KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SECURITY DIRECTIVES FOR INDUSTRIAL FACILITIES, SEC-01 Application of Security Directives a SY RESTRICTED AIL Righs reserved to HCIS. Copylg odsrbtonprofibitadwldnut writen pension om HISKINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives ‘Table of Contents 1.0. ADMINISTRATION 11. SCoPE... APPLICATION CONFLICTS & DEVIATIONS 2.0. DEFINITIONS.. 30. REFERENCE! 40. GENERAL REQUIREMENTS... 4.1. MINIMUM REQUIREMENTS THAT APPLY TO THIS DIRECTIVE: 42. FACILITY CLASSIFICATION. ws 421 Class I Facil 422. Class 2 Facility, 423, Class 3 Facility. 424 Class 4 Facility. 43. ENVIRONMENTAL REQUIREMENTS . 43.1. Indoor Air Conditioned Environment 43.2. Outdoor Environment 4.4.” ConTRACTOR PREREQUISITES FOR SECURITY PROJECT EXECUTION. 5.0. GENERAL REQUIREMENTS FOR EXECUTING SECURITY PROJECTS. Risk ANALYSIS. PRELIMINARY DESIGN. erat, Dasien. INSTALLATION CONTRACTOR 7 vw PERFORMANCE REQUIREMENTS... fe PROGRESS REPORTS, PERFORMANCE VALIDATION... MAINTENANCE & SUPPORT... ‘TRAINING... RESPONSE TO EMERGENCY EVENTS. 60, REFERENCE. somanannenesnsnnnins RESTRICTED At Righs reserved HCI, Copying or ditibutionprofbied witht writen persion fom HCIS Page 2 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR, HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 1.0. LL 12. 13. Administration Scope ‘This Directive provides the minimum requirements for companies and establishments that are subject to the supervision of the High Commission for Industrial Security (HCIS), Ministry of Interior, for application of security directives. Application ‘This Directive is applicable to all facilities, including new projects, the expansion of existing facilities, and upgrades. For application to existing facilities, the Owner shall, assess his fucilities against the requirements of these Directives and coordinate with the General Secretariat of the High Commission for Industrial Security (HICIS) to comply with the Security, Safety, and Fire Protection requirements according to these Directives and add to or modify the existing facilities as required. Where the HCIS has assessed deficiencies in existing facilities during a survey, comparing the current state of the facilities to the requirements of these Directives, those identified deficiencies shall be corrected by the Owner. Where implementation of 2 requirement is unsuitable or impractical, where other equivalent company or internationally recognized Standards and Codes are followed, or where any conflict exists between this Directive and other company standards and Codes, the deviations shall be resolved by the HCIS. Deviation lower than the requirements of this directive shall be listed and submitted in a report of compliance ‘or non-compliance, with justification and reason, for each applicable requirement of, these security directives, and approval shall be received from the HCIS prior to implementation, The documents shall be retained by the company in its permanent engineering files. RESTRICTED AU Rights servedto NCIS. Copying oe dsubuton probed withou weiuen pernitsion fom HCTS Page 3 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 2.0. Definitions Hels Shall: Should: Acs APL Evb FAT IDAS IMo- ISPs Iss scc High Commission for Industrial Security. The HCIS is part of the ‘Ministry of the Interior. It is responsible for the development, and implementation, of security, safety and fire protection strategies Kingdom-wide. Company or owner of a facility. Security Directives Indicates a mandatory requirement, Indicates a recommendation or that which is advised but not required. Access Control System: Manages access to facilities American Petroleum Institute: An organization that defines requirements for petroleum facilities. Explosive Vapor Detector: Detects presence of explosives Factory Acceptance Test: Test conducted at contractor facility to verify compliance with requirements Site Acceptance Test: Test conducted after equipment installation at its final location to verify compliance with requirements Intruder Detection & Assessment System: Detects intrusion attempt at perimeter, allows video surveillance and annunciates an alarm. International Maritime Organization; An organization that defines security and safety of ships and ports Intemational Ship & Port Security: A set of regulations that defines security of ships and port facilities. ISPS is part of the IMO. Integrated Security System: Provides an integrated environment to detect and delay intruders, monitor security environment and annunciate alarms generated from facility security systems. Security Control Center: A facility that monitors the complete security environment in a designated area and manages alarms and RESTRICTED ‘AI Right reserved to CIS. Copying or stbtion poked wthet writen permission fom HCIS Page 4 of 23KINGDOM OF SAUDI ARABIA. MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives responses to security events. sow Scope of Work: A study that defines the requirements for security, safety and fire protection at a facility. 3.0. References ‘This directive adopts the latest edition of the references listed. ‘The selection of material and equipment, and the design, construction, maintenance, operation and repair of equipment and facilities covered by this Security Directive shall comply with the latest edition of the references listed in each Security Directive, unless otherwise noted. API Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries RESTRICTED. AIT Rights reserved to HCAS. Copying or srtation rolibted without writen pension from HCIS Page 5 of 23KINGDOM OF SAUDI ARABIA. MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 4.0. 4 General Requirements Minimum requirements that apply to this Directive: 41d 413 419. ‘The High Commission for Industrial Security (HCIS) reserves the right to modify and/or make changes, as deemed necessary, to the Security Directives without prior notice. ‘The national security of Saudi Arabia, including the security of the economy and the well being ofits population, depends directly on physical and operational safety of a range of facilities across Saudi Arabia, The criticality of each facility varies depending on the product or service provided. Therefore, the High Commission for Industrial Security (HCIS) shall have the ultimate authority on classifying all facilities. Facilities shall have adequate levels of protection as defined within these Security Directives, The level of protection at each facility shall be dictated by its security classification. HCIS reserves the exclusive right to classify facilities according to its intemal criteria or any new security requirements. Guidelines are provided with this Security Directive in order to permit the Owner to develop a preliminary evaluation of facility classification. ‘The owner shall develop a detailed risk analysis that shall be used as the basis of facility classification. ‘This risk analysis, and the facility classification, shall be submitted to HCIS. for approval prior to detailed design development or implementation, The information contained herein will be used to define the levels of. protection required for facilities in the Kingdom of Saudi Arabia (KSA) that fall under the supervision of the High Commission for Industrial Security HCIS) of the Ministry of Interior, Kingdom of Saudi Arabia. ‘The details of protection required for each facility is described in individual Sceurity Directives that cover each aspect of the requirement. Owners who operate offshore or marine facilities shall ensure that they provide an adequate level of security measures to protect these facilities. Owners shall apply aspects of the Intemational Ship and Port Facility RESTRICTED AIDRighsrsesedt HCIS. Copying o istibtion proibitd wthoat writen permision fom HCIS Page 6 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 42. Security Code (ISPS), issued by the IMO, that apply to their offshore or marine facilities. Companies that operate marine facilities shall define an exclusion zone around each marine facility. They shall ensure that adequate warning signs are deployed on strategically located buoys advising incoming traffic that they are entering a restricted area. These warning signs shall comply with prevailing Saudi Arabian and intemational marine standards on sign construction and design. Owner shall be responsible for ensuring all required permissions and standards for buoy deployment are complied with and that the buoys are maintained in good condition. ‘Owner shall deploy marine barriers to protect marine facilities. Deployment of these barriers shall not compromise safety considerations for the facility. 4.1.10. These Security Directives supersede all older SSD’s previously issued by the HCIS. Facility Classification Facilities shall be classified based on a four (4) level classification methodology. ‘The general criterion for each level is defined in the sections below. 42.1, — Class 1 Facility A Class 1 facility is defined as any facility whose destruction, or serious damage, could seriously damage the Kingdom's economy or gravely disrupt the well being of its population Such facilities are characterized by meeting ANY of the following criteria: 42.1.1 Loss presents an unacceptable financial risk. 4.2.1.2. Loss of function/capacity cannot be made up by other existing ft 4.2.1.3. Directly and seriously impacts hydrocarbon exports RESTRICTED. -AlDRighs reserved to HCIS. Copying o stribrion pried witout writen perisscn from HCIS Page 7 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 42.14. 42.15. Major threat to environment or population due to damage or destruction. Critical infrastructure, regardless of capital investment or availability of alternates. Class 1 Facility Examples Examples of facilities that are classified as Class 1 are as follows’ 42.16. 42.17. 42.18. 42.1.9. 42.110. 421.11 42.1.12, 4.2,1.13. 4.21.14. 421.15, 42.1.6. ‘Major Oil & Gas production, processing, transportation and export. ‘Major Oil Refining and Storage. Major Electricity Generation Facilities. “Major Weter Deselination Facilities. Major Commercial & Industrial Sea Ports. Major Telecommunications facilities. Major pumping facilites for oil and water. Major facilities using or producing chemicals whose flammability, explosiveness, toxicity and evaporability may cause serious harm to the environment or population if the facility is damaged or destroyed. Manufacture and storage of commercial explosives. Infrastructure that supports, or contains facilities or services, that are deemed important to the national interest. Primary computer facilities that manage the above items. 42.2. Class 2 Facility ‘A Class 2 facility is defined as any facility whose destruction, or serious damage, could cause short term damage to the Kingdom's economy or temporarily disrupt the well being of its population. Such facilities are characterized by meeting ANY of the following criteria: 42.21. 42.22. 4.2.2.3, 4.2.24. Loss of function/capacity can be compensated for short periods by other existing facilities. Direcily impacts hydrocarbon exports but will not significantly reduce them. Possible threat to enviconment or population due to damage or destruction Critical infrastructure, regardless of capital investment or availability of alternates. RESTRICTED AURights served to HCIS, Copying or ditibation prohibited witout writen poision fom HCTS Page 8 of 23KINGDOM OF SAUDI ARABIA. MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY, SEC 01 - Application of Security Directives 423. Class 2 Facility Examples Examples of facilities that are classified as Class 2 are as follows: 4.2.2.5, Support facilities for hydrocarbon production, processing, transportation & export. 4.2.2.6. Hydrocarbon plants, such as major GOSP's. 4.2.2.7. Facilities using or producing chemicals whose relatively low flammability, explosiveness, toxicity and evaporability present ‘medium level risk to the environment or population if the facility is damaged or destroyed. 4.2.2.8. Infrastructure that supports, ot contains facilities or services, that are deemed important to the national interest mary computer facilities that manage the above items. 4.2.2.9, Class 3 Facility A Class 3 facility is defined as any facility whose disruption, or serious damage, could cause minimal or no damage to the Kingdom’ s economy or ‘would not disrupt the well being of its population. Such facilities are characterized by meeting ANY of the following criteria: 4.2.3.1. Loss of function/capacity can be compensated for an extended period by other existing facilities. 4.2.3.2. Nodirect impact on oil exports. 4.2.3.3. No threat to environment or population due to damage or destruction Class 3 Facility Examples Examples of facilities that are classified as Class 3 are as follows: 4.2.3.4. Minor Sea Ports. 4.2.3.5. Low Capacity Electricity Generation. (See SAF-19 for details of Power Generation Facilities). 4.2.3.6. Minor Telecommunications Facilities. 4.2.3.7. Bulk Plants. RESTRICTED reserved vo HCI. Copying or stbutinn prohibited without writen permission fom HCIS Page 9 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 43. 42.4, Class 4 Facility A Class 4 facility is defined as any facility considered a support facility, either adjacent to, or remote to, Class 1, 2 of 3 facilities. ‘Such facilities are characterized by meeting ANY of the following criteria: 4.2.4.1. Loss of function/capacity can be compensated for an extended period by other existing facilities. 42.4.2. No direct impact on oil exports, 4.2.4.3, No threat to environment or population duc to damage or destruction. Class 4 Facility Examples Examples of facilities that are classified as Class 4 are as follows: 424.4, Supply Warehouses. 424.5. Office Support facilities. Environmental Requirements All devices installed for Security Directive compliance shall be capable of operating continually when subjected to the environmental conditions of the installation site, 43.1. 43.2, Indoor Air Conditioned Environment All devices installed indoors, or in an environmental cabinet, for Security Directive compliance, shall be cooled with redundant split or central air- conditioning units. Outdoor Environment 4.3.2.1. Equipment to be installed outdoor shall be designed to operate without air conditioning or forced air ventilation system and - under the conditions of environment detailed below, and shall RESTRICTED [ALRighsreervedto HEIS. Copying ee rbtion prebibted wie: writen pemsion fom HCIS Page 10 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives meet the specified performance when subjected to the full range of these conditions. 4.3.2.2, Ambient Temperature Range: -10° C to 465° C (excluding temperature isin cabinet) 43.2.3. Ambient Relative Humidity Range: 5% to 100%, non- condensing 4.3.2.4. ‘The normal airborne dust concentration shall be considered as 1 mg/ml. During sandstorm conditions, dust concentrations reaching 500 mg/ml are encountered and winds may gust to 112 kav. 95% of all dust particles are less than 20 micrometers and 50% of all particles are less than 1.5 micrometers in size. Compounds present in the dust include those of sodium, calcium, silicon, magnesium and aluminuen, ‘When in wet condition (100% humidity), these compounds function as electrolytes and can result in severe corrosion of other materials. 43.2.5. Other pollutants present (ppm vol. /vol. in atmosphere, worst case) are: HS: 20 ppm (vol/vol) CO: 100 ppm (vol/vol) NOx: 5 ppm (vol/vol) sg: 10 ppm (vol/vol) oO: 1 ppin (vol/vol) Hydrocarbons: 150 ppm (vol/vol) 4.4, Contractor Prerequisites for Security Project Execution 44.1. — Designers, suppliers, contractors and systems for security related projects at facilities classified under the Security Directives shall be approved by HCIS. RESTRICTED AILRighs reserved 1 HCIS. Copying oF asebaton prohibited without writen pense from HCIS Page LI of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR, HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 4.2. 443. 4a, 4A5: 447, ‘The Owner shall be responsible for providing HCIS with required data at east three(3) months before the scheduled security related project initiation. This will allow a complete evaluation by HCIS of the project and the proposed contractors. Contractors and suppliers shall be certified by the Ministry of Interior and the Ministry of Commerce & Industry ‘The contractor shall be licensed by the competent authority at the Ministry of Interior (the General Directorate of Public Security). ‘The certification shall clearly indicate that the contractor is authorized to engage in security related work. It shall specify the nature and type of authorized activity and shall be included in the commercial registration certificate issued by the Ministry of Commerce and Industry. ‘The Commercial Registration (CR) certificate issued by the Ministry of ‘Commerce & Industry shall clearly specify that the contractor is authorized to conduct security related work. It shall clearly state the vendors line of business as cither importing, designing, installing or maintenance of security systems : Contractors engaged in executing safety and/or fire protection related work shall follow the requirements stated in the Safety Directives issued by the HCIS. ‘The Owner shall submit qualification data to the HCIS for approval of all contractors selected for design and installation of security related work. Contract award for design, installation or maintenance shall not proceed until such approvals are received from the ICIS. The data submitted to the HCIS shall include, but not be limited to, the following: A) Valid copies of commercial registration, showing license specified in 44.5. above. B) Chamber of Commerce membership C) Registration & classification certificate issued by the Ministry of Municipal & Rural Affairs D) Company profile E) Full names and details about company owners, director, senior project personnel, system designer and installation management, F) List of previous projects ofa similar nature that have been executed. List must show the type of work, size of project, dates and user of the executed project. all RESTRICTED rexerved to HCIS. Copying o dstbutenproded without writen pemmissfn frm HCIS Page 12 of 23,KINGDOM OF SAUDI ARABIA. MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 448, 449. 4A 4a 44. G) Whether company performing the work is a subsidiary or part of another organization H) Head office address & contact details for all prime and sub- contractors. ‘The Owner shall ensure that the company selected for security related work shall have adequate engineering capabilities and qualified manpower to design, install, test and maintain the system and execute all work requirements. ‘The Owner shall submit to HCIS full details of all Saudi and foreign ‘companies participating in the work. HCIS reserves the exclusive right to approve or reject any company proposed to perform the work ‘The Owner shall ensure that all companies participating in the work are approved by HCIS prior to work initiation. (0. The Owner shall ensure that the company selected for security related work shall have prior technical experience inside or outside the Kingdom in similar work that matches the scope, and magnitude, of the current work. 1. The primary contractor shall formally assume, certified in writing, total responsibility for executing all phases of the work. All sub-contractors shall be approved by HCIS prior to any contract award. The procedures for approval of sub-contractors shall be the same as for the primary contractor. 2, Contractors receiving bid documents or working on security system design, installation, support or maintenance shall sign Non-Disclosure Agreements (NDA) specifying that the contractor shall maintain all work related documents in confidence and not disclose them to any third party without prior written approval of the Owner. 4.4.13. Contractors performing security related work shall formally certify, in writing, that they shall provide, for the life of the system, after-sales services, support and spare parts for all devices and systems installed. 44.14, The Owner shall provide HCIS with a detailed list of major system and equipment for all security related work. The list shall include model numbers, descriptiotis, manufacturer and local agent. RESTRICTED -AIDRighs reserved to HCIS. Coylg oc iittonroided witout writen permiston eam HIS Page 13 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 5.0. 5. 4.4.15. HCIS shall have the right to reject any of the systems or equipment. In case any system or equipment is rejected by HCIS the Owner shall replace it with approved system or equipment or submit additional system or equipment details for approval 4.4.16. ‘The Owner shall ensure that any other prerequisites deemed necessary by the user or required by cucrent rules and regulations in effect in this regard are also included in the project scope. 4.4.17. There shall be no outstanding objections, reservations or claims by any other party against the contractor executing the work. 4.4.18. Owner shall not permit any start on security related work until HCIS approval for the specific work is received. 44.19. All submissions to HCIS shall be in writing. General Requirements for Executing Security Projects HCIS shall approve all security related work executed by companies that fall under the supervision of the Security Directives. HCIS approvals shall be secured as detailed in the following sections Risk Analysis 5.11. ‘The Owner shall prepare a risk analysis detailing the potential risk areas and the system design requirements that shall mitigate this risk, 5.1.2. ‘The Risk Analysis shall follow the methodology stated in the American Petroleum Institute (API) document entitled “Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries”. 5.1.3. ‘The Owner shall use the methodology outlined in this document to conduct a structured, comprehensive Risk Analysis for each facility 5.14, ‘The risk analysis shall take into account facility criticality and surrounding terrain 5.15. The risk analysis shall be submitted for review by HCIS. RESTRICTED [AIL Righscservd to HCIS. Capyng or disbution potbied without writen permission fram HS Page 14 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY EC 01 - Application of Security Directives 5.2. Preliminary Design 521 5.2.2. 523, ‘The Owner shall prepare a preliminary design package that details the Scope of Work (SOW), main and auxiliary elements of security related work and site specific requirements. ‘The preliminary design package shall include the following at a minimum: 52.2.1. 5.2.2.2. 5.2.2.3, 5.22.4, Site Layouts showing main security related activity, device locations and system locations. Area covered by the Access Control System (ACS), Intrusion Detection System (IDS) and Video Surveillance System (VSS) when installed. Information shall also be provided for any additional systems installed by the Owner above and beyond the directive requirements The preliminary design shall provide, at a minimum, general details on ACS location & number of card readers, IDS zones, layout & hardware/sofiware, VSS cameras, zones & hardware/sofiware. Details of fencing, lighting, patrol road, socurity control room, and clearances for each site. The information provided shall include the position of each element relative to each other and the facility. Location and installation details for main gates, restricted area gates and emergency gates. This section shall provide details of all devices that shall be installed at each of these gates. The data listed in section above shall be submitted to HCIS for review and approval before commencing detail design, bidding and contract award for design and installation, 5.3. Detail Design RESTRICTED ‘All Rights reserved to HCIS. Copying or dsuibuon prohibited without writen pennisson foe HCIS Page 15 of 23,KINGDOM OF SAUDI ARABIA ‘MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives SB. 53.2. 533. 53.4. 53.5. 536. 37, ‘The Owner shall prepare a detail design package that provides detailed technical specifications, engineering design and list of bidders for main design elements. All information provided to FICIS shall be up to date at the time of submission, During construction, the Owner shall ensure that ongoing construction sites shall be surrounded by a category 4 fence and adequate separation maintained from existing facilities. A copy of the detail design package shall be provided to the ICIS for approval at least three months prior to awarding the bid, ordering materials or initiating any work specified under the detail design package. This data shall include the items listed below. The Owner shall be responsible for any delay that may occur due to non-compliance with the time requirements mentioned above of failing to demonstrate compliance with the requirements in the HCIS security directives related to the project work. ‘The Owner is required to meet HCIS time requirements for approvals and ‘ensure full compliance with the security directives. ‘The details design package shall include a list of contractors on the bidders list. The certification of the contractors, as specified under section 4.4, of this security directive, shall be supplied as part of this package, A compliance list showing compliance or non-compliance, with justification and reasons, for each applicable aspect of the HCIS security directives & project specifications shall be provided as part of this package. A list of all equipment, hardware, software, and devices shall be provided as part of this package: 5.3.6.1. Manufacturers name for each system or equipment 5.3.6.2. — Certificate for material compliance that shows that material complies with required standards 5.3.6.3. Period in which device has been available in local and international markets 53.64. Local users of the product 53.6.5. Name & address of local agent 53.6.6. Local agent Commercial Registration as specified in section 4.4. of this security directive. ‘The proposed work execution schedule shall be provided as part of this package RESTRICTED 10 HIS, Copying 0 dsribuon petted witht witen permission from HIS Page 16 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR. HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 54. 55. 53.8, Copies of original manufacturer catalogs and device specifications shall be provided as part of this package. 5.39. The technologies, devices and systems to be supplied for the project shall be obtained from credible and reputable sources and manufacturers. The full identities of all sources and manufacturers shall be accurately disclosed in the documentation sent to HCIS, installation Contractor ‘The installation contractor shall be certified as specified in section 4 of this security directive. Performance Requirements 55.1. 55.2, 5.5.3. 55.4, 535. 556. 55.7. ‘The Owner shall ensure that all systems and de} ‘compliance shall incorporate the latest technologies, used for security Systems deployed for security directive compliance shall operate in an integrated environment as specified in security directive SEC-05 “Integrated Security System”. Alarm prioritization shall be a part of all systems. All critical system devices such as, but not limited to, computers and networks, shall operate in ¢ fully redundant mode as specified in security directive SEC-05 “Integrated Security Systern”. ‘System components shall have the capability for future expansion. The system shal] have at least 50% spare capacity when it is initially deployed. ‘This spare capacity includes, but is not limited to, computer memory and disc space. ‘Systems shall have no single point of failure in their design. ‘System components and devices shall have tamper sensors and shall annunciate an alarm for any attempt to open, modify, remove, or cut system devices and communications cabling, RESTRICTED AIRigis reserved to HCIS, Copying or dsiibution profited witout writen pemission from HCIS Page 17 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY, SEC 01 - Application of Security Directives 56. 5.7. 558. 539. ‘Systems shall be designed around open architecture to permit easy integration of technology advances. All main system components shall have the ability to send data, text or video, as applicable, to an external system, when main system is configured to doso. All external system communications and data transfers shall be in full compliance with all security considerations mentioned in the Security Directives. Progress Reports “The Owner shall provide HCIS with progress reports every six months on the progress of security related work. Performance Validation ST, 512. . System performance shall be validated by a Factory Acceptance Test (FAT) which shall verify compliance with all detail design and functional requirements. All major exceptions shall be cleared prior to shipment to the installation site. ‘The documented results of the FAT shall be used as the basis of system acceptance by the Owner. The system contractor shall produce a FAT certificate certifying full compliance with all requirements which shall be signed by both the system contractor and the Owner or his representative, ‘The FAT documentation shall be available for examination by HCIS. Installations at each site shall be validated by a Site Acceptance Test (SAT) which shall verify compliance with all installation & performance requirements. ‘The documented results of the SAT shall be used as the basis of site acceptance by the Owner. The SAT documentation shall be available for examination by HCIS. RESTRICTED AIDRights eservadto HCIS. Copying or astibuos probed without writen permission from HCIS Page 18 of 23,KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 5.8. Maintenance & Support 58.1 5.82. 58.3. 5.84, 58.5. 58.6, 58.7. 589, ‘The Owner shall ensure that all security installations are supported with a complete maintenance and support infrastructure. ‘The system contractor shall provide all details and tools required for system. maintenance. This shall include maintenance manuals, software diagnostics, special tools, calibration equipment and procedures. ‘The maintenance manuals shall contain recommended maintenance intervals, procedures and recommended spare parts lists ‘The Owner shall be responsible for implementing a maintenance strategy to ‘meet recommended maintenance requirements for all equipment. All emergency backup generators shall be started up and maintained as specified in SEC-07. Once a month the auto-switch switchgear shall be tested. Generator maintenance logs for the current calendar year shall be available for inspection by HCIS if requested, All components shall have regularly scheduled preventive maintenance (PM) at least once every 6 months with the exception of emergency backup generators which must be tested as stated in section 4.5 of SEC-07. The actual PM performed shall be documented and available for review for at least one calendar year. ‘The Owner shall have a facility, manned 24 hours a day, 7 days a week, available for field personnel to report failures via telephone, radio or security system telemetry. Owner shall be responsible for classifying system failures as critical or non- critical failures. Critical failures shall be rectified as soon as possible. ‘System failures and alarms shall be analyzed quarterly by the Owner to identify potential problem areas. This quarterly review shall be used as the basis for the development of strategies to rectify the problemas identified, 58.10. ‘The Owner shall maintain documentation for all security equipment installed. This documentation shall include full contact details of component manufacturers, part numbers, recommended spare parts and maintenance manuals needed for each security installation. RESTRICTED AA Rigi reserveto HCI, Copying o strbaton poked winout writen emission rom HCIS Page 19 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 59. 581 1. The Owner shall maintain a full set of As Built drawings for all security systems and civil work. The drawings shall be maintained as soft copy in an easily accessible format, The Owner shall maintain an index of all drawings pertaining to all security related work. ‘Training ‘The Owner shall ensure that training is provided to security personnel in the operation and support of all security related systems and devices. ‘The operational training requirements are as follows: 59.1 5.9.2. 5.9.3. 59.4. ‘Training shall be provided to security personnel, assigned to a location with ‘a new security installation, prior to system or device deployment. ‘The training shall cover procedures, general system operation, failure reporting procedures, methods for handling reported errors and alarms, alarm acknowledgement and response. ‘The Owner shall maintain logs of all training activities. The logs shall list all training provided to personnel and include personne! name, date and type of training provided. Personnel assigned to locations with security installations shall undergo a short training period prior to assuming their new duties. ‘The support training requirements are as follows: 5.95, 59.6, . Personnel directly involved in system support shall be provided training in all aspects of systems software, hardware, diagnostics and preventive maintenance. ‘The Owner shall maintain logs of all training activities. The logs shall list all training provided to personnel and include personnel name, date and type of training provided. RESTRICTED AURights eservedto HCIS, Copying o dstrbuia pected witout wren permission rem HCIS Page 20 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 5.10. Response to Emergency Events ‘The Owner shall setup the infrastructure, procedures and personnel to develop a cohesive, rapid response to an emergency event. This shall include the management of fixed and mobile security assets using a proven command and control system where an overview and details of emergency events shall be available to operators. Personnel designated for a rapid response force shall be provided with additional training as needed to meet expected emergencies. The safety directives issued by HCIS shall be used as the basis of defining, preparing and training for emergencies, RESTRICTED AI Right reserved to HCAS. Copy or dsrbaon profi witout weten emission fom HCIS Page 21 of 23KINGDOM OF SAUDI ARABIA ‘MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives 6.0. Reference ‘The table below provides guidelines for security directive usage based on facility classification; Directive ‘Application of Security SEC-01 | Directives mete ae Ee SEC-02 Security Fencing v v |v | |sEC-03 | Security Gate v v v SEC-04 | Security Lighting v vo ilvo ly Perimeter Lighting v viv “Checkpoint Lighting ¥ eee ere SEC05 | Integrated Security System | c “Perimeter Intrusion Detection | y, o System 7 ~Access Control System < < < -Video Surveillance System | SEC-06 | SecurityDeviees | “Ray “Crash Barrier | “Turnstile | -Drop-gate “Bullet-Proof Glass | RRA SEER etc CLR SEC-07 | Power Supply < ~ oy “Emergency Generator “UPS ~ < ~ RESTRICTED AILRights eservedto HCIS, Copying or iit pecibited without writen pemssion fom CIS Page 22 of 23KINGDOM OF SAUDI ARABIA MINISTRY OF INTERIOR HIGH COMMISSION FOR INDUSTRIAL SECURITY SEC 01 - Application of Security Directives reer Class SEC-08 SEC-09 | Security Doors SEC-10 | Security Locks SEC-11 | Identification Cards Communications SEC-12 | Information Protection cons RESTRICTED AIL Rights reserved to HCIS. Copying oe esbaton pot Page 23 of 23, without writen perisson fom HCIS