Feel secure about vulnerability assessments

Take advantage of some pointers from security professionals

By Frank Pisciotta, Business Protection Specialists, and Deborah Allen, Potash Corp.

2 of 3 1 | 2 | 3 View on one page

Preparing your SVA

Six tips for SVA success
1. Plan the activity well in advance; senior leadership should communicate to the entire organization about the assessment and seek candid input.
2. Ensure the full support and authorization of management before proceeding with the SVA.
3. Insist upon data that are verified and complete. Consider the use of a scenario worksheet in documenting the information in your SVA. (Figure 2 shows a sample worksheet.) Such a form will greatly aid in getting your information organized in the way it will need to be entered into CSAT at the conclusion of the SVA.
4. Keep the objectives and scope concise; DHS will provide structure in the initial written communication after the Top Screen is complete.
5. Staff the team with people knowledgeable of and experienced at the process they are reviewing (release, theft/diversion, etc.).
6. Use a team leader who is skilled in the SVA process methodology so it can be properly facilitated.
DHS’s identification of the chemicals of interest and the risks associated with them will provide the focus for your SVA. Doing it doesn’t have to be an onerous task. Selecting the right people and proper pre-planning can make the process operate very smoothly (see sidebar). To make the most of your assessment, it’s important to understand each of the required steps and their associated best practices:

Asset characterization. This involves the identification of critical assets (done in the Top Screen), evaluation of existing countermeasures and quantification of the severity of consequences. The severity of the consequences and asset attractiveness are used to screen the facility assets into those that require only general security countermeasures versus those that require more specific actions; protection levels must be spelled out in your site security plan. As soon as possible identify the scenarios that will be addressed in your SVA (i.e., release, theft/diversion, etc.) because the remainder of the SVA will focus on the risk associated with these scenarios.

Threat assessment. This determines the estimated general threat level, which varies as situations develop. Depending upon the threat level, security measures greater than baseline ones likely will be necessary. While threat assessments are key decision-support tools, always bear in mind that such assessments, even if updated often, might not adequately capture emerging threats posed by some adversaries. No matter how much we know about potential threats, we’ll never know that we have identified every threat or that we have complete information even on the threats about which we are aware.

Vulnerability assessment. The identification of security vulnerabilities underpins the validity of the whole process. Existing security measures must be evaluated to ensure they are being managed in a manner that provides the most value to the organization. Ultimately, the deliverable of this phase is the assessment of the level of effectiveness in reducing vulnerability and meeting applicable risk-based performance standards. This is the phase where your security professional should be doing most of the work.

Risk analysis. This includes a determination of the relative initial degree of risk to the chemicals of interest in terms of the expected effect on each critical asset and the likelihood of the success of an attack; it typically is represented in a matrix.
Improvement (risk reduction) is derived from identifying additional countermeasures that can be applied to:
• reduce the probability of a successful attack on a chemical of interest;
• enhance the degree of risk reduction;
• increase the reliability/maintainability of security; and

2 of 3 1 | 2 | 3 View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments