
Security

Guidelines

OMV-EP Guidelines

Security

HSEQ-HQ-06-10-00

Prepared by: Date 6 May 2005

Peter E Neal, Senior HSEQ Advisor

Approved by: Date 6 May 2005

Rod Ritchie, Head of EP-HSEQ

Exploration & Production, HSEQ, Vienna Page 1 of 37



Contents

1. Scope and Application
2. Cross References
3. Management Responsibilities
4. Definitions
   Facilities
   Adversary
   Attractiveness of Target
   Security Risk
5. Procedure
   5.1 Country Briefing Notes
   5.2 Personal Conduct
       General
       Preparation and Planning
   5.3 Facilities
       Security Risk Assessment
       Design, Installation and Maintenance
       Perimeter Security
       Access Control
       Internal Physical Security
       Security Guards
       ‘Key’ Controls
       Ships and Ports
       Information Security
       Emergency Response (ER)
       Training and Briefings
       Audit
6. Record of Revisions

APPENDIX A – Additional Personal Security Guidance
   Driving
   Hotels
   At the Airport
   Onboard the Aircraft
   Hijacking Survival Guidelines
   Arrested – What Next?
   Residential Security
   Residential Fire Safety
   Security for Children
   Letter and Parcel Bombs

APPENDIX B – Risk Assessment
   Risk Assessment Team
   Security Risk Level (SRL)
   Severity (S)
   Difficulty of Attack (D)
   Attractiveness of Target (AT)
   Risk Reduction Measures
   Scenarios

APPENDIX C – Aviation Operations


1. SCOPE AND APPLICATION


These guidelines apply to all activities of the Exploration and Production Division. This
guideline supports Security Standard EP-HSEQ document no HSEQ-HQ-06-09 latest
revision. The purpose of the standard is as follows:
• To set security standards for travellers and expatriates
• To set security standards for facilities
• To identify, evaluate and manage security risk
• To improve security performance within OMV
• To protect people, environment and communities
• To minimise losses and protect assets

The following business areas and risks are excluded from the standard and this guideline:
• Fraud
• Mine fields and unexploded ordnance
• Fire
• IT security

Reference to OMV in these guidelines means OMV E&P, its subsidiaries and contractors.

This document lists security guidance in Section 5.0 and has three main sections:
• Country briefing notes – to ensure all persons working in the country (but especially
  targeted at visitors and expatriates) are aware of basic information to minimise
  settling-in problems and ensure a quick familiarisation with the country.
• Personal conduct – to ensure individuals can pro-actively avoid problems and
  understand what to do when involved in a security incident.
• Facilities – to ensure each venture has carried out an overall facility specific security
  risk assessment and then evaluates credible scenarios to confirm in more detail how
  effective their controls are.

The most common security threat we face is crime. Terrorism and armed insurrection are
real threats, but the probability of becoming a victim of them is small compared to crime.
Appendix A contains comprehensive guidance on personal security, most of which is focused
on reducing the likelihood that individuals will become victims of crime.

Appendix B provides a security risk assessment methodology. All facilities are required to
have a security risk assessment. Each facility is assessed individually and this allows an
optimisation of risk management alternatives.

Measures to control risks are usually a combination of systems and procedures, and
‘hardware’ solutions (e.g. fences, floodlights, alarms). Hardware solutions will, in most cases,
be purchased from companies specialising in these products. However, for high-risk
situations specialist contracted expertise may be required to prepare detailed
technical/engineering specifications as part of the procurement process.

There may be situations where facilities are not owned by OMV. For example, offices and
expatriate accommodation are often leased/rented and shared with other tenants. It is
important that a security risk assessment is completed before entering into a contract to
ensure that the right level of security is negotiated into the terms and conditions. For existing
contracts, the same principles apply and line managers are advised to carry out a full risk
assessment and, where necessary, renegotiate the contracts.

2. CROSS REFERENCES
Security Standard, EP-HSEQ document no HSEQ-HQ-06-09 latest revision
Security Forces, EP-HSEQ document no HSEQ-HQ-06-05 latest revision
International Ship and Port Facility Security Code and SOLAS Amendments 2002, ISBN
9280151495, published by International Maritime Organisation 2003
Guidelines for analysing and managing the security vulnerabilities of fixed chemical sites,
ISBN 081690877X, published by American Institute of Chemical Engineers 2002

3. MANAGEMENT RESPONSIBILITIES
Line managers are responsible for implementing these guidelines.

4. DEFINITIONS
Facilities
For the purpose of this standard a facility can mean any of the following:
• Residential accommodation [1] used by OMV employees, contractors and their friends
  and families
• Site accommodation
• Office accommodation
• Warehouse or storage area
• Air landing strips and heliports
• Aircraft hangars and vehicle garages
• Geophysical survey camps
• Drilling and well sites
• Production or processing plants including gathering stations
• Water/effluent treatment plants
• Pipelines
• Offshore platforms (fixed or mobile) including storage vessels
• Offshore mooring and offloading facilities
• Mobile offshore drilling units
• Ships
• Port and bunkering facilities

The scope of a ‘facility’ includes any car park, safety zone, standoff area, muster area
whether fenced or not, and also areas where the public has no right of access.

[1] This applies to expatriates who are seconded overseas.

Adversary
Adversary - the collective name to describe criminals and terrorists. They are persons who
intend to cause harm. Adversaries may be categorised as originating from three general
areas:
• Insiders
• Outsiders
• Insiders working in collusion with outsiders

Criminal – person(s) who engage in illegal activities for personal gain or satisfaction.
For example: robbery, assault, product theft from pipeline/storage, vandalism.

Terrorist – person(s) with extreme religious, ethnic, political or social agendas who use
force or violence to achieve their objectives. For example: bombs, hijack, hostage taking,
disruption to operations.


Attractiveness of Target
Not all targets are of equal value to adversaries. Attractiveness of target (AT) is an estimate
of the real or perceived value of a target to an adversary based on such factors as shown in
Table 1 below:

Table No 1 - Possible Target Attractiveness Factors (AT)

• Poor community relations
• Extreme rich/poor polarisation
• Association with human rights abuses
• High value items e.g. laptops, cash, jewellery, precious metals
• Drugs in clinics, weapons, ammunition
• Hazardous inventories e.g. explosives, radioactive sources
• Potential for large casualties / fatalities
• Extensive property/asset damage
• Partnership with unpopular government
• Facilities shared or adjacent to ‘attractive’ target
• Proximity to national asset or landmark
• Disruption or damage to company critical infrastructure
• Disruption of the national, regional, local economy infrastructure
• Ease of access to the target
• Extent of media interest
• Company reputation and brand exposure
• Iconic or symbolic target

Attractiveness of target (AT) is the most important predictor of security risk. It can be used at
an early stage to screen and risk-rank facilities.


Security Risk
The broad definition [2] of HSE risk is:

The product of the chance that a specified undesirable event will occur and the severity
of the consequences of the event

The consequences of the event are usually described in terms of the impact on people,
environment, assets or reputation. In general, this HSE definition is applicable to security
risk.

Although security risk is similar to HSE risk, it does differ in a number of significant ways.
This difference is important for the management of risk and the evaluation of security systems.
The differences are as follows:
• The initiating event for an HSE risk is accidental (but considered preventable)
• HSE risks can be calculated numerically using historical databases based on
  structured incident records, maintenance data, component reliability testing/history
  and consequence modelling. There is no established methodology for quantifying
  security risk
• Security incidents are intentional, and not accidental
• Security risks may have consequences not directly linked to the original initiating
  event. For example, theft of ammunition, toxic chemicals or radioactive sources may
  be carried out for use at a later date
• The consequences of security risks from terrorists are primarily connected to
  maximising publicity, media attention or shock value. This is done through the
  surrogate ‘success’ measures of HSE risk impacts of injury to persons, environment,
  asset loss and reputation
• The victims of security risks may or may not be involved in any way with the agenda
  of the adversaries and are almost always innocent victims. They may also be third
  parties
• Security risks are characterised by the attractiveness of the target as a leading risk
  indicator. This is analogous to the likelihood (or chance) that an event will occur in the
  definition of HSE risk.

[2] From Guidelines for the Development and Application of Health, Safety and Environmental
Management Systems, published by E&P Forum (now OGP) July 1994, Report No 6.36/210

5. PROCEDURE
5.1 Country Briefing Notes
Each Venture shall prepare and keep updated a set of country briefing notes that are readily
available for any visitor to that country before the person travels. The briefing notes shall
contain, as a minimum, the following information:
1. The time zone relative to GMT and if daylight saving time is in operation
2. Business and banking hours
3. Brief guide to telephone services
4. Emergency telephone numbers – police, fire, ambulance
5. Emergency contact numbers and names for the in-country venture
6. Addresses and telephone numbers for offices/sites and any ‘safe havens’
7. Embassy or consulate representation for the nationality of the visitor
8. Details of the in-country person tracking register (if relevant) – details of how to
access and register a person
9. Prohibited items – articles that cannot be brought into (or taken out of) the
country, or are not permitted without the appropriate licence or documentation
10. Food and drink – advice on drinking water purity and potential food risks
11. Currency – recommended currency to bring, acceptance of credit cards and
availability of automated cash machines or other sources of cash
12. Detail the main language(s) spoken
13. Brief details of the weather/climate
14. Religions – list the main religions in the country
15. Potential targets for discrimination because of: nationality, race, colour, religion,
ethnic group
16. Women and society – give information on how women are expected to dress and
appropriate cultural information of particular interest to women in general. Include
any special security and safety information for women travellers.
17. Transportation – describe road, rail and air travel and give guidance on safe
travel
18. Explain arrangements for meeting visitors at the airport including back up if one
party is delayed
19. Any special country specific information, such as: common crimes, areas to
avoid, restrictions on photography, natural phenomena (e.g. earthquakes, tropical
storms), hazardous fauna (e.g. scorpions, snakes), prevalence of health risks
(e.g. rabies, HIV AIDS), electrical supply and connection details for portable
equipment (e.g. mobile phones, laptops)
20. Who is responsible (with contact details) for updating and developing the country
briefing notes – this will help ensure that they are up to date and feedback can be
used to improve the notes

5.2 Personal Conduct


All persons travelling on behalf of OMV shall comply with the following standards:
• Review the country and city risk profile as published by Control Risks Group (CRG) [3].
  CRG definitions and risk levels are used to establish consistency. OMV E&P
  subscribes to their online information service, which gives up-to-the-minute
  country and city information. Persons who wish to use this internet web-based
  service (www.crg.com and www.crg-online.com) should contact the EP-HSEQ
  department or the country HSEQ representative for current log-in and password
  access [4]
• Review the relevant travellers' guidance published online by CRG and also
  refer to any country specific guidance issued by their national government.
• Review the OMV country briefing notes issued by the host country and, if required,
  contact the country HSEQ representative or Security Advisor (if available) who can
  arrange a security briefing
• Review the personal conduct advice listed below.

This guidance is primarily targeted at people travelling outside their home countries.
However, many of the issues will be relevant to security when in their normal country of
residence.

General
Personal security is primarily concerned with protection from criminal and terrorist activities.
Whilst physical threats and thefts may be the highest priority, more subtle threats can occur if
a person is involved in compromising or illegal activities, or is just too careless and trusting.
This can leave vulnerable employees open to arrest, blackmail or corruption, or as a
minimum, damage the reputation of the company. Guidelines to minimise these risks are:

• Do not do anything that reflects badly on your personal integrity or professional
  judgement, or that is embarrassing to you or your company
• Do not gossip about business matters, character flaws, emotional relationships,
  marital difficulties of anyone working for your company including yourself
• Do not carry, use or purchase any recreational or illegal drugs. If you are using
  prescribed medication carry a copy of the doctor’s prescription. In some countries
  additional documentation may be required
• Do not let a friendly ambiance and alcohol override your good sense when it comes
  to social drinking – individuals are more vulnerable to indiscretions or attack if they
  have been drinking
• Do not accept drinks from strangers and be careful when leaving drinks unattended.
  This reduces the chance of substances being added to your drink
• Do not engage in ‘black market’ activities such as illegal exchange of currency,
  purchases of religious icons or other cultural artefacts, promiscuous behaviour,
  brewing or consumption of illegal alcohol
• Do not access internet sites that may be considered undesirable by the host country.
  Be aware that any downloaded images or documents on your computer hard drive
  can be accessed and the data may be considered offensive or illegal
• Do not accept or deliver letters, packages or anything else from anyone unknown to
  you
• Do not engage in any type of political or sensitive religious activity
• Do not carry political or sensitive religious documents that could be misconstrued
• Be aware that the host country may perceive some publications as pornographic or
  subversive and illegal
• Do not photograph anything that could be associated with the military, government or
  infrastructure (e.g. ports, airports, bridges, security guards). Some countries are
  sensitive to photos that can be perceived as reflecting badly on their image or
  disrespectful of human dignity (e.g. environmental damage, scenes of poverty,
  undernourished or diseased people, beggars)
• Photographs of oil and gas installations can sometimes be interpreted as
  ‘infrastructure’. When visiting these facilities, always get authorisation from your hosts
  before taking photos – if in doubt keep your camera in its case
• Do not use your mobile phone or other devices to take surreptitious photos/videos.
  Many people find this distasteful and it can be interpreted as illegal or offensive
  behaviour in some countries
• When confronted with a tradition or custom that you have not experienced, be
  cautious about using humour, as it can be interpreted as offensive
• Find out any codes of etiquette for meetings in business and social situations, e.g.
  most women in Islamic countries do not shake hands with men

[3] CRG is an international specialist business risk consultancy that prepares and regularly
updates country and city security risk profiles. OMV subscribes to their online business service.
[4] Log-in and password details change periodically, hence, they are not detailed in this standard

Preparation and Planning


• Do not publicise your travel plans, but limit that knowledge to those that need to
  know. Leave an itinerary of your travel schedule, hotel phone number and business
  appointments with your office and with a family member or friend
• Ensure you have consulted a medical doctor and have all necessary inoculations with
  records. Check your medical insurance will cover the specific country/region you will
  be entering
• Take sufficient prescription medicine with you and a copy of the doctor’s note for any
  drugs which may arouse suspicion (e.g. opiates, syringes)
• Wear an alert tag/badge if you have any special medical condition or allergies
• Take copies of your passport and visas and pack one set in your hand luggage and
  one in your checked baggage
• Ensure your passport does not have any country stamps which could cause problems
• Check if there are any import and export restrictions (e.g. currency, cultural, political
  or religious sensitive material)
• Keep a copy of ‘country briefing notes’ – see previous section – with your carry on
  baggage. Read the notes as part of your preparation and ask questions about
  anything you are not sure about. If required, contact the country HSEQ representative
  (or Security Advisor if available) who can arrange a security briefing.
• Carry out some personal research into the country you are visiting. Use the CRG
  website to get more information or purchase a guide/phrase book.

Appendix A provides further personal security guidance including information of more
relevance to expatriates.

5.3 Facilities
These facilities guidelines represent a ‘menu’ of risk control measures. However, each
individual facility shall implement the appropriate security measures based on the results
from the risk assessment. Additional specialised guidance covering aviation operations is
given in Appendix C.

Security Risk Assessment


Each facility shall carry out a security risk assessment to identify and define the
threats against which the facility requires counter-measures. A realistic threat
assessment will help to ensure that security measures are proportionate to the risk
and cost-effective.

The risk assessment should normally be done in two stages. First, a facility based
assessment that calculates the Security Risk Level as an overall risk. Second, a
scenario based assessment that goes into more detail. The scenario-based
assessments may cause a re-evaluation of the overall facility based assessment.

There are four occasions when a security risk assessment is required:


• An initial review of the facility
• When the threat or the activities of the facility change substantially
• After a significant security incident
• Periodically to revalidate the security risk assessment – every two years for
  low risk [5] facilities and annually for all other facilities

The risk assessment shall be documented and carried out by a dedicated risk
assessment team in accordance with the generic methodology detailed in Appendix
B. For new facilities the assessment shall be carried out before entering into any
binding contracts. In particular, at this early stage it is possible to optimise the
location, design and layout of the facility. This can make a major contribution to cost-
effective risk reduction.

Design, Installation and Maintenance


All security systems shall be designed, installed and maintained by companies with
the relevant specialist expertise and by personnel who have the appropriate level of
security clearance for the specific system. Information on the systems that could be
of benefit to an adversary shall be strictly controlled. Factors to be considered:

• Technical specifications prepared by architects/engineers with security
  expertise
• Pre-qualification of potential suppliers
• Minimise the number of perimeter and facility openings consistent with safety
  requirements
• Use of modern technology e.g. digital video surveillance/alarm equipment with
  remote control and wireless data storage
• High quality locks tied to smart card technology on all exterior and restricted
  areas doors for protection and quick change capability in the event of card/key
  loss
• High security windows and where appropriate explosion resistant glass
• Systems should have maintenance and test programs in place to ensure high
  reliability.

[5] Levels of risk are defined in Appendix B using the security risk level

Perimeter Security
Each facility shall have perimeter security to prevent intrusion by unauthorised
persons by land or sea, as appropriate. Perimeter security is the outer layer of a
physical barrier. The layers are (1) the grounds around the facility (2) the perimeter of
buildings (3) Interior rooms/areas within buildings, and (4) contents. Figure 1 below
illustrates these four lines of protection.

[Figure 1 - The Four Lines of Protection. Labels: grounds perimeter protection; building
perimeter protection; space/area protection; object protection]


Physical barriers are important but rarely, if ever, prevent penetration. Fences can be
climbed, walls can be scaled, and a determined adversary can eventually bypass
locked doors and windows. Barriers can deter and delay, and have to be used with other
systems of security to be effective.

The first layer of protection can be very important as a psychological deterrent. If an
adversary views this as highly challenging they will start to assume that inner layers
are equally tough. They are then likely to bypass the facility and look for a ‘softer’
target.

Typical perimeter security methods are:

• Physical barriers against unauthorised access, e.g. fences, razor wire, outer
  raised earth mound as a barrier to small arms fire
• Adequate external lighting around the perimeter and on the approaches to the
  site
• Uniformed and patrolling security guards
• Video surveillance cameras and intruder alarm systems
• Video surveillance cameras and intruder alarm systems are to be monitored
  by trained staff who have been provided with comprehensive procedures on
  the actions to be taken if they detect intruders
• The clearance of trees and bushes that could provide hiding places for
  intruders or could obstruct the view of guards covering the area around the
  site
• Where there is a risk of suicide bomb or ram attack, measures such as
  concrete-block chicanes, retractable barriers or armed-guard reinforced
  guardhouses should be installed on the approach road(s)
• Locating car parks within the perimeter with video surveillance cameras or
  regular patrols, particularly where there are parking spaces reserved for senior
  executives who could be targeted
• In high risk countries using covert surveillance personnel (e.g. disguised as
  gardeners, maintenance personnel, etc) watching for anything unusual or
  suspicious

For offshore installations/ships special measures may be applicable:


• Retractable stairways from the sea landing stage
• Security gate at the stair head from the sea landing stage
• Video surveillance cameras and intruder alarm systems covering the sea
  landing stage and stair head
• Below deck lighting to illuminate the sea landing stage and water surrounding
  the platform
• Ropes, hoses and ladders are to be stowed out of reach and secured when
  not in use


Access Control
Each facility shall have systems and procedures to ensure that only authorised
persons can enter the facility.

• Access points (including vehicle entrances as well as pedestrian doors) are to
  be controlled by trained security staff and/or an electronic access control
  system [6]
• Adequate procedures are to be in place to ensure that only OMV staff,
  appointed contractors and other authorised visitors are given access and,
  where appropriate, are escorted before proceeding onto the site
• Personal identification by receptionists/guards may be adequate for a small
  number of employees. However, above 50 employees, the opportunity for
  error is too great and the use of a badge identification system should be
  considered
• Safeguards must be in place to protect against bypass or forced entry.
• Emergency exits are to be secured in such a manner that they cannot be
  opened from the outside but can be quickly and easily opened from the inside
  in the event of an emergency evacuation
• All other actual or potential access points are to be locked and (depending on
  the local risk assessment) covered by monitoring devices such as video
  surveillance cameras or alarms

[6] Emergency exits must be capable of being opened without keys in the direction of escape

Internal Physical Security

Within each facility, there shall be additional security measures to ensure strict
control of access to sensitive areas.

• Sensitive areas (such as IT equipment rooms, communication buildings, plant
  rooms, operations control rooms and major storage areas) are to be subject to
  additional access control measures to ensure unauthorised persons do not
  enter them
• Other areas that should be controlled are: human resources records, cashier
  offices, medical clinics where drugs are stored, mail rooms
• On operational sites sensitive areas/items requiring enhanced security could
  be: explosive/ammunition stores, radioactive isotopes, diamond drill bits,
  communications equipment, utilities plant, food/drink stores
• Weapons, ammunition, explosives and detonators are to be secured in
  separate two-lock containers, with the keys held by different members of site
  personnel, to minimise the risk of theft or misuse

Security Guards
At those facilities where security guards are used, measures shall be taken to ensure
they are vetted, trained and properly controlled. Where guards are armed, they shall
comply with OMV's commitment to human rights as detailed in Security Forces,
EP-HSEQ document no HSEQ-HQ-06-05 latest revision. Guards may be contracted
directly by OMV or included in the contract package for facilities rented/leased by
OMV. Whatever the commercial arrangement, OMV should use these guidelines to
ensure that the risks are being properly managed.

Security guards must be:


• Checked to ensure there is nothing suspicious in their backgrounds
• Trained in general security duties
• Trained on all systems that they will be required to use (e.g. communications,
video surveillance cameras, intruder alarms, access control system, etc)
• Thoroughly familiar with the layout of the site, with particular regard to
emergency systems, fire-fighting equipment, access points and sensitive
areas
• Provided with comprehensive assignment instructions and emergency
procedures

If the guards are armed, they must also:


• Have more stringent vetting particularly of their psychological stability
• Undergo weapon familiarisation training and range-practice on a regular basis
• Be provided with clear rules of engagement
• Be provided with adequate segregated storage facilities and accounting
procedures for all weapons and ammunition

Strict inventory control of guards’ uniforms and identity documents shall be in place to
prevent adversaries acting in disguise and breaching security

‘Key’ Controls
Each facility shall have procedures and secure key[7] storage to ensure that only
authorised persons have keys for access to external entrances/exits and sensitive
areas.
• Measures are to be taken to ensure that keys to external doors, sensitive
areas and safes/security furniture are issued only to authorised persons
• Keys must be adequately safeguarded and accounted for when not in use
• Procedures shall be in place to replace locks or recode electronic access
software immediately a key is lost, cannot be accounted for or there is a
possibility that an unauthorised copy exists
• Consider replacing critical locks/security codes on a regular basis

Ships and Ports


Ships and ports (including mobile offshore drilling units) shall comply with the
International Ship and Port Facility Security Code[8].

[7] A ‘key’ can be a mechanical piece of equipment or any item with an electronic interface, e.g. swipe
cards, personal identification numbers (PIN), biometric devices
[8] International Ship and Port Facility Security Code and SOLAS Amendments 2002, reference ISBN
9280151495, published by International Maritime Organisation 2003

In essence, the Code takes the approach that ensuring the security of ships and port
facilities is a risk management activity and that to determine what security measures
are appropriate, an assessment of the risks must be made in each particular case.
The purpose of the Code is to provide a standardized, consistent framework for
evaluating and controlling risk.

The Code requires cargo ships over 500 tonne and MODUs[9] to be certified for use in
international waters to comply with the following:
• A designated individual of the shipping company to be responsible for
developing a security program
• A risk based analysis of the security threats to each ship
• A ship specific security plan
• A designated individual on each ship who is responsible for ensuring the
security plan is implemented and is the primary point of contact between the
ship and the Port Facility Security Officer at each port facility the ship uses

For port facilities, the requirements will include:


• Port security risk assessment
• Port facility security plans
• Port facility security officers
• Certain security equipment

In addition the requirements for ships and for port facilities include:
• Monitoring and controlling access
• Monitoring the activities of people and cargo
• Ensuring security communications are readily available

The Code gives very detailed information about what is required to manage ship
and port facility risks. A security specialist with expertise in this area will be able to
provide further guidance.

Information Security
Each facility shall have safeguards and procedures to ensure that sensitive OMV and
partner documents/information cannot be accessed or viewed by unauthorised
persons. Typical controls may include:

• Adequate secure storage furniture on-site
• Archive facilities on or off-site
• A ‘clear-desk’ policy at end of work
• Security classification system for documents/information
• Encrypt sensitive electronic data
• Secure packaging and courier transport for important documents
• Restricting photocopying and printing of sensitive documents
• Accounting procedures for very sensitive documents (e.g. signing out, tracking
registers)
• High security waste disposal procedures

[9] MODU = Mobile offshore drilling unit

Emergency Response (ER)


Each facility shall have procedures to ensure that any credible security incident
identified in the risk assessment has an emergency response plan to safeguard
personnel, the environment, assets and OMV reputation.

For most facilities there should be in place emergency response plans (ERP) that are
based around HSE incident scenarios. In general, security incident scenarios will be
integrated into an overall facility ERP. Specific security incidents that should be
considered (based on the facility risk assessment) for inclusion in the ERP are as
follows:
• Bomb threats
• Suspect vehicles, mail, packages or other items
• Explosions/fires
• Assault with or without weapons (e.g. gun, knife)
• Intruders
• Suicide attack
• Hostage situations
• Siege situations
• Kidnap and ransom
• Major protests and demonstrations against OMV

Training and Briefings


Each facility shall provide training and briefings to personnel on their responsibilities
towards security and the response required in any type of emergency.

Persons working on the facility who have been made aware of the risks and are
constantly vigilant are an important defence against security incidents. Briefings
should be organised for all new starts and personnel with specific security
responsibilities shall be properly trained and regularly assessed to ensure continuing
effectiveness. Mock exercises should be scheduled to test both people and
equipment. After an exercise or security incident a formal review of the response
shall be carried out to improve, where possible, the management of security.

Audit
Each facility shall have their security risk assessments and security control systems
audited by an independent[10] expert security consultant periodically – annually for
high/extreme risk facilities and every two years for medium/low risk facilities.
Temporary or short-term facilities (e.g. geophysical survey camps, drill sites,
construction camps) should be audited immediately before significant activities
commence in high/extreme risk situations, and, at the discretion of the country
General Manager, in low/medium risk situations.

A single person can audit small or low risk facilities. A team with a mix of skills and
experience should audit larger and higher risk facilities. The composition of the team
would be similar to the security risk assessment team, refer Appendix B.

All auditors shall be trained. Actions arising from an audit shall be tracked until
satisfactory close-out

6. RECORD OF REVISIONS
None

[10] EP-HSEQ will provide an approved list of consultants

APPENDIX A – ADDITIONAL PERSONAL SECURITY GUIDANCE
This guidance is additional to that given in Sections 5.1 and 5.2. This appendix is primarily
targeted at people travelling outside their home countries or expatriates. However, many of
the issues will be relevant to security when in their normal country of residence.

Driving
• Plan your journey: check the weather forecast, keep maps in the car in case of
detours, ensure car is regularly serviced and has sufficient fuel
• Travel with a fully charged mobile telephone, keep an emergency kit for breakdowns,
have identification and have contact numbers to arrange rescue
• If you do break down and someone stops to help, do not get out of the car unless you
know them or it is the police. Ask the person offering assistance to stop at the nearest
service station and report your problem
• When in your car, always keep the doors locked and windows closed. Be aware the
most likely time when you will be at risk is when your vehicle is stopped or your speed
is significantly reduced. Typically this will be at stop lights, stop signs, ‘give way’
junctions, accident sites, police/military checkpoints and road works. Be aware -
sometimes these stops are staged by criminals/terrorists as deliberate traps
• Avoid driving through religious processions, political demonstrations or crowds in
general
• When you stop leave ample manoeuvring space between you and the vehicle in front
of you. If suspicious persons approach you, do not roll down the window, but drive
away quickly
• If you are trapped on the road or in a parking area and in trouble, keep the car locked,
and blow the horn to alert others
• If you are followed or harassed by another driver do not stop. Never lead the person
back to your home. Instead, try to find a police station, hotel or public facility. Once
you find a place of safety, do not worry about using a legal parking space. Park as
close as you can and get inside the building fast
• If a car ‘bumps’ into you, be aware this may be a contrived accident. If you are
suspicious, do not stop to exchange information but drive to the nearest service
station or public place to call the police
• Never pick up hitchhikers or give lifts to strangers
• If involved in a car hijack, comply with any requests and keep your hands visible to
minimise any misunderstandings

Hotels
General requirements when selecting a secure hotel room:
• Ask the OMV in-country Venture for a list of recommended hotels or if not available,
use this guideline to specify your requirements with the OMV corporate travel agency

• For travel to countries where OMV does not have a base, consult the Control Risks
Group website (refer Section 5.2 above) to establish the risk profile and use this
guideline to specify your requirements with the OMV corporate travel agency
• If possible try to get a room between the second and sixth floors. Ground and first
floors generally may be more vulnerable to unauthorised entry. Floors above the sixth
floor may be out of reach of fire rescue ladders
• Try to get a room away from elevator landings and stairwells. This is to avoid being
caught by persons exiting the elevator or hiding in the stairwell
• If arriving after 1800 hours ensure that reservations are guaranteed
• If anticipating renting an automobile, request information about parking arrangements
to assess security. Typical risk reduction factors are: controlled and guarded access,
good lighting, video surveillance camera coverage, no dense shrubbery for criminals
to hide in, short walk to hotel

Additional requirements in countries where terrorism is a major concern:


• Hotels with low rise accommodation in private grounds are less attractive targets for
bomb attacks because they reduce the likelihood of causing heavy casualties
• The hotel should be located away from main roads and prestigious government,
commercial or diplomatic buildings
• The hotel should not be identified with any specific local political group or high profile
individual or serve as a venue for local foreign business or diplomatic community
activity
• Well controlled access to the main entrance with obstacles intended to slow vehicles
and restrict unauthorised entry
• Public areas, car parks and grounds should have continuously monitored and
recorded video surveillance cameras
• Uniformed guards should be conspicuous
• Parking underneath the hotel shall not be possible and all service areas shall have
controlled access

When registering and at the hotel:


• Give your company address (but not company name) when registering, not your
home address
• Watch your luggage or get a bellman to look after it in exchange for a hotel luggage
tag
• Be aware of persons in the hotel lobby who may be taking an unusual interest in your
arrival
• Always accept bellman assistance upon check in. Allow the bellman to open the door,
turn lights on, and check the room to ensure that it is vacant and ready for your stay.
Before dismissing the bellman, always inspect the door lock, locks on sliding glass
doors, optical viewer, privacy latch or chain, guest room safes, lock on any
interconnecting door and telephone. If a discrepancy is found request a room change

• Ask where the nearest fire exit is and, to help memorise, walk from your room to the
fire exit stairwell and back.
• All hotel keys, mechanical or electronic card type, are insecure. They can be copied
or employees (room cleaners, maintenance staff, return of laundry) can use them
dishonestly. Keep all valuables in a sealed envelope in the hotel safe - better still, do
not bring expensive jewellery or watches
• Valuable electronic equipment (e.g. camera, laptop computer, handheld computer,
mobile phone) may have to be stored in your room. Keep stored in a locked suitcase
even when you are in the bathroom or visiting the restaurant/bar
• Always use the safety chain and optical viewer before allowing someone into your
room. Meet visitors in the hotel public areas – not in your room
• Whilst sleeping or in the bathroom use the safety chain – hotel staff have master keys
that can override the door lock and sometimes the deadbolt lock
• Commercial and personal documentation should also be secured in a locked
briefcase or suitcase
• Keep your room neat and tidy – this makes it easier to spot if someone has been in
your room and searching your possessions
• Keep your room number confidential. Answer the phone with your name only. At the
bar/restaurant show your room card; do not say the number out loud and do not
display your key. Hand in your key to the receptionist and do not leave it in view on
the counter.
• If you are required to use parking labels in your car make sure they do not indicate
your name or room number
• Thieves often work around hotel ‘relaxation’ areas, as guests tend to lower their
guard. Take care with valuables/briefcases/handbags around the bar, restaurant, gym
or swimming pool

Fire safety in hotels:


• Check where the nearest fire exit is and, to help memorise, walk from your room to
the fire exit stairwell and back. Count the number of doors between your room and
the exit. If there is a fire you may have to crawl to the exit in the dark/smoke
• If you suspect fire, always call the fire service first. Hotel staff have a reputation for not
wanting to disturb their guests and being reluctant to call the fire service. They will send
someone to check if there really is a fire. This will often take valuable time in which
you could be making a safe escape
• If you suspect fire, check your door by tentatively placing the back of your hand on
the door and then on the door handle. If either feels hot do not open the door
• If the door/handle is cool, very carefully open the door a few centimetres and be
prepared to slam it shut quickly. If it appears safe you can leave your room - take your
room key with you – you may have to return to your room for whatever reason during
the emergency. If there is smoke building up, crawl on your hands[11] and knees at low
level where the air is fresher. Do not use the elevator – go to the exit stairwell and
walk to safety
• Most people die in fires from smoke inhalation – be aware of how hazardous this can
be. Cover your mouth/nose with a wet cloth to increase your chances of survival
during the emergency
• If you are trapped in your room call reception and make sure they know you are
waiting to be rescued
• Fill the bath and sink with water, soak towels/blankets and seal openings around the
door and vents to prevent smoke leaking into your room. Cool the door and walls
using water. A door can hold back a fire for over an hour – sufficient time for rescue
• Open a window for fresh air. Do not break the window as you may need to close it
again if smoke starts entering from the outside
• A wet towel swung around the room will help clear the room of smoke
• Stay low, but alert to any signs of rescue from the street or corridor. Let the firemen
know where you are by waving a towel or sheet from the window

[11] Use the back of your hands – if your palm gets burnt it is much more serious and severely limits
your ability to escape e.g. opening doors, climbing ladders, etc.

At the Airport
To reduce the risks of arousing suspicion or becoming an innocent victim of a crime or
terrorist attack the following guidance should be followed:
• In the event of a disturbance of any kind, go in the opposite direction and do not get
involved
• Check in early for your flight to avoid long queues at check in counters – the spare
time can be used for working in the airside business lounge
• After check in go directly through security and customs to the airside section of the
airport. This area tends to be more secure
• Co-operate and be patient with all security staff – they are there to help you and may
have difficulty speaking and understanding the same language as you
• If any conflict arises during the check in and security screening – remain polite and
ask for the supervisor or airline representative
• It is not a good idea to exchange items between bags while waiting in queues for
security or immigration/customs screening
• At all times keep control of luggage/briefcases – never leave unattended or with
zippers/covers open
• Keep a low profile as this will keep any undue attention away from you, for example:
  ◦ Dress casually and do not wear expensive watches or jewellery
  ◦ Luggage tags should have the address concealed
  ◦ Consider removing frequent flyer luggage tags or similar ‘prestige’ indicators
  ◦ Consider removing company logos from luggage
• Have a plan for arrival at your destination airport: onward transportation
arrangements, accommodation booked, country briefing notes readily at hand, and
currency
• Drivers who are meeting new arrivals at the airport should use a display board with
the name of the visitor only – the company name/logo should be used with discretion

Onboard the Aircraft


Risks can also be minimised upon arrival at your destination by ensuring you are mentally
and physically fit during the flight. Good practice for travellers, especially for long haul flights,
is as follows:
• Eat moderately, avoid alcohol, drink plenty of water to avoid the effects of dehydration
• Walk around the cabin and carry out the exercises recommended by airlines to
improve wellbeing and minimise the risk of deep vein thrombosis
• Sleep as much as possible during the flight
• Avoid a demanding schedule upon arrival. Give yourself a chance to adjust to the
surroundings and time zone change

Hijacking Survival Guidelines


Any traveller could become a hostage. The probability of this happening is extremely low
when the number of travellers is compared to the number of people that have actually
become hostages.

The first thing that a traveller should remember is that he or she is not the only one that is
scared and nervous. Everyone involved is in the same emotional state. Fear can lead to
irrational behaviour and set off a defensive state of violence. These guidelines will minimise
the possibility of being selected for special attention by the hijackers and maximise your
survival chances.

There is no set pattern for how a hijacking starts; it may be noisy, with shouting and shooting,
or it may be quiet and methodical with an announcement by a flight crew member. The first
few minutes are crucial in order to stabilise the situation:
• Stay calm, and encourage others around you to do the same
• Remember the hijackers are extremely nervous and are possibly scared
• Comply with the hijackers’ instructions
• If shooting occurs, keep your head down or drop to the floor

Once the takeover of the aircraft has been accomplished, you may be separated by
nationality, race or gender. Your passport may be confiscated, and your hand baggage
ransacked. The aircraft may be diverted to another destination. The hijackers may enter into
a negotiation phase which could last indefinitely. During this phase passengers may be used
as bargaining tools, lives may be threatened, or passengers may be exchanged for food or
fuel. This will be the longest phase of the hijack:
• If you are told to keep your head down or maintain another body position, talk
yourself into relaxing as you may need to stay in that position for some time
• Prepare yourself mentally and physically for a long ordeal – but remember, it will end
• Do not attempt to hide your passport or belongings e.g. mobile phone
• If addressed by the hijackers respond in a regulated tone of voice
• Use your time wisely by observing the characteristics and behaviour of the hijackers,
mentally attach nicknames to each one and notice their dress, facial features and
temperaments

• If you or a nearby passenger are in need of help due to illness or discomfort, ask for
the assistance of a crew member first – do not approach a hijacker unless they have
already given similar assistance to other passengers
• If the hijackers single you out, be responsive but do not volunteer information

The last phase of the hijacking is resolution. This could be by rescue team or through
negotiation. If a hostage rescue team is used, be prepared for noise, chaos, possibly
shooting:
• If you hear shots fired inside or outside the aircraft, immediately take a protective
position – put your head down or drop to the floor
• If instructed by the rescue force to move, do so quickly, putting your hands up in the
air or behind your head, make no sudden movements
• If fire or smoke appears, attempt to get emergency exits open, and use the inflatable
slides or exit onto the wing
• Once you are on the tarmac, follow the instructions of the rescue team or, if there is
no guidance, move quickly away from the aircraft and eventually move towards the
terminal or control tower
• Expect to be treated as a hijacker or co-conspirator by the rescue team; initially you
will be treated roughly until it is determined that you are not part of the hijacking team

Arrested – What Next?


Police and security agencies detain persons for a myriad of reasons or sometimes out of
curiosity and suspicion. Most countries have introduced much tougher laws in the fight
against terrorism and this has generally resulted in making it very easy for an individual to be
detained on the slightest grounds of suspicion. If you are detained, the best advice is to
exercise good judgement and maintain a professional approach in dealing with the
authorities. However, some important points to remember:
• Ask for the embassy or consulate representing your country to be notified of your
detention. If you believe you are being ignored, continue to make your request
periodically until you get positive feedback that notification has occurred
• Stay calm, maintain your dignity and do not do anything to provoke the arresting
officers
• Do not admit anything or volunteer information
• Do not sign anything that you do not understand or disagree with. Decline politely
until the document is examined by a lawyer or embassy/consulate representative
• Do not fall for the trick of helping the ones who are detaining you in return for your
release.

Residential Security
Residential security is a critical part of your personal security. The following guidelines
should be used when reviewing your security arrangements:
• Choose a location that offers the most security. The less remote, the safer your home
will be, particularly if in an area close to a police station and fire protection. However,
locations with high profile business leaders or politicians may increase risks.
Generally a house at the bottom of a dead end road is considered safer.

• All entrances, including service doors and guest house/servant doors, shall have
quality deadbolt locks
• The locks on the main entrances should be changed when first moving into
accommodation, if a key is lost or there is a possibility that an unauthorised copy
exists
• Install external security lights with motion detectors
• Do not leave keys hidden outside your home. Leave an extra key with a trusted
neighbour or friend
• Have the utility meters installed outside the boundary walls of the house and have
security locks installed on your electricity supply switchgear box
• Keep doors locked even when you or family members are at home
• Fit an optical viewer in the main entrance door.
• Have window locks installed on all windows or fit security grilles
• If you have window grilles and bars, review fire safety and how to exit in an
emergency
• Have emergency numbers/contacts posted by your telephone
• Where possible have caller identification and memory storage on your telephone
• Educate family members on the proper way to answer the telephone at home (also
see the section below on Security for Children)
• Install intruder alarms and use them
• A dog can be a deterrent to criminals but can be disabled by poisoned food. Do not
install separate ‘doggy doors’ or entrances because they can admit small intruders
• Have a designated ‘safe room’ for use in an emergency
• Remove unnecessary shrubs and bushes from outside your residence to minimise
cover for criminals – this can also reduce the fire risk
• After switching on the lights in the house at night, draw the curtains
• Private servants should be vetted and cleared with the in-country Security Advisor
(where available)
• Guests of servants should not be allowed
• The maid or servant room should not have direct access to the house via an internal
door
• Always supervise any maintenance or repair personnel who are working inside or on
the premises of your house
• Get to know your neighbours. Develop a rapport with them and offer to keep an eye
on each other’s homes, especially during trips away
• While at home you and your family should rehearse safety drills and be aware of how
to escape danger and get help
• Vary routines and avoid predictable patterns
• Know where all family members are at all times
• Park your car facing outwards for a quick move in an emergency

Residential Fire Safety


• Install smoke detectors in your home. Check them regularly and replace batteries
periodically (usually every six months)
• Have all electrical circuits and portable equipment checked by a certified electrician
before moving into the house and annually thereafter (and if there have been
modifications or problems)
• All faulty electrical equipment shall be replaced or completely isolated
• Check there are no leaking propane tanks or hoses
• Store flammable substances securely and away from the main house
• Install portable fire extinguishers on each floor and in the kitchen
• Install a fire blanket in the kitchen
• You and your spouse (and older children) should be trained in fire safety and the use
of the extinguishers
• If you have window grilles and bars, review fire safety and how to exit in an
emergency
• You and your family should create a fire exit plan and learn to escape from every
room in the house. Locate two exits from each bedroom. Designate a meeting place
outside your house.
• Most importantly practice your plan. For smaller children invent a reward game to
help them learn the plan

Security for Children


• Teach children never to admit strangers into the home
• Encourage children to report suspicious persons or incidents with as much detail as
possible
• Teach children not to accept toys from strangers or pick them up from outside the
house – they can contain explosive devices
• Teach children to keep away from animals in countries where rabies may be present
• Teach children local emergency phone numbers, the company emergency number
and how to use any special communication equipment you may have
• Make sure younger children know their full name, address and phone number
• Caution teenagers about ‘blind dates’ or meeting anyone they do not know
• Check internet access has security features specifically designed to protect children
• Teach younger children how to answer the phone so that they do not give out
personal information, such as home address or absence of adults.
• Teach children how to say ‘no’ to strangers and particularly never to accept lifts in
cars
• Teach children how to exit the house in an emergency

• Make sure all external perimeter gates are locked when children are playing in the
garden area
• Do not send children to friends’ houses unless you are satisfied that their parents
manage security effectively
• Review with older children Section 5.2 Personal Conduct above. Some security
precautions will be important and relevant to them

Letter and Parcel Bombs


Letter and parcel bombs generally are ‘victim activated’ meaning that the victim or intended
target must activate the device by opening it. They do not normally contain timing devices.

Bombs can range from the size of a cigarette pack to a large parcel. They can be disguised
as letters, books, food/sweets, toys and figurines. Delivery methods have included mail
systems, personal delivery or left at the door of the house/building.

A letter or parcel bomb may have some of the following indicators:


• Suspicious origin – especially if the postmark or name of sender is unusual, unknown,
or no further address is given
• Excessive or inadequate postage
• Irregular shape, with soft spots or bulges
• Unusual weight for the size of the letter or package. Letters may also be unusually
thick
• Protruding wires or components; unusual grease/oil stains on the envelope
• Strange smell or suspicious odour
• Handwriting of sender is not familiar or indicates a foreign style not normally sent to
the recipient
• Common words or names are misspelled
• Markings such as ‘confidential’, ‘personal’, ‘handle with care’, ‘fragile’, ‘urgent’
• Small hole in the packaging that could have been used for an arming/safety wire

A suspicious device should be moved to an open area outside the house, the area
evacuated and the emergency services called. Do not attempt to open the package or
immerse it in water.

Consider having personal parcels delivered to your office if it has a security scanner.

APPENDIX B – RISK ASSESSMENT


Security risk assessment shall be done with a dedicated team in two stages. Firstly, a facility
based assessment that calculates the Security Risk Level as an overall high-level risk
screen. Secondly, a scenario based assessment that goes into much more detail. The
scenario-based assessments may cause a re-evaluation of the overall facility based high-
level risk screen.

Risk Assessment Team


A dedicated team who have the resources and authority to complete the task should carry
out security risk assessment. The team shall possess the following knowledge and skills:
• Security analysis methodologies
• Security procedures, methods and systems
• Knowledge of the facilities under assessment
• Community relations
• Knowledge of local/global politics and community/social issues

Other skills shall be considered and included as appropriate:


• For higher risk facilities - military or police knowledge, especially in counter-terrorism,
weapons, explosives, insurgency/guerrilla warfare
• Ability to ‘think’ like an adversary and to understand what their motivators are
• Safety and occupational hygiene
• Environmental science


Security Risk Level (SRL)


Security risk level is the sum of Severity Factor (S), Difficulty of Attack Factor (D) and
Attractiveness of Target Factor (AT):

SRL = S + D + AT

This is represented as a range of risk as follows:

Security Risk Level: 3 4 5 6 7 8 9 10 11
Bands (in increasing order of risk): Low, Medium, High, Extreme

Low – Common sense security practices to be implemented - typically, follow best
practice by other oil and gas companies in the same location. Second stage scenario
risk assessment may not be required.

Medium – Review and introduce additional security measures to reduce risks. Second
stage scenario based risk assessment to be carried out for the more obvious threats.

High – Second stage scenario risk assessment to be carried out for all possible
threats. Expert security advisor to review SRL assessment, conduct facility survey and
make recommendations to reduce risks.

Extreme – As for ‘high’ above - also consider evacuation of vulnerable personnel and
possible cessation of activities until risk reduction recommendations are fully
implemented.

It should be noted that the risk level is only valid at the time of the assessment. Threat levels
do vary and it would be prudent to include a safety factor to cover foreseeable variations in
level of risk. For example if the SRL was assessed as 4 (low risk), it could be raised to 5 or 6
to bring it into the medium risk classification. This may be appropriate if the venture was
likely to change from being a non-operator to operator because the public profile would be
elevated with the change in activity.


Severity (S)
Severity is a parameter that defines the predicted consequences resulting from a security
incident.

Severity Factor (S)

Factor 1
Generic consequence severities (see footnote 12): Injuries, theft or damage of low value
items (up to €10k), minimal disruption of activities, possible local media coverage
Examples:
• Theft of laptop PC from office
• Security guard concussed and weapons/ammunition stolen

Factor 2
Generic consequence severities: Fatalities, theft or damage of high value items (up to
€500k), theft of hazardous or dangerous items, significant but short term disruption to
activities, national media coverage
Examples:
• Radioactive source stolen from construction site
• Bomb ruptures well flow line – repaired and production back online in one week

Factor 3
Generic consequence severities: Fatalities including third parties, theft or damage to very
high value items (over €500k), theft of hazardous or dangerous items, major and long term
disruption to activities, international media coverage
Examples:
• Armed terrorist attack on drilling site – two fatalities
• Rocket attack on production plant - €5M asset damage and loss of full production for
6 months

12 The monetary criteria included here are generally replacement cost insured values and do
not cover consequential losses.

Difficulty of Attack (D)


The Difficulty of Attack Factor is as shown in Table 2 below. This factor is to be estimated
based on the type(s) of scenario(s) expected at the facility. It is influenced by the site layout,
existing risk reduction measures and other considerations.

Difficulty of Attack Factor (D)

Columns: Factor; Description and Factors Which Influence the Likelihood of Attack; Examples

Factor 1
Description: The scenario could be caused by a successful attack, which would require a
well-planned and coordinated series of events involving several individuals with special
general knowledge/training and breaching several independent security levels of
protection.
Examples:
• Hijacking an aircraft
• Organised paramilitary attack on a facility.

Factor 2
Description: The scenario could be caused by a successful attack, which could be
accomplished by a small group of individuals with equipment or materials available to
terrorist (or criminal) organisations (or an insider with special knowledge of the facility),
and does require access to restricted areas.
Examples:
• Use of explosive materials within the facility boundaries
• Sabotage of central communications and IT infrastructure
• Theft of cash or valuables

Factor 3
Description: The scenario could be caused by a successful attack, which could be
accomplished by a small group of individuals with equipment or materials available to
terrorist (or criminal) organisations, but does not require access to restricted access areas.
Examples:
• Use of explosives from outside the facility boundaries, e.g. truck bomb
• Kidnap/ransom of senior executive
• Damage to remote wellhead

Factor 4
Description: The scenario could be caused by a successful attack accomplished by a single
individual with readily available equipment or materials.
Examples:
• Rifle shot from outside a fence
• Assault and robbery
• Theft of or from a vehicle.

Table 2


Attractiveness of Target (AT)


Not all targets are of equal value to adversaries. Attractiveness of target (AT) is an estimate
of the real or perceived value of a target to an adversary based on such factors as shown in
the table below:

Possible Target Attractiveness Factors (AT)

Poor community relations
Extreme rich/poor polarisation
Association with human rights abuses
High value items e.g. laptops, cash, jewellery, precious metals
Drugs in clinics, weapons, ammunition
Hazardous inventories e.g. explosives, radioactive sources
Potential for large casualties / fatalities
Extensive property/asset damage
Partnership with unpopular government
Facilities shared or adjacent to ‘attractive’ target
Proximity to national asset or landmark
Disruption or damage to company critical infrastructure
Disruption of the national, regional, local economy infrastructure
Ease of access to the target
Extent of media interest
Company reputation and brand exposure
Iconic or symbolic target

Table No 1 from Section 4

AT has a value between 1 and 4. There are no specific criteria for deciding the exact value.
The risk assessment team shall use their best judgement to select a representative value.
The assumptions they make shall be clearly documented for audit and future re-evaluations.
As guidance the following could be used:

AT    Number of Factors that Apply to Facility
1     ~20%
2     ~30%
3     ~50%
4     ~50 to 100%

Table 3

However, Table 3 above should be used with extreme caution as some factors could have a
much higher weighting (or perceived value) for certain adversaries. For example, a facility
may only have 15% of the factors, but if one factor was ‘iconic or symbolic target’, then this
could significantly increase the overall risk. Each case should be analysed on the specific
circumstances.

Risk Reduction Measures


The overall strategy for risk reduction is based on the concepts of Diminish, Deter, Detect,
Delay and Damage Limitation. In the context of security these strategies have the following
meaning:

Diminish – A security strategy based on the principle of inherent safety and minimising
hazardous situations from arising. For example: reducing hazardous inventories,
locating office buildings away from other attractive targets, good community relations,
not having company logos on vehicles, keeping a low profile when travelling, security
vetting of individuals.

Deter – A security strategy to prevent or discourage the occurrence of a breach of
security by means of fear or doubt. Physical security systems such as warning signs,
lights, uniformed guards (possibly armed), cameras and bars are examples of systems
that provide deterrence.

Detect – A security strategy to identify an adversary attempting to commit a malicious
act or other criminal activity. This strategy provides real time observation, interception
and post-incident analysis of the activities and identification of the adversary.

Delay – A security strategy to provide various barriers (physical or management
systems) to slow the progress of an adversary in penetrating a site to prevent an attack
or theft, or in leaving a restricted area to assist in apprehension and prevention of theft.
For example: restricted access to control rooms or IT/communications centres,
escorting of visitors, searching of vehicles or baggage on entering or leaving site.

Damage Limitation – A security strategy based on having emergency response plans
to manage the residual risk following an attack on a facility. Medical clinics, counselling
and business continuity plans are examples of systems that provide damage limitation.

In practice, risk reduction measures will be a combination of all the above strategies and
shall be determined on a case-by-case evaluation.


Scenarios
Scenario is the term for generic events that are initiated intentionally by adversaries.
Scenarios are used as the input to facility specific security risk assessments. They require
knowledge of the facility being assessed and are effectively a brainstorming exercise.

The scenario-based approach involves selecting adversary types to hypothetically attack the
facility and then evaluating if the current security systems have the ability to diminish, deter,
detect and delay the attack before it can be successfully completed. Once a scenario is
identified, the risk assessment team should challenge and craft the scenario to represent a
realistic event.

Scenarios shall be developed on a facility specific basis. Examples of generic scenarios that
could be developed are:
• Theft
• Sabotage
• Vandalism
• Violent assault/robbery
• Violent or threatening demonstrations
• Fire/arson attack
• Food/water contamination
• Bomb
• Suicide attack
• Hijack
• Kidnap and ransom
• Disruption of operations
• Disruption of essential utilities
• Corruption of information or communication systems
• Environmental damage
• Toxic or flammable releases
• Aircraft crash

Additionally, for offshore activities:
• Piracy
• Ship collision
Analysis time could be reduced by only considering ‘worst case’ scenarios. However, this
approach should be used with caution, as it may not identify all possible vulnerabilities of the
facility.


APPENDIX C – AVIATION OPERATIONS


These guidelines apply for land and offshore aviation facilities, as appropriate. They are
additional to the security issues to be considered in Section 5.3 above.

Aviation Base Security


• The aircraft hangar is to be designated as a restricted area with physical security
barriers and strict access control measures to prevent any unauthorised persons
being able to gain unescorted access
• The hangar is to be protected by an intruder alarm system at all times when
authorised personnel are not in attendance
• Fuel storage and refuelling equipment should have enhanced security to prevent theft
or contamination
• If aircraft are parked outside overnight, they must be point-guarded
• The airside of the facility should be separated from the landside by physical barriers
such as fencing and locked gates
• Only maintenance and support vehicles should be allowed on the airside. Personnel
employed on these activities should be subject to search and identification
procedures on entering and exiting airside
• When cargo is transported to the aircraft, the driver and shipment must be verified
first, then escorted to the aircraft by aviation security personnel who are to maintain
supervision throughout the time the delivery vehicle is airside
• Passenger lists, cargo manifests, flight schedules and flight plans are to be handled
as sensitive documents until successful completion of each flight
• An area should be set aside for passengers to await identification and approval to
board
• Procedures should be established for the search of passengers, baggage and cargo
• Where the risk assessment indicates that illegal drugs may be transported, then the
use of drug detection sniffer dogs shall be considered
• Safeguards should also be established to ensure that all baggage matches those
personnel who are passengers and that the baggage was not left unattended or
accessible prior to loading. If a person is off-loaded for any reason, their baggage
must also be removed before the aircraft departs
• Passengers should be allowed to board the aircraft only through a designated
passenger lounge or operations office, and must then board under supervision
• A final verification of the authenticity of all persons on board should be carried out
immediately prior to departure


Aircraft Security
• All avionics and removable items in the aircraft should be marked for positive
identification
• Non-installed items of value should not be stored in the aircraft if it is to be
unattended for an extended period of time
• The display of corporate logos or OMV identification is not recommended
• The pre-flight inspection should include checks to detect unusual objects and any
evidence of tampering with the aircraft

In-Flight Security
• Flight crews should regularly review plans for handling in-flight emergencies and
threats, including the actions to be taken in the event of a bomb threat, attempted
hijacking or other terrorist threat
• Where possible a secure door from the passenger cabin should separate the flight
deck and unauthorised personnel should not be permitted onto the flight deck
• Wherever possible, baggage and cargo should be physically segregated from
passengers to prevent them being accessed by passengers during flight
