Security Assessment Versus Security Audit
It is not
often that security organizations purchase professional security
services. Perhaps once every five to ten years. As such, consumers
may not know exactly what service to request to best align to their physical
security needs. This article is intended to clarify the difference
between a security audit and a security assessment for organizations trying to
validate the effectiveness of their security program to enable the appropriate
choice to be made when the time comes.
Let’s start with two questions
managers should ask themselves about their security program:
1. Are
we doing the right things to protect our people, assets and information?
2. For
the things we are doing in our security program, are we meeting the commitments
we have made to security and are we doing things in a way that achieves
desirable outcomes?
The security audit answers the second
question, and the security risk assessment answers the first. Let’s start
with a view of the many things that should be looked at to determine security
adequacy. The following formula illustrates the three areas of security risk
that are typically analyzed.
Risk
= Threat + Consequence + Vulnerability
A security audit is only going to be
focused on one of these elements of the security risk formula as shown
below. An audit is not necessarily designed to diagnose criminal and
terrorist risk, but certainly mitigates non-compliance risk.
Risk = Threat + Consequence + Vulnerability
(or effectiveness of security)
Security
Audit Focus
Security
Audit –By comparison, a security audit is probably the easiest methodology to
execute for the consultant as it is simply a verification that all security
measures which are supposed to be in place are in fact in place, functioning
and documented correctly. The security audit will focus on the
effectiveness of security or confirm whether vulnerability is being properly
mitigated. This as opposed to a security risk assessment which is
intended to be much more diagnostic and predictive into the future, typically
five years or more. The security audit is a point in time check
only. If the basis of design for the security program is incorrect, the
audit may not shed light on this. However, the security audit is an
important tool in the toolbox as an agent of positive change to protect people,
assets and information. Refer also to Physical Security Audit for
a video discussion by a Certified Security Professional and Certified Security
Consultant.
The challenge when organizations ask
for an audit and have no established security standard, what is the security
professional using as the benchmark against which the security audit results
will be measured? Some considerations if you face this common scenario:
·
If your organization does not have a
set of security standards, you must ask your prospective security professional
what methodology will be used to audit your organization. Ask to see the
methodology so that you can review it and ensure you will be satisfied with the
outcome. Will it cover all the necessary elements of your physical
security program? For instance, at a minimum, a proper physical security
audit should include within its scope thee following (note this list is by no means
all inclusive):
o Governance
o Access
control – site perimeter, building perimeter, restricted internal areas
o Security
systems installation, operation and maintenance
o Security
related policies and procedures
o Security
awareness training and education
o Information
protection
o Asset
protection
o Security
officer utilization (if applicable)
o Competency
of non-security persons in key security roles
o Crisis
and emergency management protocols
o Security
change management
·
If you are going to request an audit
from an outside security professional without having organizational security
standards, you will want to ensure that the security professional has some
experience in the following areas:
o Prior
similar work within your industry (for example, if you are a chemical plant,
the consultant should have some level of experience in the oil, gas or chemical
arena).
o Setting
up corporate or global security programs for organizations.
o Reporting
out on audits with a methodology that supports a stratification of the
findings. Some findings are going to be more important than others. There
should be a means to classify gaps. For instance, the following
definitions for high and lower priority observations and findings is shown
below.
Findings –
represent clear departures from, or exceptions to, existing applicable federal
or state laws or established audit security standards, where such departures or
exceptions can be confirmed. Exceptions may include any issues that were
previously discovered in prior audits that are still open or were improperly or
incompletely closed.
Suggestions –
represent options for enhancing the plan and/or plant security to reduce the
possibility of any exceptions or vulnerability to a security incident in the
future.
Another caution is the type of audit
that conducted as this will have a direct correlation to the validity of the
outcome. Two types of audits are discussed below.
First-Party
Audits
First-party audits are often called
self-audits. This is when someone from the organization itself will audit a process
or set of processes to ensure it meets the expectations set forth in the audit
protocol. This person would typically be an employee of the organization.
In some cases, particularly under some counter-terrorism regulations such
as the Marine Transportation Security Act (MTSA), first party audits are
prohibited and persons with any affiliation with the security program may not
audit the program.
A first party audit might be
appropriate as a rehearsal for a more robust audit conducted by a third party.
Otherwise it could be argued that there could be a potential conflict of
interest by auditing oneself.
I would consider an audit by an
internal audit group to be a step up from the self-audit as the internal
auditors are typically strict and objective. The problem with internal
auditors doing physical security audits is the lack of knowledge of the subject
matter. If internal auditor is going to be involved in physical security
audits, it is important to carefully script what will be their scope so that
they are looking at things they can fairly judge that are simple and high
impact.
Third-Party
Audits
A third-party audit occurs when a
company hires an independent entity to perform an audit to verify that the
company is executing a security program consistent with regulatory
expectations, internal standards or the methodology agreed with the auditor up
front. Some would argue that this is the best and most stringent means of
conducting an audit to ensure objectivity. But it also comes with a cost.
To close out the audit discussion,
this type of physical security review is intended to answer the question, “For
the things we are doing in our security program, are we meeting the commitments
we have made to security and are we doing things in a manner that achieves the
desired outcomes?” You state that you do A, B, C and D in your security
program and you have or pay someone to come in and verify that you are doing A,
B, C and D.
The
Security Risk Assessment
Continuing with the A, B, C, and D
discussion, the audit will not necessarily tell you if A, B, C, and D are the
right things to be doing in your security program. To get this type of
diagnostic insight, organizations need to be asking their consultant for a
security risk assessment versus a security audit.
Risk
= Threat + Consequence + Vulnerability
The security risk assessment is going
to analyze all elements of the risk formula shown above. The predictive
nature of the risk assessment is borne out of the threat assessment and pairing
threats with critical assets to formulate future security scenarios that will
be analyzed for consequences (how bad would it be if it occurred) and
vulnerability (how susceptible is the organization to a criminal or terrorist
attack or conversely, how well prepared is thee organization to prevent a
security incident). Risk assessments are forward looking, but of course
will take into account historical security incidents which are one of the best
predictors for future incidents. Security risk assessments can
nicely inform a security master plan versus the security audit which may
generate some findings and corrective actions to remediate shortcomings in
existing security measures.
There are many benefits of a security
risk assessment:
·
Prevent incidents and criminal activity.
·
Compliance with the OSHA General Duty
Clause.
·
Identify to all stakeholders what
needs to be protected, why and from whom.
·
Learn where you can be victimized by
criminals or terrorists.
·
Identify holistic mitigation
strategies to reduce security risk to people, assets and information.
·
Stage implementation of
recommendations at your own pace rather than hastily responding or overreacting
after a security incident.
·
Secure funding for security
improvements by making a compelling business case. (Management will sometimes
react more rapidly to third party recommendations or those that are well
supported with crime and other data analysis).
·
Implement many improvements without a
capital investment. There are always easy, inexpensive and impactful
recommendations that can be implemented at a low or even no cost.
·
Identify emergency scenarios and
calibrate emergency response and business continuity plans accordingly.
·
Defend against frivolous litigation.
The illustration below shows how
scenarios can be analyzed and scored to identify the highest concerns to an
organization.
Security
Audit
·
Point in time assessment
·
Verifies security commitments are
being met
·
Leads to potential action items where
gaps are identified
·
Less expensive typically that a risk
assessment
· Does not validate that the security program is aligned with risk
· Does not provide a basis of design for an organizational security program
Security
Risk Assessment
·
Forward looking methodology
·
Verifies security commitments are
being met
·
Leads to a long-term security master
plan and cost staging
·
More expensive than a security audit
·
Validate that the security program is
aligned with risk
·
Provides a better defense of
conformance to the OSHA General Duty Clause
·
Provides a better defense against
frivolous premises liability claims
·
Provides a basis of design for an
organizational security program
· Enhances crisis management and resiliency
