The Ides of March & Security Plans

2). The second essential component is that of assessing and identifying all true Critical Assets. This is the identification and prioritizing of those company assets that if compromised would affect the normal operation of the facility and likely cause major disruption.

3). The third essential component is that of establishing Security Design Criteria following the determination of the Credible Threat and prioritized listing of Critical Assets and the development of an outline security plan in terms of security systems and measures. Security design criteria establishes where and why security devices such as cameras and access readers, etc., are located.

4). The fourth component is to have security professionals involved in some degree to 1-3 above. 

1). Threat Assessment:

Before investing in new or upgraded security systems and measures, it is important to understand the credible threat facing your facility and organization. 

By assessing the credible threat to the client, it will determine the level of protection required in terms of security systems and measures. Many companies fail to identify their credible threat and as a result may have ended up with the following:

• Invested in Security Systems that were not necessary.
• Installed the Wrong Equipment & Systems.
• Installed Inadequate Security.
• Misjudged their Environment.
• Listened to a Security Entity simply interested in selling as much as possible to the company.
• Considered Security an Unnecessary Expense.
• Failed to comply with OSHA (PER 29) Code 654.

It should be noted that the level of security required to counter a significant threat level as determined by knowledgeable security professionals is substantially greater than that required to protect against lesser situations. However, underestimating the threat level can prove very costly in the event of a serious security incident and Negligent Liability is alleged.

Of further note and where a lawsuit follows a serious security incident, by not having carried out a threat assessment you are allowing the plaintiff for the injured party to develop a host of threats that applied to the situation and which the entity failed to identify and protect its employees against.

2). Critical Assets:

In addition to understanding the Credible Threat Level, it is also important to identify the company’s critical assets. From a security point of view, it is considered logistically and financially very difficult, if not impossible to protect every asset, and thus it is necessary to prioritize, in order of importance, those assets which if compromised would seriously impact the company and result in operation failures.

Critical Assets can include the following:

• Employees – Depending on the specific company, this might include management at various levels, highly experienced individuals in a particular facet of the company, unique individuals with rare knowledge and skills, research personnel, specific groups of employees, engineers, etc.
• Infrastructure – Again, depending on the specific company and industry, this could include research facilities and laboratories, chemical plants, storage vats, engineering centers, offices, storage facilities, critical inventory, special machinery areas, warehouses, and many other types of key structures.
• Formulas and Trade Secrets – This will be more important in some industries and not so important in others. Chemical formulas, food processing formulas, beverage formulas, medication formulas, and other types of formulas that have significant value to a company.

Trade secrets can comprise lists of customers, lists of special inventory items such as rare metals essential to the manufacturing process, financial data that could benefit a competitor, new product data, sales and production plans, acquisition plans, etc.

• Essential Equipment & Machinery

There may be specialized machinery and equipment that if damaged beyond reasonable repair could take long lead times to replace due to availability from manufacturers.

• Essential Inventory

In a similar vein to that above, a company may have inventories that if compromised may be very difficult to replace within the short and medium term.

• Sensitive Data

Sensitive data can range from medical records, confidential reports, notes on current projects, bid documents to lists of access codes, passwords, or any other sensitive data that would be damaging to the company if disclosed to unauthorized third parties.

Sensitive data may also involve a variety of classified materials.

• Server Computers

Most companies now operate computer networks within a facility used for telephone systems, internet connections, computer processing of inventory control, process manufacturing, processing of sales data and so many other vital functions. The server units for all networks should be adequately secure and protected 24/7.

Destruction or serious damage to the servers would cause extensive downtime for the company for a possible extended period.

• Other Critical Assets Unique to the Company

Depending on the type of facility and specialized manufacturing and operation, as well as the industry served, there may be other critical assets that should be identified and prioritized. All critical assets should be incorporated wherever possible into the security plan.

Not knowing these Critical Assets that if compromised could cripple the company or worse, cause the facility to cease operation, and not having them adequately protected within the security plan is likely to leave the company open to legal action from shareholders and employees alike.

3). Security Design Criteria:

Having identified (1) and (2) above and deciding on suitable security systems and measures, ideally with professional assistance and which might involve a variety of security devices such as cameras, door alarms, access control readers, biometric readers, intercoms, gate controls, and other devices, it is important to utilize security design criteria.

In simple terms, security design criteria are the reason why certain security devices are being used, and why items such as cameras, are placed in specific locations, and with specific views.

Having security professionals assess security design criteria based on the results of (1) and (2) above ensures that there are no critical blind spots in necessary camera coverage, that there are adequate devices in the security plan and there are no excessive quantities of devices and equipment and that the company security plan is sound and adequate. 

It also allows the company to avoid negligent liability in the event of a serious security incident and ensuing lawsuit.

4). Engaging Independent Security Professionals:

There are many reasons to utilize experienced security professionals including the following:

• They have substantial experience and expertise in assessing security requirements in a variety of industries and environments.
• They act purely in the best interests of the client who can often be misled by venders and contractors attempting to maximize quantities and types of systems and devices where such practice is not justified.
• Independent security professionals are unbiased in their assessments and recommendations with “no axe to grind” with respect to department politics or individuals seeking upward movement within the company.
• Experienced professionals are likely to have expertise in the company’s specific industry, and with similar security requirements for companies in that industry and possibly the same specialization.
• Many security professionals accept full responsibility for their assessments and recommendations which can prove invaluable in the event of an incident and ensuing legal action.

Even a limited consult with the right security professional before committing to a defined Security Plan can often uncover sections of the plan that should be reviewed before investing costly management time and financial funds into a plan that may not be as watertight as first thought.

Wivenhoe Group consultants are available for limited consults at any time. Write to info@wivenhoegroup.com or click on https://wivenhoegroup.com.