Printer Friendly

Four steps to success.

THE SECURITY REVIEW IS ONE OF THE most important tools in the security professional's repertoire. When conducted by qualified personnel, a security review can lead to comprehensive problem identification, adverse event estimation, and ultimately the formulation of contingency plans and protective security programs to minimize an organization's exposure to threats.

During a recession the two major growth industries are crime and security. Recently in Australia there have been dramatic increases in vandalism, car theft, break-ins of shops and homes, and attacks on senior citizens in their homes.

The pressure on the legal system and the limited resources of police have forced citizens to take responsibility for their own safety. As a consequence, sales of vehicle antitheft devices, antiram raiding equipment, and personal alarm devices for senior citizens living alone have increased.

It is inevitable that public and private organizations will be closely scrutinized by both internal and external sources to ensure that they have adequate security protection.

The term security has a different meaning to different people. For example, to a brash teenager it might have something to do with birth control; to a 70-year-old woman it might mean being able to sleep comfortably at night without being awakened and beaten for the change in her purse. To employees it may mean returning to their cars at the end of the workday and finding them where they were left.

On the other hand, to an organization security means being able to continue its business activities without disruption. Security can also be defined as protection, assurance, a state or sense of safety or certainty, and not being exposed to danger. Security implies a stable, relatively unhanged atmosphere in which individuals or groups may pursue their ends without disruption or harm and without fear of loss or injury.

Now that security has been defined, how can an organization achieve such an ideal? A small enterprise, such as a professional practice or a local news entity, might be best served by using good common sense and applying general security principles. But even this can be difficult and expensive if the owner and staff have no security background.

For a large organization or any enterprise serious about security, a professional method can be followed in assessing security needs. This method is known by various titles, including security survey, protective security risk review, security audit, and security review.

The security review consists of the following four stages:

* resource appreciation

* threat assessment

* risk analysis

* identification of weaknesses and recommended solutions

The first stage in conducting a security review--resource appreciation--is to determine exactly what is to be protected. It is pointless to try to improve security without knowing what requires protecting.

I was once part of a security team responsible for providing security at an industrial facility. One part of the team's duties was to conduct regular patrols and inspections of the outside of many small buildings on the premises. These buildings contained equipment and other important material.

We did not have access to the interior of these buildings and did not know what was inside them. All we knew was that the client apparently required regular and frequent checks. After several months we received information that the buildings that we had been protecting so faithfully were in fact empty and had been for several years!

In the absence of a comprehensive security review, much time and money were wasted protecting buildings that were subject to no threat. The resource appreciation of a security review would have identified the situation and led to the modification of the security team's activities. Its efforts could have been directed to other areas or the personnel strength of the security team could have been reduced had a review been done.

The second stage in the security review is the threat assessment. This is a judgment of the probability of an event taking place that could adversely affect an organization's resources, assets, or activities.

Threats can be criminal, such as theft, arson, assault, robbery, or sabotage; terrorist, such as politically motivated attacks; commercial, such as industrial espionage, theft of trade secrets or other proprietary information, or adverse media publicity; or natural disaster, such as fire, flood, wind, or earthquake. The nature and range of the threat to a particular organization also depend on the type of activities and work force the organization engages and its location.

The process of threat assessment may appear simple, but it is a time-consuming process that is best conducted by appropriately trained personnel. These individuals must extract information from many sources and collate it for analysis. This includes interviewing people at all levels of the organization, local police, and even neighbors of the organization.

Management frequently believes it does not have difficulties with security. But the assessor will invariably find when speaking to nonmanagement-level staff that incidents that represent threats have occurred and gone unreported or disappeared into the black hole of bureaucratic red tape.

TO DEMONSTRATE THE IMPORTANCE OF the security review and the threat assessment, consider the following example: A couple of years ago in Adelaide, Australia, a large water storage tank on the roof of a tall central business district office building ruptured. Around 135,000 liters of water gushed onto the roof of the office building and into a stairwell, where the water drained down into the basement of the building. The main problem resulting from this event was that a large organization in the building had its computer mainframe in the basement.

A comprehensive security review would have identified the significant threat of having such a large reservoir of water in a position where it could cause thousands of dollars worth of damage to critical equipment. This was in addition to the disruption caused to the business activities of the organization while the facility was being salvaged from the disaster.

Although the water was for the fire sprinkler system and the required pressure necessitated that the tank be located on the roof, no measures were taken to protect the computer mainframe from potential water damage, such as locating it on a higher floor.

The third stage in the security review is the risk analysis. In this stage, a judgment is reached on the existing security arrangements being able to resist threats identified by the threat assessment. During the site surveys and interviews, information gained concerning the current security arrangements is analyzed together with the threat assessment. This is also a time-consuming process that is best undertaken by appropriately trained personnel and it should identify all the vulnerabilities of an organization.

Risk can be described by the following formula: risk = intention + capability + opportunity. For example, the still unapprehended person responsible for disrupting the Telecom network in Sydney in November 1987 certainly had the intention to do damage, the capability to cause the most disruption (it appears he or she had expert knowledge of the Telecom network as well as the appropriate heavy-duty cutting equipment), and the opportunity to gain unauthorized access to the vast telecommunications network beneath Sydney's streets.

An important element of the risk analysis is ascertaining and assessing the critical lead time for replacement, or the time it takes to replace any piece of compromised equipment or other article or service before it can again function satisfactorily for an organization.

I was involved in conducting a security review for a large national technology-based organization that used satellite facilities to carry all of its communications between its offices throughout Australia. In the design of the organization's satellite ground stations, company engineers incorporated a backup facility, a wise move. However, this backup was for technical failure only, with the primary and secondary parabolic antennas located adjacent to each other and the associated equipment for both systems in the same small building next to the dishes.

In the event of a circuit malfunction, the backup plan then in place would have worked satisfactorily, but if a disgruntled person handy with gelignite or other method of destruction decided to damage the facility, or if some other calamity leveled the site, then both the primary system and its backup would have been affected.

I discovered through my investigation that the satellite equipment was not manufactured in Australia and would take approximately six months to acquire from Japan. This critical lead time for replacement had not been taken into account by the organization's engineers, since they had not foreseen the possibility of both systems being substantially damaged or destroyed at the same time.

While the solution was to position the systems well apart from each other in the first place, no arrangements had been made to have another system on hand--and at $500,000 (Australian dollars) each, this was not surprising.

In this case a security review identified the problem before a catastrophe occurred. However, if protective security had been taken into account from the beginning, a lot of money and effort would have been saved.

The final stage in the security review is to identify weaknesses and recommend solutions. This can only be done by trained personnel after the three previous stages have been completed.

I once conducted security reviews for the top 35 art galleries and museums across Australia. In one country art gallery, in an unobstructed gallery space about half the size of a small house with only one point of access, I found seven passive infrared intruder sensors. In this area, two would have been satisfactory if the correct units were selected and installed in the appropriate positions.

My investigations revealed that there were no security equipment companies in town and so the art gallery had used the services of an electrical contractor to recommend and install a security system.

This example illustrates the integrity, or lack thereof, of individuals who claim to be able to advise on protective security. In this case, an institution with limited financial resources spent a significant amount of money on an extensive security system that was far in excess of its requirements in both threat to be countered and technical capability.

During the final stage of a security review the assessor can rate the risks and prioritize the threats in descending order of importance. This rating is particularly important, since it indicates where limited resources should be directed to do the most good and assists the assessor in making a judgment whether to accept or transfer the risk or to recommend that resources are assigned to provide protection.

NOW THAT WE HAVE AN UNDERSTANDING of the methodical and professional process of assessing an organization's security requirements, what are the consequences of not carrying out such a process and ignoring the risks?

The consequences that present themselves in each of the above examples are that too much money may be spent or it may be spent unnecessarily. For most managers, this should be sufficient encouragement to institute a security review for their organizations. After all, far more money can be saved by a comprehensive security review than is spent on its conduct.

But other compelling reasons exist for a company to be subject to a security review. They include the following reasons:

* obligation to protect personnel and visitors

* necessity to protect property

* necessity to protect information

* legal obligations

* contractual obligations

* threat of litigation

* threat of industrial disputation

* insurance company requirements

* moral obligations

* professional integrity

In the cases listed above, almost all can be reduced to one reason: financial expense. This can take many forms, including the following:

* replacement cost of equipment

* repair cost to equipment

* repair cost to buildings

* cost of rebuilding

* loss of revenue due to loss of market edge as a result of information or data loss

* loss of contracts

* awarding of damages

* cost of loss of company time due to industrial disputation

* increased insurance costs

* loss of insurance coverage

* damage to professional reputation or loss of accreditation

When human life is at risk, financial considerations obviously should not take precedence. Therefore, where security has not been reviewed comprehensively, it must not be assumed that the physical well-being of personnel is ensured.

Several years ago a New Zealand police inspector in Sydney found the body of a young woman on the pavement outside a building in the city center. Subsequent police investigations found that she had worked in the building and had been murdered by a security officer who had been assigned to protect the premises.

The security officer had a record of previous unlawful behavior. A comprehensive security review would verify the screening procedures of all personnel in positions of trust.

Building owners, managers, and the principals of organizations frequently underestimate the importance of adequate protective security at their own risk. Often, action to improve security only follows a robbery or some other event that proved security was inadequate. This article should prompt you to think twice about the adequacy of the security arrangements and procedures at your organization.


"City's Tallest Building Leaves Workers Awash," The Adelaide Advertiser, October 23, 1990. "Call to Step Up Telecom Security," The Adelaide Advertiser, November 24, 1987. Adams, J. "A Security Survey Can be Worth the Outlay." Security Australia, December 1991-January 1992, Vol. 11, Issue 11, pp. S 12-S 13. Broder, J. F. Risk Analysis and the Security Survey. Stoneham, MA: Butterworth Publishers, 1984. Gigliotti, R., and R. Jason. "Description and Approaches." Security Design for Maximum Protection, Stoneham, MA: Butterworth Publishers, 1984, pp. 1-23. Oliver, E., and J. Wilson. "Appraising the Risk." Practical Security in Commerce and Industry, Brookfield, VA: Gower Publishing Company, 1988, pp. 3-25. Post, R. S., and D. A. Schachtsiek. "The Security Audit Process." Security Managers Desk Reference, Stoneham, MA: Butterworth Publishers, 1986, pp. 59-98. Walsh, T. J., and R. J. Healy. "Security Vulnerability." Protection of Assets Manual, Santa Monica, CA: The Merritt Company, 1989, pp. 2-1 to 2-25.

Mark Golsby is an independent security management consultant in Adelaide, Australia. He is a member of ASIS.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Security Survey
Author:Golsby, Mark
Publication:Security Management
Date:Aug 1, 1992
Previous Article:Manufacturing a secure partnership.
Next Article:The service of surveys.

Related Articles
Sizing up city trees.
Powering up energy security.
Regulatory issues.
The Ultimate Computer Security Survey.
Keeping the client happy: By taking care of in-house customers, the security department can build loyalty and strengthen its role. (Leading Edge).
How Planning System Redesigns Can Succeed: A survey by the FEI Research Foundation and the Buttonwood Group finds that successful redesigns of...
Better service through surveys: security should conduct a survey to see whether employees are dissatisfied with security's services and, if so, why.
Are entrepreneurs born or made?

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters