Instructions for Completing the Risk Assessment/Security and Safety Planning Instrument

Introduction

The course requirements for CCJS 345, Introduction to Security Management, include the completion of a “Risk Assessment/Security and Safety Plan” as the final project. The project places students in the specific role of a security practitioner in a “real world” security application, giving them the opportunity to demonstrate the security and leadership competencies they acquired and/or enhanced during the course by studying the weekly reading assignments, incorporating into the required writing assignments substantive information regarding security operations and management principles based on diligent and thorough research, and fully participating in all the class security and safety discussion forums. Moreover, in this final project, our students/security practitioners have the occasion to establish their academic credentials and skill in assessing and managing risk, which many security professionals consider their single most important function in protecting assets.

To fully succeed in the final project, our security practitioners must demonstrate their ability to apply risk assessment and management principles and other security planning and operating concepts, policies, and ideas studied in class, particularly those associated with ASIS International’s “General Security Risk Assessment Guideline,” “Security Management Standard: Physical Asset Protection,” Silva Consultants’ “Concentric Circles of Protection,” Foresight Security Risk Management’s “Risk Analysis and the Security Survey,” and other security and safety source documents presented during the eight-week session.

To this end, after receiving a site selection authorization from their company’s “faux supervisor,” the security practitioners will initiate actions to conduct a risk assessment that includes thorough research of the designated organization and its operation; actual site visits to make observations about current security operations, possible risks to assets, and physical and procedural vulnerabilities; and interviews with ranking security or site leadership personnel, if possible. The primary document students will use to collect the information required to write the “Risk Assessment/Security and Safety Plan” is the “Risk Assessment/Security and Safety Planning Instrument” assembled specifically for this course project. The practitioners, or in this case, the security consultants, will record their site observations and take notes as they would in an actual workplace, similar to auditor and investigator “work papers” that often must be produced in regulatory and administrative procedures or other organizational examinations and inquiries to support findings discussed in the issued report. This procedure provides the consultants an opportunity to familiarize themselves with one of many different types of assessment tools used by industry officials in a real world setting. As in the workplace, the instrument will become a part of the consultant’s official project file and must be submitted as a separate document to the Assignments Folder by the project due date. While this document will not receive an individual grade, it will be assessed for the depth to which it is completed as an element of the final project grading rubric. It will also be used to support the findings of the prepared report should that become necessary.

The “Risk Assessment/Security and Safety Planning Instrument” is a significant document that supports a consultant’s pursuit to ascertain the information necessary to write a comprehensive report. A completed instrument must be submitted along with the report to receive a grade for the final project.

Guide to Completing the “Risk Assessment/Security and Safety Planning Instrument”

This security and safety instrument contains a number of questions to which consultants must provide a written response regarding their site security and safety observations and the results of any research conducted in areas for which there were no opportunities to make observations or ascertain information from an organization representative responsive to the particular question. The instrument is not unlike many other security survey checklists used by professionals to record the information they need to write a report. See the reference page for many different examples. The instrument for this project has been enhanced in certain sections to assist consultants with specific references to the course reading assignments relating to risk assessment, mitigation, and management. It also provides consultants with teaching points and examples to facilitate and enhance their learning while completing the project. The instrument is organized in a sequential manner beginning with consultant information and proceeding with the various functional security and safety areas that must be addressed in most risk assessments. There are numerous areas for consultants to write their site observation and independent research notes to be used later when writing the final report.

This instrument is designed to provide consultants the direction necessary to ascertain information required to write a comprehensive report for this course. Consultants will find that other commercial and government risk assessment security survey checklists used by professionals contain many more detailed questions, many of a proprietary nature, which would be “off limits” for our consultants. In fact, consultants will likely be unable to respond to some of the questions listed in this Risk Assessment/Security and Safety Planning Instrument for the same reasons unless they are fortunate enough to identify organization officials willing to provide security information during successfully arranged interviews. Some questions are very sensitive, but are listed to provide consultants examples of the depth and complexity of inquiry required when conducting an authentic security survey for an organization under a contractual agreement and assuming the responsibility for providing accurate results and recommendations.

For this project, consultants will complete the Risk Assessment/Security and Safety Planning Instrument by writing the information requested on the form, beginning with the sections on consultant, general survey, law enforcement, and risk asset evaluation information. Beginning with Section V. Exterior – Site Perimeter, consultants must review and respond to each question by writing Y (yes), N (no), or U (unknown) in the specified underlined area just after the number, after making their site observations or determining the information as a result of independent research. There are also a number of areas where consultants must “briefly describe” the site and facility characteristics, security physical and procedural controls and features, vulnerabilities, and safety issues and ramifications.

As mentioned above, consultants likely will be unable to respond to certain questions and will write U in the specified area. Some questions relate to very important risk mitigation practices and policies and must be addressed, but because it is sensitive and private, the information is not made available to the public. In these situations, where information is unknown, consultants will explain as a note how an organization’s security apparatus can be enhanced in that particular line of inquiry within the framework of the risk management principles learned in class. This information should also be discussed in the final report. For example, organizations may not want to publicize all the areas that are alarmed in the building under review, if any. Alarms are a significant security control that must be addressed, so consultants need to note in the instrument and write in the report, based on their assessment, what they believe should be alarmed in the building given the probability and criticality of the risks identified, as well as the feasibility and cost considerations. Any questions about this should be directed to the consultant’s faux supervisor.

UMUC CCJS 345
RISK ASSESSMENT/SECURITY AND SAFETY PLANNING INSTRUMENT

I. CONSULTANT INFORMATION

  1. Name:
  2. CCJS 345 Section: 6382
  3. Final Project Site Selection:
    a. Name of Organization/Facility –
    b. Complete Site Address –
    c. Instructor Site Selection Approval Date –
    (Attach Email Approval Document)
  4. Survey Dates and Times:
    a. Daylight Observations –
    b. Night Observations –

Additional Comments:

II. GENERAL SURVEY INFORMATION

  1. Describe the building and surrounding area of the site under review. Include a statement about the nature and/or mission of the business, company, or organization and the purpose of the building:

General Information:
Mission Statement: The Defense Commissary Agency (DeCA) Mission is to deliver a vital benefit of the military pay system that sells grocery items at significant savings while enhancing quality of life and readiness.

  2. List the normal operating hours:
    M-F – Closed Mondays; Tue-Thu 10-7; Friday 10-6
    Sat – 10-6
    Sun – 11-4
    Holidays – Varies based on holiday; closed Christmas Day
  3. Actual or Estimate: (Circle)
    a. Number of employees – 20-30
    b. Number of visitors/vendors – 50
  4. Site Contact/Assistance Provided By (As Applicable): Unable to get assistance from site contact
    a. Name – ______________
    b. Title – _______________
    c. Interview Date – _______
    d. Phone Number –
  5. Employing ASIS International’s “General Security Risk Assessment Guideline,” identify additional information about the site that will assist you to more thoroughly understand the organization, its various assets, its property, and its operations. These notes will assist you when drafting the Final Project. (See ASIS Practice Advisory #1.)

III. LAW ENFORCEMENT AND OTHER FIRST RESPONDER ASSISTANCE

  1. Relevant Police Department:
    a. Name –
    b. Address –
    c. Phone Number –
    d. Emergency Response Time to Site – Less than 5 min
    e. Crime Prevention Programs Availability – n/a
  2. Relevant Fire/Medical Emergency Responders
    a. Name –
    b. Address –
    c. Phone Number –
    d. Emergency Response Time to Site – Less than 5 min
    e. Fire/Medical Safety Training Program Availability – n/a

IV. RISKS TO ASSETS

  1. Crime Risk Evaluation: Using crime data obtained from the relevant police department or from other independent research (Uniform Crime Reports published by the U.S. Department of Justice, etc.) and personal interviews, including information provided by the organization under review, identify the incidence of crime and the calls for service at the site and in the immediate vicinity over the past two years. Analyze the crime data in conjunction with demographic/social condition data, economic conditions in the area, population densities, transience of the population, unemployment, etc. These notes will assist the consultant when drafting the Final Project. (See ASIS Practice Advisory #2.)

Crime Risk Evaluation:

n/a

  2. Non-Criminal Risk Evaluation: Identify the various types of non-criminal risk events that COULD occur at the site based on historical records of past incidents; risks common to the type of business; risks based on geographic locations; risks common to similarly situated sites; and risks based on recent developments and trends. These notes will assist you when drafting the Final Project. (See ASIS Practice Advisory #2.)

Non-Criminal Risk Evaluation:

Injury at the store due to wet floors, falling in the parking lot, or inclement weather; debris hitting cars.

V. EXTERIOR – SITE PERIMETER

  1. N (Y/N/U) Perimeter of the facility grounds is clearly defined by a fence, wall, bollards, planters, vehicle gate controls, or other types of physical barriers. Briefly describe below the type of barrier, height, distance from building, cleared areas, barbed-wire top, roof or wall areas close to the fence, and its condition (damaged, etc.). Use the area below to draw any diagrams required to fully appreciate the building in relation to the property perimeter and other surrounding commercial, residential, or other buildings and properties.
  2. N (Y/N/U) Barriers limit or control vehicle or pedestrian access to the facility.
  3. N (Y/N/U) Perimeter barriers are considered to be a security safeguard.
  4. N (Y/N/U) All entrance points to perimeter barriers are guarded or secured.
  5. N (Y/N/U) Perimeter barriers are under surveillance at all times.
  6. N (Y/N/U) Site building forms a part of the perimeter barrier.
  7. N (Y/N/U) Site building forms a part of the perimeter barrier and presents a
    hazard.
  8. N (Y/N/U) Security officers patrol the perimeter. If unknown,
    should this be the policy? Explain below.
  9. N (Y/N/U) Landscaping obstructs the view of security officers or surveillance
    cameras or interferes with lighting or intrusion device systems.
  10. N (Y/N/U) Intrusion alarm devices protect the perimeter. If unknown,
    should intrusion alarms be installed? Explain below.

Perimeter Notes:

The Commissary is a small grocery store; therefore, no devices are needed to protect the perimeter.

  1. Y (Y/N/U) Perimeter and building are protected by lighting.

  13. Y (Y/N/U) Lighting provides a means of continuing during the hours of darkness
    the same degree of protection available during daylight hours.
  14. Y (Y/N/U) Lighting is positioned to overlap to provide coverage when a bulb
    burns out.
  15. Y (Y/N/U) Additional lighting is provided at active gates, building doors, and
    other points (define the points) of possible intrusion.
  16. U (Y/N/U) There are provisions for emergency lighting. If unknown,
    should emergency lighting be installed? Explain below.
  17. Y (Y/N/U) Lights are mounted to provide a strip of light both inside and outside
    the perimeter.
  18. Y (Y/N/U) Lights operate in a manner that increases the likelihood of detecting and
    deterring criminal acts on the property and enhances the capability of security
    cameras to record images that can effectively reconstruct an incident and
    identify individuals.
  19. Y (Y/N/U) There is 360-degree lighting coverage around the exterior of the
    facility.
  2. Y (Y/N/U) All lights are working. If not, identify location?
  3. U (Y/N/U) Lighting has an auxiliary source of power. If unknown,
    should auxiliary power be installed? Explain below.

Perimeter Lighting Notes:

All lights in parking lot work; well lit; lighting around outside perimeter of building.

 23. Describe below the vulnerabilities of the employee and visitor parking lots and the 
 security features currently in place, if any.  Any other notes about the site perimeter 
 can be listed below.  

Other Perimeter Notes:

N/a

VI. BUILDING, INTERIOR LIGHTS, LOCKS AND SURVEILLANCE SYSTEMS/ALARM

   1. Describe below the vulnerabilities of the employee and visitor parking lots and the 
   security features currently in place, if any.  Any other notes about the site perimeter 
   can be listed below.  

Vulnerabilities, et al.:
N/a

   2. Describe the building design and composition (brick, block, concrete, metal panels, glass exterior, etc.).     
   Include comments about the number of stories (floors) above and below ground; total number of     
   entrances/exits and construction (solid core, hinges, hinge pins, etc.); ground floor windows and height      
   and construction; other windows and how they are secured; and roof construction and openings.  Also      
   comment on adjacent occupancies and if there are any security issues with those organizations that might 
   impact the site under review in this project.  Identify the distance in yards from the building to the 
   nearest public street. 

Comprehensive Building Description:

Brick building, glass doors, one floor level, 1 entrance and 1 exit door on the front of the building; no windows, no roof construction or openings; The Commissary is a grocery store and if another building caught on fire or was targeted for a robbery, it would not be at risk. However, if there was a robbery set in place at a nearby location, the thief could potentially enter the store to blend in, but it wouldn’t be wise because the nearest public street is 75-100 feet away.

   3. Y (Y/N/U) Public parks, plazas, or other public areas are immediately adjacent to the building. 

   4.  N (Y/N/U) Public transit systems are near the building.

   5.  Y (Y/N/U) Entrances/exits are supervised/controlled. 

   6. Y (Y/N/U) Interior lighting is appropriate for surveillance by night security 
        guards, local law enforcement, and closed circuit television coverage.
   7. Y (Y/N/U) Emergency lighting is available for power outages. If unknown, should auxiliary
        power be installed? Explain below.

Building Notes:

There is a PX (post exchange) adjacent 75 feet away from the building. A gym 150 feet behind the Commissary and a bowling alley 50 feet from the gym. One entrance and exit for the building.

   8. Describe the types of entrance/exit door key and combination locks in use at the facility.

Door Key and Combination Lock Notes:

Automatic entrance doors with key locks on them. All exits have alarm equipped with warning alarm will sound if opened; controlled by keys; code locks on office doors.

9. Y (Y/N/U) A key control official has been assigned and is responsible for 
                     issuance, replacement, and control of locks and keys.  If unknown, should 
                      there be?  Explain below.

10. Y (Y/N/U) Keys are secured when not in use. If unknown, should they be 
                      secured? Explain below.

11. Y (Y/N/U) There is a master key system with 2 master keys issued. If 
                       unknown, should there be a system?  Explain below.

12. Y (Y/N/U) Key inventories are routinely conducted.  If unknown, should there  
                       be?  Explain below.

13. Y (Y/N/U) Employees authorized to receive keys sign for them.  If unknown, 
                       should signatures be obtained for accountability?  Explain below.

14. Y (Y/N/U) Removal of keys from the premises is prohibited. If unknown, 
                       should this be the policy? Explain below.

15. Y (Y/N/U) Records are maintained of those who have access to codes for 
                       combination locks. If unknown, should such records be maintained? Explain 
                       below.

16. Y (Y/N/U) Combination lock codes are changed routinely and a record of 
                       those changes is maintained. If unknown, should this be the policy? 
                       Explain below.

17. Y (Y/N/U) Combination codes are changed when a user no longer requires 
                       access. If unknown, should this be the policy? Explain below.

18. Y (Y/N/U) There is a card key reader or similar system that records employee 
              and/or visitor entries/exits.  If unknown, should this be a security control 
              employed by the organization? Explain below.

Key and Combination Lock Notes:

Keys may not leave the premises with the exception of the store managers. Records of who has access codes maintained; combination locks changed routinely

19. Y (Y/N/U) The facility has an intrusion alarm system with 24/7 monitoring 
                capability. If unknown, should this be a security control employed by the 
                organization? Explain below.

  20. Y (Y/N/U) There is a written policy and procedure for activating and 
                deactivating this system. If unknown, should this be the policy? Explain 
                below.

  21. Y (Y/N/U) The alarm system is centrally managed. If unknown, should this be 
                 the policy? Explain below.

  22. Y (Y/N/U) The alarm system is linked and managed by an outside private service 
                 vendor/police force. If unknown, should this be the procedure? Explain below.

   23. Y (Y/N/U) The alarm system for active areas of the facility are disengaged 
                during operational hours. If unknown, should this be the policy? Explain 
                below.

   24. Y (Y/N/U) All external doors, ground windows, loading dock areas, and  
                internal doors are covered by the alarms. If unknown, should this be the 
                policy? Explain below.

   25. Y (Y/N/U) The alarms are linked to CCTV.  If unknown, should the alarms be 
                 linked?  Explain below.

   26. Y (Y/N/U) There is an emergency power source for all alarms.  If unknown, 
                should an emergency source of power be available?  Explain below.

Alarm Notes:

Law enforcement are the first responders when an alarm goes off. They receive a call. All doors covered by alarms; linked to CCTV.

  27. Describe below the other areas in the facility that are alarmed (data system
    location, safes, high value asset storage areas, executive suite offices, duress
    signals, etc.). Also, describe the procedures for taking action when alarms are
    activated. If unknown, are there other areas at the facility that should be alarmed
    and should there be a response plan and what might it include? Explain below.

Other Alarmed Areas and Response to Alarms:

The break room and office doors have a code to get into as well as the lockers having locks.

  28. N (Y/N/U) The facility employs CCTV cameras externally. Relevant
    notification signs are displayed. (Note: A brief discussion and diagram
    showing the location of the cameras would enhance the final project
    presentation.)
  29. U (Y/N/U) The facility employs CCTV cameras internally. (Note: A brief
    discussion and diagram showing the location of the cameras would enhance
    the final project presentation.)
  30. Y (Y/N/U) Recordings are continuous rather than event activated. If unknown,
    should recordings be continuous or event activated? Explain below.
  31. Y (Y/N/U) The camera feed is monitored in real time on site. If unknown,
    should the cameras be monitored in real time onsite or elsewhere? Explain
    below.

CCTV Notes:

Cameras are recorded in real time; located on the outside of the building room top near the entrance of the grocery store, throughout the entire store, and near the cash registers.

VII. SELECTED PROCEDURAL CONTROLS

  1. Describe the significant procedural controls employed by the organization to protect assets, particularly from risks associated with internal theft schemes. Include comments related to security controls for handling cash and negotiable instruments; inventory and audit control processes; shipping and receiving standards; and separation of duties and responsibilities among employees, particularly for those with authorities related to the organization’s financial matters. For instance, would it be prudent for a cashier to also be responsible for record keeping? As another example, would it be wise to have the same employee select, authorize, order, and receive merchandise for the organization? What about access to personnel records?
    Should an organization allow the same person responsible for stocking merchandise or ordering company equipment to conduct periodic inventories? How might the organization’s mailroom be a security challenge?

If information is unknown based on your observations and interviews as appropriate, briefly describe (after conducting the appropriate research) what procedural controls in the specific areas mentioned above would enhance the protection of any organization’s assets, particularly one similar in mission and purpose to the site of your assessment.

Selected Procedural Controls:

Employees must balance their drawers before and after their shifts to check for discrepancies such as shortages. The drawer must be balanced throughout the day once a cash drop has been conducted. The employees who handle cash are responsible for turning in cash at the end of their shift. The shift supervisors and managers keep records of shortages.
Store stockers must verify and sign for their shipping and received items on an inventory check list. There are many positions throughout the store that need to be filled based on qualifications.

VIII. GUARD FORCE

  1. Y (Y/N/U) The organization employs a guard force at the facility. If unknown,
    should a guard force be employed, proprietary or contractual? Explain below.
  2. Y (Y/N/U) Written instructions are provided to the security guards regarding their
    responsibilities. If unknown, should such instructions be provided and what
    information might be included? Explain below.
  3. N (Y/N/U) Security Guards are armed. If unknown, should security officers at
    this site be armed? Explain below.
  4. Y (Y/N/U) The security guards on site are licensed in compliance with state or
    other jurisdictional requirements. If unknown, should security officers at this
    site be licensed? Describe the state or jurisdictional licensing and registration requirements for
    private security officers. Explain below.
  5. N (Y/N/U) Security guards have a distinctive uniform. If unknown, should
    security officers have such uniforms? Explain below.
  6. N (Y/N/U) Security guards check employee and visitor identifications. If
    unknown, should security officers have such duties? Explain below.
  7. N (Y/N/U) Security guards conduct entry and exit searches of personnel and/or
    vehicles. If unknown, should security officers have such duties? Explain below.
  8. Y (Y/N/U) Security guards protect the entrance reception area of the facility. If
    unknown, should security officers have such duties? Explain below.
  9. Y (Y/N/U) Security guards have a plan to react to intruders. If unknown, should
    security officers react to intruders and what might those actions include?
    Explain below.

Guard Force Notes:

The shift supervisors are trained to be the security personnel. They wear regular clothes to fit in.

IX. INTERIOR – ACCESS CONTROLS

  1. N (Y/N/U) The organization issues employee and visitor identification. If
    unknown, should the organization issue such identification documents?
    Explain below.
  2. N (Y/N/U) Visitors are prevented from moving around unescorted. If unknown, should visitors be prevented from moving around the facility unescorted? Explain below.
  3. N (Y/N/U) Employees display badges.
  4. Y (Y/N/U) There is visible distinction between employees and visitors.

Access Controls Notes:

Identification not required to enter facility, however when making a purchase, at least one person in the party must display their identification and privilege card which allows access for them to buy things at the store.

  5. Describe other features of the access control system at the facility, i.e., electric card
    readers for employees, escorts for limited access areas such as the data center and
    other sensitive areas, security post control points, visitors/vendors/shoppers enter
    the facility from a different entrance/exit door than employees, vehicle
    identification/parking control, etc.

Other Access Control Features:

Visitors may not enter from any back door entrances/exits besides the store's front doors. Employees may enter from the side door or front door before opening time.

X. PERSONNEL SECURITY AND TRAINING

    1. Y (Y/N/U) Employees are subject to background checks.  If unknown, 
                  should employees have a background investigation completed prior to 
                  employment and if so, what should it include? Explain below.

    2. Y (Y/N/U) Additional checks are conducted for personnel handling cash or    
                  holding more sensitive and/or supervisory positions.  If unknown, 
                  should these employees have a more extensive background investigation 
                  completed prior to employment, and if so, what should it include? Explain 
                  below.

    3. N (Y/N/U) Ongoing (periodic) background checks are conducted for all 
                  employees.  If unknown, should employees have periodic checks conducted? 
                  Explain below.

    4. Y (Y/N/U) New employees are provided with security orientation and ongoing 
                 security awareness training.  What other training is provided? If unknown, should 
                 new employees be given such an induction and training, and if so, what should it 
                 include? Explain below.

Personnel Security and Training Notes:

Because the organization is on a military installation, background checks are imperative. Training must be done periodically as well due to unforeseen matters such as theft.

XI. UTILITY CONTROL POINTS AND FIRE PROTECTION

  1. Describe how utility and HVAC systems are protected so access is limited to only those
    authorized. Include a discussion of the electrical and telephone closets, mechanical areas,
    roof access, etc. Also note how any fuel stored in or around the facility is protected and
    how the water supply is protected, if known.

Utilities Notes:

Utility and HVAC systems are in a locked area; not viewable to customers; the electric closets are located in authorized personnel areas only; and secured by doors that require combination codes. Roof access are in authorized personnel areas only.

  2. Describe the proactive fire protection systems in place at the facility, including whether or not the entire building is equipped with sprinkler systems; locations where there are no such systems; whether the fire alarms are local, proprietary, or central station, if known; location of fire extinguishers and fire hose valves, if known. Describe any fire escapes or stairwells at the facility; whether or not the fire department has ladder trucks that can reach the top floors and the roof of the building; number of available fire hydrants within a city block in any direction; combustibles such as paint, oil, gas, etc. stored on site; whether evacuation training exercises are routinely conducted, etc. Fire Department response time?

Fire Protection Notes:

Sprinkler systems throughout store along with local fire alarms. The fire dept does have ladder trucks that can reach the top of the building, evacuation training conducted, response time from fire dept varies.

XII. SAFETY AND OTHER LOSS CONTROLS

  1. List the dangerous items and substances stored at the facility (weapons, ammunition, chemicals, pathogens, radioactive material, other, etc.) and state how and where they are secured. Also discuss the accountability procedures for these items.

Dangerous Items:
N/a

  2. Given the type of organization, facility, or business you are reviewing, identify the potential OSHA standards applicable to the site and note whether or not compliance is being maintained.

OSHA Standards and Compliance:

Having fire exits clear and free. Proper training is essential. Implement injury prevention efforts. Ensure assigned responsibilities are fulfilled. Provide appropriate resource. Have a suggestion and complaints box.

  3. Y (Y/N/U) The facility has an Occupant Emergency Plan (OEP). If unknown,
    should the organization have such a plan and, generally, what information
    should be included? Explain below.
  4. Y (Y/N/U) The facility has a Continuity of Operations Plan (COOP). If unknown,
    should the organization have such a plan and, generally, what information
    should be included based on your study of the provisions of ASIS International’s “Business
    Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis
    Management, and Disaster Recovery”? Explain below.
  5. U (Y/N/U) The facility has trained OEP designees with specific assignments
    during emergencies. If unknown, should the organization have such designees?
    Explain below.

OEP and COOP Notes:

The company should have trained OEP employees with specific assignments during emergencies. Having separate responsibilities provides team work and preparedness.

  6. Y (Y/N/U) There is a “Shelter in Place Plan” for the facility. If unknown, should the organization have such a plan? Explain below.

  7. Y (Y/N/U) There is a facility public address system. If unknown, should the organization have such a system? Explain below.

XIII. INFORMATION SECURITY

  1. Y (Y/N/U) The organization has an approved information security policy that has been disseminated to all employees and contractors. If unknown, should the organization have such a plan? Explain below.

  2. Y (Y/N/U) All employees and contractors have acknowledged they understand the policy and agree to comply with it. If unknown, should there be a record of employees and contractors agreeing to policy compliance? Explain below.

  3. Y (Y/N/U) The organization’s IT resources and data (e.g., computer and network equipment, storage media, wiring closets) are physically secured from unauthorized access, tampering, damage, and/or theft. If unknown, should these resources be protected from loss or harm? Explain below.

  4. Y (Y/N/U) The organization maintains a business continuity plan for its information and data support system that includes system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures. If unknown, should such a plan be implemented and maintained? Explain below.

Information Security Notes:

According to Stripes (2016), “The personal details of more than 21 million people were exposed in a 2015 hack of the Office of Personnel Management. The Department of Veterans Affairs has been criticized for its failure to protect sensitive information.”

  5. Describe other features of the organization’s information security policy and program. Include comments regarding data protection techniques; password controls; organization policy for emails; ongoing employee training regarding information security awareness; prohibitions of loading sensitive data on personal computers; and procedures for employees to report suspected violations, etc.

If this information is unknown after conducting observations and interviews as applicable, after conducting your own independent research, note how the organization’s information security program can be enhanced in each of the areas described above and any other areas you deem appropriate.

Information Security Notes Continued:

No personal computer utilization. Conduct quarterly training for employ

XIV. RECOMMENDATION NOTES FOR SITE SECURITY IMPROVEMENTS

  1. Based on the results of the risk assessment, including site observations, interviews conducted with officials from the organization (as appropriate), and extensive research about the organization, describe the physical and procedural controls you believe need to be enhanced to strengthen the organization’s current security operation to protect assets. Also, identify and discuss the ways the organization can more effectively prevent losses and harm from accidents, emergencies, and natural disasters, and when such risk events do occur, initiate a proficient response to mitigate damage to the organization’s property and resources.

When considering the possible security and safety control options to mitigate risks (See ASIS Practice Advisory #5), be sure to consider the feasibility of implementing the options (See ASIS Practice Advisory #6) along with a basic cost/benefit evaluation (See ASIS Practice Advisory #7). Also, you should identify the priority of the recommendations with supporting justifications.

Prioritized Recommendations:

I think there needs to be an actual security guard working at the store. I believe this could be a useful scare tactic in preventing loss. I don’t believe their security measures are as safe as they make them out to be, but then again it is a military installation so not many people dare to find out the consequences it comes with. As far as preventing accidents, perhaps carpet in some areas of the store could help with slipping.

XV. CONSULTANT RESEARCH AND OTHER SUPPORTING PROJECT NOTES

References
White Sands | Commissaries. (n.d.). Retrieved from https://www.commissaries.com/shopping/store-locations/white-sands

Jail commissary employee arrested for theft – WGAA Radio. (n.d.). Retrieved from https://www.wgaaradio.com/jail-commissary-employee-arrested-for-theft/

Commissaries look to limit cyber breaches. (2016, April 11). Retrieved from https://www.stripes.com/news/commissaries-look-to-limit-cyber-breaches-1.403934

REFERENCES

This CCJS 345 Risk Assessment/Security and Safety Planning Instrument was developed using the following sources:

Halkyn Consulting Ltd. (2010). Physical Security Assessment Form. Flintshire, UK. Retrieved August 1, 2017 at: http://www.halkynconsulting.co.uk/security-resources/downloads/physical_security_assessment_form.pdf

ISACA. (No Date). Physical Security Survey Checklist. Rolling Hills, IL. Retrieved August 1, 2017 at: http://www.isaca.org/Groups/Professional-English/physical-security/GroupDocuments/physicalsecurity.pdf

University of Illinois at Urbana. (2006). Risk Management Audit Checklist. Urbana, IL. Retrieved August 1, 2017 at: http://citebm.business.illinois.edu/TWC%20Class/Project_reports_Spring2006/Business%20Risk%20Management/Manzoor/Audit%20Checkilist.pdf

U.S. Department of Agriculture. (No Date). USDA Physical Security Inspection Checklist. Washington, D.C. Retrieved August 1, 2017 at: https://www.dm.usda.gov/physicalsecurity/physicalcheck.pdf

U.S. Fish and Wildlife Service. (2016). Physical Security Survey – Level 3. Washington, D.C. Retrieved August 1, 2017 at: https://www.fws.gov/forms/3-2419.pdf

U.S. Geological Survey. (2005). Physical Security Survey Checklist. Washington, D.C. Retrieved August 1, 2017 at: https://www2.usgs.gov/usgs-manual/handbook/hb/440-2-h/440-2-h-appc.pdf

Consultants can enhance their study, understanding, and application of risk assessment and management processes by reviewing the following sources:

American Bankers Association. (2003). Physical Security Checklist and Inventory. Washington, D.C. Retrieved August 1, 2017 at: https://www.aba.com/aba/toolbox/brd/1tool.pdf

American Red Cross. (2012). Multi-Building Physical Security Checklist. Retrieved August 1, 2017 at: http://www.readyrating.org/Portals/1/PropertyAgent/2255/Files/26/Ready%20Rating%20-%20SAMPLE%20Building%20Security%20Checklist.docx

ASIS Foundation. (2007). ASIS.SIA Risk Assessment Survey: Results and Analysis. Alexandria, VA. Retrieved August 1, 2017 at: https://foundation.asisonline.org/FoundationResearch/Publications/Documents/asis-siaRickAssessment.pdf

Australian Hotels Association (South Australian Branch). (2013). AHAISA Hotel Security Assessment Checklist. Retrieved August 1, 2017 at: http://www.ahasa.com.au/__files/f/4010/AHA_Security_Assessment_Checklist.pdf

Broomfield Police Department (No Date). Construction Site Security Survey Checklist. Broomfield, CO. Retrieved August 1, 2017 at: https://www.broomfield.org/DocumentCenter/View/3380

Department of the Army. (2010). Physical Security. Washington, D.C. Retrieved August 1, 2017 at: https://fas.org/irp/doddir/army/attp3-39-32.pdf

Department of Homeland Security. (No Date). Risk Assessment. Washington, D.C. Retrieved August 1, 2017 at: https://www.ready.gov/risk-assessment

Federal Emergency Management Agency. (No Date). Building Vulnerability Assessment Checklist. Washington, D.C. Retrieved August 1, 2017 at: https://www.fema.gov/media-library-data/20130726-1524-20490-4937/fema452_a.pdf

Foresight Security Risk Management. (2013). Risk Analysis and the Security Survey. Retrieved August 1, 2017 at: https://foresightsecurityriskmanagement.wordpress.com/about/

Gardner, Robert A. and Wolf Aviation. (2002). Rural & Small Town Airport Security Manual and Checklist. Las Vegas, NV. Retrieved August 1, 2017 at: http://www.crimewise.com/airport/manual.pdf

HELPNET SECURITY. (No Date). Information Security Checklist. Retrieved August 1, 2017 at: https://www.helpnetsecurity.com/2003/09/08/information-security-checklist/

Kabay, M.E. (2012). Facilities and Security Audit Checklist. Northfield, VT. Retrieved August 1, 2017 at: http://www.mekabay.com/infosecmgmt/facilities_checklist.pdf

Missouri Department of Health and Senior Services. (2011). Sample Threat/Risk Assessment Checklist. Retrieved August 1, 2017 at: http://health.mo.gov/emergencies/pediatrictoolkit/SchoolResources/SampleRisk-ThreatAssessmentChecklist.pdf

National Clearinghouse for Educational Facilities. (No Date). NCEF Safe School Facilities Checklist. Washington, D.C. Retrieved August 1, 2017 at: http://www.ct.gov/demhs/lib/demhs/school_security/school_safety_checklist.pdf

Richardson Police Department. (No Date). Home Security Assessment Checklist. Richardson, TX. Retrieved August 1, 2017 at: https://www.cor.net/modules/showdocument.aspx?documentid=298

Rowe, Tina Lewis. (2009). How to Assess the Safety and Security of Your Place of Worship. Denver, CO. Retrieved August 1, 2017 at: https://www.santarosa.fl.gov/coad/documents/SafetyinChurch.pdf

Sans Technology Institute. (2015). Physical Security. Retrieved August 1, 2017 at: https://www.sans.edu/cyber-research/security-laboratory/article/281

Silva Consultants. (2017). Physical Security Assessments. Covington, Washington. Retrieved August 1, 2017 at: http://silvaconsultants.com/physical-security-assessments-by-silva-consultants.html

U.S. Department of Agriculture. (No Date). Risk Based Methodology for Physical Security Assessments. Washington, D.C. Retrieved August 1, 2017 at: https://www.dm.usda.gov/physicalsecurity/riskmanagementapproachpresentation.pdf

West Virginia Department of Health and Human Services. (No Date). Risk Assessment – Information Security Policy. State of West Virginia. Retrieved August 1, 2017 at: https://www.wvdhhr.org/han/security/Riskchecklist.pdf

SRMC. (2013). Pima Community College Security Assessment Report and Recommendations. Columbus, Ohio. Retrieved August 1, 2017 at: https://www.pima.edu/administrative-services/college-police/docs/security-risk-report.pdf

Tech Republic Academy. (2010). Perform a Physical Security Gap Analysis. http://www.techrepublic.com/blog/it-security/perform-a-physical-security-gap-analysis/

Vanguard Surveillance and Security. (No Date). 7 Step Security Survey. Retrieved August 1, 2017 at: http://www.vanguardsas.co.uk/contents/en-uk/d26.html

Revised: November 7, 2017
