Threat, Vulnerability and Risk What is the Best Way to Determine if Security is Adequate?…
It is not often that security organizations purchase professional security services. Perhaps once every five to ten years. As such, consumers may not know exactly what service to request to best align to their physical security needs. This article is intended to clarify the difference between a security audit and a security assessment for organizations trying to validate the effectiveness of their security program to enable the appropriate choice to be made when the time comes.
Let’s start with two questions managers should ask themselves about their security program:
- Are we doing the right things to protect our people, assets and information?
- For the things we are doing in our security program, are we meeting the commitments we have made to security and are we doing things in a way that achieves desirable outcomes?
The security audit answers the second question, and the security risk assessment answers the first. Let’s start with a view of the many things that should be looked at to determine security adequacy. The following formula illustrates the three areas of security risk that are typically analyzed.
Risk = Threat + Consequence + Vulnerability
A security audit is only going to be focused on one of these elements of the security risk formula as shown below. An audit is not necessarily designed to diagnose criminal and terrorist risk, but certainly mitigates non-compliance risk.
Risk = Threat + Consequence + Vulnerability (or effectiveness of security)
Security Audit Focus
Security Audit –By comparison, a security audit is probably the easiest methodology to execute for the consultant as it is simply a verification that all security measures which are supposed to be in place are in fact in place, functioning and documented correctly. The security audit will focus on the effectiveness of security or confirm whether vulnerability is being properly mitigated. This as opposed to a security risk assessment which is intended to be much more diagnostic and predictive into the future, typically five years or more. The security audit is a point in time check only. If the basis of design for the security program is incorrect, the audit may not shed light on this. However, the security audit is an important tool in the toolbox as an agent of positive change to protect people, assets and information. Refer also to Physical Security Audit for a video discussion by a Certified Security Professional and Certified Security Consultant.
The challenge when organizations ask for an audit and have no established security standard, what is the security professional using as the benchmark against which the security audit results will be measured? Some considerations if you face this common scenario:
- If your organization does not have a set of security standards, you must ask your prospective security professional what methodology will be used to audit your organization. Ask to see the methodology so that you can review it and ensure you will be satisfied with the outcome. Will it cover all the necessary elements of your physical security program? For instance, at a minimum, a proper physical security audit should include within its scope thee following (note this list is by no means all inclusive):
- Access control – site perimeter, building perimeter, restricted internal areas
- Security systems installation, operation and maintenance
- Security related policies and procedures
- Security awareness training and education
- Information protection
- Asset protection
- Security officer utilization (if applicable)
- Competency of non-security persons in key security roles
- Crisis and emergency management protocols
- Security change management
- If you are going to request an audit from an outside security professional without having organizational security standards, you will want to ensure that the security professional has some experience in the following areas:
- Prior similar work within your industry (for example, if you are a chemical plant, the consultant should have some level of experience in the oil, gas or chemical arena).
- Setting up corporate or global security programs for organizations.
- Reporting out on audits with a methodology that supports a stratification of the findings. Some findings are going to be more important than others. There should be a means to classify gaps. For instance, the following definitions for high and lower priority observations and findings is shown below.
Findings – represent clear departures from, or exceptions to, existing applicable federal or state laws or established audit security standards, where such departures or exceptions can be confirmed. Exceptions may include any issues that were previously discovered in prior audits that are still open or were improperly or incompletely closed.
Suggestions – represent options for enhancing the plan and/or plant security to reduce the possibility of any exceptions or vulnerability to a security incident in the future.
Another caution is the type of audit that conducted as this will have a direct correlation to the validity of the outcome. Two types of audits are discussed below.
First-party audits are often called self-audits. This is when someone from the organization itself will audit a process or set of processes to ensure it meets the expectations set forth in the audit protocol. This person would typically be an employee of the organization. In some cases, particularly under some counter-terrorism regulations such as the Marine Transportation Security Act (MTSA), first party audits are prohibited and persons with any affiliation with the security program may not audit the program.
A first party audit might be appropriate as a rehearsal for a more robust audit conducted by a third party. Otherwise it could be argued that there could be a potential conflict of interest by auditing oneself.
I would consider an audit by an internal audit group to be a step up from the self-audit as the internal auditors are typically strict and objective. The problem with internal auditors doing physical security audits is the lack of knowledge of the subject matter. If internal auditor is going to be involved in physical security audits, it is important to carefully script what will be their scope so that they are looking at things they can fairly judge that are simple and high impact.
A third-party audit occurs when a company hires an independent entity to perform an audit to verify that the company is executing a security program consistent with regulatory expectations, internal standards or the methodology agreed with the auditor up front. Some would argue that this is the best and most stringent means of conducting an audit to ensure objectivity. But it also comes with a cost.
To close out the audit discussion, this type of physical security review is intended to answer the question, “For the things we are doing in our security program, are we meeting the commitments we have made to security and are we doing things in a manner that achieves the desired outcomes?” You state that you do A, B, C and D in your security program and you have or pay someone to come in and verify that you are doing A, B, C and D.
The Security Risk Assessment
Continuing with the A, B, C, and D discussion, the audit will not necessarily tell you if A, B, C, and D are the right things to be doing in your security program. To get this type of diagnostic insight, organizations need to be asking their consultant for a security risk assessment versus a security audit.
Risk = Threat + Consequence + Vulnerability
The security risk assessment is going to analyze all elements of the risk formula shown above. The predictive nature of the risk assessment is borne out of the threat assessment and pairing threats with critical assets to formulate future security scenarios that will be analyzed for consequences (how bad would it be if it occurred) and vulnerability (how susceptible is the organization to a criminal or terrorist attack or conversely, how well prepared is thee organization to prevent a security incident). Risk assessments are forward looking, but of course will take into account historical security incidents which are one of the best predictors for future incidents. Security risk assessments can nicely inform a security master plan versus the security audit which may generate some findings and corrective actions to remediate shortcomings in existing security measures.
There are many benefits of a security risk assessment:
- Prevent incidents and criminal activity.
- Compliance with the OSHA General Duty Clause.
- Identify to all stakeholders what needs to be protected, why and from whom.
- Learn where you can be victimized by criminals or terrorists.
- Identify holistic mitigation strategies to reduce security risk to people, assets and information.
- Stage implementation of recommendations at your own pace rather than hastily responding or overreacting after a security incident.
- Secure funding for security improvements by making a compelling business case. (Management will sometimes react more rapidly to third party recommendations or those that are well supported with crime and other data analysis).
- Implement many improvements without a capital investment. There are always easy, inexpensive and impactful recommendations that can be implemented at a low or even no cost.
- Identify emergency scenarios and calibrate emergency response and business continuity plans accordingly.
- Defend against frivolous litigation.
The illustration below shows how scenarios can be analyzed and scored to identify the highest concerns to an organization.
The table below draws up a final comparison between a security audit and a security risk assessment. For additional information, please Contact Us. We hope that this article helps you to make the correct choice when it is time to review your physical security program.
- Point in time assessment
- Verifies security commitments are being met
- Leads to potential action items where gaps are identified
- Less expensive typically that a risk assessment
- Does not validate that the security program is aligned with risk
- Does not provide a basis of design for an organizational security program
Security Risk Assessment
- Forward looking methodology
- Verifies security commitments are being met
- Leads to a long-term security master plan and cost staging
- More expensive than a security audit
- Validate that the security program is aligned with risk
- Provides a better defense of conformance to the OSHA General Duty Clause
- Provides a better defense against frivolous premises liability claims
- Provides a basis of design for an organizational security program
- Enhances crisis management and resiliency