Posts Tagged ‘operating procedures’

Wednesday, December 17, 2014 @ 12:12 PM gHale

The final version of the 2014 update to a guide on assessing the security and privacy safeguards for federal information systems and organizations has just been released.

The revised guide was issued in draft for public comment last August by the National Institute of Standards and Technology (NIST).

Assessing Security and Privacy Controls in Federal Information Systems and Organizations (NIST Special Publication 800-53A, Revision 4) is one of two basic NIST publications used by government IT security professionals to assess software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks. The document is a guide to the tests and procedures needed to check that security controls are in place and functioning as intended.

The assessment guide complements NIST’s Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53), a catalog of available methods or “controls” that can safeguard information systems ranging from desktop computers to major data networks. The fourth revision of SP 800-53 was issued in April 2013.

The latest revision of SP 800-53A, the assessment guide, brings it into alignment with the most recent version of SP 800-53, and includes several significant changes from the previous edition released in 2010. In addition to adding new assessment methods for some controls and clarifying some of the terminology, the new edition has improvements meant to provide better support for continuous monitoring and ongoing authorization programs, and for use with automated assessment and monitoring tools. All of these modifications aim to make IT security procedures more flexible and responsive to changing threats.

The new edition of SP 800-53A also continues an ongoing process to better integrate privacy safeguards into the information security framework in parallel with the privacy controls defined in SP 800-53, Appendix J. The privacy assessment procedures that will be added to this guide in the future are under development by a joint interagency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee. They will be separately vetted through the traditional NIST public review process and integrated into SP 800-53A.

Friday, January 4, 2013 @ 04:01 PM gHale

Frozen food product manufacturer Rosina Food Products Inc. is facing fines of $54,750 for nine serious violations of workplace safety standards at its West Seneca, NY, production facility, said officials at the Occupational Safety and Health Administration (OSHA).

The inspection, which began in September, identified several deficiencies in the plant’s process safety management program, a detailed set of requirements and procedures employers must follow to proactively address hazards associated with processes and equipment involving large amounts of hazardous chemicals.

In this case, the process is the operation and maintenance of the plant’s refrigeration system and the chemical is anhydrous ammonia, used in the refrigeration system.

“The stringent and comprehensive requirements of OSHA’s process safety management standard are designed to prevent catastrophic incidents, such as the uncontrolled release of highly hazardous chemicals, including ammonia,” said Arthur Dube, OSHA’s area director for western New York. “This requires full, effective and proactive adherence to the standard’s requirements by the employer.”

In this case, OSHA’s Buffalo Area Office found the plant lacked effective standard operating procedures for all emergency shutdown procedures of the refrigeration system, necessary corrective actions identified during hazard analyses of the refrigeration process, clear instructions for safely conducting refrigeration procedures, written procedures to maintain the ongoing mechanical integrity of all equipment used in the refrigeration process, and procedures for handling small releases of anhydrous ammonia.

In addition, the inspection found all required safety testing did not take place. The plant did not develop specific procedures for locking out machines to prevent their unintended startup during servicing, did not inspect such procedures, and did not use group lockout/tagout procedures as required. A serious violation occurs when there is substantial probability that death or serious physical harm could result from a hazard about which the employer knew or should have known.

“One method of enhancing workers’ safety is developing and maintaining an effective illness and injury prevention program in which management and employees work together to identify and prevent hazardous conditions,” said Robert Kulick, OSHA’s regional administrator in New York.

Monday, April 16, 2012 @ 11:04 AM gHale

By Nicholas Sheble
“Nearly all process plant accidents are the result of some kind of human error,” said Todd Stauffer, “and it’s that error that certification aims to eliminate.”

Stauffer heads safety consultancy exida’s training and certification division. During an exida webcast last week, he talked about the areas of human error that contributed to the safety incidents: process design, hazard and operability studies, operating procedures, training and human factors, and inspections.

“The only way to eliminate accidents is to have a competent person at the controls. How do you know a person is competent? Only by measuring their knowledge against a known standard, body of knowledge,” Stauffer said.

ISA – The International Society of Automation, TUV Rheinland North America (TÜV Rheinland), and exida are the Big Three of the safety certification and certificate-granting entities in North America and Europe. As well, South Asia, South America, and Asia are more closely toeing the safety line as world standards, ethics, and a deeper sense of social responsibility take root in the emerging markets. Thus, the market for safety standards and expertise is expanding.

Engineers at TÜV SÜD and exida developed the CFSE (Certified Functional Safety Expert) and CFSP (Certified Functional Safety Practitioners, a lighter version of the CFSE) concepts with the support of other international safety experts to ensure that personnel performing SIS (Safety Instrumented Systems) lifecycle activities are competent as the IEC (International Electrotechnical Commission) requires by its IEC 61508, 61511, and 62061 standards.

Exida administers the program and issues certificates. Some companies now require CFSE holders to oversee safety projects and CFSP holders to execute them. Exida said the CFSE program is the most stringent in the world and represents the best demonstration of safety competency in the world.

Stauffer also touched on exida’s new Specialty Badge program, which will offer training in specific areas of safety, electives in safety, and a new cyber-security program – the ICSSE (Industrial Control Systems Security Expert).

The latter certification will delve into the fundamentals, relationships, and distinct differences between ubiquitous IT (information technology) and the more esoteric ICS (industrial control systems). Networking basics and industrial networking will also be a part of this undertaking.

Nicholas Sheble is an engineering writer and technical editor in Raleigh, NC.
