Physical security. Risk mitigation. Where to start? | Guidepost Solutions LLC
Why do you manage your physical security program? What threats are you trying to protect against? What specific risks to your organization and business are you trying to mitigate?
If you can’t quickly and succinctly answer these questions, you may have skipped the critical step of developing a foundation for your physical security program: conducting a security threat, vulnerability and risk assessment (TVRA). Basing your physical security program on the results of a formal TVRA process defines the rationale and objectives of the program, provides the information needed to make informed decisions about how to allocate limited resources, and aligns the program with core business strategy.
The big picture:
Traditionally, a physical security risk assessment is a qualitative and quantitative assessment based on the vulnerability of assets to threats. The qualitative part assesses things such as how employee recruitment and retention are affected by perceived safety and security. The quantitative part estimates the monetary loss using the probability-multiplied-by-impact equation. Qualitative and quantitative assessments are relative: they compare various threat scenarios on a continuum from low probability/low impact events to high probability/high impact events.
Why it is important:
Basically, threats take advantage of vulnerabilities to gain access to assets. Therefore, it is important to clearly identify and document your organization’s critical assets. Identifying assets starts with people – your most important asset – and includes tangible assets such as plant and equipment. However, it is important not to overlook intangible assets such as reputation and intellectual property. Risk reduction activities focus on fixing vulnerabilities to reduce a threat’s access to those assets.
Architectural, operational, and technological countermeasures and mitigations can be applied to address vulnerabilities to reduce residual risk.
Architectural countermeasures include doors and door hardware, lighting, fencing and gates, signage and landscaping, and the layout of building and facility security zones.
Operational countermeasures include employee, visitor and contractor identity management, alarm monitoring and response, security staffing, business continuity planning, emergency preparedness and crisis management, and related security policies and procedures.
Technological countermeasures include electronic security systems such as access control, video surveillance, intrusion detection and security communications, as well as incident management software and security tracking and reporting measures.
These mitigation measures are mutually supportive and act interdependently to directly address the vulnerabilities identified in the TVRA process.
The effectiveness of the physical security program is evaluated over time using the Plan-Do-Check-Act (PDCA) cycle. This will help determine where risks and vulnerabilities remain, or have changed or shifted, as a result of the applied mitigations. The assessment and evaluation process then continues to apply additional mitigations to evolved threats and vulnerabilities to further reduce residual risk.
The objective is not to eliminate all risks, as this is neither realistic nor feasible. Not only is such a goal prohibitively expensive, but it interferes with normal business operations and limits opportunity risk that could produce desirable business results. Instead, the goal is to reduce residual risk to an acceptable level with manageable identified risks.
Tailoring your physical security program to reduce the risk of specific threats and vulnerabilities identified through the TVRA process enables physical security risk management to be a business enabler. It is imperative that your physical security program is not siloed. It should be integrated with supporting initiatives and operations and aligned with organizational objectives and core mission goals.
Independent third-party security consulting firms leverage their experience with many different types of organizations and threat environments to perform TVRA assessments. By incorporating lessons learned from various facilities in different industries, they integrate many different viewpoints, such as environment, health and safety (EH&S), business continuity, HR, IT, workplace violence threat assessment, investigations, and Crime Prevention Through Environmental Design (CPTED), in addition to physical security, to develop comprehensive asset, threat, vulnerability and mitigation profiles. The resulting TVRA not only establishes a solid foundation of data to build upon, but also documents how the mission and strategies of the physical security program align with the core business strategy.