Reworking the Taxonomy for Richer Risk Assessments
by Ernie Hayden
By accommodating unique requirements and conditions at different sites, security pros can dig deeper get a clearer sense of organizational risk.
For many years, I have been performing risk assessments of multiple large facilities. These risk assessments have ranged from major power plants to large substations to oil/gas pipelines to oil sands facilities to multistory office buildings. One thing I began to realize over the years is that each risk assessment had its own nuances; however, the approach I took was generally the same making it a richer risk assessment.
The assessments are generally conducted following three phases: pre-assessment/planning, on-site risk assessment, and reporting.
With pre-assessment and planning, you need to think about the desired outcome (i.e., identify the risks to the facility) and identify the necessary actions to mitigate or eliminate the risks and associated vulnerabilities.
Now comes the fun part: Getting on-site and looking for threats and vulnerabilities.
Don’t forget these threats and vulnerabilities can be cyber or physical. They can also be part of the site management and culture. What about training or lack thereof? They can all contribute to the risk profile of the facility.
Just like the phrase says, the work isn’t complete until the paperwork is done! In fact, this is very important in order to help your customer — that is the manager of the facility you just inspected — to understand their threat profile, understand what they need to fix, and understand what needs to be mitigated first (that is, categorized risks).