Developing a
comprehensive security plan requires methodical and deliberate analysis.
Starting with a macro understanding of an organization and progressing to micro
security tasks, it takes structure to compile and analyze a security plan. The
resulting series of recommendations are orchestrated to complement and support
each other.
It is a formidable undertaking, because few industry models
exist. Few security programs are products of a comprehensive analysis; most are
developed on an ad-hoc basis in response to a security incident. In fact, many
security operations are designed for investigations after an event occurs, not
for prevention.
The object of
a security analysis is to identify security exposures in a methodical and
thorough manner so that a security program is based on broad analysis and not
simply on the last security incident. Analysis ensures that expenditures for
security are directed appropriately based on local needs, thus protecting
critical resources while accepting the risks stemming from lesser concerns.
The goal, however, is not to develop a foolproof security plan.
An underlying concept is that an asset cannot be protected completely, without
absorbing extravagant costs and without inhibiting business operations. The
goal instead is to make it difficult — but not impossible — for an adversary to
breach security. The level of difficulty depends upon the value of the asset
and the organization's tolerance for risk.
The analysis
process is divided into five phases: asset definition; threat assessment;
vulnerability analysis; selection of countermeasures; and implementation. The
process is arranged for a deliberate analysis and requires completion of each
phase before proceeding to the next.
Asset Definition
Asset definition begins with a broad understanding of the
organization's operation, its tasks and functions, and its operating
environment. At the beginning of an analysis, interviews are conducted with the
organization's management and operating personnel to identify the resources essential
for operations. This includes production equipment, operating systems, raw
materials, finished product, inventory control and management systems, and the
infrastructure of power, water, natural gas and telecommunications. Often,
intangible assets are the most significant and are only discernible by
examining the organization's operation beyond surface appearances. In effect,
this step defines targets for attack.
Each asset
may be further subdivided into micro components. An analysis may indicate that
a particular asset must be defined in detail because of its criticality.
Information technology is an example of the generally defined asset that may be
further subdivided into an extensive list of system components, including
equipment hardware, operating systems, applications software, database
management systems, telecommunications and system documentation.
Both tangible and intangible assets should be categorized as
vital (the loss would prove catastrophic); important (the loss would prove
seriously disruptive but survivable); or secondary (the loss would be
relatively insignificant).
Threat
Assessment
A comprehensive security plan requires a broad definition of
threats so that a range of exposures is considered. Through the analysis, the
focus should narrow to target those threats that are deemed the most
applicable.
Assessment begins by compiling data on past security incidents,
including incidents at the site, within the company and within the industry.
Determine if patterns of criminal behavior exist and define their nature.
Review loss records, safety records and legal judgments involving the
organization. Consult the company's legal counsel and examine court settlements
to identify exposures with an implication for security.
Conduct
interviews with management, insurance underwriters and local emergency
management authorities to identify applicable threats. Review criminal data and
compare crime rates for the nation, state, metropolitan statistical area, and
the municipality.
Identify threats unique to the area and to the organization;
locations where concentrations of hazardous materials are stored; and
transportation avenues commonly used for transport of materials. Consider
threats that may not have occurred yet, but are applicable because of the
nature of the business and because of political and social issues.
A threat assessment is a qualitative analysis, although some
quantitative techniques are used. It is important to emphasize that an
assessment is a snapshot in time. As circumstances change, so does the threat
environment. Consequently, the assessment must be updated to ensure that the
security program is consistent with the needs of the time.
Each threat
should be categorized as probable (expect the event to occur); possible
(circumstances are conducive for an event); or unlikely (do not anticipate the
event to occur). The severity of each issue should also be categorized as
catastrophic (a disastrous event); moderate (a survivable event); or
insignificant (relatively inconsequential).
Vulnerability Analysis
Security countermeasures represent obstacles in the path of a
threat event. The objective is to make the event less likely to occur by making
it more difficult for a perpetrator to accomplish the deed. Before introducing
obstacles, however, the process for an event must be defined. Vulnerability
analysis provides a mechanism for construction of security event scenarios
defined in step-by-step detail.
Representatives
of the organization with extensive knowledge of its inner workings should
construct the scenarios. The team assumes the role of a criminal attacking the
organization, which allows key points of vulnerability to be identified.
Security plans designed to thwart the informed insider will be equally, if not
more, effective when applied to the external criminal. This exercise highlights
points of vulnerability and provides a framework for the subsequent phase, the
selection of security countermeasures. The vulnerability analysis creates
protection sets; meaning that it clearly establishes a focused problem to be
resolved through application of security countermeasures. These protection sets
are best illustrated by creating a spreadsheet correlating assets and threats
and noting which assets are exposed to which specific threats.
Each scenario should have spreadsheet entries focused on
plausibility (Is the scenario too far-fetched?); consequences of the event; and
the amount of risk the organization is willing to accept.
Selection
of Security Countermeasures
Just as a patient may be harmed by improper medication, an
organization's security posture may be weakened, if not compromised, by
improper application of security countermeasures. The exercise is more art than
science, requiring a collaborative effort of management and security staff to
arrive at a program consistent with an organization's needs.
Security
countermeasures can include electronic security systems, physical barriers,
security personnel and policies and procedures.
Electronic security systems encompass access control, detection,
surveillance and evidence gathering. Subsystems may include intrusion
detection, access control, duress alarms, CCTV, intercoms, radios, public
address systems, life safety and telephone systems.
Physical and
psychological barriers are applied to prevent access to a target. Physical
barriers include vaults, safes, vehicle barriers, fences and gates,
bullet-resistant materials, barbed wire, mantraps, vehicle traps, armored cars,
mechanical locking systems, vehicle speed bumps and curbing, bomb-resistant
structures, lighting, shielding, penetration-resistant panels, and landscaping.
Security personnel perform a variety of duties including the
operation of electronic systems, manual control of fixed post duties, and
roving patrols. Most guard operations are designed to observe events and report
incidents to law enforcement authorities. In some cases, officers are armed and
trained to intervene in events.
Policies
state management's position and philosophy on business issues and practices.
Procedures define the means for implementing the policy. This is a critical
part of a security program. It defines programs and processes that are
essential for security mechanisms to be effective.
Implementation
In this phase recommendations are transformed into
specifications for people, systems and policies. The objective is to translate
the security plan into bidding and purchasing documents and procedures, and
organizational programs and processes. Learn more at Millennium Group Access Control.