Why Expertise Is a Top Consideration When Considering a GRC Partner
GRC is an ever-evolving practice; place value in a vendor with extensive knowledge of the GRC landscape, one…
Cybersecurity incidents like ransomware attacks and data breaches are grabbing many of the risk and security headlines these days — and for good reason. But physical security risks are still a real threat for organizations everywhere.
The potential harm physical security risks could cause to your business necessitates taking a proactive approach towards managing and mitigating it all, and that starts with conducting effective physical security risk assessments. In many industries, carrying out these assessments is mandatory.
In this article, we’ll explore how to conduct physical security risk assessments, and how doing so on a regular basis can benefit your organization.
What is a physical security risk assessment?
Physical security risk assessments are comprehensive reviews of all of the security risks your organization faces across its physical footprint. That includes offices, warehouses, production facilities, retail locations, and any other brick-and-mortar asset your organization owns or operates.
Conducting physical security risk assessments makes it easier to stay on top of the various threats your organization’s physical assets face and to prioritize your mitigation efforts and incident response.
Mandatory assessments in regulated industries
Every organization can benefit from carrying out physical security risk assessments on a regular basis, but organizations operating in some specific industries must conduct them to meet regulatory requirements.
These include health care organizations, financial institutions, and organizations considered to be critical infrastructure, such as companies that operate nuclear power facilities, the broader energy industry, transportation providers, government agencies, and telecommunications providers.
Oftentimes, one or more common risk management frameworks, such as the ISO 27001 standard or the NIST framework, or various regulations from government agencies like the Nuclear Regulatory Commission, the Department of Defense, or the Transportation Safety Administration, mandate regular physical security risk assessment.
How physical security risk assessments benefit organizations
Knowing where your organization’s physical security risks exist — especially if your operations span a country or the whole world — vastly expands your options for addressing them. Physical security risk assessments empower your risk and security teams to take proactive approaches towards securing your organization’s assets, rather than responding to threats or incidents as they emerge, often when it’s too late to make a difference.
Here are some of the benefits of conducting regular physical security risk assessments.
Enhanced asset protection and proactive threat mitigation
The biggest benefit of physical security risk assessment is the insight it provides into your physical security risk landscape. It allows you to better protect the assets, locations, and facilities your organization depends on for normal business operations.
The more physical security risk assessments you conduct, the more complete a picture of your physical security risks you’ll have. That means you’ll be able to anticipate and prevent, rather than just respond to and recover from, physical security incidents. Inevitably, you will face incidents related to physical security risk, regardless of how hard you work to prevent them. Having done the physical security risk assessment work ahead of time ensures you’ll have the plans in place to recover more quickly.
More efficient resource allocation
Effective physical security risk assessment provides the information you need to prioritize your physical security risks based on their severity and probability of occurrence, so you can allocate more resources to addressing the risks that stand to do the most damage to your organization first.
Risk quantification methods are an effective way of gauging the specific threat each risk poses to your business and translating it into financial terms. Having detailed figures of this nature makes it much easier to conduct cost/benefit analyses, rank your security risks accordingly, and make better decisions around which mitigation activities to invest in.
Improved compliance
Most organizations operate under at least some regulatory requirements from agencies that mandate managing physical security risks, whether they’re related employee safety, proper securing and storage of dangerous materials, and security at critical infrastructure or transportation facilities. Many organizations also adhere to standards frameworks like ISO 27001, SOC 2, and NIST, and work to maintain certification under them.
Carrying out regular physical security risk assessments makes it much easier to maintain compliance with these regulations and standards and avoid lawsuits, fines, and other penalties.
Safeguarding employees and the public
Every physical security incident at any facility you operate has the potential to cause harm or worse to your organization’s employees, or, in some industries, to the public as a whole. That could take the form of improper fire suppression or prevention practices leading to employee death or injury, or an attack on a power plant taking vital services offline for days or weeks.
Staying on top of your physical security risks means you’ll be able to spot any gaps in your physical security well before they turn into a major incident, helping you keep everyone safe.
Preserving your organization’s brand image and reputation
Physical security risk assessment also helps protect your brand image and reputation by helping you avoid major physical security incidents. No organization enjoys becoming a high-profile headline due to a physical security incident that could have reasonably been prevented.
How to conduct physical security risk assessments
So, how do you get started with physical security risk assessment? We recommend using this repeatable six-step framework.
1. Develop a plan and define its scope
Start by figuring out exactly how extensive and far-reaching in scope your physical security risk assessment will be. Let’s say you manage corporate offices in five cities, plus a handful of production facilities across the United States.
Are you planning on assessing physical security risk at just your most business-critical facilities, or are you going all in and examining the physical security risk at each of those locations? Each approach will require different strategies and different levels of investment.
2. Identify threats and vulnerabilities
Now, you’ll need to conduct an audit of each facility to determine which physical security risks they’re facing. Some examples:
- How many entrances and exits does each facility have? Are they secured against unauthorized access, and are they easily accessible to employees for egress in the event of an emergency?
- Is your facility adequately staffed to ensure operations are being conducted in a safe manner, or is this location understaffed and overworked?
- Is your facility located in an area that’s prone to conflict, terrorism, or crime?
- Who has access to your facility? Have your revoked access for everyone who should no longer have it?
- Are all hazards clearly marked to ensure employee and visitor safety?
- What environmental threats does your facility face? Is it in an area where tornadoes, flooding, or wildfire are common? Do you have emergency and evacuation plans for those events?
Threats can be identified by site visits, interviews with management and employees on site, and other forms of inspection. You could house this data in a master spreadsheet or document, but it’s a better idea to use enterprise GRC software that allows you to centralize it all in one universally-accessible repository— even better if it has the capability to automate that process.
3. Assess impact and likelihood
Deciding where to invest limited resources to make the biggest impact on your physical security posture requires taking each of the risks you identified in the previous step and assessing how likely they are to occur and how severe the damage or loss could be as a result.
Traditionally, this has been done through qualitative methods like ordinal lists and red-yellow-and-green severity charts, but risk quantification can provide a much more detailed and accurate analysis, allowing you to tie each of your physical security risks to their true financial impact.
4. Review the current state of your physical security
With your prioritized list of physical security risks in hand, it’s time to evaluate the current state of your physical security risk management and mitigation measures. For each risk, starting with the ones that carry the highest impact, examine how you’re addressing them. For example:
- Do former employees who left on less than amicable terms still have keys or codes to access your facility, or are you up-to-date on privilege revocation? Similarly, do all of your employees have the levels of access to parts of your facility that are appropriate for their role?
- If your facility is in a conflict zone or area prone to terrorist attacks, are you appropriately restricting access to your facility with fences and other barriers, and are you staffing security professionals to monitor the grounds?
- Are you monitoring environmental and weather conditions around your facilities to ensure you’re able to evacuate staff if needed and established contingency plans for continued operation?
If you find that any of these areas are lacking, take note of them and move to the next step.
5. Implement or update mitigation measures
For the areas that you found physical security was lacking, determine the best course of action for updating your mitigation measures or implementing new ones. This could include updating your facilities' access protocols to a more modern method, such as biometrics or individual PIN access, adding security staff, improving fire suppression technology, and developing better business continuity plans, among other strategies.
6. Establish a regular cadence for reassessment
Physical security risk is constantly changing, so physical security risk assessment needs to be an ongoing process. You should establish a regular cadence for repeating the process however frequently you deem necessary for your organization’s continued security.
Each time you conduct a physical security risk assessment, be sure to clearly communicate the results to relevant stakeholders, leadership, and your board of directors.
Using GRC software to scale your physical security risk assessment program
Depending on the size of your organization and the number of physical locations you own or operate, carrying out physical security risk assessments can be a massive undertaking. Using the right governance, risk management, and compliance (GRC) software can be a big help. These systems centralize all of your physical security risk data to help you streamline audits, automate compliance, quantify risk, and share data-driven insights across your entire network of facilities.
Specifically, modern, next-generation GRC software that runs on flexible graph databases and that have user interfaces and workflows that can quickly and easily be changed as your organization grows and your physical security needs change, like LogicGate Risk CloudⓇ and its Physical Security Management Application, can help you ensure your physical security meets industry-leading standards, keeping your operations humming and your workforce safe.
Schedule a demo to see how LogicGate Risk Cloud can help you scale and adapt your physical security risk management and assessment programs to meet your evolving business needs.
SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.