
ICAO SeMS - Final

The document discusses a workshop on Security Management Systems (SeMS). The workshop will cover the aims and expected outcomes of the workshop, the foundations of a positive security culture, how SeMS links to the UK framework and ICAO requirements, and practical examples to help develop SeMS. Attendees will learn about key aspects to developing an effective SeMS and the benefits it can provide. The workshop will explore fundamentals of SeMS and how it can aid in developing a positive security culture.

Uploaded by

Ba Khat

Security Management Systems (SeMS) Workshop
www.caainternational.com
Part of the UK CAA International Group
ICAO AVSEC Symposium 2019
What we will cover:

• Aim and expected outcomes of this workshop

• The foundations of a positive security culture

• The link to the UK SeMS Framework

• The SeMS Chapters (including practical examples to help its development)

• How SeMS links into ICAO requirements (Annex 17) and the GASeP

- Break -

• Revisit SeMS and look at other potential benefits it can offer.

• First steps

• Final thoughts
Aim:

To explore the fundamentals of an effective Security Management System (SeMS) and link these to the development of a positive Security Culture
Expected outcomes:

• Gain a better understanding of some of the key aspects that may help within the
development of an effective SeMS and the potential benefits that this can bring to
an organisation

• Learn and share ideas and best practice in a number of the UK SeMS framework
chapters

• Understand the rationale behind how implementing a SeMS can aid in the
development of a positive security culture.
The Foundations of a Positive Security Culture
Security Culture
Key points to a Positive Security Culture:

• Leadership

• Positive work environment

• Understanding the threat

• Training / Education

• Incident Response

• Vigilance

• Effective Reporting Systems


Security Culture
Wealth of information out there relating to Security Culture…
ICAO – GASeP Priorities:

The Global Aviation Security Plan (GASeP) provides the foundations for States, industry,
stakeholders and ICAO to work together with the shared and common goal of achieving five key
priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support

ICAO Global Aviation Security Plan (GASeP): https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
The UK Security Management Systems (SeMS) Framework.
Security Management Systems (SeMS)
• Akin to Safety Management Systems (SMS) a SeMS is made up of…
  - Security Policy and Objectives
  - Security Risk Management
  - Security Assurance and Oversight
  - Security Promotion

• SeMS provides a formalised, risk driven framework for integrating security into the daily operations and culture of an Entity.

• A SeMS enables an Entity to identify and address security risks, threats, gaps and
weaknesses in a consistent and proactive way
Security Management Systems (SeMS)
1. Management Commitment
2. Threat and Risk Management
3. Accountability and Responsibilities
4. Resource
5. Performance Monitoring, Assessment and Reporting
6. Incident Response
7. Management of Change
8. Continuous Improvement
9. Education and Security Culture
10. Communication
SeMS Chapters

1) Management Commitment

2) Threat and Risk Management

3) Accountability & Responsibility


1) Management Commitment

The Entity’s management should show its commitment to security by:

1. Board-level and senior management support of the SeMS

2. Promoting a positive security culture

3. Key appointments that reflect the importance of the SeMS

4. Determining and providing the appropriate resources


ICAO – GASeP Priorities:

The Global Aviation Security Plan (GASeP) provides the foundations for States, industry,
stakeholders and ICAO to work together with the shared and common goal of achieving five key
priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support

https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
2) Threat and Risk Management
A SeMS should provide:

1) A process for identifying local threats
2) A threat assessment and scoring process
3) A process for assessing the security risks
4) A review process.
ICAO – GASeP / Annex 17 Priorities:

The Global Aviation Security Plan (GASeP) provides five key priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support

Annex 17 states:

‘2.2.2 Each Contracting State shall ensure that measures designed to safeguard against acts of unlawful interference are applied to domestic operations to the extent practicable, based upon a security risk assessment carried out by the relevant national authorities.’

https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
3) Accountability and Responsibility
Accountability and responsibilities for security should be clearly defined throughout an
Entity, including security responsibilities at all levels. This should be tailored to an
individual’s role.

• Airport Chief Executive Officer (CEO)
• Airport security officer
• Airside maintenance staff at airport
• Cleaner at airport
• Front desk staff at independent airport hotel
• Airport taxi driver
• Passenger
ICAO – GASeP Priorities:

The Global Aviation Security Plan (GASeP) provides the foundations for States, industry,
stakeholders and ICAO to work together with the shared and common goal of achieving
five key priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support.

https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
Break away session. (1)
Please discuss within groups some examples of best practice that you have seen, or future
ideas that you may have, in relation to developing / evidencing:

1) Management Commitment to security
2) Threat and Risk Management
3) Defining Accountabilities & Responsibilities to staff

Time: 5-10 minutes

Outcome: A few suggestions to present to the group of best practice that you have
seen either from industry or from the regulator / Government.
Best Practice - Management Commitment
A Security Policy which can:

- Describe who the policy applies to.

- Cover the entity’s security standards and recommended practices

- Define who enforces the policy

- Explain what the consequences of failure to follow the policy are.

- Encourage a Just Culture and the reporting of incidents.

- Be endorsed and visibly signed by the Accountable Manager
Best Practice …. Management Commitment

• Managerial walkabouts

• Breakfast with the board

• Back to the floor exercises

• Open phone lines

• Newsletters

• Release of Board Minutes / Actions

• Recognition of good deeds


Best Practice…. Threat and Risk Management

• Holding regular meetings with appropriate departments / organisations present

• Maintaining a collaborative relationship with your regulator / Government body

• Suitably trained staff

• Having a defined risk tolerability matrix within the company


Best Practice …. Accountability & Responsibility
- Drop in sessions / Security days
- General Security Training to all staff / 3rd parties
- Posters / Audio messages
- Job Adverts
- Security Champions in all departments
SeMS Chapters

4) Resource

5) Performance Monitoring, assessment and reporting


4) Resources

1. The provision of adequate facilities, resources, equipment and support

2. The Entity placing an appropriate degree of importance on security in the selection of personnel

3. Appropriate specifications for security equipment and services and maintenance

4. Effective contracting and oversight of 3rd parties, contractors and suppliers
ICAO – GASeP Priorities & Annex 17

The Global Aviation Security Plan provides five key priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support.

Annex 17 recommends:

2.5.1 Each Contracting State should promote research & development of new security equipment, processes and procedures which will better achieve civil aviation security objectives (…).

2.5.2 Each Contracting State should ensure that the development of new security equipment takes into consideration Human Factors principles.

2.5.3 Each Contracting State should consider implementing innovative processes and procedures to allow operational differentiation of screening and security controls based on clearly defined criteria.

https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
5) Performance Monitoring, Assessment and Reporting

1) Collection, analysis and sharing of honest and accurate data is an essential SeMS principle.

2) Effective, targeted performance measurement and reporting is part of the bedrock of a SeMS

3) Think wider than security requirements – how can overall performance be improved and
potential gaps closed?

4) An open SeMS is a good SeMS. Clear reporting procedures will encourage involvement
ICAO – GASeP Priorities & Annex 17

The Global Aviation Security Plan (GASeP) provides five key priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support.

Annex 17 states:

3.4.5 Each Contracting State shall ensure that the implementation of security measures is regularly subjected to verification of compliance with the national civil aviation security programme. The priorities and frequency of monitoring shall be determined on the basis of risk assessment carried out by the relevant authorities.

https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
Break away session. (2)

Please discuss within groups some examples of best practice that you have seen, or
future ideas you may have, in relation to developing:

4) Resource management
5) Performance Monitoring, assessment and reporting

Time: 5-10 minutes

Outcome: A few suggestions to present to the group of best practice that you have
seen either from industry or from the regulator / Government.
Best Practice… (Resource Management)

Goal of every organisation is to retain staff when possible, this retains and allows development of their skill whilst building culture…

Empowering staff means higher retention rate.

‘Train people well enough so they can leave,
Treat them well enough so they don't want to’
Richard Branson

• Close engagement with training team and continuous monitoring and updating of training material
• Dedicating oversight responsibility for 3rd parties to an individual within the security team
• Speaking to and engaging with other entities, sharing best practice and ideas
Best Practice …. Performance Monitoring, Assessment and Reporting

- Using live and retrospective monitoring (CCTV) as a form of quality assurance

- Using 3rd party providers to conduct performance monitoring to gain unbiased results

- Identifying the root cause of an issue and rectifying. (Root Cause Analysis)

- Development of a Just Culture (Including a written process shared with staff identifying the procedure the company will follow when a deficiency is identified).

- Confidential reporting lines being created and promoted (external to security)


SeMS Chapters

6) Incident Response

7) Management of Change

8) Continuous Improvement
6) Incident Response &
7) Management of Change

• A robust security incident response process is in place, that encapsulates all roles and
personnel, building on a positive culture where all play their part.

• Methods of improving the response process.

• A process to implement additional security measures as appropriate.

• Effectively plan, communicate and implement changes to security policy and procedures, in a formalised manner.

• Monitor the effects of change on security as part of the change process.


ICAO – GASeP Priorities & Annex 17

The Global Aviation Security Plan (GASeP) provides five key priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support.

Annex 17 states:

5.1.4 Each Contracting State shall ensure that contingency plans are developed and resources made available to safeguard civil aviation against acts of unlawful interference. The contingency plans shall be tested on a regular basis.

https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
8) Continuous Improvement

• Routine monitoring of Security Performance Indicators

• Determine the immediate cause of below-standard performance and their implications within the operation of the SeMS

• Rectifying situations involving below-standard performance identified through security assurance activities.

• Look for where something might fail – anticipate issues and mitigate as appropriate.

• Track organisational changes and risk mitigations to ensure they are effective.
ICAO – GASeP Priorities & Annex 17

The Global Aviation Security Plan (GASeP) provides five key priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support.

Annex 17 states:

2.5 Innovation, research and development…

2.5.1 Recommendation.— Each Contracting State should promote research and development of new security equipment, processes and procedures which will better achieve civil aviation security objectives

https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
Break away session. (3)

Please discuss within groups some examples of best practice that you have seen, or
future ideas you may have, in relation to:

6) Incident response
7) Management of Change
8) Continuous Improvement

Time: 5-10 minutes


Outcome: A few suggestions to present to the group of best practice that you have
seen either from industry or from the regulator / Government.
Best Practice… (Incident Response & Management of Change)
• Clear governance in place to manage an incident

• Robust exercise schedules in place and published

• Exercising of crisis teams (where appropriate)

• Robust wash ups and incident reviews – capturing learnings and continuous
improvement

• Robust Management of Change process, that is initiated at the beginning of any change. Here, every departmental area is consulted and this is formally logged.
Best Practice… (Continuous Improvement)
Best Practice…. Continuous Improvement

‘We commenced our SeMS journey in 2008 with the development of a 45 page SeMS Manual
outlining the roles and responsibilities (current and future state) of senior management and
each of our business units. The manual was widely circulated and formed the foundation of
what we have today

In 2019, the SeMS Manual is gone as SeMS is now part of the Qantas way of life. It is part of
each business unit’s way of thinking, but this has been a long and sometimes difficult journey.’
SeMS Chapters

9) Education and Security Culture

10) Communication
9) Education and Security Culture

• An organisation must never become complacent and must continually strive to develop
and maintain a positive security culture within its organisation, encompassing not
only the staff conducting a security role, but also all others that work for, work
alongside, engage with or travel through this entity.

• As such a SeMS education programme should reach everybody and the message
tailored to suit.

• The sharing of information between SeMS entities and the regulator will benefit
everyone and help build an industry-wide Security Culture.
ICAO – GASeP Priorities & Annex 17

The Global Aviation Security Plan (GASeP) provides five key priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support.

Annex 17 states:

13.4.2 The operator shall also establish and maintain a training programme to acquaint appropriate employees with preventive measures and techniques in relation to passengers, baggage, cargo, mail, equipment, stores and supplies intended for carriage on an aeroplane so that they contribute to the prevention of acts of sabotage or other forms of unlawful interference

https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
10) Communication

• A good communications strategy will assist to embed SeMS and an active security culture.

• Involving as many areas of the business in contributing to communications builds inclusivity in security delivery.

• Within the SeMS there should be a mechanism for allowing two way communication and measuring the effectiveness of this communication
Communication
ICAO – GASeP Priorities:

The Global Aviation Security Plan (GASeP) provides the foundations for States, industry,
stakeholders and ICAO to work together with the shared and common goal of achieving
five key priority outcomes:

1) enhanced risk awareness and response;
2) develop security culture and human capability;
3) improve technological resources and innovation;
4) improve oversight and quality assurance; and,
5) increase cooperation and support.

https://www.icao.int/Security/Pages/Global-Aviation-Security-Plan.aspx
Break away session. (4)

Please discuss within groups some examples of best practice that you have seen, or
future ideas you may have, in relation to developing:

9) Education and Security Culture

10) Communication

Time: 5-10 minutes


Outcome: A few suggestions to present to the group of best practice that you have
seen either from industry or from the regulator / Government.
Best Practice… (Education and Security Culture)

• Evidence within the UK has demonstrated that those entities who have commenced
the development of a SeMS have seen a general trend in improved compliance with an
increase in number of reported incidents.

• Every operation will be unique, as such adapting and amending ideas presented over
the day to suit your organisation and its operating environment is important.
Best Practice… (Communication)

• Morning briefings, Availability of managers, Availability of regulators and government departments.

• Newsletters, posters, leaflets

• Visual displays / TV screens / Lightboxes

• Tannoy announcements, Security champions/representatives to promote security in their department.

• Using different languages / making messages simple / changing on regular basis


- Break -
SeMS Chapters
1. Management commitment
2. Threat and Risk Management
3. Accountability and Responsibilities
4. Resource
5. Performance monitoring, assessment and reporting
6. Incident response
7. Management of Change
8. Continuous Improvement
9. Education and Security Culture
10. Communication
SeMS; additional benefits:

• Improved oversight of operations for managers & appropriate quality assurance conducted

• Improved ability to identify threats prior to incident & using a more proactive approach
to aviation security

• The development of a security culture where security is everybody's responsibility

• Improved communication within the entity & between an entity & its third party partners
Comments from industry…

‘With accountability and responsibility moving closer to the front line, employee
understanding has increased, training becomes more relevant, feedback and reporting
has improved, trust has increased and the security culture has improved. With an
improved security culture, incidents (and repeat incidents or breaches) are fewer –
compliance is up’.
Comments from industry…

“It’s made security everyone's business”

“A SeMS enables more effective use of existing tools and systems”

“SeMS has joined up procedures that we are already implementing” (…) “generating a clearer picture for senior managers”

“SeMS has provided me with a complete overview of security within my business that I did not have previously”

“Since implementing a SeMS we have seen a 50% increase in security incident reporting”
SeMS; First steps…

Visit:

www.caa.co.uk/SeMS

Open:

SeMS entity self-assessment questionnaire
Final Thought

• As a regulator, state representative or member of industry, regardless of the amount of time and effort you put into implementing change you still face the same problem as everyone else:

‘security is only as strong as the weakest link in the aviation chain. We need to work together globally to improve standards throughout.
Further information

• Framework for an Aviation Security Management System (SeMS) CAP 1223*

• Implementing a Security Management System : An Outline CAP 1273*

• SeMS : A guidance note for Accountable Managers CAP 1224*

• External FAQs*

* Available at www.caa.co.uk/SeMS
Questions?
