It is a formidable undertaking, because few industry models exist. Few security programs are products of a comprehensive analysis; most are developed on an ad-hoc basis in response to a security incident. In fact, many security operations are designed for investigations after an event occurs, not for prevention.
The object of a security analysis is to identify security exposures in a methodical and thorough manner so that a security program is based on broad analysis and not simply on the last security incident. Analysis ensures that expenditures for security are directed appropriately based on local needs, thus protecting critical resources while accepting the risks stemming from lesser concerns.
The goal, however, is not to develop a foolproof security plan. An underlying concept is that an asset cannot be protected completely, without absorbing extravagant costs and without inhibiting business operations. The goal instead is to make it difficult — but not impossible — for an adversary to breach security. The level of difficulty depends upon the value of the asset and the organization's tolerance for risk.
The analysis process is divided into five phases: asset definition; threat assessment; vulnerability analysis; selection of countermeasures; and implementation. The process is arranged for a deliberate analysis and requires completion of each phase before proceeding to the next.
Asset definition begins with a broad understanding of the organization's operation, its tasks and functions, and its operating environment. At the beginning of an analysis, interviews are conducted with the organization's management and operating personnel to identify the resources essential for operations. This includes production equipment, operating systems, raw materials, finished product, inventory control and management systems, and the infrastructure of power, water, natural gas and telecommunications. Often, intangible assets are the most significant and are only discernible by examining the organization's operation beyond surface appearances. In effect, this step defines targets for attack.
Each asset may be further subdivided into micro components. An analysis may indicate that a particular asset must be defined in detail because of its criticality. Information technology is an example of the generally defined asset that may be further subdivided into an extensive list of system components, including equipment hardware, operating systems, applications software, database management systems, telecommunications and system documentation.
Both tangible and intangible assets should be categorized as vital (the loss would prove catastrophic); important (the loss would prove seriously disruptive but survivable); or secondary (the loss would be relatively insignificant).
A comprehensive security plan requires a broad definition of threats so that a range of exposures is considered. Through the analysis, the focus should narrow to target those threats that are deemed the most applicable.
Assessment begins by compiling data on past security incidents, including incidents at the site, within the company and within the industry. Determine if patterns of criminal behavior exist and define their nature. Review loss records, safety records and legal judgments involving the organization. Consult the company's legal counsel and examine court settlements to identify exposures with an implication for security.
Conduct interviews with management, insurance underwriters and local emergency management authorities to identify applicable threats. Review criminal data and compare crime rates for the nation, state, metropolitan statistical area, and the municipality.
Identify threats unique to the area and to the organization; locations where concentrations of hazardous materials are stored; and transportation avenues commonly used for transport of materials. Consider threats that may not have occurred yet, but are applicable because of the nature of the business and because of political and social issues.
A threat assessment is a qualitative analysis, although some quantitative techniques are used. It is important to emphasize that an assessment is a snapshot in time. As circumstances change, so does the threat environment. Consequently, the assessment must be updated to ensure that the security program is consistent with the needs of the time.
Each threat should be categorized as probable (expect the event to occur); possible (circumstances are conducive for an event); or unlikely (do not anticipate the event to occur). The severity of each issue should also be categorized as catastrophic (a disastrous event); moderate (a survivable event); or insignificant (relatively inconsequential).
Security countermeasures represent obstacles in the path of a threat event. The objective is to make the event less likely to occur by making it more difficult for a perpetrator to accomplish the deed. Before introducing obstacles, however, the process for an event must be defined. Vulnerability analysis provides a mechanism for construction of security event scenarios defined in step-by-step detail.
Representatives of the organization with extensive knowledge of its inner workings should construct the scenarios. The team assumes the role of a criminal attacking the organization, which allows key points of vulnerability to be identified. Security plans designed to thwart the informed insider will be equally, if not more, effective when applied to the external criminal. This exercise highlights points of vulnerability and provides a framework for the subsequent phase, the selection of security countermeasures. The vulnerability analysis creates protection sets; meaning that it clearly establishes a focused problem to be resolved through application of security countermeasures. These protection sets are best illustrated by creating a spreadsheet correlating assets and threats and noting which assets are exposed to which specific threats.
Each scenario should have spreadsheet entries focused on plausibility (Is the scenario too far-fetched?); consequences of the event; and the amount of risk the organization is willing to accept.
Selection of Security Countermeasures
Just as a patient may be harmed by improper medication, an organization's security posture may be weakened, if not compromised, by improper application of security countermeasures. The exercise is more art than science, requiring a collaborative effort of management and security staff to arrive at a program consistent with an organization's needs.
Security countermeasures can include electronic security systems, physical barriers, security personnel and policies and procedures.
Electronic security systems encompass access control, detection, surveillance and evidence gathering. Subsystems may include intrusion detection, access control, duress alarms, CCTV, intercoms, radios, public address systems, life safety and telephone systems.
Physical and psychological barriers are applied to prevent access to a target. Physical barriers include vaults, safes, vehicle barriers, fences and gates, bullet-resistant materials, barbed wire, mantraps, vehicle traps, armored cars, mechanical locking systems, vehicle speed bumps and curbing, bomb-resistant structures, lighting, shielding, penetration-resistant panels, and landscaping.
Security personnel perform a variety of duties including the operation of electronic systems, manual control of fixed post duties, and roving patrols. Most guard operations are designed to observe events and report incidents to law enforcement authorities. In some cases, officers are armed and trained to intervene in events.
Policies state management's position and philosophy on business issues and practices. Procedures define the means for implementing the policy. This is a critical part of a security program. It defines programs and processes that are essential for security mechanisms to be effective.
In this phase recommendations are transformed into specifications for people, systems and policies. The objective is to translate the security plan into bidding and purchasing documents and procedures, and organizational programs and processes. Learn more at Millennium Group Access Control.