vulnerabilities can take an all-hazards approach. Vulnerabilities can result from,
but are not limited to, the following:
Asset, building, site, or system characteristics
Equipment properties
Personal behavior
Operational and personnel practices
Security weaknesses (physical and cyber)
Vulnerability assessment methodologies can be characterized in terms of four
assessment elements—physical, cyber, operations security, and interdependencies.
Each is briefly described next.
A physical security assessment typically evaluates the physical security systems
in place or planned at a site, including access controls, barriers, locks and keys,
badges and passes, intrusion detection devices and associated alarm reporting and
display, closed-circuit television (CCTV) (assessment and surveillance), communications
equipment (telephone, two-way radio, intercom, cellular), lighting (interior
and exterior), power sources (line, battery, generator), inventory control, postings
(signs), security system wiring, and protective force. These systems are generally
reviewed for design, installation, operation, maintenance, and testing. It may also
include an evaluation of sites housing critical equipment or information assets or
networks dedicated to the operation of the physical systems.
A cyber security assessment evaluates the security features of the information
network(s) associated with an organization's critical information systems. This
could include an examination of network topology and connectivity, principal
information assets, interface and communications protocols, function and linkage
of major software and hardware components (especially those associated with
information security such as intrusion detectors), and policies and procedures that
govern security features of the network. It may also include internal and external
scanning for vulnerabilities (penetration testing).
Operations security (OPSEC) is the systematic process of denying potential
adversaries information about capabilities and intentions of the host organization.
This is accomplished by identifying, controlling, and protecting generally nonsensitive
activities concerning planning and execution of sensitive activities. An OPSEC
assessment typically reviews the processes and practices used for denying adversary
access to sensitive and nonsensitive information that might inappropriately aid or
abet any individual's or organization's disproportionate influence over system operation.
This should include a review of security training and awareness programs, a
review of personnel policies and procedures, discussions with key staff, and tours of
appropriate principal facilities. It should also include a review of information that
may be available through public access (e.g., the Internet).
Infrastructure interdependencies refer to the physical and electronic (cyber) linkages
within and among our nation's critical infrastructures (i.e., within and among