Security Risk Assessment - John M. White

Security Risk Assessment (eBook)

Managing Physical and Operational Security
eBook download: PDF | EPUB
2014 | 1st edition
230 pages
Elsevier Science (publisher)
978-0-12-800917-8 (ISBN)
38.95 incl. VAT
  • Download available immediately
Security Risk Assessment is the most up-to-date and comprehensive resource available on how to conduct a thorough security assessment for any organization. A good security assessment is a fact-finding process that determines an organization's state of security protection. It exposes vulnerabilities, determines the potential for losses, and devises a plan to address these security concerns. While most security professionals have heard of a security assessment, many do not know how to conduct one, how it is used, or how to evaluate what they have found. Security Risk Assessment offers security professionals step-by-step guidance for conducting a complete risk assessment. It provides a template to draw from, giving security professionals the tools needed to conduct an assessment using the most current approaches, theories, and best practices.
  • Discusses practical and proven techniques for effectively conducting security assessments
  • Includes interview guides, checklists, and sample reports
  • Accessibly written for security professionals with different levels of experience conducting security assessments

John M. White, a recognized expert in asset protection management, has over 38 years of experience including military, law enforcement, corporate security administration, and professional security consultation. White is Board Certified in Security Management as a Certified Protection Professional (CPP), and he is a Certified Healthcare Protection Administrator (CHPA), the two highest certifications in the security profession. He is also a member of the International Association of Chiefs of Police, National Association of Chiefs of Police, The International Association for Professional Security Consultants, ASIS International, International Association for Healthcare Security & Safety, and several other professional groups. He has also presented as a security expert at an international security conference. White has been published in the Journal of Healthcare Protection Management, International Association for Healthcare Safety & Security, Rusting Publications, on numerous occasions, and in the association's monthly Directions magazine. He has also been published in the ASIS International's Security Management magazine.

Front Cover 1
Security Risk 4
Copyright 5
Contents 6
Acknowledgments 10
About the Author 12
Preface 14
Chapter 1 - Introduction to Security Risk Assessments 18
WHAT IS A SECURITY RISK ASSESSMENT? 18
SECURITY RISK ASSESSMENT INTENT 22
WHO WILL CONDUCT THE ASSESSMENT? 23
HOW OFTEN DO I NEED TO COMPLETE AN ASSESSMENT? 28
HOW LONG WILL THIS PROCESS TAKE? 29
Chapter 2 - Preassessment Planning 32
SERVICES AGREEMENT 32
PROJECT MANAGEMENT 34
IDENTIFY THE PARTICIPANTS 36
PROJECT SCHEDULE 39
BUDGETING CONSIDERATIONS 42
PROJECT ASSUMPTIONS 44
DELIVERABLES 45
Chapter 3 - Project Management 48
SECURITY MANAGEMENT VERSUS SECURITY CONSULTANT 48
INTERNAL PERSONNEL 49
SECURITY CONSULTANTS 51
Chapter 4 - Defining the Project Scope 56
THE PROJECT SCOPE 56
MEASUREMENT STANDARDS 60
LOCATIONS INCLUDED 63
Chapter 5 - Information Gathering 66
INTERNAL SOURCES 66
EXTERNAL SOURCES 70
STAFF SURVEY 75
PROJECT INTERVIEWS 77
Chapter 6 - Physical Security Assessment 80
KICKOFF MEETING 81
INTERVIEWS 82
CONDUCTING THE ASSESSMENT 84
BUILDING EXTERIOR 86
BUILDING INTERIOR 93
Chapter 7 - Security Department Operations 102
MANAGEMENT REVIEW 102
SECURITY CULTURE 103
MANAGEMENT SPAN OF CONTROL 104
SECURITY MANAGEMENT PLAN 107
STATUTORY AND REGULATORY REQUIREMENTS 107
SECURITY STAFF SCHEDULING 109
SECURITY PATROL OPERATIONS 112
SECURITY POLICIES 114
SECURITY RECORDKEEPING 115
SECURITY INCIDENT REPORT FOLLOW-UP 116
Chapter 8 - Security Training 120
STAFF SECURITY AWARENESS TRAINING 121
SECURITY OFFICER TRAINING 123
TRAINING DOCUMENTATION 127
FREQUENCY OF TRAINING 127
PROFESSIONAL CERTIFICATIONS 128
TRAINING RESOURCES 128
SUMMARY 129
Chapter 9 - Workplace Violence Risks and Vulnerabilities 130
VIOLENCE INDICATORS 132
SUSPECT PROFILING 133
WORKPLACE VIOLENCE RISK ASSESSMENT 134
DOCUMENTATION REVIEW 136
THREAT ASSESSMENT TEAM 137
PREVENTION STRATEGIES 137
RISK FORESEEABILITY 139
SUMMARY 140
Chapter 10 - Financial Risk Assessment 142
FINANCIAL ASSET MANAGEMENT 142
CASH HANDLING 143
PAID PARKING 145
LOST AND FOUND 146
TRANSPORTATION OF MONEY 148
FIDUCIARY RESPONSIBILITY 149
Chapter 11 - Security Technology Assessment 152
LOCKS AND KEYS 154
SECURITY CAMERAS 154
SECURITY ALARMS 158
MASS NOTIFICATION SYSTEMS 160
SECURITY OFFICER EQUIPMENT 161
SPECIALIZED SECURITY EQUIPMENT 162
SUMMARY 164
Chapter 12 - Access Control 166
LOCK AND KEY CONTROL 166
CIPHER LOCKS 168
ELECTRONIC CARD ACCESS CONTROL 170
DOOR HARDWARE 172
VISITOR MANAGEMENT 173
CRIME PREVENTION THROUGH ENVIRONMENTAL DESIGN (CPTED) 174
GEOGRAPHIC CONSIDERATIONS 176
BIOMETRICS 176
Chapter 13 - Legal Considerations and Prevention Strategies 178
LITIGATION AVOIDANCE 178
CRIME PREVENTION 180
LOSS PREVENTION STRATEGIES 182
SECURITY VULNERABILITY ANALYSIS 184
THREAT IDENTIFICATION 186
SUMMARY 187
Chapter 14 - Contracted Services 188
POLICE SERVICES AND CONTRACTED STAFFING 188
ELECTRONIC SECURITY CONTRACTORS: INSTALLS 190
BACKGROUND INVESTIGATION FIRMS 192
PARKING MANAGEMENT FIRMS 193
DOCUMENT SHREDDING SERVICES 195
CONTRACT SECURITY SERVICES 196
SUMMARY 198
Chapter 15 - The Security Risk Assessment Report 200
REPORT WRITING 200
COMPONENTS OF THE ASSESSMENT REPORT 201
Chapter 16 - Conclusion 214
IMPLEMENTATION PROJECT MANAGEMENT 214
PROJECT TEAM 215
CHALLENGES 216
IMPLEMENTATION PHASE 218
TRACKING CHANGE 220
MEASURING OUTCOMES 221
LET’S DO IT AGAIN 223
Index 226

Chapter 1

Introduction to Security Risk Assessments


Abstract


There are many names given to the term security risk assessment. In fact, the actual process of identifying security issues has been called physical security assessment, security survey, security audit, and risk assessment to name just a few. Generally speaking, it is a systematic on-site assessment and analysis of your current security measures, whether they are physical security measures, technology, operations, facilities, security management, policies, training, reports, or any other aspect of your security program or measures. This chapter will help to define the intent of an assessment, who will conduct it, and how to remain objective and unbiased throughout the project.

Keywords


Defining security risks; Physical security review; Security deficiencies or excesses; Security risk assessment; Security vulnerabilities

What Is a Security Risk Assessment?


There are many definitions given to the term security risk assessment. According to ASIS International’s manual, Protection of Assets: Physical Security, a security risk assessment is “a fundamental examination that can include review of documentation, policies, facilities, technology, protection strategies, staffing, training, and other key indicators to determine the present state of the protection program (security) in an effort to identify deficiencies and even excesses, in order to make recommendations for improvement based on proven methods.”1
In fact, the actual process of identifying security issues has been called many different things. Some of the more common names assigned to this subject have been security assessment, security survey, security audit, and risk assessment, to name just a few. Generally speaking, it is a systematic on-site assessment and analysis of your current security measures, whether they are physical security measures, technology, operations, facilities, security management, policies, training, reports, or any other aspect of your security program or measures. Regardless of the title, they all pursue similar goals: identifying security weaknesses, risks, deficiencies, and even excesses, and then formulating a plan to address the findings with detailed recommendations based on industry-accepted standards and best practices.
Most professionals would agree that the assessment process should follow a uniform approach. However, if there is one thing certain in life regarding such processes, it is that everyone who conducts such assessments does so in a variety of different ways.
Over the years, there have been numerous books that have covered different parts of a security assessment, so you would think that security practitioners would all be working from the same baseline. However, the opposite is true in many cases. Even among professional security consultants, all have different approaches and no two reports are the same.
Case in point—upon review of numerous security assessment reports written by independent consultants, it became clear to me that there are vast differences in style and project methodology. Some reports are nothing more than a statement of facts as determined by the author, followed by an extensive list of recommendations, most of which are not easily correlated within the report, nor are they explained in detail showing the reader what the recommendations will bring to the table if implemented. So this begs the question: if the report does not fully identify the security risk, tell the reader how to address that risk, or provide the reader with a sense of what the change will look like if implemented, what is the purpose of the assessment?
Quantitative and qualitative techniques are often used in an effort to measure and evaluate the security program’s effectiveness. The person conducting the assessment also needs to consider statistics when conducting a security risk assessment because the statistics are often the starting point in establishing a baseline of sorts for the program. You cannot effectively manage a security program if you do not track security incident reports and their outcomes. If the person doing the assessment (who will be referred to as the reviewer throughout this chapter) does not have information on historical security issues (e.g., past incident reports) to determine trends, he or she will be at a disadvantage and will likely be setting the baseline from scratch.
Another part of the security assessment is the process of identifying and defining the threat, as well as identifying what the target of those threats may be. As we often find, no two industries are exactly the same, and the process of identifying and defining security risks and threats is often different depending on your organization.
Take, for example, an organization that does research and development for high-end computer components and a retailer. The security threat for the research and development organization may be in the form of stolen trade secrets, products, or even patent infringements/violations. On the other hand, the security threats associated with the retail environment will often be theft of product or cash receipts. Therefore, in the case of a retail environment, you might be looking at implementing security measures that reduce the risk of robbery, burglary, shoplifting, or even embezzlement. As for the research and development company, security’s efforts may be more focused on preventing unauthorized access into research and development areas and unauthorized access to sensitive computer files. In both cases, security practitioners are often working in a proactive manner, which means they are trying to prevent an incident from occurring.
As most security practitioners know, security programs typically operate in a proactive posture, in that the goal of security is to prevent incidents from occurring. Law enforcement, on the other hand, often operates in a reactive mode, meaning that it responds to calls for service as a situation is occurring or after it occurs. Conducting a security risk assessment is itself proactive, as you are examining your program to see where you can improve based on industry standards. As part of that assessment, the security practitioner must look at past incidents, known threats, and potential targets, which in essence is being both proactive and reactive.
Today’s security practitioner must be flexible and must be able to not only look to the past but also plan for the future in their daily actions. The challenges of today’s security professionals are more complex than ever before. The industry in which you work has changed no matter what type of business it is. With the constant rise in workplace violence issues and threats, such as an active shooter, security professionals must adjust.
This book will only minimally touch on information technology (IT), due to the fact that most security professionals do not manage the computer systems of their companies. However, it is possible that some security practitioners are performing IT oversight to some extent, because we know there is a trend in many large corporations to bring all security systems and operations under one person, such as a chief security officer (CSO).
In most businesses, IT and security are separate, yet IT does play a role in security. IT protects the computer network systems, online presence, electronic records, and e-commerce, while the security department protects the corporate assets, a responsibility under which IT's systems, by their nature, also fall. If you are performing a security risk assessment at your organization and you are not considering your online presence or your computer network, you could be overlooking the most vulnerable portal into your organization. Although this book will address IT as it relates to the security assessment, it is not the focus and intent of this book to fully address all the security concerns associated with the corporation's computer network. There are many resources available to fully address IT security, and we would suggest that security practitioners at a minimum have a basic understanding of their network systems.
What sets the tone for most security programs can often be described as the probability of “risks.” When you are assessing for risks you are evaluating for potential incidents of undesirable events. Real or perceived risks are those key factors that are the basis for the level of security measures instituted. In simple terms, if you do not believe that your company has any security risks, it is likely that you have minimal to no security measures other than a lock on the door.
Take, for example, a farmhouse in a very remote area. At this farmhouse, you are likely to find that the doors to the house and outbuildings are not locked, even when no one is on the property, and you may often find the car keys in the ignition. The owners believe that they have no real or perceived security risks, therefore they have no security. For them, this is a matter of choice.
On the other hand, when you look in the inner cities you will often find homeowners who go to great measures to secure their property. Those security measures will include deadbolt locks, bars on the windows, alarm systems, fencing, guard dogs, security cameras, and many other protection measures. They often do so because of the risks associated with their environment or geographic area. Either they have been a victim of a crime or someone they know has. It could also be that they have educated themselves in the risks around them and they...

Publication date (per publisher): 22.7.2014
Language: English
Subject areas: Computer Science > Networks > Security / Firewall
Social Sciences > Politics / Administration
Economics > Business Administration / Management > Corporate Governance / Management
Economics > Business Administration / Management > Business Informatics
ISBN-10 0-12-800917-9 / 0128009179
ISBN-13 978-0-12-800917-8 / 9780128009178
PDF (Adobe DRM)
Size: 2.3 MB
EPUB (Adobe DRM)
Size: 3.3 MB