History of Responsible Care ® - 14001
Security Code of Management Practices

• Purpose and Scope

• Relationship to Guiding Principles

• Relationship to Other Industry Commitments

• Management Practices

• RESPONSIBLE CARE SECURITY CODE VERIFICATION

• Scope of Verification

• What Will Be Verified

• Who Will Verify

• Timing of Verification

• Verification Progress Measurement

Purpose and Scope

The purpose of the Security Code of Management Practices is to help protect people, property, products, processes, information and information systems by enhancing security, including security against potential terrorist attack, throughout the chemical industry value chain.  The chemical industry value chain encompasses company activities associated with the design, procurement, manufacturing, marketing, distribution, transportation, customer support, use, recycle and disposal of our products. 

This Code is designed to help companies achieve continuous improvement in security performance using a risk-based approach to identify, assess and address vulnerabilities, prevent or mitigate incidents, enhance training and response capabilities, and maintain and improve relationships with key stakeholders.  The Code must be implemented with the understanding that security is a shared responsibility requiring actions by others such as customers, suppliers, service providers, and government officials and agencies.  Everyone in the chemical industry value chain has security responsibilities and must act accordingly to protect the public interest.

Implementation of this Security Code is mandatory for all members of the American Chemistry Council to further protect the public, our communities and our employees. 


Relationship to Guiding Principles

Implementation of the Security Code helps achieve several of Responsible Care’s Guiding Principles:

Relationship to Other Industry Commitments

The Security Code complements, and should be implemented in conjunction with, other management practices that demonstrate the industry’s commitment to protecting its employees and the public.  Existing management practices that enhance community safety and emergency preparedness, pollution prevention, process safety, employee health and safety, product distribution and product stewardship include security components.  Companies regularly should reassess these security-related practices in the spirit of continuous performance improvement.  Companies also should regularly reassess their participation in, and monitor the activities of, the national TRANSCAER® initiative which promotes dialogue and emergency preparedness along chemical transportation routes.
Management Practices

Each company  must implement a risk-based security management system for people, property, products, processes, information and information systems throughout the chemical industry value chain. The chemical industry value chain encompasses company activities associated with the design, procurement, manufacturing, marketing, distribution, transportation, customer support, use, recycle and disposal of our products. The corresponding security management system must include the following thirteen management practices:

1. Leadership Commitment.  Senior leadership commitment to continuous improvement through published policies, provision of sufficient and qualified resources and established accountability. The chemical industry’s commitment to security starts at the top.  This element calls for each company’s leadership to demonstrate through their words and actions a clear commitment to security within their company, from corporate headquarters to our facilities.

2. Analysis of Threats, Vulnerabilities and Consequences.   Prioritization and periodic analysis of potential security threats, vulnerabilities and consequences using accepted methodologies. Using generally accepted tools and methods, companies will conduct analyses to identify how to further enhance security.  This process will be applied at chemical operating facilities using methods developed by Sandia National Laboratories, the Center for Chemical Process Safety, or other equivalent methods.  Companies also will be using tools to analyze the security of product sales, distribution and cyber security.  These initial analyses will be conducted on an aggressive schedule then conducted periodically thereafter. 

3. Implementation of Security Measures.  Development and implementation of security measures commensurate with risks, and taking into account inherently safer approaches to process design, engineering and administrative controls, and prevention and mitigation measures. Companies will take action when they identify and assess potential security risks.  Actions can include putting additional or different security measures into place to provide greater protections for people, property, products, processes, information and information systems.  At facilities, actions can include measures such as installation of new physical barriers, modified production processes or materials substitution.  In product sales and distribution, actions can include measures such as new procedures to protect Internet commerce or additional screening of transportation providers.

4. Information and Cyber-Security.  Recognition that protecting information and information systems is a critical component of a sound security management system. Companies will apply the security practices identified in this Code to their cyber assets as well as their physical assets.  Information networks and systems are as critical to a company’s success as its manufacturing and distribution systems.  Special consideration should be given to systems that support e-commerce, business management, telecommunications and process controls.  Actions can include additional intrusion detection and access controls for voice and data networks, verification of information security practices applied by digitally-connected business partners, and new controls on access to digital process control systems at our facilities.

5. Documentation.   Documentation of security management programs, processes and procedures. To sustain a consistent and reliable security program over time, companies will document the key elements of their program. Consistency and reliability will translate into a more secure workplace and community.

6. Training, Drills and Guidance.  Training, drills and guidance for employees, contractors, service providers, value chain partners and others, as appropriate, to enhance awareness and capability. As effective security practices evolve, companies will keep pace by enhancing security awareness and capabilities through training, drills and guidance.  This commitment extends beyond employees and contractors to include others, when appropriate, such as product distributors or emergency response agencies.   Working together in this fashion improves our ability to deter and detect incidents while strengthening our overall security capability.

7. Communications, Dialogue and Information Exchange.  Communications, dialogue and information exchange on appropriate security issues with stakeholders such as employees, contractors, communities, customers, suppliers, service providers and government officials and agencies balanced with safeguards for sensitive information. Communication is a key element to improving security.  Maintaining open and effective lines of communication includes steps such as sharing effective security practices with others throughout industry and maintaining interaction with law enforcement officials.  At the same time, companies understand that their role is to protect employees and communities where they operate, while safeguarding information that would pose a threat in the wrong hands.

8. Response to Security Threats.  Evaluation, response, reporting and communication of security threats as appropriate. Companies take physical and cyber-security threats very seriously.  In the event of such threats, companies promptly will evaluate the situation and respond.  Real and credible threats will be reported and communicated to company and law enforcement personnel as appropriate.

9. Response to Security Incidents.  Evaluation, response, investigation, reporting, communication and corrective action for security incidents. Companies will be vigilant in efforts to deter and detect any security incident.  If an incident should occur, however, the company promptly will respond and involve government agencies as appropriate.  After investigating the incident, the company will incorporate key learnings and will, as appropriate, share those learnings with others in industry and government agencies and implement corrective actions.

10. Audits.  Audits to assess security programs and processes and implementation of corrective actions. Companies periodically will assess their security programs and processes to affirm those programs and processes are in place and working and will take corrective action as necessary.  In appropriate circumstances, assessments also will apply to the programs and processes of other companies with whom the company conducts business such as chemical suppliers, logistics service providers or customers.

11. Third-Party Verification.  Third-party verification that, at chemical operating facilities with potential off-site impacts, companies have implemented the physical site security measures to which they have committed.  Chemical industry security starts at our facilities.  Companies will analyze their site security, identify any necessary security measures, implement those measures and audit themselves against those measures.  To help assure the public that our facilities are secure, the companies will invite credible third parties – such as fire fighters, law enforcement officials, insurance auditors and/or federal or state government officials – to confirm that the companies have implemented the enhanced physical security measures that they have committed to implement.  In addition, companies should consult with these same parties as enhanced physical security measures are being considered and implemented.

12. Management of Change.  Evaluation and management of security issues associated with changes involving people, property, products, processes, information or information systems. Our employees and our processes contribute to, and rely upon, changes and innovations in products and technologies.  As any changes are considered, our companies will evaluate and address related security issues that may arise.  This can include changes such as new personnel assignments to installation of new process equipment or computer software or hardware.

13. Continuous Improvement.  Continuous performance improvement processes entailing planning, establishment of goals and objectives, monitoring of progress and performance, analysis of trends and development and implementation of corrective actions.
 
Our industry commitment to security calls for companies to seek continuous improvement in all of our security processes.  Since practices for addressing security will evolve, it is anticipated that company security programs and measures will evolve, reflecting new knowledge and technology.  Companies continually will be tracking, measuring and improving security efforts to keep people, property, products, processes, information and information systems more secure.  

Companies will share information on effective security practices within the industry and with external, qualified security professionals.  Companies will continue to expand the awareness of and commitment to enhanced security practices throughout the chemical industry value chain.  The American Chemistry Council will continue to provide guidance, including examples of effective member security practices, to assist members in their implementation of this Code, and will periodically review and as appropriate revise the guidance.    

Due to the rapidly evolving nature of security issues and related expertise, the American Chemistry Council will reassess the Responsible Care Security Code, its management practices and implementation timetable two years after Code adoption or earlier as appropriate.  Security Code implementation guidance will be updated as necessary in the interim.

 
RESPONSIBLE CARE SECURITY CODE VERIFICATION


Scope of Verification 

Verification will be conducted at member company chemical operating facilities with potential off-site impacts.  Sales and administrative offices will typically not fall within this scope.

What Will Be Verified

Physical site security measures.  This process will verify on a one-time basis that physical site security measures identified by companies through their initial vulnerability assessment were implemented.  Verifiers will not independently assess site security or measures that should be implemented. 

Verification that physical site security measures have been implemented will allow for credible, visible verifications, avoid jeopardizing sensitive information, and allow a broader range of verifiers to constructively participate.  Such verification will also focus on those areas of security about which the public is typically most concerned.   Non-physical site enhancements, such as process modifications, will not be verified, given the complexity of these types of changes, the difficulty of verifying them, and the potential sensitivity of the information.  For similar reasons, non-site security measures, such as cyber security enhancements, also will not be verified.  Under the Code, companies will conduct internal self-audits of these and other security systems. 

Longer term the credibility of security implementation may be further enhanced by having company security systems certified in a manner consistent with the certification of other company Responsible Care® management systems.  This can be considered in the review of the Security Code called for in two years in the Code itself.

Who Will Verify

Credible independent third parties.  Board guidance in January referenced use of local first responders for verification.  The Code recognizes first responders as a viable option.  In addition, the Code allows companies to choose other credible third parties, such as security consultants or insurance auditors, as verifiers.  Guidance materials accompanying the Code will provide broad criteria that companies may use to determine if verifiers will be considered credible in the area of security.  For example, profession, education or affiliation may provide persons appropriate capacity and credibility to conduct verifications.  Timing of Verification

Companies will be encouraged to pursue verification as soon as possible, but no later than three months after implementation of physical site security measures.  Implementation of site security measures will proceed on the following schedule. *

	Tier 1	Tier 2	Tier 3	Tier 4
Complete Site Vulnerability Assessment	6 months	12 months	18 months	24 months
Complete Implementation of Security Measures	18 months	24 months	30 months	36 months

In addition, companies are encouraged (not required) under the Code to “consult” with verifiers prior to verification and as enhanced physical security measures are being considered and implemented.  “Consultation” could include, for example, information exchange with the verifier where a company reviews the steps it will take leading up to verification and provides the verifier an opportunity to dialogue with the company.   Consultation does not envision verifiers independently assessing site security or measures that should be implemented, or any kind of decision-making authority or review.  It does envision active regular dialogue.
 
Under the Code, companies will need to generally document that the verification was successfully completed, but verifiers will not have to prepare or sign any written documents.  To be able to track and communicate industry verification progress, companies will submit information to the Council on an aggregate basis after verification for each tier is to be completed on their state of achievement of the deadline.