Chapter 3. Security Plan Development and Risk Assessment

Abstract

This chapter provides a method to develop and format safety and security plans, along with a process to develop a Risk Assessment Matrix that provides a prioritized order of an organization’s threats and vulnerabilities. There is also a discussion on a process to quantify the safety and security initiatives you may consider, based upon your organizational risk assessment, in order to better compare the costs of the project against the savings of the potential security improvement.

Keywords

Cost analysis; Cost-benefit analysis; Direct benefits; Indirect benefits; Life-cycle costs; Risk assessment; Risk assessment matrix; Security plans; Security procedures

Within this chapter, we will look at the overall process involved in safety and security planning. This includes the development of safety and security plans and procedures, risk assessment, identification of potential threats and vulnerabilities, how to quantify safety and security initiatives in terms of efficiencies and costs, how to match cost-effective solutions that work against these threats, and methods to justify safety and security processes to employees and shareholders. Each of the following sections will discuss these separate areas in detail.

3.1. Safety and Security Plans and Procedures

The primary method to implement any safety and security program is a well-written organizational safety and security plan. Ideally, a security professional should be involved in the development of any detailed plan to ensure the document is complete and meets the specific needs of your organization. If this is not possible due to limited time or resources, there are several pieces of information that can assist you in developing your own document, which can serve as a starting point until it can be further refined by an expert. These items should not only ensure that the resulting safety and security plan is properly accomplished and tailored to your organization, but also that it provides a consistent set of guidelines to your employees in the event of an emergency.
We will discuss these items that should be included in any safety and security plan by looking at the overall format of a typical document. This format should include the following sections to ensure coverage of all the necessary areas:
1. Executive Summary
2. Introduction to Security
3. Security Risk Assessment
4. Security Aspects, Requirements, and Mitigation Considerations
5. Physical Security
6. Information Security
7. Personnel Security
8. Emergency Response
9. Security Teams
10. Safety and Security Training and Exercises
11. Maintenance of the Plan and Audits
12. Appendices
Each of these plan sections will be examined in turn over the next several sections of this chapter. For each, we will look at standard verbiage for many of the typical areas covered within that subject area, along with a discussion of what the section should cover.

3.1.1. Executive Summary

An executive summary of the organizational safety and security plan should be the first section of any good planning document. This section briefly covers some of the major points of the plan, along with summary information regarding your business and the local area.
The following paragraphs show a draft format of a typical executive summary, along with specific items that should be included in this section.
1. Executive Summary
1.1. Introduction. Businesses are not immune to security incidents and crises, as has been seen over the past several years. These incidents can be minor in nature, such as vandalism and petty theft; however, they can also include more serious events such as natural disasters, threats against the facility, visitors, and staff, or environmental hazards. These incidents may result in significant catastrophes such as destruction of the facility, or workplace violence incidents that could include active-shooter scenarios. This plan is designed to provide response actions for the organization’s staff in order to mitigate these potential crises.
1.1.1. Summary of the local area where your business operates. This brief description should include the geographic area, major population centers, and the types of typical criminal activity in the area such as minor burglary, vandalism, theft, break-in, or more violent crimes.
1.1.2. Summary of the size of the business (e.g., number of buildings, number of staff, number and frequency of visitors, budget, etc.)
1.1.3. Security Risk Assessment. The method to accomplish a detailed Security Risk Assessment will be covered later in this chapter. The executive summary should detail where this assessment is contained within this document, as the risk assessment will provide a listing of the business’s risks with a high and moderate potential of occurrence.
1.1.3.1. Include a list of specific risks within the organization that have a high potential of occurring that would result in critical consequences based upon the results of your risk assessment.
1.1.3.2. Include a list of risks with moderate potential of occurring that would result in serious consequences based upon the results of your risk assessment.
1.2. Plan Objectives
1.2.1. Security Responsibilities. This section should delineate specific roles and responsibilities necessary to accomplish tasks required within the safety and security program. This should include:
1.2.1.1. Designation of the overall position responsible for the organization’s Safety and Security Program. This individual should normally be the person who will be standing in front of the cameras in the event of a significant incident, so it may not necessarily be the individual who runs the program on a daily basis, but instead it may be the CEO or President.
1.2.1.2. Designation of the day-to-day management of the organization’s Safety and Security Program (if different from the individual designated as the overall Safety and Security point of contact in 1.2.1.1).
1.2.1.3. Designation of various Security and Safety Teams. It is helpful to divide the effort within each of the major areas that comprise an organization’s safety and security program amongst a group of individuals, in order to ensure the program can be properly maintained. It is useful to designate the following teams to assist in management and maintenance of the safety and security program. These sections should discuss what positions are included in each respective team and will also describe the functions listed within each team.
1.2.1.3.1. Security Management Team should include the individual who is overall responsible for the organization’s safety and security program; the individual responsible for day-to-day management of the safety and security program; the director of operations; the director of human resources (or personnel); the director of maintenance or facilities; the public relations director; the director of information technology, and a line manager.
1.2.1.3.2. Plan Development Team should include the individual responsible for the day-to-day management of the safety and security program; the director of operations; the director of human resources (or personnel); the director of maintenance or facilities; the public relations director; and a director of information technology.
1.2.1.3.3. Exercise Management Team should include the individual responsible for the day-to-day management of the safety and security program; the director of human resources (or personnel); the director of maintenance or facilities; the public relations director; the director of information technology; and a line manager.
1.2.1.3.4. Physical Security Team should include the individual responsible for the day-to-day management of the safety and security program; the director of operations; and the director of maintenance or facilities.
1.2.1.3.5. Information Security Team should include the individual responsible for the day-to-day management of the safety and security program; the director of information technology; and the director of maintenance or facilities.
1.2.1.3.6. Security Incident Response Team should include the overall responsible individual for the organization’s safety and security program, the individual responsible for the day-to-day management of the safety and security program, the director of operations, the director of human resources (or personnel), the director of maintenance or facilities, the public relations director, and the director of information technology.
1.2.2. Security Requirements and Mitigating Actions. This section provides a brief introduction and overview of the requirements and mitigating actions contained within the business’s safety and security program. The following paragraphs are examples of what could be included in this section:
1.2.2.1. A robust Security Awareness Program is critical to maintaining an active and viable safety and security program.
1.2.2.2. Access requirements and procedures are provided to ensure facilities are able to maintain control and awareness over all visitors into the building. Adequate access control procedures can greatly reduce the potential of unauthorized or hostile personnel from entering the facility and gaining access to employees and restricted areas within the organization.
1.2.2.3. Physical Security requirements detail physical measures designed to safeguard staff, visitors, and resources.
1.2.2.4. Information Security requirements discuss techniques to safeguard computers and information systems within the organization.
1.2.2.5. Personnel Security requirements establish processes for proper employee screening and for the protection of sensitive information.
1.3. Things to Know. This section discusses some basic considerations within a typical safety and security plan and may include the following paragraphs:
1.3.1. Some requirements contained in the safety and security plan may not be achievable at the present time because of budgetary constraints. It should be noted that requirements currently not met shall remain objectives to achieve within the organization’s safety and security program.
1.3.2. A discussion of where emergency response checklists for significant safety and security incidents are located within the plan. Note: the development of emergency response checklists will be covered in detail within Chapter 9.

3.1.2. Introduction to Security

The next section within an organization’s safety and security plan is entitled “Introduction to Security.” When people read your plan, they need to understand what you are trying to do and why. This introductory section helps to accomplish this by ensuring that the reader is familiar with the concepts and terminology within the plan.
The following paragraphs show a draft format of an introductory section, along with some areas that should be included in this section.
2. Introduction to Security
2.1. Security is defined as the condition of being protected against hazards, threats, risks, or loss.
2.2. Protection. Overall protection requires defense-in-depth—the strategy of forming layers of protection around a critical resource. In the case of businesses, critical resources can include the staff, authorized visitors, customers, other assets such as valuable items and equipment, and stored funds.
2.3. Detection is the act of discovering an attempt (successful or unsuccessful) to breach a secured perimeter (such as scaling a fence, opening a locked window, breaking into a door or walls, or entering an area without authorization).
2.4. Prevention requires plans and processes that will allow an organization to avoid, preclude, or limit the impact of a crisis occurring. The tasks of prevention should include compliance with policy, mitigation strategies, and behaviors and programs that support avoidance, deterrence, and detection.
2.5. Reaction and Response.
2.5.1. Reaction describes how staff and visitors will initially act in the event of an emergency or crisis situation. To ensure proper reaction, increase survivability, and minimize injury to people and damage to resources, this plan provides for detailed actions and easy-to-understand response procedures that should be disseminated to the staff and exercised on a periodic basis.
2.5.2. Response requires personnel to execute the plan, the identified resources necessary to perform those duties, and services to preserve and protect life and property as well as provide services to the surviving population. Response steps include potential crisis recognition, notification, situation assessment, and crisis declaration, plan execution, communications, and resource management.
2.6. Documentation requires factual reporting of the events surrounding the incident, the reaction and response by the affected staff and visitors, and an accurate after-action report to analyze and improve current plans and procedures.

3.1.3. Security Risk Assessment

The Security Risk Assessment identifies potential risks and vulnerabilities to your organization and includes a fully developed Risk Assessment Matrix to rank-order and prioritize these risks. Here we will only look at the areas and verbiage that should be included within the plan, as we will discuss how to accomplish a detailed Risk Assessment Matrix later in this chapter.
3. Security Risk Assessment
3.1. A primary response step is to identify potential crises and take action to mitigate these incidents prior to their occurrence. This section analyzes the safety and security risks of the business and provides a Risk Assessment Matrix of the potential incidents and emergencies that could be experienced.
3.2. Incidents that include sabotage and malicious destruction are as follows:
3.2.1. Active shooter
3.2.2. Hostage situation
3.2.3. Violent/Uncooperative visitor
3.2.4. Unauthorized visitor
3.2.5. Bombs, bomb threat, suspicious packages
3.2.6. Vehicle-borne explosives
3.2.7. Vandalism
3.2.8. Terrorist threats/Threats of violence
3.2.9. Gang activity
3.2.10. Protest activity
3.2.11. Homicide
3.3. Natural disasters (e.g., tornadoes, hurricanes, earthquakes, floods, wildfire, etc.) that could potentially occur in your organization’s region should be listed. Note that if there is no threat of a specific type of natural disaster, your plan need not include this type of incident nor take time to address response actions.
3.4. Biological/Chemical threats (mail handling, food-borne threats, MRSA, etc.) that could affect your company should be listed.
3.5. Facility Disasters that could occur to your organization could include:
3.5.1. Explosions
3.5.2. Structural collapse
3.5.3. Major accidents
3.5.4. Fire
3.6. Criminal Activity that could affect your company such as:
3.6.1. Pilferage
3.6.2. Fraud
3.6.3. Records manipulation
3.6.4. Forgery
3.6.5. Car theft
3.6.6. Embezzlement
3.6.7. Computer crimes
3.6.8. Theft and burglary
3.6.9. Illegal drugs (selling or possession)
3.7. Personnel Problems that your organization and employees could experience. These issues would include:
3.7.1. Gambling
3.7.2. Disgruntled employees
3.7.3. Workplace violence
3.7.4. Malicious, willful, or negligent personal conduct
3.7.5. Absenteeism
3.7.6. Misrepresentation
3.7.7. Sexual harassment
3.7.8. Staff narcotics and drug use
3.7.9. Alcoholism
3.8. Miscellaneous risks
3.8.1. Medical emergencies
3.8.2. Traffic and parking accidents
3.8.3. Improper maintenance
3.9. The completed Organization Risk Assessment Matrix should be inserted in this paragraph. Again, we will specifically cover how to accomplish this matrix later in this chapter.
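The paragraphs above list the threat categories that feed the Risk Assessment Matrix and Section 1.1.3 asks the executive summary to pull out the high-potential/critical-consequence and moderate-potential/serious-consequence risks from it. The following is an added example (not from the book, whose matrix method is covered later in the chapter) of how a small risk register can be rank-ordered and the two summary lists produced automatically. The three-level likelihood scale, four-level consequence scale, the likelihood-times-consequence ordering rule, and every rating in the sample register are assumptions constructed for illustration; real ratings come from your own assessment.

```python
"""Added example: rank-order a risk register and extract the executive-summary lists.

Assumed scales (not the book's): the chapter names "high" and "moderate" likelihood
and "critical" and "serious" consequences; the remaining levels are filled in here.
"""
from dataclasses import dataclass

LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
CONSEQUENCE = {"minor": 1, "moderate": 2, "serious": 3, "critical": 4}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # one of the Section 3.2-3.8 groupings
    likelihood: str    # key of LIKELIHOOD
    consequence: str   # key of CONSEQUENCE

    @property
    def score(self) -> int:
        """Likelihood x consequence: the matrix cell this risk falls in (assumed rule)."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def validate(risk: Risk) -> None:
    """Reject ratings outside the agreed scales so a typo cannot silently drop a risk."""
    if risk.likelihood not in LIKELIHOOD or risk.consequence not in CONSEQUENCE:
        raise ValueError(f"unknown rating on {risk.name!r}: "
                         f"{risk.likelihood}/{risk.consequence}")


def prioritize(risks):
    """Return the register highest score first; ties go to the worse consequence, then name."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (-r.score, -CONSEQUENCE[r.consequence], r.name))


def summary_lists(risks):
    """Lists for Section 1.1.3.1 (high potential, critical consequence) and
    Section 1.1.3.2 (moderate potential, serious consequence), in priority order."""
    ranked = prioritize(risks)
    high = [r.name for r in ranked if r.likelihood == "high" and r.consequence == "critical"]
    moderate = [r.name for r in ranked if r.likelihood == "moderate" and r.consequence == "serious"]
    return high, moderate


def render_matrix(risks) -> str:
    """Text grid: one row per likelihood level (worst first), one column per consequence."""
    cells = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.consequence), []).append(r.name)
    lines = ["likelihood \\ consequence | " + " | ".join(CONSEQUENCE)]
    for lk in sorted(LIKELIHOOD, key=LIKELIHOOD.get, reverse=True):
        row = [", ".join(cells.get((lk, c), [])) or "-" for c in CONSEQUENCE]
        lines.append(f"{lk:<23} | " + " | ".join(row))
    return "\n".join(lines)


# Constructed sample register: names come from the Section 3 lists, ratings are
# arbitrary placeholders chosen to exercise the ordering, not real assessments.
SAMPLE_REGISTER = [
    Risk("Active shooter", "sabotage/malicious destruction", "low", "critical"),
    Risk("Unauthorized visitor", "sabotage/malicious destruction", "high", "moderate"),
    Risk("Tornado", "natural disaster", "high", "critical"),
    Risk("Pilferage", "criminal activity", "high", "minor"),
    Risk("Computer crimes", "criminal activity", "moderate", "serious"),
    Risk("Fire", "facility disaster", "moderate", "critical"),
    Risk("Medical emergency", "miscellaneous", "high", "serious"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_REGISTER))
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:>2}  {r.name} ({r.category})")
    print("1.1.3.1 high/critical:", summary_lists(SAMPLE_REGISTER)[0])
    print("1.1.3.2 moderate/serious:", summary_lists(SAMPLE_REGISTER)[1])
```

The tie-break on consequence is deliberate: two risks with equal scores are not equal concerns, and the plan’s emphasis on critical consequences means the worse outcome should sort first. Rejecting unknown ratings matters because a mistyped level would otherwise fall out of both summary lists without any warning.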

3.1.4. Security Aspects, Requirements, and Mitigation Considerations

This section covers some broad safety and security concepts and forms the major part of any organization’s safety and security plan. Here is where the plan discusses overarching initiatives that should be part of any organization’s safety and security program. This section also forms the basis for the next several sections that will discuss the three primary areas that comprise safety and security—Physical Security, Information Security, and Personnel Security. This section should discuss specific threats that should be considered along with the responses to these threats that are designed to minimize any damage, loss, or personal injury to your business. We will cover all of these areas and how they should be organized within this section over the next several paragraphs:
4. Security Aspects, Requirements, and Mitigation Considerations
4.1. Introduction. Security aspects, requirements, and mitigation considerations discuss the nature of the threats to be considered and common countermeasures that should be deployed.
4.2. Security Awareness Program. An extremely significant factor in the success of a business’s safety and security program is ensuring an active security awareness program amongst all staff. Over time, a successful program permeates throughout the entire organization and staff, which ultimately results in a greater ability to deter and detect potential threats before they can cause significant damage.
4.2.1. Background. Security and law enforcement personnel cannot be everywhere. As a result, it is extremely unlikely that trained security professionals will be at the exact location where an incident begins. Security awareness amongst all employees greatly increases the number of personnel who can identify potential problems before they occur and ensures these individuals can appropriately respond and react to an event as it happens.
4.2.2. Implementation. To produce a robust security awareness program, the organization must accomplish periodic training of its staff on safety and security. This training should include the importance of security within the organization and the basic procedures that communicate the staff’s vital role in mitigating safety and security incidents, and it should test and exercise the emergency response and crisis plans.
4.2.3. Security Awareness Program Actions
4.2.3.1. Initial or indoctrination employee training must include safety and security training along with security awareness.
4.2.3.2. Recurring training for organizational staff on subjects to include company safety and security procedures, crime prevention, and emergency response.
4.2.3.3. Promote a heightened awareness of any suspicious activity and emphasize the need for employees to report it.
4.2.3.4. Senior company leadership must periodically cover safety and security awareness items during staff meetings and conferences, both to emphasize the program’s importance and to demonstrate senior leadership involvement in it.
4.2.3.5. Provide special attention to perimeter security and access control issues and maintain a proactive effort to monitor visitor access and control to company facilities.
4.2.3.6. Emphasize secure access in order to ensure staff maintains locked entryways to facilities, storage areas, and utility locations.
4.2.3.7. Develop, review, refine, and test emergency response and crisis preparedness guidelines.
4.2.3.8. Assess health and medical preparedness and ensure organization staff prepares necessary actions for potential medical issues and incidents.
4.3. Travel Security. This section covers safety and security tips for individuals within your organization that travel. This area may not be necessary for all organizations; however, if your company requires its employees to make frequent business trips—particularly to countries and regions outside the continental United States—this section should be included within your organizational safety and security plan.
4.3.1. General Travel Security Considerations.
4.3.1.1. Dress. Do not wear clothing that will stand out or identify you as an American. If you are traveling to a foreign country, do some research and emulate how the locals dress.
4.3.1.2. Valuables. Leave fancy jewelry at home and clean out your wallet or purse before traveling so that you only take the bare minimum amount of cash and credit cards necessary for the trip.
4.3.2. Airports and Airlines. This paragraph should discuss security tips for employees that must fly through airports in the course of their duties. The following are some basic security awareness tips for employees who must use air travel:
4.3.2.1. Luggage. Attempt to pack as lightly as possible. If an individual has several bags, avoid public transportation and use a taxi instead.
4.3.2.2. Unsolicited Car Service. Never accept transportation from a person who first approaches you at the airport, grabs your bags, and says they have a car waiting.
4.3.3. Hotels. Stay away from hotels that are in bad areas of the town you are traveling to. Try to get a room on floors 2–8. A room on the ground floor will be more accessible to criminals from the outside, and a high-level floor can make evacuation difficult in the event of a fire or other emergency.
4.4. Security Guard Force Requirements. Chapter 4 includes a detailed discussion on whether your organization should consider the use of security guards along with many of the specific issues and concerns regarding these employees. Should your organization utilize a dedicated security guard force, this section would include requirements and other considerations for these individuals.
4.4.1. Personnel Requirements. This section covers the number of security guards necessary for your organization, arming requirements, and supervision considerations.
4.4.1.1. Manpower. This section should detail the exact number of security guard posts necessary to protect your company and its facility. As will be discussed in Chapter 4, the number of posts differs from the number of actual guards to be hired since each post may vary in the hours and days it must be manned.
4.4.1.2. Armed Guards. This section discusses whether or not the security guard force will be permitted to carry firearms and should include any special considerations that go along with any use of firearms.
4.4.1.3. Supervision. This section covers the supervision requirements of the security guard force. This section should include their duties, ratio of supervisors to actual guards, chain of command, and other supervisory considerations specific to your organization.
4.4.2. Security Guard Services Statement of Work. This section covers the contractual aspects relative to security guard force activities and may include the following sections:
4.4.2.1. Scope of Work discusses the particular duties of the security guard force along with their capabilities and limitations.
4.4.2.2. Authority and Jurisdiction. This section details the authority and jurisdiction of the security guard force. This will vary based upon state and federal law, agreements with local law enforcement, and your status regarding the facility and property (i.e., do you own, rent, lease, etc.).
4.4.2.3. Use of Force Policy. In the event that your organization has an armed security guard force, you will need to detail a use of force policy and ensure that individuals are appropriately trained.
4.4.2.4. Equipment, Uniforms, and Materials. If your security guard force is required to wear a uniform and maintain specific equipment, they should be detailed within this section.
4.4.2.5. Training. Security guard force personnel must periodically accomplish training to ensure they are aware of any appropriate rules, regulations, and procedures. This is critical if your security guards are armed or required to apprehend or detain individuals prior to arrival of local law enforcement.
4.5. Security Incident Reporting. This section discusses the specific process within your organization for employees to report any suspicious activities, safety concerns, and security incidents.

3.1.5. Physical Security

This section discusses the physical security requirements necessary to properly protect your organization. A physical security program should focus on equipment and documentation designed to protect your employees and organization’s critical resources. Physical security will be discussed in detail within Chapter 6, but for the purposes of a safety and security plan, the areas that should be addressed within this section include:
5. Physical Security
5.1. Introduction. This section of the plan details that part of security concerned with physical measures designed to safeguard visitors and staff, equipment, facilities, material, and documents; and to safeguard them against a security incident. The following paragraphs briefly discuss what topics your plan should cover:
5.2. Security Threats. The physical security of a facility can help to mitigate, or even preclude, some security threats. Specific threats that can be reduced through more robust physical security measures include the following:
5.2.1. Active shooter, hostage situations, and violent visitor scenarios.
5.2.2. Bombs, Bomb Threat, Suspicious Packages, and Vehicle-Borne Explosives.
5.2.3. Natural Disasters (e.g., tornadoes, hurricanes, earthquakes, floods, or wildfire).
5.2.4. Criminal Activity to include pilferage, records manipulation, theft and burglary.
5.2.5. Industrial Disasters to include explosions, structural collapse, and fire.
5.2.6. Prioritization of Potential Security Threats. The Risk Assessment Matrix of the plan should be utilized to determine prioritization of critical resources when addressing potential security threats and determining how to expend resources against what threats.
5.3. Security Design Considerations. This area covers various subcategories that comprise areas within physical security. This section looks at the necessary requirements within each of these areas, along with any design considerations to provide adequate physical security within your organization.
5.3.1. Lighting. One of the most basic (and most inexpensive) components of a security system. Carefully designed and coordinated interior and exterior lighting systems can exert a significant deterrent effect.
5.3.2. Perimeter Control. Includes elements such as fences, walls, and landscaped berms that protect a facility’s potential access ways.
5.3.3. Access Control. This area includes limiting entry points, the use of security personnel or receptionists, and automated access control systems that can include card-readers, chip-readers, and electronic locks that read information encoded on the cards, disks, or keys carried by employees.
5.3.4. Pedestrian and Vehicular Traffic Control. Closely related to access control, pedestrian traffic control covers systems such as electronic turnstiles equipped with card-readers. Vehicular traffic and parking control components also often play a role in physical security.
5.3.5. Intrusion Detection. This section includes the many types of sensors and alarm systems now available and what type of systems should be used within your facility.
5.3.6. Monitoring and Surveillance. Includes CCTV cameras and the monitors and security command centers they serve.
5.3.7. Exterior Protection includes perimeter security measures. These measures include fencing, natural barriers, gates, and exterior lighting. Exterior protection measures do not necessarily prevent all security incidents from occurring against your facility but instead they are designed to define boundaries and funnel pedestrian or vehicular traffic.
5.3.8. Exterior Doors should be reinforced and installed with appropriate locks.
5.3.9. Windows should be in good repair and capable of being locked. When possible or practical, windows should be installed with burglar-resistant glass.
5.3.10. Manholes, Grates, and Storm Drains can be overlooked in many safety and security plans; however, it is important they be included to ensure they are secured and do not allow unimpeded access into your organization’s facility and grounds.
5.3.11. Roof Openings should be locked at all times and staff shall check for tampering and condition of locks on a weekly basis.
5.3.12. Mechanical Areas. Mechanical areas should be locked at all times and never be left unsecured.
5.3.13. Building HVAC Systems. To enhance security, Heating, Ventilation, and Air Conditioning (HVAC) systems should not be located outside the facility. If they are located outside, they should be enclosed and locked to preclude unauthorized access.
5.3.14. Fire Escapes and Building Walls should be in good repair and checked periodically by organization staff for serviceability.
5.4. Access Control. That part of security concerned with preventing unauthorized access to facilities through identification of people entering facilities, admittance into the buildings, and interior movement control.
5.4.1. Building Entry. This area should cover all entrances into the organization’s facilities, to include the main entrance and any alternate entrances.
5.4.1.1. Main Entrance. Each facility should attempt to use only one entrance in order to limit access and better control individuals entering and exiting the building. This entrance should be well-marked to ensure that personnel can readily identify the entry, and should be under continuous observation by staff in order to identify personnel entering and exiting the building and identify persons of concern before entry to workplaces or access to critical resources can occur.
5.4.1.2. Continuous Observation and Monitoring. The entrance should be under continuous observation by staff (either security personnel or a receptionist). Several methods can be used in order to allow for continuous observation such as direct observation by personnel, cameras, door locks with entry controlled by a staff member, alarms for any personnel wishing to enter the facility, or all of these. These items can be used in conjunction with one another to provide redundant capabilities and ensure that greater access control is provided for company facilities.
5.4.1.3. Traffic Flow for Entry. Personnel entering the facility should be directed into the reception area through either physical barriers or entry design in order to ensure that staff has visibility over all personnel entering the building.
5.4.1.4. Additional Exterior Entry. In order to limit access into the facility, staff should ensure that all other doors that allow entry into the facility are locked to prevent outside access. In the event that it is necessary to have multiple entries unlocked, there should be a method to monitor these access points (either in the form of staff or other physical security measure).
5.4.2. Employee Entry and Monitoring
5.4.2.1. Personal Identification. All employees should have an identification badge and ensure that it is worn above the waist, in plain view. Identification badges will typically have, at a minimum, the individual’s picture, name, and position title.
5.4.3. Visitor entry and monitoring system should be detailed. Some items to consider include:
5.4.3.1. The authorization process for visitors should be specified. This process ensures that everyone entering the facility has the necessary authorization and can be validated by an employee.
5.4.3.2. Visitor Badges. All visitors shall be provided with a distinctive visitor badge. This badge should be worn at all times, on the upper part of the body.
5.4.3.3. Visitor ID Accountability System should typically include a sign-in/sign-out log and a system to ensure accountability over any visitors within the facility.
5.4.3.4. Special Event Considerations should be specified to ensure that during any special event within your organization’s facility, staff can continue to maintain control over all visitors and guests.
5.4.4. Vehicle Control and Parking should include considerations for both staff and visitors. Any specific parking plans, designated visitor parking slots, or other details specific to your organization should be included in this section.
5.4.5. Material Control covers any deliveries of items to your organization in order to safeguard against the delivery of contraband or dangerous items into your organization’s facility.
5.4.5.1. Any contractors with material deliveries should follow your organization’s visitor access procedures, which were detailed earlier for initial building access.
5.4.5.2. Deliveries should be monitored by a staff member at all times until the safety of the items can be ascertained.
5.4.5.3. Material deliveries should be kept segregated from employees until the contents have been verified as expected and safe by a staff member.
5.4.6. Interior Protection covers physical security areas inside the actual building.
5.4.6.1. Interior lighting provides for work, visibility to critical resources, and safety. There are several considerations that should be included into interior lighting systems, such as back-up power supplies, emergency lighting, and tamper-proof interior lighting systems.
5.4.6.2. Interior doors should be reinforced and hung with the hinges (and hinge pins) on the secured side of the door, so that the pins cannot be removed from outside the room.
5.4.6.3. Secure storage provides high-security storage of critical resources.
5.4.6.4. A key control system within your organization should be developed and strictly adhered to for positive control of all facility keys. This system should ensure that all keys can be accounted for by either the individual it has been issued to or the location where each facility key is stored.
5.5. Medical Response and Mental Health Considerations.
5.5.1. Medical Response. Review training and staffing of any organizational medical personnel for emergency medical response to safety and security incidents.
5.5.2. Mental Health Services. Review procedures for mobilizing mental health services for visitors and staff in the event of a crisis, and plan in advance.
5.6. Communications
5.6.1. Office and work areas shall have intercoms with direct connection to the reception area.
5.6.2. The organization shall ensure that all members of the Emergency Response Team have emergency communications. Radios are highly recommended for this use, as cell phone usage may be extremely limited in the event of an actual emergency.

3.1.6. Information Security

This section discusses the requirements to provide for security of your organization’s information systems. Information security deals with the protection of electronic and hard-copies of critical information within your organization. Chapter 7 covers the specific details necessary to implement an information security program; however, the safety and security plan should include the following information:
6. Information Security
6.1. Introduction. This section of the plan discusses requirements necessary to protect your organization’s information while providing for the three pillars of information security: confidentiality, integrity, and availability.
6.2. Server Security. This section discusses specific information security measures to protect information stored on servers within your organization.
6.2.1. Physical Security of Server Areas. This section should specify the level of physical protection required for these areas, such as reinforced doors, locks, alarms, and access control measures.
6.2.2. Access to Servers. This section should discuss what job positions will typically be provided physical access to the server areas and the processes used to allow access to the information stored within the servers. This should include authentication procedures, password requirements, and other issues relating to the access of server information.
6.2.3. Software Maintenance and Updates. This section should designate the authorized individuals to maintain, update, and upload software to your servers.
6.3. Work Station Security.
6.3.1. Organizational Requirements for Employees. This section should discuss any specific requirements within your organization that employees should adhere to when using company work stations. This can include positioning monitors to minimize visual access, locking the system when not at their workspace or when not in use, securely storing portable equipment and storage devices, and other pertinent company procedures.
6.3.2. Username and Password Requirements. This section should detail your organization’s specific username and password requirements, such as how many and what type of characters constitute legal passwords.
6.3.3. Hardware Requirements. If your organization desires computers to be of a specific design or capability, this section should address these requirements, along with the desired time frame to replace older systems and the maximum age of systems that should be in use within your organization, as necessary.
6.3.4. Software Requirements. This section should discuss your organization’s requirements in regards to allowable software loaded on employee workstations. Areas that should be discussed include who can update and upload software applications on individual work stations, what are the minimum software applications for employee work stations, and your organization’s process for employees to request new software applications necessary to accomplish their duties.
6.4. Network Security. This section discusses requirements to maintain the confidentiality, integrity, and availability of your organization’s information systems. This section should include encryption (although this area can also be discussed within the paragraph on communications security) and methods to ensure secure remote-user communications.
6.5. Firewalls. This section should designate the responsible individuals to maintain and check firewalls within your organization’s information systems, along with the methodology and type of firewalls to be used, and actions in the event of a security incident.
6.6. Website/Internet Security. This section will discuss any aspects of security necessary to protect your own company’s Website and access to the internet.
6.6.1. Website Security. This section should formally designate the individual (or individuals) responsible for maintaining and monitoring your organization’s website. This section should also discuss methods to protect your website from internal and external attackers, along with processes to periodically check the integrity of the website (for example, comparing the files in the site’s document root against a known-good baseline).
6.6.2. Internet Security. This section differs from website security, in that it is focused more on employees’ access to the internet and methods for individuals to securely download information without compromising your own organization’s information systems.
6.7. Communications Security
6.7.1. Encryption Requirements. This section should detail what type of encryption is to be used within your organization. Encryption affects security across many other areas, to include individual work stations, your company network, websites and the internet, and the transmission of information across email and other communications systems.
6.7.2. Remote User Communications should discuss the methods your organization uses to secure the ability for employees to work from home or other locations outside your company’s facility.
6.8. Actions in the Event of Data Compromise. This section should not only detail actions after an event, but also include security measures to preclude such an event from occurring. These measures can include redundancies in your organization’s information systems and back-up storage.
6.9. Securing Applications. This section should cover any additional information security measures not already discussed in previous sections.
6.10. Attacks. This section looks at specific attacks and actions to preclude or hinder these attacks from occurring. We look at many of these attacks in Chapter 7, so we will only list a few potential attacks and not go into detail on each method of protection.
6.10.1. Viruses and Trojan Horses. A virus is malicious code that attaches itself to legitimate programs or files and copies itself to other hosts; a Trojan horse is malicious code disguised as, or hidden inside, software the user intends to run. Either can be used to disrupt the affected computers or to give an attacker control over them and access to the information they hold.
6.10.2. Denial of Service occurs when an attacker makes a system or service unavailable to its legitimate users, either by flooding it with more traffic or requests than it can handle or by exploiting a flaw that causes it to crash or hang.
6.10.3. Theft of Information can involve either physical theft (copying the information onto discs or portable drives, or removing the media themselves) or remote compromise of an organization’s information system.
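Paragraph 6.6.1 above calls for a process to periodically check the integrity of the website. The following is an added example, not code from the chapter, of the simplest form such a check takes: record a SHA-256 digest of every file under the site’s document root as a baseline, then re-scan and report files that were added, removed, or modified. The web root, file names and the tampering performed in `demo()` are all constructed for the illustration.

```python
"""Added example: baseline-and-compare integrity check for a website's document root."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return the added, removed and modified paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest, path):
    """Persist the baseline; store it somewhere the web server cannot write to."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed demo: baseline a tiny web root, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>Welcome</body></html>")
        with open(os.path.join(root, "js", "app.js"), "w") as f:
            f.write("console.log('app');")
        baseline = build_manifest(root)

        # Simulated tampering: defaced page, injected script, deleted file.
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>Defaced</body></html>")
        with open(os.path.join(root, "js", "miner.js"), "w") as f:
            f.write("/* unexpected file */")
        os.remove(os.path.join(root, "js", "app.js"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline after each authorized deployment and the comparison on a schedule (for example from cron), and keep the stored baseline on a host or path the web server’s account cannot modify; a baseline an attacker can overwrite along with the site tells you nothing. Legitimately dynamic content (logs, upload directories) should be excluded from the scan or it will generate noise on every run.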

3.1.7. Personnel Security

This section discusses the personnel security requirements within your organization. Many organizations may choose to include these requirements within their human resources plans and procedures rather than within their safety and security plan. Regardless of where these requirements are dictated, the paragraphs listed below provide an overview of the minimum items that should be included. Chapter 8 covers the specific details of personnel security, which ensures that all hiring and retention actions across your organization take into account employee traits and help to determine that these are aligned with your company’s interests.
7. Personnel Security
7.1. Introduction. This section of the plan discusses requirements that help to determine an individual’s character traits and the process to ensure that they integrate with that of your organization. Personnel security involves three primary steps: conducting pre-employment screening, investigating current employees suspected of violating rules and regulations, and protecting employees from discriminatory hiring or termination.
7.2. Pre-Employment Screening. This section discusses the processes necessary to accomplish a consistent pre-employment screening process for all potential employees.
7.2.1. Desired Organizational Traits in Prospective Employees. Chapter 8 provides the process to help your organization identify these traits. This section within your plan should formally list the desired traits that your organization wishes to emphasize and look for in your employees.
7.2.2. Methods to Measure Prospective Employee’s Character Traits. This section identifies various methods within your organization used to determine how well a potential candidate matches the desired character traits listed in the previous paragraph.
7.2.2.1. Employment Application Form. A copy of your organizational application form should be included in the plan.
7.2.2.2. Candidate Interview. Any specific processes, questions, or techniques your organization wishes to consistently use during candidate interviews should be included within this section.
7.2.2.3. Background Investigation. This section lists the responsible individual (or office) that conducts background investigations. Any specific information that supervisors should be on the lookout for as a result of this investigation should be discussed in this section.
7.2.3. Compiling Information on Prospective Employees. This section should discuss any specific information that supervisors should pay particular attention to, and methods that the organization wishes to consolidate from a candidate’s employment application, interview, and background investigation.
7.2.4. Hiring Decision Methodology. This section should detail any specific instructions on how your organization wants to determine who it should hire. This methodology may include scoring processes to determine interviewees or the final selection, procedures for hiring individuals, individuals authorized to conduct hiring, or other specific processes within your organization.
7.3. Employee Investigations. This section discusses the procedures for investigating employees suspected of violating your company’s rules or regulations.
7.3.1. Designation of Authorized Investigators. Within Chapter 8, we discuss the need to establish a small group of individuals who will conduct investigations within your organization. This section should designate these individuals and the process for supervisors to contact them in order to initiate an investigation.
7.3.1.1. Qualifications and Requirements of Authorized Investigators. If any specific qualifications or training is necessary for your organization’s designated investigators, they should be listed within this section.
7.3.2. Requirements and Procedures to Initiate an Investigation. This section should detail any specific requirements within your organization for an individual to initiate an investigation. Some issues to consider can include:
• Who can initiate an investigation—can it be anyone, or does it have to be a certain level of supervisor or manager?
• Does your organization require a minimum burden of proof prior to the start of an investigation?
• If the complaint involves harassment or discrimination, federal and state laws require that an investigation be conducted.
7.3.3. Employee Rights. This section should detail the rights of employees who are either the subject of the investigation or in the role of an eyewitness. This section can vary from organization to organization, based upon your specific employee or union agreements.
7.3.4. Conduct of an Investigation. This section discusses the various aspects that should be considered over the course of an investigation and can include the following issues:
7.3.4.1. Evidence Handling. Discussion of the methods to preserve the chain of custody and where evidence should be stored.
7.3.4.2. Employee Interviews. Who can and should be present during the interview?
7.3.4.3. Investigation Result and Report. Who receives copies of the investigation report and makes final determination?

3.1.8. Emergency Response

This section covers emergency response actions within your organization. This area is a vital part of your organization’s safety and security plan, since preplanning and preparation to potential emergency incidents will increase your ability to respond and minimize their impact. Specific details regarding emergency response and crisis action are contained in Chapter 9; however, this section of your safety and security plan should include the following paragraphs:
8. Emergency Response
8.1. Introduction. Directing your organization’s response during an emergency situation is one of the most demanding actions any executive would need to take. This section of the plan provides tools and checklists that ensure your organization is fully prepared to appropriately respond to an incident. There are four primary areas that ensure this appropriate response: mitigations, preparedness, response, and recovery.
8.2. Mitigations are efforts taken prior to an incident in order to lessen its impact. Many of these efforts include the implementation of physical, information, and personnel security measures based upon your organization’s risk assessment and available resources.
8.3. Preparedness provides your organization’s staff with tools to prepare for response and recovery requirements.
8.3.1. Command and Control. This section delineates the chain of command during an emergency incident. It should also detail the various roles and responsibilities of each individual necessary to accomplish tasks during an emergency. This team should mirror the Emergency Response Team that will be discussed in the next section of the plan.
8.3.2. Communications. This section should specify the procedures to notify leadership of an actual situation, the equipment necessary to allow your staff to talk to one other during an emergency, and the limitations and capabilities of your organization’s communications system.
8.3.3. Collection and Distribution of Resources. This section identifies available resources and designates where they should be located.
8.4. Response includes the activities necessary to address situations as they arise over the course of an actual emergency.
8.4.1. Command and Management of Emergency Operations. This section should provide instructions and procedures that determine where the Emergency Response Team will operate during an incident and how this information will be communicated to members.
8.4.2. Fire Management and Facility Evacuation Operations. This section should include information obtained from your local fire department, the designation of specific personnel who would assist with evacuation, evacuation procedures, and shelter-in-place procedures specific to your organization.
8.4.3. Traffic Control Operations. This section should designate personnel responsible to maintain crowd and traffic control, both within your company’s facility and on the grounds. Coordination with local law enforcement in the development of this paragraph is necessary.
8.4.4. Emergency Medical Operations. This section should provide for the treatment of injured personnel and, if necessary, assistance to coroner operations.
8.4.5. Staff Care and Shelter Operations. The primary focus of this section is to specify your organization’s process to accomplish accountability of all employees. This should include designation of the overall point of contact to consolidate the information, responsible individuals who must account for employees in individual sections or teams, and the process to filter this information up to the Emergency Response Team. In addition to the accountability of your personnel, this section should also discuss the process to provide for basic human needs of your organization’s staff, such as lodging, food, and child care.
8.4.6. Facility Management and Plant Operations. This area covers any temporary purchase or construction necessary to relocate your organization, in order to maintain operations during the course of the emergency (should this be necessary).
8.4.7. Internal Rescue Operations. If the emergency extends beyond your organization, outside emergency response personnel may be overwhelmed and unable to accomplish rescue operations in a timely manner. This section identifies teams and processes to accomplish the rescue, care, and safe removal of employees, should this be necessary.
8.4.8. Emergency Response Checklists. Your organization should develop checklists for some of the significant emergencies that could occur in your area. Checklists help people accomplish all the necessary tasks—even when they may not be thinking clearly—to ensure that damage and personal injury are minimized. It is advisable to limit the number of checklists and provide them as a separate booklet to responsible individuals. Some of the areas that should be covered by a checklist include:
8.4.8.1. Active Shooter
8.4.8.2. Hostage Situation
8.4.8.3. Bomb Threat
8.4.8.4. Bomb or Suspicious Package
8.4.8.5. Felony Criminal Activities
8.4.8.6. Biological/Chemical Threats
A draft checklist is included in Figure 3.1 to show a typical format and tasks that should be included.
8.5. Recovery occurs after an emergency has occurred and includes necessary actions to return your organization to full, pre-incident operations.
8.5.1. Damage Assessment. This area details how initial damage assessment estimates will be accomplished. It should include the responsible individuals to accomplish this task, along with the process to collect data and schedule items necessary to obtain information. This area should also include information on where to obtain detailed inventories and surveys of your company’s facility so that they can baseline this effort.
FIGURE 3.1 Draft emergency response checklist.
8.5.2. Clean-Up and Salvage Operations. This effort oversees cleanup and decontamination.
8.5.3. Business Restoration. This section covers the processes necessary to bring your business back online after an emergency situation has occurred.
8.5.4. Customer and Client Information. This area focuses on the responsible individual or office that maintains all customer and client information. This section should also include procedures to provide the public and your customers with accurate information regarding any changes in service hours, location, or procedures.
8.5.5. Mutual Aid and Agreement Activities. This section determines what outside agencies can provide assistance and attempts to obtain support from these agencies.

3.1.9. Security Teams

To effectively manage security, it is desirable to assign responsibilities to various groups of individuals. Some of the teams listed below can be merged with business continuity teams (if your organization has a business continuity plan) or, within smaller organizations, many of these teams may be combined with one another. In any case, each team should be aware of their roles and responsibilities, what they need to accomplish in order to prepare for a safety or security incident, know their specific objectives in the event of an incident, and what should be done at the conclusion of the incident.
9. Security Teams
9.1. Introduction. The individual ultimately responsible for your organization’s safety and security program is the overall leader within the company. To assist this individual in the implementation of various initiatives and projects, along with oversight and day-to-day management of the safety and security program, the following teams should be formed. Within each section, the following paragraphs should be included (they are not shown within each team section for brevity):
9.1.1. Responsibilities of each respective team should be discussed.
9.1.2. Membership should be specifically designated.
9.1.3. Preparation Tasks should be included.
9.2. Security Management Team. This team oversees all aspects of security within your organization, such as top-level guidance on security planning and response, communication to employees and local media (as appropriate), and direction regarding the level of response to individual incidents.
9.3. Safety and Security Plan Development Team. This team reviews, maintains, and updates your organization’s safety and security Plan. This section should include the frequency of formal reviews of the plan (normally conducted at a minimum of once each year).
9.4. Exercise Management Team. This team conducts security-based exercises and reports identified areas for improvement to the Plan Development Team for their consideration in updating your organization’s safety and security plan.
9.5. Safety and Security Team. This team checks your organization’s physical, information, and personnel security measures against the requirements contained in the safety and security plan and reports any discrepancies, along with any identified vulnerabilities, to the Security Management Team.
9.6. Emergency Response Team. This team is responsible to prepare for and react to any actual emergency incidents.

3.1.10. Safety and Security Training and Exercises

To ensure that your organization’s safety and security program is effective, the people who will execute the procedures must be trained and periodically exercised in order to ensure that the overall plan can be successfully put into action. A plan that only exists on the shelf in a binder, or on a hard drive on a server, is not one that will be successfully put into practice when the need arises. Chapter 10 provides specific details on how to conduct training and exercises within your organization. However, for the purposes of your plan, this section describes the various methods by which the plan will be implemented amongst your employees through training, along with testing and exercising that will ensure the plan improves over time and produces a living document.
10. Safety and Security Training and Exercises
10.1. Introduction. Employees who will execute the organization’s safety and security program must be trained for successful response actions. Furthermore, exercises and simulations must be conducted in order to ensure personnel understand their actions and that the current procedures minimize damage and injury within your organization.
10.2. Security Awareness Training. Security Awareness is the knowledge and attitude employees possess regarding the protection of critical resources of the organization. This training should be conducted with all newly-hired employees and conducted on an annual basis for refresher training to all employees. Security Awareness Training Topics can include, but not be limited to:
10.2.1. Sensitive or valuable material and resources that they may come in contact with.
10.2.2. Employee responsibilities for handling sensitive information.
10.2.3. Workplace security, including building access, wearing of security/visitor badges, reporting of incidents, forbidden articles, etc.
10.2.4. Consequences of the failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties.
10.3. Emergency Response Training. Employee actions to an emergency situation are critical in mitigating and minimizing damage and injury within the organization. This training can be conducted through review of emergency response checklists, conducting exercises, or formal classroom training. The following areas can be included in periodic emergency response training:
10.3.1. Specific emergency response procedures for any potential incident. This can include active shooter, bomb threat, locating a suspicious package, natural disasters, medical emergencies, or other incidents.
10.3.2. Evacuation and shelter-in-place procedures, along with training on when to use one or the other.
10.3.3. Notification procedures in the event of an actual emergency situation.
10.4. Types of Safety and Security Exercises. There are two primary types of exercises: simulations and full-scale exercises. This section will discuss processes to accomplish either type of exercise.
10.4.1. Simulation (or Table-Top) Exercises can be conducted either as a discussion with staff on a specific type of incident and the necessary response actions, or as a table-top exercise, which is a more detailed simulation that covers every step that must be accomplished by individual staff members. Development of these types of exercises includes:
10.4.1.1. Scenario Development and Exercise Scope. The first step in the development of any exercise is to determine the scenario, along with the exercise goals and objectives. Because the scope of a simulation is limited, the Exercise Management Team must decide upon the specific actions they wish to evaluate and tailor the exercise scenario accordingly.
10.4.1.2. Establish a time and meeting location for the simulation. All that is needed is an adequate conference room for all of the exercise participants and the exercise moderator.
10.4.1.3. Conduct the exercise simulation through the use of discussion and review of the applicable emergency response checklists.
10.4.1.4. Conduct an exercise hot-wash and note any identified areas for improvement within your organizational safety and security plan.
10.4.1.5. Report any areas for improvement to the Plan Development Team.
10.4.2. A full-scale exercise is much more involved, as it requires significant planning and coordination with employees and other affected agencies; however, it results in better education and training, greater clarity to identify areas for improvement, and a higher level of experience to be gained by your organization’s staff. Development of a full-scale exercise should follow this process:
10.4.2.1. Scenario Development and Exercise Scope. Again, the first step in the development of any exercise is to determine the scenario and exercise goals and objectives.
10.4.2.2. Identify an Exercise Director.
10.4.2.3. Establish a time and location for the exercise (e.g., does the exercise affect only one work area, a single facility, or the entire organization?).
10.4.2.4. Coordinate exercise details with affected stakeholders. Parties to consider in the notification include employees, any tenants or customers who will be on site, and any affected outside agencies (e.g., local law enforcement, fire department, civil response agencies, local government, and your organization’s board of directors).
10.4.2.5. Develop an exercise timeline that includes exercise inputs and expected actions by participants.
10.4.2.6. Determine the number of evaluators and identify each individual. The exercise will require a sufficient number of evaluators to oversee all aspects of the exercise and ensure that they can control the scenario as necessary. During the course of the exercise, all evaluators will ensure that they take notes of all items they see within their evaluation area.
10.4.2.7. Determine the number of role–players and obtain volunteers to act in each specific role required.
10.4.2.8. Notify all affected stakeholders prior to the exercise initiation.
10.4.2.9. Conduct the exercise.
10.4.2.10. Conduct an exercise hot-wash with all evaluators and participants immediately following the conclusion of the exercise.
10.4.2.11. Develop a formal exercise report and note any identified areas for improvement and superior performers.
10.4.2.12. Provide the formal exercise report to the Plan Development Team for incorporation of any identified areas for improvement into the Safety and Security Plan.
10.5. Frequency of Exercises. This section should discuss how often your organization should conduct safety and security exercises.
10.5.1. It is recommended that simulation exercises be conducted once every 6 months.
10.5.2. It is recommended that your organization conduct a full-scale exercise once every 2 years.

3.1.11. Safety and Security Plan Maintenance and Audits

To ensure that the safety and security plan continues to meet your organization’s needs, it needs to be maintained and periodically audited. This section discusses these requirements.
11. Safety and Security Plan Maintenance and Audits
11.1. Introduction. In order to continue to meet your organization’s needs, the safety and security plan should be maintained and periodically audited. This process ensures that the actions detailed in the plan are being taken, and that the plan meets its intent and original requirements.
11.2. Safety and Security Plan Maintenance. The Safety and Security Plan Development Team is the primary group that ensures the plan is maintained and kept up-to-date. The team should develop processes to identify areas of concern and shortfalls within the plan, along with methods to identify and implement corrective actions. Some of the methods to identify areas of concern may include:
11.2.1. Findings and results from exercises.
11.2.2. Issues and concerns brought about by employees.
11.2.3. Emerging technologies that result in new threats and vulnerabilities to the organization.
11.3. Audits. The Safety and Security Plan Development Team is also responsible for developing audit procedures for the plan. Some items that should be considered include methods to prioritize vulnerabilities and solutions, resourcing experts to assist in plan development, copies of the plan, and storage of documentation.

3.1.12. Appendices

There is a lot of information that is useful to the plan, but may not necessarily form a part of the document itself. This information should be included as part of any appendices and may include the following areas:
12. Appendices
12.1. Security Terms. This section can include glossaries of physical-, information-, and personnel security terms specifically tailored to your organization.
12.2. Passwords. This section can include specific instructions inherent to your organization in regard to username and password development.
12.3. Other Policies not included elsewhere in the document but necessary to the safety and security program within your organization.
12.4. Forms that are part of your organization’s safety and security program.

3.1.13. Summary of Safety and Security Plan and Procedures

Formal documentation is necessary to ensure that your organization’s safety and security program meets your needs. The preceding sections have described what items should be included and in many cases, provided verbiage to ensure you can get a head-start on your organization’s plan. Again, it is necessary to emphasize that much of this verbiage will only get you started—it will be necessary to tailor much of the document to your specific needs and requirements, either through further research or with the assistance of a security expert. Nonetheless, this section should provide you with a foundation to begin establishing a viable and effective safety and security program.

3.2. Risk Assessment

Developing a risk assessment for your organization is probably the best starting point when you are looking either to start an organizational safety and security program or to revise your current plans. This is because a risk assessment helps to identify all the potential threats and vulnerabilities that could affect your business and facility. It also provides you with a prioritization of which threats and vulnerabilities are most critical, which will ultimately enable you to determine which security measures to focus your resources on immediately. Since no one ever has enough time to accomplish all that is necessary in a given business day—particularly if you are trying to develop a safety and security program in addition to your other duties—this priority can help you identify which individual tasks should be accomplished immediately and which areas can be addressed later on. This gives you a solid basis for developing and initiating an organizational safety and security program incrementally, rather than overwhelming you and your employees by trying to develop an entire program all at once. Additionally, this priority will provide you with better information on where best to spend the limited money and resources you have allocated for the safety and security program.
There are several different methods to accomplish a risk assessment, including a hazard and operability analysis (HAZOP), Fault Tree Analysis, or a Risk Assessment Matrix. The Hazard and Operability Analysis is a bottom-up method to identify potential hazards in a system and help to identify operability problems that can create the event [1]. Fault Tree Analysis examines the system from the top down and investigates potential faults in order to identify the possible causes [2]. A Risk Assessment Matrix is also a bottom-up method; however, it differs from a HAZOP in that it looks at potential threats and prioritizes these based upon their probability and impact to a specific organization or facility. With respect to safety and security concerns, the best method to use is the Risk Assessment Matrix, since many other risk assessment methods provide better information once an incident has occurred in order to ensure the event is not repeated—this is not acceptable in the case of many catastrophic safety or security incidents, such as an active shooter emergency or a significant loss of an organization’s critical resources. With this in mind, we will show you a step-by-step process to develop a Risk Assessment Matrix over the next several sections.

3.2.1. Step 1—Determining the Probability of Threats and Vulnerabilities

There are a large number of potential threats and vulnerabilities that can occur to businesses operating within the United States. Table 3.1 shows a fairly comprehensive list of these possible threats, in order to provide you with a starting point to identify all the possible threats and vulnerabilities against your particular organization.

Table 3.1

Potential Threats and Vulnerabilities to Businesses

| Absenteeism | Explosions | Major Accidents | Structural Collapse |
| Active shooter | Fire | Malicious, willful, or negligent personal conduct | Terrorist threats/Threats of violence |
| Alcoholism | Forgery | Medical emergencies | Theft and burglary |
| Biological/Chemical threats | Fraud | Misrepresentation | Traffic accidents |
| Bombs, bomb threat, suspicious packages | Gambling | Natural disasters | Unauthorized visitor |
| Car theft | Gang activity | Pilferage | Vandalism |
| Computer crimes | Homicide | Protest activity | Vehicle-borne explosives |
| Disgruntled employees | Hostage situation | Records manipulation | Violent/Uncooperative visitor |
| Disruption or downtime to information systems | Illegal drugs (selling or possession) | Sexual harassment | Workplace violence |
| Embezzlement | Improper maintenance | Staff narcotics and drug use | |

Once you have identified all the potential threats and vulnerabilities that could occur to your organization, the next step in developing your organization’s Risk Assessment Matrix is to determine the probability of occurrence for each of these incidents. Much of the probability depends upon the location your business operates in. For example, if you operate in a large metropolitan area with high crime rates, the probability for theft, burglary, and other felony crime will be much greater than if your business is located in a rural area far from any major population center.
Although identifying an exact probability for each type of incident may sound daunting, it is not necessary to accomplish such an exhaustive research project to do this. Instead, determining the probability of each incident can be fairly subjective, based on the crime rates and societal factors within your specific region of operations. Thus, identifying each probability can be simply a matter of designating a number between one and 10 (one being that the incident is improbable of occurring and 10 being that the incident could frequently occur). This identification of each individual probability can be accomplished by coordinating with local law enforcement, having one individual within your organization develop the numbers, surveying several employees within your organization on their assessment of the various probabilities, or a combination of these methods. Once you have determined the probability of occurrence for each potential threat and vulnerability, you have a completed list for your organization. To better illustrate the overall process of developing the Risk Assessment Matrix, we will use a make-believe business (XYZ Corporation) throughout this section. In Table 3.2, we have identified the probabilities of the various threats and vulnerabilities that could potentially occur against XYZ Corporation.

Table 3.2

Example Worksheet of Designated Probabilities

| Potential Threat/Vulnerability | Probability |
|---|---|
| Absenteeism | 9 |
| Active shooter | 1 |
| Alcoholism | 6 |
| Biological/Chemical threats | 3 |
| Bombs, bomb threat, suspicious packages | 3 |
| Car theft | 4 |
| Computer crimes | 5 |
| Disgruntled employees | 2 |
| Disruption or downtime to information systems | 3 |
| Embezzlement | 2 |
| Explosions | 1 |
| Fire | 1 |
| Forgery | 3 |
| Fraud | 3 |
| Gambling | 6 |
| Gang activity | 3 |
| Homicide | 1 |
| Hostage situation | 1 |
| Illegal drugs (selling or possession) | 3 |
| Improper maintenance | 6 |
| Major accidents | 5 |
| Malicious, willful, or negligent personal conduct | 4 |
| Medical emergencies | 8 |
| Misrepresentation | 5 |
| Natural disasters | 5 |
| Pilferage | 4 |
| Protest activity | 2 |
| Records manipulation | 4 |
| Sexual harassment | 5 |
| Staff narcotics and drug use | 3 |
| Structural collapse | 2 |
| Terrorist threats/Threats of violence | 2 |
| Theft and burglary | 4 |
| Traffic accidents | 7 |
| Unauthorized visitor | 8 |
| Vandalism | 4 |
| Vehicle-borne explosives | 2 |
| Violent/Uncooperative visitor | 5 |
| Workplace violence | 6 |

Now that we have determined the probability of the various threats and vulnerabilities, the next step is to determine the severity of that incident, should it occur.

3.2.2. Step 2—Determining the Severity of Threats and Vulnerabilities

This step is similar to the determination of the probability; however, in this case you will be designating a number between one and 10 based on the severity should that particular incident actually occur. One designates an incident that would cause negligible results within your organization, and 10 an incident that would create catastrophic repercussions for your business. It should be noted that although none of the potential threats and vulnerabilities are desired, this severity should focus on their outcome for the health of your business and organization. For example, the severity of chronic absenteeism from one employee is much less than the severity of a hostage situation within your facility. This determination should capture the severity to the health of your business and employees for every threat and vulnerability on the list, even those that are improbable.
Again, to illustrate using an example we have included Table 3.3, which provides numbers for the severity of each of the potential threats and vulnerabilities that could occur within XYZ Corporation.

3.2.3. Step 3—Combining Probability and Severity of Threats and Vulnerabilities

The next step is to consolidate the information from the various probabilities and severities you have designated for your specific organization into one table. This process is very straightforward in that you simply place all the values into one table and determine the product of the probability and severity for each threat and vulnerability. Table 3.4 shows how this is accomplished for XYZ Corporation with our example numbers.

Table 3.3

Example Worksheet of Designated Severities

| Potential Threat/Vulnerability | Severity |
|---|---|
| Absenteeism | 6 |
| Active shooter | 10 |
| Alcoholism | 4 |
| Biological/Chemical threats | 8 |
| Bombs, bomb threat, suspicious packages | 8 |
| Car theft | 2 |
| Computer crimes | 6 |
| Disgruntled employees | 4 |
| Disruption or downtime to information systems | 7 |
| Embezzlement | 8 |
| Explosions | 9 |
| Fire | 10 |
| Forgery | 6 |
| Fraud | 6 |
| Gambling | 4 |
| Gang activity | 3 |
| Homicide | 10 |
| Hostage situation | 10 |
| Illegal drugs (selling or possession) | 6 |
| Improper maintenance | 4 |
| Major accidents | 5 |
| Malicious, willful, or negligent personal conduct | 2 |
| Medical emergencies | 2 |
| Misrepresentation | 2 |
| Natural disasters | 8 |
| Pilferage | 5 |
| Protest activity | 1 |
| Records manipulation | 4 |
| Sexual harassment | 6 |
| Staff narcotics and drug use | 6 |
| Structural collapse | 8 |
| Terrorist threats/threats of violence | 7 |
| Theft and burglary | 6 |
| Traffic accidents | 2 |
| Unauthorized visitor | 2 |
| Vandalism | 2 |
| Vehicle-borne explosives | 10 |
| Violent/uncooperative visitor | 4 |
| Workplace violence | 6 |

Table 3.4

Example Worksheet of Combined Probabilities and Severities

| Potential Threat/Vulnerability | Probability | Severity | Product |
|---|---|---|---|
| Absenteeism | 9 | 6 | 54 |
| Natural disasters | 5 | 8 | 40 |
| Workplace violence | 6 | 6 | 36 |
| Computer crimes | 5 | 6 | 30 |
| Sexual harassment | 5 | 6 | 30 |
| Major accidents | 5 | 5 | 25 |
| Alcoholism | 6 | 4 | 24 |
| Gambling | 6 | 4 | 24 |
| Improper maintenance | 6 | 4 | 24 |
| Theft and burglary | 4 | 6 | 24 |
| Active shooter | 1 | 10 | 10 |
| Biological/Chemical threats | 3 | 8 | 24 |
| Bombs, bomb threat, suspicious packages | 3 | 8 | 24 |
| Disruption or downtime to information systems | 3 | 7 | 21 |
| Violent/Uncooperative visitor | 5 | 4 | 20 |
| Pilferage | 4 | 5 | 20 |
| Vehicle-borne explosives | 2 | 10 | 20 |
| Forgery | 3 | 6 | 18 |
| Fraud | 3 | 6 | 18 |
| Illegal drugs (selling or possession) | 3 | 6 | 18 |
| Staff narcotics and drug use | 3 | 6 | 18 |
| Medical emergencies | 8 | 2 | 16 |
| Unauthorized visitor | 8 | 2 | 16 |
| Records manipulation | 4 | 4 | 16 |
| Embezzlement | 2 | 8 | 16 |
| Structural collapse | 2 | 8 | 16 |
| Traffic accidents | 7 | 2 | 14 |
| Terrorist threats/threats of violence | 2 | 7 | 14 |
| Misrepresentation | 5 | 2 | 10 |
| Fire | 1 | 10 | 10 |
| Homicide | 1 | 10 | 10 |
| Hostage situation | 1 | 10 | 10 |
| Gang activity | 3 | 3 | 9 |
| Explosions | 1 | 9 | 9 |
| Car theft | 4 | 2 | 8 |
| Malicious, willful, or negligent personal conduct | 4 | 2 | 8 |
| Vandalism | 4 | 2 | 8 |
| Disgruntled employees | 2 | 4 | 8 |
| Protest activity | 2 | 1 | 2 |

The last column, entitled Product, is obtained by multiplying each incident’s probability and severity. This number is used to rank-order each threat and vulnerability for your particular organization. In our example numbers, the highest ranked incident is absenteeism and the lowest is protest activity. The products of the probability and severity are the primary data used to produce an organizational Risk Assessment Matrix.

3.2.4. Step 4—Development of the Risk Assessment Matrix

The final step is to consolidate all this information into an easy-to-understand format. Although the rank order within Table 3.4 is what will likely be used to determine your priorities within the safety and security program, it may be necessary to provide this information in a format more suitable to presentations, one that better highlights the significant threats and vulnerabilities posing the greatest risk to your organization. This can be done through the use of a Risk Assessment Matrix, which shows all the potential threats and vulnerabilities based upon their combined probabilities versus severities. A Risk Assessment Matrix is typically color-coded for easier identification and improved presentation; the highest-risk incidents are shown in red and located in the upper left-hand corner of the matrix. As one moves toward the lower right-hand corner of the matrix, the incidents carry progressively lower risk and the color moves toward green, which identifies the incidents with the lowest risk for that particular organization. Figure 3.2 shows a generic Risk Assessment Matrix for illustration of this explanation.
In order to accomplish the actual Risk Assessment Matrix with our example data for XYZ Corporation, it is best to start with the highest and lowest values and then fill in the matrix as you work between both extremes. In our example, the highest risk is absenteeism and the lowest is protest activity, so these items will be placed into the upper left-hand and lower right-hand corner, respectively. We will then work back and forth between our remaining high and low risks trying to match their number values for product, probability, and severity until the matrix is complete. The final Risk Assessment Matrix using our example values is shown in Figure 3.3.
Please note that the placement of many of the potential threats and vulnerabilities within the matrix may not align perfectly with their respective probability and severity, as an item’s placement in relation to the other potential risks is more important than trying to place each incident’s probability and severity against their specific number. As a result, the placement of many risks will likely be somewhat subjective–particularly when comparing incidents with similar risk values; however, the important aspect to remember is how you and your senior leadership perceive each individual item’s location within the matrix and against neighboring events. As you accomplish your own organization’s Risk Assessment Matrix, you will likely find it may take several attempts until you are able to ensure the location of each incident matches your feelings when comparing the overall risks of all the incidents that were developed through the combination of both the probabilities and severities.
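The four steps above, carried through in code as an added example (this is not the chapter’s own worksheet). It scores each threat on the two 1–10 scales, rank-orders by the product, and then bins the ranked list into the red/amber/green bands of the matrix. The 39 XYZ Corporation scores are the chapter’s own from Tables 3.2–3.4; the band thresholds and the “severity floor” are assumptions made here for illustration, because the chapter places items by judgement rather than by a fixed cut-off. The floor exists for exactly the case the chapter warns about: by product alone, “Active shooter” (probability 1, severity 10, product 10) would sit beside “Car theft”, so the code never lets a severity-9-or-above item fall into green.

```python
"""Risk Assessment Matrix worksheet (added example; not part of the chapter).

Steps 1-4 of Section 3.2 in code: each threat gets a probability and a
severity on the 1-10 scales, their product rank-orders the threats, and the
ranked list is binned into the matrix's colour bands. The XYZ Corporation
scores are the chapter's own (Tables 3.2-3.4). The band thresholds and the
severity floor are assumptions made here for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int  # 1 = improbable ... 10 = could occur frequently
    severity: int     # 1 = negligible ... 10 = catastrophic

    def __post_init__(self) -> None:
        for score in (self.probability, self.severity):
            if not 1 <= score <= 10:
                raise ValueError(f"{self.name}: scores must be 1-10, got {score}")

    @property
    def product(self) -> int:
        """Step 3: probability x severity."""
        return self.probability * self.severity


# (name, probability, severity) exactly as given in the chapter's Table 3.4.
XYZ_SCORES = [
    ("Absenteeism", 9, 6), ("Natural disasters", 5, 8), ("Workplace violence", 6, 6),
    ("Computer crimes", 5, 6), ("Sexual harassment", 5, 6), ("Major accidents", 5, 5),
    ("Alcoholism", 6, 4), ("Gambling", 6, 4), ("Improper maintenance", 6, 4),
    ("Theft and burglary", 4, 6), ("Active shooter", 1, 10),
    ("Biological/Chemical threats", 3, 8), ("Bombs, bomb threat, suspicious packages", 3, 8),
    ("Disruption or downtime to information systems", 3, 7),
    ("Violent/Uncooperative visitor", 5, 4), ("Pilferage", 4, 5),
    ("Vehicle-borne explosives", 2, 10), ("Forgery", 3, 6), ("Fraud", 3, 6),
    ("Illegal drugs (selling or possession)", 3, 6), ("Staff narcotics and drug use", 3, 6),
    ("Medical emergencies", 8, 2), ("Unauthorized visitor", 8, 2),
    ("Records manipulation", 4, 4), ("Embezzlement", 2, 8), ("Structural collapse", 2, 8),
    ("Traffic accidents", 7, 2), ("Terrorist threats/Threats of violence", 2, 7),
    ("Misrepresentation", 5, 2), ("Fire", 1, 10), ("Homicide", 1, 10),
    ("Hostage situation", 1, 10), ("Gang activity", 3, 3), ("Explosions", 1, 9),
    ("Car theft", 4, 2), ("Malicious, willful, or negligent personal conduct", 4, 2),
    ("Vandalism", 4, 2), ("Disgruntled employees", 2, 4), ("Protest activity", 2, 1),
]
XYZ_THREATS = [Threat(*row) for row in XYZ_SCORES]


def rank_threats(threats):
    """Step 3: rank-order by product; ties broken by severity, then by name."""
    return sorted(threats, key=lambda t: (-t.product, -t.severity, t.name))


def risk_band(threat, thresholds=(30, 15), severity_floor=9):
    """Step 4: colour band for one threat (thresholds and floor are assumptions).

    Red/amber/green is decided by product, but any threat at or above
    severity_floor is never shown green, which keeps low-probability
    catastrophic events visible to leadership.
    """
    red_at, amber_at = thresholds
    if threat.product >= red_at:
        return "red"
    if threat.product >= amber_at or threat.severity >= severity_floor:
        return "amber"
    return "green"


def band_counts(threats, **kwargs):
    """How many threats land in each band for the given thresholds."""
    return Counter(risk_band(t, **kwargs) for t in threats)


def build_matrix(threats):
    """Cells keyed (severity, probability) -> list of threat names."""
    cells = defaultdict(list)
    for t in threats:
        cells[(t.severity, t.probability)].append(t.name)
    return cells


def count_grid(threats):
    """10x10 grid of counts: rows = severity 10..1, columns = probability 10..1,
    so the upper-left cell is the highest-risk corner as in Figure 3.2."""
    cells = build_matrix(threats)
    lines = ["sev\\prob " + "".join(f"{p:>3}" for p in range(10, 0, -1))]
    for sev in range(10, 0, -1):
        counts = "".join(f"{len(cells.get((sev, p), [])):>3}" for p in range(10, 0, -1))
        lines.append(f"{sev:>8} {counts}")
    return "\n".join(lines)


if __name__ == "__main__":
    for t in rank_threats(XYZ_THREATS):
        print(f"{t.product:>3} {risk_band(t):<5} {t.name}")
    print(count_grid(XYZ_THREATS))
```

Running it reproduces the chapter’s ordering (absenteeism first, protest activity last) and prints the count grid; the cell names from `build_matrix` are what you would carry into a presentation slide, and the grid shows at a glance where the one-probability, ten-severity events cluster in the upper-right, which the severity floor keeps out of the green band.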

3.3. Quantifying Safety and Security Initiatives

Once you have finalized your organization’s Risk Assessment Matrix, you can begin to consider what specific safety and security initiatives to implement, whether these initiatives include the purchase of security equipment, more employee training, or the development of more stringent procedures. Unfortunately, most of these initiatives require funding, so it is necessary to determine the effectiveness of these expenditures through some type of cost-benefit analysis. This can be difficult to accomplish with many safety and security initiatives, so we will look at how to quantify these possible expenditures over the course of this section.

FIGURE 3.2 Risk assessment matrix.

FIGURE 3.3 XYZ Corporation’s risk assessment matrix.

Investments in safety and security have two kinds of resultant payoffs: an improved security posture and an improved financial picture. While cost savings from improvements to an organization’s financial picture can be determined fairly exactly, it is much more difficult to determine cost savings based upon improvements to the security posture. This can make it difficult to justify any cost expenditures within the safety and security arena, even though it is necessary that all companies maintain a robust safety and security program in order to stay in business. This is because, if these security initiatives are properly doing their job, then nothing has happened—no security incident occurred, no mishap ensued, and no emergency arose. This makes it difficult to quantify any potential safety and security improvements in order to justify the costs associated with the purchase of these security initiatives. This difficulty must be overcome in order to ensure that your organization’s safety and security program keeps pace with the continually evolving threats and vulnerabilities to business. Using the rationale that “nothing has happened, and thus no security initiatives are needed” is a trap. Having adequate security measures in place and working to constantly improve your organization’s security posture are the only real methods to minimize risk and adequately mitigate potential incidents. How, then, can you determine if your organization should expend money and resources on a particular security measure? Over this section, we will cover the methods necessary to conduct a thorough cost analysis for safety and security initiatives you may be considering, so that you can better decide which security initiatives should be implemented against potential threats and concerns, and for which issues your organization should assume the risk due to the lack of any return on investment.
In order to accomplish this cost analysis, we will work through the following processes:
• Describe the project and determine the value and priority of the potential security initiative
• Calculate the costs associated with that initiative
• Determine the direct and indirect benefits of the security initiative
• Analyze the costs and benefits for that initiative
Once we have discussed each of these processes, you should be able to accomplish a cost analysis for any considered security measure and make a more informed decision on what areas to focus on within your organization’s safety and security program.

3.3.1. Fully Describe the Project and Determine its Value and Priority

The first step in being able to quantify any security initiative is to ensure that you can fully describe the project. Although the necessity to provide a project description should be obvious, it is left out of the process many times because of time constraints and the other necessary tasks. Without a full understanding and comprehension of what the project entails and what purpose it should fulfill, it is extremely difficult to accomplish a thorough cost analysis. The description of the project’s purpose should include a clear statement of the threats and vulnerabilities to be addressed, as well as the recommended solution or various options if a decision by higher management or external stakeholders is required. A complete and easy-to-understand description of the issue will set the stage to capture costs, which will be accomplished within the next step in the process.
Once you can fully describe the proposed security project, it is necessary to determine the need for the security initiative. In order to accomplish this, it’s important to address two aspects: value and priority. The value of any considered security project must consider the proposed initiative’s time, effort, and cost to decide if the project is worthwhile. Obviously, answering this question requires a general understanding of what the initiative will accomplish and why it is important to your organization; hopefully, we have been able to do this when we described the project in the initial step of this process. It is important to remember that the real value of any project’s return on investment is not determined solely by the numbers; it’s also determined by the relevance, accuracy, and completeness of the cost and benefit data captured within the analysis. Next, assuming that your organization has determined that the project is worthwhile, the priority of the project should then be decided upon. This priority is determined through the use of your organization’s Risk Assessment Matrix and rank-ordered priority listing of potential threats and vulnerabilities; development of which was discussed in the previous section.
It should be noted that although risk is a key factor in prioritizing any type of security expenditure, financial factors must also come into play. For example, there may be a planned IT project to upgrade your organization’s entire network scheduled for the near future. If it has been determined that upgrading the security of your network is a necessary project from the safety and security program perspective, it may be more beneficial to put off the network’s security upgrade and either assume some of the risks or implement some inexpensive and short-term countermeasures, so that the security upgrades to the network can be included as an incremental addition to the overall IT network project. By taking such factors into account, you can achieve better cost efficiencies while still maintaining safety and security for the organization.

3.3.2. Calculate the Costs

Once the security project has been defined with a determination of its value and priority, we are now ready to calculate the costs associated with the project. When looking at costs associated with any type of security project, it is necessary to think about costs in a broader way than one may have typically done in the past, and consider costs not only through the life cycle of the project, but also include the effects upon organizational safety and security of various options that can be considered for a potential project. One option to be considered for any security initiative should include the cost of doing nothing—or the costs associated with maintaining the status quo—in order to compare the costs of the proposed project against a baseline. This choice may seem simple since it appears to be between “spending something” and “spending nothing” (although there will normally be ongoing costs related even in maintaining the status quo). These expenditures can include indirect costs based upon the associated risks your organization must assume without the security upgrade, operational costs such as higher maintenance fees, or the cost of performing a process manually (compared to automating the process) due to the use of older equipment. Additionally, if several alternative approaches are being considered, the costs and benefits associated with each of these options should be calculated and compared. Measuring all of the project’s potential costs requires first identifying all these options and determining the financial outcomes associated with each.
Once you have identified all the various options, you will need to calculate the total cost of ownership of each potential project for the specific security initiative. This could be relatively straightforward, such as simply obtaining the purchase cost of a new item (if you are buying some minor equipment that requires little to no upkeep), or it could be very complex, such as calculating the life-cycle costs of a multilayered system (if you are looking at purchasing a system that is composed of multiple components and includes upgrade costs, maintenance, and other periodic fees). Regardless of how simple or complex the solution may be, it is important to capture all the relevant costs of the project in order to properly allocate the necessary budget and funds, assess project management over the course of the project, validate vendor claims, and ultimately measure the project’s worth. To calculate the total cost of ownership, you should use the following formula to ensure that all the possible costs are considered and included:
Total Cost of Ownership = Cost to Buy + Cost to Install + Cost to Operate + Cost to Maintain [3].
As we discussed, this calculation can be a complex process even though this formula looks straightforward—it is not always easy to collect and organize all of the cost data associated with the various portions of the total cost of ownership for a project. Some issues and considerations to be aware of when you are trying to determine the various components of this calculation could include the following: the lack of in-place accounting processes that track overall system costs, the system in question may not be under the control of a single or centralized manager, or there is no process to track maintenance costs for the proposed initiative. Regardless of these challenges, the more complete and well-conceived your cost calculations will be, the more likely your decision on the security project will be the right one.

3.3.3. Determine the Direct and Indirect Benefits

Once we have calculated the total cost of ownership, we next must determine both the direct and indirect benefits of the security project in question. As with any costs, benefits must also be considered in a broader way—especially when looking at safety and security initiatives. It is best to start with the direct benefits, which are verifiable and easy to understand. Indirect benefits can be included later on, based on their contribution to the project’s return on investment; however, it is not uncommon for indirect benefits to be 30% or more of the total financial benefit.

3.3.3.1. Direct Benefits

A return on investment calculation should justify a project based on the direct benefits attributable to that project. Many times, managers will try to justify a favored project based on a number of intangibles that they will then try to tie into the project’s direct benefits; however, these are not only difficult to measure or prove, but intangible benefits also do not materialize in many cases. The following list contains potential areas for cost reduction that may produce direct benefits from an IP-based physical security technology:
• Planning and design
• Fewer personnel
• Added space to the information systems infrastructure
• Improvements to servers, applications, or systems
• Additional storage
• Integration of systems
• Fewer calls for system maintenance and improved upgrades
• Decrease in power usage
• Less training
To use an example to better illustrate the determination of direct benefits, consider a security project that automates and consolidates an organization’s alarm system. Prior to completion of the project, the alarm system had to be monitored at four separate locations; however, this consolidation project will now allow the alarm system to annunciate at only one workstation within the corporate headquarters. The result of this project will allow the organization to reduce the number of personnel monitoring the alarm system from four 24-hour-a-day posts to only one, which in turn will lower the direct payroll and training costs. These costs can be easily calculated to determine the direct benefit produced by consolidating the alarm system.

3.3.3.2. Indirect Benefits

Indirect benefits are defined as benefits that cannot be directly observed but are nonetheless realized [4], and as such they are not so easily measured as direct benefits. Furthermore, the value of some indirect benefits may be difficult to quantify, even though it is easy to acknowledge their usefulness. For example, the indirect benefits due to the installation of security cameras include the deterrent effect toward potential wrongdoers, along with the reassurance to employees who see the in-place security measures. These benefits may be difficult to quantify; however, they are easy to understand without firm cost numbers and should still be included as additional factors.
Based upon the difficulty in quantifying some indirect benefits, they will normally require a degree of subjectivity. In these cases, often a rough “lowest-benefit” estimate will serve to provide an acceptable minimum value to your return on investment calculations. To better illustrate this, let’s use an example of a project to upgrade an organization’s credentialing system. This project should reduce the average wait time for personnel to receive temporary identification cards or access badges from 35 to 5 min. Although this results in a savings of 30 min to the employees who accomplish this task, most people would agree that the entire 30 min saved will not necessarily be used productively. In order to determine a more realistic benefit, management may determine that these employees are, on average, 70% productive in their normal duties, and to ensure an accurate estimate, determine that only 50% of the recovered time (or 15 min) should be used as an indirect benefit based upon the savings in time from the upgrade. This estimate would likely provide a more reasonable cost for this benefit and not overvalue this security initiative. Another method to quantify indirect benefits is to look at other proposals your company or other businesses have accomplished when considering a similar type of security project, and see what cost savings were achieved by these projects. Such proposals may provide clues as to the type of indirect benefits that are considered valid and usable for your cost-benefit analysis.
Many security projects can be used to increase efficiency or reduce labor by improving or automating various aspects of security operations. The following table shows some standard indirect benefits as a result of corresponding safety and security projects (Table 3.5):
This is just a small list of some of the possible indirect benefits that could be gained from some of the safety and security projects your organization may consider, and should help to begin to identify any other indirect benefits from a particular project.
Indirect benefits can come in the form of productivity improvements for individuals or teams, and should also be considered. These benefits may be incremental or represent a small improvement per employee, but, when multiplied across your entire organization’s population or a large number of transactions, they may represent significant values in overall productivity, improved efficiency, or cost avoidance. In particular, indirect benefits that are related to corporate governance and regulatory compliance should be considered, as they can have a broad financial impact on organizations. For these reasons, it is important to take the necessary time to determine all the indirect benefits that may result from a security project.

Table 3.5

Security Projects and Examples of Some Corresponding Indirect Benefits

| Safety and Security Project | Indirect Benefits |
|---|---|
| Automated access control system | • Improved efficiency in credentialing employees • Record and identification of access to entryways • Provide uniform employee identification card (since all employees would be required to have a card to gain access) • Reduction of security personnel or receptionists |
| Installation or upgrade of security cameras | • Observation over areas of concern outside and inside the facility • Deterrence against unauthorized activities or entry • Capability to conduct video analytics applications (e.g., people counting, behavior tracking, etc.) |
| Installation of clearly marked perimeter boundaries (e.g., perimeter fencing or walls) | • Clearly defined legal boundary to facility or property • Deterrent against unauthorized entry • Limited protection against certain types of attacks (depending upon the type of perimeter boundary) |
| Procurement of emergency communications (e.g., facility loudspeaker system or portable radios) | • Improved communications capability in the event of an emergency • Facility or property-wide notification capability |

3.3.4. Accomplish a Cost-Benefit Analysis

Once the cost and benefit data are collected for a proposed project, they can be consolidated into a cost-benefit analysis to determine the project’s return on investment. Again, I must emphasize that because of the intangible benefits that result from the majority of safety and security projects, this cost-benefit analysis should not use the typical methods of comparing simple project costs or the total cost of ownership—these methods may not take life-cycle costs into account and they could ignore many of the indirect benefits from the initiative. Additionally, the value of the project’s actual return should be able to show the timing of both negative and positive cash flows over the time period in question to graphically display the information, and ultimately the project’s return on investment.
Over the next several paragraphs, we will work through an example to better illustrate this process. Throughout this example, we will work through the various processes to conduct our cost-benefit analysis of the proposed project that we covered: identification and description of the project, calculation of project costs, identification of direct and indirect benefits, and determination of the project’s return on investment.

3.3.4.1. Example Project Description

XYZ Corporation is a large company with several different operating locations throughout the United States (the total number of employees is 4000 working at 20 different operating locations). Our example project will consolidate multiple access control systems operating at these geographically separated locations into one single system that will allow access for all authorized personnel within the company to enter any of the 20 company locations. Additionally, the consolidated system will be managed at one main office rather than the current process, which has one individual at each location manage their own separate access control system.

3.3.4.2. Example Project Cost Calculation

To accomplish the cost calculation for the various options, we first must identify all the options and the time frame to evaluate these project options. In our example, we will compare two different options: maintaining the system in its current configuration (doing nothing) and moving forward with the project to consolidate the access control system. XYZ Corporation senior management has requested that the cost-benefit analysis be developed based upon a 5-year time frame. To calculate the costs for either option, we will use the total cost of ownership formula, which combines the costs to buy, install, operate, and maintain the project. Since the first option is keeping the current system with no changes, there are no purchase or installation costs associated with the total cost of ownership—only operational and maintenance costs. The second option—consolidating the access control systems—has costs associated with all four areas that compose the total cost of ownership. Table 3.6 shows the individual calculations for the total cost of ownership for both options, and Table 3.7 shows the overall total cost of ownership over the 5-year time period. Please keep in mind that these costs are being kept as simple as possible for the sake of our example and do not take into account several factors that would normally need to be considered, such as degradation of equipment over time, depreciation, inflation, etc.

Table 3.6

Total Cost of Ownership Considerations and Individual Costs

Cost element                                   Maintain Current        Consolidate
                                               Access Control System   Access Control System
Purchase costs
  Total purchase costs                         (none)                  $230,500
    Engineering/design                                                 $18,000
    Software                                                           $29,000
    Hardware                                                           $183,500
Installation costs
  Total installation costs                     (none)                  $104,000
    Infrastructure upgrades                                            $31,500
    Application integration                                            $62,500
    Other installation                                                 $10,000
Annual operational costs
  Total annual operational costs               $72,000                 $9000
    ID card purchases (due to loss or damage)  $12,000                 $4000
    Training                                   $60,000                 $5000
Annual maintenance costs
  Total annual maintenance costs               $54,000                 $20,000
    Card reader maintenance                    $34,000                 $16,000
    System maintenance                         $20,000                 $4000

Table 3.7

Total Cost of Ownership for Both Options Over 5 Years

                          Maintain Current        Consolidate
                          Access Control System   Access Control System
Year 1 costs              $126,000                $363,500
Year 2 costs              $126,000                $29,000
Year 3 costs              $126,000                $29,000
Year 4 costs              $126,000                $29,000
Year 5 costs              $126,000                $29,000
Total life-cycle costs    $630,000                $479,500

3.3.4.2.1. Direct and Indirect Benefits

As can be seen in Table 3.7, consolidating the access control system already has a lower total cost of ownership due to the significant decrease in annual personnel, operational, and maintenance costs. Now by looking at some of the other benefits of this proposed project—specifically the indirect benefits—we should be able to further determine its value.
In addition to the direct benefits of lower operational and maintenance costs per year, our proposed project also has the following indirect benefits that we will need to quantify:
• Increased employee productivity (due to less time to process into and out of company locations)
• Enhanced security capabilities
• Improved ability to meet regulatory and compliance requirements
The cost savings based upon increased employee productivity can be determined using the average amount of time required to enter and depart the locations with the old system and comparing it to the time required by the new system. Since the company has not yet installed the consolidated access control system, an estimate could be obtained from a company that recently installed a similar system. If the difference between the current and consolidated system saves each employee an average of 2 min every workday to enter and exit the facility, you can calculate a rough cost savings estimate based upon the number of employees, the average wage, the number of workdays per year, and your organization’s approximate level of productivity. In our example, XYZ Corporation has 4000 employees and their estimated productivity is 80%—in order to ensure that the estimate is conservative, we will cut this number in half to 40%. We will use an average wage of $20 per hour and 200 workdays per year for our example. All of these figures result in an approximate cost savings of $53,300 per year due to increased employee productivity. To determine the cost savings due to enhanced security capabilities, we could look at previous losses due to theft and compare them against the reduction in such losses that other businesses have experienced when utilizing a similar access control system. In our example, we’ll use a figure of $5000 per year. Finally, to quantify a cost based upon the proposed project’s ability to meet regulatory and compliance requirements, you could determine the amount of money spent on fines and look at how these should be reduced with the newer access control system—for our example, we’ll use a figure of $2500 per year.
Now that we have been able to quantify all our indirect benefits, we can put this information together into a chart that can better show senior leadership and other stakeholders the overall cost-benefit analysis of the proposed project. To accomplish this analysis, we will look only at the return on investment, that is, the point at which the initial costs of the design, purchase, and installation of the system are offset by the cost savings from direct and indirect benefits. An easy-to-understand method to show this analysis is in a bar chart format as shown in Figure 3.4, which uses the numbers from our example.
As can be seen in the chart contained in Figure 3.4, XYZ Corporation will pay off the initial equipment purchase and installation costs in the third year. Overall, our cost-benefit analysis shows that the proposed project will result in a total cost savings of over $250,000 over the entire 5-year time period.
FIGURE 3.4 Return on investment of consolidated access control system.
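The total cost of ownership and return-on-investment calculation worked through in Tables 3.6 and 3.7 and the paragraphs above, as an added Python example that is not part of the chapter. It takes the line-item costs from Table 3.6 and the chapter’s estimated annual indirect benefits ($53,300, $5000, and $2500) as given inputs, rebuilds the year-by-year totals of Table 3.7, and computes the cumulative net cash flow of the consolidation option against the do-nothing option to find the payback year. The Option class and the function names are the example’s own.

```python
"""Total cost of ownership and return on investment for two project options.
Added example: the figures are the chapter's Tables 3.6 and 3.7; the code is not from the book."""
from dataclasses import dataclass, field


@dataclass
class Option:
    """One project option with its total-cost-of-ownership line items.
    purchase/installation are one-time costs charged in year 1;
    operational/maintenance recur every year."""
    name: str
    purchase: dict = field(default_factory=dict)
    installation: dict = field(default_factory=dict)
    operational: dict = field(default_factory=dict)
    maintenance: dict = field(default_factory=dict)

    def one_time_cost(self) -> int:
        return sum(self.purchase.values()) + sum(self.installation.values())

    def annual_cost(self) -> int:
        return sum(self.operational.values()) + sum(self.maintenance.values())

    def yearly_costs(self, years: int) -> list:
        """Year-by-year costs as in Table 3.7: one-time costs land in year 1 only."""
        recurring = self.annual_cost()
        return [self.one_time_cost() + recurring] + [recurring] * (years - 1)

    def life_cycle_cost(self, years: int) -> int:
        return sum(self.yearly_costs(years))


# Line items from Table 3.6 (the do-nothing option has no purchase or installation costs).
CURRENT = Option(
    "Maintain current access control system",
    operational={"ID card purchases": 12_000, "Training": 60_000},
    maintenance={"Card reader maintenance": 34_000, "System maintenance": 20_000},
)

CONSOLIDATED = Option(
    "Consolidate access control system",
    purchase={"Engineering/design": 18_000, "Software": 29_000, "Hardware": 183_500},
    installation={"Infrastructure upgrades": 31_500, "Application integration": 62_500,
                  "Other installation": 10_000},
    operational={"ID card purchases": 4_000, "Training": 5_000},
    maintenance={"Card reader maintenance": 16_000, "System maintenance": 4_000},
)

# Annual indirect benefits, taken as the chapter's estimates rather than recomputed here.
INDIRECT_BENEFITS = {
    "Employee productivity": 53_300,
    "Reduced theft losses": 5_000,
    "Reduced compliance fines": 2_500,
}


def cumulative_cash_flow(baseline: Option, proposal: Option, indirect: dict, years: int) -> list:
    """Cumulative net benefit of `proposal` relative to `baseline`, one entry per year.
    Direct benefit in a year = baseline cost - proposal cost (negative in year 1 because
    of the one-time purchase and installation); indirect benefits are added every year."""
    indirect_per_year = sum(indirect.values())
    running, series = 0, []
    for base_cost, prop_cost in zip(baseline.yearly_costs(years), proposal.yearly_costs(years)):
        running += (base_cost - prop_cost) + indirect_per_year
        series.append(running)
    return series


def payback_year(series: list):
    """First year (1-based) in which the cumulative cash flow is no longer negative; None if never."""
    for year, value in enumerate(series, start=1):
        if value >= 0:
            return year
    return None


if __name__ == "__main__":
    for option in (CURRENT, CONSOLIDATED):
        print(f"{option.name}: {option.yearly_costs(5)} total ${option.life_cycle_cost(5):,}")
    flow = cumulative_cash_flow(CURRENT, CONSOLIDATED, INDIRECT_BENEFITS, 5)
    print("Cumulative cash flow:", flow)
    print("Payback year:", payback_year(flow))
```

Run as a script it prints both Table 3.7 rows and the cumulative cash flow series that Figure 3.4 charts; the series is negative for years 1 and 2 and crosses zero in year 3, matching the chapter’s statement that the purchase and installation costs are paid off in the third year. The simplifications the chapter notes carry over (no inflation, depreciation, or equipment degradation); applying a discount rate inside yearly_costs would turn the same structure into a net present value calculation.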

3.4. Summary of Security Plan Development and Risk Assessment

Over the course of this chapter, we looked at how to develop safety and security plans and procedures, how to accomplish an organizational risk assessment, and how to quantify safety and security initiatives.
Safety and security plans and procedures are a critical part of any organization’s program. In order to ensure that you can develop a working plan, we provided an overall format and verbiage for many sections in order to give you a head-start on this document. Although it is advisable to work with an expert in the safety and security field at some point to refine your plan and ensure that it fits with your particular organization and industry, this format should form a foundation of your overall safety and security plan.
Next, we worked through the development of a Risk Assessment Matrix. This product provides your organization with the basis to identify all potential threats and vulnerabilities that could occur to your business and facility. It also provides you with a prioritization of the most critical threats and vulnerabilities in order to provide you the information on what incidents you should address and mitigate through the use of safety and security initiatives, equipment, and procedures.
Finally, we provided a process to quantify the safety and security initiatives you may consider based upon your organizational risk assessment. Many safety and security initiatives can be difficult to justify solely through financial means, since the outcome of any effective initiative is for no incident, loss, damage, or emergency to occur; we looked at a process to accomplish a cost-benefit analysis while looking at all the direct and indirect benefits that could be obtained.
By developing your own specific safety and security plans and procedures and a comprehensive risk assessment, you can better identify and implement your own organization’s safety and security program.

3.5. Security Plan Development and Risk Assessment Checklist

Have you completed a risk assessment matrix for your company?   Yes [ ]   No [ ]
Does your organization have a detailed safety and security plan that includes the various sections contained in this chapter?   Yes [ ]   No [ ]
Does your organization have a process in place to accomplish a cost-benefit analysis for proposed safety and security initiatives?   Yes [ ]   No [ ]

Note: All items are listed in priority order so you should ensure each answer is “Yes” prior to expending funds or effort on the next question. This order ensures that an executive with minimal security expertise can easily move down the list in order to implement an adequate security program.

Recommended Reading for Security Plan Development and Risk Assessment

Broder JF, Tucker G. Risk analysis and the security survey. Butterworth-Heinemann.
