The Interagency Security Committee is the product of fifty-eight Federal departments and agencies combining their work to develop security standards for nonmilitary federal facilities. The ISC makes a number of their documents publicly available which can serve as good potential guidelines for private businesses and organizations. The ISC's Risk Management Process Guide is a high-level overview that is meant to inform the decision-making process for deploying security measures at a variety of different facility types. Before delving in, keep in mind the guide is short of specific measures and focuses instead on the organization and administration protocols to ensure that the processes can be adapted to whatever size and type of facility the reader is associated with.
The threat assessment evaluates occurrences that could potentially harm assets, whether by natural means or otherwise. This means a broad spectrum of potential vulnerabilities is identified, ranging from minor accidents to premeditated vandalism, cybersecurity breaches or worse.
Threat data will ideally be collected from credible resources. In the case of larger facilities, this may involve data from security organizations, and, in the case of government facilities, include intelligence community reports.
If information like this is beyond the scope of your organization's budget, the ISC publishes the Design-Basis Threat Report which identifies a broad range of threats and is updated regularly based on the most currently available data.
The ISC recommends referencing historical data trends to identify frequency of natural hazards like floods, earthquakes, etc. While historical data doesn't necessarily predict the future, it can be a good starting point for establishing the most easily predictable threats in the assessment.
Is your facility located near known fault lines, flood-prone terrain, etc.? If so, there may be preparatory measures you can take now that will pay off down the road.
The same method can be applied to considering crime threats. What are the current crime rates and trends in the surrounding area? Are there relevant assets or activities that may put a target on your facility?
The criticality assessment takes into account the level of consequence associated with the potentials evaluated in the threat assessment. The distinction is important: threat assessment deals with all credible potential adverse events while criticality deals with their significance. For federal buildings, the "Facility Security Level" measure is used to determine the degree of security necessary for that particular building's purpose. For businesses, the process is simpler. Construct your own overview of consequences associated with the events described in the threat assessment to determine criticality.
If a natural disaster were to affect the facility, would critical documents and assets be recoverable or replaceable? Would essential operations be able to continue (albeit perhaps less efficiently) with the facility temporarily shut down? If the facility is a factory that uses special equipment, then it is likely not replaceable on a short-term basis. This would constitute a high level of criticality.
Other adverse events will be less critical. Potentials like vandalism may not be critical enough to justify additional countermeasures.
This stage of assessment identifies features and attributes of the facility that constitute potential hazards. This could include broader categories like geographic area, asset type, network, etc.
Present countermeasures are taken into account and weighed alongside their associated risks to determine the level of vulnerability that exists.
Risk assessment seeks to take the aforementioned assessments into account and prioritize risks by assigning them values. It's up to you to determine the details of the grading process, but a start could be a simple 1-5 or 1-10 scale for risk rating.
Integration of countermeasures weighs the current baseline level of protection against desired and achievable levels of protection.
Questions the ISC recommends asking in order to find decision points:
Is the level of protection achievable (i.e., feasible and cost-effective)?
Is the risk acceptable?
Are alternate locations available?
Once decisions have been made, the process of scheduling and implementing countermeasures begins.
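The three assessments and the decision questions above can be combined into a small risk register that ranks hazards and records a decision for each. The following Python script is an added example, not part of the ISC guide or of this article: the product-of-ratings score, the accept/interim/implement/reconsider labels, and the sample hazards, costs, tolerance and budget are all constructed assumptions chosen to illustrate the process.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical risk register (added example, not the ISC guide's own method).
# All ratings use the simple 1-5 scale the text suggests: 1 = lowest, 5 = highest.


@dataclass
class Countermeasure:
    name: str
    vulnerability_reduction: int  # points it lowers the 1-5 vulnerability rating by
    cost: float                   # assumed cost, in the same units as the budget


@dataclass
class Hazard:
    name: str
    threat: int         # likelihood of the adverse event (threat assessment)
    criticality: int    # consequence if it occurs (criticality assessment)
    vulnerability: int  # exposure with today's countermeasures in place (vulnerability assessment)
    proposed: List[Countermeasure] = field(default_factory=list)

    def __post_init__(self):
        # Reject ratings outside the agreed scale so one bad entry cannot skew the ranking.
        for label, value in (("threat", self.threat),
                             ("criticality", self.criticality),
                             ("vulnerability", self.vulnerability)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} rating {value} is outside the 1-5 scale")


def risk_score(threat: int, criticality: int, vulnerability: int) -> int:
    """Combine the three assessments into one number (1-125) used only for ranking."""
    return threat * criticality * vulnerability


def baseline_risk(h: Hazard) -> int:
    return risk_score(h.threat, h.criticality, h.vulnerability)


def residual_risk(h: Hazard) -> int:
    """Risk remaining if every proposed countermeasure is installed (vulnerability never drops below 1)."""
    reduced = max(1, h.vulnerability - sum(c.vulnerability_reduction for c in h.proposed))
    return risk_score(h.threat, h.criticality, reduced)


def proposed_cost(h: Hazard) -> float:
    return sum(c.cost for c in h.proposed)


def decide(h: Hazard, tolerance: int, budget_remaining: float) -> str:
    """Walk the three decision questions (acceptable? achievable? alternate location?) for one hazard."""
    if baseline_risk(h) <= tolerance:
        return "accept"       # already within tolerance: no new countermeasure needed
    if proposed_cost(h) > budget_remaining:
        return "interim"      # permanent fix not achievable now: interim measure until it is
    if residual_risk(h) <= tolerance:
        return "implement"    # achievable and brings the risk within tolerance
    return "reconsider"       # affordable but still above tolerance: alternate location or redesign


def plan(hazards: List[Hazard], tolerance: int, budget: float) -> Tuple[list, float]:
    """Rank hazards by baseline risk, then decide each in priority order while the budget lasts."""
    remaining = budget
    rows = []
    for h in sorted(hazards, key=baseline_risk, reverse=True):
        decision = decide(h, tolerance, remaining)
        if decision == "implement":
            remaining -= proposed_cost(h)
        rows.append((h.name, baseline_risk(h), residual_risk(h), decision))
    return rows, remaining


# Constructed sample register; the hazards, ratings and costs are illustrative only.
SAMPLE_REGISTER = [
    Hazard("vehicle impact at main entrance", threat=2, criticality=5, vulnerability=5,
           proposed=[Countermeasure("permanent vehicle barriers", 4, 60_000)]),
    Hazard("forced entry via exterior doors", threat=3, criticality=4, vulnerability=4,
           proposed=[Countermeasure("non-removable hinge pins and latch refit", 3, 8_000)]),
    Hazard("flooding of ground floor", threat=2, criticality=5, vulnerability=4,
           proposed=[Countermeasure("flood barriers at loading dock", 3, 40_000)]),
    Hazard("vandalism of exterior", threat=4, criticality=1, vulnerability=3,
           proposed=[Countermeasure("additional lighting", 1, 5_000)]),
]

if __name__ == "__main__":
    rows, left = plan(SAMPLE_REGISTER, tolerance=15, budget=50_000)
    for name, base, resid, decision in rows:
        print(f"{base:4d} -> {resid:4d}  {decision:10s} {name}")
    print(f"budget remaining: {left}")
```

With the sample values, the vehicle-impact hazard ranks first but its permanent barriers exceed the budget, so it is flagged for an interim measure (the K-rail case the guide describes), the door and flood countermeasures are implemented in priority order, and vandalism is accepted as-is because its baseline risk already sits below the tolerance. The scale, the multiplicative score and the tolerance are organizational choices; the point is that the decision for each hazard is traceable to the three assessments and the three questions.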
If a risk is identified that cannot be immediately mitigated then interim countermeasures may be justified. An example the ISC gives is using "K-rails" where permanent vehicle barriers may be desired. The permanent barriers will better match facility design but are functionally interchangeable with temporary countermeasures in the meantime.
Application is intended to proceed from periodic risk assessments. The frequency and level of these assessments will depend on your organization's security needs and priorities. Whenever a facility is renovated or modernized, treat it as an opportunity to implement new security measures that previously may have been impractical.
For example, installation of new doors would present a perfect opportunity to improve countermeasures on one of the most vulnerable parts of any building. Ensuring steel exterior doors have non-removable hinge pins and proper latch fitment should be a matter of course for facilities that prioritize security.
What renovations do you foresee for your facility down the road, and how could they tie in with updated security integrations? What vulnerabilities exist for your facility, and how can they be mitigated? While the risk-management process varies for different types and sizes of facilities and doesn't necessarily have to be applied all at once, hopefully this risk-management guide can help facilitate the decision-making process for you by providing a fundamental framework to build on and adapt to your own situation.