Security Audits Build a Baseline of Knowledge
The security audit provides a detailed evaluation and a strong baseline of knowledge about a building. It can also be targeted to mitigate a particular threat, perhaps workplace violence. The audit, depending on its level of complexity, goes by a number of different names, including "security survey" and "vulnerability and risk assessment."
In the absence of a security audit, you, as a facility manager, may have had a ready answer to the question: How secure is your building? But was your answer based on a detailed look — or simply an impression? Have you, for example, taken a close look at how well (or poorly) you use one of the great crime deterrents, lighting? How about the location of glass in walls, windows, and doors? Are the doors really closing as they should? If you're confident in your access control system, maybe you'd be a little less so if you knew that a security consultant has a $50 device he says can easily penetrate most systems. And have you considered how an untrained employee can screw up the best security plan?
Bo Mitchell, president of 911 Consulting, sees a security evaluation as providing a "common platform for discussion with the CEO," since Mitchell insists on bringing top management into his onsite visits.
The audit's value is that it helps a company understand what it has in place and whether existing measures are working as planned, says consultant Kevin Doss, president of Level 4 Security. "You can put in a video camera for surveillance purposes," he says, "but unless you conduct an audit, can you be sure it's working as intended? Does it work at night? Does it work when it snows or rains?"
Experts often draw a distinction between the security audit, sometimes called a security survey, and a vulnerability and risk assessment, often called a TVRA (threat vulnerability risk assessment). The latter is more involved, more quantitative, and more expensive. A facility must decide what it wants and what it's willing to pay.
For Doss, the security audit is largely qualitative and means examining processes, procedures, and equipment as they are now and comparing them to what an organization thinks it has. It makes sure the system is working as intended, asking, for example: Is the access control system allowing in the people who belong there and keeping out those who don't? The on-site inspection can often be done in a day, followed by report-writing time.
A risk assessment, he says, can take a month or more and has more scope and detail, considering such matters as whether the countermeasures currently in place are effective; the variety of external, internal, and passive threats that might exist; whether the organization is adequately protected from them; and the consequences if critical assets are lost. This more detailed level of study can involve meetings and phone calls with local and federal authorities. (As an example of a rather complex assessment, Doss was part of a team that assessed the entire 51 miles of the Panama Canal zone over nine months, evaluating everything from water treatment and power distribution to the canal locks and hydroelectric dams.)