Feel Secure about Vulnerability Assessments

Take advantage of some pointers from Security Professionals

By Frank Pisciotta, Business Protection Specialists, and Deborah Allen, Potash Corp.



Six tips for SVA success
1. Plan the activity well in advance; senior leadership should communicate to the entire organization about the assessment and seek candid input.
2. Ensure the full support and authorization of management before proceeding with the SVA.
3. Insist upon data that are verified and complete. Consider using a scenario worksheet to document the information in your SVA (Figure 2 shows a sample worksheet). Such a form will greatly aid in organizing your information the way it will need to be entered into CSAT at the conclusion of the SVA.
4. Keep the objectives and scope concise; DHS will provide structure in the initial written communication after the Top Screen is complete.
5. Staff the team with people knowledgeable of and experienced in the process they are reviewing (release, theft/diversion, etc.).
6. Use a team leader who is skilled in the SVA process methodology so it can be properly facilitated.

Threat assessment. This determines the estimated general threat level, which varies as situations develop. Depending upon the threat level, security measures beyond the baseline likely will be necessary. While threat assessments are key decision-support tools, bear in mind that such assessments, even if updated often, might not adequately capture emerging threats from some adversaries. No matter how much we know about potential threats, we can never be certain that we have identified every threat, or that we have complete information even on the threats we are aware of.

Vulnerability assessment. The identification of security vulnerabilities underpins the validity of the whole process. Existing security measures must be evaluated to ensure they are being managed in a manner that provides the most value to the organization. Ultimately, the deliverable of this phase is the assessment of the level of effectiveness in reducing vulnerability and meeting applicable risk-based performance standards. This is the phase where your security professional should be doing most of the work.

Risk analysis. The initial, relative degree of risk to each chemical of interest is determined from the expected consequence of an attack on each critical asset and the likelihood that the attack succeeds; it typically is represented in a matrix (Figure 1).

Improvement (risk reduction) is derived from identifying additional countermeasures that can be applied to:

  • reduce the probability of a successful attack on a chemical of interest;
  • enhance the degree of risk reduction; 
  • increase the reliability/maintainability of security; 
  • decrease the consequences of an event.

Risk is reassessed after proposed countermeasures are applied to the scenarios addressed in your SVA. Measures accepted by management must then be incorporated into your site security plan.
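The risk-analysis, countermeasure and reassessment steps above can be modelled as a small scenario worksheet. The following Python is an added illustration, not code from the article, CSAT or DHS: the 1-to-5 likelihood and consequence scales, the risk-band thresholds, and the chemicals, assets and countermeasures are all assumptions made for the example. It scores each scenario's initial risk from the matrix, applies only the countermeasures management has accepted, re-scores residual risk, and lists the scenarios that still sit above the acceptable band and therefore must be carried into the site security plan.

```python
"""Scenario worksheet model for an SVA: score initial risk, apply the
countermeasures management accepted, and re-score residual risk.

Added illustration; the scales, thresholds and scenario rows below are
assumptions for the example, not values from CSAT, DHS or the article."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed 1..5 ordinal scales (not the DHS scales).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Assumed risk bands over the matrix cell likelihood * consequence (1..25).
BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "very high")]
BAND_NAMES = [name for _, name in BANDS]


def risk_score(likelihood: int, consequence: int) -> int:
    """Cell of the risk matrix: likelihood x consequence, both 1..5."""
    for value in (likelihood, consequence):
        if not 1 <= value <= 5:
            raise ValueError(f"level out of range: {value}")
    return likelihood * consequence


def risk_band(score: int) -> str:
    """Map a matrix cell to its (assumed) qualitative band."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass
class Countermeasure:
    name: str
    likelihood_reduction: int = 0   # lowers probability of a successful attack
    consequence_reduction: int = 0  # lowers consequences of an event
    accepted: bool = False          # only management-accepted measures count


@dataclass
class Scenario:
    chemical: str
    asset: str
    mode: str                       # "release", "theft/diversion", ...
    likelihood: int
    consequence: int
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def initial(self) -> Tuple[int, str]:
        score = risk_score(self.likelihood, self.consequence)
        return score, risk_band(score)

    def residual(self) -> Tuple[int, str]:
        """Re-score with accepted countermeasures applied; levels floor at 1."""
        accepted = [c for c in self.countermeasures if c.accepted]
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in accepted))
        con = max(1, self.consequence - sum(c.consequence_reduction for c in accepted))
        score = risk_score(lik, con)
        return score, risk_band(score)


def reassess(scenarios: List[Scenario]) -> List[Tuple[Scenario, int, int]]:
    """(scenario, initial score, residual score) for every worksheet row."""
    return [(sc, sc.initial()[0], sc.residual()[0]) for sc in scenarios]


def open_items(scenarios: List[Scenario], max_acceptable: str = "medium") -> List[Scenario]:
    """Rows whose residual risk still exceeds the acceptable band; each of
    these must be addressed in the site security plan."""
    limit = BAND_NAMES.index(max_acceptable)
    return [sc for sc in scenarios if BAND_NAMES.index(sc.residual()[1]) > limit]


# Constructed worksheet rows (illustrative only, not a real facility).
WORKSHEET = [
    Scenario("chlorine", "rail car unloading station", "release",
             LEVELS["high"], LEVELS["very high"],
             [Countermeasure("perimeter intrusion detection", likelihood_reduction=1, accepted=True),
              Countermeasure("automated isolation valves", consequence_reduction=2, accepted=True)]),
    Scenario("ammonium nitrate", "bulk warehouse", "theft/diversion",
             LEVELS["medium"], LEVELS["high"],
             [Countermeasure("inventory reconciliation", likelihood_reduction=2, accepted=False)]),
    Scenario("sulfuric acid", "tank farm", "release",
             LEVELS["low"], LEVELS["medium"], []),
]

if __name__ == "__main__":
    for sc, before, after in reassess(WORKSHEET):
        print(f"{sc.chemical:18} {sc.mode:16} {before:>2} ({risk_band(before)})"
              f" -> {after:>2} ({risk_band(after)})")
    print("still open:", [sc.asset for sc in open_items(WORKSHEET)])
```

The point of tracking `accepted` separately is the one the text makes: a countermeasure that was proposed but not accepted by management does not reduce risk on the worksheet, so the ammonium nitrate row stays "high" and is the one that must be carried into the site security plan.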


Figure 2. A form like this can ease data entry into CSAT.


Results of the SVA will be entered into CSAT and will form the basis of the site security plan. In fact, every vulnerability identified in the SVA must be addressed in the site security plan, which is due 120 days after your SVA is complete.

Protecting information
It’s crucial to safeguard Chemical-Terrorism Vulnerability Information (CVI) from disclosure to unauthorized persons. While a company likely will certify only a limited number of employees as able to handle CVI, all employees must know what to do if CVI documents are found unsecured. Staff must be taught to recognize this information by its labeling:

Chemical-terrorism Vulnerability Information
(Placed in the header of each page.)
Each cover page, title page and page within the document should have the following statement inserted: WARNING: This record contains Chemical-terrorism Vulnerability Information controlled by 6 CFR 27.400. Do not disclose to persons without a “need to know” in accordance with 6 CFR 27.400(e). Unauthorized release may result in civil penalties or other action. In any administrative or judicial proceeding, this information shall be treated as classified information in accordance with 6 CFR 27.400(h) and (i).

Any documentation prepared due to your SVA should be labeled accordingly.

A start towards security
These new standards will substantially expand the security requirements for many chemical facilities that have never before been covered under government security guidelines. Clearly, it’s necessary to get a start on them. However, much work by both the private sector and the government will have to be done before all of the high risk chemical facilities in the United States can fully meet the standards.

Frank Pisciotta, CSC, is president of Business Protection Specialists, Canandaigua, N.Y. E-mail him at

Deborah Allen, CPP, is director of product stewardship and security at Potash Corp., Northbrook, Ill. E-mail her at dlallen@potashcorp.com.
