15 March 2004

Terrorism Risk Management for Critical Infrastructure Protection - A Series

By Peter L. Higgins
1SecureAudit LLC

Part V

Asset Identification & Valuation
Priorities for protecting both physical and information assets is obtained through a comprehensive process for enterprise risk management. You must identify the relative importance and value of assets whether they are people, processes, systems or facilities. Business Impact Analysis has three primary actions that must take place:

· Identification and Definition of core business processes to sustain the organization in business
· Identification of critical business infrastructure assets such as:
o Personnel to run the functions and facilities
o Information systems and data
o Life safety systems and safe havens
o Security systems
· Assign a relative protection priority
o High – Loss or damage would have grave consequences for extended time
o Medium – Loss or damage would have serious consequences for a moderate time
o Low – Loss or damage would have minor consequences for a short period of time

Threat Assessment
Once this is completed a thorough threat assessment must take place. This is a continuous process of information gathering, analysis and testing. There are five key elements associated with threat profiles definition and analysis factors:

1. Existence – who or what are hostile to the assets
2. Capability – who or what weapons or means have been used in the past
3. History – what and how often has this occurred in the past
4. Intention – what outcomes or goals does the threat agent hope to achieve
5. Targeting – what is the likelihood that surveillance is being performed on the assets

Next a set of Event Profiles for the threat scenarios must be created. These detailed profiles describe the mode, duration and extent of an incident event as well as mitigating or exacerbating conditions that may exist.

The output of the threat assessment is the determination of threat rating to each hazard and to each asset in the priorities for protection. Assigning a threat rating could be as easy as using high, medium and low as long as you have specifically defined what each one is and also with the use of expert judgment.

One alternative here is to assign a level of protection against the threat itself. This could be arrived at through management decision-making however this is only used where you are assessing potential damage and expected injuries in DOD profiles.

Vulnerability Assessment

The Vulnerability Assessment is next in the process and looks at facilities across a spectrum so that you can determine the protection measures you may use either physically or operationally.

This is done answering questions concerning known and unknown vulnerabilities and involves visual inspection, document review and review of management or organizational procedures.

Visual Inspections encompass evaluation of the site, location, architectural, structural, utilities, communications, information technology, mechanical and plumbing. Investigations should be extended to all third party suppliers who have critical functions in the organizations operations. Document reviews include blueprints, contracts, maintenance records, equipment operation logs and visitor logs. Procedures review may uncover where modifications or alternatives can reduce risk exposure without making substantial changes to the physical structure or location.

Example Questions:
1. What critical infrastructure, government, military or other commercial facilities such as stadiums are in the local area that could impact this location?
2. What is the source of electrical service?
3. Is the parking garage adjacent and at a standoff distance from the main building?
4. What major structures surround the facility?
5. Is high visitor traffic located away from critical assets?
6. What type of construction?
7. Is the structure vulnerable to progressive collapse?
8. What systems receive emergency power and have capacity requirements been tested?
9. Where are the air intakes and how are the air handling systems zoned?
10. What is the method of gas distribution?
11. Are there redundant off-premises fire alarm reporting?
12. Are loading docks, mail rooms and service entrances separated from all critical building mains, including power, water and communications?
13. Do the IT systems meet requirements for confidentiality, integrity and availability?
14. What is the status of the current security plan?

These are just a few of questions that need to be addressed in the vulnerability assessment of the building, facility or infrastructure.

As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount. CxO’s in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises. Now that threats to government and business operations are becoming more prevalent, organizations must plan for every type of business disruption from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

Last part of a five part series.

No comments:

Post a Comment