|A comprehensive security assessment will tell how to plan and manage security in the facility|
A comprehensive security assessment will tell you how to plan and manage security in your facility. Without an assessment, you can only guess about security. For facilities with existing security programs, an assessment can also reveal whether the pieces of the system are working as they should.
As a security director, can you do the assessment yourself? Sure, although a large school of thought favours “fresh eyes,” a third party that can form an objective opinion.
An objective third party assessment can cost thousands of dollars, and if you do it every year, as recommended, it could be prohibitively expensive.
“If you outsource assessments, use the same consultant every year,” says Kevin Doss, a principal with Wormleysburg, Pa.-based Level 4 Security. “The first will be expensive, but the annual update will cost less because your consultant already knows the facility and its security status.”
How to find a qualified consultant?
How do you find a qualified consultant? “The number one key is years of experience with assessments,” Doss says. “Education is second, especially ASIS training and certifications. When you earn a certification like CPP — Certified Protection Professional — you need a minimum of 60 continuing educational units every three years to maintain it.
“Each ASIS certification has continuing education requirements that keep certified security people focused staying up to date.”
Security assessment formal process
Investigate crime in surrounding areas
The formal process begins with a risk assessment that investigates crime in the area surrounding the facility. According to Doss, most police departments will provide some information, but they will often fail to reveal sensitive information that might affect an ongoing investigation.
To get around that, Doss suggests talking to someone with local knowledge, perhaps a retired FBI agent living in the area.
If the facility has an existing security program, security incident reports should be part of the crime analysis.
With a risk assessment in hand, Doss inspects the facility, looking for risk-related vulnerabilities.
“The first will be expensive, but the annual update will cost less because your consultant already knows the facility and its security status"
Doss begins his inspections beyond the outer perimeter with the neighbors. “Years ago, I saw people protesting around the Sunoco building in Philadelphia,” he says. “I assumed they were protesting Sunoco. When I asked, however, I learned that they were protesting a nearby investment firm for investing in a company that conducted research on animals.
“That taught me to find out who the neighbors are and to consider what threats they might bring to the facility.”
Doss checks the perimeter and works back to the core of the facility, paying particular attention to critical assets. “What will stop the company from doing business?” he asks. “It could be intellectual property like the secret formula for a soft drink. It could also be a manufacturing plant and supply chain. We address these critical assets first. Then come the secondary assets.”
Consider natural threats
Doss also considers natural threats. What happens when the basement floods? Some companies keep their generators in the basement where flooding would disable them.
Consider insider threats
Doss also looks into insider threats. How easy is it for employees to steal products or information?
Annual assessments and update
Where are companies the weakest when it comes to security assessments? “The biggest mistake I see is failing to update the plan,” Doss says. “They do an assessment and develop a security plan. But they don’t do annual assessments and update the plan. You should assess annually or when conditions change. A new tenant in a high rise, for instance, could completely alter a building’s security needs.”