b. Vulnerability Assessment
A vulnerability assessment serves as the foundation for all security initiatives. It is a vital tool for determining what should be protected, what kind of threats the facility is vulnerable to, and how best to protect sensitive areas.
Start by creating a vulnerability assessment team, which should have representatives from all divisions of the organization, the appropriate resources to fulfill its mission, and the full support of senior management. If expertise in evaluating security vulnerabilities and in developing appropriate countermeasures to those vulnerabilities is not available within the company, consider enlisting the services of a qualified security consultant.
Once a team has been selected, conduct the vulnerability assessment. Building on the information gathered during the prioritization process, confirm whether the previously identified areas are actually targets and determine whether there are any other potential targets.
There are several effective methodologies for conducting a vulnerability assessment. Select one that takes into account factors such as local security needs, the nature of the assets, the complexity of the asset infrastructure, available information, available personnel and resources, company and national interests, and community concerns.
Regardless of which method is selected, it should measure and compare relative security risks. If the risks are deemed unacceptable, recommendations must be developed for measures that reduce risks.
When assessing vulnerabilities, look beyond the "fence line" of your facility. Take into account vulnerabilities that could arise because of inadequate security measures at nearby sites. Also consider vulnerabilities that could arise because of the site's proximity to attractive targets, such as government buildings, military installations, or national monuments (an attack on one of those targets could cause collateral damage to your site).
Determine the likelihood of a successful attack based on the scope of your analysis, local needs, and the quality of available information. Identify relevant layers of protection and the consequences of failure of those layers of protection. Consider potential consequences of security events on workers, the community, the environment and critical infrastructure. Base your analysis on reasonable worst-case scenarios.
The result of the vulnerability assessment is a site security plan, which addresses all relevant categories of site security: perimeter protection (fencing, clear zones); access control (doors, gates, keys, locks); cyber security; training; drills; surveillance; lighting; signage; alarms; badging; vehicle and property control; security communications; law enforcement or other emergency response scenarios; communications with local authorities and community leaders; intrusion detection; security officers and post orders; visitor control; package and mail inspection; investigations; employment termination procedures; and bomb threat procedures.
3. Implementation of Security Countermeasures
Implementing recommended security countermeasures identified through the vulnerability assessment will help a company protect employees, the community and the environment; maintain the integrity of operations; reduce litigation risk, insurance costs and theft; decrease the risk of vandalism and sabotage by employees and non-employees; safeguard trade secrets; and improve relationships with local authorities and surrounding communities.