
A PROVEN SECURITY ASSESSMENT METHODOLOGY

R. S. Means

In 2003, R. S. Means published Building Security: Strategies and Cost to assist building owners and facility managers to assess risk and vulnerability to their buildings, develop emergency-response plans, and make choices about protective measures and designs. Building Security includes pricing information for several security-related components, systems, and equipment as well as the labor required for installation.

THE S3E SECURITY ASSESSMENT MODEL AND METHODOLOGY

A clear distinction needs to be made between the sample models presented and the S3E Security Assessment Methodology and its security strategies proposed in this book. The developed design methodology provides a fresh, strategic, systematic approach to security problem-solving

62 STRATEGIES FOR PROTECTING CRITICAL INFRASTRUCTURE ASSETS

that embraces all aspects of business and security-related operations, placing them into perspective. Expanding on the works of others, the framework of the methodology incorporates the very best components from various risk-assessment models and research papers. These components have been integrated into a forensics investigative process that can be effectively applied to any environment.

The second layer, the S3E Security Assessment Methodology (see Exhibit 4.2), shows the detailed breakdown of the process by specific task and the associated interfaces of each program element to be explored.

Each component of the model is transferred into a performance-based, task-driven activity based on the proposition that a threat to a vulnerable asset results in security risk and consequences. Here, the strategic-planning architecture [Elements of Tasks 1, 2, and 3] is customized to meet the dynamic needs of an enterprise, thereby giving the methodology local meaning to stakeholders.

The S3E security-assessment methodology is a systems-level performance-based approach to security problem-solving. In an increasingly complex and dangerous world, enterprises and government agencies of all types require solutions to protect operations, employees, facilities, and proprietary information. The methodology presented offers an explicit approach for achieving these objectives.

The S3E Security Assessment Methodology is a process that encompasses a series of mitigating actions that permeate an enterprise’s activities and reduce the likelihood of an adverse event occurring and having a negative impact. In general, the security assessment is a portfolio that addresses enterprise-wide vulnerability and risk. It addresses “inherent,” or preaction, vulnerability [a weakness that would exist absent any mitigating action] and “residual,” or postaction, vulnerability [that weakness that remains even after mitigating actions have taken place].

The S3E Security Assessment Methodology represents a comprehensive security-management action plan that focuses on evaluating and enhancing an enterprise’s security program from a systems-level perspective:

* It employs a timely approach and a wide variety of complementary strategies, keyed to the security program’s prevention, control, detection, and intervention functional objectives.

* It integrates physical measures, cybersecurity, processes, information, people, facilities, and equipment as well as their internal and external dependencies and the relationship of such dependencies to other critical program elements.


Because it is a performance-based security-assessment methodology, it blends the evaluation and measurement of a mix of facility and land use, operations and processes, procedures and techniques, personnel and efficiencies, and technology effectiveness critical to the security program.

The methodology aims at minimizing exposure to risk and loss in the areas of corporate policies, human resources, security technology, and physical or architectural barriers:

* It is a powerful tool for identifying, evaluating, and controlling risk.

* It permits the consultant assessment team to fold the results of analysis within a larger context of requirements, bringing protective measures into direct alignment with the corporation’s business-continuity-planning initiatives, including emergency-preparedness planning and response and recovery activities.

The S3E Security Assessment Methodology consists of the following indispensable components: strategic planning, program effectiveness, program analysis, and reporting and implementation plan. We’ll discuss each of them in turn.

Strategic Planning

Strategic planning itself has several components.

The internal (or operational) enterprise environment is the institutional “driver” of the security-assessment process. It includes the enterprise’s organizational and management structure, processes that provide the framework for executing services, and the control and monitoring of activities.

Criticality assessment is an asset’s relative importance based on a variety of factors such as mission or function; the extent to which systems, functions, facilities, and resources are at risk; and significance in terms of enterprise security, economic security, or public safety. Criticality assessment is important because it provides, in combination with other factors, the basis for prioritizing those assets that require greater or special protection relative to finite resources and funding.

The threat (or undesirable event) assessment is an assessment of any event that may disrupt, damage, or destroy enterprise systems, functions, and facilities or injure or cause the death of human resources. Threats are acts of terrorism, criminal enterprises, lone wolves, industrial accidents, natural disasters, and other events that would impact business or government operations.


[Exhibit 4.2 diagram. Panels: Operational Environment (Task 1); Commitments; Characterization; Operations - Logistics; Critical Assessment (Task 2); Threat Assessment (Task 3); Enterprise Roles & Responsibilities; Security Capabilities; Barriers & Delay Measures; Detection Measures; Access Control Measures; Assessment Measures; Communications Media; Security Control Center[s]; Response & Recovery.]

Exhibit 4.2 The S3E security assessment methodology


[Exhibit 4.2 diagram, continued. Panels: Security Strategies; Business Losses; Business Disruptions; Business Liability; Partner Organizations; Integrated Transformation; Solution Action Plan; Strategies; Deliverables.]

Exhibit 4.2 (continued)


Program Effectiveness

The components of program effectiveness are discussed below.

The security vulnerability assessment is an assessment of any inherent state (physical, technical, or operational) of a system, function, facility, or resource that can be exploited by an adversary to cause harm, damage, or destruction. Vulnerability is an inherent state to the extent that it is susceptible to exploitation relative to the effectiveness of existing protective measures [PE1]. Residual vulnerability is the inherent state that remains when the mitigation-selection [PE2] process is completed.

Security-risk assessment is a qualitative and/or quantitative determination of the probability of occurrence [PA] of an undesirable event. It includes scenarios under which two or more risks interact, creating greater or lesser impacts.

Program Analysis

Following are the elements of program analysis.

Security-risk characterization involves the application of a graded scale of risk [PA] and the severity of its consequences [C]. Security-risk characterization is the crucial link between security-risk assessment, mitigation evaluation, and mitigation selection, recognizing that not all risks can be addressed as resources and funding are inherently scarce.

Accordingly, security-risk characterization forms the basis for deciding which actions are best suited to mitigate the assessed vulnerability and risk.

Security-mitigation evaluation assesses the efficacy of mitigation alternatives relative to their likely effect on reducing risk, effectiveness of performance, reliability and dependability, and cost-effectiveness.

Reporting and Implementation Plan

Security-risk mitigation is the implementation of prioritized mitigation actions in priority order, commensurate with assessed risk. Depending on risk tolerance, no action may be taken. This is characterized as risk acceptance. If the enterprise does choose to take action, such action falls into three categories: [1] risk avoidance: existing activities that expose the enterprise to risk; [2] risk reduction: implementing actions that reduce the likelihood of impact or risk; and [3] risk sharing: implementing actions that reduce the likelihood or impact by transferring risk to or sharing it with affiliated enterprises and external dependencies. In each category, the enterprise implements actions as part of an integrated “systems” approach, with built-in redundancy that addresses residual risk [the risk that remains after actions have been implemented]. The systems approach then consists of taking actions in personnel [e.g., training, deployment], processes [e.g., operational procedures], technology [e.g., software or hardware], infrastructure [e.g., institutional or operational configurations], and governance [e.g., management and internal control and assurance]. In selecting actions the enterprise assesses their benefits and costs [where the amount of risk reduction is weighed against the cost involved] and identifies potential financing operations for the actions chosen.

Security-mitigation selection involves a management decision as to which mitigation alternatives should be implemented among the possibilities, taking into account risk, the effectiveness of mitigation alternatives, and costs. Selection among mitigation alternatives should be based upon established criteria. Mitigation selection does not necessarily involve prioritizing all resources to the highest-risk area but attempts to balance overall risk and available resources. However, there are as of yet no clearly preferred selection criteria for most infrastructure sectors, although potential factors might include risk reduction, net benefits, equality of treatment, or other stated values.
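The characterization and selection steps described above, as an added worked example in Python (not from the book). The page defines [PA], [C], [PE1] and [PE2] but gives no formula, so the scoring rule risk = PA × (1 − PE) × C, the asset figures, the costs and the budget are all constructed assumptions; the example shows a case where funding the highest-risk asset first is not the best use of a fixed budget.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Asset:
    name: str
    pa: float    # [PA] probability of occurrence of the undesirable event
    c: float     # [C] severity of consequences, graded 0..1 (assumed scale)
    pe1: float   # [PE1] effectiveness of existing protective measures

@dataclass(frozen=True)
class Mitigation:
    asset: str
    name: str
    cost: int    # constructed cost units
    pe2: float   # [PE2] effectiveness once this mitigation is in place

def risk(pa, pe, c):
    # Assumed scoring rule, not stated on the page.
    return pa * (1.0 - pe) * c

def inherent_risk(assets):
    """Risk per asset with only the existing measures [PE1]."""
    return {a.name: risk(a.pa, a.pe1, a.c) for a in assets}

def residual_risk(assets, chosen):
    """Risk per asset after the chosen mitigations [PE2] are applied."""
    pe2 = {}
    for m in chosen:
        pe2[m.asset] = max(pe2.get(m.asset, 0.0), m.pe2)
    # A mitigation never lowers effectiveness below the existing PE1.
    return {a.name: risk(a.pa, max(a.pe1, pe2.get(a.name, 0.0)), a.c)
            for a in assets}

def select_mitigations(assets, options, budget):
    """Exhaustive search: the affordable set with the lowest total residual risk."""
    best, best_total = (), sum(residual_risk(assets, ()).values())
    for r in range(1, len(options) + 1):
        for combo in combinations(options, r):
            if sum(m.cost for m in combo) > budget:
                continue
            total = sum(residual_risk(assets, combo).values())
            if total < best_total - 1e-12:
                best, best_total = combo, total
    return best, best_total

# Constructed sample data (asset names are illustrative only).
ASSETS = [
    Asset("security_control_center", pa=0.5, c=1.0, pe1=0.4),
    Asset("loading_dock",            pa=0.6, c=0.5, pe1=0.2),
    Asset("it_network_center",       pa=0.4, c=0.8, pe1=0.5),
]
OPTIONS = [
    Mitigation("security_control_center", "hardened perimeter", 100, 0.6),
    Mitigation("loading_dock", "vehicle screening", 50, 0.7),
    Mitigation("it_network_center", "access control upgrade", 50, 0.8),
]
BUDGET = 100

if __name__ == "__main__":
    ranked = sorted(inherent_risk(ASSETS).items(), key=lambda kv: -kv[1])
    print("rank order by inherent risk:", ranked)
    chosen, total = select_mitigations(ASSETS, OPTIONS, BUDGET)
    print("selected:", [m.name for m in chosen], "total residual:", round(total, 3))
```

With these numbers the control center ranks highest on inherent risk, yet the budget is better spent on the two cheaper mitigations, which is the balance between overall risk and available resources that the selection step calls for.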

Monitoring and evaluation of security-risk mitigation entails testing, evaluating, and validating the effectiveness of implemented actions against the established strategic objectives and performance measures to ensure that the entire process remains current and relevant, reflecting changes in the mission and operations, processes and people, and threats.

Monitoring and evaluation includes, where and when appropriate: peer review, testing, validation, evaluation of the impact of the actions on future operations, and identification of unintended consequences that in turn would need to be mitigated. The process requires frequent review, restarting the “loop” of quality-assurance assessment, mitigation, and monitoring and evaluation.

The S3E Security Assessment Methodology has successfully been used and refined over the last three decades in over 3,000 security assessments, domestically and internationally. This approach has been exceptionally well received by those enterprises that shun models that are either generic in nature or too confusing to understand. Its thoroughness and specificity help the enterprise better understand and relate to the process and engender a high level of confidence in the professionalism and quality of the approach. The methodology involves working hand-in-hand with enterprise executive management and their staffs to establish the rapport and trust that are vital in performing a security assessment. In the end, the effort produces highly positive analyses that lead to clear, defendable, and workable solutions. This approach is well-suited for large multidiscipline corporations. For smaller enterprises, a scaled-down version of the methodology can be just as effective.

The S3E Security Assessment Methodology helps the enterprise gain a greater awareness of threats and impacts on business operations while formulating a framework to establish a sound security program. It blends the fields of organizational sciences, management theories, operational- and training-need analysis, and the application of security and information technologies into a flexible, responsive, integrated, top-down-bottom-up approach to security problem-solving. These disciplines are folded into the process because feasible solutions must be based on a series of integrated functional operational needs measured against a series of collective risks; otherwise, there is no relationship between identified problems and proposed solutions and therefore no workable solution.

The S3E Security Assessment Methodology determines program status and guides the development of workable solutions. It provides an adaptable capability to determine an enterprise’s critical infrastructure and assets and to examine the strength and weaknesses of the systems, functions, and processes. This is accomplished by combining an analysis of asset functions and their relationships to operations with an assessment of vulnerability and threat against an evaluation of in-place protective measures and by measuring required or discretionary risk-mitigation alternatives that may be implemented to reduce vulnerability and threat to acceptable levels. A flexible six-step process captures the fundamental elements of the methodology. Results are reinforced in the conclusions of a formal report that is management-oriented and designed to prioritize the application of recommended protective measures to reduce vulnerability and threat and improve program effectiveness. The methodology guides the development of well-designed program solutions that are palatable to the culture and operation of an enterprise. It is exceptionally helpful in identifying the enterprise’s security-program strengths and weaknesses to determine whether performance requirements have been met or whether consequences will have to be mitigated or the effectiveness of security increased.

The S3E Security Assessment Methodology presents five distinct benefits:

* First is the flexibility of the methodology, its greatest strength. The experienced investigator is able to adjust the focus of assessment parameters to meet enterprise needs without jeopardizing the integrity of the overall process.

* Second, the objective investigator recognizes that solutions are not always hardware- or software-driven. Experience tells us that creative management measures, progressive business practices, and a motivated workforce can often reduce the scope and cost of scientific and engineering solutions.

* Third, a key value-added benefit of the methodology is how the experienced investigator can apply a four-dimensional perspective to the evaluation of alternatives by bringing together a delicately balanced, integrated solution composed of resources, processes, facilities, and technology into the decision-making process.

* Fourth, when evaluating security risk and business exposure, the methodology does not distinguish between safety issues and security issues. Peter E. Tarlow argues that any problem that affects the wellness of the corporation or its resources is one and the same and that any distinction between these two sides of the coin is mere academic sophistry. Taking it further, the methodology considers safety issues and security issues as integral elements of a larger whole: liability.

* Last, the methodology’s “built-in” quality-assurance review offers the enterprise and the security-assessment teams the immediate opportunity to evaluate judgments and to consider new circumstances and conditions that may evolve or influence judgments already reached in a previous step that now require further investigation.

Quality-assurance reviews may occur at any point during the assessment and analysis process.

The methodology is effective and produces best results when the security-assessment team exercises objectivity through independence of thought and action and zeros in on the problem. The methodology involves the discreet execution of a deliberate, comprehensive, performance-based, forensic investigative technique. It requires a clear understanding and application of several disciplines: risk analysis, business analysis, improvement analysis, process analysis, time-sensitive analysis, operational analysis, performance measurement, testing, auditing, inspection, interviewing, cost analysis, and an extensive background in asset-protection measures including a thorough understanding of the national strategies for protecting the nation’s infrastructure.

The S3E Security Assessment Methodology rests on three key security strategies:

* Enterprise performance standards to accomplish the security mission

* Enterprise security operational capabilities to implement requirements and expectations

* Enterprise security program performance-based standards and metrics to measure the performance effectiveness of the overall security program

Enterprise Performance Standards to Accomplish the Security Mission

When enterprise performance strategies are embraced by executive management, staff, and employees, the process effectively identifies and tears down barriers and obstacles including those that foster “stove pipe” thinking.

Enterprise performance strategies are designed to ensure the establishment of indispensable enterprise security operational capabilities and security program performance-based standards and metrics to measure achievement.

The S3E Security Assessment Methodology has as its foundation those indispensable corporate performance strategies that make up the enterprise infrastructure and give it its purpose. To provide the greatest value to the enterprise, the S3E Security Assessment Methodology embraces six critical and inseparable corporate performance strategies that are the foundation of corporate operations. These strategies, shown in Exhibit 4.3, contribute directly to identifying the strengths and weaknesses of the enterprise’s security program. They provide the foundation for the analysis process and in the selection and implementation of clear, defendable solutions to reduce security risk associated with current, anticipated, or emerging threats.

Enterprise Security Operational Capabilities to Implement Requirements and Expectations

The S3E Security Assessment Methodology also identifies six strategies that are indispensable to the effective performance of a security mission. An effective security program has all six capabilities: deterrence, delay, detection, assessment, response, and recovery. These capabilities permeate all aspects of an enterprise. The significance and interrelationship of these security operational strategies are discussed in Chapter 8, “Evaluate Program Effectiveness.” For the time being, it is only important to know that these elements play a crucial role in preventing a terrorist attack, criminal activity, or other emergency.

Creditability of the S3E Security Assessment Methodology is established in its measurement criteria. To be meaningful, security operational performance capability must have some level of expectation. To be objectively measured, performance must have a clear beginning, a visible process, and a recognizable closure or specific end. The measurement criteria used must be distinct between degrees of strengths and weaknesses in