Final SCF
PF-03-01-01
PETRONAS SECURITY CONTROL FRAMEWORK (SCF) June 2024
Document Security
[ ] SECRET or RAHSIA
[ ] CONFIDENTIAL or SULIT
[X] INTERNAL USE or UNTUK DALAMAN
[ ] OPEN or TERBUKA
Document Structure
[ ] Level 1: Policy/Commitment/Conduct & Ethics/Other Directive
[X] Level 2: Framework/Management System/Standard/Guideline/Reference
[ ] Level 3: Manual/Procedure/Work Instruction/Checklist/Template
[ ] Level 4: Data
Internal
AMENDMENT SHEET
Signature Of
Page No. Data Nature of Amendment/Change
Approver
NA NA NA NA NA
Document Signatories
Khairil Annuar B M Noor, Senior Manager (Security Strategy, Governance & Risk), Group Security, June 2024
Ts. Mohd Noor B Ahmad, General Manager (Security Governance, Technology & Capability), Group Security, June 2024
Dato’ Sri Zulkifli Abdullah, Senior General Manager, Group Security, June 2024
FOREWORD
In issuing and making the document available, PETRONAS is not making any warranty on the
accuracy or completeness of the information contained in this document. The contracted
party shall ensure accuracy, reliability and completeness of the requirement used for the
intended activities or services and shall inform the contract owner of any conflicting
requirement with any laws and regulations, other international codes, and technical standards
before start of any work.
PETRONAS is the sole copyright holder of this document. No part of this document may be
reproduced, stored in a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, recording or otherwise) or be disclosed by users to any company or
person whomsoever, without the prior written consent of PETRONAS.
The document shall be used exclusively for the internal authorised purpose. The users shall
arrange for this document to be kept in safe custody; shall ensure its secrecy as well as
confidentiality is maintained; and provide a reasonable assurance to PETRONAS that the
requirement stated in this document is met.
TABLE OF CONTENTS
1.0 INTRODUCTION
1.1 Objectives
1.2 Scope
1.3 Using This Document
1.4 Document Owner and Custodianship
1.5 Management and Implementation
1.6 Applicability
1.7 Implementation Approach
2.0 REFERENCES
4.0 CAPABILITY
4.1 Purpose
4.2 Scope
4.3 Requirements
4.4 References
1.0 INTRODUCTION
1.1 Objectives
1.2 Scope
SCF supports PETRONAS Security Policy and provides clear and prescriptive
requirements related to the management of seven (7) focus areas. They are:
i. Capability;
ii. Security Operations;
iii. Security Risk Management;
iv. Asset Classification and Minimum Security Standards (MS2);
v. Security Incident Reporting and Investigation;
vi. Security Incident and Crisis Management; and
vii. Security Technology.
In this document, the recommendation for a course of action is made with varying
degrees of emphasis. As a rule:
"Shall" indicates a course of action that is required or mandatory for BDs/OPUs.
The English language equivalent or interchangeable term of "shall" is "must";
"Should" indicates a preferred course of action; and
"May" indicates a possible course of action.
This SCF is owned and maintained by Group Security for which the content is to be
referred to and updated by the respective SMEs at PETRONAS as necessary.
2.0 REFERENCE
ii. Others
(a) Malaysian Federal Government, Laws of Malaysia Act 298 Protected Areas and
Protected Places Act, 1959;
(b) Malaysian Federal Government, Police Act No 41/1967 Regulation (Auxiliary
Police) 1970 (PU. (A) 461 dated 21 December 1970);
(c) Malaysian Federal Government, National Security Council (MKN) Key Point
Directive, Official Secrecy Act, 1972;
(d) United Nations Convention of Law of the Sea 1982 (UNCLOS 1982);
(e) United Nations Guiding Principles on Business and Human Rights;
(f) United Nations Protocol for the Suppression of Unlawful Acts against the Safety
of Fixed Platforms Located on the Continental Shelf 1992;
(g) International Civil Aviation Organization Standards and Recommended
Practices Annex 17: Security: Safeguarding International Civil Aviation Against
Acts of Unlawful Interference; and
(h) International Maritime Organization, International Ship and Port Facility Code
(ISPS);
The following terms and definitions are consistent with those defined in the PETRONAS Group
Management Framework.
PETRONAS Group: Refers to PETRONAS and OPUs
3.0 Abbreviations
Abbreviation Description
4.0 Capability
4.1 Purpose
To manage and assure the competence of personnel who manage security risk.
4.2 Scope
This applies to PETRONAS employees who undertake a security role at BD/OPU and leaders who
are responsible for setting direction and making resources available to meet security policy and
objectives.
4.3 Requirements
ii. Identify the qualified position(s) that are responsible for the following:
a. Front-line security activities;
b. Planning/supervisory security activities;
c. Leadership positions; and
d. Other appointed security positions.
iii. Establish and document competency and proficiency levels required for security position
and other appointed security positions based on Security Technical Inventory & Ruler
(FS03).
iv. Identify all relevant training programs to support the competencies and develop
Individual Development Plan (IDP) based on identified gaps.
v. Adhere to Security Learning Matrix which has been developed by Group Security for all
levels to be referred.
vi. Any appointment to security critical position shall be in consultation with Group
Security Skill Group Advisor.
4.4 References
5.1 Purpose
5.2 Scope
This applies to all PETRONAS owned and operated facilities and projects.
5.3 Requirements
ii. Plan and establish layered security philosophy to detect, deter, delay, and respond to
security threats.
iii. Identify appropriate and adequate security measures to safeguard operation security.
iv. Develop and sustain culture of security awareness and compliance within business by
incorporating security program into annual business planning, review cycle and decision-
making process.
v. Establish Site/Platform Security Plan and supporting documents approved by the
appropriate AA as per LOA, in consultation with Group Security.
vi. Establish and maintain an up-to-date Security Risk Register at BD/OPU level.
vii. Conduct security drill and exercise to test response to specific security procedure.
viii. Conduct security program to ensure that the security mitigations are in
place. Below items shall be included as minimum:
v1. Maintain and update all security operation records and documentation.
5.3.2 Projects
ii. Plan and establish minimum security philosophy to deter and respond to security
threats.
iv. Establish Project Security Management Plan and supporting documents approved
by the appropriate AA as per LOA, in consultation with Group Security.
v. Conduct security drill and exercise to test response to specific security procedure.
vi. Maintain and update all security operation records and documentation.
5.4 Reference
6.1 Purpose
6.2 Scope
This applies to all PETRONAS owned and operated facilities and projects.
6.3 Requirements
i. Plan, establish and maintain the documented Security Risk Management (SRM)
process for effective implementation of risk mitigation.
ii. Manage security risks by applying the security risk management aspects as
below:
a. Establish risk appetite;
b. Identify and document risk;
c. Develop risk mitigation plan; and
d. Risk monitoring & review.
iv. SRA should be conducted in consultation with Group Security under the following
scenarios (but not limited to):
a. Planning for new sites, project and pre country entry;
b. Operations in high-extreme risk environments requiring enhanced security
measures;
c. Where there is no applicable Minimum Security Standards (MS2) for the asset
type;
d. For assets when asset classification, compliance levels and/or security
measures to be applied cannot be agreed with BD/OPU management;
e. When major changes are planned in existing facility design or operations;
f. Following escalation of security threat levels or sustained changes in the
security environment;
g. Major conferences or special events;
h. Executive Protection;
i. If management express concerns about asset or project operational security;
j. Merger & acquisition (M&A).
v. Establish and issue approved SRA Report by appropriate AA as per BD/OPU LOA.
vi. Check the evidence on the closure of action items which shall be made
available for verification through the line of assurance process.
6.4 References
7.1 Purpose
7.2 Scope
7.3 Requirements
i. Initiate asset classification and establish classification for each asset in collaboration
with Group Security. For operation/assets that are identified as high to extreme
security risk environment, Security Risk Assessment (SRA) shall be conducted.
ii. Ensure compliance with MS2 requirements according to asset class and type.
iii. Establish gap closure activities and assign action parties and deadline for
implementation.
iv. Verify the evidence for action item closure which shall be made available for
verification through the line of assurance process.
vi. Maintain and update asset classification and MS2 records and documentation.
7.4 References
8.1 Purpose
8.2 Scope
This applies to all PETRONAS owned and operated facilities and projects.
8.3 Requirements
ii. Notify incidents to relevant parties within the specified timeframe based on the
severity of incidents.
iii. Carry out external notification to relevant government agencies as required under local
regulatory requirements.
iv. The investigation shall be performed by a competent team, in consultation with Group
Security. The report shall contain the following information as minimum:
v. Prepare and communicate security alert and/or lesson learnt for non-sensitive security
incidents to stakeholders and relevant parties, in consultation with Group Security.
vi. Establish recommendations in the incident investigation and assign action parties and
deadline for implementation.
8.4 References
9.1 Purpose
To be prepared for and manage incident and crisis response situations and minimize
adverse effects to people, property, information, and operations.
9.2 Scope
This applies to all PETRONAS owned and operated facilities and projects.
9.3 Requirements
iv. Maintain all security systems, equipment, and facilities to address and manage
incidents.
vi. Ensure all emergency team members attend training and participate in
testing and exercise.
viii. Activate emergency plans, teams, and facilities according to type and level of
emergency.
ix. Declare Stand Down to terminate response operations once the situation is
under control.
9.4 References
10.1 Purpose
10.2 Scope
This applies to all PETRONAS owned and operated facilities and projects.
10.3 Requirements
iii. Include security technology requirements as part of Site/Platform/Project Security Plan
which shall be approved by appropriate AA as per LOA, in consultation with Group Security.
iv. Implement security technology requirements and establish mitigation plan for efficient
security technology implementation.
vii. Communicate result of the assurance program to stakeholders and relevant parties.
viii. Maintain and update all security technology records and documentation.