Vulnerability Assessments

According the the US General Accounting Office (Key Elements of a Risk Management Approach) “a vulnerability assessment is a process that identifies weaknesses in physical structures, personnel protection systems, processes, or other areas that may be exploited by terrorists and may suggest options to eliminate or mitigate those weaknesses. In general, these assessments are conducted by teams of experts skilled in such areas as engineering, intelligence, security, information systems, finance, and other disciplines.”

“For private sector companies, such assessments can identify vulnerabilities in the company’s operations, personnel security, and physical and technical security.
With information on both vulnerabilities and threats, planners and decision makers are in a better position to manage the risk of a terrorist attack by more effectively targeting resources…”

Global Security Planning provides in-depth Vulnerability Assessments for businesses and organizations using the experience, knowledge and professionalism of our network of certified security firms and consultants.

To help you get started, below is a sample vulnerability checklist that every organization can use to self-assess their own vulnerability. This checklist has been adapted from the FBI’s standard vulnerability assessment. This checklist does not replace a formal Vulnerability Assessment which should be performed by trained security professionals.

The Federal Bureau of Investigation (FBI) Terrorism Vulnerability Self-Assessment Checklist

This vulnerability self-assessment is intended to help determine vulnerability to terrorism and to assist local law enforcement in assessing the overall vulnerability of the community.  The  worksheet is intended to be a general guide.  It may not include all issues that would be considered in every specific operation.  Therefore, it is imperative to consider the unique character of the individual organization: its functions, its general public image, and its overall public visibility.  Consider both who may work in the organization and what the organization does.  Assess the symbolic value of the organization to the public.  Each worksheet section is ranked on a 20-point scale.  Answering this self-assessment is a subjective process.    There are no firm guidelines on how to score a category.  Since the questions are subjective, give a best estimate when scoring each question.

It is important to remember that the most important threat reduction measure is vigilance on the part of the organization’s staff, their awareness of anything out of the ordinary and their prompt communication of that information to the organization’s security team or management. This assessment follows exactly the same format as the community assessment performed by local law enforcement to assist in preventing criminal acts committed by terrorists.  Based on the results of this assessment, the organization may wish to share a copy with law enforcement, or to include their representative in the assessment process, to support their understanding of the organization’s function and its role in the community.

This assessment should be conducted at least annually, and within the year if there is an increased threat of a terrorist event or whenever there is a significant change to the organization’s facilities or activities.

Upon receipt of a high risk assessment, each law enforcement agency sheriff, chief of police, head, or his/her designated representative may forward that assessment, or other threat report, to the state Emergency Management Agency (or equivalent),to state law enforcement, or to the local FBI office.

The Assessment

This assessment checklist is broken down into 17 different categories as follows:

1. Potential Terrorist Intensions.
2. Specific Targeting.
3. Visibility of Your Facility or System Within the Community.
4. On Site Hazards.
5. Population of Sites, Facility, or Activity.
6. Potential for Mass Casualties.
7. Security Environment and Overall Vulnerability to an Attack.
8. Critical Products of Service.
9. High Risk Personnel.
10. Organization Communication Systems.
11. Security and Response.
12. Policies, Procedures, and Plans.
13. Security Equipment.
14. Computer Securities, Cyber Crime, and Cyber Terrorism.
15. Suspicious Mail and Packages.
16. Telephone, Bomb, and other Types of Threats.
17. Employee Health and the Potential for Bio-terrorism.

Click on the link in the sidebar to view the Self Assessment or download the Self Assessment as a Microsoft Word file.