Assess and investigate incidents and provide assistance for SBUs and BUs in the role of a first responder and in support of other first responders. Coordinate response with the local FBI office and other law enforcement agencies as necessary. Coordinate with other first responders and emergency management agencies and, when not the responsible party, participate in incident management organizations as directed by the responsible party. This is in keeping with the National Incident Management System.


Emergency management and preparedness - Coordinate development and execution of TVAP emergency plans to respond to and recover from a "spectrum of threats or events," both natural and manmade, to ensure prompt resumption of business and operations.


Knoxville Emergency Operations Center (KEOC) - Oversee management and operations of the KEOC.





Solution Development and Deployment

Security Policies and Procedures - Provide strategic direction and management support for TVA asset and business security using physical security countermeasures that meet industry standards necessary to support TVA’s business needs.


Electronic Access Control System - Provide an electronic access control system to limit access to TVA properties, including account management of access privileges for employees, contractors, retirees, tenants, visitors, and the public.


Video Surveillance - Assist SBUs and BUs in providing video surveillance of critical TVA assets.


Compliance - Provide reviews of legislation (with OGC) for applicability to TVA’s asset and business security program. Recommend compliance actions needed to avoid breaches of statutory, regulatory, contractual, and procedural security requirements. Perform assessments and reviews to ensure TVA’s ongoing compliance with legislation and conformance to standards, best practices, and guidelines. Provide reporting as necessary related to physical security and law enforcement.


Training - Develop and provide physical security awareness training for employee and contractor workforces. Deliver training to BUs as requested and required (e.g., CPR, First Aid, Boating Safety).


National Incident Management System (NIMS) - Oversee agency implementation and compliance with NIMS.






Roles and Responsibilities

  • The Chief Executive Officer has delegated responsibility for management and oversight of certain corporate-wide functions to the Chief Administrative Officer and Executive Vice President (EVP), Administrative Services.


  • The EVP, Administrative Services has assigned the Director, TVAP ownership and oversight of TVA’s Asset and Business Security program and delivery of its products and services. The ownership and oversight roles include maintaining law and order and protecting persons and property on any lands or facilities owned or leased by TVA (Reference: TVA Act, Section 4a).


  • Strategic Business Units (SBUs) and Business Units (BUs) work with TVAP in a collaborative effort in search of solutions to improve asset and business security. SBUs/BUs determine compliance with and implementation of the Asset and Business Security Program. Decisions related to physical security should be coordinated with TVAP and should conform to the physical security standards.


  • The Critical Security Review Team (CSRT) is chaired by TVAP and consists of SBU subject matter experts with responsibility for:


  1. Periodically reviewing and prioritizing the list of agency key/critical assets.
  2. Approving the TVA Security Threat Matrix.
  3. Reviewing and recommending the priority of security projects.






Definitions

Access control - A security countermeasure used to provide physical protection for assets and people. It includes the process of granting or denying privilege requests to enter specific physical facilities (metro facilities, fossil plants, tenant space, etc.).


Agency Coordination Center (ACC) - ACC is established as the physical location for representatives from various organizations to interface when the magnitude of an emergency indicates the need for overall coordination.


Agency Emergency Response Plan (AERP) - The AERP outlines TVA-wide response to more immediate, real-time emergencies or threats that would require integrated agency action. Organizations across TVA have designated individuals with roles and responsibilities in the overall AERP.


Assessment - Assess needs and vulnerabilities, identify and communicate security risks along with appropriate solutions.


Assets - Any real or personal property, tangible or intangible, that TVA owns that can be given or assigned a monetary value. Intangible property includes things such as goodwill, proprietary information, and related property. People are also considered assets.


Awareness - Identify and understand threats, determine potential impacts, and disseminate timely information to TVA business units (BUs) regarding asset and business security.


Background Investigation - Investigation designed to determine an applicant's reliability and trustworthiness for purposes of issuing government credentials and granting access privileges to TVA facilities. Investigations are performed in accordance with TVA's Personnel Security Policy.


Business Unit - A subdivision of a strategic business unit, sometimes referred to as departments.


CEO - Chief Executive Officer.


Contractor - An individual that performs work for and/or provides services to TVA and who is not a TVA employee or volunteer.


COO - Chief Operating Officer.


Countermeasure - Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of assets to maintain reliability or reduce risk. Countermeasures include but are not limited to fences, gates, video surveillance, alarm systems, patrols, motion detectors, adequate lighting, vehicle barriers, security awareness, access control, signage, etc.


Credential - The process of authoritatively binding an identity to an individual with the subsequent authorized issuance of a physical artifact (identity card, smart card, etc.) that contains stored identity credentials so that the claimed identity of the cardholder can be verified against the stored credentials. Credentials authenticate individuals who require access to TVA-controlled facilities.


Critical Facility/Asset - Any facility, system, equipment, or combination of facilities that, if severely damaged or destroyed or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the energy grid, or would cause significant risk to public health and safety.


Critical Security Review Team - A team chaired by TVAP and consisting of SBU subject matter experts with responsibility for reviewing and prioritizing assets and projects and approving the TVA Security Matrix.


Federal Bureau of Investigation - The FBI is the investigative area of the United States Department of Justice.


First Responder - Those individuals who in the early stages of an incident are responsible for the protection and preservation of life, property, evidence, and the environment.


Homeland Security Advisory System - A color-coded threat level system used by the Department of Homeland Security (DHS) to communicate with public safety officials and the public at large so that protective measures can be implemented to reduce the likelihood or impact of an attack. The system can place specific geographic regions or industry sectors on a higher alert status than other regions or industries, based on specific threat information. TVA’s security posture changes in response to changes in the DHS security threat level.


Color Code   Threat Level
Red          Severe - Severe risk of terrorist attacks
Orange       High - High risk of terrorist attacks
Yellow       Elevated - Significant risk of terrorist attacks
Blue         Guarded - General risk of terrorist attacks
Green        Low - Low risk of terrorist attacks


Incident - An actual or potential event that necessitates a response from TVAP. Examples include assisting BUs during response to storm damage, vehicle accidents, serious accident team participation, theft investigations, etc.


Mutual Aid - The agreement to provide reciprocal assistance to other law enforcement agencies, emergency management agencies, etc.


NIMS - A standardized management approach that unifies federal, state, and local lines of government and other emergency responders for incident response, as defined by HSPD-5, “Management of Domestic Incidents.”


OGC - TVA’s Office of the General Counsel.


Prevent - Detect, delay, deter, and mitigate threats to people and property. Implement measures and actions to avoid or reduce likelihood or impact of incidents and threats to protect lives and property.


Protect - Augment defenses and use protective measures to reduce vulnerabilities; safeguard people, critical infrastructure, and property; and mitigate or neutralize economic and human loss from unwanted or criminal acts, natural disasters, emergencies, or other incidents.


Prepare - Develop, coordinate, and execute emergency management plans to save lives, protect assets, and ensure continuity of essential functions.


Respond - Lead, manage, and coordinate TVA’s response to criminal and civil acts, natural disasters, or other emergencies to reduce or eliminate risks to persons and property or to lessen the actual or potential effects or consequences of an incident, in conjunction with other programs in TVA.


Risk - Product of threat, vulnerability, consequence and likelihood of occurrence.


Risk Assessment - The process of identifying threats to agency assets or people by determining the probability of occurrence, predicting the resulting impact, and establishing countermeasures that would mitigate an adversarial impact.


Risk Assessment Methodology (RAM) - Standards used to perform risk assessments. Examples include RAM-D (Dams) and RAM-T (Electrical Utility Transmission Systems).


Strategic Business Unit (SBU) - A TVA organization that reports to the COO or CEO.


Supplier - A firm that provides goods or services to TVA. In providing services, some suppliers employ contractors to perform work for TVA.


Tenant - Companies or entities that lease or sublease TVA-owned or -leased properties.


Threat - An intent of damage or injury; an indication of something impending with the potential to adversely impact agency operations or assets.


Threat Level - Department of Homeland Security’s Advisory System relating to threats associated with terrorist attacks.


Trustworthiness - Security decision made following an investigation to determine and confirm suitability for employment or issuance of federal clearance.


TVA Security Matrix - The matrix provides descriptions of security measure requirements for various activities and operations. It defines security measures ranging from those that are the norm for TVA during times of little or no threat to those that must be taken following an attack or event. It defines the authorities and responsibilities for deciding to change threat levels and for modifying the implementation of security measures within a given level, for a given activity or operation.


Visitor - Person with a business need or recreational right to be on TVA property, including the public.


Vulnerability - An exploitable capability; an exploitable security weakness or deficiency at a facility, entity, venue, or of a person.


Vulnerability Assessment - See Risk Assessment Methodology.





Resources

Governance

  • Archeological Resource Protection Act of 1979
  • Department of Justice Law Enforcement Guidelines, dated September 7, 1995
  • Executive Orders
    - Executive Order 10450 - “Security Requirements for Government Employees”
    - Executive Order 12656 - “Assignment of Emergency Preparedness Responsibilities”
    - Executive Order 12958 - “Classified National Security Information”
    - Executive Order 12968 - “Access to Classified Information”
  • Federal Identity Management Handbook, U. S. General Services Administration, March 2005
  • Federal Information Processing Standards Publication (FIPS) 201-1, “Personal Identity Verification (PIV) for Federal Employees and Contractors,” June 2006
  • Homeland Security Presidential Directives
  • Maritime Transportation Security Act of 2002 (MARSEC)
  • National Electric Reliability Council (NERC) Standards
  • Office of Personnel Management Guidelines for Security Clearances
  • Office of Management and Budget Circulars
  • “Privacy Act of 1974,” U. S. Public Law 93-579, 1974
  • “TVA Act,” Section 4a


Standards

  • American Society of Industrial Security (ASIS)
  • National Fire Protection Association (NFPA)
  • Sandia National Laboratories Security Risk Assessment Methodologies
  • TVA Personnel Security Policy


Contacts

  • Communications Centers
    - Knoxville: 1-800-824-3861 or 865-632-3631
    - Muscle Shoals (includes Chattanooga): 1-800-839-0003 or 256-386-2444
    - Buchanan, Tennessee (includes Nashville): 1-800-839-0028 or 731-644-9911
  • email: TVA Police@tva.gov






Revision History

Effective Date: 12/20/2007

Revision: 001