In the past few issues, the compilation of instructions for conducting a vulnerability study has been presented in snippets. To complete the survey, you will need to use key management strategies, understand the consequences of loss and conclude the survey in order to begin reviewing the collected data.

Key management strategies include access controls including mechanical locks and re-keying locks. Electronic security controls are not always required for every facility door. In many cases, door status switches are the only security devices needed. The door status switch will indicate to the system operators when improper door openings occur, but will not control the door.

Use mechanical locks to control doors in these cases. Prepare a key management schedule for these locks. This can be an arduous task. One of the reasons electronic security systems are required in a facility is because key management is out of control. Duplicate keys for sensitive areas are frequently given to occupants who do not have an essential need for access.

As part of an overall security plan, consider that all existing mechanical locks be re-keyed so that the existing metal keys will no longer work. Create a new set of metal keys for the re-keyed doors and institute proper distribution. Once again, documenting the possession of these metal keys will be an essential part of the overall security plan. Use a matrix to document key management. The matrix indicates which doors are keyed and who has possession of those keys.

Other reference sources are available that discuss the ways and means of using master and sub-master keying plans. It is not the intent of this column to address those issues but merely to remind the security professional that such plans exist and need to be studied carefully before a re-keying effort is made. Usually, the implementation of an electronic security system signals the re-evaluation of all security measures in a facility. But remember to issue only a minimum number of keys under any re-keying process.

Consequences of Loss

After gathering data on the facility’s security perimeters and assessing the vulnerabilities, consider the consequences of loss. Further interviews with the operations and financial employees of the company may be required to establish this analysis. The goal is to determine the impact of a violation of the security perimeter on the ongoing operation of your company.

Make a list of the critical assets of the company and then identify the ways in which you could successfully defeat the existing security measures. Next, examine what impact that attack would have on the operation and seek the assistance of company personnel in establishing a cost of that impact. Remember that the cost is not just the loss of the asset but also includes the loss of revenue in removing the asset from service. The conclusions from this analysis will help justify the investment in equipment and provide additional motivation to act.

Concluding the Survey

At the conclusion of the survey, document all findings and prepare a report for the management team. Base the conclusions of the report on the data gathered then formulate a recommendation on how best to proceed. A valid recommendation may be to do nothing at all. If your existing security measures and the facility’s configurations are adequate to protect it from the expected threats, the report can be used as a basis for the company’s decision to use resources for other operational requirements. The mission of the vulnerability study is to determine the company’s readiness to counter expected threats.

The report should detail the existing assets, the protected perimeters, the openings in the perimeters and the current methods of controlling those openings. The report should also provide the results of the tests conducted on the effectiveness of existing security systems and the life safety tests. Conclude the report with an explanation of the consequences of loss and a recommendation for improvements or changes needed to meet the company’s security goals as defined in your policy statement.