Threat and Risk Assessment: What You Need to Know

In today’s day and age, a detailed and comprehensive Threat and Risk Assessment (TRA) is necessary for developing and implementing an effective physical security program. With more sophisticated crime operations spreading across North America every year, security management needs to keep up and address the risks.

A TRA provides a more thorough assessment of security risk than simply taking steps in isolation, such as studying threat statistics, historical data, or conducting a walk-through of the facility. Condor Security consultants can prepare assessments in compliance with applicable standards and industry best practices. They take data and information from a number of methods and combine the pieces together to form an extensive plan for sound security management.

The objective of a TRA is to protect against liability through identifying and understanding the risks facing the client community and property. A TRA aims at identifying exposures by determining potential security weaknesses and taking appropriate action to manage the risks and reduce the impact of threatening events.

Raising Awareness of Risk

TRAs are intended to raise the awareness of risks in an organization. The goal is to reach a level where risk-based decisions are effectively implemented on a continuous basis. TRAs ensure that all information is protected according to its sensitivity.

As a boutique security company, our team can prepare a TRA that is narrow and specialized to areas of particular concern, or one that is broader in scope and covers a multitude of possibilities (including the development of a Business Continuity Plan or Emergency Response Plan).

The objectives and scope of the TRA are carefully outlined. Then the various risks and threats to the assets, systems and environment are systematically identified and quantified. An action plan is formulated on that basis.

The Process

The standard process of a comprehensive TRA consists of asset identification, threat analysis, risk assessment, and risk management. At the asset identification stage, assets are itemized and prioritized. A cost-benefit analysis is a key factor in deciding how to improve security countermeasures.

For each asset, threat analysis is conducted to uncover the potential threats based on historical research and future projections. The root causes of each threat are considered and categorized by how likely damage or harm is to occur.

Information on assets and threats is compared via a risk assessment, which is the stage at which risk patterns emerge. The evaluation considers the likelihood, severity, impact, cost, and time required to return operations to normal.

Risk management consists of providing recommendations and suggestions for improvement based on industry best practices and local laws, acts, and standards. Measures that are cost-effective, realistic and appropriate are taken, including practical mitigation strategies.

Aspects to Consider

  • Controlling secure areas
  • Reviewing access controls
  • Closing up or monitoring non-standard entry points to secure areas
  • Visitor supervision
  • Segregating access points
  • Physical penetration test
  • Random checks for unauthorized items
  • Fire detectors, carbon monoxide detectors, other detectors
  • Best practices for discarding documentation
  • Monitoring and recording via security cameras
  • Measures to prevent unauthorized people from following authorized personnel into a secure area

A number of tools are used in a TRA to assess physical security risk, including law enforcement crime data and statistics for the neighbourhood, spreadsheets, and reports. It is valuable for the security team to speak on the phone or in person with local law enforcement to ask what types of crime are common in the area and what that department's response times are like when a crime is reported.

Institutions should partner with local law enforcement to collect information about which equipment and procedures have worked and which need to be improved. This information can be helpful when making spending decisions regarding resources.

The Importance of a Continuous Presence

Security must be approached on a 24-hour basis. During the day, institutions are often highly conscious of performing checks and guarding reception areas with greeters and other staff. But after hours, secure areas may become more open because the cleaning crew is inside and may prop open a door to a secured area so they do not have to keep opening it. Yet physical security requires constant vigilance.

Penetration testing as part of the physical security risk assessment is very important. In today’s world, the focus of security is often on remote access to systems, but threats can come from criminals using social engineering to access a physical server or console onsite within the building.

Physical vulnerabilities can arise at multiple points of contact along the chain of physical security, and these are the areas that need to be subject to a risk assessment. Reception procedures, locks and access, stairway access, windows and doors must all be covered.

Subcategories of TRAs in the Digital Age

Mobile Security Risk Assessment (MSRA): An assessment of mobile device security measures, such as for smartphones and tablets, and mobile applications.

Application Security Risk Assessment (ASRA): An assessment of the applications and software used on-site, including rogue software downloaded without authorization by employees.

Cloud Security Risk Assessment (CSRA): Assessing the cloud services and assets residing in the cloud.

Information Security Risk Assessment (ISRA): An assessment of the services, operating systems, and systems hardware, including servers, workstations, and network appliances.

Taking the Next Step

Condor Security can also provide a full security audit, which provides additional insight into existing and proposed security infrastructure, including personnel training and performance, applicable procedures and policies, and physical security design. Implementing a full security plan can be less expensive than you may think. Often it is a case of shifting or redistributing resources rather than acquiring new ones.

Insurance rates can be reduced depending on the extent of the security plan, and items or resources purchased for security purposes can be funnelled into tax write-offs. The insights provided by a detailed TRA and other security assessment systems can be invaluable, as they can often save lives. Rather than waiting for a security breach to occur, it is important to focus on prevention and stop a threat before it occurs.

For more information, please call Condor Security at 416 665 1500 or contact us here.