Comments
Security Vulnerability Assessments
SVA Overview
SECURITY VULVERABILITY ASSESSMENT
The Security Vulnerability Assessment (SVA) is used to identify a level of protection that is necessary to adequately mitigate identified risks from critical infrastructure assets.
The Division of Homeland Security and Emergency Management’s Critical Infrastructure and Key Resources (CIKR) planning team uses this process to identify specific security countermeasures designed to protect a community’s continuity of operations, critical assets, population, and visitors.
The first step to the community assessment process begins with the identification of critical assets within the community. The SVA team works through the infrastructure taxonomy provided by the National Infrastructure Protection Plan (NIPP) to identify which assets should be included in the report.
Through historical research, open source data mining, and working directly with the individual asset owner/operators the SVA team is able to gather CIKR asset and interdependency data. The asset information is then entered into the Automated Critical Asset Management System (ACAMS)*, which is a secure, online database and database management platform that allows for the management of CIKR asset data; the cataloguing, screening and sorting of this data; the production of tailored infrastructure reports; and the development of a variety of pre- and post-incident response plans useful to strategic and operational planners and tactical commanders.
Following the data collection phase of the SVA, the team conducts physical “on-site” surveys documenting security countermeasures already in place in the following categories:
• Site Security Criteria Site perimeter, site access, exterior areas and assets, and parking.
• Structure Security Criteria Structural hardening, façade, windows, and building systems.
• Facility Entrance Security Criteria Employee and visitor pedestrian entrances and exits, loading docks, and other openings in the building envelope.
• Interior Security Criteria Space planning and security of specific interior spaces.
• Security Systems Criteria Intrusion-detection, access control, and closed-circuit television camera systems.
• Security Operations and Administration Criteria Security management and personnel, plans, and training.
Through the assessment process and review the SVA team will assign each asset a baseline Level of Protection, or LOP, based off of the asset’s mission, symbolism, threat history, accessibility, recognizability, recoverability, population, proximity to other assets, and vulnerability scores.
During the review and reporting phase the team first decides whether there are additional risks that should be considered in establishing the baseline level of protection (LOP) t}at is required. Second, they determine whether the countermeasures associated with the LOP provide an adequate level of protection to address those risks. Customization of the recommended protective measures may fluctuate relating to the risks identified throughout the assessment. The existing LOP is then compared to the necessary LOP to determine if it adequately addresses the threat(s), or if vulnerabilities exist that need to be addressed (see figure 1). If the existing LOP equates to the necessary LOP, current countermeasures should be maintained and tested on a regular basis. Conditions at the facility should be monitored for changes that may impact the effectiveness of countermeasures or the needed LOP. If the existing LOP does not sufficiently address the risks, shortfalls must be identified and countermeasures to recommendations to address those vulnerabilities will be included in the final report.
This process helps to ensure that the level of protection recommended to CIKR facilities, their employees, and visitors is commensurate with the level of risk.
SVA Overview
SECURITY VULVERABILITY ASSESSMENT
The Security Vulnerability Assessment (SVA) is used to identify a level of protection that is necessary to adequately mitigate identified risks from critical infrastructure assets.
The Division of Homeland Security and Emergency Management’s Critical Infrastructure and Key Resources (CIKR) planning team uses this process to identify specific security countermeasures designed to protect a community’s continuity of operations, critical assets, population, and visitors.
The first step to the community assessment process begins with the identification of critical assets within the community. The SVA team works through the infrastructure taxonomy provided by the National Infrastructure Protection Plan (NIPP) to identify which assets should be included in the report.
Through historical research, open source data mining, and working directly with the individual asset owner/operators the SVA team is able to gather CIKR asset and interdependency data. The asset information is then entered into the Automated Critical Asset Management System (ACAMS)*, which is a secure, online database and database management platform that allows for the management of CIKR asset data; the cataloguing, screening and sorting of this data; the production of tailored infrastructure reports; and the development of a variety of pre- and post-incident response plans useful to strategic and operational planners and tactical commanders.
Following the data collection phase of the SVA, the team conducts physical “on-site” surveys documenting security countermeasures already in place in the following categories:
• Site Security Criteria Site perimeter, site access, exterior areas and assets, and parking.
• Structure Security Criteria Structural hardening, façade, windows, and building systems.
• Facility Entrance Security Criteria Employee and visitor pedestrian entrances and exits, loading docks, and other openings in the building envelope.
• Interior Security Criteria Space planning and security of specific interior spaces.
• Security Systems Criteria Intrusion-detection, access control, and closed-circuit television camera systems.
• Security Operations and Administration Criteria Security management and personnel, plans, and training.
Through the assessment process and review the SVA team will assign each asset a baseline Level of Protection, or LOP, based off of the asset’s mission, symbolism, threat history, accessibility, recognizability, recoverability, population, proximity to other assets, and vulnerability scores.
During the review and reporting phase the team first decides whether there are additional risks that should be considered in establishing the baseline level of protection (LOP) t}at is required. Second, they determine whether the countermeasures associated with the LOP provide an adequate level of protection to address those risks. Customization of the recommended protective measures may fluctuate relating to the risks identified throughout the assessment. The existing LOP is then compared to the necessary LOP to determine if it adequately addresses the threat(s), or if vulnerabilities exist that need to be addressed (see figure 1). If the existing LOP equates to the necessary LOP, current countermeasures should be maintained and tested on a regular basis. Conditions at the facility should be monitored for changes that may impact the effectiveness of countermeasures or the needed LOP. If the existing LOP does not sufficiently address the risks, shortfalls must be identified and countermeasures to recommendations to address those vulnerabilities will be included in the final report.
This process helps to ensure that the level of protection recommended to CIKR facilities, their employees, and visitors is commensurate with the level of risk.
by Rtucker