"The CSO's note book"

The importance of security surveys – what to look for in a survey

A good cost effective security system is the kind that addresses the most feasible vulnerabilities and threats to critical assets within the security budget restrains.

In order to reach that goal one should first answer the following questions:

1.       What are the critical assets to be protected?

2.       How vulnerable are they?

3.       What are the potential threats?

4.       What is the likelihood of these threats to actually happen?

5.       What should be done to protect critical and endangered assets?

6.       What can be done to ensure business continuity / recovery (in the case of being hit by a natural disaster, accident or targeted attack)?

7.       What measures are taken to date (if at all)?

8.       What measures have yet to be installed (gap analysis)?

9.       What are the priorities for the implementation (+ cost estimates)?

10.   Implementation impact on production / daily routine (will it improve, not affect at all, affect slightly, or add hard-to-live-with restrictions and "bottle necks")?

11.   How to go about the implementation (stages, timetables, cost).

In order to answer these questions, a comprehensive survey has to be conducted and its result presented to the customer.

Since most customers lack the knowledge and objectivity to conduct such a survey, they usually commission it from a security consulting firm (preferably firms that exclusively do consulting and are not involved in selling equipment, since that might lead to a conflict of interest).

What should appear in a survey report:

1.       An executive summery describing the scope of the survey and its conclusions.

2.       Survey's scope - List of objects and persons that have been surveyed / interviewed.

3.       Evaluation of existing security layout: systems and functions (functionality, effectiveness), such as:

A.      Security personnel and their preparedness to deal with potential threats

B.      Procedures and Post orders

C.      Infrastructure & Equipment:

·          Walls & fences, gates, doors & locks, vaults & safes 

·          Burglar alarm

·          Access control

·          CCTV

·          Monitoring & Control Center

D.      Data security (IT / physical)

·          Infrastructure (network elements & web applications)

·          EPS (End Point Security)

·          Archives (physical & electronic)

·          Data disposal procedures (hard & soft copies)

·          Employee awareness

·          Business partners & Service providers' commitment

4.       List of critical assets and their vulnerabilities.

5.       Threat assessment to the latter (importance of asset multiplied by likelihood to be hit = threat coefficient).

6.       Gap analysis.

7.       To do list ­­­­­­– an easy to follow list of detected rejects and vulnerabilities that surfaced (+ photos).

8.       A detailed plan of suggested improvements addressing the 3 pillars of security: 

A.      Human recourses

B.      infrastructure & equipment

C.      Policies, Procedures & Post orders

9.       Timetable + milestones.

10.   Detailed project proposal and payment terms.

Once all relevant questions are answered, and a comprehensive survey-based threat analysis was conducted, a security plan (that will work in harmony with core business and client's routine) can be tailored to the company's measures, budget and realistic needs.