Physical Security Assessment
Agenda
- Physical Security – Baseline Definitions and Convergence Drivers
- What is a Risk Assessment; When Should You Do One; and Why?
- Determining Your Company’s/Organization’s Unique/Individual Risk Appetite
- Getting Started – The Project Plan
- Sample Risk Assessment Tools
- Your Corrective Action Plan – Basics to Consider
Physical Security Baseline Definitions

Physical security involves measures undertaken to protect personnel, equipment and property against anticipated threats. Passive measures include the effective use of architecture, landscaping and lighting to achieve improved security by deterring, disrupting or mitigating potential threats. Active measures include the use of proven systems and technologies designed to deter, detect, report and react against threats.

ISO 27001 role of physical security – Protect the organization’s assets by properly choosing a facility location, maintaining a security perimeter, implementing access control and protecting equipment.

The physical security office is usually responsible for developing and enforcing appropriate physical security controls, in consultation with the computer security management, program and functional managers, and others, as appropriate. Physical security should address not only central computer installations, but also backup facilities and office environments. In the government, this office is often responsible for the processing of personnel background checks and security clearances.

What is the impact of convergence (merging IT security and physical security) on this role, and how does it play into the responsibilities for physical security risk assessments and action plans?
Security Roles and Responsibilities

Operational Security
The process of creating policies and procedures and establishing controls to preserve privileged information regarding organizational capabilities and vulnerabilities. This is done by identifying, controlling and protecting those interests associated with the integrity and the unimpeded performance of a facility. Includes training, policies and procedures, facilities access and tenant space.

Facilities Management
This role is almost exclusively planted in the world of physical security management. Key skills are the ability to run and maintain crucial environmental systems, mechanical processes, HVAC, fire alarms, etc. Facility Managers can extend their knowledge through teaming with other security professionals to understand risk management and technical security advances that will enhance the overall security posture of their organization.

Information Security
The process of protecting the confidentiality, integrity and availability of data from accidental or intentional misuse by people inside or outside the organization or facility. Key elements: limiting/managing access to information and Information Technology resources, ensuring data is protected in transmission, developing and enforcing policies, audit and compliance, and incident management.

What is a Risk Assessment?

Prior to embarking on the risk assessment, ensure that policies and procedures are in place and have been updated recently, and ensure that an effective security program is in place.
The purpose of the risk assessment is to assess the system’s use of resources and controls (implemented and planned) to eliminate and/or manage vulnerabilities that are exploitable by threats to the organization. It will also identify any of the following:
- Risks associated with the system’s operational configuration
- The system’s safeguards, threats and vulnerabilities
- New threats and risks that might exist and, therefore, will need to be addressed in the corrective action plan
- How the system conforms with corporate policies and procedures and all applicable legal and regulatory requirements
The risk assessment should:
- Provide a clear definition of the scope of the assessment, such as present configuration, physical, environmental, personnel, telecommunications, and administrative security services provided
- Identify which assets need to be protected, assign a value to each asset, identify its owner and label its business criticality
- Identify any and all threats. Identified threats can be incorporated into a dynamic threat model/digital dashboard and integrated with other threat and vulnerability models, data, etc.
- Once identified, prioritize threats along with the means to counter and respond to them

A typical weakness of most security programs/plans is the lack of a comprehensive risk and vulnerability assessment; most only address security from an electronic systems perspective.
When Should You Do a Risk Assessment?
- Your company has a policy to conduct a periodic or annual enterprise risk assessment
- You are opening a new facility or moving
- You have had an audit finding
- You have had a breach or other identified vulnerability
- Compliance with legal and regulatory requirements
- Mergers, acquisitions, divestitures
- Outsourcing
- Partnerships and alliances
- You are implementing a new technology
- Other?
Why Should You Do a Risk Assessment?
- A comprehensive integrated risk and vulnerability assessment will assist management in critical financial decisions as well as budgeting
- Since 9/11, everyone is increasingly concerned with the safety of tenants and employees
- If you don’t have an integrated risk assessment, how do you know what your security program should be, what to do first, second, etc.?
- How do you justify costs, resources, schedules, etc. without the output of a risk assessment?
- How do you know if you are compliant with legal and regulatory requirements?
- How do you know what an acceptable level of risk is for your organization, and how do you communicate that and implement policies and procedures around it?
- Through the process of the risk, threat and vulnerability assessment you will learn and discover things about your environment that were previously unknown
Depending on time and available resources, quantitative and qualitative assessments both have value. There are pros and cons to each.

Determining Your Unique/Individual Risk Appetite

To define your organization’s risk appetite and determine the acceptable level of risk, you should answer the following questions:
- Where do we feel we should allocate our limited time and resources to minimize risk exposures? Why?
- What level of risk exposure requires immediate action? Why?
- What level of risk requires a formal response strategy to mitigate the potentially material impact? Why?
- What events have occurred in the past, and at what level were they managed? Why?

Each question is followed by a “why” because the organization should be able to articulate the quantitative and/or qualitative basis for the appetite; otherwise it will come off as backwards-looking (based only on historical events) or even arbitrary. Develop a risk appetite table.
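The following is an added worked example, not material from the presentation, tying together two of its steps: valuing assets and prioritizing the threats against them, and then reading the result through a risk appetite table that states a "why" for each band. The assets, threats, existing controls and scores are constructed sample data; the 5-point likelihood/impact scale, the value × likelihood × impact scoring and the three appetite bands (immediate action, formal response strategy, accept) are assumptions chosen for the illustration, and an organization would set its own.

```python
"""Risk register scoring against a risk appetite table.

This is an added illustration, not material from the presentation. The assets,
threats, control lists and scores are constructed sample data; the 5-point
likelihood/impact scale, the value * likelihood * impact scoring and the three
appetite bands are assumptions chosen for the example.
"""
from dataclasses import dataclass

# Qualitative scale used for both likelihood and impact (assumption).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str           # accountable owner, as the assessment scope requires
    value: int           # business criticality, 1 (low) .. 5 (critical)
    location: str


@dataclass(frozen=True)
class Threat:
    asset: str           # name of the asset this threat applies to
    description: str
    likelihood: str      # key into LEVELS
    impact: str          # key into LEVELS
    existing_controls: tuple = ()


# Risk appetite table: (minimum score, band, required response, rationale).
# Scores range from 1 to 125; the band boundaries and their stated basis are
# assumptions, written out because each appetite decision needs its "why".
RISK_APPETITE = [
    (60, "unacceptable", "immediate action",
     "only reachable when a critical asset faces a likely, severe threat"),
    (27, "tolerable", "formal response strategy",
     "medium likelihood and impact on a medium-value asset, or worse"),
    (0, "acceptable", "monitor and accept",
     "residual risk the organization has chosen to carry"),
]


def risk_score(asset: Asset, threat: Threat) -> int:
    """Asset value weighted by how likely and how damaging the threat is."""
    return asset.value * LEVELS[threat.likelihood] * LEVELS[threat.impact]


def appetite_band(score: int) -> tuple:
    """Map a score to (band, response) using the first threshold it meets."""
    for minimum, band, response, _rationale in RISK_APPETITE:
        if score >= minimum:
            return band, response
    raise ValueError(f"score {score} below every appetite threshold")


def prioritize(assets: list, threats: list) -> list:
    """Build the risk register, highest risk first; ties sort by asset name."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]          # KeyError here means an unowned asset
        score = risk_score(a, t)
        band, response = appetite_band(score)
        rows.append({"asset": a.name, "owner": a.owner, "threat": t.description,
                     "score": score, "band": band, "response": response,
                     "controls": list(t.existing_controls)})
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def corrective_action_plan(rows: list) -> list:
    """Only risks above the acceptable band earn an entry in the plan."""
    return [r for r in rows if r["band"] != "acceptable"]


# Constructed sample register (not real facilities or findings).
ASSETS = [
    Asset("primary data center", "IT operations", 5, "HQ basement"),
    Asset("backup tape vault", "IT operations", 4, "offsite warehouse"),
    Asset("lobby visitor kiosk", "facilities", 2, "HQ ground floor"),
]

THREATS = [
    Threat("primary data center", "unauthorized entry via unmonitored loading dock door",
           "medium", "very high", ("badge readers on main entrances",)),
    Threat("primary data center", "HVAC failure causing overheating",
           "low", "high", ("redundant cooling units", "temperature alarms")),
    Threat("backup tape vault", "theft of unencrypted backup media",
           "low", "very high", ("locked cage",)),
    Threat("lobby visitor kiosk", "tampering with kiosk hardware",
           "medium", "low"),
]

if __name__ == "__main__":
    for row in prioritize(ASSETS, THREATS):
        print(f"{row['score']:3d}  {row['band']:<12} {row['response']:<24} "
              f"{row['asset']}: {row['threat']}")
```

Run as a script it prints the register in priority order; the two threats that tie on score sit in the "tolerable" band and both land in the corrective action plan, while the kiosk tampering risk falls in the band the organization has chosen to accept. The rationale column in `RISK_APPETITE` is what makes the table defensible rather than arbitrary: when a reviewer asks why 60 and not 50, the answer is already written down.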
