Vantage News: What is a physical security assessment?
Chad Shade: A physical security assessment is an evaluation of the security plans and measures at a location, campus, or multiple sites, depending on the client.
VN: What is assessed? What are you looking for?
CS: The assessment encompasses all items related to physical security. We are generally looking at ways to protect people and property from unwanted entry, loitering, theft, and acts of violence. We look at entry/exit points, video surveillance, card readers, intrusion detection, perimeter fencing, policy/procedures, guards, environmental design, things like that. We also assess what is happening at the site itself, whether it is critical infrastructure, high profile, controversial, or a storage location for sensitive items. Not only do we look at the location, but we look at what is going on outside the site.
We conduct an area crime analysis to provide a view into what is going on in and around the property as well. We look at proximities to nearby possible high-risk locations such as chemical processing plants, correctional facilities, military bases, concert venues, etc. Sometimes the location itself is low risk, but spill-over might occur from outside influences and that needs to be taken into consideration.
VN: Is there a memorable security deficiency that stands out to you?
CS: One that comes to mind was a client that had an unmonitored lobby with an unsecured visitor sign-in book and unsecured official visitor badges. That set-up could allow someone to easily review the log to see who is visiting (corporate espionage, business intelligence, stalking, blackmail, etc.). Another problem was the unsecured self-issued badges, which could allow someone to apply one to themselves and, through social engineering tactics, gain entry into the building. This was a finding that seemed minor, but could have major implications if exploited.
VN: How do you conduct a physical security assessment?
CS: We use a scale and a matrix that rates the level of risk, current mitigations, and overall security posture. The risk rating takes into account the profile of the site, operations, crime rate, and proximity to high-risk locations. The mitigations rating accounts for the security measures in place (access control, video surveillance, guards, etc.). The overall rating blends the risks versus the mitigations to provide an overall risk rating. I’ll use a cash vault as an example to explain.
A cash vault is an obvious high-risk location due to its storage of cash, but if it has cameras, armed guards, barbed wire fence with intrusion detection, sally ports, etc., this will lessen its overall risk rating because numerous measures to protect the site have been implemented.
We use the rating indicators as guides along with other considerations such as whether the site is public or private, client budget constraints, and organizational culture. We make recommendations that fit the client and will provide a number of options to select from. Our recommendations are ranked according to priority level and placed on a matrix; this allows clients to easily see which items are high priority versus medium and low.
VN: Who needs physical security assessments? Is it only for places that are “high risk”?
CS: A physical security assessment has value for all types of organizations, public and private, large and small. Many sites that are commonly thought of as “high risk” already have some mitigations in place. This isn’t to say there can’t be room for improvement though. We find that many facilities that are significantly lacking security measures are businesses that think they are “low risk” or haven’t had anything happen. That’s probably the biggest error I see: organizations waiting until an event occurs to seek an assessment. A security assessment should be done on the front end in order to stop or reduce the chances of something happening. Don’t wait, mitigate.
VN: What can a client expect to get with a physical security assessment?
CS: At the end of the assessment, a final report is produced. This report outlines the area crime analysis, deficiencies, recommendations, and suggested next steps. We include matrices, floor plan markups, and photos to make the report easier to understand and visualize.
VN: What are some typical “next steps”?
CS: Each project is different, each client is different, so there are no “standard” next steps, but some common ones are security system design, integrator selection assistance, oversight of system installation, policy/procedure development, and training. We offer all these services to help our clients from start to finish.