enhancing nuclear security culture in organizations ... · 25 to nuclear security culture in...
TRANSCRIPT
NUCLEAR SECURITY SERIES NO. XX
ENHANCING NUCLEAR SECURITY CULTURE IN
ORGANIZATIONS ASSOCIATED WITH NUCLEAR
AND/OR RADIOACTIVE MATERIAL
DRAFT TECHNICAL GUIDANCE
INTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA, 20XX
NST027
DRAFT: July 2016
STEP 8: Soliciting comments by Member States
CONTENTS 1. INTRODUCTION ................................................................................................................ 1
1.1 Background ............................................................................................................. 1 1.2 Objective ................................................................................................................. 2 1.3 Scope ....................................................................................................................... 2 1.4 Structure .................................................................................................................. 3
2. NUCLEAR SECURITY CULTURE ENHANCEMENT PROGRAMME STRUCTURE . 5
2.1 Nuclear Security Culture Enhancement Programme Roles and Responsibilities ... 7 2.1.1. State and/or competent authority .............................................................. 10 2.1.2. Nuclear security culture enhancement group ........................................... 12 2.1.3. Facility/activity head and competent authority ........................................ 15 2.1.4. Culture coordinator................................................................................... 16 2.1.5. Manager .................................................................................................... 19 2.1.6. Leader ....................................................................................................... 21 2.1.7. Personnel .................................................................................................. 21
3. KEY ELEMENTS OF A SYSTEMATIC NUCLEAR SECURITY CULTURE ENHANCEMENT PROGRAMME ........................................................................................ 22
3.1 Regulatory Basis ................................................................................................... 23 3.2 Self-Assessment .................................................................................................... 23 3.3 Action Plan ............................................................................................................ 25
3.3.1. Culture coordinator develops action plan ................................................. 26 3.3.2. Culture coordinator reviews action plan with head of the facility/activity 28 3.3.3. Culture coordinator incorporates changes and head of facility/activity approves action plan.............................................................................................. 28 3.3.4. Culture coordinator implements the action plan ...................................... 28 3.3.5. Culture coordinator reviews outcomes of actions .................................... 29 3.3.6. Culture coordinator revises action plan .................................................... 29
3.4 Nuclear Security Education and Training ............................................................. 29 3.5 Promotional Products and Training Aids .............................................................. 33 3.6 Human Resource Elements ................................................................................... 34
3.6.1. Personnel suggestion programme ............................................................. 34 3.6.2. Personnel recognition programmes .......................................................... 35 3.6.3. Trustworthiness programme ..................................................................... 35 3.6.4. Personnel assistance programme .............................................................. 36
3.7 Code of Conduct ................................................................................................... 36 3.8 Lessons Learned Programme ................................................................................ 36 3.9 Continuous Improvement of Nuclear Security ..................................................... 37 3.10 Enhancing Nuclear Security Culture..................................................................... 37
APPENDIX I: EXAMPLES OF THE IMPACT OF NUCLEAR SECURITY CULTURE ON NUCLEAR SECURITY .......................................................................................................... 39
APPENDIX II: SAMPLE ACTION PLAN FORMAT ........................................................... 48
APPENDIX III: NUCLEAR SECURITY INDICATORS AND SAMPLE ENHANCEMENT ACTIONS ................................................................................................................................ 54
APPENDIX IV: SAMPLE NUCLEAR SECURITY CODE OF CONDUCT ...................... 134
APPENDIX V: SUGGESTED TOPICS TO INCLUDE IN MANAGEMENT TRAINING 136
APPENDIX VI: LEADERS AND MANAGERS ................................................................. 141
APPENDIX VII: STRENGTHENING THE WORK ENVIRONMENT ............................. 147
APPENDIX VIII: EVOLUTION OF NUCLEAR SECURITY CULTURE ......................... 150
REFERENCES ...................................................................................................................... 155
GLOSSARY .......................................................................................................................... 157
1
1. INTRODUCTION 1
1.1 BACKGROUND 2
In its Nuclear Security Series, the IAEA issues publications providing nuclear security 3
guidance to States to assist in establishing, implementing, and maintaining their national 4
nuclear security regime. Nuclear security culture is an important component of an effective 5
nuclear security regime as indicated in high level IAEA guidance, notably the Nuclear 6
Security Fundamentals [1] and Recommendations [2, 3]. Essential Element 12(c) set out in 7
Ref. [1] states that “Developing, fostering and maintaining a robust nuclear security culture” 8
contributes to the sustainability of a nuclear security regime. 9
Security culture is one of the 12 Fundamental Principles of the 2005 Amendment to the 10
Convention on the Physical Protection of Nuclear Material [4]. Entry into force of the 2005 11
Amendment will make these Fundamental Principles binding on States party to that 12
Amendment. The Fundamental Principle on security culture states: 13
“All organizations involved in implementing physical protection should give due 14
priority to the security culture, to its development and maintenance necessary to 15
ensure its effective implementation in the entire organization.” 16
The IAEA is issuing this publication to assist States to develop, enhance, and maintain a 17
robust nuclear security culture. This publication is complementary to and consistent with: 18
— Nuclear Security Series No. 7 [5], which provides a model for nuclear security culture 19
and identifies roles and responsibilities of various nuclear security stakeholders; 20
— NST026 [6], which provides a methodology for nuclear security culture self-21
assessment. 22
Operating organizations try to balance the demands of and resources spent on safety, security 23
and their basic mission (e.g. power generation, research or medical uses). Nuclear safety and 24
nuclear security programmes are an investment to protect against unacceptable events and 25
thereby ensure that the mission continues. Both disciplines can work together to make sure 26
that the threat to each is addressed as effectively as possible. For example, radiation 27
detectors placed in key locations can be used to detect both radioactive contamination on 28
2
personnel and the unauthorized movement of nuclear and other radioactive material. 1
Cameras may be used to detect theft attempts as well as remotely monitor operations to verify 2
proper procedures are used for the safe handling of nuclear and other radioactive materials. 3
Access controls not only limit the number of potential insiders accessing nuclear and other 4
radioactive materials, but may also be used to ensure that only individuals who have been 5
properly trained in the safe handling of nuclear and other radioactive materials have access to 6
them. 7
The IAEA has also issued several publications on enhancing nuclear safety culture [7–9]. 8
Much of the information in these publications is also applicable to nuclear security culture, as 9
both nuclear safety culture and nuclear security culture are part of an overall organizational 10
culture. 11
1.2 OBJECTIVE 12
This publication is intended to provide practical guidance on how to implement a systematic 13
approach to enhance nuclear security culture, leading to increased effectiveness of the nuclear 14
security regime insofar as regulated activities are concerned. This guidance is provided for 15
use by States, relevant competent authorities, and the operators of associated facilities and 16
associated activities (including their managers and other personnel). Users of this document 17
may adjust this guidance and include additional actions to enhance nuclear security culture as 18
appropriate. 19
1.3 SCOPE 20
This Technical Guidance addresses the enhancement of nuclear security culture in 21
organizations having responsibilities in relation to the nuclear security of associated facilities 22
and associated activities, i.e. facilities and activities in which nuclear material and other 23
radioactive material is under regulatory control. The general approach may also be applicable 24
to nuclear security culture in organizations with responsibilities in relation to the security of 25
nuclear and other radioactive material out of regulatory control, but the detailed guidance is 26
not addressed to such cases. 27
3
The enhancement of safety culture is outside the scope of this Technical Guidance: relevant 1
requirements are specified in Safety Requirements on Leadership and Management for 2
Safety1. 3
As leaders and managers greatly affect nuclear security culture, this publication includes 4
guidance on how to enhance management and leadership skills to better support nuclear 5
security and the stakeholder organization as a whole. The importance of nuclear security, the 6
credibility of the threats, and each person’s responsibility are emphasized through the 7
development and implementation of self-assessments, action plans, regulatory and guidance 8
documents, training programmes, and a nuclear security promotional component using aids 9
such as poster campaigns, newsletters, and brochures. 10
Whereas the operator has the prime responsibility for implementing measures for the nuclear 11
security of nuclear material, other radioactive material, associated facilities and associated 12
activities, these responsibilities are overseen and/or strongly supported by various competent 13
authorities, such as regulatory bodies and law enforcement, who also have a need for a robust 14
nuclear security culture to carry out their nuclear security functions effectively. This 15
publication therefore addresses enhancing nuclear security culture within all stakeholder 16
organizations, whether operators or competent authorities with a designated role in 17
regulating/supporting regulated entities. This publication is also intended for any 18
stakeholders whose only involvement with regulated associated facilities and associated 19
activities is to have been given legitimate access to sensitive information concerning such 20
facilities or activities. 21
1.4 STRUCTURE 22
Following this Introduction: 23
— Section 2 highlights the goals, scope, and roles and responsibilities of those involved 24
in a systematic nuclear security culture enhancement programme. It provides steps 25
that can be taken by each in an effort to support nuclear security culture enhancement. 26
1 INTERNATIONAL ATOMIC ENERGY AGENCY, Leadership and Management for
Safety, Safety Requirements, to be published (DS456).
4
— Section 3 describes the key elements of a systematic nuclear security culture 1
enhancement programme. It includes information about nuclear security culture 2
regulatory basis and suggests how a regulatory basis can support sustainability within 3
an enhancement programme. It contains step-by-step guidance on how to develop a 4
nuclear security culture action plan. This section also includes information about the 5
self-assessment process and provides suggestions for nuclear security education and 6
training in an enhancement programme. It covers promotional products and training 7
aids as well as human resource elements that support the nuclear security culture. A 8
code of conduct, lessons learned programmes, the impact of human factor on nuclear 9
security effectiveness, and the need for continuous improvement are also covered. 10
— Appendix I provides examples of how the attitudes, beliefs, and behaviours of 11
personnel impact overall effectiveness of nuclear security. 12
— Appendix II includes a template for an action plan to support enhancement and a 13
completed action plan sample. 14
— Appendix III provides a matrix of indicators and sample actions that may be taken to 15
enhance nuclear security culture. 16
— Appendix IV provides a sample nuclear security code of conduct. 17
— Appendix V describes the training that personnel, in particular managers, may take to 18
enhance nuclear security. 19
— Appendix VI reviews how leaders and managers differ and provides guidance on how 20
to lead nuclear security culture enhancement. 21
— Appendix VII includes information about strengthening the work environment within 22
a nuclear security culture enhancement programme. 23
— Appendix VIII summarizes the evolution of nuclear security culture in three stages: 24
(1) security measures are based on rules and regulations; (2) security becomes a goal; 25
and (3) security can always be improved. 26
5
2. NUCLEAR SECURITY CULTURE ENHANCEMENT PROGRAMME 1
STRUCTURE 2
Nuclear security culture is defined in Ref. [1] as “the assembly of characteristics, attitudes 3
and behaviour of individuals, organizations and institutions which serve as a means to 4
support, enhance and sustain nuclear security”. 5
Nuclear security culture contributes to the ability of personnel to effectively mitigate 6
potential threats to nuclear and radioactive material by promoting appropriate attitudes and 7
behaviours that result in personnel adopting a more rigorous and prudent approach to their 8
nuclear security responsibilities. It instils vigilance and increases awareness of abnormal 9
conditions. Within competent authorities/associated facilities/associated activities that have a 10
strong nuclear security culture and have created a high level of job satisfaction, it is less 11
likely that personnel will commit a malicious act, either due to their belief that nuclear 12
security is important or to the deterrence factor of vigilance and professional adherence to 13
nuclear security practices that characterize the nuclear security regime. 14
Nuclear security culture is a tool that strengthens nuclear security through the system’s 15
continuous efforts to: 16
— Increase understanding of threats to and vulnerabilities of nuclear and other 17
radioactive material, associated facilities, and associated activities and sensitive 18
information 19
— Create a common understanding and awareness of nuclear security issues at all levels 20
(State, competent authority, facility/activity, manager and personnel) and enhance 21
coordination among these nuclear security stakeholders 22
— Involve all stakeholders in the collective task of promoting the importance of nuclear 23
security and creating a mind-set that is supportive of nuclear security 24
— Create a feeling of individual and collective responsibility for nuclear security 25
— Create a sense of pride of performance and promote job satisfaction to dissuade 26
disgruntled personnel who might carry out malicious acts 27
— Promote appropriate allocation of resources to nuclear security programmes 28
6
— Reduce human error and its impact on the effectiveness of nuclear security systems 1
and measures 2
— Establish an atmosphere of respect for all nuclear security personnel 3
— Take into account lessons learned and feedback to continuously improve nuclear 4
security. 5
Each stakeholder already has established a certain level of nuclear security culture. When 6
one works to systematically enhance nuclear security culture, personnel rally around a 7
common goal that increases the stakeholder’s ability to maintain effective nuclear security 8
and support its continuous improvement. Personnel working together to enhance nuclear 9
security results in fewer inspection findings and sanctions, and enhanced relationships with 10
other stakeholders, including the public. 11
People can be either the strongest asset or the weakest link in a nuclear security programme. 12
Nuclear security culture goes beyond a traditional focus on technical nuclear security 13
measures as the underpinning of an effective nuclear security programme. Instead, it 14
recognizes the critical role that the human factor plays in assuring that nuclear security 15
regime is better able to meet the challenges and threats present in today’s world. Because the 16
threats are always evolving, it is necessary to continually assess the existing nuclear security 17
systems and improve upon them to ensure that they are consistent with the current threat. If 18
personnel understand that their contribution to nuclear security is important, then they will be 19
motivated to implement the nuclear security system effectively and vigilantly, and contribute 20
to its improvement. 21
In its implementation, a nuclear security culture enhancement programme has three major 22
goals: 23
(a) Continuously sustain and improve effectiveness of the nuclear security system. 24
(b) Increase the understanding of the importance of taking personal responsibility for 25
nuclear security. 26
(c) Promote, establish, and sustain the attitudes, beliefs, and behaviours that support 27
effective nuclear security and personal responsibility for nuclear security. 28
7
Some examples of the impact of nuclear security culture on the effectiveness of nuclear 1
security are included in Appendix I. 2
2.1 NUCLEAR SECURITY CULTURE ENHANCEMENT PROGRAMME ROLES 3
AND RESPONSIBILITIES 4
The level of nuclear security culture within a State is impacted by: 5
— The State; 6
— Competent authorities; 7
— Heads of relevant facilities/activities; 8
— Managers of relevant facilities/activities; 9
— Other leaders (individuals, at any level or in any position, who act as role models and 10
guide other personnel to achieve a common goal); 11
— Other personnel (including staff, contractors, vendors or other collaborators) who 12
work in or support relevant facilities/activities. 13
To implement a systematic nuclear secuirty culture enhancemen programme, the State may 14
identify the following roles to assist with conducting nuclear security culture enhancement 15
programme activities : 16
— A nuclear security culture enhancement group, comprising representatives from the 17
nuclear security stakeholders as identified by the State. This group sets the strategy to 18
enhance the nuclear security culture and provides high level oversight of its 19
implementation; and 20
— A culture coordinator: a person or group officially appointed to lead the effort to 21
enhance nuclear security culture and reinforce all participants’ responsibilities for 22
nuclear security effectiveness. 23
A State’s regulatory body may be responsible for assessing operators’ nuclear security culture 24
efforts. It is understood that there is complete independence between the regulatory body and 25
the operators. Maintaining this independence does not preclude representatives from the 26
regulatory body and the operator from serving on the nuclear security culture enhancement 27
8
group. Having representatives from both of these organizations serve on the group promotes 1
information sharing on nuclear security culture enhancement. For example, the regulatory 2
body can provide information to the operators on what is required from them in the area of 3
nuclear security culture and make sure that trends are being addressed. 4
Since a strong nuclear security culture cannot be mandated and the regulatory body will be 5
busy with conducting assessments, it is recommended that the State establish the nuclear 6
security culture enhancement group to nurture nuclear security culture by specifically setting 7
the policy, guidelines and structure supporting the nuclear security culture enhancement 8
programme. The recommended nuclear security culture enhancement group is a central 9
mechanism for coordinating nuclear security culture efforts and not a regulatory mechanism. 10
See Section 2.1.2 for details of suggested roles and responsibilities of the nuclear security 11
culture enhancement group. 12
An example of how to structure a systematic nuclear security culture enhancement 13
programme is laid out in Figure 1. This example is for consideration only and each State may 14
determine the most effective way to structure its programme based on its needs and 15
requirements. 16
9
1 FIG. 1. Sample structure of a systematic nuclear security culture enhancement programme. 2
In the above sample structure, the State is responsible for establishing and maintaining a 3
legislative and regulatory framework to govern nuclear security and may issue policy as part 4
of this framework. The State assigns nuclear security responsibilities to designated 5
competent authorities and requires compliance by operators of associated facilities and 6
associated activities with nuclear security requirements established by the State and the 7
competent authority. The nuclear security culture enhancement group may consist of various 8
nuclear security stakeholders, including State and competent authority representatives. The 9
nuclear security culture enhancement group is focused on setting the strategy of how to 10
enhance nuclear security culture within designated competent authorities, associated facilities 11
and associated activities and refining this strategy based on implementation results. 12
In this example, the role of the culture coordinator is paramount in the daily execution of the 13
programme as this position is responsible for keeping a continuous focus on the importance 14
of nuclear security, reminding managers and personnel of the credibility of threats to nuclear 15
and other radioactive material, and continuously motivating managers and personnel to 16
10
maintain the effectiveness of the nuclear security programme. Each member of the nuclear 1
security culture enhancement group also acts as an advocate for nuclear security within their 2
organization. In this way, they lobby for resources, regulations, oversight, and general 3
infrastructure needs to support a State’s nuclear security regime. In addition, all participants 4
regularly report on progress, achievements, and issues to evaluate and improve programme 5
effectiveness. 6
The following subsections provide a set of actions that each programme participant may take 7
to enhance nuclear security culture. 8
2.1.1. State and/or competent authority 9
Depending on the structure of its nuclear security regime, the State and/or competent 10
authority perform the following actions to support nuclear security culture enhancement 11
insofar as associated facilities and associated activities are concerned: 12
(a) Establishes the legislative and regulatory framework for nuclear security, which may 13
include a requirement to implement a nuclear security culture enhancement 14
programme. 15
(b) Promotes nuclear security culture development in those facilities/activities under its 16
jurisdiction. 17
(c) Educates regulatory inspectors on nuclear security culture so that they may gain an 18
appreciation of the human impact on nuclear security effectiveness and be better able 19
to evaluate nuclear security culture. 20
(d) Establishes a nuclear security framework based on current activities undertaken 21
within the State involving nuclear and other radioactive material and the potential 22
threats it faces. The framework will include requirements for identifying and 23
assessing nuclear security threats, designing and testing nuclear security systems, 24
establishing systems to ensure nuclear and other radioactive material are appropriately 25
accounted for or registered and are effectively controlled and protected, addressing 26
and reporting issues related to nuclear security events and noncompliance, handling 27
sensitive information, determining the trustworthiness of personnel (consistent with 28
national practices), and licensing. It is suggested that one goal of the framework is to 29
provide a clear understanding of the need for and the major aspects of a nuclear 30
11
security culture enhancement programme. Since nuclear security culture concerns all 1
stakeholders, it is further suggested that the State request involvement from 2
representatives of other nuclear security participants (e.g. the competent authorities 3
and selected operators of the facilities/activities) when drafting the policy for the 4
nuclear security culture enhancement programme. 5
(e) Designates responsibilities within a nuclear security culture enhancement programme 6
to stakeholders that are responsible either directly or indirectly for the protection of 7
nuclear and other radioactive materials. These stakeholders will vary depending on 8
how the State has structured its nuclear security regime. Stakeholders may include 9
competent authorities, those in charge of promotion or utilization of nuclear energy 10
(e.g. training centres, fuel fabrication facilities), and those licensed or authorized to 11
use, store or transport nuclear and/or other radioactive material for industrial research 12
and other peaceful uses (e.g. hospitals). Stakeholders also include guard/response 13
force and customs services. 14
(f) Allocates resources to regulatory bodies to conduct nuclear security culture 15
enhancement actions in accordance with the nuclear security culture enhancement 16
strategy (e.g. providing oversight, designating responsibilities, drafting policy, 17
providing recommendations, defining requirements, and providing training). 18
(g) Encourages stakeholders to assist with IAEA guidance development, participate in 19
IAEA meetings and workshops, and use IAEA publications and other resources. 20
(h) Creates a nuclear security culture enhancement group consisting of representatives 21
from the major nuclear security stakeholders, such as the relevant competent 22
authorities. This group will be inclusive but practicable. If the competent authority is 23
responsible for both nuclear and other radioactive material, including associated 24
facilities, and associated activities, it may be more manageable to have separate 25
enhancement groups or subgroups (one to address nuclear material and one to address 26
other radioactive material). In addition, including a human factors expert and/or a 27
psychologist as a member of the enhancement group is suggested. 28
(i) Establishes an internal nuclear security culture enhancement programme (See section 29
2.1.3). 30
12
2.1.2. Nuclear security culture enhancement group 1
The nuclear security culture enhancement group may consist of representatives of the State, 2
relevant competent authorities, operators of associated facilities/activities, nuclear security 3
experts, psychologists, and stakeholders such as nuclear security training centres. The 4
enhancement group performs the following activities: 5
(a) Undertakes introductory training (e.g. an IAEA nuclear security culture workshop) to 6
become familiar with the core concepts and to be provided with a common foundation 7
and understanding of nuclear security culture. The group determines whether 8
additional training of the group members is needed. 9
(b) Documents the actions currently being done at all levels to enhance nuclear security 10
culture. 11
(c) Reviews the approach used by the State to enhance nuclear safety culture and 12
determines if any of the same approaches can be used. 13
(d) Develops the nuclear security culture enhancement strategy and determines the key 14
elements of the State’s systematic enhancement programme (see Section 3 for 15
suggestions on key elements), drafts and distributes implementation guidance, and 16
provides high-level oversight implementation. 17
(e) Determines a process to review and update the nuclear security culture enhancement 18
strategy. Modifications of the strategy may arise after pilot programmes have been 19
conducted and assessed, after results of self-assessments are analysed, after nuclear 20
security trends are identified, and/or on a regular basis (e.g. annually). 21
Some questions to be considered when developing the nuclear security culture 22
enhancement strategy are: 23
o Are the expectations for nuclear security clearly communicated? 24
o Are competent authorities held equally responsible for both nuclear security 25
and nuclear safety? 26
o Are personnel working in the radioactive and nuclear field receiving the 27
appropriate skills and knowledge through the State-approved training 28
13
programme to effectively conduct their work and respond to abnormal 1
situations? 2
o Is there a State-level event reporting system under which non-sensitive lessons 3
learned can be distributed in order to avoid repeating mistakes? 4
o Is there a State-level requirement for the facility/activity operator to conduct 5
self-assessments? 6
o Is there a State-level requirement for conducting root cause analyses and does 7
it cover human factor issues? 8
o Is there a State-level requirement for the facility/activity operator to 9
implement a personnel assistance programme that mitigates stressors among 10
personnel to decrease potential insider threats? 11
o Has a training analysis been conducted for personnel working in the 12
radioactive and nuclear field? 13
o Does the training programme for top-level managers include methods on how 14
to motivate personnel? 15
(f) Identifies the roles and responsibilities of a culture coordinator to provide a structure 16
for nuclear security culture enhancement to be carried out. This culture coordinator is 17
responsible for carrying out enhancement actions in accordance with the policy set by 18
the group and specific to the facility/activity needs (see Section 2.1.4 for more 19
information). 20
(g) Identifies content and authorizes development of training materials and other 21
resources for the culture coordinator to conduct their role in enhancing the nuclear 22
security culture. The group establishes a process in which the culture coordinator is 23
provided initial and refresher training on topics such as the basics of nuclear security 24
culture, how to conduct self-assessments, how to develop and implement an action 25
plan, and how to implement change (see Section 3.4 for more topics that may be 26
included in this training). 27
(h) Identifies content and authorizes development of training materials for managers to 28
understand the importance of nuclear security culture and how best to enhance and to 29
14
receive knowledge they can use to enhance, the work environment to decrease 1
potential insider threats (see Section 3.4 and Appendices III and V for topics that can 2
be included in this training). 3
(i) Meets with the culture coordinators on a regular basis (e.g. every six months) to 4
review progress made to date, identifies and resolves common issues, shares good 5
practices, and provides resources (e.g. training materials, posters, videos, brochures, 6
newsletters) in support of enhancing nuclear security culture. 7
(j) Serves as a mentor to one or more of the culture coordinators to provide advice on 8
development of action plan efforts, updates on nuclear security and nuclear security 9
culture topics, and advice on resolving issues affecting completion of action plan 10
items. 11
(k) Meets as necessary to identify and develop support materials, such as training, culture 12
coordinator reference documents, and poster campaigns. 13
(l) Is responsible for fostering the importance of nuclear security through promoting 14
attitudes, behaviours, and beliefs that support allocation of resources and general 15
support to nuclear security. To that regard, the group member uses the same or 16
similar resources used by the culture coordinator to: 17
o Provide education on the credibility of the threat, importance of nuclear 18
security, and the consequences of ineffective nuclear security, 19
o Communicate nuclear security priorities. 20
(m) Stays up to date on nuclear security events and analyses them with regard to nuclear 21
security culture, and advances in nuclear security culture, both in the domestic sphere 22
and internationally to ensure that the enhancement programme remains relevant and 23
continues to counter ever-evolving threats to nuclear and other radioactive material, 24
associated facilities, associated activities. 25
(n) Provides information to the culture coordinators on nuclear security events and trends 26
that can be used as an area of improvement to focus on under the programme, as 27
applicable. 28
(o) Develops a code of conduct (a sample is included as Appendix IV). 29
15
2.1.3. Facility/activity head and competent authority 1
The head of the facility/activity or competent authority or other nuclear security stakeholder 2
performs the following actions to implement a systematic nuclear security culture 3
enhancement programme that promotes the attitudes, behaviours, and beliefs that support a 4
continuous cycle of improving nuclear security effectiveness: 5
(a) Announces the enhancement programme in accordance with the implementation 6
guidance and nuclear security culture enhancement strategy provided by the 7
enhancement group. 8
(b) Designates a person(s) who will take on the role and responsibilities of the culture 9
coordinator. 10
(c) Ensures that the culture coordinator completes the necessary training to carry out their 11
roles and responsibilities. 12
(d) Decides how best to implement the nuclear security culture enhancement programme, 13
including the culture coordinator roles and responsibilities 14
(e) Issues an official document to all personnel announcing the establishment of the 15
nuclear security culture enhancement programme, identifying the culture coordinator 16
and their responsibilities, and stressing the need for cooperation. 17
(f) Allocates the appropriate resources to the nuclear security culture enhancement 18
programme. 19
(g) Supports the nuclear security culture training programme provided to all personnel. 20
(h) Authorizes nuclear security culture self-assessments, reviews results of the 21
assessments, and distributes results to personnel. 22
(i) Reviews and authorizes the nuclear security culture enhancement action plan, 23
provides resources to implement it, and oversees the results. 24
(j) Reviews the results of the nuclear security culture enhancement programme and 25
provides feedback to the culture coordinator and enhancement group. 26
(k) Reviews the management systems identified in Ref. [5], and implements as 27
appropriate. 28
16
(l) Establishes mechanisms for reporting unusual occurrences and nuclear security 1
concerns, tracking resolution of corrective actions and ensuring corrective actions are 2
completed in a timely manner. 3
(m) Acts as a positive role model supporting effective nuclear security by adhering to all 4
nuclear security requirements, showing leadership behaviour noted in Ref. [5], and 5
expecting personnel to adhere to high standards of individual and collective 6
behaviour. 7
(n) Fosters leadership behaviour among all levels of personnel. 8
(o) Establishes clear expectations and accountability regarding nuclear security on the 9
part of all managers and personnel. 10
(p) Communicates nuclear security priorities, as appropriate, to personnel. 11
(q) Establishes mechanisms to promote behaviour that supports and enhances nuclear 12
security, such as a personnel suggestion programme. 13
(r) Signs the code of conduct (see example in Appendix IV), is familiar with its contents, 14
and conducts himself/herself accordingly. 15
2.1.4. Culture coordinator 16
A systematic enhancement programme needs all personnel to work together to enhance 17
nuclear security culture. The culture coordinator continuously works to promote the 18
attitudes, behaviours, and beliefs necessary to support the continuous improvement of nuclear 19
security. 20
These roles and responsibilities are given to one person who will lead the enhancement effort. 21
Depending on the scope of the facility’s/activity’s nuclear security responsibilities, the 22
position of culture coordinator may be a full-time position, or those roles and responsibilities 23
may be included in those undertaken by a person in another nuclear security-related position. 24
The culture coordinator is positioned at a high enough level or has the appropriate level of 25
authority to make change within the facility/activity and be able to inform its head of the 26
efforts, progress, and results on a regular basis (e.g. weekly). Depending on the size of the 27
facility/activity, the culture coordinator may have assistants or a group of specialists with 28
complementary skills and experience in areas such as nuclear material accounting and 29
17
control, physical protection, psychology, sociologists, safety, transport, and/or guard/response 1
force. Assistants help implement nuclear security culture enhancement actions in different 2
buildings, departments, or areas. For example, these assistants can provide advice on how to 3
develop a self-assessment questionnaire, provide input on appropriate scenarios to illustrate 4
in videos, and review posters and training materials for technical accuracy. 5
The culture coordinator’s qualifications may include the following: 6
— General knowledge of nuclear material and/or other radioactive material associated 7
with the facility/activity 8
— General knowledge of nuclear security requirements associated with the 9
facility/activity 10
— At least five years of management experience 11
— Responsibilities involving frequent, direct contact with the head of the facility/activity 12
and the authority to augment change within it 13
— Leadership qualities, good communication and motivational skills, and the ability to 14
manage conflict and change. 15
The culture coordinator performs the following actions to support nuclear security culture 16
enhancement: 17
(a) Participates in all required nuclear security culture training and enhancement group 18
status meetings to exchange and share enhancement experiences. 19
(b) Identifies and documents any actions already being implemented to enhance nuclear 20
security culture in the facility/activity before planning additional actions and reviews 21
efforts that are being conducted elsewhere to enhance nuclear safety culture to see if 22
these approaches may be used. 23
(c) Develops an action plan at the start of the programme detailing the enhancement 24
efforts to be conducted, which can include self-assessment and reports. This action 25
plan is approved by the head of the facility/activity. The action plan is considered a 26
living document and may be modified as events dictate (e.g. self-assessment results, 27
changes in threat, trends in nuclear security events, inspection results, changes in 28
facility/activity mission). Tasks included in the action plan are designed to 29
18
complement ongoing nuclear security arrangements (see Appendix II for suggested 1
efforts to include in the action plan). 2
(d) Ensures the action plan includes efforts that support the following: 3
o Education that current credible threat(s) exist to nuclear material, other 4
radioactive material, sensitive information and assets, associated facilities, and 5
associated activities. This may be presented in a general, non-sensitive 6
manner for all personnel and in more detail for those with a need to know 7
o Education of personnel on the importance of nuclear security and 8
consequences of ineffective nuclear security to themselves, their family, the 9
public, the associated facility/activity, the environment, and the nuclear 10
industry 11
o Promotion of attitudes, behaviours and beliefs of personnel that support 12
continuous improvement to nuclear security 13
o Analysis of information concerning the impact of human factor and human 14
error on nuclear security 15
o Development of proposals for enhancing the human element of nuclear 16
security 17
o Analysis of nuclear security events, tracking trends, and the use of lessons 18
learned to improve nuclear security 19
o Opportunities for personnel to engage in dialogue on nuclear security and their 20
personal role in relation to it, to practice their security roles and 21
responsibilities in a controlled environment whenever possible, and to develop 22
the capability to act with increasing effectiveness with respect to security over 23
time. 24
(e) On a regular basis (e.g. every two years), leads a self-assessment to evaluate the 25
results of the nuclear security culture enhancement programme, subsequently 26
adjusting the action plan. 27
19
(f) On a regular basis (e.g. every quarter), reviews progress against the action plan, tracks 1
accomplishments, and adjusts the action plan and its associated details as appropriate. 2
(g) On a regular basis (e.g. every quarter), reports the progress made against the action 3
plan as well as the status of nuclear security culture within the facility/activity to the 4
head of the facility/activity. 5
(h) Signs the code of conduct (see example in Appendix IV), is familiar with its contents, 6
and behaves accordingly. 7
2.1.5. Manager 8
The involvement of senior managers in pursuing effective nuclear security is one of the most 9
important practices in establishing a strong nuclear security culture, as most personnel will 10
judge what is important by the words and behaviour of senior managers. Managers enhance 11
nuclear security culture by using good management skills and by being a positive nuclear 12
security role model. Many of the suggestions for managers in this guidance publication 13
promote an overall positive work environment. Such an environment increases productivity, 14
decreases safety events, and reduces the potential insider threat by decreasing the possibility 15
that personnel will become disgruntled and perform a malicious act. Managers may perform 16
the following actions to support nuclear security culture enhancement: 17
(a) Completes nuclear security culture training and keeps current with nuclear security 18
trends, gaining an understanding of nuclear security culture and setting an example 19
for personnel. 20
(b) Completes all required training and continues to seek new opportunities to improve 21
management skills (e.g. effective communications, motivation) via additional training. 22
(For additional information on management training topics, see Appendices V, VI, 23
and VII.) 24
(c) Holds regular (e.g. monthly) meetings to define expectations and check for 25
understanding of nuclear security requirements. The culture coordinator may be 26
invited to the meeting to discuss actions being implemented to enhance nuclear 27
security culture and request ideas for additional actions that may be implemented to 28
improve the effectiveness of nuclear security. 29
20
(d) Supports the culture coordinator in implementing the action plan and provides 1
feedback on a regular basis (e.g. annually). 2
(e) Sets a positive example for personnel by obeying nuclear security requirements and 3
following nuclear security procedures. The manager holds himself/herself to the same 4
level of accountability for following nuclear security requirements as he/she holds 5
subordinates. 6
(f) Proposes enhancements and revisions to nuclear security requirements. The manager 7
also eliminates outdated and useless requirements. 8
(g) Performs regular (e.g. weekly) walkthroughs to observe subordinates in the field, 9
requesting feedback that can be used to adjust the nuclear security culture action plan. 10
Actively interacts with personnel during these walkthroughs to discuss nuclear 11
security concerns, ideas on how to improve work processes and environment, and the 12
level of job satisfaction, and reinforces good behaviour by providing constructive 13
feedback. 14
(h) Takes the opportunity at forums such as meetings, presentations, informal and formal 15
lunches to stress to all personnel the importance of protecting nuclear and other 16
radioactive material, sensitive information and assets, associated facilities, and 17
associated activities, and adhering to nuclear security requirements. 18
(i) Reports any unusual occurrences and creates a work environment that encourages 19
personnel to report nuclear security concerns and abnormal behaviour without fear of 20
reprisal. 21
(j) Resolves conflict that decreases the effectiveness of nuclear security in a timely 22
manner. 23
(k) Demonstrates commitment to nuclear security by supporting nuclear security policies 24
and procedures, the nuclear security culture enhancement action plan and proposing 25
new enhancement actions during regular (e.g. monthly) meetings with subordinates 26
and the culture coordinator. 27
(l) Uses nuclear security culture training materials, visual aids (posters, policy, videos), 28
and reference documents (brochures); disseminates them to personnel; and has them 29
appropriately displayed inside and outside of his/her office. 30
21
(m) Maintains appropriate nuclear security and nuclear security culture information in a 1
centralized location and encourages personnel to access these resources. 2
(n) Supports implementation of the management systems identified in Ref. [5], as 3
authorized by the head of the facility/activity. 4
(o) Reviews the effectiveness of the current nuclear security programme to ensure its 5
adequacy for current and future circumstances through the regular conduct of risk 6
assessments. 7
(p) Holds personnel accountable for their behaviour and motivates them to continuously 8
enhance nuclear security effectiveness. 9
(q) Participates in nuclear security exercises and ensures that deficiencies are eliminated. 10
(r) Seeks to continually improve nuclear security effectiveness and achieve the three 11
stages of nuclear security culture (see Appendix VIII). 12
(s) Encourages personnel to have an appropriate questioning attitude that supports 13
continuous improvement to nuclear security. 14
(t) Protects all sensitive information and assets. 15
(u) Actively supports all nuclear security culture training for subordinates and ensures 16
personnel complete such training when necessary. 17
(v) Signs the code of conduct, is familiar with its contents, and behaves accordingly. 18
2.1.6. Leader 19
Personnel who take on the unofficial position of leader in the nuclear security enhancement 20
programme visibly demonstrate their belief that nuclear security is important and inspire 21
others to take responsibility for continuously improving nuclear security effectiveness. 22
Managers and culture coordinators will seek out these leaders and work with them to 23
implement specific action plan efforts. Leaders may proactively perform all of the actions 24
listed below for personnel, plus develop creative and innovative methods to enhance nuclear 25
security culture and positively impact nuclear security. 26
2.1.7. Personnel 27
All personnel perform the following actions to support nuclear security culture enhancement. 28
22
(a) Complete all required nuclear security training and provide feedback on its 1
effectiveness and value. 2
(b) Comply with nuclear security rules, regulations, and procedures, and propose changes 3
as needed. 4
(c) Become familiar with how to readily access nuclear security and nuclear security 5
culture resources. 6
(d) Report abnormal activity and nuclear security concerns. 7
(e) Support managers in creating and maintaining a work environment that encourages 8
reporting of abnormal activity and nuclear security concerns. 9
(f) Suggest improvements to nuclear security and its effectiveness. 10
(g) Provide feedback to managers and the culture coordinator regarding programme 11
effectiveness, training, job satisfaction, work environment, etc. 12
(h) Protect all sensitive information and assets. 13
(i) Question unusual actions. 14
(j) Reinforce positive nuclear security behaviour among peers. 15
(k) Take personal and collective responsibility for nuclear security. 16
(l) Sign the code of conduct, are familiar with its contents, and behave accordingly. 17
3. KEY ELEMENTS OF A SYSTEMATIC NUCLEAR SECURITY CULTURE 18
ENHANCEMENT PROGRAMME 19
As a stakeholder reviews the elements identified in this publication to be included in a 20
systematic nuclear security culture enhancement programme, consideration may be given to 21
implementing all elements, whether it is involved with the protection of nuclear and/or other 22
radioactive material, associated facilities, and associated activities. However, the level of 23
effort, content, and scope of each element may be developed using a graded approach based 24
on the consequences of malicious acts, which in turn depend upon the quantity and category 25
of nuclear and/or other radioactive material, and the size and type of facility/activity. When 26
planning to establish a systematic programme, it is suggested that management analyse the 27
23
existing infrastructure, procedures, and processes that support and maintain such a 1
programme. 2
3.1 REGULATORY BASIS 3
A nuclear security culture enhancement programme will help a State fulfil their obligations 4
under the Amended CPPNM [4]. In particular, Fundamental Principle F in the Amendment, 5
on Security Culture, states that: 6
“All organizations involved in implementing physical protection should give due 7
priority to the security culture, to its development and maintenance necessary to 8
ensure its effective implementation in the entire organization.” 9
A regulatory basis does not dictate a strong nuclear security culture, but recommends that all 10
stakeholders involved in implementing nuclear security work systematically to enhance 11
nuclear security culture. Implementing the programme described in this publication provides 12
the State with an approach to achieve and maintain a strong nuclear security culture. 13
States may implement a programme on a pilot basis prior to developing regulations in this 14
area to capture only those elements that have been found most effective. Where a regulatory 15
basis is not available, specific policy or guidelines, either issued by the State, competent 16
authority, or by the facility/activity, may be used as a basis for a nuclear security culture 17
enhancement programme. 18
3.2 SELF-ASSESSMENT 19
The nuclear security culture self-assessment is a tool used to understand what beliefs and 20
attitudes are held by personnel that support effectiveness of nuclear security and how the 21
competent authority/facility/activity can build on those beliefs and attitudes for continuous 22
enhancement and to diagnose signs of complacency. The level of nuclear security culture 23
may be difficult to assess as some aspects of culture are not visible. However, by using 24
various methods, including written questionnaires, focus groups, surveys, and oral interviews, 25
one can better understand the existing culture. It is important to recognize that the most 26
accurate feedback is attained from a variety of these assessment methods. Technical 27
Guidance for self-assessment of nuclear security culture [6] provides an approach to assist 28
States in determining the level of nuclear security culture within an associated 29
facility/activity. Guidance on enhancement of safety culture [8] provides additional 30
24
information about specific methods of self-assessment, and the advantages and disadvantages 1
associated with using each method. 2
Self-assessment may be conducted at the onset of implementing an enhancement programme 3
to determine the current level of nuclear security culture within a competent 4
authority/associated facility/activity. This can provide an indication of what specific efforts 5
will be included in the action plan. Afterwards, the culture coordinator may implement self-6
assessments on a regular basis (e.g. every two years) to evaluate results of the existing 7
enhancement programme and update the action plan accordingly. The conduct of self-8
assessments with subsequent development of prioritized action plans that address root causes 9
of difficulties is essential to maintain a strong nuclear security culture. 10
As is stated in [6], “A self-assessment methodology, complete with indicators for assessment, 11
will assist stakeholders in determining how best to strengthen nuclear security culture.” 12
Often, personnel from outside the facility/activity/stakeholder can more readily detect nuclear 13
security culture strengths and weaknesses. The regulator plays a key role in observing and 14
identifying these strengths and weaknesses. Some indicators that are more easily identified 15
by an external perspective, and thus are important to consider, are: 16
— Change management – Retaining corporate memory is important when managing 17
change to nuclear security systems to avoid creation of vulnerabilities. Implementing 18
an effective change management system and keeping adequate records can help to 19
reduce vulnerabilities caused by a loss of experienced personnel. 20
— Quality assurance– Nuclear security needs a high degree of rigour, control and 21
assessment to remain effective. Therefore, well-documented and applied quality 22
assurance practices for nuclear security will help ensure its effectiveness. 23
— Integration – Often certain functions of a stakeholder are separated from other 24
functions, either geographically or due to its organizational structure. In these cases, 25
different priorities can be developed and policies and standards may not be equally 26
implemented within the different functions. It is important that personnel interact on 27
a frequent basis to share information and that managers communicate the same 28
priority to nuclear security throughout the stakeholder organization. 29
25
— Findings of external nuclear security reviews – A strong nuclear security culture is 1
indicated when stakeholders have a process in place to address findings of nuclear 2
security reviews, monitor progress in implementing corrective actions, and complete 3
the corrective actions by the scheduled due date. 4
— Regulatory body – Regulators have a major role in enhancing nuclear security 5
culture. Nuclear security culture training of regulatory body representatives allow 6
them to be able to detect indicators of a strong nuclear security culture and assess 7
gaps that need to be addressed. 8
3.3 ACTION PLAN 9
The action plan is the culture coordinator’s implementation guide and is approved by the 10
head of the facility/activity. The action plan is considered a living document and may be 11
modified as events dictate (e.g. self-assessment results, changes in threat, trends in nuclear 12
security events, inspection results, changes in facility/activity mission). A management 13
method, such as plan-do-check-adjust/act, may be used in developing and maintaining the 14
action plan to manage and continuously improve the nuclear security culture enhancement 15
programme. FIG. 2 shows the action plan development and maintenance process. The 16
culture coordinator uses the action plan to establish goals of the enhancement programme, the 17
actions to be taken to achieve those goals, personnel responsible, timeframe, resources 18
needed, potential barriers, a breakout of steps to be taken, and expected results. These 19
actions may include, but are not limited to, training of managers and other personnel, 20
conducting a self-assessment, implementing poster campaigns, promoting the importance of 21
nuclear security, and familiarizing personnel with the enhancement programme goals and 22
objectives. A template and a completed action plan may be found in Appendix II. In 23
addition, Appendix III provides sample actions that can be included in the plan. 24
26
1 FIG. 2. Action plan development and maintenance process for culture coordinator. 2
3.3.1. Culture coordinator develops action plan 3
After conducting the self-assessment and before drafting the action plan, the stakeholder may 4
develop responses to the following questions. 5
— What are the issues identified in the assessment results that the stakeholder is facing? 6
— What new way of working is needed to meet organizational nuclear security goals? 7
— What new behaviour and thinking is needed to support the new way of working? 8
— What current characteristics may be built on to achieve the desired state? 9
— What optimization actions may be taken to improve nuclear security culture? 10
— What changes are needed for the stakeholder to achieve the goal? 11
The culture coordinator also becomes familiar with the strategy provided by the nuclear 12
security culture enhancement group, domestic and international nuclear security trends, 13
27
recent nuclear security issues within the facility/activity, specific nuclear security concerns of 1
the head of the facility/activity, and the guidance provided in this publication. 2
The culture coordinator can define activities to include in the action plan that build on the 3
facility/activity/stakeholder strengths and reduce their weaknesses identified in the self-4
assessment. The action plan may be developed in a SMART (Specific, Measurable, 5
Achievable, Relevant, and Time-Bound) way, meaning: 6
(a) Specific - What specifically is the goal and how does it contribute to nuclear security? 7
The goal needs to be defined so that all personnel know exactly what is expected, why 8
it is important, and who will be involved. What does the facility/activity gain by 9
conducting the proposed activity? 10
A specific goal will usually answer the five "W" questions: 11
o What: What will be accomplished? 12
o Why: What are the specifics reasons, purposes, or benefits of accomplishing 13
the goal? 14
o Who: Who will be involved? 15
o Where: Where will it take place? 16
o Which: What requirements and constraints are expected? 17
(b) Measurable - How will success be measured? How does the facility/activity know it 18
has reached the goal? What concrete criteria will be used for measuring progress 19
towards the goal? Measuring progress will help the facility/activity stay on track and 20
achieve target dates. 21
(c) Achievable - Is the goal realistic? How can the goal be accomplished? The goal is 22
neither set out of reach nor below standard performance. 23
(d) Relevant - How will achieving the goal enhance nuclear security? 24
(e) Time-bound – When shall the goal be accomplished? A commitment to a deadline helps 25
a team focus their efforts on completion of the goal on or before the due date and gives it a 26
sense of urgency. 27
28
The facility/activity will have a process by which it tracks progress against the action plan. It 1
will identify the responsible parties for each goal and hold them accountable for successful 2
completion. 3
The following sub-sections and FIG. 2 detail the nuclear security culture action plan 4
development and maintenance process. 5
3.3.2. Culture coordinator reviews action plan with head of the facility/activity 6
Once an initial draft of the action plan has been completed, the culture coordinator meets with 7
the head of the facility/activity and explains each proposed action along with its expected 8
outcome and resource needs. The head of the facility/activity may ask questions and provide 9
feedback. 10
3.3.3. Culture coordinator incorporates changes and head of facility/activity approves 11
action plan 12
The culture coordinator modifies the action plan based on feedback received from the head of 13
the facility/activity and submits the final version for approval. Once the approval is received, 14
the culture coordinator files the document appropriately and keeps it handy for easy 15
reference. 16
3.3.4. Culture coordinator implements the action plan 17
The culture coordinator communicates the approved action plan to personnel, including 18
leaders and managers, who will be responsible for and/or support the implementation of the 19
action plan. The culture coordinator may also post the action plan on the internal website or 20
within the facility, as appropriate, to familiarize personnel with the approved path forward. 21
The culture coordinator has regular meetings with personnel responsible for completing the 22
actions to gather updates on progress, costs, and any issues encountered. The more the 23
culture coordinator can personally communicate the goals of the nuclear security culture 24
enhancement programme throughout the facility/activity, the better personnel will understand 25
why there is a programme and the objectives of the actions to be implemented. Furthermore, 26
if personnel fully understand the goal, they may conduct their duties more effectively and 27
work as a group to support the implementation. The culture coordinator is available for 28
29
questions on the programme and associated action plan and discuss the “why” behind nuclear 1
security requirements so that personnel may understand their importance. 2
3.3.5. Culture coordinator reviews outcomes of actions 3
The culture coordinator monitors the progress and results of each effort throughout the 4
implementation of the action plan. Maintaining a tracking system allows for assessment of 5
necessary steps, actual costs, and results of the enhancement programme. Frequent updating 6
(e.g. weekly) of the tracking system (e.g. spreadsheet) allows for maintenance of up-to-date 7
and comprehensive data. 8
The culture coordinator conducts periodic reviews of action plan progress in a group setting 9
with appropriate managers, implementers, and selected personnel. The frequency of these in-10
person reviews varies depending on the participants. Such reviews focus on progress made, 11
problems encountered, how the problems were resolved, and on what changes will be made 12
in the overall approach to enhancing nuclear security culture. 13
3.3.6. Culture coordinator revises action plan 14
Based on the review of outcomes and monitoring of progress, the culture coordinator updates 15
the action plan tasks, adds actions to address new strengths and weaknesses, address any 16
obstacles, and updates resources needed. In addition, once the culture coordinator has 17
completed a self-assessment and analysed the results, any additional efforts/actions are 18
identified in the action plan to address specific strengths and weaknesses (see Appendix III 19
for suggested activities in relationship to indicators). 20
These updates may be conducted on a regular basis (e.g. quarterly) and then reviewed with 21
the head of the facility/activity to receive feedback and ultimately approval. 22
3.4 NUCLEAR SECURITY EDUCATION AND TRAINING 23
The focus of enhancing nuclear security culture is instilling the appropriate attitudes and 24
beliefs in personnel that support continuous improvement to nuclear security. The goal of the 25
NSC enhancement programme is to: (1) instil in personnel the belief that the threat to nuclear 26
and other radioactive material, associated facilities, and associated activities is real, (2) 27
provide an understanding of the consequences of ineffective nuclear security and its impact 28
30
on them personally, and (3) to encourage personnel to take concrete steps to enhance nuclear 1
security. These messages may be provided to programme participants via formal nuclear 2
security education and training and/or through awareness campaigns and promotional 3
products. For instance, to further promote a common understanding of the nuclear security 4
culture and its purposes and principles, introductory workshop (e.g. from the IAEA) may be 5
provided to all participants. Education and training programmes allow managers to 6
consistently communicate expected attitudes and behaviours to personnel. In addition, such 7
programmes allow the State to communicate its nuclear security policy. It is important that 8
all personnel receive some level of nuclear security culture education. The following outlines 9
the target audiences and associated content to be included in education and training. 10
— Competent authority – May include education workshops on the impact of the 11
human element on nuclear security and may include suggestions for incorporating 12
nuclear security culture concepts into the legislative and regulatory framework and 13
inspection regime. 14
— Nuclear security culture enhancement group – Introductory education and training 15
(e.g. the IAEA nuclear security culture workshop) is provided to promote a common 16
understanding, including concepts and principles. This type of education is also 17
practical for all decision-maker stakeholders in the programme. In addition, members 18
may undertake the same education and training provided to culture coordinators 19
and/or managers. 20
— Culture coordinator – Initial education and training for culture coordinators and 21
their assistants may consist of the following modules: 22
o Overview of nuclear security – importance of nuclear security, physical 23
protection, nuclear material accounting and control, sensitive information 24
protection, transport security, computer security, role of guard/response force, 25
contingency plans, etc. 26
o Threats to associated facilities/activities, both external adversaries and from 27
insiders 28
o Consequences of theft and sabotage of nuclear and other radioactive material, 29
associated facilities, and activities. 30
31
o Regulatory basis of the nuclear security culture 1
o IAEA nuclear security culture model [5] 2
o Human factor impact on nuclear security 3
o Self-assessment of nuclear security culture [6] 4
o Effective communication 5
o Motivation techniques 6
o Change management methods 7
o Conflict resolution. 8
The culture coordinators and their assistants will receive refresher training on a 9
periodic basis (e.g. annually). 10
— General personnel – Information of importance on nuclear security may be provided 11
during initial workshops of newly employed personnel and include a review of the 12
threat. This can be supplemented by training on the nuclear security system and what 13
personnel can do to support its effectiveness (e.g. protect access badges/passes, follow 14
nuclear security procedures, and report suspicious activity). This type of education 15
and training may be reiterated during refresher training on a periodic basis (e.g. 16
annually). 17
— Personnel directly supporting nuclear security (for example, guard/response 18
forces and nuclear material accounting and control personnel) – In addition to the 19
same information general personnel receive, these personnel are provided with in-20
depth education on credible threats, as appropriate, and the importance of nuclear 21
security to counter these threats. Subsequent training sessions, discuss the “why” 22
behind nuclear security requirements and provide the overall objective of the 23
facility/activity nuclear security programme. Education and training for these 24
personnel is updated and provided immediately after new information about the threat 25
is available and as refresher training on a periodic basis (e.g. annually). 26
32
— Scientific and technical personnel – In addition to the information general personnel 1
receive, the culture coordinator provides education and training to scientific and 2
technical personnel on credible threats, the importance of nuclear security, the 3
consequences of ineffective nuclear security, and personal responsibility for nuclear 4
security, including the importance of protecting sensitive nuclear information. These 5
personnel may also be given the opportunity to discuss the “why” behind the 6
requirements so that they may recognize the importance of their contribution to 7
nuclear security. This type of information may be included as an introductory module 8
to each technical training course. 9
— Management – Managers acts as a role model to personnel and have a huge impact 10
on the level of nuclear security culture within a facility/activity. For example, if 11
personnel observe top management complying with all access control procedures and 12
requirements, they may internalize that following these procedures is important. 13
Education and training for management provides tools to improve management skills 14
to enhance nuclear security and nuclear security culture. Managers are encouraged to 15
complete all required education and training and continue to seek new opportunities to 16
improve management skills (e.g. effective communications and motivation) through 17
additional education and training. Examples of education and training sessions that 18
may be provided to managers include: 19
o Overview of nuclear security highlighting the importance of nuclear security, 20
nuclear material accounting and control, sensitive information protection, 21
transport security, computer security, role of guard/response force, 22
contingency plans, etc. 23
o Threats to nuclear and other radioactive material, associated facilities, and 24
associated activities 25
o Risk informed approach to nuclear security 26
o Importance of the human factor and its impact on nuclear security 27
o Elements of the response strategy that are applicable to their areas of 28
responsibility 29
33
o IAEA nuclear security culture model [5] 1
o Self-assessment of nuclear security culture [6] 2
o How management may improve nuclear security culture, nuclear security, and 3
the overall facility/activity via good communication, timely feedback, 4
motivation of personnel, observation of personnel performance and nuclear 5
security practices, and by allocating appropriate resources. 6
For additional information on how to enhance management skills, see Appendices III, 7
V and VI. 8
— Education – States that have nuclear security degree programmes or degree 9
programmes associated with nuclear security degree programmes can include material 10
on nuclear security culture and its importance in the relevant degree programme 11
curricula. 12
The education and training activities listed above may be provided at a facility/activity, at a 13
central training centre or at a combination of venues. The enhancement group may review 14
the State’s education and training infrastructure to determine how to implement such 15
activities on the most sustainable basis2. For instance, some States have requirements to 16
certify top managers, such as heads of facility/activity. 17
3.5 PROMOTIONAL PRODUCTS AND TRAINING AIDS 18
Promotional products and training aids are designed to reinforce behaviours and attitudes that 19
enhance nuclear security. 20
— Contests may be conducted as a reminder of the importance of nuclear security and 21
can reach a large number of personnel. A contest could focus on developing a nuclear 22
security culture poster, logo, or slogan. If the reward for “winning” the contest is 23
associated with nuclear security (e.g. a coffee cup stamped with the slogan), the 24
reward serves as a long-term reminder of the importance of nuclear security. 25
2 Nuclear Security Support Centres could also serve for this purpose. International Atomic Energy Agency, Establishing a National Nuclear Security Support Centre, IAEA TECDOC Series No. 1734, Vienna (2014).
34
— Posters may be developed for distribution to all facilities/activities in a centralized 1
manner or facilities/activities may develop their own posters. Poster campaigns may 2
include motivational content to reinforce specific behaviour or help contradict trends 3
that may be discovered as events are analysed. Posters may be hung at central 4
locations in the workplace to act as a visual reminder of the importance of nuclear 5
security. The posters are replaced on a regular basis (e.g. quarterly) so that personnel 6
may continue to notice them. 7
— Handouts refer to almost any item that may be handed to personnel that reminds them 8
of nuclear security, such as a calendar with a different nuclear security message for 9
each month of the year. Each time personnel look at or use this item, it provides a 10
quick reminder to think about nuclear security while they work, which communicates 11
nuclear security messages using a minimum of personnel. Other examples of 12
handouts are pens, notepads, and coffee cups with a nuclear security logo or message 13
on them. 14
— Newsletters providing information on nuclear security may be issued on a regular 15
basis (e.g. quarterly). The content may be varied to appeal to a large audience. In 16
addition to including information about nuclear security (e.g. updates to policy), it 17
may include news about the facility/activity, a question-and-answer section, 18
interviews, contests, and motivational quotations. Personnel may be encouraged to 19
submit information for consideration in future newsletters. If the facility/activity 20
already issues a more general newsletter, another option would be to provide input on 21
nuclear security and its importance on a regular basis to the existing newsletter. 22
3.6 HUMAN RESOURCE ELEMENTS 23
Many facilities/activities currently have elements that influence nuclear security culture under 24
human resources or other departments within the facility/activity. These elements may 25
include the following. 26
3.6.1. Personnel suggestion programme 27
A personnel suggestion programme provides a vehicle for personnel to propose 28
improvements to the nuclear security programme, management practices, procedures, 29
35
policies, etc. This programme may offer recognition or other rewards to personnel who 1
participate and make such proposals, especially if they are acted on by the facility/activity. 2
Any proposals related to nuclear security may be provided to the culture coordinator, who 3
would research, evaluate, and formulate a reply to the individual who made the suggestion. 4
The reply is responsive to the suggestion and appreciative of the personnel’s desire to 5
enhance nuclear security. 6
3.6.2. Personnel recognition programmes 7
Recognition programmes may be designed to reinforce good nuclear security practices. 8
However, managers are aware that routine rewards are not a replacement for hands-on 9
coaching and supervision. The existing reward system is evaluated for what impact it has on 10
desired behaviours such as teamwork, quality, and ethics to make sure that it is in line with 11
the culture trying to be created. For example, managers do not want to implement a reward 12
system that encourages productivity above nuclear security. This system may include 13
certificates of appreciation or letters of recognition issued by the manager or photos 14
periodically posted on a central bulletin board providing recognition for personnel 15
contributing positively to nuclear security. 16
3.6.3. Trustworthiness programme 17
Taking into consideration national practices, it is the responsibility of a State to determine a 18
trustworthiness policy which identifies the circumstances in which a trustworthiness 19
determination is required for certain positions including those with access to nuclear and 20
other radioactive material, sensitive information and associated facilities/activities. There is a 21
need for facilities/activities to have an initial assessment and a system of ongoing assessment 22
that helps mitigate insider threats. The depth of the trustworthiness assessments are 23
conducted on a graded approach depending on the level of access associated with the 24
individual position. Trustworthiness assessments cover evaluations of personnel’s integrity, 25
honesty, and reliability. Assessments are intended to identify possible motivation or 26
behaviour of personnel who could become insiders or be coerced by outsiders. Motivation 27
can include financial and ideological interests, psychological conditions, desire for revenge 28
(e.g. due to perceived injustice), or physical dependency (e.g. on drugs, alcohol or sex). The 29
36
assessments are conducted on a continuous basis as some of these conditions may not be 1
identified during the initial assessment or may change over time. 2
More details about a trustworthiness programme are described in the Implementing Guide on 3
insider threats [10]. 4
3.6.4. Personnel assistance programme 5
Performance at work and emotional stability of personnel may be affected by outside 6
stressors such as divorce, death or illness in the family, and financial problems. Assistance 7
programmes help alleviate these outside stressors. If these stress factors are not addressed, 8
they can be the cause of malicious behaviour by the individual in the workplace. A personnel 9
assistance programme may assist with providing such services such as psychological 10
counselling, elderly care, monetary loans, babysitting, and addiction treatment. Working 11
actively to address stressors can help mitigate the insider threat, as well as reduce error rate 12
and absenteeism and increase productivity. 13
3.7 CODE OF CONDUCT 14
One way to enhance the morale and workplace environment is by reminding personnel of the 15
importance of their duties working with nuclear and other radioactive material, associated 16
facilities, and associated activities. It is suggested that the nuclear security culture 17
enhancement group develop a code of conduct that can be distributed to all personnel to 18
remind them of their share of responsibility for nuclear security. The code of conduct may be 19
developed at the State, competent authority, or associated facility/activity level. A sample 20
code of conduct for a facility/activity is included as Appendix IV. 21
3.8 LESSONS LEARNED PROGRAMME 22
States may have a programme in place that defines the types of nuclear security-related 23
events that an associated facility/activity will report to the competent authority. The 24
competent authority then reviews these events to determine trends and provides lessons 25
learned in a sanitized form to all relevant organizations. 26
37
3.9 CONTINUOUS IMPROVEMENT OF NUCLEAR SECURITY 1
Promoting the importance of nuclear security and enhancing nuclear security culture is a 2
continuous activity. To make an enhancement programme sustainable, the following items 3
may be considered: 4
— Regulatory basis – As stated earlier in this section, there may be a legal basis for the 5
enhancement programme. This will ensure that the programme is maintained long-6
term and is not just supported by specific personalities. 7
— Use of existing infrastructure – The programme may use lessons learned from 8
enhancing nuclear safety culture and take into account existing infrastructure to 9
promote synergy between nuclear safety and nuclear security, and use lessons learned 10
from enhancing nuclear safety culture, (e.g. by incorporating modules on nuclear 11
security culture into existing education and training programmes). 12
— Continuous education – Education of all stakeholders on existing threats, the 13
importance of nuclear security to counter those threats, and the personal consequences 14
of ineffective nuclear security is vital to receiving resources and support. When those 15
who can provide the resources (e.g. competent authority, head of facility/activity, 16
manager) understand why it is so important to do so, they may be more likely to 17
provide such support. For additional information about education and training see 18
Section 3.4. 19
— Involvement of all stakeholders – The inclusion of all nuclear security stakeholders is 20
crucial to the programme’s effectiveness and sustainability to provide a sense of 21
ownership. This interaction may reinforce specific attitudes and behaviours 22
supporting the importance of nuclear security. 23
— Feedback – The programme may include processes to facilitate stakeholders in 24
reporting any nuclear security concerns and events and reviewing them later in an 25
effort to learn how to improve performance and mitigate potential threats. 26
3.10 ENHANCING NUCLEAR SECURITY CULTURE 27
Each stakeholder involved in a State’s nuclear programme has some level of nuclear security 28
culture based on its experience and the organizational culture maintained by each 29
38
stakeholder. The systematic approach to enhancing nuclear security culture presented in this 1
publication is one way to proactively impact nuclear security culture, continuously improve 2
nuclear security, and assist the stakeholder with fulfilling their mission successfully. 3
Each stakeholder may define the new behaviour and thinking necessary for personnel to 4
develop and maintain a strong nuclear security culture before initiating a nuclear security 5
culture enhancement programme. Once the characteristics of a strong nuclear security 6
culture and the practices that support it are identified, each stakeholder may assess the current 7
state of nuclear security culture and determine the gap between current state and desired state. 8
Then, using the elements outlined in this publication, each stakeholder may develop an action 9
plan containing steps to be taken to minimize that gap. It is essential to build on the positive 10
aspects of the existing nuclear security culture and motivate personnel to support the 11
improvements. Their understanding and acceptance of the importance of the stakeholder’s 12
objective is key to successfully enhancing nuclear security culture and ultimately, 13
continuously enhancing the effectiveness of nuclear security. 14
15
39
1
APPENDIX I: EXAMPLES OF THE IMPACT OF NUCLEAR SECURITY 2
CULTURE ON NUCLEAR SECURITY 3
This appendix provides examples of how the attitudes, beliefs, and behaviours of personnel 4
contribute to overall effectiveness of nuclear security. 5
Example 1: Computer security 6
The head of Security receives a telephone call from the Information Technology manager and 7
is informed that remote terminals are to be installed in all material balance areas and hooked 8
up to the facility’s mainframe computer system. The remote terminals will be used to process 9
sensitive inventory data. After reviewing the potential security implications, the head of 10
Security and Information Technology manager agree that the remote terminals should be 11
configured as a physically separate, secure network complete with appropriate data 12
encryption and communication line protection. 13
If the Information Technology manager had not informed the head of Security about the 14
installation of the remote servers, it is possible that one or more of the following security 15
vulnerabilities could have occurred: 16
— Sensitive information on the remote terminals could have inadvertently been 17
introduced onto the mainframe. If the mainframe is not adequately configured to 18
protect sensitive nuclear security information, then that information could have been 19
accessed without authorization. 20
— The competent authority may require accreditation of networks used to process 21
sensitive inventory data. Not protecting these remote terminals appropriately could 22
result in the system not complying with accreditation requirements. This could result 23
in a temporary shutdown of the network until the system is able to be accredited, 24
which could significantly interrupt workflow. 25
Coordination between the head of Security and the Information Technology manager 26
exhibited a number of characteristics of a strong nuclear security culture. 27
— Management systems are well developed and prioritize security. 28
40
o Clear roles and responsibilities – the Information Technology manager 1
recognized and understood the head of Security’s role and responsibility 2
regarding assessing vulnerabilities associated with making change to the site 3
network. 4
o Information security – the Information Technology manager worked with the 5
head of Security to ensure that sensitive information was not compromised. 6
o Change management – the Information Technology manager properly 7
coordinated with the head of Security prior to making any changes to ensure 8
that there would be no negative impacts on nuclear security. 9
— Leadership behaviour fosters more effective nuclear security. 10
o Decision making – the Information Technology manager exhibited strong 11
decision-making skills by deciding to coordinate with the security 12
organization before installing the computer equipment and connecting it to the 13
mainframe. 14
o Effective communications – good communications between the head of 15
Security and Information Technology manager prevented the introduction of 16
vulnerabilities into the system. 17
— Personnel behaviour fosters more effective nuclear security. 18
o Adherence to procedures – the Information Technology manager followed 19
proper protocol by contacting departments that potentially could be affected 20
by the change, including the security department, before installing new 21
equipment. 22
o Teamwork and cooperation – despite working in different departments, the 23
Information Technology manager and head of Security effectively worked 24
together and cooperated to ensure the proposed change would not introduce 25
security vulnerabilities. 26
41
o Vigilance – both the head of Security and Information Technology manager 1
recognized the potential for security vulnerabilities and took proactive steps to 2
prevent them. 3
Example 2: Visitor control 4
Visitor passes for access to a facility are issued when a visitor arrives and returned when the 5
visitor leaves. A logbook is maintained to sign visitors in and out of the facility. Visitors are 6
escorted at all times by personnel who receive annual training on their responsibilities as an 7
escort. When escorting a visitor out of the facility, the escorting personnel note that the 8
visitor pass reception area is unattended. The escorting personnel ensure that the visitor is 9
signed out in the visitor logbook and that the pass is deposited into secure storage. 10
If the escorting personnel had not assumed the responsibility of ensuring that the visitor was 11
signed out and the pass was properly secured, it is possible that one or more of the following 12
nuclear security vulnerabilities could have occurred: 13
— If the pass was not returned to secure storage it could be reused by an unauthorized 14
person to gain entry into a secure area. 15
— If the pass was removed from the facility, the pass could be examined to obtain 16
information on the methods used by the automatic access control system to determine 17
validity and authenticity. 18
— In addition, if visitors do not sign out, they may be considered missing in the case of 19
an event, thereby putting rescue personnel in unnecessary danger by expending effort 20
searching for the visitor within the facility. 21
The actions of the escorting personnel demonstrated the following characteristics of a strong 22
nuclear security culture: 23
— Management systems are well developed and prioritize nuclear security. 24
o Clear roles and responsibilities – the responsibilities of an escort were clearly 25
defined by the facility. 26
42
o Training and qualification – annual refresher training provided the personnel 1
with a clear and current understanding of their responsibilities as an escort as 2
well as the requirements for visitor access to the facility. 3
— Personnel behaviour fosters more effective nuclear security. 4
o Professional conduct – the personnel took their escort responsibilities 5
seriously and were willing to assume the duties of the person that normally 6
staffs the visitor pass reception area. 7
o Adherence to procedures – the personnel ensured that all procedures related to 8
visitors were followed, including securing the visitor pass and signing out the 9
visitor. 10
o Vigilance – the personnel observed that the visitor pass reception area was 11
unattended and took action to ensure that all procedures regarding visitors and 12
visitor passes were followed. 13
Example 3: Information security 14
A facility operator occasionally holds meetings with vendors, personnel at other facilities, 15
and personnel at the competent authority, which involves either the facility personnel 16
travelling to the meetings or the off-site personnel travelling to the facility. Due to increasing 17
costs to travel, the facility implements an initiative to conduct more meetings using 18
teleconferencing. Two meeting rooms are equipped with teleconferencing equipment, which 19
allows off-site personnel to participate in the meeting by telephone. 20
The facility develops the following procedures for teleconferencing: 21
— Meeting participants are reminded that telephone conferencing is in use. 22
— All callers confirm how they connected to the call, their location, and environment. 23
— The head of the meeting affirms that sensitive information can or cannot be discussed. 24
— The head of the meeting provides regular reminders that teleconferencing is in use 25
and what type of information can or cannot be discussed. 26
43
— The head of the meeting mutes the telephone if sensitive information is to be 1
discussed. Once the call is unmuted, the head of the meeting reminds participants of 2
the information security arrangements for the meeting. 3
Manager communicates expectations regarding the handling of teleconferences and 4
videoconferences by ensuring that: 5
A copy of the procedures is posted in each meeting room with teleconferencing or 6
videoconferencing capability, and a briefing on the procedures is provided prior to use of the 7
teleconferencing and videoconferencing capability and is included in the annual security 8
refresher training. Without these procedures, it is possible that some participants may 9
inadvertently discuss sensitive information that should not be disclosed over the 10
communication network. 11
The actions of the facility demonstrated the following characteristics of a strong nuclear 12
security culture: 13
— Management systems are well developed and prioritize nuclear security. 14
o Visible nuclear security policy – posting the procedures in the meeting rooms 15
provide a clear visual reminder to meeting participants. 16
o Clear roles and responsibilities – the responsibilities of meeting participants 17
and the head of the meeting were clearly defined by the facility/activity. 18
o Training and qualification – initial and annual refresher training provides 19
personnel with a clear and current understanding of their responsibilities 20
during teleconferences and videoconferences. 21
— Leadership behaviour fosters more effective nuclear security. 22
o Expectations – facility managers clearly communicated their expectations 23
regarding the handling of teleconferences and videoconferences. 24
Example 4: Nuclear facility security 25
Unionized nuclear security personnel of a nuclear facility are preparing to go on strike. The 26
head of the facility informs the competent authority of an imminent strike of the facility 27
44
nuclear security personnel. Presumably not all nuclear security personnel would join the 1
strike, but it may be impossible to avoid a shortage of nuclear security personnel. 2
— The competent authority requests the head of the facility to take measures to make 3
sure that the facility is protected, even in the case of reduced availability of nuclear 4
security personnel. 5
— The competent authority implements an action plan to ensure off-site responders can 6
relocate to supplement nuclear security of the facility in cases of personnel shortages. 7
— The head of the facility also reacts to this potential vulnerability by developing an 8
action plan that addresses future instances of reduced level of nuclear security 9
personnel, including agreements with other facilities to use their trained and 10
experienced nuclear security personnel from another facility. 11
The actions of the competent authority and the head of the facility demonstrated the 12
following characteristics of a strong nuclear security culture: 13
— Management systems are well developed and prioritize nuclear security. 14
o Work management – the head of the facility took steps to ensure adequate 15
resources would be available to maintain an appropriate level of nuclear 16
security in case of a strike. 17
o Compensatory measures – the head of the facility developed a compensatory 18
measure to ensure that adequate nuclear security would be maintained in case 19
of a strike; the competent authority developed an action plan to use off-site 20
responders to provide additional resources to the facility if needed. 21
o Coordination with off-site organizations – the head of the facility coordinated 22
with the competent authority to address the potential strike and worked with 23
other facilities to arrange for additional resources in case of a strike. 24
Example 5: Nuclear facility security 25
While conducting an evaluation, facility managers note that an emergency exit door is 26
occasionally propped open so that personnel can take smoke breaks and move equipment in 27
or out of the building. Further review reveals that nuclear security personnel do not respond 28
45
to the alarm from the propped door because they are aware that authorized personnel are 1
working in the area and assume it is part of normal activity. The facility managers recognize 2
that propping open the emergency exit door provides opportunity to circumvent access 3
controls and detection for a potential insider, and provides a direct, unimpeded access path 4
into the vital area for outsiders. 5
Facility managers take the following corrective actions: 6
— A procedure is developed requiring nuclear security personnel to investigate and 7
document the cause of all unexpected alarms from the vital area, regardless of 8
whether or not authorized personnel are working in the area. All nuclear security 9
personnel who monitor the alarm system for the vital area are trained on their 10
responsibilities under the new procedure. 11
— A procedure is developed for posting a guard at the emergency exit door during 12
periods when the door is opened for nonemergency use (e.g. movement of 13
equipment). 14
— A notice is placed at the emergency exit door to contact security before opening 15
during nonemergency situations. 16
— Facility/activity personnel are immediately briefed on the nuclear safety and nuclear 17
security implications of propping open doors into the vital area without posting guards 18
and on the procedure for nonemergency use of the emergency exit door. The briefing 19
is incorporated into an annual nuclear security refresher briefing provided to all 20
personnel. 21
During subsequent evaluations, no instances of misuse of the emergency exit door are noted. 22
The actions of the facility manager and personnel demonstrated the following characteristics 23
of a strong nuclear security culture: 24
— Management systems are well-developed and prioritize nuclear security. 25
o Visible nuclear security policy – posting notices at the vital area emergency 26
exit doors clearly conveys the nuclear security policy for nonemergency use of 27
the doors. 28
46
o Clear roles and responsibilities – the responsibilities for nonemergency use of 1
the emergency exit door were clearly defined by the facility in the new 2
procedures. 3
o Training and qualification – initial and annual refresher training provides 4
personnel with a clear and current understanding of the nuclear security policy 5
for nonemergency use of the emergency exit door. 6
o Operations and maintenance – the facility developed an effective 7
compensatory measure (posting of guards) for nonstandard use of the 8
emergency exit door. 9
o Self-assessments – the facility has a self-assessment programme capable of 10
identifying issues that need to be corrected and eliminate the identified 11
vulnerabilities. 12
— Leadership behaviour fosters more effective nuclear security. 13
o Expectations – by implementing new procedures and directing training and 14
briefings on the new procedures, facility managers clearly communicated their 15
expectations to personnel regarding use of the emergency exit door. 16
o Effective communications – facility managers effectively communicated 17
requirements through the use of briefings and postings. 18
— Personnel behaviour fosters more effective nuclear security. 19
o Adherence to procedures – subsequent evaluations showed that personnel 20
were following procedures established for use of the emergency exit door. 21
Example 6: Transport security 22
Shipping department personnel at a facility notice that one of the approved transport carriers 23
has changed how they handle the facility’s most sensitive shipments. It is clear to the 24
shipping department personnel that the new method of handling the shipment is less secure 25
than the original method. Following the nuclear security procedure in effect means these 26
items will continue to be consigned to the shipper but not handled in an appropriate manner. 27
Since shipping department personnel understand not just that the material must be shipped 28
47
via the approved carrier, but also the reason for the shipping method, they alerted nuclear 1
security management. Nuclear security management removes the carrier from the approved 2
list until they correct the way they handle the shipments. 3
The actions of the personnel demonstrated the following characteristics of a strong nuclear 4
security culture: 5
— Management systems are well developed and prioritize nuclear security. 6
o Clear roles and responsibilities – shipping department personnel were well 7
aware of their responsibilities regarding sensitive shipments. 8
o Training and qualification – shipping department personnel were trained and 9
qualified to recognize the new method of handling shipments provided 10
inadequate nuclear security. 11
— Leadership behaviour fosters more effective nuclear security. 12
o Decision making – nuclear security management reacted quickly to remove 13
the shipper from the approved list until the method of handling shipments was 14
corrected. 15
o Involvement of personnel – nuclear security management listened to the 16
concerns voiced by the shipping department personnel, and took action to 17
correct the problem. 18
— Personnel behaviour fosters more effective nuclear security. 19
o Professional conduct – the shipping department personnel went beyond merely 20
following procedures and ensured the continued nuclear security of the 21
sensitive items. 22
o Personal accountability – the shipping department personnel recognized their 23
own responsibility to nuclear security and to resolve issues when they arise. 24
o Vigilance – shipping department personnel noticed and questioned the change 25
in the shipper’s method for handling shipments. 26
27
48
APPENDIX II: SAMPLE ACTION PLAN FORMAT 1
The action plan is a nuclear security culture enhancement planning and implementation 2
guide. It is developed by the culture coordinator in cooperation with the head of the 3
facility/activity (whether it is a competent authority with a nuclear security function to 4
regulate or support regulated entities, or an operator). The plan includes actions that will be 5
performed in support of the enhancement programme, the responsible personnel, timeframe, 6
resources needed, potential barriers, steps to be taken and expected results. Actions may 7
include the implementation of training, self-assessment activities, and promotional activities 8
(e.g., handouts, posters, and newsletters). Section 3.3 provides the process of how to develop 9
and maintain an action plan. The following action plan format can be used. The text 10
included in the completed action plan is meant to serve as a brief example of how culture 11
coordinators may use the template to develop their own plan. 12
Directions: 13
1. Using this form as a template, develop an action plan for each goal identified. Modify 14
the form as needed to fit your specific environment. 15
2. Meet with the head of the facility/activity and obtain their approval to implement the 16
action plan. 17
3. Communicate the action plan to personnel, including managers and leaders, 18
responsible for aspects of the action plan and throughout the facility/activity, as 19
appropriate. 20
4. Keep copies handy to bring to meetings to review and update regularly. 21
5. Once activity is implemented and has been established for a certain period, assess its 22
effectiveness to check if results were achieved as expected. 23
6. Document the activity’s impacts on nuclear security culture and the effectiveness of 24
nuclear security. 25
7. Review progress on action plan efforts on a regular basis (e.g. quarterly) and revise as 26
necessary based on new self-assessment results and/or changes to facility/activity 27
mission, nuclear security system, material inventory, or threats, etc., obtaining head of 28
facility/activity approval after each revision. 29
49
Goal: 1
Increase contribution of managers and personnel to nuclear security by: 2
— Training managers to provide them with skills to enhance the work environment and 3
motivate personnel 4
— Educating personnel on the existence of credible threats to nuclear and other 5
radioactive material and training them on their personal role and responsibility in 6
supporting effective nuclear security 7
— Educating and motivating personnel via nuclear security posters 8
— Implementing personal suggestion programme and encouraging participation 9
Results/accomplishments: 10
— Personnel will more willingly adhere to all nuclear security procedures 11
— Managers will communicate to personnel why certain nuclear security procedures are 12
being implemented and motivate personnel to recommend improvements to nuclear 13
security 14
— Personnel actively participate in providing recommendations on how to improve 15
nuclear security 16
Evidence of success: 17
— Number of personnel who participate in training sessions 18
— Number of managers who participate in training sessions 19
— Number of personnel who submit ideas for poster campaign 20
— Feedback from training participants’ course evaluation forms 21
— Number of suggestions on how to improve nuclear security 22
— Interest from managers and personnel on additional nuclear security topics to include 23
in training. 24
(How will you know that you are making progress? What are your benchmarks?) 25
50
Assessment process: 1
— Compile feedback from course evaluation forms and summarize comments to 2
determine overall effectiveness rating of training and interest in additional training 3
— Track number of personnel participating in training sessions and check with training 4
department on percentage of personnel completed training 5
— Hold discussions with personnel attending training to get their views on importance of 6
nuclear security and how they can contribute 7
51
Action Responsibilities Timeline Resources Potential Barriers Steps Expected Results Q
uest
ions
to A
nsw
er What will be done? Who will do it? By when? (date) A. Resources
available/to request?
B. Resources needed (financial, human, political, other)?
A. Who might resist (legislation, financial, environment)?
B. How?
How will it be accomplished?
What will the facility/activity gain?
Act
ivity
1
Implement 5-Day Nuclear Security Culture Manager Training
Culture coordinator and training department personnel
1 June 2018 A. Training room, laptop, projector, screen, pens and pads, whiteboard, coffee breaks, photocopies
B. Funds for coffee breaks, pens and pads, photocopies
A. Often difficult for managers to take leave for five days to complete training. Is it possible to implement course one day a week for five weeks?
B. Limited participation possible
(1) Generate agenda for training (2) Send agenda and invitations via email to managers with enough lead time so they can block time on their calendars (3) Implement training
It is expected during training activity that managers will acquire tools to improve skills that enhance nuclear security within the facility/activity. In particular, managers will motivate personnel to recommend improvement to nuclear security.
52
Action Responsibilities Timeline Resources Potential Barriers Steps Expected Results A
ctiv
ity 2
Develop, Print, and Disseminate Five Nuclear Security Culture Posters
Culture coordinator and graphic arts department or creative personnel with access to printer
1 September 2018 A. Graphic arts department or creative personnel with access to printer
B. Funds for printing posters
A. Graphic arts department or creative personnel may be too busy to take on this project
B. Funds may not be available for intricate design
Culture coordinator may print posters from office computer
(1) Send email to facility/activity personnel requesting they reply with ideas for posters within one month timeframe; can be framed as a contest with winner(s) receiving recognition for poster design (2) Compile ideas for posters, select five poster designs, and work with graphic arts department to generate five draft images (3) Email copies of completed posters to personnel and print and hang posters in central locations in facility/activity
It is expected the poster campaign will motivate personnel to be creative in drafting ideas for posters and the five printed posters will act as a visual reminder of the importance of nuclear security. The particular theme of the poster campaign would be focused on existence of credible threat and getting personnel to recommend nuclear security improvement.
53
Action Responsibilities Timeline Resources Potential Barriers Steps Expected Results A
ctiv
ity 3
Implement 2-hour General Personnel Training Module
Culture coordinator and training department personnel
1 June 2018 A. Training room, laptop, projector, screen, pens and pads, whiteboard, coffee breaks, photocopies
B. Funds for pens and pads, photocopies
A. May need multiple sessions so everyone completes the 2-hour module
B. Manager may not be supportive of personnel taking two hours for the training
(1) Work with the training department to schedule multiple sessions over a period of time (2) Send schedule and invitations via email to all personnel (3) Work with the training department to confirm all personnel sign up for a session (4) Implement training
It is expected that during training activity, personnel will receive information on credible threats to nuclear and other radioactive material, associated facilities, and associated activities. The training will motivate them to take their role in supporting nuclear security seriously and suggest improvement.
54
1
APPENDIX III: NUCLEAR SECURITY INDICATORS AND SAMPLE 2
ENHANCEMENT ACTIONS 3
Appendix III provides a table of IAEA nuclear security culture indicators with associated actions 4
that can be taken to enhance the specific characteristic. The characteristics of an effective 5
nuclear security culture are described in Ref. [5], and are reproduced here in Figure 3. 6
These indicators and associated actions are not all-inclusive. They may be modified to address 7
specifics of a facility or activity or competent authority and additional ones can be added. The 8
head of the facility/activity, other appropriate managers, and the culture coordinator can initially 9
review the list in Appendix III to see if there are any immediate activities they would like to 10
implement to enhance the nuclear security culture. After a self-assessment is conducted, as 11
suggested in Ref. [6], this list may again be reviewed for potential activities that build on and 12
optimize the identified strengths to further enhance nuclear security and the nuclear security 13
culture. Many of the indicators are similar in nature; therefore, it may be helpful to peruse an 14
entire section of sample actions to gain a fuller picture of what can be done to enhance a certain 15
management system, leadership behaviour, or personnel behaviour. The activities selected for 16
implementation would be included in the culture coordinator’s action plan (see Appendix II for a 17
sample action plan). 18
The suggested activities in this appendix identify an entity that would be responsible for 19
conducting the action; however, this may be different for different facilities/activities. It is the 20
culture coordinator’s responsibility to determine who will assist in implementing each of the 21
efforts included in the action plan. It is also the culture coordinator’s role to facilitate and 22
monitor progress on each item of the action plan to be accomplished. 23
Many of the actions are to establish nuclear security measures. It is not the purpose of this 24
publication to provide details on how to establish each of these measures. States can seek 25
technical assistance from the IAEA and other international partners and look to international 26
good practices when establishing the details of these elements. 27
55
The following tables may be used as a toolbox. Not every characteristic and/or indicator needs 1
to or can be addressed at once. As mentioned in Ref. [6], self-assessment can focus on a subset 2
of indicators as can the action plan developed by the culture coordinator. 3
4
56
1 FIG. 3. IAEA model of nuclear security culture. 2
3
4
57
III.1. MANAGEMENT SYSTEMS 1
Management systems are the framework of processes and procedures used to ensure that a facility/activity operator can fulfil all tasks 2
necessary to achieve its nuclear security objectives through a process of continuous improvement. These management systems 3
support security functions to define expectations, implement and maintain processes, measure progress, assess compliance, improve 4
performance on the basis of experience, and help manage change. The management systems set out in Ref. [5] are included below. 5
III.1.1. Visible security policy 6
Each stakeholder will have a policy document that indicates its commitment to nuclear security, and requires personnel to adhere to 7
the expectations set out in the policy. These expectations include protecting sensitive materials and information, acknowledging 8
security concerns and threats, being vigilant in carrying out nuclear security responsibilities, and reporting any unusual activity. 9
Indicator Activity A nuclear security policy is established for the organization.
Manager • Develops a nuclear security policy that forms the foundation of the management systems described
in [5]. This policy includes: ‒ a declaration of commitment to quality of performance in all nuclear security activities; ‒ a declaration that nuclear security has a high priority; ‒ a process for senior managers to resolve any conflicts between safety, security, nuclear material
accounting and control, and operations, taking into account the overall impact of risk to nuclear and other radioactive materials, associated facilities, and associated activities.
A nuclear security policy is posted in the facilities. Culture coordinator • Posts non-sensitive sections of the security policy at appropriate locations so that all personnel and
visitors can become familiar with policy. The nuclear security policy is familiar to all personnel.
Manager/Culture coordinator • Implements an awareness campaign to enhance knowledge of the policy; for example, managers
can send the policy to all personnel via email, discuss the policy in meetings, and make an announcement of how personnel can obtain a copy of the policy.
Personnel • Read and comply with the security policy.
The security function has a respected status. Culture coordinator
58
Indicator Activity • Implements an awareness campaign to educate personnel on the importance of the role of security
personnel. This education could remind personnel about the potential consequences to personnel, their family, their facility/activity, their country, and the environment if material gets out of regulatory control and how one event can threaten the stability of the entire nuclear industry.
• Hosts meetings at which information is shared with security personnel on scientific/medical projects the facility/activity is pursuing so they gain a better appreciation of personnel’s technical efforts
• Educates security personnel on the importance of establishing trust and rapport with other personnel by (1) explaining why security processes are done a certain way, (2) how security processes benefit personnel and the facility/activity, and (3) how not addressing security issues in a timely manner can create larger problems.
Security personnel • Create a more positive perception of security by interacting with other personnel on a regular basis
(instead of only when there is an event or problem) by: ‒ conducting walkthroughs of the facility to observe and talk to personnel about the importance of
nuclear security and their role in protecting assets. ‒ hosting informal discussions of security policies, personnel’s security concerns, recent events
occurring locally or internationally, etc. ‒ holding informal security get-togethers in open area (e.g. cafeteria) at which security personnel
can interact with other personnel and discuss aspects of security. A personnel code of conduct exists which covers the needs of nuclear security.
Manager and culture coordinator • Develop a code of conduct to use as a motivator that demonstrates the importance of nuclear
security and distribute it to all personnel (see Appendix IV for sample).
This code of conduct can be signed by personnel as a binding obligation to the facility/activity. The signed code of conduct is kept in the individual’s personnel folder with a copy given to the individual.
Personnel are familiar with the code of conduct through ongoing training and awareness sessions.
Culture coordinator • Distributes the code of conduct on a handy reference size document so that it is easily accessible
and can be worn on a lanyard with access badges or easily carried in a pocket. • Posts the code of conduct on walls in communal work areas.
Manager • Reminds personnel of the contents of the code of conduct at meetings or during other discussions.
Personnel • Attend training.
59
Indicator Activity • Ask for clarification of code of conduct, if necessary. • Sign the code of conduct. • Become familiar with code of conduct content. • Conduct themselves in accordance with the code of conduct.
Security is a clearly recognized value in the organization, and management invests adequate resources in security arrangements.
Manager • Evaluates requests for security budget against actual resources allocated and performs cost-risk
analysis to evaluate if resources provided are adequate to achieve acceptable level of risk (whilst complying with regulatory requirements).
• Performs walkthroughs on a regular basis (e.g. weekly) to have discussions with personnel regarding how they value nuclear security.
• Actively solicits suggestions on how to improve nuclear security and gauge level of priority for personnel via participation and interest in other nuclear security culture events such as contests for poster ideas.
• Mentions the importance of nuclear security in formal and informal settings, e.g. meetings, presentations, and lunches.
• Follows all procedures and requirements to provide a strong role model to staff.
Based on feedback received from personnel, managers may allocate resources and work with the culture coordinator to modify existing or include proposed nuclear security culture related activities in the action plan.
Personnel • Provide managers with feedback on security. • Provide suggestions on how to improve nuclear security. • Participate in nuclear security culture events. • Actively engage in discussions on nuclear security.
Security policy is reviewed and updated regularly with participation from senior management.
Manager • Identifies specific times when the nuclear security policy is reviewed and updated appropriately.
These instances would include regular review on a periodic basis (e.g. annually) and when there is a change to: (1) higher level documents (e.g. national-level nuclear security requirements and guidance), (2) threat, (3) mission, etc.
All appropriate departments (security, operations, safety, etc.) are involved in the review and update of the nuclear security policy.
Personnel • Familiarize themselves with the current security policy and make recommendations to update it, as
appropriate.
60
Indicator Activity Processes are in place to identify the mandatory requirements relating to security.
Manager • Receives amendments to State/competent authority nuclear security documents as well as new
requirements that are issued. • Reviews these documents to identify if/where facility/activity written procedures/measures are to
be changed. • Makes the changes to the facility/activity written procedures, has them approved by the appropriate
manager, and distributes to appropriate personnel. • Works with training department representatives to train personnel on the new requirements.
Personnel • Make note of announcements of changes to written procedures. • Successfully complete training as required.
Personnel understand that adherence to the nuclear security policy is expected of them.
Manager • Issues a code of conduct that requires adherence to the nuclear security policy, which personnel are
required to sign. • Works with training department representatives to provide training to personnel on the nuclear
security policy. • Includes a requirement to adhere to the security policy in performance evaluations, job
descriptions, contracts, etc. • Relays their expectation that all personnel are required to adhere to the nuclear security policy by: ‒ Making statements on videotape that are included in personnel training; ‒ Making statements in person at meetings; ‒ Issuing formal memorandums; ‒ Leading by example.
Personnel • Adhere to the security policy. • Appropriately protect information. • Are vigilant in reporting security events. • Successfully complete any required training on the nuclear security policy.
Management personnel are visibly interested in security and integrate it into their daily activities.
Manager • Conducts walkthroughs and discusses security with personnel. • Questions personnel on their knowledge of the security system and encourages ideas on how to
improve security. • Encourages participation in the personnel suggestion programme and security awareness contests. • Issues awards to personnel related to security performance (e.g. letters of recognition). • Holds informal meetings to solicit input from personnel on nuclear security.
61
Indicator Activity
Culture coordinator • Posts nuclear security culture posters in offices and common areas and encourages discussion.
Personnel • Provide feedback to managers on security. • Participate in nuclear security exercises. • Provide suggestions on how to improve nuclear security. • Participate in informal and formal discussions on nuclear security. • Ask questions about nuclear security messages to better understand intent.
Nuclear security policy is kept up to date. Manager • Designates a specific procedure for updating the nuclear security policy. • Identifies specific times when the security policy will be reviewed and updated appropriately.
These instances would include a regular review on a periodic basis (e.g. annually) and when there is a change to: (1) higher level documents (e.g. national-level nuclear security requirements and guidance), (2) threat, (3) mission, etc.
• Checks that the policy is kept up to date.
All affected departments (security, operations, safety, etc.) can be involved in the review and update of the security policy.
Personnel • Recommend updates to the security policy as appropriate.
Regularly held management meetings at the facility/activity adequately cover significant security items.
Manager • Keeps a placeholder for nuclear security to be included as a topic at all meetings and liaise with the
culture coordinator to determine if there is information of substance to be shared.
Personnel • Actively participate in these discussions using this opportunity to request clarification of security
requirements and suggest improvements.
62
Indicator Activity Events related to the threat environment and its potential impact on nuclear security and nuclear security policy are adequately reported to personnel.
Manager and culture coordinator • Educate all security personnel on a daily basis on information related to the threat environment and
the potential impact on nuclear security. • Educate other personnel on a regular basis (e.g. every six months) on unclassified information
related to the threat environment and its potential impact on nuclear security. • Institute a process whereby nuclear security training is updated when changes to threat occur, to
include how this impacts on the nuclear security system.
Manager • Provides immediate information via email, meetings, and newsletters, and suggests what personnel
may need to do differently to address the updated threat. Security personnel and others with key security responsibilities would receive more detailed and sensitive information than other personnel.
Personnel • Take note of the current threat environment. • Know the security procedures relating to the current threat level. • Follow those security procedures. • Report any abnormal events.
There is a well-defined and widely known policy to encourage implementation of the nuclear-security policy, with some professional rewards or recognition directly or indirectly associated with the achievement of its goals.
Manager • Institutes professional rewards associated with nuclear security achievements, such as:
1. Letters of recognition; 2. Certificates of appreciation; 3. Formal awards; 4. Recognition in the performance evaluation process; 5. Pictures of “security” personnel of the month or quarter displayed prominently in common area.
Note: Expecting rewards may not affect the level of performing security tasks. Any reward system will be structured so that it does not drive undesirable behaviour (e.g. personnel do not want to report security events to keep their record clean). Sanctions may also have the same impact (e.g. zero tolerance policy).
Personnel can cite examples from the security policy statements that illustrate their meaning.
Culture coordinator • Institutes a security training feedback process that requires each participant to write a brief
paragraph summarizing the security policy statement and what it means to them a number of weeks after the training has been completed.
Personnel • Study the security policy and request any clarification necessary to understand the intent so they
63
Indicator Activity can put the meaning of the policy into their own words and explain how it influences their day-to-day functions.
Media-based communication systems (Intranet, newsletters, and the like) are used to disseminate the security policy to personnel.
Culture coordinator: • Issues the nuclear security policy through: ‒ Management videos; ‒ Facility newsletters; ‒ A reference section on the security page of the facility website (that can be easily accessed by
personnel and contain relevant security policies, procedures, and general information). 1
III.1.2. Clear roles and responsibilities 2
All personnel have a responsibility for nuclear security within their own area of activity. Personnel need a clear understanding of who 3
is responsible for what in order to achieve effective nuclear security. Stakeholders need to review and update documented roles and 4
responsibilities for each position when change to the organizational structure is being planned and implemented. 5
Indicator Activity The facility/activity has clearly defined and documented roles and responsibilities for all nuclear security positions.
Manager and culture coordinator • Document the roles, responsibilities, and authorities of each position with specific responsibilities
for nuclear security.
Personnel • Receive the appropriate documentation and are familiar with their roles and responsibilities.
Personnel understand their roles and responsibilities for nuclear security and are encouraged to seek clarification when necessary.
Manager • Conducts walkthroughs and promotes an environment that encourages personnel to seek
clarification by asking if they have questions. • Establishes a peer that can act as an interlocutor and problem solver for personnel when they have
questions but feel uncomfortable to ask directly.
Culture coordinator • Provides general information to all personnel (e.g. website providing frequently asked questions). • Discusses the roles and responsibilities of each individual as they relate to nuclear security and ask
questions to ascertain whether they are understood.
Personnel • Review their nuclear security roles and responsibilities.
64
Indicator Activity • Clarify these roles and responsibilities by taking the opportunity to ask managers questions during
walkthroughs. • Access website information and use reference documents. • Interact with security interlocutor when necessary.
Roles and responsibilities are adequately explained to new personnel at initial briefings and/or training sessions.
Manager and culture coordinator • Review initial and general personnel training to ensure that appropriate information is included. • Decide to have training materials updated to add certain information. • Hold a session with new personnel to make sure roles and responsibilities are clear and answer any
outstanding questions.
Personnel • Ask questions at briefings and training sessions to ensure understanding of nuclear security roles
and responsibilities. Responsibility for security is assigned to a senior member of the management team, but all personnel are aware that security is a shared responsibility across the whole facility/activity.
Manager • Identifies board level director or senior executive who is directly accountable for security of the
facility/activity.
All personnel are made aware that security is their responsibility via: • Initial training; • Continuous security and technical training; • Discussions with the culture coordinator and manager; • Bulletins, newsletters, computer alerts, posters, videos, etc.
Personnel actively take responsibility for security by • Protecting their access badges; • Questioning individuals not showing their access authorization; • Following security procedures; • Proposing enhancements to nuclear security; • Respectfully following directions of guard/response force; • Reporting abnormal behaviour and events; • Encouraging their peers to do the same.
All personnel understand potential threats and the security system well enough to accept their role and responsibility relating to nuclear security.
Manager and/or culture coordinator • Provide personnel with appropriate information on threats through:
‒ Initial education and training; ‒ Continuous security and technical training; ‒ Management briefings; ‒ Bulletins and announcements of changes in threats as well as examples of real security events
65
Indicator Activity and trends.
Manager • Provides personnel with opportunities to discuss the credibility of these threats with security
personnel and managers. Manager and culture coordinator • Provide personnel awith appropriate non-sensitive information on malicious capabilities, how the
security system responds, and how personnel respond in case of an abnormal situation. Personnel • Take part in all required training and management briefings, keep up to date on the threat level,
actively discuss credibility of threats and real security events, and know how to respond in an abnormal situation.
Security processes and procedures are clearly defined, so that they are easy to understand, follow, and evaluate.
Manager and culture coordinator • Review security processes and procedures for clarity and request feedback from personnel. • Update security processes and procedures as necessary.
Personnel • Provide feedback on how to make processes and procedures easier to understand.
All personnel know why they are assigned security-related functions, how these functions fit into the broader picture, and what impact they may have on the facility/activity.
Manager • Requires training for security-related functions to provide the “why” behind the security activities,
processes, systems, and procedures, and explain how they fit into the overarching security strategy.
Personnel • Successfully complete the training and ask questions to better understand their function and the
impact it has on the facility/activity. Contractual documents clearly define contractors’ roles and responsibilities in nuclear security.
Manager • Requires the contracting department to include security requirements, including how to handle
sensitive information, in the terms and conditions of the contract. • Requires that each contractor complete general training on security before starting the work under
contract. • Requires that contractors be held responsible for their actions related to nuclear security and
understand that those actions will influence their ability to receive future work with the facility/activity.
• Requires that a record be maintained if they do not follow security regulations (such as access control).
There is a clear understanding within the facility/activity of the security-related levels of authority and lines of communication.
Manager • Issues an organization chart and points of contact for security issues. • Has this information easily accessible to personnel on the internal website.
66
Indicator Activity • Establishes an interlocutor, in each department, who can be contacted with any questions regarding
nuclear security authority and lines of communication without fear of reprisal. The overall responsibility of management for security is readily apparent.
Manager • Distributes this information through organization chart to all personnel. • Provides personnel with a list of important contacts in hard copy and has electronic copy easily
accessible (e.g. on security section of facility/activity internal website). • Informs personnel of this during formal and informal meetings, presentations, lunches, and breaks.
The threat (design basis threat, or DBT) against which nuclear and other radioactive material and associated facilities and associated activities should be protected is determined and well understood by all parties involved in designing, applying, and evaluating the security measures.
State/competent authority • Identifies stakeholders involved in determining the design basis threat and provides training for the
group. • Holds meetings of stakeholders to present information on the design basis threat. • Provides appropriate information from the design basis threat to designers of new
facilities/activities so the security system is built to meet the threats contained in the design basis threat.
Manager • Provides appropriate information from the design basis threat to designers of new
facilities/activities so the nuclear security system is built to meet the threats contained in the design basis threat.
• Provides appropriate training to counter the relevant threats contained in the design basis threat. • Provides appropriate information from the design basis threat to designers, operators, and
evaluators of the nuclear security system. • Educates personnel on the threat. • Takes into consideration details of the design basis threat in every stage of the facility/activity
lifecycle. Systems are in place to examine and make use of the synergies between safety and security.
Manager • Establishes a coordinating body responsible for discussions on a regular basis (e.g. monthly) on
how safety and security can complement each other. • Includes the requirement to consult with security and safety personnel in processes/procedures for
input into projects.
Safety and security personnel • Actively seek to coordinate with each other, learn from each other’s experience to enhance safety
and security, and promote cooperation between the two disciplines to achieve synergy. 1
67
III.1.3. Performance measurement 1
Nuclear security performance measures assist in establishing management expectations for personnel. 2
Indicator Activity The facility/activity uses benchmarks and targets in order to understand, achieve and improve performance at all levels.
Manager • Conducts a baseline analysis and create performance goals to be met that enhance nuclear security.
Note: Expecting rewards may not affect the level of performing security tasks. Any reward system will be structured so that it does not drive undesirable behaviour (e.g. personnel do not want to report security events to keep their record clean). Sanctions may also have the same impact (e.g. zero tolerance policy).
Performance results compared with the targets are regularly communicated to personnel.
Manager • Provides status updates on a regular basis (e.g. quarterly) in personnel meetings and/or in general
email if not sensitive.
Personnel • Track performance results and ask managers what they can do to improve the results.
Action is taken when nuclear security performance does not fully match the goals.
Manager • Develops and implements a documented process on what action is to be taken when security
performance goals are not met. This can include re-evaluating performance goals and preparing an action plan.
• Records, investigates, and analyses security events to determine if there is a systemic problem.
Personnel • Understand nuclear security goals and make recommendations on how to improve performance.
Effective performance leading to better security is rewarded.
Manager • Institutes professional rewards associated with nuclear security achievements, such as: ‒ Letters of recognition; ‒ Certificates of appreciation; ‒ Formal awards; ‒ Recognition in the performance evaluation process; ‒ Pictures of “security” personnel of the month or quarter displayed prominently in common area.
Note: Expecting rewards may not affect the level of performing security tasks. Any reward system will be structured so that it does not drive undesirable behaviour (e.g. personnel do not want to report security events to keep their record clean). Sanctions may also have the same impact (e.g. zero tolerance policy).
68
Indicator Activity Regulatory and independent assessments of security performance are discussed at management and other meetings.
Manager • Invites responsible personnel to report on assessment on a regular basis (e.g. monthly) at
appropriate meetings.
Personnel • Attend these meetings as appropriate to understand nuclear security performance and performance
goals and assist with meeting those goals. The facility/activity actively and systematically monitors performance through multiple means, for example, management walkthroughs, reporting of issues, indicators, trend analysis, benchmarking, industry experience reviews, self-assessments, and performance assessments.
Manager • Establishes reporting systems and grants responsibility for analysis to the appropriate individual(s). • Implements management systems such as exercising contingency plans, and self-assessments as
identified in [5]. • Identifies and supports personnel to attend forums for exchange of good practices and industry
experience reviews. • Conducts walkthroughs to observe personnel performance and effectiveness of the nuclear security
system. • Records, investigates, and analyses security events to determine if there are systemic problems.
Personnel • Report issues and make recommendations on how to improve performance. • Take part in self-assessments.
1 III.1.4. Work environment 2
The physical and psychological work environment has a large impact on how personnel comply with nuclear security requirements 3
and conduct their roles and responsibilities. Good standards in housekeeping generally indicate interested managers and motivated 4
personnel who have pride in their environment. See Appendix VII for criteria of a successful workplace. 5
6 Indicator Activity The work environment is conducive to high standards of performance (e.g. standards of housekeeping, timely provision of equipment and tools).
Manager • Implements a process whereby each position requests the equipment and tools required to perform
their job effectively or confirms they have such equipment and tools. • Implements a housekeeping review programme to rate facilities/activities and provides incentives
for good housekeeping. • Conducts walkthroughs of work area to ensure standards of housekeeping are being met.
69
Indicator Activity
Personnel • Request any additional equipment and tools required to conduct their job effectively. • Keep work areas up to high standards of housekeeping. • Take pride in their work areas.
Personnel are consulted about the ergonomics and effectiveness of their work environment.
Manager • Provides a process, with the appropriate resources, for personnel to request an ergonomics review
of their workplace and have workplace modified appropriately.
Personnel • Request an ergonomics review of their workplace and make sure workplace is modified
appropriately. Texts of guides and procedures are user friendly and understandable to personnel.
Manager • Involves personnel in reviewing guides and procedures to make sure personnel comprehend the
documents and makes sure the documents readily available.
Personnel • Provide feedback if guides and procedures are not user-friendly and easy to understand and make
recommendations on how to improve the documents. Top managers periodically visit staffed security posts. Special attention is paid to periods of reduced activity such as back shift and weekends.
Manager • Conducts walkthroughs to observe what security personnel are doing and show interest in the job
being performed. • Requires reviews and performance testing of procedures as part of the self-assessment
programme.
Walkthroughs will be conducted on a regular basis (e.g. once a week), in a random manner for all shifts in order to help instil vigilance and a sense of importance of the post.
Well established procedures exist for all significant security activities.
Manager • Requires that security personnel map procedures to security activities to ensure all significant
security activities are covered.
Personnel • Advise managers if there is no procedure for a security activity or if the procedure needs to be
updated. Security procedures are not regarded as an excessive burden.
Security personnel • Hold discussions with personnel on a regular basis so it is clear why security procedures are in
place and listen to personnel’s advice on how to make them more effective. Any voiced complaints will be reviewed and feedback will be provided.
70
Indicator Activity
Personnel • Actively participate in discussions and make suggestions on how security procedures can be made
more efficient. Feedback from personnel and contractors is requested and analysed.
Manager • Establishes a formal process (e.g. annual performance review cycle) to request input from
personnel on security concerns. • Analyses personnel input and is held accountable to review the input to and provide feedback. • Establishes a formal process that requires contractors to provide feedback on a regular (e.g. annual
or upon completion of tasks) basis that is also analysed by managers and used to make improvements.
Personnel • Actively provide their feedback on the work environment and how it can be improved.
The work climate supports teamwork and sharing of knowledge.
Manager • Establishes teams and working groups with all levels of personnel to tackle special projects such as
how to improve a specific work process. The team would write up their findings and present them to managers.
• Establishes a mentoring programme to give junior colleagues more visibility and exposure to different skills and knowledge.
• Holds meetings of personnel from various departments to share current activities and exchange good practices and solutions.
Personnel • Participate in special projects. • Act as mentors. • Share current activities as appropriate. • Exchange good practices. • Share successes in overcoming obstacles.
There is a mechanism to monitor and control overtime to prevent adverse security implications.
Manager • Appoints an individual (or individuals) who has responsibility to monitor overtime and put controls
in place that limit workers to international standards so as not to decrease their effectiveness on security responsibilities (e.g. limiting number of double shifts that guard/response force can work).
Personnel • Are aware of limitations on overtime and number of shifts that can be worked, and adhere to these
limitations. Procedures are regularly reviewed and updated based Manager
71
Indicator Activity on personnel input and performance testing results. • Establishes a formal system that requests input from personnel using the procedures on a regular
basis. • Includes input system as an element of the facility/activity performance testing programme to
incorporate results into procedure revision process.
Personnel • Provide input on procedures in regards to efficacy and clarity. • Participate in performance testing and follow-on actions as appropriate.
Designers and operators of security systems ensure that security measures do not compromise safety features.
Manager • Establishes a group of safety, security, and operations personnel that discuss security, safety, and
operational activities on an ongoing basis to help deconflict any issues on a timely basis and establish solutions agreed to by all experts.
• Establishes requirement that all new designs include security and safety in the review process.
Personnel, as experience warrants, • Participate in such discussions and reviews, and recommend solutions when safety and security
requirements conflict. 1
III.1.5. Training and qualification 2
Personnel need to have the skills and knowledge required to perform their nuclear security duties to the desired standards. 3
Indicator Activity A comprehensive nuclear security training programme exists, with requirements and qualification standards established and documented, and communicated to personnel.
Manager • Uses the guidance in this publication as well as other IAEA publications on nuclear security to
ensure comprehensive training programmes exist and are in line with international standards and good practices. Requirements and qualification standards will be established and documented for each position and distributed to the associated personnel.
Personnel • Understand their training requirements and qualification standards and seek training opportunities
that fulfil their requirements and assist them with meeting qualification standards. Participation in training is given a high priority and is not disrupted by non-urgent activities.
Manager • Encourages personnel to attend training and identify backup personnel that can help conduct work
while out of the office for training.
Personnel • Consider training a top priority and successfully complete all required training.
72
Indicator Activity Periodic evaluations of training programmes are conducted and revisions incorporated, as necessary.
The facility/activity’s training department • Has a process in place to receive feedback on instructors and course material after every training
activity. This feedback will be evaluated and course material will be revised on a periodic basis.
Personnel • Complete requested training evaluations and provide constructive comments for the training
material to be revised accordingly. Information about the status of personnel qualifications is easily accessed by those who need to know.
Manager • Maintains records of personnel training and qualification activities so it can be easily determined if
individual requirements have been met.
Personnel • Track their training requirements and keep a record of completed training.
Personnel do not perform work for which they lack the required skills and knowledge.
Manager • Identifies the skills and knowledge required for nuclear security roles and responsibilities so they
can match the right person to the right job.
Personnel • Request training and refresher training, as necessary, to best complete the work they are assigned.
Appropriate physical fitness criteria are established and monitored.
Manager • Establishes appropriate fitness requirements that help ensure personnel can continue to carry out
their required roles and responsibilities. • Works with personnel and training representatives to make sure the affected personnel are tested
against these fitness standards and the results are maintained in their personnel files.
Personnel • Maintain the required fitness standards or report if there is a reason (e.g. medical issue) making
them unable to do so. Top managers periodically visit training sessions. Top manager personnel
• Introduce themselves at the beginning of training sessions when possible and affirm that training is a priority of the facility/activity.
Basic security awareness training instructs personnel on proper workplace security as well as requirements for reporting security violations.
Manager • Ensures that training modules emphasize the importance of each individual being responsible for
security, which includes reporting their errors as well as any clear security infractions, suspicious activity, or abnormal behaviour.
Personnel • Complete all training requirements and know how to report a security violation.
Systems are in place to ensure procedures and Manager
73
Indicator Activity practices learned in training are applied in practice. • Observes personnel conducting work post training.
• Establishes a process to have personnel note how they will incorporate knowledge and skills gained from training into daily job and follow up with personnel after training (e.g. six months post training).
• Requires reviews and performance testing of practices as part of the self-assessment programme.
Training department • Conducts follow-on testing of personnel and refresher training.
Personnel • Implement procedures and practices in accordance with training received.
Leadership skills and best practice in security are included in training programmes for managers.
Training department • Actively seeks out good practices and incorporates them into training.
Manager • Successfully completes security training. • Offers personnel the opportunity to take training that provides leadership skills.
Personnel • Pursue opportunities to participate in leadership training.
See Appendix VI on Leaders and Managers for more information on this topic. Management is committed to providing adequate resources for effective training.
Manager • Checks the number of personnel trained per year against allocated budget and works with training
department to determine if it is adequate for maintaining all necessary security skills and knowledge.
Facility/activity values and practices require security and non-security personnel to participate in refresher training to improve security-related knowledge and skills.
Training department • Incorporates security-related information into training for all personnel at every level.
Personnel • Successfully complete the requirement for refresher security training.
Beliefs and attitudes are considered in security training.
Training department • Analyses and incorporates participant feedback after every security training implementation so as
better to address certain beliefs and attitudes. Personnel recognize that learning is a continuous and ongoing process throughout the facility/activity.
Manager • Develops training plans for different levels of personnel to show that it supports continuous training
programmes.
Personnel
74
Indicator Activity • Pursue training as one way to continuously improve skills and knowledge and provide suggestions
to managers on what training shall be offered. Management is committed to participating in nuclear security courses.
Manager • Identifies at least one nuclear security course to attend each year and presents information from this
course to personnel after attending.
Personnel • Express an interest in the nuclear security training that manager has completed or plans to
complete. Training materials include good practices and lessons learned from security breaches.
Culture coordinator, with the training department • Requests personnel provide them with information on security breaches that can be then researched
and turned into case studies using non-sensitive information. • Conducts independent searches for information on security breaches. • Works with partner organizations to share non-sensitive information on security breaches that can
be used for case studies. • Works with security personnel on how to present lessons learned and good practices that can be
applied to the case studies.
Personnel • Provide the culture coordinator with open-source information on security breaches that they learn
about in good practices exchanges, training sessions, international conferences, newsletters, etc. Personnel can provide feedback to security training. Manager
• Establishes a requirement that each security training courses include a formal evaluation by each participant, which is welcomed by managers and the training department and openly used to improve future training.
Training department • Establishes a feedback system so former training participants can see how their feedback was
incorporated into revised training materials.
Personnel • Complete all evaluation forms and provide constructive criticism.
Training programmes at the facility/activity address security-conscious behaviour as a key element of professionalism.
Manager and the training department • Include characteristics of personnel behaviour from [5], into training to promote a sense of
responsibility into personnel regarding their role in supporting nuclear security. • Include why the role of personnel in enhancing nuclear security is important to build on their sense
of pride.
Personnel
75
Indicator Activity • Are proud of their work and conduct themselves professionally, adhering to all security procedures
and reporting abnormal events Security personnel members are encouraged to share good practices with other facility/activities.
Manager • Approves security personnel to attend good practices exchanges with various organizations. • Approves non-sensitive information for security personnel to share at good practices exchanges.
Personnel • Pursue opportunities to participate in good practices exchanges to share and receive information
that can be used to improve security practices within their facility/activity. The absentee rate during training sessions on nuclear security is low.
Manager • Visits training sessions to signify the importance of the session and conveys the expectation that
those identified to attend actually attend. • Confirms that attendance rate is high, and if not, determines cause(s). • Requires attendance records to be maintained and personally discusses reason for absence with
personnel who do not attend. • Works with training and security department representatives to make nuclear security training
interesting, interactive, and dynamic. For example, guest speakers can be brought in, short tours and demonstrations can be given, and videos can be shown.
Personnel • Attend all required training unless there is a serious impediment. If unable to attend, they arrange
attendance at an alternative time with the training department as soon as possible. Arrangements are in place to enable personnel to avoid gaps in their training if they have to miss relevant modules.
Manager and the training department • Schedule implementation of the same module at various times of the year to allow attendance at
alternative sessions. • Implement computer-based or home-based training that participants can complete on a flexible
timetable. 1
III.1.6. Work management 2
All work is suitably planned and coordinated to prevent compromises to nuclear security. 3
Indicator Activity Work is planned to ensure that the integrity of the nuclear security system is maintained effectively at all times.
Manager • Requires procedure for compensatory measures be developed and implemented before any
maintenance work that may compromise the security system is scheduled.
76
Indicator Activity • Requires procedure that informs all appropriate personnel the expected impact of the maintenance
work on their normal duties (e.g. the central alarm station operator may receive more alarms as usual and will need to assess each one instead of dismissing as innocent due to the maintenance work).
• Requires administrative procedures, such as two-person rule, be implemented as necessary. • Conducts walkthroughs randomly during each shift to personally observe the effectiveness of the
nuclear security system.
Personnel • Inform manager or other appropriate personnel when nuclear security system effectiveness can be
improved and make specific recommendations on how to improve its effectiveness. • Do not perform work that will negatively impact the effectiveness of the nuclear security system
unless appropriate compensatory measures are in place. Compensatory plans are established to address foreseeable events.
Manager • Establishes compensatory plans to maintain effective nuclear security in case of planned loss of
power, performance testing, maintenance outages, etc.
Personnel • Are familiar with compensatory plans and when they may be implemented.
Personnel follow the established plans or seek proper approval to deviate from planned duties and activities.
Manager • Stresses the importance of following procedures using appropriate means such as emails, meetings,
discussions, and poster campaigns. • Encourages personnel to indicate when changing an established plan could be beneficial and when
procedures need to be modified. • Establishes a system through which personnel are encouraged to identify where plans, procedures,
and policies require changes. • Implements a system where work can be stopped by anyone if security requirements cannot be met
or work puts material at risk.
Personnel • Are knowledgeable of the approval process required prior to deviating from planned duties and
activities. • Receive the required approval(s) prior to deviating from planned duties and activities.
Work is planned in sufficient detail to allow personnel to work effectively and efficiently (e.g. resources are matched to demands, spare parts and tools are available when needed).
Manager • Establish a process for personnel to review the resources needed for a particular job and document
confirmation that they are in place before conducting the work.
Personnel
77
Indicator Activity • Review the resources required for a particular job (e.g. radiation protection for guard/response force
while doing exercises) and do not conduct the work if they are not in place. • Know who to contact to receive the required resources.
The interfaces between work groups are considered and addressed during planning.
Manager • Encourages communication between different work groups (especially security material accounting
and control and/or safety) and establish a formal process to address interfaces before conducting work.
Personnel • Understand how objectives of other departments influence work and interface appropriately prior to
conducting work. Cyber systems are developed and maintained to ensure that they are secure, that they are accredited by an appropriate authority and are operated in accordance with procedures.
Manager • Establishes procedures to ensure that computer security is fully integrated as an element of the
overall nuclear security programme. • Establishes procedures to support the security, accreditation, and operation of cyber systems.
Personnel • Protect their passwords and information processed on the computer system. • Comply with all computer security requirements and report suspected vulnerabilities and threats,
such as phishing scams. Security personnel are kept motivated through the training system and incentives.
Manager • Requires regular exercises be conducted. • Holds physical fitness competitions for guard/response force personnel and recognizes the top
competitors in the facility/activity newsletter, bulletin board, etc. • Supports security personnel attendance at education and training (e.g. authorizing leave from duty
station and potential temporary replacement). • Requires security personnel attend training that provides them with a general understanding of the
importance of their tasks, how they impact the effectiveness of the facility/activity nuclear security system, and the consequences of ineffective nuclear security to them, their family, the facility/activity, the environment, and the State.
Security personnel • Participate in exercises. • Pursue training opportunities. • Participate in healthy competition that motivates them to continuously perform their duties
vigilantly. • Understand the importance of their tasks and how they contribute to overall nuclear security.
78
Indicator Activity • Understand the consequences of ineffective nuclear security and how it can affect them and their
families. Management takes action on feedback to counter negative trends in security.
Manager • Immediately holds meetings when negative trends start to arise in security practices. At these
meetings, manager would share with personnel the negative trends, request their ideas on how to change them to be positive, and issue direction on what steps to take to counter the negative trends.
Personnel • Provide recommendations on how to improve nuclear security.
Minor security issues are addressed promptly. Manager • Establishes a procedure that includes a specific time frame within in which security issues are
addressed. For example, if a safe is left unlocked, the manager will notify the responsible person immediately and discuss how this can be avoided in the future.
Personnel • Take action to address minor security issues immediately and put in place a process so the issue
does not happen in the future. Consideration is given to synergies and contradictions among security, safety, and operations in order to avoid negative impact during operation.
Manager • Establishes a coordinating group that includes representatives from security, safety, and operations
that meets on a regular basis to discuss ongoing activities, better understand how each field impacts the others, and quickly come up with solutions to any conflicts.
Personnel • Participate in the coordinating group and discuss security, material accounting and control, safety,
and operational conflicts openly to develop appropriate solutions. The facility/activity has in place written policies, rules, and procedures for recruitment, appraisal, and termination of employment as they pertain to security.
Manager • Incorporates security requirements into written procedures, policies, and rules for recruitment,
performance appraisals, and terminations of employment. For example, certain positions may be subject to trustworthiness checks prior to being employed. Personnel who have access to sensitive information may be required to have a security debriefing prior to termination of employment.
Personnel • Are aware of security requirements associated with their employment and performance evaluation. • Make sure that those requirements are met.
1 III.1.7. Information security 2
Controlling access to sensitive information is a vital part of an effective nuclear security programme. 3
79
Indicator Activity Classification and control requirements are clearly documented and well understood by personnel.
Manager • Establishes a training programme for personnel who will handle sensitive information/assets and
distributes user-friendly documents so personnel can easily reference how to handle, store, and identify sensitive information.
• Identifies point of contact or other resource that can provide current guidance and answer questions on how to protect sensitive documents.
Personnel • Keep up to date on classification and control requirements. • Know who to contact with questions regarding classification and control requirements.
Clear and effective processes and protocols exist for classifying and handling information both inside and outside the facility/activity.
Manager • Establishes process and protocol for protecting and handling sensitive information that complies
with nuclear security regulations. Classified information is securely segregated, stored, and managed.
Manager • Establishes a procedure so all personnel conduct regular checks (e.g. at the end of a workday,
before breaks) to confirm that sensitive information is stored appropriately.
Personnel • Conduct regular checks to confirm sensitive information is securely stored.
Personnel are aware of and understand the importance of adhering to the controls on information.
Manager and security personnel • Include the importance of protecting sensitive information in security training. • Discuss formally and informally the importance of these controls and the impact they could have
on the facility/activity if not adhered to.
Personnel • Know how to access requirements for control of sensitive information and contact the appropriate
managers with any questions. Access to information and assets is restricted to those who need such access to perform their duties, have the necessary authority, and have been subjected to a trustworthiness check commensurate to the sensitivity of the asset.
Manager • Establishes procedures to restrict access to sensitive information and assets and conducts checks
that personnel are adhering to these procedures.
Personnel • Only provide access to sensitive information and assets to those that have the appropriate
authorization. An information and computer security function is established, funded, staffed, and visible.
Manager • Integrates computer security into the overall nuclear security programme and works with computer
personnel to reduce security vulnerabilities. • Appoints a computer security manager.
80
Indicator Activity • Includes budget for computer security activities into the overall budget.
Personnel • Know who to contact with a computer security question, issue, or improvement suggestion.
Management is fully committed to and supportive of computer-security initiatives.
Manager • Discuss in meetings. • Provide budget. • Participate in rollout of initiatives.
Documented IT-security policy covering all information carriers exists and is known to all personnel.
Manager • Includes computer security as essential element in overall nuclear security programme. • Documents computer security policy and stores it in central location in which all personnel can
easily access the most current version. • Distributes policy to all personnel, have them sign acknowledgement of receipt, and pledge to
comply with the policy.
Personnel • Read and become familiar with the computer security policy, sign to acknowledge receipt, and keep
the policy easily accessible as an everyday reminder of requirements. • Actively comply with the computer security policy (e.g. do not share passwords and lock computer
when leaving the work area). • Encourage peers to do the same.
Clear and effective processes, protocols, and procedures exist for operating computer systems both inside and outside the facility/activity.
Manager • Works with computer security personnel to document secure procedures for operating computer
systems from both inside and outside the facility/activity. • Has a group of personnel pilot the procedures to gather feedback on effectiveness before rolling out
the policy on a large scale.
Personnel • Provide feedback on the clarity and user friendliness of procedures for operating the facility/activity
computer system from both inside and outside the facility/activity. • Follow all procedures related to operating the computer system.
Personnel understand and are aware of the importance of adhering to the controls within the computer security programme.
Culture coordinator, computer security manager and the training department • Provide training to personnel using case studies and events where losses of personal and sensitive
information have occurred. • Provide training to personnel explaining the current cyber threats and how personnel can make
computer security more effective.
Personnel
81
Indicator Activity • Participate in training and associated discussions, and understand why it is important to adhere to
computer security requirements. Computer systems are maintained secure and operated in accordance with computer security baseline and procedures.
Computer security manager and personnel • Establish policy for maintenance and operation. • Perform self-assessment and performance tests to assess policy effectiveness.
Computer breaches are regarded by all as serious and undesirable.
Computer security manager and personnel • Share information on worldwide events and their consequences. • Respond immediately to any computer breach and inform all personnel of any new security practice
to be adopted.
Personnel • Review information on computer breaches, share these events with peers, and discuss how to
prevent such breaches within their facility/activity. Computer security requirements are clearly documented and well-understood by personnel.
Manager • Establishes a training programme for personnel who will use the facility/activity computer systems
and distribute user-friendly documents so that personnel can easily reference the requirements. • Has a central location (e.g. section on facility/activity website) where computer policy is stored and
the current version can be easily accessed by personnel.
Personnel • Know how to access current computer security requirements and keep up to date on the actions
needed to comply with the requirements. 1
III.1.8. Operation and maintenance 2
The indicators included in this section cover the technical equipment employed in the nuclear security system (such as material 3
accounting and control, physical protection, and transport security equipment), as well as the broader facility/activity operations and 4
maintenance. 5
Indicator Activity Operation and maintenance are performed according to approved procedures and vendor schedules to ensure that design requirements are not compromised.
Manager • Establishes a maintenance plan and funds the maintenance according to plan. • Establishes operational procedures. • Includes operational experience in maintenance plan and procedures (e.g. take into consideration
historical operational life of each item).
82
Indicator Activity • Conducts performance tests to evaluate procedure implementation effectiveness and function of
devices and equipment. Checklists/detailed procedures are used. Manager
• Develops checklists based on vendor operation and maintenance guides that identify each task to conduct for each item during scheduled preventative maintenance sessions.
• Maintains completed checklists in appropriate file. • Conducts self-assessment to determine if checklists are being used.
Measures are taken as compensation when security equipment is taken out of service for maintenance or when breakdowns occur.
Manager • Develops and implements compensatory measures when security equipment becomes non-
operational. • Establishes a process so appropriate personnel are informed when security equipment is not
working for whatever reason and authorizes that other equally secure alternate measures are taken.
• Establishes a graded approach for how long alternate measures can be in place before maintenance or repair may be completed (e.g. critical parts need to be repaired more quickly).
• Informs personnel of what alternate procedures may be followed. • Conducts self-assessments to confirm that alternate measures have been put in place in a timely
manner and are being followed to reduce the possibility of vulnerabilities.
Personnel • Follow all established security procedures, whether permanent or temporary.
Operational experience of security equipment is considered vital in maintenance and in planning purchases.
Manager • Establishes process to consistently receive operational experience of security equipment and
incorporate it into overall maintenance plan and equipment replacement plan. • Keeps logs to record downtime and cause of downtime for each critical part; this information is
considered when having to purchase replacements. Conservative decision-making principles are applied in making decisions about the operational reliability of security software and hardware.
Manager • Establishes a process in which subject matter expertise is included in decision making. Before
purchases are made, the list of equipment can be sent to appropriate personnel (e.g. operator of associated equipment, maintenance and repair personnel, and security representative) to gather feedback on the items to be purchased. Information such as ease of operation, operational history (malfunctions, false alarms, lifecycle, etc.), ease of maintenance, quantity of maintenance, ease of repair, and user friendliness is factored into future procurements of nuclear security equipment.
Operations and maintenance procedures have been established consistent with the threats defined by the DBT.
Manager • Establishes a process that requires security personnel to work with subject matter experts when
developing operations and maintenance procedures. Work orders for repair and maintenance of security Manager
83
Indicator Activity equipment and hardware are performed expeditiously. • Establishes a record or database to track repair and maintenance of security equipment.
• Conducts self-assessments to evaluate if repair and maintenance is being conducted in accordance with time requirements.
Procedures are used effectively with no tendency to take shortcuts, even if maintenance is running behind schedule.
Manager • Conducts walkthroughs and observes maintenance being performed. • Participates in performance test post maintenance to ensure item in question is performing
effectively. • Emphasizes importance of strictly following maintenance procedures during training sessions, and
in formal and informal settings such as briefings, meetings, lunches, and breaks. There is a system for documenting historical data on equipment and maintenance actions that is used in analysis of reliability and maintenance needs.
Manager • Establishes record or database documenting operation and maintenance data for equipment and
uses when developing maintenance needs and recommendations for procurement of equipment. There are rules in place defining and controlling maximum delay times for repairing security equipment.
Manager • Establishes a list of critical parts that will be replaced immediately to limit vulnerabilities in the
security system. • For each category of noncritical equipment, establishes maximum allowable outage times. • Conducts self-assessments to determine if equipment is being repaired within acceptable
timeframe. Resources are matched to demands so that critical spare parts and tools are available when needed.
Manager • Based on the list of critical spare parts and operational experience, establishes a cache of spare parts
and tools needed to repair nuclear security equipment within the established required timeframes. There are rules for providing compensatory measures when security equipment is out of order or being repaired.
Manager • Establishes procedures for alternate security measures. • Establishes training on procedures for alternate security measures.
Opportunities are provided to hold workplace forums for discussing issues of mutual interest to operations and maintenance personnel.
Manager • Provides formal and informal venues for operations, maintenance, and security personnel to discuss
and resolve issues. 1
III.1.9. Determination of trustworthiness 2
Ref. [10] provides reasoning for implementing a trustworthiness programme. These types of determinations are intended to identify 3
possible insider motivation or behaviour. Identifying potential motivations and abnormal behaviour early allows peers, managers, and 4
the culture coordinator to encourage personnel to seek assistance and get the help they need (e.g. see Section 3.6 of this guidance on 5
84
personnel assistance programmes) before any malicious behaviour is exhibited. Trustworthiness programmes can only be 1
implemented in accordance with national laws. 2
Some States have had good success in implementing post-employment programmes that allow the facility/activity to keep in touch 3
with personnel who have held critical positions in the past (e.g. retirees, temporary personnel). These programmes include having 4
certain managers of the facility/activity continue to interact with these personnel to solicit their expertise and continue to value their 5
experience and dedication to the facility/activity. It is also a way to remind past personnel that they may still have unique knowledge 6
that needs to be protected and to continue to provide them with the support to do so. 7
Indicator Activity Documented personnel screening processes are matched to the risks and threats associated with the specific employment roles and responsibilities. Screening must be conducted, when appropriate, on a regular basis.
State • Establishes a trustworthiness programme that oversees personnel assessments conducted on a
graded approach with stricter measures being placed on those with critical positions (e.g. access to nuclear material, other radioactive material, and sensitive information). These assessments can include employment and personal reference checks, police record checks, medical record checks, and financial record checks. The process may be conducted initially, as personnel are hired into critical positions and on a continual basis as personnel behaviour can change over time. Details of the trustworthiness programme can be determined in line with the actions described in NSS No. 8, Preventive and Protective Measures Against Insider Threats, Sections 2-4.
The process of determining trustworthiness is capable of identifying specific security risk factors, e.g. mental illness and drug/alcohol abuse.
Manager • Implements a trustworthiness programme that complies with State-level regulations/policy. • Certifies medical doctors, psychologists, and testing facilities that can confidentially test
personnel for drug and alcohol dependency and medical or psychological conditions that may potentially adversely affect personnel performance.
• Ensures screening is conducted prior to a person’s employment, then on a periodic basis as determined by the State.
• Secures records of all personnel included in the trustworthiness programme, even after personnel are no longer in the programme.
Personnel • Complete all trustworthiness programme forms and tests in a timely manner and comply with all
trustworthiness programme requirements. Screening processes are rigorously followed, are subject to oversight and auditing, and are required for
Manager • Conducts an assessment of the trustworthiness programme to determine if appropriate screening
85
Indicator Activity and applied to all levels of the facility/activity, including temporary personnel, contractor personnel and visitors.
is conducted of all personnel. For example, temporary personnel may not require in-depth trustworthiness checks if escorted in certain areas of the facility.
Real or apparent failures of the screening processes are appropriately investigated and adjudicated.
State/competent authority • Establishes procedures within the trustworthiness programme to assess effectiveness and ensure
processes are being implemented as was intended within the facility/activity. For example, the head of the facility/activity can provide periodic (e.g. bi-annual) reports on the effectiveness of the programme to the State. The information for these reports can be obtained by using various methods including written questionnaires and surveys completed by personnel in the programme.
Manager • Develops process for investigation and adjustment if programme processes appear to fail.
Personnel are aware of and understand the importance of trustworthiness determination.
Manager • Communicates expectations of the trustworthiness programme to personnel through discussions
with the individual, general emails, or newsletters. • Promotes the screening programme as beneficial to personnel, the facility/activity, and as being in
the best interest of nuclear security. • Holds informal and formal discussions about the importance of trustworthiness determination and
encourages personnel to ask questions if certain elements are not clear. Training is provided to management and other appropriate personnel to guide them in identifying apparent high risk behavioural symptoms, and in applying other similar observational and analytical skills.
State/competent authority • Establishes training for managers and other appropriate personnel on how to identify apparent high-
risk behavioural symptoms that may potentially lead to abnormal behaviour.
The screening process should address factors that might lead to degradation of trustworthiness such as substance abuse, workplace violence or criminal and aberrant behaviour.
State/competent authority • Institutes a screening programme that addresses risk factors identified as a threat to nuclear and
other radioactive material and associated facilities. • Certifies medical doctors and psychologists and employs testing facilities that can test personnel for
drug and alcohol dependency and medical or psychological conditions that may potentially adversely affect personnel performance.
An effective insider threat mitigation programme, coordinated among all aspects of the security and operations facility/activity, is in place.
State/competent authority • Establishes official communication chains and procedures on how to interact with local law
authorities and intelligence officials, along with internal departments (e.g. safety, security, nuclear material accounting and control, human resources), to develop and implement the most effective insider threat mitigation programme.
The process of background checks is periodically reviewed.
State/competent authority • Establishes a regular timeframe (e.g. annually) in which the trustworthiness programme is reviewed
86
Indicator Activity to determine if any changes are required in procedures.
• Documents this review requirement in the procedures supporting the trustworthiness programme. 1
III.1.10. Quality assurance 2
Standard quality assurance and control practices are to be applied to nuclear security. For example, the preparation, issue and 3
updating of procedures will be subject to quality control and the responsibilities for review will be clear. An indicator of a strong 4
nuclear security culture would be that personnel who have to use the procedures are involved in their review. 5
Indicator Activity Assessment processes are in place for the security function.
Manager • Establishes a quality assurance programme for the nuclear security system as one element of
the integrated management system • Establishes procedure to support the conduct of comprehensive performance testing at all
levels (operational, system, force-on-force). • Establishes procedure to conduct self-assessments on a regular basis.
Personnel within the facility/activity understand that the management system is relevant to the security function and to sustaining the nuclear security system.
Manager • Promotes this concept through walkthroughs and discussions at meetings.
Security processes are prepared, documented, and maintained in accordance with recommended quality-assurance standards (recording of formal approval, periodic and planned review, testing, lessons learned, etc.)
Manager • Establishes this requirement in the procedure for preparing security processes. • Conducts self-assessment to ensure compliance with requirements.
Quality-assurance measures are enforced. Manager • Monitors through observations and walkthroughs. • Reviews if events are caused by quality assurance issues.
Quality-assurance procedures are periodically evaluated against best practices for the industry.
Manager • Encourages personnel to attend international meetings regarding good practices. • Have available open-source documents for personnel to review. • Requires evaluation against best practices on a routine basis (e.g. annually).
6
87
III.1.11. Change management 1
Changes in equipment, procedures, organizational structures, and roles and responsibilities can have an impact on the effectiveness of 2
nuclear security. Therefore, each stakeholder will have an effective process in place to understand, plan, implement and reinforce 3
change as it applies to nuclear security. 4
Indicator Activity Change management processes are in place for changes that could affect the security function, whether directly or indirectly.
Manager • Establishes a change management process to verify that changes to operations, nuclear material
accounting and control, nuclear security, or safety processes do not negatively impact another before changes are made. Appropriate representatives within the facility/activity meet on a regular basis (e.g. once a month) and discuss the potential impact of any proposed changes.
• Establish a procedure that requires an evaluation be conducted if implementing a change would require new or revised training.
Manager and Personnel • Do not make changes that could affect the nuclear security without first going through the
established change management process. • Coordinate changes with personnel of all affected areas (e.g. operations, safety, and security).
Changes in such areas as operations, safety and security are coordinated with all potentially affected facility/activity.
Assessments are made of changes to confirm that the desired outcomes have been obtained.
Manager • Establishes a process that requires performance testing be conducted after any change to nuclear
security measures to ensure that all security requirements are met and that nuclear material accounting and control, operations and safety are not negatively impacted.
Personnel • Confirm that nuclear security measures are operating as intended or provide recommendations on
how to achieve the desired outcome. Evaluations are conducted upon completion of the change process to determine if the change affected established security procedures.
Manager • Establishes a process so that the impact of the change on current procedures is evaluated and
authorized personnel are charged with updating the procedures accordingly. The process also includes performance testing of the revised procedures.
• Evaluates if the change triggers new or revised training requirements.
Personnel • Provide their feedback on whether security procedures require revision and how to best update the
procedures. Personnel whose security-related tasks are affected by Manager
88
Indicator Activity changes receive the necessary training to handle the change.
• Establishes a process that, once new training is developed, all personnel affected by the change receive the training.
Personnel • Make sure they are up to date on all required training.
There is clarity about who is responsible and accountable for carrying out security related work.
Manager • Publishes and disseminates organization chart with roles and responsibilities and contact
information. Baseline standards in procedures and facility design are established from which changes are made and documented.
Manager • Establishes a requirement to record each authorized and approved procedure and what changes
were made that make it different from the last version. Before modifying or acquiring hardware, software, and equipment, task analyses are performed which take human factors into consideration.
Manager • Establishes a process where equipment is used on a temporary or pilot basis to analyse human
interaction with the modified and/or new hardware and/or software. • Analyses feedback from the pilot and uses the feedback to improve the process before
implementing on a larger scale.
Personnel • Volunteer to participate in the pilot programme and provide feedback on human factor issues.
Tests are conducted to ensure that replaced or modified equipment performs as expected.
Manager • Establishes operational testing programme that evaluates performance of replaced and modified
equipment. • Documents results of the operational tests and any changes made for equipment to perform as
expected.
Personnel • Request results from equipment tests before operating replaced and modified equipment.
Before implementing changes to procedures, equipment, or facility/activity structure that are likely to affect security, a communication process is established to inform and encourage adherence.
Manager • Establishes a coordinating group that reviews the potential impacts of changes and assesses
whether the effectiveness of the security programme will be impacted. • Notifies personnel prior to the change of the impact it will have on their work and requests
compliance with new requirements.
Personnel • Request clarity on changes and comply with new requirements.
1
89
III.1.12. Feedback process 1
A systematic in-depth analysis of events is necessary, if lesson are to be learned and the root causes identified. Root cause analysis 2
requires that both the direct and indirect causes of events are identified. Past experience has shown that human factors play a large 3
role in many nuclear security events. An indicator of a strong nuclear security culture is that the stakeholder trains personnel to 4
conduct systematic analyses of events and lessons learned are disseminated as appropriate. 5
Indicator Activity Processes are in place to obtain, review and apply available national and international information that relates to the security function and the nuclear security system.
State or competent authority • Requests International Physical Protection Advisory Service missions and IAEA training
workshops.
Security personnel • Sign up for updates from the IAEA and other organizations to receive notifications when new
nuclear security publications and other resources are available. • Participate in national-level exchanges of information on nuclear security.
Manager • Reviews new information received from security personnel and determines if it can be applied
within the facility/activity. Processes are in place to allow and encourage members of the public and personnel to report abnormal conditions, concerns, actual events or near-misses and, where appropriate, reward them.
Manager • Establishes a programme that supports personnel reporting, anonymously if desired, any concerns
relating to nuclear security. • Encourages personnel to report any abnormalities and concerns. • Creates an environment that makes personnel feel comfortable about reporting such concerns. • Provides, when possible, feedback to personnel on the issues reported (e.g. how concern was
addressed). • Rewards, when appropriate, personnel who assisted in major security successes due to their
reporting. • Establishes a phone number and email address that is given to the public so they can report any
concerns and abnormal conditions.
Personnel • Report concerns so they can be addressed and hold manager responsible for providing feedback on
how the concerns were addressed. • Facilitate dissemination of the phone number and email address to the public so they can report
90
Indicator Activity concerns.
Reports are reviewed by management with actions taken to ensure that the facility/activity learns from experience in order to improve its performance.
Culture coordinator and manager • Establish a process that takes the report data and incorporates it into training and promotional
activities, and uses it as lessons learned to improve nuclear security performance. Documented and established review systems for processes and procedures are in place to solicit comments and inputs from all bodies within the facility/activity.
Manager • Establishes process to solicit comments from personnel on processes and procedures.
Personnel • Actively use this process to provide feedback on processes and procedures in order to improve
nuclear security. Feedback is valued and encouraged. Manager
• Establishes process for gathering feedback on a regular basis. • Evaluates feedback in a timely manner and responds, if feasible. • Announces, as appropriate, changes that will be made based on feedback and gives credit to
appropriate personnel. • Conducts walkthroughs and holds informal discussions to elicit feedback from personnel.
Personnel • Provide feedback and hold manager responsible for providing response.
Dissenting views, diverse perspectives, and robust discussion of pending security-related issues and changes are encouraged.
Manager • Holds public and facility meetings to discuss major nuclear security-related issues to request
opinions. • Establishes process to receive anonymous feedback. • Encourages, through formal and informal venues, personnel to provide feedback.
Personnel are requested to critically review procedures and instructions during their use, and to suggest improvements where appropriate.
Manager • Establishes process for personnel to provide feedback on procedures. • Conducts pilot implementations of new and revised procedures with a small set of personnel to
receive their review and feedback before implementing to wider group of personnel. • Announces changes made based on personnel feedback and attributes to personnel review.
Personnel • Provide recommendations on how to improve procedures and instructions and hold manager
responsible for making changes based on the feedback. 1
91
III.1.13. Contingency plans and drills (exercises) 1
Effective nuclear security systems are in a continuous state of readiness to address security events. One important element is the 2
contingency plan that covers responses to unauthorized acts and the exercises that are conducted to practice and assess the 3
contingency plan. 4
Indicator Activity Contingency plans are in place to address the defined threats and responses.
Culture coordinator and the facility/activity • Establish contingency plans in accordance with [2], [3] and [13].
The plans are tested periodically through drills and other means to ensure that they are effective and current, and that the individuals involved are familiar with the plans and their roles.
Culture Coordinator • Trains the appropriate personnel on the contingency plan and their role in implementing the plan.
Facility/activity • Establishes robust performance testing programme to test the contingency plans through exercise
involving as many personnel as possible.
Personnel • Participate in training and drills and request clarification on their role, if necessary.
All security systems are tested periodically to ensure that they are functional and available when needed. Special attention should be paid to systems that are not activated during normal operation.
Facility/activity • Establishes performance testing programme of nuclear security measures. • Conducts self-assessment of testing programme to verify it is being implemented in accordance
with procedures. The human factor in security systems is evaluated periodically to ensure that personnel are alert and available when needed. Special attention should be paid to the human factor during periods of reduced activity such as back shift and weekends.
Manager • Establishes performance testing programme of personnel and procedures. • Conducts walkthroughs randomly during each shift to observe how personnel are performing. • Requests input from personnel on how to keep themselves operating at their most effective levels.
Personnel • Participate in performance testing and provide recommendations on how to keep personnel alert
and equipment operating most effectively. Contingency plans are coordinated with and linked to a relevant national strategy.
Facility/activity • Establishes a procedure that requires contingency plans to flow down from State-level documents
and may require approval by the competent authority. Contingency plans are tested not just with on-site forces but also in coordination with off-site backup forces.
Facility/activity • Establishes procedure and agreements with off-site response force to conduct performance tests of
contingency plans with on-site guard/response forces.
92
Indicator Activity Management is trained to effectively deal with exceptional situations for which no procedures have been devised and when no management supervision is available.
Facility/activity • Complete training on the objectives of the nuclear security system and how to perform in abnormal
situations.
Provisions are in place to ensure that security readiness can be temporarily tightened during times of increased threat (e.g. introduction of additional measures or reduction of access).
Facility/activity • Establishes procedures that document how, when, and why security measures are enhanced in times
of increased threat.
Contingency plans are based on sound human-performance principles.
Facility/activity • Establishes a procedure that requires exercises to be followed by a thorough post-exercise
evaluation to identify if there are any elements of the contingency plan that require personnel to perform beyond their capacity.
• Modifies contingency plans based on evaluation of performance test results and re-evaluates human performance capability of modified section(s) during next exercise.
The facility/activity provides adequate information on potential risks to public authorities such as first responders, the police, the military, medical facilities, and environmental authorities.
Facility/activity • Establishes one-on-one and group discussions with the local public authorities to discuss risks
associated with abnormal situations and steps that can be taken to mitigate that risk.
1
III.1.14. Self-assessment 2
This section, as noted in Ref. [5], covers a system of self-assessment that includes a wide range of nuclear security assessment 3
programmes, root cause analyses, performance indicators, lessons learned, and corrective action tracking programmes that can be used 4
for nuclear security. Indicators listed in Ref. [6] are included here to support nuclear security culture self-assessment. 5
Indicator Activity A nuclear security self-assessment programme is documented with a plan that defines self-assessment processes.
Facility/activity • Develops and implements means and procedures for evaluations, including performance testing.
Identified deficiencies are analysed to identify and correct emerging patterns and trends.
Facility/activity • Has a process to conduct root cause analyses, create corrective action plans, and compare analyses
results over time. Human factor methodologies are incorporated into problem analysis techniques.
Manager • Includes consultation advice from professional psychologists and sociologists specializing in
93
Indicator Activity understanding a wide range of human factor phenomenon in nuclear security activities.
Performance is benchmarked to compare operations against national and international best practices.
Specific data on effectiveness of operations of security programmes may not be publicly available due to sensitive nature of information. However, manager • Supports participation in events at which others are sharing good practices in order to (1) internally
compare their practices and (2) implement any good practices that can make their nuclear security system more effective.
Operational performance is observed to confirm that expectations are being met.
Manager • Conducts walkthroughs of the facility on a periodic basis, including during night shifts and
weekends. Corrective action plans are developed on the basis of self-assessment findings and implementation of these plans is tracked.
Manager • Establishes a procedure that requires corrective action plans be developed as an element of the
facility/activity self-assessment programme. • Establishes a database to record progress of implementation of the corrective action plans and
identify personnel to track and report on progress on a regular basis (e.g. monthly). Assessment of security systems takes into account the current DBT assessment and regulatory requirements.
Manage • Includes in self-assessment programme requirements that the nuclear security system be evaluated
based on the current threat assessment/design basis threat and regulatory requirements. Personnel understand their responsibility for improvements instituted as a result of security assessments.
Manager • Identifies specific personnel responsible for certain corrective actions and discusses with them the
steps they will take to implement the required improvements. Senior management plays a visible role in the promotion, preparation, and conduct of self-assessment.
Senior manager • Hosts a meeting of all personnel to announce the conduct of the self-assessment and requests
everyone’s participation and cooperation, explaining the importance of the evaluation and how it will make nuclear security more effective.
• Meets with the team that will conduct the self-assessment to review assessment plan and area(s) of focus.
• Participates in a set of performance tests to directly observe the nuclear security system in operation.
• Meets with the self-assessment team on a regular basis (e.g. weekly) to receive updates on conduct of evaluation.
Facility/activity looks upon assessments, reviews, and audits as an opportunity rather than a burden.
Manager • Emphasizes the importance of these reviews to all personnel and how they benefit the
facility/activity (e.g. its effectiveness, prestige, ability to continue operating). • Requests feedback from personnel on how reviews can be conducted most effectively and what
other benefits can be achieved. There is an established procedure to continuously Manager
94
Indicator Activity monitor security culture through use of indicators to implement improvements and help prevent the degradation of security culture.
• Establishes a procedure to implement nuclear security culture self-assessments as suggested in [6].
Management measures the extent to which training programmes contribute to improvements in attitudes toward nuclear security.
Manager • Uses the Indicators for Training and Qualification as a focus of a nuclear security culture self-
assessment as detailed in [6]. • Has training personnel issue surveys before and after certain training to identify changes in
attitudes. Self-assessment results are shared to the extent possible throughout the industry as part of the exchange of good practices.
Manager • Supports sharing of non-sensitive self-assessment results through good practices exchanges.
1
III.1.15. Interface with the regulator (and law enforcement bodies) 2
This section focuses specifically on the facility/activity interaction with the competent authority appointed by the State to perform 3
nuclear security oversight. 4
Indicator Activity Information is freely and regularly exchanged between the regulator and the facility/activity.
Culture coordinator • Has regular meetings with the competent authority to understand overall security concerns
(vulnerabilities and threats) and security event trends to apply lessons learned. Information regarding vulnerabilities and threats is mutually relayed in a timely manner.
Culture coordinator • Has regular meetings with the competent authority to understand overall security concerns
(vulnerabilities and threats) and security event trends to apply lessons learned. Regulatory interface roles are clearly defined and interagency processes are streamlined.
Competent authorities • Works to ensure regulatory interface roles are clearly defined and interface processes are
streamlined. Facility/Activity reports nuclear security incidents to the regulator/competent authority.
Manager • Establishes and implements a process to report nuclear security events as required by the
regulations/competent authority. Facility/activity fully understands the regulator’s responsibility.
Manager • Hosts a representative of the competent authority on a regular basis (e.g. every six months) to speak
at a meeting with all personnel on the competent authority’s responsibility and how it affects facility/activity and its personnel, to include a question and answer session.
95
Indicator Activity Facility/activity shows respect for regulator and its mission enjoys visible support and cooperation from management.
Manager • Opens the meetings with the competent authority, emphasizing their support for the competent
authority’s mission. Personnel view the regulatory presence on the site positively.
Manager • Discusses in formal and informal settings with personnel the benefits the facility/activity receives
from the competent authority. 1
III.1.16. Coordination with off-site organizations 2
Interaction with off-site organizations promotes learning from the experience of others and formalizes support required from off-site 3
organizations that help support nuclear security. 4
Indicator Activity Frequent personnel and management level communication is accomplished with local and national organizations involved in nuclear security.
Local and national organizations involved in nuclear security can include: nuclear security support centres of excellence, universities, non-governmental organizations, and think tanks.
Manager • Supports personnel interacting with local and national organizations involved in nuclear security, as
appropriate.
Manager and personnel • Interact with local and national organizations involved in nuclear security by peer reviewing papers
and journal articles on nuclear security, giving presentations on nuclear security, teaching a specific topic at a nuclear security support centre or centre of excellence, mentoring students, giving a guest lecture at a university, or providing input to a research topic.
Written agreements are in place with appropriate organizations to facilitate assistance, communication and timely response to incidents.
Competent authority • Negotiates written agreements with international partners to facilitate assistance and response to
events.
Manager • Negotiates written agreements with various local responders to facilitate timely response to nuclear
security events. Off-site and on-site security exercises are regularly held with lessons learned incorporated into procedures and memoranda of understanding.
Manager • Establishes and implement security exercises on a regular basis (e.g. annually) for all personnel
potentially involved in the response, including primary responders, secondary responders, response leaders, and support personnel.
96
Indicator Activity • Includes requirement for post-exercise evaluation to identify any changes that will be made to
procedures and memoranda of understanding which detail roles and responsibilities of each response organization.
Personnel • Participate in the security exercises and provide feedback and suggestions on changes to be made to
procedures. Contractors are aware of all security procedures after undergoing the relevant training prior to starting work.
Manager • Requires mandatory in-person or computer-based training for contractors prior to starting work for
the facility/activity. • Requires contractors to pass a mandatory test based on the training prior to starting work for the
facility/activity. • Requires the contractor to sign a document stating they are aware of the security procedures and
their responsibility to adhere to them, and for security in general. Outside stakeholders are consistently involved when problems are being solved and decisions are made based on the need to know principle.
Manager • Works closely with the competent authority, when appropriate, to resolve nuclear security related
problems. • Requests input from outside stakeholders (e.g. competent authority, other government departments,
law enforcement, emergency services personnel), as appropriate, to assist in the resolution of nuclear security related problems.
There is a system for communication and cooperation with current and potential suppliers and contractors that covers security-related issues.
Manager • Establishes a procedure so current contractors are included on distribution of appropriate security-
related information. Participation in recognized courses and events (e.g. those convened by the IAEA) is encouraged and supported by management.
State or competent authority • Requests International Physical Protection Advisory Service missions and IAEA training
workshops. • Authorizes personnel to participate in international meetings hosted by such organizations as
IAEA, Global Institute for Combatting Nuclear Terrorism, World Institute for Nuclear Security, Interpol, etc.
Manager • Encourages and supports personnel participation in nuclear security related courses and events as
budget and schedule allow.
Personnel • Request support to attend established nuclear security courses and events.
International publications and reports covering nuclear security are available to relevant personnel.
Manager • Establishes a library (virtual or not) that provides international and national nuclear security
97
Indicator Activity publications and reports.
• Encourages personnel to enhance their knowledge and awareness by reading these publications and reports.
Personnel • Keep up to date on nuclear security issues by reading the publications and reports and discussing
their findings with peers. The facility/activity participates in international cooperation on nuclear-security issues. The competent authority can authorize specific facility/activity participation in nuclear security international cooperation.
Competent authority • Authorizes specific facility/activity participation in international nuclear security cooperation.
Once authorized, the manager • Authorizes personnel to support nuclear security cooperation. • Provides direction for the cooperation. • Remains involved to track progress.
Personnel • Provide recommendations to manager on potential areas of nuclear security cooperation. Once
approved, personnel can participate in nuclear security cooperation and report progress to manager.
Nuclear-security information from international publications is made available, when possible, in the native language.
Competent authority • Works with international organizations to request copies of publications in the native language.
Manager • Requests that publications be translated into native language under international nuclear security
cooperation.
Personnel • Keep up to date on nuclear security issues by reading the publications and reports and discussing
findings with peers. 1
III.1.17. Record keeping 2
Record keeping is an essential characteristic of a nuclear security regime and is closely linked to the quality assurance function, as it 3
ensures that nuclear security documentation is maintained and kept current. 4
Indicator Activity Record keeping is a prerequisite for effective Manager
98
Indicator Activity functioning of the security regime and its assessment. • Establishes a procedure requiring specific recordkeeping for such elements as security functions,
duties, shift turnovers, and access control. • Conducts self-assessment to verify that recordkeeping is being conducted per the procedure.
Personnel • Follow requirements for recordkeeping and conduct random checks to monitor compliance;
personnel will influence their peers to maintain strict records as well. Records and logbooks are user-friendly and easily accessible.
Manager • Requests personnel feedback on user friendliness of recordkeeping procedures. • Establishes a procedure that details required location and accesses procedure for records and
logbooks.
Personnel • Provide feedback to managers on clarity and user friendliness of recordkeeping procedures and
inputting entries into logbooks. Records are analysed, and there is a procedure for obtaining relevant information from current records and logbooks as well as archives.
Manager • Establishes a procedure that details who can access and how they can access information from
records, logbooks, and archives. • Establishes a procedure to analyse records on a regular basis (e.g. weekly or monthly depending on
type of record) to determine if any abnormal situations or trends are occurring. There is a mechanism to protect confidential records. Manager
• Establishes a procedure that defines requirements on how to protect various levels of records, both hard copies and electronic files, due to the sensitive information contained in them.
• Establishes a procedure on how to exchange sensitive information with outside organizations. • Maintains records in secure format but allows authorized people to have access (e.g. the security
managers need to receive visitor personal information to process access authorization). Logbooks are correctly used. Manager
• Establishes a procedure detailing how logbooks are to be completed, reviewed, and checked. • Reviews whether the procedure is being followed by checking during walkthroughs and self-
assessments. 1
III.2. CHARACTERISTICS OF LEADERSHIP BEHAVIOUR 2
III.2.1. Expectations 3
Managers establish performance expectations for nuclear security roles to guide personnel in carrying out their responsibilities. 4
99
Indicator Activity Have and communicate to personnel specific expectations for performance in areas that affect the nuclear security system.
Manager • Issues mission statements and security policy advising personnel of the expectations. • Includes security as a topic of discussion in every meeting to remind personnel of its importance.
Ensure that resources are available to provide effective nuclear security.
Manager • Reviews the budget for security and discusses with personnel implications of funding/not funding
specific requests. • Conducts a cost-benefit analysis to ensure that risk level is acceptable (whilst meeting regulatory
requirements). Lead by example and – as is expected from all personnel – adhere to policies and procedures in their personal conduct.
Manager and personnel • Adhere to all security policies and procedures without complaint or requests/expectations for
exceptions, reinforcing their importance to their subordinates and peers. Personally inspect performance in the field by conducting walkthroughs, listening to personnel and observing work being conducted, and then taking action to correct deficiencies.
Manager • Sets up and informs personnel of scheduled walkthroughs.
Demonstrate a sense of urgency to correct significant security weaknesses or vulnerabilities.
Manager • Requests regular updates on status of corrective actions to address security vulnerabilities. • Requires compensatory measures be implemented immediately until corrective actions are
complete. • Provides the necessary resources for completing the corrective actions to address a significant
security vulnerability as soon as reasonably possible.
Personnel • Report any security vulnerabilities immediately upon discovering them. • Hold manager responsible for correcting significant security vulnerabilities immediately.
Be able to recognize degraded nuclear security conditions and take corrective action.
Manager and personnel • Have appropriate experience and training to effectively recognize nuclear security system
vulnerabilities and work to identify most effective-corrective actions. Management visibly support the high levels of security defined in a security policy or code of conduct.
Manager and personnel • Comply with all nuclear security policies and procedures. • Complete all nuclear security training requirements. Manager • Provide appropriate resources to support effective nuclear security.
Management makes security commitment known to personnel while seeing to it that this commitment translates into daily routine.
Manager and personnel • Comply with all nuclear security policies and procedures. • Complete all nuclear security training requirements.
100
Indicator Activity
Manager • Provide appropriate resources to support effective nuclear security.
Management provides on-going reviews of performance of assigned roles and responsibilities to reinforce expectations and ensure that key security responsibilities are being met.
Manager • Conducts self-assessment focused on roles and responsibilities of nuclear security personnel. • Conducts walkthroughs to observe actions of key security personnel.
Personnel can describe how management inspects worksites to ensure that procedures are being used and followed in accordance with expectations.
Personnel • Informs peers and self-assessment team members how manager conducts walkthroughs of work
areas and observes them to ensure work is in compliance with procedures. Constructive feedback is used to reinforce expected behaviour.
Manager • Provides constructive feedback to personnel during walkthroughs of work areas, during one-on-one
meetings, on written reports, and after performance tests and other nuclear security exercises. Personnel can cite examples of high expectations from senior management regarding security.
Personnel • Understand what is expected from them by senior managers and work to exceed those expectations.
Senior management encourages workforce to look at other facility/activity or other parts of their own facility/activity to see what they can learn from them.
Manager • Shares good practices between facility/activity departments and encourages personnel to share
details so that, if applicable, practice can be implemented in other areas of the facility/activity.
Personnel • Are eager to share their success and good practices to improve overall facility/activity performance.
1 III.2.2. Use of authority 2
Managers establish the responsibility and authority of each position within the nuclear security organization. Leaders do not abuse 3
their authority to override nuclear security requirements. 4
Indicator Activity Designated management demonstrates good knowledge of what is expected of them, recognize and take charge of all adverse security situations or situations in which vulnerability is heightened, e.g. when the security system is degraded or when the threat level is increased.
As soon as a security vulnerability is identified, the manager • Takes an immediate interest and provides leadership as necessary. For example, if the threat level
is increased, hold a personnel meeting providing the updated information (in accordance with information security requirements) and request personnel to be more vigilant, welcoming them to report any unusual activity.
Management makes themselves approachable and allows effective two way communication, and
Manager • Has a written and published “open door” policy, making sure to always provide time in the daily
101
Indicator Activity encourages personnel to report concerns or suspicions without fear of subsequently suffering disciplinary actions.
schedule for personnel to directly report concerns. All such discussions are held in confidence.
Management does not abuse their authority to circumvent security.
Manager • Adheres to all security policies and procedures without complaint or requests/expect exemptions,
reinforcing their importance to personnel. Management spends time observing and coaching personnel at their work locations.
Manager • Conducts walkthroughs of work areas and works with personnel to improve actions and discuss
issues. Management holds people accountable for their behaviour.
Manager • Immediately stops any behaviour that can impact the effectiveness of the nuclear security system
and discusses the event with the subordinate to determine the cause and apply corrective action. • Assesses personnel on nuclear security in their annual performance evaluation. • Applies sanctions, in accordance with established procedure, fairly and evenly.
Vigorous corrective and improvement action programmes are in place, supervised by management.
Manager has implemented corrective and improvement programmes, such as • Personnel suggestion; • Root cause analyses; • Lessons learned.
Manager • Supervises these programmes and encourages personnel to participate appropriately.
Personnel • Provide recommendations on how to improve nuclear security and the nuclear security culture.
Management launches, if necessary, procedures for investigating security problems, seeking advice on the causes thereof, and improvements to be implemented.
Manager • Establishes a procedure and methodology for analysing security events, to include root cause
analyses, and develops a procedure for development of associated corrective action plan. • Sanitizes security events and disseminates lessons learned to discourage similar events from
occurring again. Management must define a strategy to bring information on the current security policy to the attention of personnel.
Manager • Posts security policy as appropriate, maintains it in the nuclear security library, and holds meetings
with personnel to discuss the policy. If possible, senior management prevents personnel downsizing that will affect security, despite financial restraints.
Security personnel • Conduct vulnerability assessments and document any vulnerability that could arise from
downsizing key personnel.
Manager
102
Indicator Activity • Uses this information to actively lobby for additional resources so that a reduction in the number of
personnel does not affect nuclear security effectiveness. Management provides fair treatment of subordinates, understanding that errors are unavoidable, but that security breaches must be analysed and corrective actions implemented.
Manager • Encourages reporting of errors so that mistakes can be corrected and not repeated.
1 III.2.3. Decision making 2
Implementation of a formal and inclusive decision-making process demonstrates to personnel the importance of nuclear security 3
decisions and provides them a sense of ownership. 4
Indicator Activity Management makes decisions when the situation warrants.
Manager • Make decisions in an educated and timely manner within their authority.
Management explains their decisions when possible. Manager • Explain their decisions to personnel, with the understanding that the manager may not be able to
explain all security decisions due to the sensitive nature of some information. Management solicits dissenting views and diverse perspectives, when appropriate, for the sake of strengthening the decision taken.
Manager • Solicit input from personnel, as appropriate, when making decisions.
Personnel • Provide insight and valid ideas for improvement
Management does not shorten or bypass the decision making processes.
Manager • Follows process, allowing that some instances require more immediate decisions than others.
Decisions are made by those qualified and authorized to do so.
Personnel • Make decisions that are within their approved authority of their position.
Security-related decisions from management are seen as reasonable.
Manager • Announces security initiatives to personnel providing an explanation, as appropriate, so that
personnel can better understand why the initiatives are being implemented. Management is actively involved in balancing priorities to achieve timely resolutions.
Manager • Balances priorities such as security, safety, and operations. To achieve timely resolution, the
manager actively gets together with managers of other departments to openly discuss issues and develop commonly agreed-to resolutions.
Management supports and reinforces conservative Manager
103
Indicator Activity decision-making regarding security. • Mentors personnel in considering costs and risk reduction, when making decisions regarding
nuclear security to prevent hasty and costly decisions. 1
III.2.4. Management oversight 2
A strong nuclear security culture is dependent upon the behaviour and attitudes of personnel. Personnel are very strongly influenced 3
by positive supervisory skills. 4
Indicator Activity Management spends time observing, correcting and reinforcing the performance of personnel at their work locations.
Manager • Conducts walkthroughs and provides corrections in a timely, private, and constructive manner.
Comments on high-quality work will also be provided in a timely manner. Constructive feedback is used to reinforce behaviour expected from personnel.
Manager • Conducts walkthroughs to perform oversight and provides corrections timely, privately, and
constructively. Comments on high-quality work will also be provided in a timely manner. Personnel are held accountable for adherence to established policies and procedures.
Manager • Communicates expectations in writing and verbally that all personnel need to adhere to policies and
procedures. Any diversion from the policies and procedures will be written and documented in personnel records, including in performance evaluations.
Personnel are empowered to make technical decisions involving nuclear security matters.
Personnel • Have a written document that specifies their authority to make technical decisions and describes
when decisions need to be elevated to management. Management ensures that they understand the safety and security performance of their facility/activity and take steps to maintain adequate oversight of security.
Manager continuously • Reviews results of self-assessments, independent oversight inspections, and performance tests to
see how reports compare/contrast. • Follows up with questions to personnel regarding results of self-assessments, independent oversight
inspections, and performance tests to delve a level deeper in detail. • Conducts walkthroughs to personally observe performance. • Requests feedback on performance from personnel. • Works with personnel to improve effectiveness of nuclear security system.
Management appreciates the importance of security culture in the accomplishment of security tasks.
Manager • Leads by example and expects workers to look for ways to continuously learn and improve their
performance. • Values learning from others, both within and outside the facility/activity. • Recognizes, respects, and values personnel for their contribution to nuclear security.
104
Indicator Activity • Encourages personnel to make suggestions. • Coaches personnel to improve their performance. • Considers personnel an important part of the facility/activity and pays attention to satisfying
personnel needs, not just achieving technical efficiency. Management ensures that a security-conscious environment permeates throughout the facility/activity.
Manager • Leads by example and expects workers to look for ways to continuously learn and improve their
performance. • Supports the culture coordinator and implementation of the action plan. • Conducts walkthroughs to observe and discusses nuclear security performance. • Discusses lessons learned from security events with personnel. • Motivates personnel to continuously take responsibility for nuclear security and want to improve
nuclear security. • Provides an environment that supports reporting of events and mistakes so they can be corrected
and minimized in future. Management monitors the personnel’s coping skills, stress, and fatigue levels.
Manager • Conducts walkthroughs to observe personnel performance and checks if visibly stressed or
fatigued. • Encourages personnel to seek assistance for coping with stressors (e.g. from the personnel
assistance programme) and approves time off from work accordingly. • Provides an environment that welcomes reporting of abnormal behaviour by peers so personnel can
get the assistance they need. Management helps build trust and promote teamwork within the facility/activity.
Manager • Is honest in their communication and their actions prove it. • Is open to ideas from personnel. • Is responsible and accountable for actions. • Communicates smartly by knowing what to share and what not to share (e.g. personal information). • Treats all personnel equally. • Is compassionate and helps personnel balance multiple priorities. • Appreciates the work done by personnel. • Manages the direction and scope of the work. • Makes the work easier to be successfully completed by removing obstacles. • Uses personnel for various tasks based on their strengths and weaknesses. • Listens to personnel, their concerns, and suggestions.
Personnel • Are open to working with various personnel from the facility/activity and look forward to receiving
105
Indicator Activity different views and new ideas to incorporate into day-to-day operations.
• Welcome new personnel into their work routine and seek mentoring opportunities. Management ensures periodic audits and updates of computer security policy and procedures.
Manager • Participates in review of the computer security procedure and makes sure it includes an ongoing
evaluation process with vulnerability assessments, periodic audits, and continuous improvement. 1
III.2.5. Involvement of personnel 2
Performance is improved when personnel are encouraged to provide their ideas, especially when those ideas are acted upon by 3
management. 4
Indicator Activity Management involves personnel in the risk assessment and decision making processes and other activities that affect them.
Manager • Establishes a team of various nuclear security experts to conduct the facility/activity risk
assessment and provide recommendations. • Holds brainstorming sessions with personnel to generate ideas and alternate solutions, when
making major decisions. During this brainstorming session, the manager ‒ Concentrates on the one issue to resolve; ‒ Entertains all ideas; ‒ Defers judgments until the group has agreed on best ideas.
Personnel • Actively participate in brainstorming sessions and offer managers constructive input and opinions
to assist with the decision decision-making process. Personnel are encouraged to make suggestions and are properly recognized for their contributions.
Manager • Implements a personnel suggestion programme and encourages personnel to participate. • Recognizes performance of personnel via recognition letters, certificates of appreciation, publicized
awards, etc. (See Section 3.6 for additional information.)
Personnel • Actively participate in the personnel suggestion programme and provide constructive suggestions
on how to improve nuclear security and the nuclear security culture. Personnel are actively involved in identification, planning, and improvement of security-related work and work practices.
Manager • Implements a personnel suggestion programme and encourage personnel to participate. • Acts on valid ideas submitted through the personnel suggestion programme and includes personnel
in the planning and implementation stages of the improvement to nuclear security.
106
Indicator Activity
Personnel • Actively participate in the personnel suggestion programme and provide constructive suggestions
on how to improve nuclear security and the nuclear security culture. Personnel report any problem in confidence because they know that questioning attitudes are encouraged.
Manager • Encourages personnel to report concerns. • Acts on the concern and provides personnel feedback on how it was addressed.
Personnel • Report immediately any nuclear security concerns and encourage their peers to report nuclear
security concerns. Systems are in place to ensure it is easy, straightforward, and welcome for personnel to raise issues pertaining to potential or anticipated security-related weaknesses and threats.
Manager • Establishes a process for personnel to report concerns and nuclear security issues. The process
includes a way to report concerns anonymously. • Disseminates information on the process so that personnel understand how to report their concerns
and to whom. • Creates a work environment that encourages personnel to report concerns.
Personnel • Report security-related issues and encourage their peers to do the same
Personnel are able to contribute their insights and ideas to practical problems, and mechanisms are in place to support their contributions.
Manager • Conducts brainstorming sessions. • Implements personnel suggestion programme. • Recognizes personnel that contribute to more effective nuclear security.
Personnel • Submit their recommendations on how to improve nuclear security and the nuclear security culture
and hold managers responsible to provide feedback. Plans are in place to handle labour strikes without unacceptable impact on nuclear security.
Manager • Includes the possibility of labour strikes when developing security and contingency plans so that
procedures cover this scenario and there is a solution that does not incur an unacceptable impact on nuclear security.
• Processes the security and contingency plans through competent authority approvals to receive support for the solution and assistance in case there is a strike (e.g. competent authority could assist in the negotiation of temporarily using another facility’s guard/response force).
1
107
III.2.6. Effective communications 1
One indicator of a strong nuclear security culture is the quality of communication established by managers. 2
Indicator Activity Ensure that communication is valued and that potential blockages in communication are addressed.
Manager • Pursues training on effective communications, skills, and use these in daily operations. • Listens to personnel. • Requests feedback from personnel on a regular basis on how they think communication can be
improved.
Personnel • Listen to managers and provide suggestions on how to improve communication.
Explain the context for issues and decisions when possible.
Manager • Holds meetings with personnel to announce major decisions, explains impact to personnel, and
includes a question and answer session at end of the meeting to address concerns of personnel.
Personnel • Listen to managers and participate constructively in the question and answer session.
Visit personnel at their work locations and also conduct open forum meetings at which personnel can ask questions.
Manager • Conducts walkthroughs of work areas to interact with personnel. • Promotes an environment in which personnel feel free to ask questions. • Conducts meetings that include a question and answer session.
Welcome personnel input and take action, or explain why no action was taken.
Manager • Supports personnel providing recommendations and suggestions through ‒ Implementation of the personnel suggestion programme; ‒ An open door policy (manager is willing to meet individuals to discuss important issues).
• Has an established process to provide feedback to personnel regarding their recommendations and let them know how they were addressed.
Keep personnel informed on high level policy and facility/activity changes.
Manager • Establishes regular (e.g. weekly) meetings of key personnel to inform them of any high-level policy
and facility/activity changes and exchanges status on operations. • Has key personnel disseminate information to other personnel. • Disseminates information on high-level policy and facility/activity changes through email
messages, newsletter articles, and personnel meetings.
Personnel • Take an interest in high level policy and note how changes to it and the facility/activity impact their
108
Indicator Activity day-to-day work.
Personnel are comfortable raising and discussing questions or concerns, because good and bad news are both valued and shared.
Manager • Creates an environment that welcomes personnel raising questions and concerns to continuously
improve nuclear security. • Implements personnel suggestion programme and provides feedback to personnel on their
suggestions. • Does not necessarily act punitively when bad news is delivered but instead works to correct the
issue.
Personnel • Actively report accomplishments as well as issues and concerns to managers to keep them apprised
of current status. • Work with managers to resolve issues and concerns.
Policies are in place that reinforces personnel’s right and responsibility to raise security issues through available means, including avenues outside their chain of command.
Manager • Establishes a list of facility/activity-wide personnel that can be contacted with security issues so
that personnel can be comfortable reporting a problem even if it is in their chain of command.
Competent authority • Establishes a phone number and email address for personnel to report security events to the
regulatory body that they are not comfortable reporting within their facility/activity or have not received feedback from managers regarding their nuclear security concern.
Personnel • First work within their chain of command to report nuclear security concerns and understand other
options to pursue if they do not receive feedback within a realistic timeframe. Management communicates their vision of the status of security often, consistently, and in a variety of ways.
Manager communicates security status to personnel through: • Informational meetings; • Email messages, as appropriate; • Facility/activity newsletter articles, as appropriate.
Personnel • Attend meetings and read security status updates, and; ask managers questions to clarify status.
Clear, unambiguous, and documented definitions of the responsibilities of personnel have been communicated through established channels.
Manager • Works with human resources personnel to have position descriptions noting responsibilities
documented and disseminated to personnel in those positions. • Posts the position descriptions on the facility/activity website so personnel can have easy access.
Personnel • Maintain a copy of their position description and refer back to it when necessary.
109
Indicator Activity The security significance of various rules and procedures is clearly communicated and adequately explained to personnel.
Security personnel • Conduct informal and formal meetings, to include question and answer sessions, with personnel to
discuss why certain security rules and procedures are required. • Welcome personnel to meet with them one on one to clarify significance of security rules and
procedures.
Personnel • Request clarification from security personnel if significance of certain nuclear security rules and
procedures are not clear. All are aware of a policy of clear and unhindered communications, both upward and downward, within in the facility/activity.
Manager • Issues a statement that supports open communication, welcoming personnel to meet to discuss
issues. • Meets with personnel in a timely manner when personnel request meeting.
The system of communication is regularly tested to check that management is being both received and understood by personnel at all levels.
Manager • Conducts walkthroughs and asks personnel what they have been hearing about a certain topic. • Conducts self-assessments in the area of communication. • Notes behaviour by or communication from personnel that shows there is a miscommunication and
works to address issue.
Personnel • Request clarification from managers when they do not understand communications.
Security-related communications are consistent with the confidentiality policy.
Security personnel • Promote awareness of the confidentiality policy through posters, email, procedure posted on
facility/activity website, or discussions in formal and informal meetings. • Discuss with personnel in a general manner communications that did not comply with the
confidentiality policy so that personnel can improve compliance.
Personnel • Reference the confidentiality policy before sending security-related communications to ensure
compliance. • Request clarification on confidentiality policy from security personnel, if they do not understand
requirements. Measures are taken in the facility/activity to avoid groupthink and encourage sharing of opposing views.
Manager • Creates an environment in which personnel feel free to share their ideas. • Structures project teams to have less than 10 members and includes members from different
backgrounds and skill sets. • Holds a long discussion session before any judgment of suggestions proposed by the project team.
110
Indicator Activity • Has the project team come up with two options with justification of each option. • Invites experts external to the team to discuss aspects at various phases of the project. • Invites a devil’s advocate to participate in a session to help vet the two options.
Personnel • Openly share their ideas and listen openly to ideas from other personnel.
Processes are in place to ensure that the experience of senior personnel is shared with new and junior personnel at the facility/activity.
Manager • Establishes a mentoring programme and encourages both mentors and mentees to participate. • Establishes a specific day on which junior personnel can observe senior personnel in their daily
routine. • Establishes regular (e.g. monthly) informal sessions at which senior personnel share experience on
a specific topic. • Creates an environment in which junior personnel are encouraged to seek out advice from senior
personnel and senior personnel share their experience with junior personnel.
Personnel • Seek out opportunities to mentor and to be a mentee • Seek advice and input on specific efforts from senior personnel
1 III.2.7. Improving performance 2
In order to instil vigilance, it is recommended that managers and personnel strive to continuously improve nuclear security 3
effectiveness. Managers establish processes and show by example that they expect personnel to recommend ways to improve. 4
Indicator Activity Personnel at all levels are encouraged to report problems and make suggestions for improving the performance of the nuclear security system.
Manager • Supports implementation of personnel suggestion programme and encourages personnel to make
suggestions to improve nuclear security. • Creates and maintains an environment in which personnel feel comfortable reporting problems. • Provides feedback to personnel on suggestions to improve nuclear security and reports problems
and actions taken/to be taken.
Personnel • Provide suggestions on how to improve nuclear security and the nuclear security culture. • Report problems and encourage their peers to do the same.
The causes of security events and adverse trends are Manager
111
Indicator Activity identified and corrected. • Supports implementation of an event analyses system that tracks root causes and indicates trends.
• Oversees development of any corrective action plan and tracks progress. • Sanitizes information from security events and distributes lessons learned to personnel so security
events can be minimized in the future.
Personnel • Assist in implementation of event analyses and corrective action plan efforts. • Pay attention to information on past events in order to prevent similar security events in the future.
Analysis and follow-up of events or unusual occurrences consider not just the actual but also the potential consequences arising from each incident.
Manager • Oversees the implementation of incident analyses and holds discussions with key personnel to
determine what other consequences could have occurred to determine if additional measures can be incorporated into the nuclear security system to avoid similar events from happening in future.
When an error or event occurs, the question asked is “What went wrong?” not “Who was wrong?” with the focus on improvement, not blame.
Manager • Discusses problems with personnel with the attitude of correcting the problem, not establishing
blame.
Personnel • Immediately report errors so that they can be addressed quickly and not cause other problems.
A process exists for personnel to raise nuclear security concerns directly with immediate management, senior management, and competent authority.
Manager • Implements a personnel suggestion programme under which personnel can submit their concerns
with an option to do so anonymously. • Encourages personnel to report nuclear security concerns within their immediate chain of command
and within the facility/activity management chain, but also informing them there is a process to report concerns to the competent authority, if all else fails.
Personnel • Report concerns first within their immediate chain of command and hold managers accountable for
responding to their concerns. • Know the process of raising concerns with the competent authority.
Relevant security indicators are communicated to personnel.
Security personnel • Hold formal and informal meetings with personnel to relay information on security indicators. • Establish posters that highlight certain security indicators. • Issue reference documents such as booklets that provide information on certain security indicators.
Personnel • Attend the meetings, view the posters, and read the reference documents. • Request clarification of security indicators, when they do not understand the information being
provided is not understood.
112
Indicator Activity Senior management shows that the professional capabilities, values, and experience of personnel are the facility/activity’s most valuable strategic asset for security.
Manager • Considers personnel an important part of the facility/activity and gives attention to satisfying their
needs, not just achieving technical efficiency. See Appendix VII for additional information about how satisfaction in the workplace reduces the probability that personnel will become less reliable or even obstructive, and in extreme cases an insider threat.
• Supports personnel to participate in a mentoring programme. • Requests senior personnel give informal presentations on certain topics. • Recognizes the achievements of personnel. • Provides feedback on ideas, suggestions, and concerns.
Management exhibits a strong commitment to establishing a “learning facility/activity” that values learning from internal and external sources and commits to improving security performances as a result of this learning.
Manager • Supports the establishment and maintenance of a nuclear security library (hard copy, electronic
version, or both) that consists of an international collection of articles, presentations, regulations, books, etc. on nuclear security.
• Encourages personnel to spend time reading reference material and reviewing whether ideas can be applied to the nuclear security system of the facility/activity.
• Encourages and supports personnel to attend international and national good practices exchanges, then report back with any recommendations on application to the facility/activity.
• Supports interaction between disciplines and departments to learn from within the facility/activity. • Supports personnel attending nuclear security training sessions and classes, then report back with
any recommendations on application to the facility/activity.
Personnel • Recommend resources for the facility/activity library, read resources, participate in good practices
exchanges, workshops, training courses, and classes. • Make recommendations to managers on how to use what was learned to improve nuclear security
performance. Management frequently inspects work to ensure that procedures are being used and followed in accordance with expectations.
Manager • Conducts walkthroughs to observe personnel performance and adherence to procedures. • Discusses with personnel the expectation that all nuclear security procedures be followed without
exception.
Personnel • Follow all procedures and report to managers any modifications that need to be made to
procedures. Management provides continuous and extensive follow-through on actions involving security related human performance.
Manager • Provides feedback to personnel on any suggestions submitted to enhance nuclear security
performance and on any concerns raised in a timely manner; continues to provide feedback until
113
Indicator Activity suggestion or concern is closed out.
• Works with security personnel to analyse how new security requirements may impact human performance.
• Works with security personnel to conduct performance testing and self-assessments of human performance as it relates to nuclear security effectiveness.
Personnel • Hold managers responsible for providing feedback on nuclear security improvement
recommendations and addressing any nuclear security concern that was raised. Senior management ensures the analysis of events derives relevant information that can be used for improving security performance.
Manager • Reviews with security personnel the information derived from the security event analysis
programme and how it is being used to improve nuclear security performance. • Seeks input from security personnel on how the process can be improved.
Management and relevant personnel are aware of best practices pertaining to national and international security.
Manager • Supports the establishment and maintenance of a nuclear security library (hard copy, electronic
version, or both), that among other resources contains nuclear security good practices. • Encourages personnel to spend time studying international and national nuclear security good
practices. • Encourages and supports personnel to attend international and national good practices exchanges.
Personnel • Recommend resources for the facility/activity library, read resources, participate in good practices
exchanges. • Make recommendations to managers on how to use what was learned to improve nuclear security
performance. If deviations to a procedure are needed, there is an efficient and effective means to manage it correctly.
Manager • Establishes a procedure on how to handle deviations and exceptions to specific procedures. • Trains personnel on how to manage deviations and exceptions to procedures.
Personnel • Successfully complete training and understand how to handle deviations and exceptions to specific
procedures without compromising nuclear security. Human-factor specialists and psychologists are engaged with the facility/activity.
Manager • Encourages culture coordinator to work with human factor specialists and psychologists to instil
attitudes and beliefs necessary to support continuous improvement of nuclear security. • Includes human factor expert when designing nuclear security systems and upgrades to nuclear
security systems.
114
Indicator Activity • Encourages personnel to use psychologist to discuss issues and methods of how to minimize
stressors. • Uses psychologist to support trustworthiness programme and personnel assistance programme. • Creates an environment where there is no stigma or negative impact of meeting with a
psychologist.
Personnel • Utilize human factor specialists and psychologist expertise as appropriate in projects. • Feel comfortable to utilize use the services of the psychologist within the personnel assistance
programme and encourage their peers to utilize use the services in order to minimize stressors. 1
III.2.8. Motivation 2
There are many references available on how managers and leaders can motivate personnel; this publication provides only a few simple 3
examples. The culture coordinator is encouraged to read additional texts on this topic to develop a more robust approach to motivate 4
personnel to continuously improve nuclear security. In addition, the culture coordinator can consult a stakeholder’s psychologist, if 5
available, for ideas on how to motivate personnel. 6
Indicator Activity Management encourages, recognizes and rewards commendable attitudes and behaviour.
Manager • Acts as a role model by displaying behaviours they want to see in personnel. • Recognizes excellent personnel behavior through reward programmes and on performance
evaluations.
See Section 3.6 of this publication for additional ideas. Management assists in implementing the insider mitigation programme by stressing the responsibility to watch for and report unusual occurrences.
Manager • Shares lessons learned from other insider cases to highlight the threat is real. • Provides an environment in which personnel feel free to report concerns without fear of retribution. • Provides training to personnel on what constitutes abnormal behaviour and how to report it. • Encourages personnel to report unusual occurrences and abnormal behaviour.
Personnel • Understand the insider threat is of great concern. • Report concerns and encourage their peers to do the same. • Successfully complete training and understand how to report abnormal behaviour and other nuclear
115
Indicator Activity security concerns.
Reward systems recognize personnel contributions towards maintaining nuclear security.
Manager • Recognizes personnel contributions towards enhancing nuclear security through reward
programmes and on performance evaluations. Personnel are aware of the systems of rewards and sanctions relating to nuclear security.
Manager • Establishes procedure documenting system of rewards and sanctions relating to nuclear security. • Trains personnel on the system of rewards and sanctions. • Disseminates document detailing system of rewards and sanctions to all personnel. • Maintains description of rewards and sanctions system so that it is easily accessible to personnel
(e.g. posted on facility/activity internet site). • Applies system of rewards and sanctions evenly to all personnel.
Annual performance appraisals include a section on performance and efforts vis-à-vis nuclear security.
Manager • Acknowledges and documents personnel contribution to nuclear security performance on annual
performance appraisals. When applying disciplinary measures in the event of violations, the sanctions for self-reported violations are tempered to encourage the reporting of future infractions.
Manager • Develops nuclear security rewards and sanctions programme so sanctions for violations are issued
on a graded approach, with positive reinforcement provided to those who self-report. • Applies disciplinary measures as required by the authorized procedure and in the same manner
across all personnel. • Promotes an environment that encourages personnel to self-report security violations.
Personnel • Are not afraid to self-report security violations and encourage their peers to do so as well.
Performance-improvement processes encourage personnel to offer innovative ideas to improve security performance and find appropriate solutions.
Manager • Establishes the personnel suggestion programme and encourages personnel to submit
recommendations on how to improve nuclear security performance. • Provides feedback to personnel on their suggestions and informs them of any action taken. • Provides recognition to personnel if suggestion is accepted and enhances nuclear security
effectiveness.
Personnel • Want to submit suggestions on how to improve nuclear security performance and encourage their
peers to do so. Individuals’ expertise and special skills relevant to security are recognized, used, and rewarded by the facility/activity, regardless of their formal standing within the facility/activity.
Manager • Encourages use of personnel with the relevant expertise and skills to most effectively support
nuclear security, no matter what position they hold within the facility/activity. • Provides recognition of special nuclear security skills and expertise held by personnel.
116
Indicator Activity
Personnel • Search for those most qualified personnel to enhance nuclear security within the facility/activity
and include them in nuclear security enhancement efforts. The principles used to reward good performance in security mirror those used to reward good performance in safety and operations.
Manager • Establishes the nuclear security reward system modelled after reward systems used in other areas of
the facility/activity (e.g. safety and operations). Management has taken action to make career paths in nuclear-security management career-enhancing.
Manager • Works with human resources and training department to establish career paths for nuclear security
positions. • Disseminates career paths to personnel in nuclear security positions. • Encourages those personnel to take steps (e.g. training) to develop careers and mentors them on
how to enhance a nuclear security career.
Personnel • Understand the career paths associated with their nuclear security position and work with managers
to develop their career further Personnel can give examples when individuals who transmitted security-related concerns or potential improvements were given public recognition.
Manager • Establishes the personnel suggestion programme and encourages personnel to submit
recommendations on how to improve nuclear security performance. • Provides feedback to personnel on their suggestions and informs them of any action taken. • Provides recognition to personnel if suggestions are accepted and enhances nuclear security
effectiveness. This recognition can be an announcement in a major facility/activity forum, email, newsletter, etc.
Personnel • Want to submit suggestions on how to improve nuclear security performance and encourage their
peers to do so. • Feel free to raise concerns without fear of retribution.
A security-conscious attitude is one of the factors in approving a promotion to management levels.
Manager • Acknowledges and documents personnel contribution to nuclear security performance on their
annual performance appraisal. 1
III.3. CHARACTERISTICS OF PERSONNEL BEHAVIOUR 2
Managers, leaders, and culture coordinators are vital to eliciting the following results from personnel. To foster the desired 3
behaviours, managers, leaders, and culture coordinators conduct themselves as role models and continuously work with personnel on 4
117
these indicators using the approaches and methods identified within this guidance. The activities listed for personnel in the charts that 1
follow are, in actuality, the expected results of a robust nuclear security culture enhancement programme. For the convenience of and 2
as a reminder to personnel, they are included below. 3
III.3.1. Professional conduct 4
Indicator Activity Are familiar with the facility/activity’s professional code of conduct and adhere to it.
Culture coordinator • Works with manager to develop code of conduct for facility/activity (see Section 3.7 and Appendix
IV of this publication for more information on code of conduct). • Disseminates to personnel the code of conduct on pocket-sized cards. • Displays code of conduct on posters in various locations of the workplace.
Manager • Asks personnel questions pertaining to the code and provide an example of how they adhere to the
code.
Personnel • Familiarize themselves with the code of conduct, agree to adhere to it, and inform manager how
they adhere to the code of conduct. Take professional pride in their work. Manager
• Provides timely feedback on work conducted by personnel and emphasizes the importance of their contribution to the facility/activity’s nuclear security.
• Recognizes contribution of personnel to the facility/activity’s nuclear security.
Personnel • Want to impress their peers and managers by conducting their job professionally.
Help each other and interact with professional courtesy and respect.
Manager • Acts as a role model and treats all personnel with professional courtesy and respect. • Assists personnel in their ability to conduct their work by helping to remove obstacles. • Encourages mentoring relationships. • Encourage colleagues and treat them with courtesy and respect.
Most personnel at all levels of the facility/activity are actively and routinely involved in enhancing security.
Culture coordinator • Works with personnel to inform them how they can personally enhance nuclear security.
Manager • Routinely informs personnel of their expectation that they actively and routinely work to enhance
118
Indicator Activity nuclear security.
Personnel • Make it their responsibility to follow all nuclear security procedures. • Make suggestions on how to improve nuclear security. • Report abnormal occurrences and concerns. • Self-report security events. • Successfully complete all nuclear security training. • Encourage their peers to do the same.
Personnel consider the security-related aspects of their work valuable and important.
Culture coordinator • Continuously reinforces with personnel the importance of their role and responsibility in making
nuclear security effective using roundtable discussions, code of conduct, poster campaigns, contests, videos, etc.
• Continuously reinforces with personnel the consequences of ineffective nuclear security and how that personally affects them using roundtable discussions, poster campaigns, contests, videos, etc.
Manager • Continuously reinforces the importance of all personnel contributing to the effectiveness of nuclear
security at meetings, informal discussions, one-on-one settings, performance appraisals, etc.
Personnel • Understand their role and responsibility in supporting the effectiveness of nuclear security. • Understand the consequences of ineffective nuclear security to their job, their family, their country,
and the environment. • Believe their role in supporting nuclear security effectiveness is valued and therefore important.
Personnel have the qualifications, skills, and knowledge necessary to effectively perform all aspects of their security-related jobs and are provided an opportunity to improve them.
Culture coordinator • Works with managers and training personnel to incorporate nuclear security and the nuclear
security culture training requirements into facility/activity training programme for personnel. • Works with training personnel to make sure that all personnel receive the required training, both
initial and recurrent. • Works with training personnel to review training course evaluation forms and participant comments
to determine if training needs to be revised to best meet the needs of personnel.
Manager • Stresses the importance of personnel successfully completing all training requirements. • Authorizes personnel to attend required training. • Encourages personnel to pursue additional training, as appropriate.
119
Indicator Activity
Personnel • Complete all required nuclear security and nuclear security culture training requirements. • Pursue opportunities for additional training and classes that would enhance their ability to conduct
security-related activities effectively. Personnel are prepared to face the unknown and improvise, if necessary.
Manager • Institutes a robust performance testing programme that routinely puts personnel in abnormal
scenarios to hone their ability to wisely improvise if an actual event occurs.
Personnel • Participate in all exercises, discuss results with managers and peers, and consider how reactions can
be improved. Security is considered a respectable and career-enhancing profession for qualified personnel.
Manager • Works with human resources and training department to establish career paths for nuclear security
positions. • Disseminates career paths to personnel in nuclear security positions. • Encourages those personnel to take steps (e.g. training) to develop career and mentors them on how
to enhance nuclear security career.
Personnel • Understand the career paths associated with their nuclear security position and work with managers
to develop their career further. Personnel notify their co-workers when these co-workers are doing something that may downgrade security, even if it is not part of their job.
Culture coordinator • Works with personnel to practice scenarios on how to best tell their colleagues they can enhance
nuclear security performance.
Manager • Routinely informs personnel of the expectation that they actively and routinely work to enhance
nuclear security.
Personnel • Make it their responsibility to follow all nuclear security procedures. • Make suggestions on how to improve nuclear security. • Report abnormal occurrences and concerns. • Self-report security events. • Successfully complete all nuclear security training. • Encourage their peers to do the same.
Personnel contribute to improvements in the training Personnel
120
Indicator Activity programme. • Provide constructive feedback on training evaluation forms.
• Provide recommendations to manager and the culture coordinator on what types of training would enhance their ability to support nuclear security.
• Hold managers accountable for making the changes to the training programme. Security personnel participate in professional organizations and groups, both inside and outside the facility/activity.
Culture coordinator • Encourages security personnel to form a professional group associated with nuclear security within
the facility/activity. • Assists in the establishment of the group (e.g. development of charter). • Assists in planning activities (e.g. bringing in outside guest speakers). • Provides security personnel list of additional professional organizations and groups, external to the
facility, that they can join.
Manager • Encourages security personnel to participate in professional organizations and groups and may
grant time off to attend presentations or assist with payment of fees. • Encourages security personnel to provide presentations, upon clearance and approval, to
professional organizations and groups that support nuclear security.
Security personnel • Become members of professional groups, both inside and outside the facility/activity. • Hold positions within the professional group. • Actively participate in the professional group by giving presentations, helping to arrange guest
speakers, etc. Papers are published and presentations are made by personnel on nuclear-security issues.
Culture coordinator • Encourages personnel to publish papers and make presentations on nuclear security issues by
providing personnel with a list of opportunities (e.g. journals, conferences, workshops). • Assists personnel with processing papers and/or presentations through facility/activity review and
clearance procedure. • Assists personnel with receiving manager approval to make presentations.
Manager • Encourages personnel to publish papers and make presentations on nuclear security issues and
announces opportunities (e.g. journals, conferences, workshops) to do so in meetings. • Takes part in review and clearance procedure. • Grants personnel approval to publish papers and/or make presentations, as appropriate.
Personnel • Pursue opportunities to publish papers and make presentations on nuclear security issues.
121
Indicator Activity • Process papers and/or presentations through facility/activity review and clearance procedure before
submitting papers externally. • Encourage peers to publish papers and make presentations on nuclear security issues.
1 III.3.2. Personal accountability 2
Accountable behavior means that all personnel understand what they have to accomplish, by when, and what results should be 3
achieved. If they cannot execute their tasks as expected, then they are encouraged to inform their manager. 4
Indicator Activity Personnel understand how their specific tasks support nuclear security.
Culture coordinator • Works with managers and human resources personnel to document specific nuclear security tasks
that each position is responsible for and disseminate to personnel. • Continuously reinforces with personnel the importance of their role and responsibility in making
nuclear security effective using roundtable discussions, code of conduct, poster campaigns, contests, videos, etc.
Manager • Continuously reinforces the importance of all personnel contributing to the effectiveness of nuclear
security at meetings, informal discussions, one-on-one settings, performance appraisals, etc. • Works with the culture coordinator and human resources personnel to document specific nuclear
security tasks that each position is responsible for.
Personnel • Have a document they can refer to for specific nuclear security tasks and understand how their
position supports nuclear security. • Request clarification from culture coordinator and/or manager if they do not understand their
specific nuclear security tasks. Commitments are achieved or prior notification of their non-attainment is given to management.
Manager • Creates an environment that welcomes personnel reporting status of commitments, whether positive
or negative. • Does not necessarily act punitively when bad news is delivered, but instead works to correct the
issue.
Personnel • Actively report accomplishments as well as issues and concerns to managers to keep them apprised
122
Indicator Activity of current status of commitments.
• Work with managers to resolve issues and concerns. Behaviour that enhances security culture is reinforced by peers.
Culture coordinator • Acts as a nuclear security role model and reinforces desired behaviours.
Manager • Acts as a nuclear security role model and reinforces desire behaviours. Personnel • Make it their responsibility to enhance nuclear security. • Follow all nuclear security procedures. • Make suggestions on how to improve nuclear security. • Report abnormal occurrences and concerns. • Self-report security events. • Successfully complete all nuclear security training. • Encourage their peers to do the same.
Personnel take responsibility to resolve issues. Culture coordinator • Informs personnel that security is their responsibility through: ‒ Initial training; ‒ Continuous security and technical training; ‒ Discussions with the culture coordinator and managers; ‒ Bulletins, newsletters, computer alerts, posters, videos, etc.
Personnel actively take responsibility for security by • Protecting their access badges/passes; • Questioning individuals not showing their access authorization; • Following security procedures; • Proposing enhancements to nuclear security; • Respectfully following directions of guard/response force; • Reporting abnormal behaviour and events; • Self-reporting security violations.
Personnel consider themselves responsible for security at the facility/activity.
Culture coordinator • Informs personnel that security is their responsibility via: ‒ Initial training; ‒ Continuous security and technical training; ‒ Discussions with the culture coordinator and managers; ‒ Bulletins, newsletters, computer alerts, posters, videos, etc.
123
Indicator Activity
Personnel actively take responsibility for security by • Protecting their access badges/passes; • Questioning individuals not showing their access authorization; • Following security procedures; • Proposing enhancements to nuclear security; • Respectfully following directions of guard/response force; • Reporting abnormal behaviour and events; • Self-reporting security violations.
Personal accountability is clearly defined in appropriate policies and procedures.
Culture coordinator • Works with managers and human resources personnel to include personal accountability for nuclear
security in job position descriptions. • Works with managers and appropriate personnel to include personal accountability for nuclear
security in appropriate policies and procedures.
Personnel • Understand how they are accountable for nuclear security and have easy access to the associated
policies and procedures. • Request clarification from the culture coordinator, managers, and/or human resources personnel if
policies and procedures regarding accountability for nuclear security are not understood. Procedures and processes ensure clear single-point accountability before execution.
Manager • Appoints one position that has accountability for a certain procedure or process before it is
implemented. • Maintains information on which position has accountability for which procedure and process so
that personnel can easily determine point of contact.
Personnel • Know where to find list of positions that have accountability for procedures and processes. • Contact those positions when there is a question regarding a certain procedure or process.
1 2
III.3.3. Adherence to procedures 3
It is important that procedures are followed to avoid repeating errors that have been identified and corrected. In order to assist 4
personnel with adhering to procedures, it is recommended they be clear, up-to-date, readily available, and user-friendly. 5
124
Indicator Activity Personnel adhere to procedures and other protocols, such as information controls.
Culture coordinator • Works to continuously remind personnel of the importance of adhering to all nuclear security
procedures and protocols.
Manager • Continuously reinforces the expectation that personnel will adhere to all nuclear security
procedures and protocols. • Maintains copies of all nuclear security procedures and protocols in a location easily accessible by
personnel so that they can refer to them as necessary.
Personnel • Understand that adherence to procedures and other nuclear security protocols are vital to maintain
the effectiveness of nuclear security, which in turn is vital to national security. • Adhere to nuclear security procedures and protocols and encourage peers to do the same.
Visible sanctions are in place and applied to encourage personnel to follow procedures.
Manager • Establishes a procedure documenting system of rewards and sanctions relating to nuclear security. • Associates sanctions with violations using a graded approach. • Gives positive reinforcement to those that self-report security violations. • Encourages personnel to self-report. • Trains personnel on the system of rewards and sanctions. • Disseminates document detailing system of rewards and sanctions to all personnel. • Maintains description of rewards and sanctions system so it is easily accessible to personnel (e.g.
posted on facility/activity internet site). • Applies system of rewards and sanctions evenly to all personnel.
Personnel • Understand system of rewards and sanctions relating to nuclear security. • Know where to find documentation on the system of rewards and sanctions. • Adhere to nuclear security procedures to avoid sanctions. • Self-report security violations. • Encourage peers to do the same.
Personnel understand the potential consequences of noncompliance with the established rules for facility/activity’s safety and security.
Manager • Establishes a procedure documenting system of rewards and sanctions relating to nuclear security. • Associates sanctions with violations on a graded approach. • Gives positive reinforcement to those that self-report security violations. • Encourages personnel to self-report. • Trains personnel on the system of rewards and sanctions.
125
Indicator Activity • Disseminates document detailing system of rewards and sanctions to all personnel. • Maintains description of rewards and sanctions system so it is easily accessible to personnel (e.g.
posted on facility/activity internet site). • Applies system of rewards and sanctions evenly to all personnel.
Personnel • Understand system of rewards and sanctions relating to nuclear security and the consequences of
noncompliance with the established security and safety rules. • Know where to find documentation on the consequences of noncompliance. • Adhere to nuclear security procedures to avoid sanctions. • Self-report security violations. • Encourage peers to do the same.
The facility/activity’s instructions on security are easy to follow because they are clear, up to date, easily available, and user-friendly.
Culture coordinator • Works with the appropriate personnel to review nuclear security instructions and modify, as
necessary, to be clear, up to date, and user-friendly. • Works with the appropriate personnel to maintain current instructions on website of facility/activity
or other easily accessible location for personnel to readily reference.
Personnel • Provide recommendations on how to improve nuclear security instructions so they are clear, up to
date, and user-friendly. • Know where to access current versions of instructions to use as reference. • Know who to contact to suggest improvement to a nuclear security instruction.
There is a well-established practice of reminding personnel about the importance of following procedures.
Culture coordinator • Implements a continuous awareness campaign on the importance of following nuclear security
procedures via informal and formal discussions, exhibits, posters, videos, contests, newsletter articles, etc.
Manager • Stresses the importance of following procedures by appropriate means such as by emails, through
meeting discussions, and poster campaigns.
Personnel • Understand the importance of following procedures. • Follow procedures without deviations or exceptions. • Encourage their peers to do the same.
Personnel who discover discrepancies in the implementation of security procedures promptly
Culture coordinator • Discusses with personnel the importance of promptly reporting discrepancies in the implementation
126
Indicator Activity report them to management. of security procedures.
Manager • Maintains an environment that is supportive of reporting nuclear security issues and works with
personnel to fix the issue.
Personnel • Report nuclear security discrepancies promptly to managers. • Work with managers to fix the issue. • Encourage peers to do the same.
Personnel show reasonable trust in and acceptance of security procedures.
Culture coordinator • Informs personnel how security procedures are developed (e.g. by a group of experienced experts
using good practices as a foundation) so it is understood they were developed considering all aspects of the facility/activity and there are good reasons for the facility/activity to implement such procedures.
Personnel • Trust and accept the nuclear security procedures. • Request clarification if a procedure or part of a procedure is not understood.
Procedures are immediately available at all work stations.
Culture coordinator • Works with the appropriate personnel to maintain current instructions on website of facility/activity
or other easily accessible location for personnel to readily reference at their work station.
Personnel • Know where to access current versions of instructions to use as a reference at their work station.
Personnel avoid shortcuts in implementing security procedures.
Culture coordinator • Informs personnel how nuclear security procedures are developed (e.g. via group of experienced
experts using good practices as a foundation) so it is understood they were developed considering all aspects of the facility/activity and there are good reasons for the facility/activity to implement all steps in the procedures.
Personnel • Trust and accept the nuclear security procedures. • Request clarification if a procedure or part of a procedure is not understood. • Follow the established process to recommend changes to nuclear security procedures. • Completely follow the security procedure without taking shortcuts. • Encourage peers to do the same.
1
127
III.3.4. Teamwork and cooperation 1
A strong nuclear security culture can best be achieved when there is extensive interpersonal interaction and when relationships are 2
positive and professional. 3
Indicator Activity Teams are recognized for their contribution to nuclear security.
Manager • Recognize performance of teams through a recognition letters, certificates of appreciation,
publicized awards, etc. (See Section 3.6 for additional information.) Personnel interact with openness and trust and routinely support each other.
Culture coordinator • Hosts social and teambuilding events to help create an open environment.
Manager • Communicates honestly and actions prove it. • Is open to ideas from personnel. • Communicates smartly by knowing what to share and what not to share (e.g. personal information). • Treats all personnel equally. • Is compassionate and helps personnel balance multiple priorities. • Appreciates the work done by personnel. • Makes the work easier to be successfully completed by removing obstacles. • Uses personnel for various tasks based on their strengths and weaknesses. • Listens to personnel, their concerns, and suggestions.
Personnel • Are open to working with other personnel in the facility/activity and look forward to receiving
different views and new ideas to incorporate into day-to-day operations. • Welcome new personnel into their work routine and seek mentoring opportunities.
Problems are solved by multilevel and multidisciplinary teams.
Manager • Selects team members with the right skills and qualities from different departments. • Supports interaction between disciplines and departments to learn from within the facility/activity. • Holds brainstorming sessions with personnel to generate ideas and alternate solutions. During this
brainstorming session, the manager ‒ Concentrates on the one issue to resolve; ‒ Entertains all ideas; ‒ Defers judgments until group has agreed on best ideas.
Personnel
128
Indicator Activity • Actively participate in brainstorming sessions and offer managers constructive input and opinions
to assist with the problem-solving process. • Actively participate in multilevel and multidisciplinary teams to solve problems.
Teamwork and cooperation are encouraged at all levels and across and bureaucratic boundaries.
Manager • Encourages personnel to act as a team. • Selects team members with the right skills and qualities from different departments. • Supports interaction between disciplines and departments to learn from within the facility/activity. • Holds brainstorming sessions with personnel to generate ideas and alternate solutions. During this
brainstorming session, the manager ‒ Concentrates on the one issue to resolve; ‒ Entertains all ideas; ‒ Defers judgments until group has agreed on best ideas.
Personnel • Actively participate in teams. • Recommend their peers for specific teams.
Team members support one another through awareness of each other’s actions and by supplying constructive feedback when necessary.
Personnel • Interact with team members and acknowledge their efforts. • Provide constructive feedback when reviewing commitments and team deliverables.
Professional groups appreciate each other’s competence and roles when interacting on security issues.
Personnel • Maintain professional relationships with colleagues.
There are opportunities to exchange security-relevant information within and between units.
Manager • Supports interaction between disciplines and departments to learn from within the facility/activity.
Team members are periodically reassigned to improve communications between teams.
Manager • May reassign personnel so they can gain different experience and input from other team members.
Cross-training among different professional areas and groups is conducted to facilitate teamwork and cooperation.
Manager • Works with the human resources department to establish an effective cross-training programme that
promotes teamwork and cooperation. There are few signs of frustration, resentment, or other symptoms of poor morale within the facility/activity which may impede cooperation among different units, particularly those in charge of safety and security.
Manager • Considers personnel to be an important part of the facility/activity and pays attention to satisfying
their professional needs, not just achieving technical efficiency. • Supports interaction between disciplines and departments to learn from within the facility/activity.
Management and personnel promote and implement measures to ensure cross-pollination of ideas and
Manager • Selects team members with the right skills and qualities from different departments.
129
Indicator Activity measures to maintain security cooperation between facility/activity units.
• Supports interaction between disciplines and departments to cooperate on nuclear security.
Personnel • Recommend peers serve on teams and interact with other disciplines and departments. • Volunteer to serve on teams and interact with other disciplines and departments.
Personnel use a single technical vocabulary to achieve easy interactions.
Culture coordinator • Works with personnel to streamline terminology throughout the facility/activity.
Manager • Reinforces need to streamline terminology throughout the facility/activity at meetings.
Personnel • Work with different disciplines and departments throughout the facility/activity to streamline
terminology to avoid miscommunication. 1
III.3.5. Vigilance 2
The effectiveness of nuclear security depends on the vigilance of personnel. Prompt identification of potential vulnerabilities permits 3
timely and proactive corrective action. 4
Indicator Activity Personnel notice and question unusual indications and occurrences, and report them to management, as soon as possible, using the established processes.
Manager • Works with the training department to provide training on how to detect abnormal behaviour, why
it is important to report abnormal behaviour, how to make such reports, to whom they may be made, and in what time period.
• Works to provide assistance to personnel who exhibit abnormal behaviour.
Personnel • Successfully complete training and know how to report abnormal behaviour. • Report any abnormal behaviour through the established process.
Personnel are attentive to detail. Manager • Reinforce message that neglect or overlooking details can cause greater problems over time and
express that everything personnel do be done thoroughly. This saves time and money in the long run, as well as decreases the probability of creating nuclear security vulnerabilities.
Personnel • Are vigilant when conducting their nuclear security responsibilities and understand the importance
130
Indicator Activity of staying vigilant and paying attention to detail.
Personnel seek guidance when unsure of the security significance of unusual events, observations or occurrences.
Culture coordinator • Offers assistance with providing nuclear security guidance.
Manager • Creates and maintains an environment in which personnel feel free to seek such guidance and
understands the importance of addressing security vulnerabilities.
Personnel • Contact the culture coordinator/manager/security department and discuss concern to clarify if it is a
reportable event. An appropriate questioning attitude is encouraged throughout the facility/activity.
Culture coordinator • Encourages an appropriate questioning attitude of personnel via discussions, posters, videos, etc.
Manager • Encourages personnel to report concerns and question abnormal behaviour. • Acts on the concern and provides personnel feedback on how it was addressed.
Personnel • Report immediately any nuclear security concerns and encourage peers to do the same.
Personnel believe that a credible threat exists. Culture coordinator • Works with training department to incorporate information on credible threat into facility/activity
training programme. • Implements awareness campaign within the facility/activity to stress that a credible threat exists
through formal and informal discussions, poster campaigns, presentations, training sessions, videos, discussions of actual cases, etc.
Personnel • Successfully complete training. • Discuss the existence of a credible threat with the culture coordinator and peers. • Understand and accept there is a credible threat to nuclear and other radioactive material, sensitive
information, associated facilities, and associated activities. Personnel are trained in observation skills to identify irregularities in security procedure implementation.
Culture coordinator • Works with training department to develop and implement training on observation skills for
managers and self-assessment team members.
Manager • Successfully completes training. • Is assigned the responsibility of observing personnel to confirm compliance in procedure
131
Indicator Activity implementation.
Self-assessment team members • Successfully complete training. • Are assigned the responsibility of using observations skills to support self-assessment of procedure
compliance. Personnel are aware of a potential insider threat and its consequences.
Culture coordinator • Works with training department to develop and implement training on mitigating the insider threat. • Implements awareness campaign within the facility/activity focusing on how to mitigate the insider
threat through formal and informal discussions, poster campaigns, presentations, training sessions, videos, discussions of actual cases, etc.
Personnel • Successfully complete training. • Discuss the insider threat with the culture coordinator and peers. • Understand and accept there is an insider threat to nuclear and other radioactive material, sensitive
information, associated facilities, and associated activities. • Take responsibility to mitigate the insider threat.
Personnel avoid complacency and can recognize its manifestations.
Culture coordinator • Implements awareness campaign within the facility/activity focusing on how to avoid complacency
through formal and informal discussions, poster campaigns, presentations, training sessions, videos, discussions of actual cases, etc.
Personnel • Understand the importance of remaining vigilant and motivate their peers to avoid complacency.
Personnel accept and understand the requirement for a watchful and alert attitude at all times.
Culture coordinator • Implements awareness campaign within the facility/activity focusing on the need to stay alert
through formal and informal discussions, poster campaigns, presentations, training sessions, videos, discussions of actual cases, etc.
Personnel • Understand the importance of remaining vigilant and motivate peers to stay alert at all times.
Personnel feel safe from reprisal when reporting errors and incidents.
Manager • Provides an environment in which personnel feel free to report errors and concerns without fear of
reprisal. • Encourages personnel to report errors and concerns.
Personnel • Report errors and concerns and encourage peers to do the same.
132
Indicator Activity A policy prohibiting harassment and retaliation for raising nuclear-security concerns is enforced.
Manager and culture coordinator • Work with human resources personnel to develop and distribute policy prohibiting harassment and
retaliation for raising nuclear security concerns. • Work with human resources personnel to strictly enforce the policy. • Work with training personnel to develop and implement training on the policy for all personnel. • Implement an awareness campaign via small group sessions and posters explaining the policy and
that it will be strictly enforced.
Personnel • Do not harass or retaliate against other personnel who raise nuclear security concerns.
Personnel make decisions and take actions consistent with their responsibilities if a decision must be made before managers arrive on scene.
Culture coordinator • Works with manager and human resources personnel to document specific nuclear security tasks
that each position is responsible for and disseminates to personnel. • Works with training personnel to conduct drills running personnel through various scenarios to
reinforce what decisions they are authorized to make.
Manager • Works with the culture coordinator and human resources personnel to document specific nuclear
security tasks that each position is responsible for. • Authorizes personnel to take actions consistent with their documented responsibilities in case of a
nuclear security event and manager is not available.
Personnel • Have a document that they can refer to for specific nuclear security tasks and understand how their
position supports nuclear security. • Request clarification from culture coordinator and/or manager if they do not understand their
specific nuclear security responsibilities. • Participate in training and drills to better understand their responsibilities during a nuclear security
event. Personnel notify management of any incidents or possible incidents involving a compromise of computer security, or information security breach.
Culture coordinator • Discusses with personnel the importance of promptly reporting any incidents or possible incidents
involving a compromise of computer security or breach of information security.
Manager • Maintains an environment that is supportive of reporting nuclear security issues and works with
personnel to fix the issue
Personnel • Report any incident or possible incident involving a compromise of computer security or breach of
133
Indicator Activity nuclear security.
• Work with managers to fix the issue. • Encourage peers to do the same.
134
APPENDIX IV: SAMPLE NUCLEAR SECURITY CODE OF CONDUCT 1
Below is a sample nuclear security code of conduct. A code of conduct is one way to remind 2
personnel of the importance of their role in enhancing nuclear security. The code of conduct 3
may be issued to all personnel as a document to sign confirming they understand their 4
responsibilities and kept in their personnel file. A pocket version could be provided as a 5
reminder of their responsibilities and the importance of nuclear security. 6
NUCLEAR SECURITY CODE OF CONDUCT 7
Nuclear and other radioactive materials that get into the hands of criminal or terrorist groups 8
present a threat not only to national and international nuclear security but also to our community 9
and the citizens herein, including facility/activity personnel and their families. Proper protection 10
of nuclear and other radioactive materials, associated facilities, associated activities, and 11
sensitive information and assets is the responsibility of all personnel. This requires every 12
person’s vigilance, not just that of personnel who work directly with nuclear and other 13
radioactive materials or nuclear security personnel. All personnel understand that nuclear 14
security applies equally to the protection of sensitive information and assets and the nuclear and 15
other radioactive materials/activities themselves. 16
It is your obligation and responsibility to: 17
1. Know and follow the laws, regulations, and nuclear security procedures and instructions 18
associated with your job. 19
2. Perform your job in a responsible and rigorous manner, recognizing that the consequence 20
of improper job performance may compromise nuclear security. 21
3. Maintain your qualifications at the required level and commit to continuous improvement 22
in your job skills and knowledge of nuclear security. 23
4. Maintain an appropriate questioning attitude regarding every aspect of your job 24
performance. Do not accept or participate in nonstandard operations without proper 25
authority. Take responsibility and report job requirements that may not be in the best 26
interest of nuclear security. 27
135
5. Protect, at all times, your badges/passes, access cards, codes, and passwords that provide 1
you with access to the facility, secure areas, computer systems, and sensitive information 2
and report their loss as soon as possible. 3
6. Respect the work of nuclear security personnel and the guard/response force. 4
7. Uphold the standards of professionalism and be open and honest in all interactions with 5
colleagues, managers, and subordinates. 6
8. Report immediately any violation or infraction of nuclear security protocols, procedures, 7
and instructions, including any inadvertent errors you may have made or observed. 8
9. Report immediately any suspicious events in or around the facility, as well as unusual 9
contacts with facility or non-facility personnel, particularly if any inquiries regarding 10
facility nuclear security measures have occurred. 11
10. Not hesitate to ask questions and challenge assumptions to dispel complacency. 12
13
14
136
APPENDIX V: SUGGESTED TOPICS TO INCLUDE IN MANAGEMENT TRAINING 1
Nuclear security culture for the most part, is driven by management. It is important for 2
management personnel to recognize this and act as positive role models within an enhancement 3
programme. Training courses in management and leadership skills may be provided to those 4
responsible for overseeing nuclear security so that management personnel are equipped with 5
tools to enhance nuclear security and credibly deliver the message that nuclear security is 6
important to personnel. The actions that managers takes will ultimately support continuous 7
improvement to nuclear security and provide a positive work environment, which may help to 8
eliminate disgruntlement and potential insider motivation. 9
Culture coordinators are encouraged to include in the action plan an effort to implement 10
workshops specifically designed for managers. These workshops may provide information on: 11
— The regulatory basis for nuclear security culture 12
— International improvement programmes, including the IAEA nuclear security culture 13
model [5] 14
— Self-assessment of nuclear security culture [6] 15
— Threats to nuclear and other radioactive material, associated facilities, and associated 16
activities, as appropriate 17
— The importance of human factor and its impact on all elements of nuclear security (e.g. 18
physical protection, material accounting and control, sensitive information protection, 19
transport security, computer security, role of guard/response force, contingency plan). 20
These are all important topics related to nuclear security. However, the primary goal of any 21
workshop for managers is to provide the skills and knowledge they need to improve the nuclear 22
security culture in their facility/activity. During manager workshops, skills such as motivation, 23
communication, observation, time management, conflict resolution, and performance evaluation 24
may be analysed and good practices related to these topics may be discussed. 25
137
The following sections provide additional information about these skills. 1
Commitment 2
Success in establishing a strong nuclear security culture will depend to a large degree on the 3
leadership and commitment of management to implement effective nuclear security and the 4
enhancement programme. Managers communicate their priorities via policy and procedures but, 5
most importantly, they communicate their priorities through their actions, decisions, and 6
behaviours. Managers who are visibly committed through their behaviour to nuclear security 7
will have positive impact on their personnel. 8
Motivation 9
In general, personnel want to perform well. A manager’s primary role in this context is to 10
motivate personnel so that they feel valued and contribute to their overall facility/activity. 11
Managers recognize and reward personnel for commendable performance. In doing so, 12
managers create a positive work environment in which productivity is often increased and the 13
potential for personnel becoming disgruntled is decreased. Managers who provide an interesting 14
work environment and make themselves available to mentor and answer questions are more 15
likely to see a positive workplace in which personnel take responsibility for their actions and are 16
generally willing to contribute to the overall improvement of nuclear security. 17
The following suggested motivational checklist may be used by managers within an 18
enhancement programme: 19
— Be visible throughout the facility/activity and perform regular (e.g. weekly) walkthroughs 20
during all shifts 21
— Learn subordinates’ names and spend time building relationships showing interest in 22
personal life 23
— Ask for suggestions about how to improve work processes and environment, training, and 24
additional actions that may be implemented to improve the effectiveness of nuclear 25
security 26
138
— Acknowledge individual and group contributions, celebrate successes, and say thank you 1
when it is deserved 2
— Share as much information as you can (both good and bad) with personnel, as 3
appropriate, in compliance with nuclear security considerations 4
— Hold formal and informal meetings to keep information flowing both ways, and to stress 5
the importance of protecting nuclear and other radioactive material and adhering to 6
nuclear security requirements 7
— Develop personnel’s skills and capabilities 8
— Provide constructive and timely feedback. 9
Managers will be a model for the behaviours and levels of performance they expect. They can 10
keep current with nuclear security trends, and actively and systematically solicit personnel 11
opinions regarding how to improve the morale and performance of personnel and ultimately how 12
to enhance nuclear security. 13
Communication 14
Effective communication is key to maintaining a strong nuclear security culture within a 15
facility/activity. For a manager to get the expected results, the manager will ask clearly and with 16
confidence, and sincerity. Managers will be precise and communicate in a manner that will 17
make it easy for others to understand. 18
Managers will make personnel aware of policies and procedures and the importance of following 19
them. Managers will provide complete and clear directions and expectations, acknowledge 20
individual and group contributions, and provide constructive feedback. In the area of nuclear 21
security, managers will ensure that personnel know which nuclear security roles they are 22
responsible for and embrace the concept that a credible threat exists, that an event could happen 23
at their facility/activity/competent authority, and they need to do everything possible to prevent 24
such an event. 25
One of the keys to personnel performance and job satisfaction is the frequency and quality of his 26
or her interactions with their manager. Work dialogues (e.g. what is said and how it is said to 27
139
personnel) establish the context for managers to say things that encourage or discourage the 1
quality of subordinates’ work, the quality of the product, and the relationship with the customer. 2
Observation 3
Observation is a key method of assessment and one way to identify strengths and areas to 4
improve in nuclear security. Managers can go into the work area to observe and let personnel 5
know that the work they are performing is important. During regular (e.g. weekly) 6
walkthroughs, managers may request feedback from personnel regarding the action plan, nuclear 7
security concerns, and suggested improvements to work processes and environment. 8
Time management 9
Managers in the nuclear field will prioritize responsibilities and the workload to ensure emphasis 10
is on the most important activities. Managers can delegate work, as needed, so that they have 11
time to address critical issues in a complete and thorough manner. It is helpful to generate a “to-12
do” list that is kept in sight while working. Managers can: 13
— Update the to-do list regularly (e.g. daily) 14
— Set priorities on the to-do list using a low, medium, and high urgency rating system; for 15
example, writing an article on nuclear security culture for the facility newsletter may be a 16
low priority while addressing noncompliance of a nuclear security procedure would be a 17
high priority 18
— Leave some uncommitted time 19
— Start by determining which tasks may be delegated. 20
Managers are responsible for ensuring that those working for them have the appropriate time and 21
resources to perform their assigned tasks. 22
Conflict resolution 23
All personnel experience stress. Stress may be positive (e.g. wedding, birth of a child) and 24
negative (e.g. divorce, illness in the family). When stress impacts personnel, distress can occur. 25
Minimizing conflict in the workplace can decrease motivation for personnel to become a 26
140
potential insider who plans a malicious action. Managers may minimize stress in the workplace 1
by applying conflict resolution techniques. To understand the conflict, managers may observe 2
interaction and facilitate communication. Managers will ask questions and listen to the answers. 3
If the manager has already established a culture of open communication and trust, it will be 4
easier to understand the conflict and invite personnel to work together to find a solution. 5
Feedback process 6
Managers continuously encourage personnel to offer suggestions that may improve nuclear 7
security performance. Managers, in return, provide feedback on personnel performance, often 8
and in a timely manner. When offering feedback, managers: 9
— Provide constructive feedback to reinforce expected behaviour 10
— Base comments on documentation, facts, and observations 11
— Do not rely on hearsay, rumour, or second-hand reports 12
— Make any comments/suggestions privately to the person. 13
Attempt to describe the behaviour that is unsatisfactory, rather than judge. Managers encourage 14
all personnel to continuously monitor performance, report problems, and apply lessons learned. 15
Additional information about training for managers is included in Section 3.4 of this publication 16
and in the "Meetings, conferences and symposia" section on the Nuclear Security and Safety 17
page of the IAEA Website. The Nuclear Security Support Centre Network and IAEA 18
International Nuclear Security Education Network may also provide nuclear security culture 19
educational and training resources. 20
21
141
APPENDIX VI: LEADERS AND MANAGERS 1
People make all the difference in the effectiveness of nuclear security. To enhance the level of 2
nuclear security culture, managers may be motivated to make the required changes, provide 3
support to their personnel, and lead change using established approaches. Managers can also 4
empower leaders throughout the ranks and levels of personnel to promote the importance of 5
nuclear security and the personnel’s responsibility for nuclear security. Both leaders and 6
managers are needed to enhance the nuclear security culture. While leaders may exist at any 7
level of personnel, this section focuses on the notion that leadership behaviour may be exhibited 8
by managers. 9
How are leaders different from managers? 10
Managers have formal authority over a group of subordinates. Their position is vested in them 11
by their employer and they are paid to accomplish specific goals and delegate work to their 12
subordinates. 13
The title of leader is not an official position that is bestowed upon an individual. Leaders are 14
personnel who influence peer and manager behaviour, have voluntary followers, and motivate 15
others by appealing to their sense of idealism. If the leader is a manager, s/he will have 16
subordinates as well. 17
An effective nuclear security programme that pursues continuous improvement needs both 18
leaders and managers. The table below gives a sense of the differences between manager skills 19
and leader skills, but there is a spectrum of behaviours that can be exhibited between these two 20
points of the scale. In addition, many people lead and manage at the same time and may display 21
a combination of behaviours. 22
Subject Manager Skills Leader Skills Goal Stability Change
Focus Managing work Leading people
Horizon Short term Long term
Seeks Objectives Vision
Approach Plans detail Sets direction
142
Decision Makes Facilitates
Appeals to Head Heart
Culture Enacts Shapes
Dynamic Reactive Proactive
Direction Existing roads New roads 1 Any person in any position may act as a leader. A strong nuclear security culture needs 2
leadership to proliferate attitudes that support effective nuclear security. Regardless of whether 3
or not the leader is in a management position, a leader may: 4
— Recognize they are not more important than anyone else but their decisions and actions 5
have more impact; for example, their compliance with all nuclear security regulations 6
will more likely motivate other personnel to do the same 7
— Take responsibility for their team’s actions and give credit where it is due 8
— Conduct frequent self-assessments, analyse the results, and take necessary corrective 9
actions. 10
Leading nuclear security culture enhancement 11
This section provides guidance on how personnel, including managers may enhance the nuclear 12
security culture. There are several sources of culture including: 13
— Beliefs, values, and expectations expressed by key leaders 14
— Learning experience of group members 15
— New beliefs brought in by new personnel and leaders. 16
The beliefs, values, and expectations held by managers and leaders are by far the most important 17
source of nuclear security culture. Leaders have the ultimate influence on personnel behaviour 18
through the values expressed in their decisions, priorities, and promotions and how they reward, 19
sanction, applaud, allow, or approve of the behaviours of personnel. A leader is specific in what 20
is to be changed. For example, it may not be clear to personnel what is meant by enhancing 21
nuclear security culture. To promote nuclear security culture, a leader is willing to: 22
143
— Inspire creativity and be open to try new ideas of others 1
— Be team orientated by relying on the help of others 2
— Listen and value opinions 3
— Be accountable and own the change 4
— Recognize efforts as progress is made. 5
Culture is deep-seated and requires an investment of time to be further developed. Leaders are 6
the ones that most influence and manage change within a facility/activity. Leaders identify the 7
desired behaviours that will enhance nuclear security and use the strategies within this 8
publication to strengthen or increase the frequency of those behaviours. In addition, leaders 9
promote the change by stating the benefits and not by stating the negatives. For example, to 10
motivate personnel to prepare for an inspection by stating the regulatory body has the power to 11
close the facility/activity down if it fails does not help morale or the relationship with the 12
regulatory body. Instead, the leader can motivate personnel by approaching an inspection as a 13
way to improve the facility/activity. Edgar Schein identified five primary mechanisms and five 14
secondary mechanisms, noted below, by which leaders change cultures. 15
Five primary change mechanisms used by leaders 16
These are the main visible actions taken by leaders that can effect cultural change. 17
1. What leaders pay attention to, measure and control 18
The values and beliefs of leaders appear in where they place their attention. Personnel pay close 19
attention to what the leader is focusing on and passionate about. For example, if leaders pay 20
more attention to advances in nuclear security technology, personnel may believe that investing 21
in elaborate search equipment is preferred to spending time evaluating the effectiveness of 22
manual searches of personnel exiting a protected area. 23
2. How a leader reacts to critical events and crises within facility/activity 24
Crises, by nature, bring out underlying core values. A crisis may provide an opportunity for a 25
leader to influence nuclear security culture. For example, a fire broke out in a central storage 26
144
facility. Personnel evacuated the building and from the assembly point observed the head of the 1
facility coordinating the actions of emergency responders. Once the fire was out, the head of the 2
facility ensured all personnel were safe and accounted for, and then ordered the conduct of an 3
emergency inventory to account for all the nuclear material. Personnel noted that the head of the 4
facility was managing the response to the emergency, maintaining responsibility for personnel, 5
and assigning a high priority to nuclear security. 6
3. Deliberate role modelling, teaching, and coaching 7
Personnel listen to leaders and carefully watch what they do. If there is a conflict, personnel will 8
believe the leader's actions before they believe the leader’s words. Personnel assume the 9
behaviour of leaders is what is right and imitate them. For instance, leaders who follow all 10
access control procedures to include having their personal effects searched without complaint 11
and showing their identification badges/passes when required, encourage other personnel to 12
automatically follow these nuclear security procedures as well. 13
4. Criteria for allocation of rewards and status 14
Acknowledgement of work well done, recognizes desired behaviour as well as desired results. 15
For example, if a personnel reports a broken tamper indicating device that causes production to 16
be halted until an emergency inventory is complete, that personnel may be rewarded for 17
reporting the nuclear security event and not be sanctioned for halting production. 18
5. Criteria for Selection and Promotion 19
Recruitment and promotion are critical processes for choosing who does what and can be an 20
extreme form of reward. Managers reinforce nuclear security culture by recruiting and 21
promoting personnel who believe there is a credible threat to nuclear and other radioactive 22
materials, associated facilities, and associated activities, and who believe that nuclear security is 23
important to counter that threat and therefore is to be continuously improved. Performance 24
evaluations of personnel may include a rating on nuclear security. 25
Five secondary change mechanisms used by leaders/managers 26
These are additional methods by which a leader may indirectly impact nuclear security culture. 27
145
1. Design and structure 1
The hierarchical organization will have a subtle effect on operations. Leaders are accessible to 2
personnel so as to encourage communication among all. Leaders also encourage interaction 3
between the technical and professional personnel (e.g. scientists and doctors) and the nuclear 4
security personnel (e.g. guard/response force) to create mutual respect and understanding of the 5
importance of their duties. 6
2. Design systems, processes and procedures 7
The systems used also impact how personnel think. These include management systems listed in 8
Ref. [5], performance reviews, and management development/training. Deliberate design of 9
these systems can ensure alignment with desired nuclear security. Many nuclear security 10
procedures are repetitive and can easily lead to complacency. This is considered when 11
developing procedures. For example, a facility can make sure that the guards are not posted in 12
the same location during the same times every day. 13
3. Design of workplaces 14
The environment in which personnel work is important to consider in an enhancement 15
programme. Consistent policy regarding workplace design may be applied so that personnel do 16
not perceive managers as showing favouritism (e.g. to those with larger offices) or being 17
unapproachable. For example, if the office of the head of Security is located near other nuclear 18
security personnel’s offices, they will have more access to each other. The head of Security may 19
perform walkthroughs more often and will have more opportunities to act as a role model who 20
places a priority on nuclear security. 21
4. Stories about important events and people 22
The sharing of events and lessons learned from nuclear security events will go a long way to 23
reinforcing that the threat is real and that the facility/activity is striving for continuous 24
improvement in its nuclear security system programme (for examples, see Appendix I). 25
5. Formal vision or mission statements 26
This is the way leaders most often try to influence personnel and encompasses the heads’ values 27
and philosophy. Vision and mission statements are clear, succinct, and most importantly linked 28
146
to actions that affect the nuclear security culture. An example of a mission statement for an 1
information security department is included below. 2
Example: Information Security Mission Statement 3
The mission of the information security department is to: 4
— Ensure that electronic information is secure 5
— Ensure that all applicable regulations regarding the privacy and security of that data are 6
followed 7
— Support the facility/activity’s mission and policies 8
— Work with facility/activity data owners, subject matter experts, and leaders to understand 9
current and emerging needs regarding information security. 10
The information security department plays a crucial role in the information security process by 11
evaluating nuclear security issues and making suggestions to the head for protecting data and 12
computer systems through policy, education, lessons learned, and resource planning. 13
14
147
APPENDIX VII: STRENGTHENING THE WORK ENVIRONMENT 1
The physical and psychological work environment has a large impact on how personnel perform 2
their work and comply with nuclear security requirements. High job satisfaction reduces the 3
probability that personnel will become less reliable or even obstructive and in extreme cases an 4
insider threat. As is mentioned in Ref. [10], managers recognizes individual and group needs 5
and the relations among personnel so that they may motivate and retain personnel by creating a 6
supportive working environment that reduces and addresses workplace stress. The American 7
Institute of Public Opinion conducted a multi-year global research project in which 80,000 8
personnel were interviewed. It was determined that the following 12 key components make a 9
“great” workplace: 10
1. Expectations – Managers clearly define outcomes while understanding personnel’s 11
individual strengths and weaknesses. Managers encourage personnel to use their 12
strengths and follow their own path to the defined outcome, giving responsibility for the 13
outcome to personnel. Personnel know what is expected of them at work to be 14
successful. 15
2. Materials and Equipment – Managers work with personnel to determine which tools (e.g. 16
computer programme, laptop) they need to be successful. Personnel take on the 17
responsibility to request the equipment they need and understand how it will benefit the 18
facility/activity. Required equipment and tools are provided to personnel in a timely 19
manner. Ergonomics are taken into consideration when designing the workplace. Texts 20
of guides and procedures are user-friendly. 21
3. Maximizing Potential – Managers recognize that a specific talent is required to complete 22
a specific task well and subsequently match personnel with the appropriate skills to the 23
specific task. Personnel feel as though their talents are being used to their fullest 24
potential. 25
4. Feedback – Managers periodically conduct walkthroughs and observe their personnel at 26
work to better provide feedback to personnel. Specific feedback, both positive and 27
148
negative, is provided immediately. Personnel recognize the efforts of their peers and 1
managers. 2
5. Emotional Connection – Great managers genuinely care for personnel and personnel care 3
for their managers and peers. 4
6. Professional Development – Managers attempt to understand talents and communicate to 5
personnel how they may excel. Managers provide tasks that challenge and engage 6
personnel. Personnel accept the challenge, communicate potential issues to the manager, 7
and strive to succeed. 8
7. Sense of Ownership – Managers solicit personnel opinions, especially when making 9
decisions that may affect jobs. Subsequently, managers help personnel understand why 10
the final decision was made, which increases feeling of value to the facility/activity. 11
8. Belief in Mission – Managers communicate to personnel that they belong, are helping to 12
make a difference, and are directly contributing to an important mission. Personnel 13
attempt to connect their personal values with the values of their workplace, which 14
strengthens their sense of loyalty to the facility/activity. 15
9. Performing Quality Work – Managers help personnel identify their role and significance 16
within a team. Personnel recognize that they are part of a team and trust that their peers 17
are committed to performing quality work. 18
10. Valued Relationships – Managers realize that personnel spend the majority of their time 19
in the workplace and therefore look to forge quality relationships at work. Personnel’s 20
sense of loyalty is directly related to these bonds. Personnel value these relationships and 21
feel compelled to perform as part of the team. 22
11. Sense of Contributing – Managers provide quality, individualized feedback to help 23
personnel understand that their contribution is important. Personnel recognize that they 24
have a role and use their talents to further their contribution. 25
12. Opportunities for Growth – Managers understand that an environment of learning fosters 26
innovation and that personnel want to learn and grow. Managers expect personnel to 27
present their new ideas and provide them time and resources to develop those proposals. 28
149
1
150
APPENDIX VIII: EVOLUTION OF NUCLEAR SECURITY CULTURE 1
As stated in Ref. [8]: all organizations involved in the operation of facilities/activities (including 2
the competent authority) can assess the level of nuclear security culture against the following 3
stages. 4
Stage Focus
1 Nuclear security measures are based on rules and regulations
2 Nuclear security becomes a goal
3 Nuclear security can always be improved
5 Stage 1 is often found when the procedural framework to support nuclear security is first created. 6
As the nuclear security programme evolves to Stage 2, the focus is more on internalizing the 7
importance of nuclear security and establishing effective nuclear security as a priority. The third 8
stage corresponds to an emphasis on continuous improvement to achieve and sustain effective 9
nuclear security. 10
In Stage 3, it is understood that the human element is vital to the effectiveness of a nuclear 11
security programme. In addition, managers understands the need to develop a workplace that 12
can cope with frequent change (e.g. to the threat). Continuous review of the threat and 13
evaluation of the effectiveness of nuclear security measures against the current threat are 14
required. This goal encourages managers to become more receptive to ideas on how to improve 15
nuclear security performance by enhancing the nuclear security culture. 16
These three stages of nuclear security culture evolution may seem simplistic. However, each 17
stage is considered totally distinct from each other. It is possible at any one time to exhibit 18
characteristics associated with two or three of the stages. 19
Stage 1: Nuclear security based on rules and regulations 20
In this stage, nuclear security is seen as an external requirement and not as an aspect of 21
operations that will help it to succeed. The external requirements are those of the State, the legal 22
and regulatory framework, and the regulatory bodies. There is little awareness of how 23
personnel’s behaviours, beliefs, and attitudes impact nuclear security. Nuclear security is seen as 24
151
an issue, to be accomplished by compliance with rules and regulations. Some possible 1
characteristics of Stage 1 are: 2
1. Nuclear security problems are not anticipated, but rather reacted to as each one occurs 3
2. Communication between departments and functional areas is poor 4
3. Collaboration and shared decision making is limited 5
4. Personnel who make mistakes are blamed for their failure to comply with the rules 6
5. The role of management is seen as enforcing the rules 7
6. There is little listening and learning and criticism is met with a defensive position 8
7. There is an adversarial relationship between managers and their subordinates 9
8. Personnel are rewarded for compliance. 10
Stage 2: Nuclear security becomes a goal 11
In this stage, nuclear security is considered to be an important goal, even in the absence of 12
external requirements. Although there is growing awareness of how attitudes, beliefs, and 13
behaviours impact the effectiveness of nuclear security, this aspect is largely missing from 14
security management, which generally concentrates on technical and procedural solutions. 15
Nuclear security is dealt with in terms of goals, with accountabilities for achieving the goals 16
specified. It is often discovered that after a period of time, when nuclear security trends have 17
improved, a plateau of effectiveness is reached. Some possible characteristics of Stage 2 are: 18
1. There is growing awareness of the impact of nuclear security culture, although it is not 19
understood why added controls and training do not yield the expected nuclear security 20
improvements 21
2. Management encourages interdepartmental and interfunctional communications 22
3. Management’s response to mistakes is to introduce more controls and procedures, and to 23
provide more retraining 24
4. The role of manager is to make sure that goals are achieved and that work objectives are 25
clear to personnel 26
152
5. There is willingness to learn from external groups, especially new techniques and good 1
practices 2
6. The relationship between personnel and manager is adversarial, although there may be 3
some opportunities to discuss common goals 4
7. The interaction of personnel and technology is considered, but more from the viewpoint 5
of increasing the efficiency of the technology 6
8. There is some teamwork 7
9. Problems are addressed in a reactive mode, although there may be more anticipation of 8
potential problems in the planning process. 9
Stage 3: Nuclear security can always be improved (nuclear security is the norm) 10
In Stage 3, an idea has been adopted that continuous improvement is necessary to maintain 11
effective nuclear security and the viability of the facility/activity and competent authority. There 12
is a strong emphasis on communications, training, management style, and improving efficiency 13
and effectiveness. Personnel understand the impact of human factor and nuclear security culture 14
on nuclear security. Some possible characteristics of this stage are: 15
1. A process is in place to evaluate potential future problems and address them proactively, 16
rather than simply reacting to them as they occur 17
2. Teamwork and cooperation is actively pursued at all levels and across departmental 18
boundaries 19
3. Nuclear security is a priority and therefore, there are minimal conflicts among the goals 20
of safety, nuclear security, and mission (e.g. production) 21
4. Nuclear security can be improved by continual self-assessment; almost all mistakes are 22
viewed as an opportunity to understand and correct the root cause rather than find 23
someone to blame 24
5. In addition to ensuring compliance with regulations, a process is in place to continuously 25
evaluate and improve upon performance 26
153
6. Leaders show by personal example and direction that they expect workers to look for 1
ways to learn and improve their performance 2
7. Learning from others is valued; processes exist for obtaining, reviewing and applying 3
experience from internal and external sources; frequent personnel and management level 4
communication is accomplished with local and national stakeholders involved in nuclear 5
security 6
8. Managers recognize, respect, and value personnel for their contribution to nuclear 7
security 8
9. The relationship between manager and personnel is mutually supportive; personnel are 9
encouraged to make suggestions and are properly recognized for their contributions while 10
management’s role is seen as coaching personnel to improve their performance 11
10. Personnel are aware of the impact and the main principles of nuclear security culture are 12
considered in decision making 13
11. Personnel are rewarded for improving processes as well as achieving results; processes 14
are in place to allow and encourage personnel to report abnormal events as well as 15
recommend enhancements and, where appropriate, reward them 16
12. Personnel are considered to be an important part of the stakeholder organization and 17
attention is given to satisfying their needs, not just achieving technical efficiency. (See 18
Section 3.6 on trustworthiness programme and personnel assistance programme which 19
also help to minimize stress and mitigate insider threat. Also, see Appendix VII for 20
additional information about how satisfaction in the workplace reduces the probability 21
that personnel will become less reliable or even obstructive, and in extreme cases an 22
insider threat.) 23
The time required to achieve these stages is variable. Much depends on the commitment and 24
effort that personnel are prepared to make to bring about change. Sufficient time is needed for 25
the benefits from changed practices to be realized and become mature. Change in is rarely 26
simultaneous or uniform. A rule-based approach should not be viewed negatively; there will be 27
circumstances where strict compliance with rules is essential such as when responding to an 28
154
emergency. Nuclear security culture is not incompatible with having strict rules; much of culture 1
is about complying or conforming to norms. 2
3
155
REFERENCES 1
[1] INTERNATIONAL ATOMIC ENERGY AGENCY, Objective and Essential Elements 2
of a State’s Nuclear Security Regime, IAEA Nuclear Security Series No. 20, Vienna (2013). 3
[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations 4
on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5), 5
IAEA Nuclear Security Series No. 13, Vienna (2011). 6
[3] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations 7
on Radioactive Material and Associated Facilities, IAEA Nuclear Security Series, No. 14, 8
Vienna (2011). 9
[4] Convention on the Physical Protection of Nuclear Material, INFCIRC/274/Rev.1, IAEA, 10
Vienna (1980). Amendment to the Convention on the Physical Protection of Nuclear Material, 11
GOV/INF/2005/10-GC (49) INF/6, IAEA, Vienna (2005). 12
[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Culture, IAEA 13
Nuclear Security Series No. 7, Vienna (2008). 14
[6] INTERNATIONAL ATOMIC ENERGY AGENCY, Technical Guidance for Self-15
Assessment of Nuclear Security Culture in Facilities and Activities that Use Nuclear and/or 16
Radioactive Material, Technical Guidance in preparation (NST026). 17
[7] INTERNATIONAL ATOMIC ENERGY AGENCY, How to Continuously Improve 18
Safety Culture, Applying Organizational Science to Enhance Safety, Safety Report in 19
preparation. 20
[8] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Culture in Nuclear 21
Installations: Guidance for Use in the Enhancement of Safety Culture, IAEA TECDOC 1329, 22
Vienna (2002). 23
[9] INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Continual 24
Improvement for Facilities and Activities: A Structured Approach, IAEA TECDOC 1491, 25
Vienna (2006). 26
156
[10] INTERNATIONAL ATOMIC ENERGY AGENCY, Preventive and Protective Measures 1
Against Insider Threats, IAEA Nuclear Security Series No. 8, Vienna (2008). 2
3
157
GLOSSARY 1
Associated activity: The possession, production, processing, use, handling, storage, disposal or 2
transport of nuclear material or other radioactive material. 3
Associated facility: A facility (including associated buildings and equipment) in which nuclear 4
material or other radioactive material is produced, processed, used, handled, stored or disposed 5
of and for which an authorization is required. 6
Competent authority: A governmental organization or institution that has been designated by a 7
State to carry out one or more nuclear security functions. 8
Contingency plan: Predefined sets of actions for response to unauthorized acts indicative of 9
attempted unauthorized removal or sabotage, including threats thereof, designed to effectively 10
counter such acts. 11
Culture coordinator: A person or group of people who is/are officially appointed to lead the 12
effort to enhance nuclear security culture. 13
Facility/activity: An associated facility or associated activity. 14
Human factor: The complex of all individual and collective human physical, psychological, and 15
behavioural properties that interact with technological systems, management organizations, and 16
natural environments. 17
Indicator: A security culture characteristic that can be observed or measured to compare with 18
criteria as a means of assessing the strength of the nuclear security culture. 19
Insider: An individual with authorized access to associated facilities or associated activities or to 20
sensitive information or sensitive information assets, who could commit or facilitate the 21
commission of criminal or intentional unauthorized acts involving or directed at nuclear material, 22
other radioactive material, associated facilities or associated activities or other acts determined 23
by the State to have an adverse impact on nuclear security. 24
Leader: An individual, at any level and in any position, who acts as a role model and guides 25
other personnel to achieve a common goal. 26
158
Nuclear security culture: The assembly of characteristics, attitudes and behaviour of 1
individuals, organizations, and institutions which serves as a means to support, enhance and 2
sustain nuclear security. 3
Nuclear security culture enhancement group: A group of representatives from the nuclear 4
security stakeholders, as identified by the State or competent authority that sets the strategy to 5
enhance the nuclear security culture and provides high-level oversight of its implementation. 6
Nuclear security event: An event that has potential or actual implications for nuclear security 7
that must be addressed. 8
Nuclear security regime: A regime comprising: 9
— The legislative and regulatory framework and administrative systems and measures 10
governing the nuclear security of nuclear material, other radioactive material, associated 11
facilities, and associated activities. 12
— The facilities/activities within the State responsible for ensuring the implementation of 13
the legislative and regulatory framework and administrative systems of nuclear security. 14
— Nuclear security systems and nuclear security measures at the facility/activity level, 15
transport level, and activity level for prevention and detection of, and response to, nuclear 16
security events. 17
Personnel: All people (including staff, leaders, managers, contractors, vendors and 18
collaborators) who work to support a facility and/or activity. 19
Sensitive information: Information in whatever form, including software, the unauthorized 20
disclosure, modification, alteration, destruction, or denial of use that could compromise nuclear 21
security. 22
23