Showing posts with label Audit. Show all posts

Friday, July 1, 2022

Security Assessment Vs Security Audit


It is not often that security organizations purchase professional security services.  Perhaps once every five to ten years.  As such, consumers may not know exactly what service to request to best align to their physical security needs.  This article is intended to clarify the difference between a security audit and a security assessment for organizations trying to validate the effectiveness of their security program to enable the appropriate choice to be made when the time comes.

Let’s start with two questions managers should ask themselves about their security program:

1. Are we doing the right things to protect our people, assets and information?

2. For the things we are doing in our security program, are we meeting the commitments we have made to security and are we doing things in a way that achieves desirable outcomes?

The security audit answers the second question, and the security risk assessment answers the first.  Let’s start with a view of the many things that should be looked at to determine security adequacy. The following formula illustrates the three areas of security risk that are typically analyzed.

Risk = Threat + Consequence + Vulnerability

A security audit is only going to be focused on one of these elements of the security risk formula as shown below.  An audit is not necessarily designed to diagnose criminal and terrorist risk, but certainly mitigates non-compliance risk.

Risk = Threat + Consequence + Vulnerability (or effectiveness of security)

Security Audit Focus

Security Audit

By comparison, a security audit is probably the easiest methodology for the consultant to execute, as it is simply a verification that all security measures which are supposed to be in place are in fact in place, functioning and documented correctly.  The security audit focuses on the effectiveness of security, or confirms whether vulnerability is being properly mitigated.  This is in contrast to a security risk assessment, which is intended to be much more diagnostic and predictive, typically looking five years or more into the future.  The security audit is a point-in-time check only.  If the basis of design for the security program is incorrect, the audit may not shed light on this.  However, the security audit is an important tool in the toolbox as an agent of positive change to protect people, assets and information.  Refer also to Physical Security Audit for a video discussion by a Certified Security Professional and Certified Security Consultant.

The challenge when organizations ask for an audit without an established security standard is this: what is the security professional using as the benchmark against which the security audit results will be measured?  Some considerations if you face this common scenario:

- If your organization does not have a set of security standards, you must ask your prospective security professional what methodology will be used to audit your organization. Ask to see the methodology so that you can review it and ensure you will be satisfied with the outcome.  Will it cover all the necessary elements of your physical security program?  For instance, at a minimum, a proper physical security audit should include within its scope the following (note this list is by no means all inclusive):
  - Governance
  - Access control – site perimeter, building perimeter, restricted internal areas
  - Security systems installation, operation and maintenance
  - Security related policies and procedures
  - Security awareness training and education
  - Information protection
  - Asset protection
  - Security officer utilization (if applicable)
  - Competency of non-security persons in key security roles
  - Crisis and emergency management protocols
  - Security change management

- If you are going to request an audit from an outside security professional without having organizational security standards, you will want to ensure that the security professional has some experience in the following areas:
  - Prior similar work within your industry (for example, if you are a chemical plant, the consultant should have some level of experience in the oil, gas or chemical arena).
  - Setting up corporate or global security programs for organizations.
  - Reporting out on audits with a methodology that supports a stratification of the findings. Some findings are going to be more important than others, so there should be a means to classify gaps.  For instance, definitions for higher and lower priority observations and findings are shown below.

Findings – represent clear departures from, or exceptions to, existing applicable federal or state laws or established audit security standards, where such departures or exceptions can be confirmed.  Exceptions may include any issues that were previously discovered in prior audits that are still open or were improperly or incompletely closed.

Suggestions – represent options for enhancing the plan and/or plant security to reduce the possibility of any exceptions or vulnerability to a security incident in the future.

Another caution is the type of audit that is conducted, as this has a direct bearing on the validity of the outcome.  Two types of audits are discussed below.

First-Party Audits

First-party audits are often called self-audits. This is when someone from the organization itself audits a process or set of processes to ensure it meets the expectations set forth in the audit protocol.  This person would typically be an employee of the organization.  In some cases, particularly under some counter-terrorism regulations such as the Marine Transportation Security Act (MTSA), first-party audits are prohibited and persons with any affiliation with the security program may not audit the program.

A first-party audit might be appropriate as a rehearsal for a more robust audit conducted by a third party.  Otherwise, it could be argued that auditing oneself presents a potential conflict of interest.

I would consider an audit by an internal audit group to be a step up from the self-audit, as internal auditors are typically strict and objective.  The problem with internal auditors doing physical security audits is their lack of knowledge of the subject matter.  If an internal auditor is going to be involved in physical security audits, it is important to carefully script their scope so that they are looking at things they can fairly judge: items that are simple and high impact.

Third-Party Audits

A third-party audit occurs when a company hires an independent entity to perform an audit to verify that the company is executing a security program consistent with regulatory expectations, internal standards or the methodology agreed with the auditor up front.  Some would argue that this is the best and most stringent means of conducting an audit to ensure objectivity.  But it also comes with a cost.

To close out the audit discussion, this type of physical security review is intended to answer the question, “For the things we are doing in our security program, are we meeting the commitments we have made to security and are we doing things in a manner that achieves the desired outcomes?”  You state that you do A, B, C and D in your security program and you have or pay someone to come in and verify that you are doing A, B, C and D.

The Security Risk Assessment

Continuing with the A, B, C, and D discussion, the audit will not necessarily tell you if A, B, C, and D are the right things to be doing in your security program.  To get this type of diagnostic insight, organizations need to be asking their consultant for a security risk assessment versus a security audit.

Risk = Threat + Consequence + Vulnerability

The security risk assessment analyzes all elements of the risk formula shown above.  The predictive nature of the risk assessment comes from the threat assessment: threats are paired with critical assets to formulate future security scenarios, and each scenario is analyzed for consequence (how bad would it be if it occurred) and vulnerability (how susceptible is the organization to a criminal or terrorist attack or, conversely, how well prepared is the organization to prevent a security incident).  Risk assessments are forward looking, but of course take into account historical security incidents, which are one of the best predictors of future incidents.  Security risk assessments can nicely inform a security master plan, whereas the security audit may generate some findings and corrective actions to remediate shortcomings in existing security measures.
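As an added example (not part of the original post, and not the post's own illustration), the following Python script carries the scenario method above through in code: it pairs threats with critical assets to form scenarios, scores each one with the additive formula the post gives, Risk = Threat + Consequence + Vulnerability, and ranks and stratifies the results so the highest concerns surface first. The 1-to-5 rating scale, the threshold of 11 for a high-priority scenario, and the threat, asset and rating values are all constructed assumptions.

```python
"""Scenario scoring for a physical security risk assessment.

Added example, not code from the original post. It follows the post's
additive formula, Risk = Threat + Consequence + Vulnerability, with each
element rated on an assumed 1-5 scale. Threat and asset names and all
ratings below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product

SCALE = range(1, 6)  # assumed rating scale: 1 (low) .. 5 (high)


@dataclass(frozen=True)
class Scenario:
    threat: str
    asset: str
    threat_rating: int   # likelihood / capability of the threat
    consequence: int     # how bad would it be if it occurred
    vulnerability: int   # how susceptible is the organization

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot skew the ranking.
        for name in ("threat_rating", "consequence", "vulnerability"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def risk(self):
        # Additive formula exactly as the post states it.
        return self.threat_rating + self.consequence + self.vulnerability


def build_scenarios(threats, assets, ratings):
    """Pair every threat with every critical asset to form scenarios.

    threats: {threat name: threat rating}
    assets:  iterable of critical asset names
    ratings: {(threat, asset): (consequence, vulnerability)}; a pair with
             no entry is treated as not a credible scenario and skipped.
    """
    scenarios = []
    for threat, asset in product(threats, assets):
        if (threat, asset) not in ratings:
            continue
        consequence, vulnerability = ratings[(threat, asset)]
        scenarios.append(Scenario(threat, asset, threats[threat],
                                  consequence, vulnerability))
    return scenarios


def rank_scenarios(scenarios):
    """Highest risk first; ties broken by consequence, then by name."""
    return sorted(scenarios,
                  key=lambda s: (-s.risk, -s.consequence, s.threat, s.asset))


def stratify(scenarios, high_at=11):
    """Split ranked scenarios into 'high' (risk >= high_at) and 'lower'."""
    ranked = rank_scenarios(scenarios)
    return {"high": [s for s in ranked if s.risk >= high_at],
            "lower": [s for s in ranked if s.risk < high_at]}


# Constructed sample input: three threats paired with three critical assets.
THREATS = {"unauthorized intrusion": 4, "theft of product": 3,
           "workplace violence": 2}
ASSETS = ["warehouse", "control room", "main office"]
RATINGS = {
    ("unauthorized intrusion", "control room"): (5, 3),
    ("unauthorized intrusion", "warehouse"): (3, 4),
    ("theft of product", "warehouse"): (4, 4),
    ("workplace violence", "main office"): (5, 2),
    ("theft of product", "main office"): (1, 2),
}

if __name__ == "__main__":
    for s in rank_scenarios(build_scenarios(THREATS, ASSETS, RATINGS)):
        print(f"{s.risk:2d}  {s.threat} -> {s.asset}  "
              f"(T={s.threat_rating} C={s.consequence} V={s.vulnerability})")
```

With the sample data the control room intrusion scenario scores 12 and tops the list; two scenarios tie at 11 and the tie is broken by consequence, which is a deliberate choice so that the worse outcome is examined first. Skipping threat/asset pairs that have no rating is how the sketch represents the judgement that a pairing is not a credible scenario.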

There are many benefits of a security risk assessment:

- Prevent incidents and criminal activity.
- Compliance with the OSHA General Duty Clause.
- Identify to all stakeholders what needs to be protected, why and from whom.
- Learn where you can be victimized by criminals or terrorists.
- Identify holistic mitigation strategies to reduce security risk to people, assets and information.
- Stage implementation of recommendations at your own pace rather than hastily responding or overreacting after a security incident.
- Secure funding for security improvements by making a compelling business case. (Management will sometimes react more rapidly to third party recommendations or those that are well supported with crime and other data analysis).
- Implement many improvements without a capital investment. There are always easy, inexpensive and impactful recommendations that can be implemented at a low or even no cost.
- Identify emergency scenarios and calibrate emergency response and business continuity plans accordingly.
- Defend against frivolous litigation.

The illustration below shows how scenarios can be analyzed and scored to identify the highest concerns to an organization.

Security Audit

- Point-in-time assessment
- Verifies security commitments are being met
- Leads to potential action items where gaps are identified
- Typically less expensive than a risk assessment
- Does not validate that the security program is aligned with risk
- Does not provide a basis of design for an organizational security program

Security Risk Assessment

- Forward-looking methodology
- Verifies security commitments are being met
- Leads to a long-term security master plan and cost staging
- More expensive than a security audit
- Validates that the security program is aligned with risk
- Provides a better defense of conformance to the OSHA General Duty Clause
- Provides a better defense against frivolous premises liability claims
- Provides a basis of design for an organizational security program
- Enhances crisis management and resiliency

Friday, September 4, 2015

About PSIM

What is PSIM?

PSIM stands for Physical Security Information Management, but the name alone does not explain why it is important. Firstly, the future of all security systems is IP based; this means that CCTV, access control, intruder and fire alarms will be computer based. Analogue and standalone systems are becoming redundant, and technology is moving rapidly towards converging all these IP based systems onto a single software management platform.
Assuming your security systems are IP based, PSIM software packages will make an incredible difference to the way you secure your school, business or public sector space. Facility or building management staff can centralise all systems onto a single platform and remotely manage the building.
The key attributes of a PSIM system are:
1. Collection: Device management independent software collects data from any number of disparate security devices or systems
2. Analysis: The system analyses and correlates the data, events, and alarms, to identify the real situations and their priority
3. Verification: PSIM software presents the relevant situation information in a quick and easily-digestible format for an operator to verify the situation
4. Resolution: The system provides Standard Operating Procedures (SOPs), step-by-step instructions based on best practices and an organisation’s policies, and tools to resolve the situation
5. Reporting: The PSIM software tracks all the information and steps for compliance reporting, training and potentially, in-depth investigative analysis
6. Audit trail: The PSIM also monitors how each operator interacts with the system, tracks any manual changes to security systems and calculates reaction times for each event
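As an added example that is not Sunstone's or any PSIM vendor's code, the following Python sketch implements the Collection, Analysis and Audit trail attributes above in their simplest form: events from separate subsystems are grouped into situations by zone within a time window, each situation takes the priority of its most severe event, and an operator acknowledgement is written to an audit log together with the computed reaction time. The priority table, the 60-second correlation window, the subsystem and zone names and the event feed are all constructed assumptions.

```python
"""Minimal PSIM-style event correlation and operator audit trail.

Added example, not vendor code. Subsystem names, zones, the priority
table, the correlation window and the event feed are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed event severities: 1 is the highest priority.
PRIORITY = {"fire": 1, "intrusion": 2, "door_forced": 2,
            "door_held": 3, "motion": 4}
WINDOW = timedelta(seconds=60)  # assumed correlation window


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # subsystem that raised it: access_control, cctv, fire, pids
    zone: str
    kind: str


@dataclass
class Situation:
    zone: str
    events: list = field(default_factory=list)
    acknowledged_at: Optional[datetime] = None

    @property
    def priority(self):
        # The most severe constituent event sets the situation priority.
        return min(PRIORITY[e.kind] for e in self.events)

    @property
    def opened_at(self):
        return min(e.ts for e in self.events)

    @property
    def sources(self):
        return sorted({e.source for e in self.events})

    def reaction_time(self):
        if self.acknowledged_at is None:
            return None
        return self.acknowledged_at - self.opened_at


def correlate(events, window=WINDOW):
    """Collection + Analysis: group events by zone within a time window.

    An event joins the open situation for its zone if it arrives within
    `window` of that situation's latest event; otherwise a new situation
    is opened. The result is ordered by priority, then by opening time.
    """
    open_by_zone = {}
    situations = []
    for e in sorted(events, key=lambda e: e.ts):
        sit = open_by_zone.get(e.zone)
        if sit is not None and e.ts - sit.events[-1].ts <= window:
            sit.events.append(e)
        else:
            sit = Situation(e.zone, [e])
            situations.append(sit)
            open_by_zone[e.zone] = sit
    return sorted(situations, key=lambda s: (s.priority, s.opened_at))


def acknowledge(situation, operator, when, audit_log):
    """Audit trail: record the operator action and its reaction time."""
    situation.acknowledged_at = when
    audit_log.append({
        "operator": operator,
        "zone": situation.zone,
        "priority": situation.priority,
        "action": "acknowledge",
        "at": when.isoformat(),
        "reaction_s": situation.reaction_time().total_seconds(),
    })
    return audit_log[-1]


# Constructed event feed from four disparate subsystems.
T0 = datetime(2015, 9, 4, 8, 0, 0)
FEED = [
    Event(T0 + timedelta(seconds=5), "access_control", "loading dock", "door_held"),
    Event(T0 + timedelta(seconds=20), "cctv", "loading dock", "motion"),
    Event(T0 + timedelta(seconds=35), "pids", "east fence", "intrusion"),
    Event(T0 + timedelta(seconds=40), "cctv", "east fence", "motion"),
    Event(T0 + timedelta(seconds=50), "fire", "plant room", "fire"),
    # Outside the window of the earlier loading dock events: a new situation.
    Event(T0 + timedelta(seconds=400), "cctv", "loading dock", "motion"),
]

if __name__ == "__main__":
    log = []
    for sit in correlate(FEED):
        print(f"P{sit.priority} {sit.zone}: {len(sit.events)} events from {sit.sources}")
    acknowledge(correlate(FEED)[0], "operator-1", T0 + timedelta(seconds=95), log)
    print(log)
```

The window-based grouping is what turns six raw alarms into four situations, and ordering by priority is what puts the fire at the top of the operator's queue ahead of the fence intrusion. Because the audit log records both the situation's opening time and the acknowledgement time, reaction times per event fall out of the same record used for compliance reporting.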
PSIM is considered essential for control rooms or command and control operations because, provided all the systems are IP based, the software converges all the disparate systems onto a single platform to provide full management. Common security systems integrated onto a PSIM platform are:

- IP Access control systems
- IP CCTV systems
- Fire detection
- Video wall
- Intrusion detection systems
- Perimeter Intrusion detection systems
- Radar based detections
- GIS mapping systems
- Intercom or IP Phone systems
- Automated barriers & bollards
- Building management systems


The aggregated data, information and footage from the various systems provides the operator with the intelligence to effectively manage situations (e.g. fires, intruders) or the day-to-day management of the building (e.g. remote door locking). Ultimately, this means the need for large teams of facility staff can be reduced and the building managed centrally by key operators. A key reason for the development of PSIM has been the technology improvements in the systems listed above, which have allowed software developers to integrate and converge these systems onto single platforms. Technology in security systems is improving dramatically, prices are falling for systems, and the software required to manage them is now available. It really makes sense to move forward and use PSIM to its full potential; let Sunstone help you embrace the future.