
TO THE SERVICE ENVIRONMENT

TASK 4-EVALUATE PROGRAM EFFECTIVENESS

Evaluating security program effectiveness identifies gaps in the program, helps prioritize solutions, and builds a platform for program development and implementation. This chapter examines and measures the effectiveness of in-place policies, processes, protocols, and protective measures that an adversary must defeat to carry out his or her mission. It outlines a 12-step approach, related tasks, and their respective interrelationships. The steps follow a logical sequence of analysis but do not necessarily have to be performed in the order given:

Subtask 4A-Status of operating-system features

Subtask 4B-Status of SCADA and distributed-control systems

Subtask 4C-Status of IT network system

Subtask 4D-Status of facility security operations

Subtask 4E-Status of electronic security systems


158 STRATEGIES FOR PROTECTING CRITICAL INFRASTRUCTURE ASSETS

Subtask 4F-Status of security operations methods and techniques

Subtask 4G-Status of information security programs

Subtask 4H-Status of personnel-protection program and human-resources policy

Subtask 4I-Status of practical ability to detect, assess, and respond to incidents

Subtask 4J-Status of security organization structure and management capability

Subtask 4K-Status of security emergency planning and execution

Subtask 4L-Status of security training

The following suggested worksheets are offered to assist in collecting and analyzing program effectiveness:

Worksheet 19-Recording status of current enterprise institutional “drivers” and Performance Strategies

Worksheet 20-Recording status of current physical security effectiveness

Worksheet 21-Recording test and exercise results by organizing sector

EVALUATING PROGRAM EFFECTIVENESS AND ACCOUNTABILITY

Publicly traded corporations whose shareholders demand that management protect their assets ultimately share the same diverse concerns and issues as private enterprises. Among them are:

Duty to care-The inherent responsibility to provide a safe and secure work environment by exercising reasonable and prudent initiatives across the entire spectrum of the corporation

Management-For those corporations that rely on national and international services, global partnerships, on-site expatriate employees, and position-jockeying executives, security issues can be critical to their success or failure

Protection of shareholder interest-The commitment and initiative to meet business goals, market targets, and profit levels as well as providing employees with a positive work environment


Exposure to litigation-The possible increase of legal action being taken against the corporation

Business continuity-The ability to keep the company up and running even during high threat conditions and in particular in the aftermath of a catastrophic attack or disaster

Identifying Program Shortfalls

Program effectiveness is the measurement of the enterprise’s capability to perform its security mission. The process involves analyzing all the data previously collected, reviewing new data, conducting additional interviews, and performing tests and exercises. Under this task existing policies, processes, protocols, and protective measures are analyzed to determine the present effectiveness of the security organization and its dependency partners in preventing terrorist attacks or undesired events and their consequences from occurring. It identifies both the general strengths and weaknesses of the enterprise and those specific to the security organization as well as barriers to performance. The program-evaluation process focuses on providing answers to the following questions:

What are the objectives and strategies of the overall security program and the mission of in-place security systems and other protective measures?

Which facilities, systems, functions, and resources need to be protected?

What is the threat against multifunctional activities and resources?

Which physical, cyber, and procedural protective measures must the insider/outsider adversary defeat to successfully penetrate the protected area, carry out the mission, and effect an escape?

How well do the enterprise institutional “drivers” and performance strategies contribute to the effectiveness of the overall security program?

How well has the enterprise integrated the institutional security operational capabilities into its routine?

What are the restrictions, limitations, and constraints of protection?

The very nature of protecting an enterprise’s infrastructure is a dynamic and evolving process that requires attention to detail and focus, which when applied and integrated into best practices will lead to improved awareness, preparedness, prevention, response, and recovery from acts of terrorism, criminal activities, and natural disasters.

Profiting from the Lessons Learned by Others

While many enterprises profess to implement, operate, and maintain integrated security programs and systems, the results of evaluating thousands of such programs reveal otherwise. This assessment is not an indictment against industry managers. Rather, it is an observation that commercial enterprises simply are not qualified and lack the in-house resources and infrastructure to adequately address or cope with the terrorist threat.

Attempts to develop protective measures at some locations only address symbolic cosmetic solutions at best. Reporting and coordinating an integrated response in many locations are also haphazard. Security measures employed by many enterprises fall short of providing the capability needed to detect an incident during the development stages. Examples of relevant observations include:

More often than not many security programs are comprised of several activities and functions strung together in a rather haphazard fashion with little coherence at the highest level:

• Employees do not buy into the security. This results from a poor security-awareness program, no method of communication to alert employees of an emergency, and no means of telling employees which actions to take in an emergency.

• Enterprise business objectives and goals and OSHA requirements are often not a part of security planning, and security plans and procedures are not kept up to date.

• No designated security leadership is present, and management actions are not integrated. In many locations a “stove-pipe” mindset exists that fosters poor or no security planning.

• Security contracts and agreements throughout the industry are weak. Contract guard forces lack tactical-response and search-and-rescue expertise and adequate training to meet the demands of the security mission.

Most security programs lack standard metrics to evaluate their effectiveness.

• Poor security emergency planning and lack of organization readiness capability are rampant.

• Lack of integrating communications and data networks into security assessments is common.

Electronic security systems are also comprised of several systems and parts that are not integrated:

• Where electronic security system operations are involved, little or no attention is given to human-factors engineering.

• Conflicting security and auxiliary responsibilities distract control-room or equipment operators from effectively performing their primary security duties of monitoring system activity.

• Distractions coupled with inadequate or no system integration create the inability to adequately detect and assess displayed scenes on a console monitor in a timely manner.

• Many enterprises employ cameras that are neither integrated into the access-control or intrusion-detection systems nor viewed at a monitoring station.

• At many locations these cameras are only used as recording devices to review and analyze incidents on a demand basis after the fact.

• Some enterprises do not have an integrated intrusion-detection system that centrally reports alarms to a central security monitoring station. The various reporting configurations observed include security alarms reporting to various operational control centers including facility-management control centers, private alarm-monitoring companies, or the local police station.

Under this reporting configuration it was observed that many security organizations were reliant on third parties to receive and evaluate alarm conditions without providing the security organization with a security activity report. In other instances, third-party alarm-monitoring agencies were responding to an alarm without notifying the enterprise security organization of their actions or the severity of the alarm incident. One example in point was a recent breach of security at a Fortune 500 company that involved the dispatch to the scene of local law-enforcement agencies and the FBI as well as other special first responders and several of the corporation’s senior managers. The incident was detected late on a Friday evening, and the event was broadcast on a national TV network the next day. The enterprise security organization was not made aware of the incident until Tuesday morning. Under this scenario the security organization was unaware of the status of a critical facility it was responsible to protect