Recording
IP Video
Intelligent Video
Access Control Systems
Stand-alone Devices
System Controllers
Readers
Locking Devices
Egress Devices
Door Hardware
Perimeter Security Systems
Fencing
Gates
Bollards
Locks
Lighting
Fire Systems
Specialized Protection Systems
Metal and Explosive Detectors
Ballistic-Resistant Materials
Security Personnel
Proprietary Security Force
Contractual Security Force
Off-Duty Law Enforcement Officers
Other personnel who serve in a protection capacity
Security Assessments
The remaining steps of a risk assessment involve various evaluations
designed to analyze threats, vulnerabilities, and overall risks and a suggested
course of remediation. Each step is a systematic approach to determining the
actual risk posed to the assets, specifically those that are mission critical. As dis-
cussed in Chapter 1, there are three types of security assessments: vulnerabil-
ity, threat, and risk assessments. The final step of the risk assessment is to
Asset Identification and Security Inventory 23
evaluate the costs and benefits of remedial measures, including redeployment
of resources to protect higher risk areas or assets. This step often provides the
greatest heartache to security decision makers because it often involves reduc-
ing security to one asset and redeploying those resources to protect more
critical assets or at-risk assets. While the heartache is justified, the task is
possible. It is possible. It is reasonable. It is defendable. In a nutshell, the risk
assessment is designed to provide a continuous process of identifying critical
assets and threats to those assets, and reducing any vulnerabilities by careful
analysis and implementation of effective countermeasures to achieve an
optimum level of protection.
Security assessments are very specific to the type of organization or facility
being assessed. Similarly, the methodology used must also be specific to the
organization or industry. An assessment methodology designed for chemical
facilities will not be useful for a university campus. If an industry-specific
methodology is used, it should clearly identify the type of facility for which it
is designed and any limitations. Security assessment methodologies are also
designed to address certain security arenas. Currently, the division is twofold:
physical security and information technology security. Although the gap is
closing through the process of convergence, the two fields still stand alone and
require different methodologies.
Regardless of the type of organization or whether the assessment is related
to physical security or to information technology security, the assessment
should state what critical assets require protection, what type of information
is needed for each asset, and how the asset’s loss, damage, or destruction
would impact the mission of the organization. The assessment should also
include a threat assessment, vulnerability assessment, and risk assessment
that allow security decision makers to prioritize asset protection protocols.
Finally, the assessment should make specific recommendations as to how to
block opportunities for adversaries to attack and how to protect specific
assets.
Once the risk assessment has been completed, certain assets may have a high
critical rating, but a lower security level may be required for the overall facil-
ity. A typical qualitative approach to facility security levels is as follows:
Security Level 1
Minimum Security
A system designed to impede some unauthorized external activity.
Security Level 2
Low-Level Security
A system designed to impede and detect some unauthorized external
activity.
24 Strategic Security Management
Security Level 3
Medium Security
A system designed to impede, detect, and assess most unauthorized exter-
nal activity and some unauthorized internal activity.
Security Level 4
High Security
A system designed to impede, detect, and assess most unauthorized
activity.
Security Level 5
Maximum Security
A system designed to impede, detect, assess, and neutralize all unautho-
rized activity.
Asset Identification and Security Inventory 25
This page intentionally left blank

Get Strategic Security Management now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.