Security Surveys

How can a security executive prove to the C-suite that all facets of the business that are susceptible to risk are covered adequately by the company’s security program? How can that same executive hold his or her employees accountable for assessing those programs and implementing improvements?

One way to answer these questions is through a comprehensive security survey, a long-time staple in the security manager’s toolbox. In general, the purpose of a security survey is to determine if a company’s security measures and programs are adequate to counter the risks that business confronts.

Confirming that security programs are adequate not only assures executives, customers, visitors, and employees, but also provides protection against claims of inadequate security, or negligence. In this case, the survey provides proof that the company foresaw the risks and implemented appropriate countermeasures.

Many versions of a security survey have been published through the years. The examples here provide an array of choices that can be tailored to specific businesses, industries, and institutions.

» View Past Security Spotlight Topics

Featured Resources Available to All

(free ASIS website account required)

Book Excerpt
Physical Security Principles (Chapter 3)
Planning and Conducting Physical Security Assessments (pdf)

A thorough and accurate understanding of the situation is critical to any physical security project—whether a complete system design or a simple component upgrade. The basic tool for developing this understanding is the security risk assessment or security survey.

Although there is almost universal agreement on this fact, confusion may arise from the wide variety of assessment models and approaches. These vary by industry sector, region or country, specialty area, and even individual consultant. A few national and international standard risk assessment models exist, but for this purpose they may be limited in usefulness because of their general nature or other considerations. 

This chapter provides a general framework for security risk assessment (rather than a specific model) and then presents a more specific framework for the security survey (also known as a physical security assessment). While physical security professionals should be somewhat familiar with the concept of a comprehensive security risk assessment, they should be intimately familiar with security surveys since these form the basis for any physical security project, are the largest portion of field work used to collect data, and accumulate evidence to support countermeasures.

Recorded Conference Session 
phishing graphic.PNG Phishing Assessments: More than Security Awareness

Common technologies to mitigate messaging attacks can only go so far in protecting organizations from cyber attacks. The increased complexity of these attacks and the ​creative social engineering schemes that commonly accompany them rely on the employee to be the final protection measure. Discuss how a cross-functional phishing assessment program can be standardized. Learn how the resulting data can be used not only to feed into the security awareness program, but also to correlate user risk analytics. Identifying employee risk by geography, device type, and role can support new ways to mitigate cyber attacks using existing technology that relies less on users.

Other Resources 

Selections from the book High-Rise Security and Fire Life Safety
Risk Assessment, Office Building Physical Security Survey;
Sample Office Building Physical Security Survey Checklist

Selections from Risk Analysis and the Security Survey
Security Survey Work Sheets
BONUS Security Survey: An Overview

Free for ASIS members only
Security Management Standard: Physical Asset Protection [ANSI/ASIS PAP.1-2012]

Buy this book! High-Rise Security and Fire Life Safety, Third Edition
By Geoff Craighead (Butterworth-Heinemann/Elsevier, 2012)
Chapter 4: Risk Assessment, Office Building Physical Security Survey
Appendix 4-1: Sample Office Building Physical Security Survey Checklist

In Chapter 4 of his book, Geoff Craighead asserts that a physical security survey will involve two major tasks: conducting a fact-finding investigation and preparing a written report of the results. Before embarking on these tasks, Craighead advises identifying the scope of the survey, setting a timeframe for its completion, and identifying who has the authority to implement the survey’s findings.

During the investigation, the following tasks are among those that should be completed:

  • Review applicable codes, standards, and ordinances.
  • Examine reports of incidents that have occurred on the property in at least the past three years.
  • Collect crime statistics for the property’s neighborhood.
  • Visit the site at various times of the day.

The written report should be a formal document with a cover letter and a summary of the survey’s methodology, tangible and intangible assets, site description, threats, recommendations, and an executive summary. The author cautions that opinions on the state of the overall security program should be reserved until the fact-finding and report is complete.

Appendix 4-1 is a detailed survey template with questions to gauge the current state of security operations on everything from the building’s perimeter, to its parking areas, utility closets, cafeteria, and janitorial operation.

Buy this book!Risk Analysis and the Security Survey, Fourth Edition
By James Broder, CPP, and Eugene Tucker, CPP (Butterworth-Heinemann/Elsevier, 2012)
Appendix A: “Security Survey Work Sheets.”

This appendix can be used to assist in performing physical security surveys in most industrial settings. Using a question format, the authors’ intent is to reduce the possibility of neglecting a review areas of importance and to assist in gathering material for the survey report. Before starting a detailed examination and study of a facility, they suggest conducting interviews on eight topics, including the cafeteria, the credit union, the company store, and classified operations. Answers collected in these interviews will help develop the degree of control required for various areas.

Next, answers to detailed questions grouped into 12 categories can be obtained by touring the facility. Categories and sample questions include the following:

  • Shipping and Receiving: How are truck drivers controlled? Do they have a designated waiting room?
  • Locking Devices: What type of security containers are used to protect money? Securities? High-value metals? Government classified information?
  • Perimeter Security: Are small buildings near the fencing? If so, is the height of the fencing increased?

BONUS! Download Chapter 7 - The Security Survey: An Overview

Members Only Resources

Security Management Standard: Physical Asset Protection [ANSI/ASIS PAP.1-2012]
(ASIS International, 2012)

This standard represents a comprehensive management approach for applying security measures for physical asset protection (PAP). Its eight sections provide a framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving physical protection systems. In its Introduction, the standard acknowledges that all organizations face a certain amount of risk. The challenge is to determine how much risk is acceptable and how to cost-effectively manage the risk while meeting the organization’s strategic and operational objectives. To meet those objectives, choices must be made. This standard assists organization in achieving a balance between acceptable risk and the investments required to manage those risks.

Following sections on leadership, governance, and organizational resilience management, the standard’s Annex B sets a framework for a security survey, which involves an examination and evaluation of a facility and its policies, procedures, and operations to ascertain its present PAP status. The survey should achieve the following:

  • A comprehensive and integrated security risk analysis and assessment across the organization.
  • A range of potential solutions and their consequences.
  • The development of security risk management, continuity, response, and recovery programs.