
Document Classification

Document Security:
  SECRET or RAHSIA
  CONFIDENTIAL or SULIT
  INTERNAL USE or UNTUK DALAMAN   [X]
  OPEN or TERBUKA

Document Structure:
  Level 1: Policy/Commitment/Conduct & Ethics/Other Directive
  Level 2: Framework/Management System/Standard/Guideline/Reference   [X]
  Level 3: Manual/Procedure/Work Instruction/Checklist/Template
  Level 4: Data


AMENDMENT SHEET

Page No. | Date | Nature of Amendment/Change | Signature of Approver
NA | NA | NA | NA

QUESTIONNAIRES (response marked X under Yes / No / N/A; the column could not be recovered from the extracted layout)

1. Does this document require other document change or revision? If yes, please list the affected document and action taken by the document owner.
   Response: X
   Remarks: SeMS 2.0 is to be adjusted and revised accordingly into Security Control Framework, Management System, Standards and Guidelines.

2. Does this document require adjustment at users in terms of resources and organisation design? If yes, please inform actions required and execution timeline.
   Response: X
   Remarks: The execution of adoption and deviation is to be managed by in-role functions at the respective Business and OPUs.

3. Does this document require software and/or hardware change? If yes, please list action required and its execution timeline.
   Response: X

4. Did you consult relevant stakeholders on this document during the document development and review? If yes, please list the relevant stakeholders.
   Response: X
   Remarks: Integrated Assurance Unit (IAU).

5. Does this document require briefing or training at users for effective implementation?
   Response: X
   Remarks: Communication/engagement to BD/OPU post document approval.

6. Is there any other note or action taken into consideration on this document including document changes?
   Response: X


Document Signatories

Prepared By:
  Wan Jin Loo, Executive (SeMS & Governance), Security
  Efftizal Hazrie Rosian, Manager (SeMS & Governance), Security Governance Technology & Capability
  Khairil Annuar B M Noor, Senior Manager (Security Strategy, Governance & Risk), Group Security, June 2024

Reviewed By:
  Ts. Mohd Noor B Ahmad, General Manager (Security Governance, Technology & Capability), Group Security, June 2024

Approved By:
  Dato' Sri Zulkifli Abdullah, Senior General Manager, Group Security, June 2024


FOREWORD

PETRONAS governance documents have been developed based on the accumulated knowledge, experience and best practices of the PETRONAS Group, supplementing national and international standards where appropriate. The key objective of this document is to encourage standardised and consistent practices across the PETRONAS Group in ensuring compliance with laws and regulations, effective management of enterprise risks and controls, and delivering principled performance in achieving PETRONAS Group strategies and objectives.

Compliance with the intent and principles of this document's requirements is highly recommended for OPUs where PETRONAS has more than fifty percent (50%) (i.e., majority) direct or indirect shareholding/interest and/or operational control at all phases of work activities, in line with PETRONAS Group Management Framework ("PGMF") applicability principles.

The applicability of this document is to be assessed and evaluated at the respective OPUs to ensure effective adoption and implementation.

Contractors/manufacturers/suppliers or any contractual parties, referred to as "contracted party", who use this document as part of contractual obligations in any form of agreement are solely responsible for ensuring that the quality of work, goods and services meets the required intent. In cases where specific requirements are not covered in this document, it is the responsibility of the contracted party to propose other proven or internationally established standards or practices of the same level of quality and integrity as reflected in this document.

In issuing and making the document available, PETRONAS is not making any warranty on the accuracy or completeness of the information contained in this document. The contracted party shall ensure the accuracy, reliability and completeness of the requirements used for the intended activities or services and shall inform the contract owner of any requirement that conflicts with any laws and regulations, other international codes, or technical standards before the start of any work.

PETRONAS is the sole copyright holder of this document. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, recording or otherwise) or be disclosed by users to any company or person whomsoever, without the prior written consent of PETRONAS.

The document shall be used exclusively for the internal authorised purpose. The users shall arrange for this document to be kept in safe custody; shall ensure its secrecy as well as confidentiality is maintained; and shall provide reasonable assurance to PETRONAS that the requirements stated in this document are met.


TABLE OF CONTENTS

1.0 INTRODUCTION .... 8
  1.1 Objectives .... 8
  1.2 Scope .... 8
  1.3 Using This Document .... 8
  1.4 Document Owner and Custodianship .... 8
  1.5 Management and Implementation .... 9
  1.6 Applicability .... 10
  1.7 Implementation Approach .... 11

2.0 REFERENCES .... 12

3.0 TERMS AND DEFINITIONS .... 13
  3.1 General Terms and Definitions .... 13
  3.2 Specific Terms and Definitions .... 14
  3.3 Abbreviations .... 17

4.0 CAPABILITY .... 18
  4.1 Purpose .... 18
  4.2 Scope .... 18
  4.3 Requirements .... 18
  4.4 References .... 19

5.0 SECURITY OPERATIONS .... 20
  5.1 Purpose .... 20
  5.2 Scope .... 20
  5.3 Requirements .... 20
  5.4 References .... 21

6.0 SECURITY RISK MANAGEMENT .... 22
  6.1 Purpose .... 22
  6.2 Scope .... 22
  6.3 Requirements .... 22
  6.4 References .... 23

7.0 ASSET CLASSIFICATION AND MINIMUM SECURITY STANDARDS (MS2) .... 24
  7.1 Purpose .... 24
  7.2 Scope .... 24
  7.3 Requirements .... 24
  7.4 References .... 24

8.0 SECURITY INCIDENT REPORTING AND INVESTIGATION .... 25
  8.1 Purpose .... 25
  8.2 Scope .... 25
  8.3 Requirements .... 25
  8.4 References .... 25

9.0 SECURITY INCIDENT AND CRISIS MANAGEMENT .... 26
  9.1 Purpose .... 26
  9.2 Scope .... 26
  9.3 Requirements .... 26
  9.4 References .... 27

10.0 SECURITY TECHNOLOGY .... 28
  10.1 Purpose .... 28
  10.2 Scope .... 28
  10.3 Requirements .... 28
  10.4 References .... 29


1.0 INTRODUCTION

1.1 Objectives

The Security Control Framework (SCF) contains the requirements to be implemented PETRONAS group-wide. Its main objectives are to:
i. Support the PETRONAS Security Policy.
ii. Expedite the implementation of security aspects on people, property, information, and operations.
iii. Clearly define the scope of security assurance.
iv. Strengthen security governance through clear and prescriptive requirements on security-significant focus areas.

1.2 Scope

The SCF supports the PETRONAS Security Policy and provides clear and prescriptive requirements related to the management of seven (7) focus areas. They are:
i. Capability;
ii. Security Operations;
iii. Security Risk Management;
iv. Asset Classification and Minimum Security Standards (MS2);
v. Security Incident Reporting and Investigation;
vi. Security Incident and Crisis Management; and
vii. Security Technology.

1.3 Using This Document

In this document, the recommendation for a course of action is made with varying degrees of emphasis. As a rule:

- "Shall" indicates a required or mandatory course of action for BDs/OPUs. The English language equivalent or interchangeable term of "shall" is "must";
- "Should" indicates a preferred course of action; and
- "May" indicates a possible course of action.

1.4 Document Owner and Custodianship

This SCF is owned and maintained by Group Security, and its content is to be referred to and updated by the respective SMEs at PETRONAS as necessary.


2.0 REFERENCES

Reference is made to the following frameworks, standards, or publications. Unless specifically designated by date, the latest edition of each publication shall be used or referred to, together with any supplementary/revision thereto:

i. PETRONAS Governance Documents

(a) PETRONAS Group Management Framework, April 2021;
(b) PETRONAS Security Capability Development Framework, July 2022;
(c) PETRONAS Enterprise Risk Management Framework, January 2015;
(d) PETRONAS Contingency Planning Standard, November 2020;
(e) PETRONAS Group ICT Framework, September 2018;
(f) PETRONAS Information Management Standard and Guideline, July 2017;
(g) PETRONAS Code of Conduct and Business Ethics, August 2022;
(h) PETRONAS Health, Safety and Environment Mandatory Control Framework (HSE MCF), January 2022;
(i) PETRONAS Human Rights Commitment, August 2021;
(j) PETRONAS Contractors Code of Conduct on Human Rights, May 2021;
(k) PETRONAS Adoption and Deviation Management Guideline, May 2022; and
(l) PETRONAS Security Management System, November 2020.

ii. Others

(a) Malaysian Federal Government, Laws of Malaysia Act 298, Protected Areas and Protected Places Act 1959;
(b) Malaysian Federal Government, Police Act No 41/1967, Regulation (Auxiliary Police) 1970 (P.U. (A) 461 dated 21 December 1970);
(c) Malaysian Federal Government, National Security Council (MKN) Key Point Directive, Official Secrets Act 1972;
(d) United Nations Convention on the Law of the Sea 1982 (UNCLOS 1982);
(e) United Nations Guiding Principles on Business and Human Rights;
(f) United Nations Protocol for the Suppression of Unlawful Acts against the Safety of Fixed Platforms Located on the Continental Shelf 1992;
(g) International Civil Aviation Organization Standards and Recommended Practices, Annex 17: Security: Safeguarding International Civil Aviation Against Acts of Unlawful Interference; and
(h) International Maritime Organization, International Ship and Port Facility Security Code (ISPS).


3.0 TERMS AND DEFINITIONS

3.1 General Terms and Definitions

The following terms and definitions are consistent with those defined in the PETRONAS Group Management Framework.

Term: General Definition

Approving Authority (AA): The authority delegated by an Entity to a person or role designated to occupy a position to approve on its behalf one or more functions within certain limits, subject to the applicable legislations, regulations, and procedures in effect at such time.

Business Division (BD): An outfit headed by a BD Head reporting directly to the President or COO.

Centre of Excellence (COE): Division(s) at PETRONAS that provide services to the PETRONAS Group through a master service agreement or any form of agreement.

Corporate Centre: Division(s) at PETRONAS that is (are) responsible to steer, steward, safeguard and cultivate PETRONAS Group activities.

Corporate Division (CD): Division at PETRONAS consisting of both Corporate Centre and COE.

Governance Provider: Division that steers direction & alignment and provides advisory to OPUs on governance & compliance requirements, including the development of governance documents for the PETRONAS Group.

Entities: Refers to OPUs, Joint Ventures (incorporated or unincorporated), and Trusts within the PETRONAS Group.

Limit of Authority: An OPU's corporate document which outlines the OPU Board's delegation of authority.

Line of Sight: Visibility at PETRONAS management level in the form of consultation, endorsement, and reporting on an OPU's assurance.

Operating Units: Refers to Legal Entities incorporated or registered under the Companies Act. Includes Wholly Owned Subsidiaries, Partly Owned Subsidiaries & Associates.

PETRONAS: Petroliam Nasional Berhad.

PETRONAS Group: Refers to PETRONAS and OPUs.


3.2 Specific Terms and Definitions

Term: General Definition

ACS: Automatic access control system, an electronically operated system that is activated manually by security and/or by entry of an electronic credential, i.e. entry of a PIN code, reading of an RFID card/badge or a biometric signature.

Asset: Company property that may be physical, intellectual (e.g., designs) or virtual (data).

Assurance: A process or an activity of evaluation of systems and controls to provide a reasonable level of confidence to stakeholders that operations and risks are being effectively managed.

Competence: The ability to undertake responsibilities and perform activities to the relevant standard, as necessary to ensure process integrity and achieve a desired/specified outcome. Competence is a combination of knowledge, skills and experience and may include willingness to undertake activities in accordance with agreed standards, rules and procedures. The standard of competence is expected to satisfy a number of requirements, including business objectives, as well as process, HSE and security.

Credible scenarios: Possible scenarios that could occur based on the identified operational or security risks, or the top 10 hazards identified through hazard and effect management or security risk management (SRM) processes.

Crisis: A significant business disruption that affects the organisation's normal operations, affecting people, assets, environment and reputation (PETRONAS Contingency Planning Standard). An abnormal, unstable situation that threatens the organisation's strategic objectives, reputation or viability (BS 11200:2014).

Crisis management: A comprehensive set of processes that build the capability of an organisation to respond to and manage crises in the risk areas to protect and save people, environment, assets and reputation (PETRONAS Contingency Planning Standard). Development and application of organisational capability to deal with crises (BS 11200:2014).

Deviation: Non-compliance with a mandated minimum standard.

Document: Information or data fixed in a medium (PETRONAS Document Structure Guideline CM-16-001, June 2016).

Drill: Limited in scope and intended to test a limited aspect of response capability.

Effect: The severity of the consequences of an event attributed to any HSSE hazards, normally expressed in terms of consequences to people, environment, assets and reputation.

Effectiveness: Capability of achieving the desired result where improvements can be measured; "doing the right things" (5 GP Guidelines).

Emergency: An adverse situation that has an impact on people, environment, assets and reputation and requires activation of an emergency team.

Emergency teams: General term referring to EMT, ERT, etc.

Environment: The surroundings and conditions in which the company operates or which it may affect, including living systems (human and natural).

Exercise: A process or event planned to assess, train, practise and improve performance of safety, security, emergency or crisis management (adapted from the PETRONAS Contingency Planning Standard definition).

Facility: An operational unit consisting of buildings, containers, or equipment, e.g., a complex or cluster of offshore platforms serviced from the same hub, gas processing plant, refinery, distribution terminals, pipelines, depots, warehouses, workshops, laboratories.

Incident: An abnormal or unplanned event that affects people, assets, environment, operations or reputation, requires attention and has the potential to precipitate an emergency/crisis.

Monitoring: Continual checking, supervising, critically observing or determining status in order to identify change from the performance desired or expected.

Non-sensitive Security Incident: A security incident that, if not handled within a limited audience, may not be exposed to external influences that can impact the final outcome of the investigation.

Policy: Document that contains high-level and broad statements that set the direction of an organisation in accordance with the organisation's vision, mission, corporate philosophies, shared values, brand values and corporate agenda (PETRONAS Document Structure Guideline CM-16-001, June 2016).

Procedure: Document that provides instructions and directions for tasks or business processes (PETRONAS Document Structure Guideline CM-16-001, June 2016).

Project: As defined by the PETRONAS Project Management System (PPMS), opportunities that potentially lead to the creation of operational assets ("Capital Projects") undertaken within the Group.

Record: Document that supports the output from work instructions/processes, including forms, templates, drawings or specifications (PETRONAS Document Structure Guideline CM-16-001, June 2016).

Risk: The effect of uncertainty on objectives.

Risk management: Coordinated activities to direct and control an organisation with regard to risk.

Security: A condition of being protected against damage, harm or loss, achieved through the management of adverse consequences associated with natural events and the intentional and/or unwanted actions of others, by physical, technical, electronic, information technology (cyber) or human factors, or a combination of those factors.

Security incident: Any malicious or intentional event that results in, or may result in, personal injury, or damage to property, plant, equipment or the environment. This definition includes 'near miss' events: although no one may have been injured or any damage caused, a deviation from normal operations has still occurred and requires reporting and investigation to prevent recurrence.

Security risk assessment: A structured process of security risk identification, risk analysis and risk evaluation.

Security risk management: Coordinated activities to direct and control an organisation with regard to security risk.

Stakeholders: Persons or entities that can affect, be affected by, or perceive themselves to be affected by a decision or activity.

Threat: A 'threat' is the 'capability' and 'intent' of an adversary to carry out an act that would negatively affect the organisation, project or asset/s.

Video surveillance system (VSS): A digital (or analogue-to-digital converted) closed circuit television system comprising digital cameras, a recording system and video management, that is controlled by personal computer desktop or mobile based devices and transmits video over ICT wired, fibre optic or wireless networks. VSS may be used for monitoring production, safety and/or site security. Previously referred to as CCTV (closed circuit television), a term that is no longer applicable to digital, internet protocol and/or networked systems.

3.3 Abbreviations

Abbreviation: Description

ACS: Access Control System

ALARP: As low as reasonably practicable

MKN: Majlis Keselamatan Negara (National Security Council)

VSS: Video Surveillance System

4.0 Capability

4.1 Purpose

To manage and assure the competence of personnel who manage security risk.

4.2 Scope

This applies to PETRONAS employees who undertake security roles at BD/OPU and to leaders who are responsible for setting direction and making resources available to meet security policy and objectives.

4.3 Requirements

i. Include a documented process for security capability development and management. The documented process shall include the following:
  a. Assessment;
  b. Learning and development; and
  c. Career development.

ii. Identify the qualified position(s) that are responsible for the following:
  a. Front-line security activities;
  b. Planning/supervisory security activities;
  c. Leadership positions; and
  d. Other appointed security positions.

iii. Establish and document the competency and proficiency levels required for security positions and other appointed security positions based on the Security Technical Inventory & Ruler (FS03).

iv. Identify all relevant training programs to support the competencies and develop an Individual Development Plan (IDP) based on identified gaps.

v. Adhere to the Security Learning Matrix, which has been developed by Group Security for all levels to refer to.

vi. Any appointment to a security critical position shall be made in consultation with the Group Security Skill Group Advisor.


4.4 References

i. Security Technical Inventory & Ruler (TI & R);
ii. Security Learning Matrix Guideline; and
iii. Security Capability Development Framework (SCDF).


5.0 Security Operations

5.1 Purpose

To manage security operations through effective security planning, operating and monitoring, and to reduce risk to ALARP.

5.2 Scope

This applies to all PETRONAS owned and operated facilities and projects.

5.3 Requirements

5.3.1 Operating Facility

i. Appoint a dedicated security focal/representative at the facility.

ii. Plan and establish a layered security philosophy to detect, deter, delay, and respond to security threats.

iii. Identify appropriate and adequate security measures to safeguard operational security.

iv. Develop and sustain a culture of security awareness and compliance within the business by incorporating the security program into the annual business planning, review cycle and decision-making process.

v. Establish a Site/Platform Security Plan and supporting documents approved by the appropriate AA as per LOA, in consultation with Group Security.

vi. Establish and maintain an up-to-date Security Risk Register at BD/OPU level.

vii. Conduct security drills and exercises to test the response to specific security procedures.

viii. Conduct a security program to ensure that the security mitigations are in place. The following items shall be included as a minimum:
  a. Training, drills, and awareness program;
  b. Security walkabout;
  c. Security manpower deployment for operations and special events; and
  d. Compliance with local laws and regulatory requirements and international standards, as applicable.

ix. Check the effectiveness of security operations through periodic reviews of the self-assurance programs by appointed personnel. Execute the corrective action plan wherever applicable.

x. Communicate the results of self-assurance programs to stakeholders and relevant parties.

xi. Maintain and update all security operation records and documentation.

5.3.2 Projects

i. Conduct a Security Risk Assessment.

ii. Plan and establish a minimum security philosophy to deter and respond to security threats.

iii. Identify appropriate and adequate security measures to safeguard operational security.

iv. Establish a Project Security Management Plan and supporting documents approved by the appropriate AA as per LOA, in consultation with Group Security.

v. Conduct security drills and exercises to test the response to specific security procedures.

vi. Maintain and update all security operation records and documentation.

5.4 References

i. Physical Security Guideline;
ii. Workplace Security Guideline;
iii. Information Security Guideline;
iv. Maritime Security Guideline;
v. Personnel Security Guideline;
vi. PETRONAS Assurance Framework;
vii. Project Security Management Plan;
viii. Remote Operation (RO) Guideline;
ix. Project Security Strategy;
x. Site/Platform Security Plan; and
xi. Voluntary Principles on Security and Human Rights (VPSHR) Guideline.


6.0 Security Risk Management

6.1 Purpose

To assess, mitigate, monitor, and review security risk.

6.2 Scope

This applies to all PETRONAS owned and operated facilities and projects.

6.3 Requirements

i. Plan, establish and maintain a documented Security Risk Management (SRM) process for effective implementation of risk mitigation.

ii. Manage security risks by applying the following security risk management aspects:
  a. Establish risk appetite;
  b. Identify and document risk;
  c. Develop a risk mitigation plan; and
  d. Risk monitoring & review.

iii. Implement SRM processes through appointed assessors in consultation with Group Security, to be approved by the appropriate AA as per LOA.

iv. An SRA should be conducted in consultation with Group Security under the following scenarios (but not limited to):
  a. Planning for new sites, projects and pre-country entry;
  b. Operations in high to extreme risk environments requiring enhanced security measures;
  c. Where there are no applicable Minimum Security Standards (MS2) for the asset type;
  d. For assets where the asset classification, compliance levels and/or security measures to be applied cannot be agreed with BD/OPU management;
  e. When major changes are planned in existing facility design or operations;
  f. Following escalation of security threat levels or sustained changes in the security environment;
  g. Major conferences or special events;
  h. Executive Protection;
  i. If management expresses concerns about asset or project operational security;
  j. Merger & acquisition (M&A).

v. Establish and issue an SRA Report approved by the appropriate AA as per BD/OPU LOA.


vi. Check the evidence on the closure of action items, which shall be made
available for verification through the line of assurance process.

vii. Communicate security risk management to stakeholders and relevant parties.

viii. Maintain and update SRA records and documentation.

6.4 References

i. Security Risk Management Guideline; and
ii. Security Risk Assessment Terms of Reference (TOR).


7.0 Asset Classification and Minimum Security Standards (MS2)

7.1 Purpose

To classify PETRONAS facilities and apply an adequate level of security protection.

7.2 Scope

This applies to all PETRONAS owned and operated facilities.

7.3 Requirements

i. Initiate asset classification and establish a classification for each asset in collaboration
with Group Security. For operations/assets identified as being in a high to extreme
security risk environment, a Security Risk Assessment (SRA) shall be conducted.

ii. Ensure compliance with MS2 requirements according to asset class and type.

iii. Establish gap closure activities and assign action parties and deadlines for
implementation.

iv. Verify the evidence for action item closure, which shall be made available for
verification through the line of assurance process.

v. Communicate asset classification and MS2 activities to stakeholders and relevant
parties.

vi. Maintain and update asset classification and MS2 records and documentation.

7.4 References

i. Asset Classification and Minimum Security Standards (MS2) Guideline;
ii. Asset Classification Tool and Process Guideline;
iii. Asset Classification Terms of Reference (TOR); and
iv. Asset Revalidation Guideline.


8.0 Security Incident Reporting and Investigation

8.1 Purpose

To specify requirements on reporting and investigating security incidents.

8.2 Scope

This applies to all PETRONAS owned and operated facilities and projects.

8.3 Requirements

i. Plan and establish a documented procedure for incident reporting and
investigation.

ii. Notify incidents to relevant parties within the specified timeframe based on the
severity of the incident.

iii. Carry out external notification to relevant government agencies as required under local
regulatory requirements.

iv. The investigation shall be performed by a competent team, in consultation with Group
Security. The report shall contain the following information as a minimum:

a. Background of the incident (i.e., date, time, and location);
b. Information on the persons involved;
c. Findings and root cause; and
d. Recommendations.

v. Prepare and communicate security alerts and/or lessons learnt for non-sensitive security
incidents to stakeholders and relevant parties, in consultation with Group Security.

vi. Establish recommendations from the incident investigation and assign action parties and
deadlines for implementation.

8.4 References

i. Security Incident Reporting and Investigation Guideline.


9.0 Security Incident and Crisis Management

9.1 Purpose

To be prepared for and manage incident and crisis response situations and minimize
adverse effects to people, property, information, and operations.

9.2 Scope

This applies to all PETRONAS owned and operated facilities and projects.

9.3 Requirements

i. Plan and establish a documented procedure to address security incident and
crisis management.

ii. Document processes to ensure effective internal and external communications
during the period of a security incident (from initial response until stand down).

iii. Outline the credible scenarios addressing security incidents.

iv. Maintain all security systems, equipment, and facilities needed to address and manage
incidents.

v. Conduct periodic testing and exercises.

vi. Ensure all emergency team members attend training and participate in
testing and exercises.

vii. Establish arrangements for support from external resources and relevant authorities.

viii. Activate emergency plans, teams, and facilities according to the type and level of
emergency.

ix. Declare Stand Down to terminate response operations once the situation is
under control.

x. Review and assess emergency preparedness through post-mortems of exercises and
actual incidents. Action items arising from this shall be tracked and reported to
the respective AA as per LOA.


9.4 References

i. Security Incidents and Crisis Management Guideline;
ii. Site/ Platform Security Plan;
iii. Security Contingency Plan; and
iv. Security Crisis Management Guideline for Key Security Risks.


10.0 Security Technology

10.1 Purpose

To complement security operations through the application and support of security
technology systems.

10.2 Scope

This applies to all PETRONAS owned and operated facilities and projects.

10.3 Requirements

i. Plan and establish a documented process for Security Technology implementation.
The documented process shall include the following as a minimum:
a. Inventory of Security Technology Assets;
b. Work process for managing the access control system (ACS), video surveillance
system (VSS) and other security technology devices; and
c. Schedule for technology updates and maintenance.

ii. Identify appropriate security measures and competent manpower resources to
implement security technology requirements.

iii. Include security technology requirements as part of the Site/ Platform/ Project Security Plan,
which shall be approved by the appropriate AA as per LOA, in consultation with Group Security.

iv. Implement security technology requirements and establish a mitigation plan for efficient
security technology implementation.

v. Conduct Security Technology Refresh in collaboration with Group Security.

vi. Check the effectiveness of security technology implementation through periodic
assurance program reviews conducted by appointed competent personnel. Execute the corrective action
plan wherever applicable.

vii. Communicate the results of the assurance program to stakeholders and relevant parties.

viii. Maintain and update all security technology records and documentation.
