You're reading riskVue.

THE WEBZINE FOR RISK MANAGEMENT PROFESSIONALS


The Security Audit: First Line Of Defense In The War On Terrorism (And Other Threats)

By William Irwin, MBA, CPP

Even before September 11, 2001, the most proactive and well-prepared organizations used the security audit as one of many tools to (1) assess the relative strengths and weaknesses of their security efforts, (2) identify and prioritize opportunities for improvement, and (3) document their progress on those objectives. Corporate risk and security managers have teamed up to persuade senior management that credible security audits can demonstrate the company’s seriousness in providing a secure work environment and thus defeat an injured party’s potential charge of negligence. By providing a strong defense to counter legal actions that may follow a security incident, audits can reduce insurance premiums, limit potential liabilities, provide tangible proof of “good citizenship,” and foster positive public relations.

If the ultimate goal of any security program is to protect people and property from harm, then an ongoing security audit process is more than good business, it is an ethical imperative. This becomes self-evident when we look at what happened to Worldcom, Enron, Arthur Andersen, and the growing list of executive graduates from the nobody-will-notice school of enterprise ruination. In each of these cases, the auditing function was turned on its head and, as a result, became part of the problem instead of the solution. The still-unfolding revelations of accounting irregularities in major corporations could have and should have been uncovered by competent audits and corrected before they caused irreparable damage to their stakeholders. Whether an audit is focused on financial controls or security controls, the issues are strikingly similar. Both ensure the ongoing integrity of existing policies and procedures in day-to-day operations, and both help correct problems and deficiencies when they are discovered as a result of the audit. This is especially true for industries that prefer self-regulation (e.g., water utilities, chemicals, and hazardous materials) instead of more Government mandates, whether from the SEC, EPA or Office of Homeland Security. Because most government regulations come about when companies or industries fail to police themselves, auditing is a form of efficient, effective, and economical self-regulation that hopefully precludes the need for government regulation.

Consequently, the security audit has taken on a new level of importance not because the game has changed, but because the stakes are much higher now than before 9/11 and all that has followed in its wake. Many corporate security departments conduct their own internal audits, with an added benefit of integrating themselves into the day-to-day operations of their company. As thorough and competent as those internal audits may be, however, they lack the critical eye of a truly objective outsider. An external auditor can bring new insights and observations that may improve the outcome or, at a minimum, validate the status quo.

Most, if not all, private security companies in North America, as well as a few industry associations and more than a few business consulting firms, offer some sort of security audit — or “Asset Based Vulnerability Checklist” or “Security Vulnerability Analysis” or “Threat Assessment” or similar methodology. Whether you hire an outside resource, download a one-size-fits-all program from the Internet, or do it yourself from scratch, the following comments may be of some use for evaluating your own security audit function.

Getting Started

A logical way to begin is with a set of relevant questions that will probably generate more questions than answers. For example:

(1) Are you an easy target (e.g., a parked car with keys in it) or a difficult target (e.g., a parked car with a burglar alarm)?

(2) What is the range of threats against your location?

(3) What is the likelihood of these threats occurring?

(4) What is the impact of each threat being realized?

(5) What about multiple threats occurring simultaneously?

(6) What is your worst-case scenario?

(7) How do you prioritize multiple sites or targets? Prioritization could depend upon a target being the most vulnerable, most likely, most critical to your operation, most damaging to the environment, most expensive to replace, or most people killed or injured. It’s multidimensional and, therefore, somewhat subjective.

(8) Do you have a counterintelligence program; that is, can you find out what the bad guys (terrorists, criminals, competitors, disgruntled employees) are trying to find out about your vulnerabilities?

(9) How attractive a target is your enterprise in the eyes of the bad guys?

(10) What standards do you audit against — Government, your industry, your own?

(11) Are you ready to personally sign off on the integrity of your security audits?

(12) Does your organization have a policy statement on security signed by the CEO and embraced by the rest of management?

The Human Factor

Before, during, and after the audit, communication among all concerned parties is the single most important ingredient for success. Senior managers should understand and endorse the audit criteria. They and everyone else may need to be reminded (especially when problems arise) that the purpose of the audit is not to assign blame for any shortcomings, but simply to document the current situation, make on-the-spot corrections, and/or develop an action plan for improvements.

The Framework

Most security audits will have three fundamental elements to be examined, separately and as a whole:

(1) Personnel security

(2) Physical security

(3) Information security

Personnel security covers all employees and visitors (i.e., contractors, vendors, customers, applicants, regulators, even trespassers) and includes policies, procedures, education, and training. Physical security consists of architectural design, building construction, doors, windows, lighting, locks, alarms, cameras, guards, receptionists, electronic badge readers, and other hardware from high-tech to low-tech. Information security comprises all sensitive electronic data and communication systems, printed materials, and oral statements made on or off the record.

Rings Of Protection

Many security systems use the “Rings of Protection” concept to determine what level of deterrence is appropriate for the assets and operations being protected. The outer ring is typically the property perimeter, followed by the building exterior and common areas, with some restricted areas or inner rings within the building.

These rings are interconnected and, therefore, should be evaluated collectively. For example, if the property is adjacent to a river or lake, does that natural barrier represent a security strength or weakness? The answer may be, “It depends upon the effectiveness of all the perimeter barriers — fences, gates, closed-circuit TV camera monitoring, etc.” Railroad tracks, pipelines, and utility connections that cross the property boundary should also be identified and evaluated.

Similarly, the level of building access control required for good security will depend partly upon the level of protection existing on the property perimeter. When auditing building exterior and interior controls, be sure to differentiate between employees and visitors and between normal business hours and non-business hours.

In addition, special safeguards should be documented and audited for their effectiveness. These include but are not limited to:

  • Prohibitions on alcohol, illegal drugs, and any kind of weapon
  • Recordkeeping for building keys and access cards
  • Authorization for removing company property
  • Emergency procedures and crisis-management plans
  • Documentation and follow-up on incident reports
  • Internal investigation protocols

The actual scope and structure of your own organization’s audit activity should be tailored to its environment and circumstances. It should be a dynamic process, one that changes with the security needs of the organization. It should be a team effort, involving both the auditor and the audited. And it should be a fully integrated part of the overall management process, with senior leadership as engaged as it is in other important aspects of the enterprise. While companies may vary in their specific needs, the basic security audit is the same. They all need to do the same thing: Make sure they have good rules and good people who follow those rules.

Reference Material

Like any business topic, plenty of information on security auditing is available through books, journals, periodicals, the Internet, the government, and the marketplace. Because the subject can be highly subjective, it is often difficult for a person without a substantive security background to determine what is appropriate for the needs of their organization. One of the best ways to determine what will work for you is to find out what works (or doesn’t work) for others by building your own network.

If your organization has a security professional on board, he or she most likely belongs to the American Society for Industrial Security (ASIS) International. Based in Alexandria, Virginia, ASIS International has a monthly magazine (Security Management), bookstore, library, seminars, and local chapters around the world for members and non-members to increase their knowledge and improve their skills. Contact ASIS International via their Web site at www.asisonline.org or telephone 703/519-6200.

Other readily available resources are your local, county, and state law enforcement agencies. Long before they were involved in homeland security and the war on terrorism, most of these agencies had various crime-prevention programs coordinated by specially trained police officers. While these programs tend to focus on youth, schools, and troubled neighborhoods, they are now expanding to the business community in order to be more effective in protecting the public from every possible danger.

Not so long ago, the above strategy would have seemed a bit “over the top” for most CEOs and their staffs (except, perhaps, their risk managers and security managers). Today we all know better. Regardless of where you are (or think you are) on the security spectrum, an objective and systematic audit can provide a baseline for enhancing your ability to prevent and respond to any threat, even terrorism. 

ABOUT THE AUTHOR

William Irwin is a retired Special Agent of the Air Force Office of Special Investigations and an independent security consultant. He holds an MBA from the University of Saint Thomas in Minneapolis, Minnesota, and a postgraduate diploma in Strategic Intelligence from the Joint Military Intelligence College in Washington, DC. He is also a member of ASIS International and a Certified Protection Professional. E-mail WCIrwin@aol.com or telephone 267-918-8371.

riskVue | The webzine for risk management professionals
October 2002

Copyright ©1999–2008 by Warren, McVeigh & Griffin, Inc.
ISSN 1553-8826