SECURITY VULNERABILITY ASSESSMENT (SVA). Intellectual Property of Win Noor FAQ What is Security...

SECURITY SECURITY VULNERABILITY VULNERABILITY ASSESSMENT ASSESSMENT

(SVA)(SVA)

Intellectual Property of Win Intellectual Property of Win NoorNoor

FAQFAQ What is Security Vulnerability Assessment What is Security Vulnerability Assessment

(SVA)?(SVA)? A process of identifying, quantifying, and A process of identifying, quantifying, and

prioritizing (or ranking) the vulnerabilities in a prioritizing (or ranking) the vulnerabilities in a security system.security system.

Is it the same with Security Audit?Is it the same with Security Audit? No, Security Audit focuses on discrepancies in No, Security Audit focuses on discrepancies in

the implementation of Security System; while the implementation of Security System; while Security Vulnerability Assessment focuses on the Security Vulnerability Assessment focuses on the review of the Security System itself.review of the Security System itself.

Is it similar with Security Risk Management?Is it similar with Security Risk Management? SVA is a part of Security Risk Management. SVA SVA is a part of Security Risk Management. SVA

is the most well-known form of Security Risk is the most well-known form of Security Risk Analysis.Analysis.


Steps: Security Vulnerability Steps: Security Vulnerability AssessmentAssessment

Identify Asset Observe the Environment Identify Threats Identify Existing Countermeasures Calculate risk Generate alternatives of action


Identify AssetIdentify Asset Things of value Needs to be protected:

Tangible CashDocument, Equipment, Goods, Personnel/ManpowerPremises/Building, Vehicle

Intangible Life, Health, Process Image


Observe the EnvironmentObserve the Environment Macro Environment

Employment Rate, Socio-Economic Conditions, Crimes trends Crimes occurring to similar industry,

Micro Environment Demography, Culture, Local Socio-Economic issues, Life-style, Conditions of Adjacent areas Crime occurring in the area


Identify ThreatsIdentify Threats

What can happen? When it can happen? Where it can happen? Who can make it

happen? Why it can happen? How it can happen?


Types of Security ThreatsTypes of Security ThreatsThreat CASH DOC EQUIP GOOD PERS PREMISE VEHICLE OPS

ABDUCTION

ARSON

ASSAULT

BLACKMAIL

BOMB HOAX

BRAWL BREAKING AND ENTERING

DECEPTION

EMBEZZLEMENT

ESPIONAGE

EXTORTION

FORGERY


Types of Security ThreatsTypes of Security ThreatsThreat CASH DOC EQUIP GOOD PERS PREMISE VEHICLE OPS

FRAUDFRAUD

HIJACKING

HOSTAGE SITUATION

INTIMIDATION

MISAPPROPRIATION

SABOTAGE

SHOPLIFTING

TERRORISM

THEFT

TRESPASS

VANDALISM


Identify Existing Security Identify Existing Security CountermeasuresCountermeasures

Elements of Security Countermeasures

Deter

Delay

Detect


Security Management SystemSecurity Management System

Security

System

Physical

Protection

Electronic

Protection

Security

Manning

Procedural

Protection


Security Management SystemSecurity Management System

MANPOW

ER

PERIMETER & ACCESS CONTROL

PROCEDURES & ST

RATEGIESELECTRONIC DEVICE &

SUPPORTING EQUIPMENT

SECURITY MANAGEMENT SYSTEM(SEMS)


ManpowerManpower

Requirements/Competence for Manpower Sentry Guards and Distribution Law Enforcement Intelligence Internal Audit / Business Ethics

Compliance


Perimeter Security and Access Perimeter Security and Access ControlControl

Security Fencing Equipped/Capped with Barbed Wire or Razor Wire

Limiting number of Access Points Limiting personnel provided with access Types of checks on Access Points Illuminations Security Watch Towers Waste Disposal Windows Emergency Doors


Procedures and StrategiesProcedures and Strategies

Recruitment Screening Procedures Access Control Procedures Body Search Procedures Patrol Procedures Key Management Crime Trend Analysis (as basis to determine

strategies) Deterrence Strategies Detection Strategies


Electronic Device and Electronic Device and Supporting EquipmentSupporting Equipment

General ClassificationGeneral Classification

Access Control DeviceAccess Control Device

Detection DeviceDetection Device

Non-Lethal Weapon and Protective Non-Lethal Weapon and Protective EquipmentEquipment


Pedestrian AccessPedestrian Access IdentificationIdentification

ElectronicElectronic Keypad/PINKeypad/PIN Swipe-CardSwipe-Card Magnetic-CardMagnetic-Card Proximity SystemProximity System

Biometric Biometric Finger-printFinger-print Voice IdentificationVoice Identification Retinal and Iris ScanRetinal and Iris Scan


Vehicle AccessVehicle Access

High Security High Security Rising BarriersRising Barriers

Short And Medium Short And Medium Range Rising Range Rising Barriers Barriers


Vehicle Access Cont’)Vehicle Access Cont’) Rising BollardRising Bollard

Road BlockerRoad Blocker


Pedestrian AccessPedestrian Access

Tripod TurnstilesTripod Turnstiles Automatic Gates Automatic Gates


Pedestrian Access (cont’)Pedestrian Access (cont’)

Speed Doors Speed Doors Full Height Full Height Turnstiles Turnstiles


Pedestrian Access (cont’)Pedestrian Access (cont’) Man Trap Doors/ Lock GatesMan Trap Doors/ Lock Gates


Detection DeviceDetection Device Detection on pedestrian and vehicle Detection on pedestrian and vehicle

accessaccess Door/Window Intrusion DetectionDoor/Window Intrusion Detection Perimeter Intrusion DetectionPerimeter Intrusion Detection Area Intrusion DetectionArea Intrusion Detection


Detectors - AccessDetectors - Access Handheld Metal DetectorsHandheld Metal Detectors Walkthrough Metal DetectorsWalkthrough Metal Detectors Bomb Detectors (=Sniffer)Bomb Detectors (=Sniffer)


Door/Window & Indoor Door/Window & Indoor Intrusion DetectionIntrusion Detection

Ultrasonic SensorUltrasonic Sensor Passive InfraredPassive Infrared


Door/Window & Indoor Door/Window & Indoor Intrusion Detection (cont’)Intrusion Detection (cont’)

Photo-Electric Photo-Electric BeamBeam

Microwave SensorMicrowave Sensor


Door/Window & Indoor Door/Window & Indoor Intrusion Detection (cont’)Intrusion Detection (cont’)

Magnetic ContactMagnetic Contact Glass BreakGlass Break


Outdoor Intrusion DetectionOutdoor Intrusion Detection

Buried LineBuried Line Seismic PressureSeismic Pressure Magnetic FieldMagnetic Field Ported Coaxial cablePorted Coaxial cable Fiber Optic cableFiber Optic cable


Outdoor Intrusion Detection Outdoor Intrusion Detection (cont’)(cont’) Video Motion Video Motion

DetectionDetection Bistatic MicrowaveBistatic Microwave


Outdoor Intrusion Detection Outdoor Intrusion Detection (cont’)(cont’) Passive InfraredPassive Infrared Active InfraredActive Infrared


Perimeter Intrusion Perimeter Intrusion DetectionDetection Sensor cablesSensor cables Microwave BarrierMicrowave Barrier


TrackerTracker

GSM/GPRS TrackerGSM/GPRS Tracker Geo-FenceGeo-Fence


Visual AidsVisual Aids

Thermal Imaging / Thermal Imaging / Flash Termo Sight Flash Termo Sight VisionVision

Infra Red Night Infra Red Night Vision GogglesVision Goggles


ExplosiveExplosive Blast WallBlast Wall


Non Lethal WeaponNon Lethal Weapon

Expandable BatonExpandable Baton Point-Blank TazerPoint-Blank Tazer


Non Lethal WeaponNon Lethal Weapon

Pepper GunPepper Gun Long-Range TazerLong-Range Tazer


Protective EquipmentProtective Equipment

Stab-Proof VestStab-Proof Vest


Group DiscussionGroup Discussion

Discuss on specific types of security countermeasures based on categories (Manning, Access Control & Perimeter Security, Electronic Device, Procedures & Strategies) and element types of each countermeasure applicable for certain types of threats


Discussion SheetDiscussion Sheet

Threat Countermeasure Dominant Element


Threat versus Threat versus CountermeasureCountermeasure Is it still possible for threat to succeed with

the existing countermeasure?

Example: External Theft Perimeter Fencing Sentry Guards Intelligence CCTV Motion Sensor Device Access Control Device


Threat versus Countermeasure Threat versus Countermeasure (cont’)(cont’)

Example: Embezzlement Background Check / Screening Life-Style Check Internal Auditing Business Ethics Agreement CCTV in cash vault

After all the existing countermeasures, how high is the possibility for the threat to succeed?

Use of Professional Judgment


Risk CalculatorRisk Calculator


Generating Alternatives for Generating Alternatives for ActionAction Root-Cause Analysis Root-Cause Analysis

Information CollectionInformation Collection AnalysisAnalysis Testing / VerificationTesting / Verification


RCA: Information CollectionRCA: Information Collection

To find the facts on an event, issue, To find the facts on an event, issue, and/or condition. Not (yet) to find the and/or condition. Not (yet) to find the cause, whose fault, or what should cause, whose fault, or what should have happenhave happen

To find signs or symptoms of the To find signs or symptoms of the event, issue, and/or condition. event, issue, and/or condition.


RCA: AnalysisRCA: Analysis

What factors causes the event, issue, What factors causes the event, issue, and/or condition?and/or condition?

Are there more than one factors Are there more than one factors influencing the event, issue, and/or influencing the event, issue, and/or condition? condition?

Why? Why? Why? Why? Why?Why? Why? Why? Why? Why?


RCA: Testing/VerificationRCA: Testing/Verification To ensure that the result from the To ensure that the result from the

analysis is (close to) accurate.analysis is (close to) accurate.

How?How? Re-AnalyzeRe-Analyze Group AnalysisGroup Analysis Run through your colleagues, Run through your colleagues,

subordinates, or superiors.subordinates, or superiors.


SVA ExerciseSVA Exercise

GROUND RULES!GROUND RULES!

Think like a criminal!!!Think like a criminal!!! Don’t just believe what your source Don’t just believe what your source

(from the Assessment Object) tells (from the Assessment Object) tells you. Verify!you. Verify!

Keep yourself an open mind!Keep yourself an open mind!


SVA ExerciseSVA ExerciseASSET IDENTIFICATIONASSET IDENTIFICATION CashCash Document/InformationDocument/Information EquipmentEquipment Goods/InventoryGoods/Inventory PersonnelPersonnel Premises/Building/PlantPremises/Building/Plant VehicleVehicle Business Process/Operations/ActivitiesBusiness Process/Operations/Activities


SVA Exercise (cont’)SVA Exercise (cont’) IDENTIFING THREATS AND MEASURING IDENTIFING THREATS AND MEASURING

LIKELIHOOD TO OCCUR: MACRO ENVIRONMENTLIKELIHOOD TO OCCUR: MACRO ENVIRONMENT

General Perception towards line of businessGeneral Perception towards line of business Threats toward similar business operationsThreats toward similar business operations


SVA Exercise (cont’)SVA Exercise (cont’) IDENTIFING THREATS AND MEASURING IDENTIFING THREATS AND MEASURING

LIKELIHOOD TO OCCUR: MICRO ENVIRONMENTLIKELIHOOD TO OCCUR: MICRO ENVIRONMENT Neighboring AreaNeighboring Area Organizations and Gatherings in the Organizations and Gatherings in the

Neighboring AreaNeighboring Area Adjacent Buildings and LandAdjacent Buildings and Land Community Perception towards Assessment Community Perception towards Assessment

ObjectObject Crime trends and rateCrime trends and rate Traffic and Road condition Traffic and Road condition Closest emergency services and response timeClosest emergency services and response time


SVA Exercise (cont’)SVA Exercise (cont’) IDENTIFING THREATS AND MEASURING LIKELIHOOD TO IDENTIFING THREATS AND MEASURING LIKELIHOOD TO

OCCUR: MICRO ENVIRONMENT (cont’)OCCUR: MICRO ENVIRONMENT (cont’)

PersonnelPersonnel QuantityQuantity Education BackgroundEducation Background Life-StyleLife-Style Security AwarenessSecurity Awareness Recruitment ProcessRecruitment Process Distribution (Location, Work-Shift, Crowded or Distribution (Location, Work-Shift, Crowded or

Scarce)Scarce) Work-ShiftWork-Shift

History of Identified Internal CrimeHistory of Identified Internal Crime Location of AssetLocation of Asset Company Culture and Implementation of Business Company Culture and Implementation of Business

EthicsEthics Implementation of Internal Audits towards Departments Implementation of Internal Audits towards Departments

and Contractorsand Contractors


SVA Exercise (cont’)SVA Exercise (cont’)SECURITY COUNTERMEASURE OVERVIEWSECURITY COUNTERMEASURE OVERVIEW

Perimeter Single/Multiple Perimeter Wall/Fence Wall/Fence type Climbable/Penetrable Adjacent Tree/Pole Waste/Water Disposal Access Security Watch Towers Illumination Intrusion Detection Device (CCTV, Sensors,

IR, Microwave) Patrol


SVA Exercise (cont’)SVA Exercise (cont’)SECURITY COUNTERMEASURE OVERVIEW (cont’)SECURITY COUNTERMEASURE OVERVIEW (cont’)

Pedestrian Access Points (Regular and Emergency Doors) Sentry Guards and competence Climbable/Penetrable Illumination ID verification Intrusion Detection Device (CCTV, Motion

Detection) Visitor Access ProcedureVisitor Access Procedure Body Search ProcedureBody Search Procedure Bag/Carried Item ProcedureBag/Carried Item Procedure Metal DetectorMetal Detector X-RayX-Ray SnifferSniffer



Vehicle Access Sentry Guards and competence Penetrable (availability of Barrier, Speed Bumper,

Road Blocker, or Bollard) Illumination ID verification Intrusion Detection Device (CCTV) Visitor Access ProcedureVisitor Access Procedure Vehicle Search ProcedureVehicle Search Procedure Bag/Carried Item ProcedureBag/Carried Item Procedure Metal DetectorMetal Detector Vehicle Inspection MirrorVehicle Inspection Mirror SnifferSniffer



Internal Pedestrian Access Points ID verification (manual or electronic) Penetrable (locks, type of door, hinges) Illumination Intrusion Detection Device (CCTV) Visitor Access ProcedureVisitor Access Procedure

Windows Penetrable (type of glass, hinges) Illumination Intrusion Detection Device (Glass Break, IR,

Microwave, CCTV)



Corridors and Office Areas Patrols Illuminations Intrusion Detection Device during off-work times (IR,

Microwave, CCTV) Security Awareness of employees Walls and Partitions Employee Population (Dense/Scarce) Key Management Clean Desk Policy Locks for Document Storage Document Labeling and Records Waste Disposal Management Caller IDCaller ID



Open Areas Patrols Illuminations Intrusion Detection Device (Buried Line, IR,

Microwave, CCTV) Security Watch Towers

Limited Access Office Areas Locks and/or ID verification Key Management Intrusion Detection Device (IR, Microwave, CCTV) Waste Disposal Management Access Permit Authorization ProceduresAccess Permit Authorization Procedures Access LogsAccess Logs



Employee Screening Life-Style Company Culture and Implementation of Business

Ethics Security Awareness Program Work Environment Office Politics

Vehicle Driver Requirements and Recruitment Process Trackers Locks Intrusion Sensors and Alarms Glass and Exterior Protection



Storage Areas Sentry Guards and competence Locks and/or ID verification for Limited Access Areas Incoming-Outgoing Procedures Incoming-Outgoing Records/Logs Illuminations Inspections and Monitoring Procedures Internal Audits Intrusion Detection Device during off-work times (IR,

Microwave, CCTV)

Cash-In-Transit Escort Randomized Schedule Insurance Armored Vehicle, or contracted service



Community Community Development ProgramsCommunity Development Programs Intelligence/Information Gathering ProgramsIntelligence/Information Gathering Programs Deterrence StrategyDeterrence Strategy Community Security InvolvementCommunity Security Involvement


SVA Exercise: Threat Identification and SVA Exercise: Threat Identification and Related CountermeasureRelated Countermeasure

Asset Threat Countermeasure


SVA Exercise: Threat Identification and SVA Exercise: Threat Identification and Related Countermeasure (cont’)Related Countermeasure (cont’)

Asset Threat Countermeasure


Risk Calculation: Risk Calculation:

Threat TargetLikelihood To Occur

Likelihood To Succeed

Consequence

Risk

SECURITY VULNERABILITY ASSESSMENT (SVA). Intellectual Property of Win Noor FAQ What is Security...

Documents

Transcript of SECURITY VULNERABILITY ASSESSMENT (SVA). Intellectual Property of Win Noor FAQ What is Security...