Information
-
Document No.
-
Audit Title
-
Client / Site
-
Conducted on
-
Prepared by
-
Location
General Security Assessment
General Information
-
Does the organization have a dedicated security group in place? (Not including security officers)
-
Does the head of security report to the executive level?
-
Are there sufficient full-time internal security resources (not including security officers), including support staff, to meet the organization's security needs?
-
Are there formalized job descriptions for each internal security position?
-
Is there a formalized organizational chart for the security group?
-
Does the security group provide Senior Management with a periodic security status report?
-
Is the security program reviewed on an annual basis?
-
Is the security budget developed using demonstrated needs?
-
Is the location to be assessed comprised of standalone building(s)/facility(ies) located on property where the organization is the sole tenant?
-
Is there a site plan for the property?
-
Are there floor plans for the individual facility(ies)?
Threat, Risk, Impact and Consequence Assessment
-
Has an analysis of the history and future risk of crime occurring in and immediately around the property, through a process such as "CapIndex" or "CrimeCast" or using police data, been completed?
-
Have all existing and reasonably foreseeable threats been identified?
-
Have the levels of risk, associated with individual threats, been determined and quantified?
-
Have the impacts or potential injury to the organization been identified in relation to each threat event and risk level?
-
Have the consequences to the organization been delineated in relation to each potential injury?
-
Has senior management been made aware of these risks and the potential consequences?
-
Is there a formalized process in place by which the risks and consequences are reviewed on a periodic or event driven basis?
-
Does the organization have a formalized security contingency planning process, including a business resumption plan, in place?
Crime Prevention Through Environmental Design (CPTED)
-
CPTED combines several concepts, including but not restricted to Access Control, Territorial Reinforcement, Natural Surveillance and Community Involvement, to reduce the opportunity for crime.
-
Have fundamental CPTED concepts been applied in the design of the property which surrounds the facility?
-
Is the client's property or building(s) easily viewable from the nearest public thoroughfare?
-
Are fundamental CPTED concepts followed on a continuing basis with respect to the maintenance of property which surrounds the facility?
-
Once on the property, are there clear sight-lines to the employee and visitor entrances?
-
Have fundamental CPTED concepts been applied in the design of the facility?
-
Have fundamental CPTED concepts been followed on a continuing basis with respect to the interior of the facility?
Physical Security Protections
Perimeter Fencing/Barriers, including points of access (controlled or not)
-
Does the property have a secure exterior perimeter?
-
Do exterior walls of a building(s)/facility act, in any location, as a perimeter to the property?
-
If the property perimeter is protected by a fence, is the fencing material at least six feet high?
-
Is the fencing maintained and in good repair?
-
Is the fencing constructed of materials which allows a view of the area on the opposite side of the fence?
-
Is there a 'top guard' at least one foot in height, attached to the top of the fence line?
-
Is the 'top guard' maintained and in good condition?
-
Is the fencing constructed flush to, or below, grade level?
-
Does the fencing show indications of damage caused by persons climbing over the fence?
-
Are inactive pedestrian gates in the fence line secured 24 hours per day?
-
Are active pedestrian gates in the fence line secured during business hours?
-
Are pedestrian gates in the fence line secured during non-business hours?
-
Are inactive vehicular gates in the fence line secured 24 hours per day?
-
Are active vehicular gates in the fence line secured during business hours?
-
Are active vehicular gates in the fence line secured during non-business hours?
-
Are unsecured gates staffed by security personnel?
Signage and Way Finding
-
Is there signage appropriate for the nature of the property/facility in place?
-
Is the signage material in good repair?
-
Are signs mounted at 100 foot (minimum) intervals around the perimeter of the property?
-
Are the messages on the signage easily read?
-
Have multiple language considerations been addressed and applied?
-
Does signage direct persons from the parking area and property directly to the appropriate point of contact?
-
Are staff and visitor parking areas clearly marked?
Visitor and Contractor Access
-
Are visitors required to sign in/out of the facility?
-
Is a statement of "confidentiality of information" part of the visitor/contractor sign-in process?
-
Are visitors issued appropriate identification badges?
-
Are visitor identification badges required to be worn above the waist?
-
Is vouching for a visitor by an employee or other known person allowed?
-
Are unescorted visitors allowed into the facility?
-
Are contractors issued identification badges which identify them as contractors?
Exterior Lighting
-
Is exterior lighting in place?
-
Does the existing lighting illuminate the entire property?
-
Is there a formal lighting plan for the general property?
-
Are standard lighting fixtures backed up by motion activated lighting in critical areas?
-
Does an automated power-save program control exterior lighting?
-
Is exterior lighting visually adequate in the opinion of employees?
-
Does the nature and configuration of exterior lighting avoid high-contrast (light vs dark) areas?
-
Are all exterior lighting fixtures working?
-
Has the level of exterior lighting been measured and evaluated against available standards in the last two years?
-
Is there a regular or periodic lens/refractor/reflector cleaning and maintenance program in place?
-
Is there a bulb maintenance/replacement program in place?
-
Have exterior lighting fixtures been subjected to vandalism?
-
Is the exterior lighting system supported by an emergency power system?
Exterior Personal Alarm Stations
-
Are personal alarm stations in place around the parking and exterior pedestrian areas?
-
Are all stations in good repair?
-
Have all stations been physically tested within the preceding 12 months?
-
Are all stations equipped with a strobe light which immediately activates when the duress button is pushed?
-
Are all stations equipped with a variable pitch annunciator which immediately activates when the duress button is pushed?
-
Are all stations equipped with a two-way communication system which immediately activates when the duress button is pushed?
-
Are all stations live monitored by an off-site monitoring group?
-
Are all stations live monitored by an on-site monitoring group?
-
Do all stations have to be deactivated by a response person attending the scene?
-
Can all stations be deactivated remotely from the monitoring locations?
Closed Circuit Video Equipment
-
Are cameras used to view interior sensitive areas of the facility?
-
Are cameras used to view the property on which the facility (building) is located?
-
Has the use of and expectations of the camera system been delineated?
-
As required, are cameras contained in appropriate environmental or tamper resistant housings?
-
Are exterior cameras appropriately placed to monitor all access and egress points to the property?
-
Can all areas of the general property be viewed by exterior cameras?
-
Can the existing cameras positively identify persons and items such as vehicle license plates?
-
If color cameras are used for exterior applications, has lighting been implemented which specifically supports color imaging?
-
Do any of the exterior cameras incorporate a Pan-Tilt-Zoom (PTZ) capability?
-
Are all exterior camera images, as viewed on the monitor, visually adequate for their defined purpose during daylight hours?
-
Are all exterior camera images, as viewed on the monitor, visually adequate for their defined purpose during night hours?
-
Does the exterior lighting power-save program adversely affect individual camera performance?
-
Are internal cameras used to view visitor reception areas?
-
Are internal cameras used to view access/egress points to sensitive areas?
-
Are all interior camera images, as viewed on the monitor, visually adequate for their defined purpose during regular business hours?
-
Are all interior camera images, as viewed on the monitor, visually adequate for their defined purpose during non-business hours?
-
Do any of the interior cameras incorporate a PTZ capability?
-
Are the camera images constantly monitored by security officers or others?
-
Are the images from the cameras recorded?
-
Are the recordings kept in a secure location?
-
Are recordings stored for a set period of time?
-
Are recordings stored for a minimum of 30 days?
-
Is the digital video recorder stored in a secure location?
-
Are digital images downloaded to another storage medium in order to provide at least twice the storage capacity of the principal hard drive?
-
Is there a formalized and regular camera housing/lens-cleaning program in place?
-
Are exterior cameras integrated with other external security/safety systems?
-
Are interior cameras integrated with other external security/safety systems?
-
Is there a legend/diagram of the exterior and interior camera systems?
Access Control Systems
-
Is there an automated access control system in place for the facility?
-
Is the management of the access control system the responsibility of a group other than the organization being assessed?
-
Is there a photo ID system in place for the facility?
-
Does the access card issued to the employee also bear their photograph?
-
If the Access Card and Photo ID Card systems are separate, is the management of the Photo ID Card system the responsibility of a group other than the organization being assessed?
-
Is the access control system continuously monitored on-site?
-
Is the access control system continuously monitored off-site?
-
Is the access control system also used to monitor on-site intrusion detection alarms?
-
Are system activity reports printed and reviewed on a regular basis?
-
Are all facility perimeter doors controlled or monitored by the access control system?
-
Are all employees required to enter the site/facility through points secured by the access control system?
-
Is authorization required to obtain a new or replacement access card?
-
Is there a process in place which confirms to the manager that an employee has been issued a card?
-
Are access cards programmed and issued on site?
-
Are non-issued access cards stored in a secure container?
-
Are non-issued access cards subject to a periodic audit?
-
Are individual cards assigned access privileges based on the employee's work area and hours of work?
-
Are temporary access cards issued to employees who arrive on site without their personal card?
-
Are temporary access cards programmed to limit access?
-
Is there a formalized tracking system in place for employees who show up for work without their access card?
-
Are door forced open notifications displayed as an alarm by the system?
-
Are door hold open notifications displayed as an alarm by the system?
-
Are cards of terminated/departing employees deleted from the system the same day the employee leaves the facility?
-
Is the access control system integrated with any other security technology component?
-
Is a 'supervised guard tour' function utilized as part of the access control process?
-
Is there a legend or system diagram which shows the location of the access control system components?
-
Are the access control system and its components inspected and tested on a periodic basis?
Intrusion Detection (Alarm) System
-
Is there an intrusion detection system in place?
-
Is management of the intrusion detection system the responsibility of a group other than the organization being assessed?
-
Is the system, or components of it, continuously monitored onsite during business hours?
-
Is the system, or components of it, continuously monitored offsite during business hours?
-
Is the system, or components of it, continuously monitored onsite during nonbusiness hours?
-
Is the system, or components of it, continuously monitored offsite during nonbusiness hours?
-
Are monthly system activity reports printed and viewed on a regular basis?
-
If monitored offsite, are alarm notifications and their resolutions reported to the organization on an individual basis?
-
If monitored offsite, is there clear policy with respect to the action required of the monitoring agency?
-
Is a mobile security patrol dispatched to the facility by the monitoring agency when an alarm is received?
-
Does the monitoring agency have a call-out list of the organization's personnel to notify when alarms are received?
-
Are individual arm/disarm codes issued to employees?
-
Are group arm/disarm codes issued to groups of employees?
-
Are arm/disarm codes changed on a regular basis?
-
Are there personal alarm stations (duress buttons) connected to the intrusion detection system?
-
Are the personal alarm stations monitored onsite?
-
Are there audible alarms or strobe lights activated on site when a personal alarm is activated?
-
Are the personal alarms monitored offsite?
-
If monitored offsite, is there a clear policy with respect to the action required of the monitoring agency?
-
Is the intrusion detection system integrated with any other security technology component?
-
Are the intrusion detection system and its components inspected and tested on a periodic basis?
Management and Control of Locks and Keys
-
Is control and issuing of locks and keys the responsibility of a group other than the organization being assessed?
-
Has the facility locking system been re-keyed within the last 5 years?
-
Have any Grandmaster, Master, or Sub-Master keys been lost or stolen since the last re-key?
-
Are high security locks and keys used to secure the facility?
-
Are high security locks and keys used to secure sensitive areas within the facility?
-
Are keys marked 'DO NOT DUPLICATE'?
-
Is a door or area re-keyed when keys are reported lost or stolen?
-
Is a key tracking system used to control and account for the issuance of keys to employees?
-
Are employees required to sign for the keys they receive?
-
Is an automated key tracking and issuance system used to control keys?
-
Are spare keys stored in a secure container within the facility?
-
Is the key control ledger/system subject to periodic audit by management?
Information Systems Physical Security
Physical Security of Network and Hardware Components
-
Is there a current Information Systems Threat, Risk, Impact and Consequence Assessment in place?
-
Is there a current Information Systems Business Continuity Management Strategy in place?
-
Are the principal information system network components, such as the LAN/WAN servers and routers located at one principal location within the building?
-
Is the principal location (i.e., the Network Room) physically located away from the exterior walls of the building?
-
Are all information system communication pathways on the property and within the building strongly protected against accidental and premeditated damage?
-
Is access to the network room restricted to information systems employees and key management staff?
-
Do contractors and information systems maintenance personnel, or others, have unescorted access to the network room?
-
Is there a contractor sign in ledger for the network room?
-
Are the network room perimeter walls fully constructed between the floor and the ceiling?
-
Is access through all doors to the network room controlled by an automated access control system?
-
Are automated access control system access/egress reports for the network room printed and reviewed by a manager on a regular basis?
-
If an automated access control system is not in place, are all doors to the network room secured by a heavy duty mechanical lock which incorporates a high-security key cylinder?
-
Is the network room equipped with an intrusion detection system?
-
Are intrusion detection system arm/disarm codes changed on a regular basis?
-
Is an individual arm/disarm code issued to each information system employee?
-
Is the network room intrusion detection system monitored continually while the room is not occupied?
-
Are monthly intrusion detection system activity reports reviewed by the manager on a regular basis?
-
Are intrusion detection system "exception" reports received by the manager within 24 hours of the event?
-
Do video cameras monitor the network room access/egress points and interior mission-critical spaces or equipment?
-
Are the video cameras integrated with the automated access control or intrusion detection systems?
-
Are information systems hardware components secured to racks, furniture or work surfaces?
-
Is "call-home" or tracking software resident on computer hardware?
-
Are information systems hardware components assigned an "inventory control number", or information such as serial numbers recorded and tracked as part of an inventory control process?
-
Is a micro-alarm or asset tracking device installed in the majority of computer hardware?
-
Are the asset tracking devices integrated to the building's access control system?
-
Do security officers make note of unsecured laptops, etc. on work surfaces during routine building patrols and record these observations to management?
Security Support Functions
Security Officer Resources
-
Are security officers stationed on site?
-
Is the management of the security officer resources the responsibility of a group other than the organization being assessed?
-
Are the security officer resources proprietary or contracted?
-
If contract resources are used, is there an opting out clause in the contract?
-
Does the contract clearly state who the security resources report to?
-
Are security personnel thoroughly screened prior to hiring?
-
Does the employment contract clearly state that any commission of a criminal offense will result in dismissal?
-
Does the contract clearly set out the duties and responsibilities of the security personnel?
-
Do security officers have at least 40 hours of formal/legislated security training prior to being placed on site?
-
Do security officers receive at least 40 hours of on the job training before being stationed alone on-site?
-
Is there periodic training for security personnel?
-
Are there complete and formalized security post orders in place for security officers to follow?
-
Are static security officers positioned at the perimeter fence entrance point(s) on a 24/7 basis?
-
Are static security officers positioned at internal reception or command post locations on a 24/7 basis?
-
Are at least two mobile patrols conducted of the building/property during normal business hours?
-
Are at least three mobile patrols conducted of the building/property during non-business hours?
-
Can security officers immediately contact an on-site command post or remote security monitoring centre to request assistance?
-
Do security officers maintain daily patrol logs?
-
Are the security officer daily patrol logs reviewed by someone on a daily basis?
-
Are individual security incidents reported via a separate reporting document which is sent to the client's representative on an immediate basis?
-
Do security officers record, track and report security incidents via an automated incident reporting system?
Administrative Security
Security Directives and Guidelines
-
Are there formalized and current security directives and guidelines in place?
-
Is publication and maintenance of security directives and guidelines the responsibility of the organization's security group?
-
Are security directives and guidelines published on the organization's Intranet?
-
Is written policy in place requiring reporting and auditing of persons who access/egress the facility?
-
Is written policy in place addressing the management and control of keys?
-
Is written policy in place that details the operation and maintenance of the intrusion detection alarm systems?
-
Is written policy in place covering the use and operation of personal alarm stations?
-
Is written policy in place for employees to follow when they hear/see a personal alarm has been activated?
-
Is written policy in place which delineates the administration, operation and maintenance of the access control system?
-
Is written policy in place which delineates the administration, operation and maintenance of the organization's photographic ID system?
-
Is written policy in place covering generation, handling, transmission, storage and destruction of hardcopy information?
-
Is written policy in place which details reporting procedures, investigative follow-up and analysis of occurrences?
-
Is a written policy in place addressing security awareness?
-
Is a written policy in place addressing bomb threat response?
-
Is written policy in place that addresses violence in the workplace?
-
Is written policy in place covering hiring and dismissal practices?
-
Is written policy in place covering an employee communication program?
Documented Information Security
Generation, Transmission, Storage, and Destruction of Sensitive Hard Copy Information
-
Is there a sensitive information 'Classification Standard' in place?
-
Is sensitive information properly identified as such?
-
Are multiple copies of sensitive documents sequentially numbered?
-
Are file jackets containing sensitive information marked accordingly?
-
Are sensitive electronic files and records encrypted?
Internal Storage Practices
-
Are files stored in a central file room?
-
Is the central file control room continuously staffed?
-
Is the central file control room secured when not staffed?
-
Are files signed in and out of the central filing room on the honor system?
-
Is the file system audited periodically to ensure proper control and compliance?
-
Are signed out files stored in secure containers, within individual work areas or offices when not being worked on?
-
Are clean desk audits conducted by security officers or management to ensure adherence to existing policy?
External Storage Practices
-
Are closed files stored off site?
-
Are electronic files and records backed up daily?
-
Are backups stored off site?
-
Has the off site storage facility been inspected to ensure proper handling and storage of information is provided?
-
Are receipts issued for the movement of files between the facility and the storage facility?
Destruction of Sensitive Material
-
Are there any shredding machines on site?
-
Are they cross cut shredding machines?
-
Is all sensitive waste destroyed on site by shredding or other methodology?
-
Is sensitive waste recycled after shredding?
-
Are periodic waste/recycle container audits performed to determine whether sensitive information is being discarded without destruction?
-
Rather than destroy on site, is sensitive waste temporarily stored in locked containers for collection by a commercial destruction company?
-
If waste is destroyed by a commercial destruction company, has there been any review of that company's security procedures?
-
Is the commercial contractor required to sign out a key to retrieve sensitive waste stored in the temporary containers?
-
Does the commercial contractor take the retrieved sensitive waste back to an off site location for destruction?
-
Does a representative of the facility accompany the commercial contractor during the retrieval process and witness the destruction of the sensitive waste on site?
-
Are destruction receipts issued by the commercial contractor for the amount of sensitive waste destroyed?
Organizational Security
Hiring and Termination Policies and Practices
-
Are background checks performed on prospective employees?
-
Do termination practices include retrieving the employee's keys, access and ID cards prior to them leaving the facility?
-
Have issues relating to the design and configuration of the office space used for termination been considered?
-
Are security resources requested to attend or be nearby during terminations where potential violence is expected?
-
Are security officer resources briefed on terminations as soon as possible after the employee leaves the facility?
Security Awareness Program
-
Is there a formalized security awareness program in place?
-
Does the hiring procedure formally incorporate a security awareness component?
-
Does the security awareness program address issues of personal security?
-
Does the security awareness program address physical security of the facility?
-
Does the security program address IT security issues?
-
Does the security awareness program address business travel safety and security issues?
Workplace Violence Program
-
Is there a formal Workplace Violence Program in place?
-
Does the hiring process formally incorporate a Workplace Violence Program component?
-
Is it made clear to employees that a zero tolerance policy is in force?