Risk Analysis Report
XXXXXXXXXXXX
Report Prepared By
XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe
Executive Summary
1.1 Purpose
To calculate risk to XXXX’s XXXXXXXXXXXXX Headquarters, recommend countermeasures to reduce, transfer, avoid, or accept risk, and provide a countermeasures budget.
1.2 Background
XXXX is a pharmaceutical company based in XxxxxxxxXxxxxxx but headquartered in XxxxXxxxxXxxx, XxxxxxxXxxxxx. XXXX has recently developed a vaccine for the xxxxxxxxxxx and holds several pending patents that could result in medical breakthroughs. Senior management has requested that a risk analysis be conducted for the XxxxXxxxxXxxx headquarters, where the majority of its research, sales, and high-level meeting activities take place.
1.3 Assessment Process
The appropriate assessment process for the XXXX headquarters in XxxxXxxxxXxxx is a risk analysis for facilities and structures. Risk was formulated using the following calculation from the American Petroleum Institute/National Petrochemical and Refiners Association (API/NPRA) Methodology:
Risk = Probability * Vulnerability * Consequence
The methodology used to prepare this report is the one created by security expert Thomas L. Norman, CPP/PSP/CSC, as outlined in his book Risk Analysis and Security Countermeasure Selection. The methodology is DHS compliant. The steps in the process are:
Facility Characterization
Threat Assessment
Vulnerability Assessment
Risk Calculation
Countermeasures
Baseline Security Program
Key Assets for Special Consideration
Countermeasure Budget
Countermeasure Implementation Recommendations
Interviews with key stakeholders were conducted to help determine the valuations of threats, probability, vulnerability, criticality, and consequence. The tools used for the quantitative analysis include:
Criticalities and Consequence Matrix
Adversary/Means Matrix
Adversary Sequence Diagrams
Crime Statistics
Asset Target Value Matrices
Surveillance Matrix
Circulation Path/Threat Nexus Points Matrix
Circulation Path/Weapons Nexus Matrix
Vulnerability Matrix
Risk Matrix (sorted and unsorted)
Facility Characterization
The mission of XXXX is to provide the world with definitive solutions to its health problems. XXXX is about curing diseases, not finding treatments. As noble as XXXX's mission is, there are several threats that concern senior management. The headquarters in XXX is where senior management meets, where academic research and development is performed, and where the sales and marketing departments are located. Security, along with regulatory issues, the political climate, and legal requirements, is a concern of both the management and the employees of XXXX.
There are four classes of assets that are to be taken into consideration when conducting assessments: People, Property, Proprietary Information, and Business Reputation
People
Senior management
Management and Employees
Visitors
VIPs
Contractors
Delivery Personnel
Property
Reception Lobby
Xxx Avenue Exit
Offices
Research Library
Conference Rooms
Cafeteria
Mail Room
Passenger Elevators
Service Elevators
Stairwells
Utility Rooms
Proprietary Information
Pharmaceutical Formulas
Pending patents
Sales Predictions
Research Information
Business Reputation
The asset classes rank in the same order for both criticality and consequence:
Proprietary Information
People
Business Reputation
Property
Although the consequence matrix ranks People second, it should be noted that loss of life is an unacceptable consequence regardless of ranking.
Threat Assessment
The threat assessment is used to determine the design basis threat on which the baseline security program will be based. Terrorists, economic criminals, non-terrorist violent criminals, subversives, and petty criminals were the potential threat actors analyzed for capabilities and probability of attack. While a state-sponsored terrorist has the capabilities to cause the worst consequences for XXXX, an industrial spy has the specific capabilities and the highest probability of attacking XXXX.
Therefore, the baseline security program will be based on the design basis threat of an industrial spy using social engineering to gain access to the proprietary information held within the XxxxXxxxxXxxx headquarters.
However, XXXX is an international company and the threat of terrorism cannot be ignored. Key assets for special consideration will also be addressed.
Vulnerability Assessment
The vulnerability assessment revealed several vulnerabilities at the XXX location. In determining vulnerability, we identified the most likely attack scenarios, the areas most likely to be attacked, the threat actor's weapons of choice, and the threat actor's surveillance opportunities. The vulnerability assessment uncovered a lack of:
Physical Barriers – to prevent a truck or car bomb from destroying the property
Strong Information Technology Governance – to mitigate hacking and other information technology attacks from occurring
Background Investigation of Contractors and Visitors – Contractors and visitors may be subject to the usual criminal background investigation; however, no investigation is conducted to ensure that contractors and visitors are not affiliated with organizations that may seek to harm one of XXXX's assets
Electronic Access Control – Once inside the XXX location, access control is maintained by XXXX employees. Nothing prevents an employee from moving freely into areas they are not authorized to enter.
Counter-surveillance Program – No program exists to determine whether XXXX's assets are under surveillance by an adversary
Security Intelligence Program – No program exists to collect, analyze, process, and disseminate information regarding possible threat actors
The vulnerability assessment also uncovered intrinsic vulnerabilities, including current or former managers and employees with malevolent intentions toward XXXX.
Risk Calculation
The American Petroleum Institute/National Petrochemical and Refiners Association (API/NPRA) Methodology of calculating risk was used:
Risk = Probability * Vulnerability * Consequence
All values are on a 0-10 scale, with 10 representing the greatest risk exposure to XXXX.
Using the probability, vulnerability, and consequence matrices, the top risks were:
Employee exploiting weak IT governance to steal proprietary information
Industrial spy exploiting weak IT governance to steal proprietary information
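The following is an added worked example, not part of the original report, showing how the API/NPRA product above produces a sorted risk matrix from 0-10 ratings. The scenario names follow the two top risks listed above plus two constructed scenarios; the rating values, the division by 100 to map the 0-1000 product back onto a 0-10 scale, and the "consequence of 10 is unacceptable" flag are all assumptions made for illustration, not figures from the report's matrices.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One attack scenario with its 0-10 ratings from the assessment matrices."""
    name: str
    probability: float    # likelihood the adversary attempts the attack
    vulnerability: float  # likelihood the attempt succeeds against current controls
    consequence: float    # severity of the loss if the attempt succeeds


def check_scale(value: float, label: str) -> float:
    """Reject ratings outside the report's 0-10 scale rather than scoring them silently."""
    if not 0 <= value <= 10:
        raise ValueError(f"{label} must be on the 0-10 scale, got {value}")
    return value


def raw_risk(s: Scenario) -> float:
    """API/NPRA product: Risk = Probability * Vulnerability * Consequence (0-1000)."""
    p = check_scale(s.probability, "probability")
    v = check_scale(s.vulnerability, "vulnerability")
    c = check_scale(s.consequence, "consequence")
    return p * v * c


def normalized_risk(s: Scenario) -> float:
    """Assumption: divide the 0-1000 product by 100 to report risk on the same 0-10 scale."""
    return raw_risk(s) / 100


def unacceptable(s: Scenario) -> bool:
    """Assumption: a consequence rated 10 (e.g. loss of life) is unacceptable at any probability."""
    return s.consequence >= 10


def risk_matrix(scenarios, sort=True):
    """Return (scenario, raw, normalized, unacceptable) rows.

    sort=True yields the sorted risk matrix (highest risk first); sort=False keeps
    the assessment order, i.e. the unsorted matrix.
    """
    rows = [(s, raw_risk(s), normalized_risk(s), unacceptable(s)) for s in scenarios]
    if sort:
        rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed sample ratings (assumed, not taken from the report's matrices).
SAMPLE_SCENARIOS = [
    Scenario("Vehicle bomb driven into unprotected perimeter", 1, 9, 10),
    Scenario("Employee exploiting weak IT governance to steal proprietary information", 8, 8, 9),
    Scenario("Petty theft from the reception lobby", 6, 5, 2),
    Scenario("Industrial spy exploiting weak IT governance to steal proprietary information", 7, 8, 9),
]


if __name__ == "__main__":
    print(f"{'Scenario':<78}{'P*V*C':>7}{'0-10':>7}  Flag")
    for s, raw, norm, flag in risk_matrix(SAMPLE_SCENARIOS):
        print(f"{s.name:<78}{raw:>7.0f}{norm:>7.2f}  {'UNACCEPTABLE' if flag else ''}")
```

Note that the sort order and the unacceptable flag disagree on the vehicle bomb scenario: its product is low because probability is low, which is exactly why the report treats terrorism under Key Assets for Special Consideration rather than letting the sorted matrix alone drive the baseline program.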
Countermeasures
Hi-tech, low-tech, and no-tech countermeasures can be used to address the risks to which XXXX is exposed:
Physical Barriers capable of stopping a truck or car from jumping the curb and being driven into the XXX site
Strong IT Governance Policy that will deter and/or prevent proprietary information from being destroyed, stolen, or lost
Electronic Security System that integrates electronic access control and surveillance
A robust security program that includes investigative, intelligence, and counter-surveillance units
Baseline Security Program
The baseline security program is designed to stop the design basis threat, which is an industrial spy using social engineering to steal pharmaceutical formulas.
The Baseline Security Program enhancements need to consist of:
Policies
Access Control
IT Governance
Employee Security Awareness
Establishment of an IT security group under the direction of the Chief Security Officer
Confidentiality
Security Training
Intelligence
Counter-Surveillance
Investigation
Computer Forensics
Key Assets for Special Consideration
Although the design basis threat targets XXXX's proprietary information, XXXX's people and property also need special consideration. The biggest threat to XXXX's people and property would be an attack by a religious or special-interest terrorist organization. The vulnerability to such an attack is the lack of any barriers, active access control, or video surveillance of the site's exterior perimeter.
Special Countermeasures should include:
Physical Barrier on site’s perimeter
Smart Card Technology Active Electronic Access Control
CCTV surveillance integrated with alarms, intrusion detection, and an alarm communication and display (AC&D) console
Countermeasure Budget
Countermeasure                          Quantity       Unit Cost               Cost
Concrete Reinforced Bollards            8              $523.42 each            $4,187.36
Smart Card ID Access Control System     1              $7,000.00               $7,000.00
Integrated Electronic Security System   1              $700,000 (estimate)     $700,000.00
Security Department Training            20 employees   $8,000.00 per employee  $160,000.00
Total                                                                          $871,187.36
Countermeasure Implementation Recommendations
Based on the calculated risk, countermeasures, and countermeasures budget, the following countermeasure implementations are recommended:
Concrete-reinforced steel bollards, 4 on the sidewalk in front of and 4 behind the XXX site
Smart cards with picture ID issued to all employees
Need to swipe in at reception lobby
Need to swipe into restricted areas
All visits must be pre-arranged
Integrated Electronic Security System
CCTV cameras
Intrusion Detection Sensors
Alarms
Security Training
Employee awareness
Security Intelligence
Counter-surveillance
Investigations
Computer Forensics
IT Governance
IT security team
Sufficient firewalls and anti-virus systems
Physical security of hardware