How to Conduct a Physical Security Assessment in 7 Steps
Safety and Security Mar 01, 2024

It’s hard to prevent a threat you don’t know exists. Use this assessment to think proactively and improve your facility’s physical security posture.

When people think about physical security, they often imagine a simple process. Lock the doors, make sure smoke detectors and alarms are working, and mount cameras around entrances to the building.

Covering the basics is important, but the devil is in the details. The door to the loading dock doesn’t quite latch closed sometimes. There’s a light in the parking lot stairwell that’s been out for two weeks. You haven’t updated evacuation plans and maps after a company reorganization.

None of these issues is an immediate hazard, but they all represent potential security threats that could harm your company’s people and property. As a security professional, mitigating these identified risks before they materialize is one of your core objectives. But to solve a problem, you need to know it exists in the first place. That’s where a physical security assessment comes in.

“Having a good solid plan is crucial to security. And you need flexibility in the plan so you’re able to change direction on a dime, as security is very reactive. It’s also important to have the right technology and individuals trained to use it to its full potential, and you should always be looking for better tools.” — Joe Holokan, Manager of Central Region Security at Cox Enterprises

In this article, we’ll cover what a physical security risk assessment is, why it’s important, and a physical security assessment template so you can better protect your organization.

What Is a Physical Security Assessment?

A physical security assessment is a comprehensive audit of your organization’s physical security measures protecting your facilities, personnel, and assets. The assessment process evaluates your security systems and procedures relative to the threats and risks you face and recommends ways to improve physical security in the workplace. While security should be an organization-wide focus and cyberthreats are more important to address than ever, network and IT security is outside the scope of a physical security assessment.

Unlike more limited evaluations—such as testing fire alarms or ensuring cameras are working—a physical security audit is a 360-degree review. It covers everything from your building and security systems to plans and procedures to potential threats from your surrounding environment.

Some organizations have the expertise and resources to perform physical security assessments in-house, but many companies turn to security consultants who specialize in them. When possible, it’s best to both leverage your security team’s knowledge and engage a specialist—an extra set of eyes can provide fresh perspectives and catch details that might otherwise slip through the cracks.

Why Are Physical Security Risk Assessments Important?

You must be ready for remediation if an emergency does unfold, but mitigation is preferable. At its core, security should prevent negative outcomes, be they injuries, loss of life, property damage, or theft. A physical security audit reduces the likelihood of these outcomes by identifying potential risks so you can implement security controls.

However, improved overall security through risk assessment isn’t merely preventative—it provides benefits in a few other ways too.

Improve business resilience and risk management

Every company will face challenges, whether it’s severe weather, accidents, or acts of malice. An in-depth physical security assessment can identify vulnerabilities for all of these scenarios and curative measures you can take for risk mitigation. By implementing these safeguards, you can improve your business resilience and give your team the resources they need to deal with problems as they occur.

Foster a positive safety culture

One of the key tenets of a positive safety culture is providing an environment where employees believe you have their security and welfare in mind. By performing physical security assessments, addressing vulnerabilities, and communicating updated procedures, you’re displaying organizational commitment to safety and security.

Mitigate cybersecurity threats

While most penetration testing and cyberattack response planning are out of scope, physical security programs play a critical role in maintaining cybersecurity. A physical security assessment will help you identify and mitigate vulnerabilities that could lead to unauthorized physical access to critical information systems and sensitive data.

Your assessment should evaluate the effectiveness of any surveillance systems, security cameras, access controls, and security policies to ensure they meet any requirements and expectations. By revealing potential physical security weaknesses, you’ll be better able to implement improved safeguards that bolster your overall cybersecurity.

Maintain regulatory compliance

In some industries, physical threat and vulnerability assessments aren’t just a good idea; they’re a security requirement. There are a variety of regulations covering physical security—many of them related to companies storing sensitive information—but these are four of the most common:

7 Steps to a Thorough Physical Security Risk Assessment

The details and specifics will vary based on organizational and environmental factors, but the following seven areas should be part of any physical security assessment checklist.

1. Inspect your facilities and sites

The first step is to evaluate the spaces and structures you’re securing. The goal is to understand both strengths and weaknesses, remembering that physical security management isn’t just about preventing crime—it’s also about protecting against accidents, security incidents, natural disasters, and other potential threats.

Here are some of the most common items to consider during a building security assessment:

  • Is there appropriate lighting in both internal and external spaces?
  • What are the sightlines like around entrances and exits to the facility?
  • Have electrical systems and wiring shown any signs of degradation?
  • Are there any plumbing issues that could lead to building damage or accident hazards?
  • Do all of the doors, windows, gates, and other points of entry close and lock properly?
  • Are areas with critical assets physically partitioned from spaces with general access?
  • Is safety equipment, like fire extinguishers and smoke detectors, all in good working order?

2. Audit your physical security systems

Next, you need to assess your security systems and how they cover the physical spaces your company has. Target-hardening techniques include:

  • Access control systems, whether they’re biometric, card-based, or old-fashioned keys
  • Personnel, including supervisors, staff in your security operations center (SOC), and security guards throughout your facility
  • Surveillance cameras, monitors, and storage devices that contain recordings
  • Alarm systems and supporting systems that notify local law enforcement in the event of a problem

Since all of these systems work hand-in-hand, the questions you’ll ask will usually involve interactions between systems and/or resources. For example:

  • Are there any times of day when security personnel aren’t monitoring the CCTVs covering sensitive areas?
  • Are there alarms that should go off if someone bypasses access control systems, and will they notify the right people?
  • Does your surveillance camera network have any critical blind spots that would allow unauthorized access?
  • Can your SOC seamlessly leverage all of your security systems to prevent and respond to security issues as they arise?
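
The first question above, about times of day when nobody is watching the cameras, can be answered mechanically from a monitoring roster. The following is an added example, not part of the original article; the zone names and shift times are constructed sample data.

```python
# Added example: find times of day when nobody is assigned to watch CCTV feeds.
# Zone names and shift times below are constructed sample data.

DAY = 24 * 60  # minutes in a day


def to_minutes(hhmm):
    """Convert 'HH:MM' to minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def to_hhmm(minutes):
    """Convert minutes since midnight back to 'HH:MM'."""
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def coverage_gaps(shifts):
    """Return [(start, end), ...] 'HH:MM' windows in a 24h day with no monitoring.

    shifts: list of (start, end) 'HH:MM' pairs; end <= start means the shift
    runs past midnight and is split into two same-day intervals.
    """
    intervals = []
    for start, end in shifts:
        s, e = to_minutes(start), to_minutes(end)
        if e > s:
            intervals.append((s, e))
        else:  # overnight shift, e.g. 22:00-06:00
            intervals.append((s, DAY))
            if e > 0:
                intervals.append((0, e))
    gaps, covered_until = [], 0
    for s, e in sorted(intervals):
        if s > covered_until:  # nobody on duty between the two shifts
            gaps.append((to_hhmm(covered_until), to_hhmm(s)))
        covered_until = max(covered_until, e)
    if covered_until < DAY:
        gaps.append((to_hhmm(covered_until), "24:00"))
    return gaps


# Constructed monitoring rosters for two camera zones.
ROSTERS = {
    "server-room": [("06:00", "14:00"), ("14:30", "22:00"), ("22:00", "06:00")],
    "loading-dock": [("08:00", "17:00")],
}

if __name__ == "__main__":
    for zone, shifts in ROSTERS.items():
        print(zone, coverage_gaps(shifts))
```

A short handover gap like the one in the server-room roster is easy to miss on a paper schedule, which is why the check is worth running per zone rather than per shift.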

3. Review your operating procedures

Even the most robust security systems are useless if your organization’s procedures don’t align with your security goals. For example, a company manufacturing toxic chemicals would establish the security goal of keeping the general public away for everyone’s safety. But if they leave external doors unsecured and don’t partition off sensitive areas, their procedures wouldn’t reflect that goal.

In this phase of the process, you’ll assess the effectiveness of your policies and security plans. While the focus of this exercise is physical security, the rise of converged security means you’ll also be touching on cybersecurity issues.

In this step, you’ll evaluate everything from security policies to emergency plans, such as:

  • What kind of overnight/off-hours security presence do you maintain on-site?
  • How should employees report suspicious activity or a potential security issue?
  • Which essential personnel have elevated access to the facility in the event of an emergency, and how is that controlled?
  • Do you have evacuation plans available and emergency exits clearly marked?
  • Have you trained all of your employees on using your two-way communication platform?
  • Do you have emergency response plans for events like robberies or active shooter situations?
  • Are all of your employees aware of your plans and procedures and able to access them easily?

4. Identify physical security risks

Every business faces different risks based on a combination of both internal and external factors. For example, a bank in the heart of New York City houses extremely valuable assets in a dense, urban environment, with a high volume of people visiting every day.

Conversely, a vacuum repair shop in South Dakota will operate in a slower-paced environment, with fewer visitors and less valuable inventory. That’s not to say the vacuum repair shop necessarily faces fewer risks, but they’re very different from the bank’s.

Specific risk factors will vary based on your company, but these are some core topics all businesses should consider:

  • Surroundings: What are the crime rates in your area, and what types of crime are most prevalent?
  • Natural disasters: Are you in a region that’s prone to specific disasters or severe weather like earthquakes, hurricanes, or snowstorms?
  • Workforce: Does your company have high turnover and thus a repeated influx of new people in positions of responsibility?
  • Visitors or customers: Are you in an industry with a constant stream of unknown entities at your facility?
  • Inventory and assets: Do you store or possess high-value items at your facility, and how portable are they? Securing small but valuable items like gold coins differs greatly from large objects like expensive printing presses or machinery.
  • Supply chain: Are there vulnerabilities in your physical security that may create supply chain risks and interrupt business operations?

5. Anticipate any insider threats

Threats to your physical security don’t always come from external sources. There may be potential security breaches that come from inside your organization that you must work to prevent or mitigate as soon as possible. Your assessment should focus on pinpointing vulnerabilities that could be exploited by insiders (employees or staff members), such as areas with inadequate surveillance, overly permissive access controls, or insufficient segregation of duties. You can also consider implementing the principle of “least privilege,” where individuals only have the access necessary to perform their job functions and no more. These strategies, paired with an overall culture of security awareness among employees, can significantly reduce the risk of insider threats.
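
One way to check for overly permissive access and weak segregation of duties is to compare each badge's granted zones against what its role actually needs. The following is an added example, not part of the original article; the roles, zones, badge holders, and the conflicting zone pair are constructed sample data.

```python
# Added example: badge access review for least privilege and segregation of duties.
# Roles, zones, people and the conflicting pair are constructed sample data.

# Zones each role needs to do its job (the least-privilege baseline).
ROLE_ZONES = {
    "warehouse": {"lobby", "loading-dock"},
    "it-admin": {"lobby", "server-room"},
    "finance": {"lobby", "cash-office"},
}

# Zone pairs no single badge should open (segregation of duties).
CONFLICTING_ZONES = [("cash-office", "server-room")]

# Current badge grants, as they might be exported from an access control system.
BADGES = [
    {"holder": "a.ruiz", "role": "warehouse", "zones": {"lobby", "loading-dock"}},
    {"holder": "b.chen", "role": "it-admin",
     "zones": {"lobby", "server-room", "cash-office"}},
    {"holder": "c.okafor", "role": "contractor", "zones": {"lobby", "server-room"}},
]


def review_badges(badges, role_zones, conflicts):
    """Return a list of findings, one dict per badge that needs attention."""
    findings = []
    for badge in badges:
        issues = []
        baseline = role_zones.get(badge["role"])
        if baseline is None:
            # Unknown role: nothing justifies any access, so flag every zone.
            issues.append(("no-baseline", sorted(badge["zones"])))
        else:
            excess = badge["zones"] - baseline
            if excess:
                issues.append(("excess-access", sorted(excess)))
        for zone_a, zone_b in conflicts:
            if {zone_a, zone_b} <= badge["zones"]:
                issues.append(("duty-conflict", [zone_a, zone_b]))
        if issues:
            findings.append({"holder": badge["holder"], "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in review_badges(BADGES, ROLE_ZONES, CONFLICTING_ZONES):
        print(finding)
```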

6. Assess specific threats and vulnerabilities

Once you have a handle on the risks your company faces, you can assess which threats are the most realistic. The two most important factors to consider are the likelihood of a threat materializing and its potential impact on your business. For example, a meteor striking your office would be devastating, but the event is unlikely enough that you can more or less ignore it.

While assessing threats, you’ll look for potential vulnerabilities and ways to fix them with security measures. For example, a retail establishment in an urban environment would view theft as a key threat. The occasional stolen candy bar won’t put anyone out of business, but losses add up over time. With that in mind, they’d look at retail loss-prevention strategies in the context of their business to minimize theft, such as:

  • Having a security guard at the entrance as a visible means of deterrence
  • Constantly monitored surveillance cameras
  • Keeping valuable merchandise in secured areas of the store
  • Training staff on how to deal with shoplifters and whether they should engage them
  • Lighting with motion sensors to deter loitering in the evening and overnight
  • Rollup doors or external gates to provide an extra layer of security while the business is closed

7. Review and update regularly

Just like your physical security is not static, your physical security assessment shouldn’t be a one-and-done process either. Encourage your physical security staff, stakeholders, and anyone involved in the assessment process to conduct regular reviews to adapt to evolving threats, changes in the organizational environment, and advancements in security technology.

You can use tools such as after-action reviews or simply redo the assessment report entirely. These updates should be performed consistently, such as biannually, to ensure your security measures remain effective and aligned with your organization’s objectives.

A Proactive Approach to Improving Physical Security

Security professionals face a constantly evolving threat landscape, and it can feel daunting to try to predict what’s coming next and meet your organization’s security needs. Between weather, worldwide pandemics, bad actors, and the vagaries of life, there is a wide array of factors outside your control.

However, what you do control is your company’s preparedness to meet the unknown. By taking a proactive approach to identifying realistic threats and determining how your physical security shapes up against them, you can anticipate problems before they happen. You might not be able to see every hazard lurking, but you’ll have confident procedures to activate and trained individuals ready to act on known and unknown threats.
