A Security Vulnerability Assessment (SVA) is typically the first-stage requirement of the majority of new and existing Security Legislation now enacted in the U.S. There are good reasons for this, as follows:
Major Benefits of an SVA
- 1). Correct Threat Level Identification:
- It is particularly important in any security environment to know the level of Threat that a facility or organization is facing before considering the various improved security options available, or in simple terms, the who or what that one should be protecting against.
There is a significant difference, both financially and manpower-wise, between protecting facilities from a State Sponsored Terrorist Group as opposed to dealing with theft or another form of criminal act, or a disgruntled employee intent on making a statement against their employers.
- 2). What To Protect Most (Critical Assets):
- As with (1) above, it is also important to identify those Critical Assets that must be protected at all costs (those assets that if compromised, are likely to have the most serious consequences for the organization), given that it is not possible to protect everything.
It is unfortunately true that it is not possible to protect all assets for logistical and financial reasons. Correctly identifying the Threat Level and Critical Assets is essential to then determining Security Design Criteria.
- 3). Security Design Criteria:
- There is no such thing as guaranteed 100 percent security (the ingenuity of the human mind precludes such a goal). Thus it is vitally important to have Security Design Criteria (those specific reasons as to why a certain security system was installed in place of another, and why security devices such as cameras and access control readers were placed at certain locations and not at other points within a facility).
A professional SVA will identify such Security Design Criteria, and allow an entity to defend itself against alleged wrongdoing in the event of an incident. Applying correct design criteria will also, in a majority of cases, avoid unnecessary cost brought about by implementing security systems that are either “overkill,” incorrect for the proposed purpose, or addressing aspects of security that are trivial in nature with costly measures and equipment.
Many clients do not have design criteria of any sort for their facility, and in the event of an incident and court action, one of the first questions typically asked by the plaintiff’s attorneys is “What were the design criteria for the installed security systems?” The inability to answer this question immediately places the defendant in a less than favorable light.
- 4). Findings & Recommendations:
- This is perhaps the most important section of an SVA, as it provides an invaluable assessment of those issues most likely to have serious consequences for the organization.
A professional assessment of such issues is generally based on many years of security industry experience, where the consultant team has experienced first-hand what should be in place in terms of security measures, and what is effective and what is not. The same assessment is also likely to be based on direct experience with current legislation, and knowledge of pending legislation.
Recommendations will also illustrate cost-effective and reasonable methods of addressing such issues, while limiting the security solutions to those necessary to meet specific requirements and/or legislation. Again, a professional SVA prevents “overkill” and excessive cost in dealing with security issues.
- 5). Legislation:
- Since “9/11” there has been extensive Security Legislation (examples of Security Legislation can be found under “Security Legislation” at http://goo.gl/cfLjN) covering many industries, as well as the eight Key Infrastructures identified by the U.S. Government in 1998. Substantial new security legislation is either going through the “House” at this time or is under serious consideration.
As previously stated, it should be noted that the majority of security legislation requires an SVA as the first stage of such requirements. It is anticipated that much of the new security legislation will be modeled on the Department of Homeland Security’s CFATS requirements which include both stringent regulations and penalties for violators of the legislation. It is therefore important to meet new legislation, and not incur financial penalties that can be $25,000.00 per day for each day of violation.
A professional SVA takes into account all current legislation that might apply to an organization, as well as looking at the potential effect of pending legislation so that an organization has time and flexibility to incorporate reasonable solutions into their medium and long-term planning.
- 6). Federal Grant Funding:
- A further benefit of undergoing an SVA is related to applying for Grant Funding. There is a variety of both Federal and Private Grant Funding available at this time that can be used to offset the cost of any required security improvements, etc.
These grants can cover many different areas ranging from training grants, and information technology to advanced electronic security systems that include communications, security management, CCTV Camera Surveillance systems, vehicle control, and others.
There are many examples of Federal grants given to companies located from the Brooklyn Navy Yard, NY, to facilities on a major waterfront area in Illinois, where the grants ranged in value from $150,000 to $1.5 Million and above. A professional SVA is often the single most important document supporting such Grant Applications.
- 7). Customer Confidence:
- Many commercial organizations have utilized an SVA as a means of increasing their customers’ confidence in their ability to provide reliable and protected services and/or product. By instituting an SVA and then commencing an appropriate implementation program based on agreed recommendations of the SVA, the organization communicates through such actions that its customers can have the utmost confidence in their chosen supplier of goods and services.
For instance, Fortune 1000 companies are particularly concerned about the reliability and continued capability of suppliers to continue to provide goods and services in the event of an emergency.
In any type of business environment, it is particularly important for customers or communities served by that organization to have faith and confidence in the provision of expected services, especially during an emergency situation. Loss of Public Confidence with a business entity or service provider can have very serious consequences, and is a major threat to any organization.
- 8). Counter Liability:
- In the event of an incident within an organization or at a facility, the event will almost certainly be followed by a lawsuit that is also likely to allege some degree of Negligence or even Gross Negligence. The inability of the organization or facility to demonstrate that they had already carried out an SVA by a qualified party is likely to be seen as an immediate example of the failing of that entity.
Note: It should be remembered that the implementation of SVA recommendations is not governed by a precise time period, and from experience, many such recommendations can be initiated using existing manpower with minimal cost.
Given the above, it will be exceptionally difficult for any plaintiff legal team to prove any form of negligence where an SVA was performed, and where at least a part of the implementation program is shown to have been underway. An SVA specifically addresses situations which may expose the client to liability.
- 9). Insurance Compliance:
- Insurance companies are now increasingly asking their customers to undergo an SVA as part of the insurance company’s due diligence before setting a premium for that customer. An SVA will provide evidence to any insurer that their client has taken steps to prevent possible liability, including negligence and gross negligence, as well as meeting legislation requirements, and identifying potential security problems.
Provided that there is some intent to implement recommended measures over a period, the client may see a discounted insurance premium, or avoid the substantial increase in the insurance premium that could apply had they not carried out an SVA.
- 10). Development of a Phased Solution:
- An SVA provides an opportunity for a client to address potential security problems in a flexible manner, and over a phased implementation period. In many cases, it is possible to develop a phased timetable of implementation based on asset protection priority, and over several years.
It also allows a client to incorporate security requirements, whatever they might be, and whether it is to meet legislation or prevent possible liability, over a period of years, thus easing the financial strain of having to meet security requirements in a hurry following an incident, etc.
- 11). Emergency Planning & Preparedness:
- One of the byproducts of a professional SVA is typically the updating of any Emergency Response Plan, not to mention the correct identification of critical assets within an organization or facility. Knowing the full extent of potential consequences of given actions, an organization is thus able to better respond to an emergency with appropriate resources at minimal cost, and to be able to demonstrate their overall preparedness for such emergencies.
Emergency Planning & Preparedness will also typically include a section on dealing with an “Active Shooter” event and having a program in place to counter such an incident. This in itself, given the number of active shooter incidents that have taken place in just the last 12-14 months, will often justify the more than reasonable cost of a Security Vulnerability Assessment.
Special Note: Where cost of an SVA is a major issue, it should be noted that Wivenhoe Management Group have now developed an alternative Security Oversight Assessment that provides 70% of the deliverables of an SVA, including all key items, for half the cost of a typical SVA.
- 12). Measured Response:
- Where an SVA has correctly identified the credible Threat Level, Critical Assets, and likely consequences of criminal, terrorist, or negative insider actions, an organization or facility can deploy the appropriate resources to address those situations.
From experience, a measured response that takes into account the findings and recommendations of an SVA is likely to be far more effective, and also more cost-effective, than it would be without the benefit of such information.