It is a formidable undertaking, because few industry models
exist. Few security programs are products of a comprehensive analysis; most are
developed on an ad-hoc basis in response to a security incident. In fact, many
security operations are designed for investigations after an event occurs, not
for prevention.
The object of a security analysis is to identify security
exposures in a methodical and thorough manner so that a security program is
based on broad analysis and not simply on the last security incident. Analysis
ensures that expenditures for security are directed appropriately based on
local needs, thus protecting critical resources while accepting the risks
stemming from lesser concerns.
The goal, however, is not to develop a foolproof security plan.
An underlying concept is that an asset cannot be protected completely, without
absorbing extravagant costs and without inhibiting business operations. The
goal instead is to make it difficult — but not impossible — for an adversary to
breach security. The level of difficulty depends upon the value of the asset
and the organization's tolerance for risk.
The analysis process is divided into five phases: asset
definition; threat assessment; vulnerability analysis; selection of
countermeasures; and implementation. The process is arranged for a deliberate
analysis and requires completion of each phase before proceeding to the next.
Asset Definition
Asset definition begins with a broad understanding of the
organization's operation, its tasks and functions, and its operating
environment. At the beginning of an analysis, interviews are conducted with the
organization's management and operating personnel to identify the resources
essential for operations. This includes production equipment, operating
systems, raw materials, finished product, inventory control and management
systems, and the infrastructure of power, water, natural gas and
telecommunications. Often, intangible assets are the most significant and are
only discernible by examining the organization's operation beyond surface
appearances. In effect, this step defines targets for attack.
Each asset may be further subdivided into micro components. An
analysis may indicate that a particular asset must be defined in detail because
of its criticality. Information technology is an example of the generally
defined asset that may be further subdivided into an extensive list of system
components, including equipment hardware, operating systems, applications
software, database management systems, telecommunications and system
documentation.
Both tangible and intangible assets should be categorized as
vital (the loss would prove catastrophic); important (the loss would prove
seriously disruptive but survivable); or secondary (the loss would be
relatively insignificant).
Threat Assessment
A comprehensive security plan requires a broad definition of
threats so that a range of exposures is considered. Through the analysis, the
focus should narrow to target those threats that are deemed the most
applicable.
Assessment begins by compiling data on past security incidents,
including incidents at the site, within the company and within the industry.
Determine if patterns of criminal behavior exist and define their nature.
Review loss records, safety records and legal judgments involving the
organization. Consult the company's legal counsel and examine court settlements
to identify exposures with an implication for security.
Conduct interviews with management, insurance underwriters and
local emergency management authorities to identify applicable threats. Review
criminal data and compare crime rates for the nation, state, metropolitan
statistical area, and the municipality.
Identify threats unique to the area and to the organization;
locations where concentrations of hazardous materials are stored; and
transportation avenues commonly used for transport of materials. Consider
threats that may not have occurred yet, but are applicable because of the nature
of the business and because of political and social issues.
A threat assessment is a qualitative analysis, although some
quantitative techniques are used. It is important to emphasize that an
assessment is a snapshot in time. As circumstances change, so does the threat
environment. Consequently, the assessment must be updated to ensure that the
security program is consistent with the needs of the time.
Each threat should be categorized as probable (expect the event
to occur); possible (circumstances are conducive for an event); or unlikely (do
not anticipate the event to occur). The severity of each issue should also be
categorized as catastrophic (a disastrous event); moderate (a survivable
event); or insignificant (relatively inconsequential).
Vulnerability Analysis
Security countermeasures represent obstacles in the path of a
threat event. The objective is to make the event less likely to occur by making
it more difficult for a perpetrator to accomplish the deed. Before introducing
obstacles, however, the process for an event must be defined. Vulnerability
analysis provides a mechanism for construction of security event scenarios
defined in step-by-step detail.
Representatives of the organization with extensive knowledge of
its inner workings should construct the scenarios. The team assumes the role of
a criminal attacking the organization, which allows key points of vulnerability
to be identified. Security plans designed to thwart the informed insider will
be equally, if not more, effective when applied to the external criminal. This
exercise highlights points of vulnerability and provides a framework for the
subsequent phase, the selection of security countermeasures. The vulnerability
analysis creates protection sets; meaning that it clearly establishes a focused
problem to be resolved through application of security countermeasures. These
protection sets are best illustrated by creating a spreadsheet correlating
assets and threats and noting which assets are exposed to which specific
threats.
Each scenario should have spreadsheet entries focused on
plausibility (Is the scenario too far-fetched?); consequences of the event; and
the amount of risk the organization is willing to accept.
Selection of Security Countermeasures
Just as a patient may be harmed by improper medication, an
organization's security posture may be weakened, if not compromised, by
improper application of security countermeasures. The exercise is more art than
science, requiring a collaborative effort of management and security staff to
arrive at a program consistent with an organization's needs.
Security countermeasures can include electronic security
systems, physical barriers, security personnel and policies and procedures.
Electronic security systems encompass access control, detection,
surveillance and evidence gathering. Subsystems may include intrusion
detection, access control, duress alarms, CCTV, intercoms, radios, public
address systems, life safety and telephone systems.
Physical and psychological barriers are applied to prevent
access to a target. Physical barriers include vaults, safes, vehicle barriers,
fences and gates, bullet-resistant materials, barbed wire, mantraps, vehicle
traps, armored cars, mechanical locking systems, vehicle speed bumps and
curbing, bomb-resistant structures, lighting, shielding, penetration-resistant
panels, and landscaping.
Security personnel perform a variety of duties including the
operation of electronic systems, manual control of fixed post duties, and
roving patrols. Most guard operations are designed to observe events and report
incidents to law enforcement authorities. In some cases, officers are armed and
trained to intervene in events.
Policies state management's position and philosophy on business
issues and practices. Procedures define the means for implementing the policy.
This is a critical part of a security program. It defines programs and
processes that are essential for security mechanisms to be effective.
Implementation
In this phase recommendations are transformed into
specifications for people, systems and policies. The objective is to translate
the security plan into bidding and purchasing documents and procedures, and
organizational programs and processes. Learn more at Millennium Group Access Control.
Thanks for the sharing the information about security equipments.
ReplyDeleteéquipements de sûreté