RISK RATING SCORE

CRITICAL IMPACT MODERATED LIKELIHOOD MODERATE

FUNCTIONS VALUE VALUE (%) D VALUE
( X 2) VALUE
( 2X10)
PHYSICAL
SECURITY 5 10 3 60%
(PS)
ADMINISTRATIV
E SECURITY 3 6 5 100%
(AS)
INTERNAL
CONTROL 3 6 2 40%
(IC)
FIRE FIGHTING
(FF) 4 8 4 80%
IN-
HOUSERULES 5 10 5 100%
(IHR)
 ORGANIZATIONAL RISK MATRIX CHART

WARISAN CITYVIEW B CONDOMINIUM / L & M RISK EXPOSURE LEVEL

10
X X
VERY
HIGH (PS) (IHR)
9
HIGH

8
X

(FF)
7

6
L I KE L I H O X X
O D (%)
(IC) (AS)
5
10 20 30 40 50 60 70 80 90 100

3
I
2 MODERA
LOW
TE
1

: OVERALL RISK EXPOSURE LEVEL - VERY HIGH

(IMPACT 8 / LIKELIHOOD 76%)
CRITICAL FUNCTIONS - PROTECTIVE MEASURES
1. PHYSICALSEC Perimet Lighti Alarm Lock Total QUALITATIVE
URITY er ng Syste Securi Scor RATING
System Syste m ty e
m
Assigned 18 95 0 24 137 Moderate
Weighted Score
Total weighted 87 120 72 26 305
Score
2. ADMINISTRATI Employ Guard Contr Traffic Total
VE SECURITY ee Servic ol Contr Scor
Control e Signa ol e
s ge
Assigned 0 30 4 90 124 Moderate
Weighted Score
Total weighted 66 72 40 108 286
Score
3. INTERNAL Access Key Safe Petty Total
CONTROLS Control contr Contr Cash Scor
ol ol e
Assigned 48 49 54 12 163 HIGH
Weighted Score
Total weighted 72 54 63 32 221
Score
4. FIRE Fire Surveillance / Protection Total
FIGHTING System Scor
SYSTEM e
Assigned 18 18 Low
Weighted Score
Total weighted 60 60
Score
5. IN-HOUSE In-house Rules Total
CONTROL &Regulations/Procedures Scor
e
Assigned 0 0 Very Low
Weighted Score
Total weighted 128 128
Score

Total Assigned/Rated Weighted Score 442

Grand Total weighted Score 1000

WEIGHTED SCORE DESCRIPTIVE ASSIGNE CHECK

RANGE EVALUATION D APPROPRIA
SCORE TE
RATING
1. 0 - 700 Facility Assets NOT 442 / Low Level
 Adequately Protected 1000 Protection
2. 701 - 900 Facility Assets - Medium
ADEQUATELY Level
Protected Protection
3. 901 - 1000 Facility Assets WELL - High Level
Protected Protection
Strategies
can include
architectural hardness, access control measures, guards, obvious cameras, witnesses,
alarms, and alarm signs. To be effective as a deterrent, countermeasures must be visible
and must seem to create too much risk to carry out the attack. Ultimately, the entire baseline
security program is about deterrence, and it
Deterrence is achieved through making countermeasures visible enough that possible
threat actors think twice about their crime. Deterrence countermeasures creates the
environment for all the other
countermeasure functions .

type of countermeasure, grouped by functions.

Function classes include:
Entry control
Detection
Assessment
Delay
Response
Evidence
Entry methods: Without access by a threat actor, there is no risk, so access
control
is a key concept in security. Entry methods may vary depending on the type
of facility. The following list is an example only. Typical entry methods used by
threat actors include:
False credentials
Social engineering
Entry by threat
Forced entry
Breaking and entering
Insider

A good countersurveillance program includes:

Ample use of video surveillance in exterior and public spaces
Trained and alert security officers
Trained and alert console officers
Loitering detection software on the video system

Attack Detection
Once an attack of any kind is under way, whether it is terrorism, economic crime, violent
crime, subversive action, or a petty crime, it is important, where possible, to be able to
detect the crime under way.
Detection countermeasures may include:
Intrusion detection system on property and building perimeters
Intrusion detection system applied to critical passageways and internal spaces
Duress alarms at critical counters and desks
Hold-up alarms

Assessment

When an attack is detected, it is then necessary to assess the threat for the following reasons:
Is the detection real, false, o r a nuisance detection?
If the detection is real, what are the level and nature of the threat actors?
What is their goal?
 What weapons are they carrying?
What are their tactics?
Does this appear to be unfolding as a property or violent crime or a property
crime with potential for violence?
Are they employing countersurveillance methods?
How are they dressed? How can law enforcement recognize the threat actors
from ordinary employees or customers?
What is their apparent exit strategy?
Is the detection real, false, or a nuisance detection?

Economic crimes
Robbery
Burglary
Insider theft
Proprietary information theft
Crimes against the organizations business reputation
Computer crimes
Violent crime attack scenarios
Violence against employees
Violence against the public on the organizations property
Bladed weapons
Handguns
Available weapons

Petty crimes
Purse snatching/pickpocketing
Vandalism
Prostitution, pimping, and pandering
Other petty crimes

Disturbance causers

Establish Access Control

Establish area access levels
Establish access authorizations for various classes of users
Establish access vetting and authorization granting for:
Hiring and contracting
Management
Staff
Contractors
Vendors
Visitors
VIPs
Public
Department visitors
 Tenant departments
Vehicle access to the property
Parking by classes of users
Establish Standards of Behavior for:
Use of the facility
Use of internal roadways and curbs
Courtesy of interactions between staff, visitors, and security officers
Respect for the directions of security officers
Establish Standards for Security Posts and Patrols
What is the purpose of posts?
What are the purpose and goals of patrols, including routine and investigative?
What are the standards for event responders?
Establish Standards for Use of Security Technology, Including Alarms,
Video, Monitoring, Radios, and Coordination with Security Management
and Responders
real-time video feeds- monitor and appropriate level of FPS
Establish a Weapons Policy for the Security Unit and Employees and Visitors
Establish the Criteria for a Public Agency Liaison Program
Establish the Criteria for a Crisis Management Program
Establish an Information Technology Security Liaison Policy
Establish a Department Management Security Liaison Policy
Establish the Criteria for a Security Investigations Program
Establish the Criteria for a Security Intelligence Program
Establish Standards for Training of:
Security management
Security staff
Security contractors
Establish Security Management Metrics

Nonregulatory -Driven Policies

Nonregulatory-driven policies include all policies that are not required by law or regulation.
However, many of these are required by organization charters.
The key policy development should include policies to:
Protect People
Protect Business Operations
Protect Proprietary Information
Protect the Organizations Business Reputation
Protect Property

Implementation objectives and strategies include:

Control access to the target, denying access t o possible threat actors.
Where possible, deter threat actors from acting.
Detect any threat action.
Assess what has been detected.
Delay the progress of any threat actor into or out of the facility.
Respond to any active threat action.
Gather evidence for prosecution, investigations, and training.
Comply with the business culture of the organization.
Minimize any impediment to normal business operations.
Help to create an environment where people feel safe and secure and can focus
on the purpose of the organization.
 Design programs to mitigate possible harm from hazards and threat actors.

Modes: Access control has two modes:

1. Passive Screening of employees, contractors, and vendors
2. Active Screening of entry by employees, contractors, vendors, and visitors
Passive Strategies:
Develop an employee/contractor/vendor screening program
Screen for criminal background, drug abuse (and financial responsibility
where possible)
Enforce it strictly
Active Strategies: Access control should be arranged in layers, typically including:
Public areas
Semipublic areas
Controlled areas
Restricted areas
Public layers will be nearest the main public door, such as a public lobby,
customer waiting area, or service desks.
Semipublic areas are areas where the general public may not freely go, but
where they may be escorted, such as to an interview or triage room or emergency
department in a hospital.
Controlled areas are for those individuals with authorization, such as nonpublic
office floors, mechanical rooms, auto-mechanic work areas, airport
tarmacs, and so forth.
Restricted areas are those that require a high degree of vetting and where
access is limited to a relatively small number of persons, such as research
and development areas, the boardroom, main information technology server
room, cash vaults, counting rooms, and so forth.

Goals
Once a threat action is detected, a response is possible. Responses to threat actions
could include:
Take no direct action to counter the threat actors, instead try to minimize any
potential harm to innocent people.
Gather evidence for an investigation and for a postevent analysis resulting in
scenario planning and training later.
Call others (such as the police) for help.
Intervene directly against the attack to stop it and capture the threat actors.

The security program should include elements to deal with unwanted exceptions,
such as:
Intruders and Offenders
Disruptive People
Medical Emergencies
Natural Disasters
Civil Disorder and Riot
Loss of Business Continuity
Chemical, Biological, Radiological Emergency
Challenges to the Security Program from Outside and Inside Sources
Implementation strategies include:
Control access to the target, denying access t o possible threat actors.
Deter any threat action from occurring.
Detect any threat action.
Assess what has been detected.
Respond to any active threat action.
Gather evidence for prosecution, investigation, and training.
Comply with the business culture of the organization.
Minimize any impediment to normal business operations.
Help to create an environment where people feel safe and secure and can focus
on the purpose of the organization.
Design programs to mitigate possible harm from hazards and threat actors.

Typical Baseline Security Program Elements and Implementation

Program Elements
Hi-Tech Program Elements
Alarm/access control system
Parking access control system
Security video system:
Fixed and pan/tilt/zoom (PTZ) exterior cameras
Fixed and PTZ interior cameras
Video analytics
Security communications systems:
Digital two-way radio system (part of the telecommunications package)
Security intercom system
Command/control elements:
Lobby consoles
Security management console
Main and archive servers
Situation awareness software
Lo-Tech Program Elements
Perimeter control elements (fencing, etc.)
Pedestrian and roadway barriers, such as:
Office lobby turnstiles
Roadway barriers (lift-arm gates)
Automated road blockers
Lighting (part of the electrical package)
Locks (part of the architectural package)
Signage (part of the architectural package)
Crime prevention through environmental design (CPTED) elements
Security landscaping
Security architectural elements
No-Tech Program Elements
Management elements
Security program planning
Security management acquisition
Security policy development
Security procedures development
Security program metrics development
Security guard program
Posts (also called a fixed patrol)
Patrols
Security guard training program
VIP handling program
Mobile procedures (drop-off areas)
 Fixed procedures (in-house areas)
Liaison with VIP security staff
Security awareness program
Security communications program

Types of Countermeasures
Security i nvestigations program
Law enforcement liaison program
Baseline Security Program Implementation
Planning
Security supervisor hiring
Supervisor training
Security officer hiring
Security officer training
Scenario rehearsals
Daily operations training
Security program documentation
Baseline Security Program Phasing
Planning
Implementation
Training
Review
Designing Baseline Countermeasures
Follow these steps to design countermeasures for a baseline security program:
Access Control Program
Define access zones, such as:
Public zones
Semipublic zones
Controlled zones
Restricted zones
Define which assets require what level of zoning, then zone to those
requirements.
Define control points between zones. These will be the access control locations.
Determine what kind of access control is required at each control point (card
reader, biometric reader, vehicle lift gate, vehicle sliding gate, etc.).
Determine which access control locations need guard assistance (visitor badge
issuance, etc.).
Determine which access control points need intercom assistance (vehicle
parking gates, etc.).
Define the access credential program (photo ID badges, etc.).
Way-finding signage
Define the Detection Program
Perimeter detection
Facility perimeter
Building perimeter
Interior detection
Space detection
Duress alarms
Define the Assessment Program
Video assessment
Audio assessment
Two-factor alarm assessment

Define the Deterrence Program

 Patrols
Posts
Signage
Security awareness program
Security investigations program
Define the Response Program
Communications
Guards
Vehicles
Armed/unarmed
Response training requirements
Security-related medical emergencies
Define the Evidence Gathering Program
Video and audio archiving elements
Crime scene security principles
Evidence preservation
Witness statements
Follow-up investigations and training