A security assessment can be more than the name implies, it can be a comprehensive review of the entire risk profile or simply a regulatory compliance audit of a specific element of your program. SDS will help you define the objectives of the assessment in our discussions about the initial scope of work. There is no charge for establishing a scope of work.
The objective of a security assessment is to provide management with a written report identifying the threats and vulnerabilities faced by the business. SDS works with your management team to establish security standards that meet corporate goals in key areas of the business then confirm how well the existing security measures are meeting those goals. This can include a review of security policies and procedures, a detailed examination of the effectiveness of the facility’s physical security steps and recommendations for improvements. Additionally, an effective assessment will include information to begin bid preparation and estimates of probable costs.
Many companies are required by Homeland Security to renew their Facility Security Plans and Facility Security Assessments annually (CFAT). Does your staff have the time to provide inspections, produce detailed written reports to meet compliance requirements? Moreover, will an “internal” review be accepted by regulatory inspectors? Let SDS help you meet your legal requirements
Security threat assessments identifies sources that may originate from outside or inside your organization. Outside threats include:
- Anti-industry extremists
- Anti-government groups
Inside threats often pose a greater danger because they have greater access to personnel, assets and information. Insiders who pose a security threat may include:
- hostile employees, contractors or visitors
- employees who are forced into cooperating with a criminal
- Persons motivated by greed, antagonism toward their employer, disputes with coworkers, alcohol or drug dependence,or psychological problems.
Elements of a Vulnerability Study
Goal Setting – Goal setting will be done in a meeting with the management team at the start of the assessment process. The purpose of the meeting is to identify the security goals and provide targets for the assessment. The attendees will receive an agenda with items to consider before the meeting. The following areas of discussion will be included in a comprehensive assessment only:
Asset Identification – The assets list should the location and description of valuable personnel an physical property. It would be helpful to know the insurance value of the property for setting priorities.
Exterior Perimeter – The function of an exterior perimeter is to establish a control boundary within which all the protected assets of the organization are contained. The goal is to provide a contiguous barricade around all protected assets. If the exterior perimeter is a part of this work, the study will include an examination of the property line and outside parking on premise parking.
Building Perimeters – A building perimeter is identical in function to an Exterior Perimeter but merely contains a more limited set of assets. Such perimeters are generally arrayed in concentric circles of protection, with additional perimeters inside the buildings.
Alarm Monitoring – The function of an alarm monitoring system is to detect the presence of an unauthorized individual in a secured area and display a notice of that presence to a response team. This function works in conjunction with perimeter controls and is an integral part of that capability. At this step we also review for panic buttons.
Access Control – The function of access control is to pre-determine “who”, “goes where”, “when” within the confines of a secured area through one of the above defined perimeters. Goals will be set that define who gets in and the criteria consider all legitimate access.
Lighting – Adequate lighting has several security benefits, chief among them is deterring crime before it happens. Potential victims can avoid unsafe situations by seeing danger before it happens and avoiding perpetrators. Criminals also avoid lighted areas where possible to avoid detection and apprehension. Sufficient lighting also provides better images for closed circuit television systems.
Remote Investigations – The function of remote investigations is to permit security forces to gather information about an incident without actually having to go to the incident location to classify it as a threat or non-threat. This is most often accomplished using closed circuit television cameras but can include other forms of monitoring.
Employee Identification – The primary purpose of Employee Identification is to distinguish between authorized and unauthorized individuals within the complex.
Visitor Control – The primary purpose of Visitor Control is to permit authorized individuals to access specific areas within the complex for legitimate reasons but to restrict those same individuals from entering areas for whom permission has not been granted. The goal setting team will also establish the extent to which visitors will be screened.
Response Team – Many of these security measures would be rendered ineffective without a trained and equipped response team. Based on the protection mission the existing force’s capability will be assessed.
Communications –Communications examinations are specifically focused on communications tool used by employees and security personnel to notify the response team about an incident or potential incident about to take place. This would also include mass notifications for situations such as active shooter.
Protocols – Protocols are instructions created for all personnel providing them guidance on how to respond to an incident or the likelihood of an incident unfolding. This may include responses to intrusion, hostile acts and may include active shooter instructions. The need for protocols will be compared to the risk level and the protocols currently in place. This will also include security awareness and recommended steps during an incident such as means of evacuation and following an incident such reporting and assessing an event.
Using the goals identified in the Goal Setting Meeting SDS will examine and diagram the existing threat mitigation methods and, as necessary, discuss security concerns and with other staff members.
Based on the location of the assets, SDS will identify all the contiguous perimeters starting at the facility property boundaries then building perimeters and finally internal perimeters. Each of these “concentric circles” of protection will be identified, documented and tested for resistance to intrusion.
The perimeter documentation will indicate openings along with the control devices used, if any, at the openings. If there are control devices such as card readers or key pads, they will be tested for functionality along with the locking devices and door closers applied to keep the opening secure.
Alarm devices such as intrusion alarms will not be tested but the person responsible for maintaining any system found will be questioned as to recent testing and results.
The response team (guards) will be asked about the procedures they use in doing their jobs and SDS will assess how well they understand the existing protocol. The tools they use will be examined for functionality and the effectiveness of camera, audio observing and other equipment will be assessed.
SDS will identify the means and application of devices to create credentials for employees and visitors. We will also randomly question employees on identifying an employee vs. a visitor.
All of these areas of concern will be documented and where applicable include photographs and illustrations. The assessment will also provide recommendations to improve each of these areas as applicable (if the mitigation effort in an area satisfactory, the report will say so) then conclude with an Estimate of Probable Cost to implement the recommendations. Equipment specifications and detail design will be done in the next phase, under an implementation scope of work.
The security assessment will be documented in a written report and delivered to the prime contact. It will be a type written document on 8 ½ X 11 pages in Times New Roman 12 pitch and the submittal will be in electronic format (Adobe PDF files) so the report can be shared and examined more easily. The general index of the report follows:
- Mission Objectives and Scope of Work
- Current Situation
- Threat Identified
- Security Assessment Results
- Problem Areas
- Suggested Legislative Steps
- Follow Up
Some variations on this standard format may be used predicated on the findings of the study. The document will contain all the factors that created the need for the study and detailed findings of the study with photographs and illustrations.