Information

  • Document No.

  • Audit Title

  • Client / Site

  • Conducted on

  • Prepared by

  • Location

General Security Assessment

General Information

  • Does the organization have a dedicated security group in place? (Not including security officers)

  • Does the head of security report to the executive level?

  • Are there sufficient full-time internal security resources (not including security officers), including support staff, to meet the organization's security needs?

  • Are there formalized job descriptions for each internal security position?

  • Is there a formalized organizational chart for the security group?

  • Does the security group provide Senior Management with a periodic security status report?

  • Is the security program reviewed on an annual basis?

  • Is the security budget developed using demonstrated needs?

  • Is the location to be assessed comprised of standalone building(s)/facility(ies) located on property where the organization is the sole tenant?

  • Is there a site plan for the property?

  • Are there floor plans for the individual facility(ies)?

Threat, Risk, Impact and Consequence Assessment

  • Has an analysis of the history and future risk of crime occurring in and immediately around the property, through a process such as "CapIndex" or "CrimeCast" or using police data, been completed?

  • Have all existing and reasonably foreseeable threats been identified?

  • Have the levels of risk, associated with individual threats, been determined and quantified?

  • Have the impacts or potential injury to the organization been identified in relation to each threat event and risk level?

  • Have the consequences to the organization been delineated in relation to each potential injury?

  • Has senior management been made aware of these risks and the potential consequences?

  • Is there a formalized process in place by which the risks and consequences are reviewed on a periodic or event driven basis?

  • Does the organization have a formalized security contingency planning process which includes a business resumption plan in place?

Crime Prevention Through Environmental Design (CPTED)

  • CPTED combines several concepts, including but not restricted to Access Control, Territorial Reinforcement, Natural Surveillance and Community Involvement, to reduce the opportunity for crime.

  • Have fundamental CPTED concepts been applied in the design of the property which surrounds the facility?

  • Is the client's property or building(s) easily viewable from the nearest public thoroughfare?

  • Are fundamental CPTED concepts followed on a continuing basis with respect to the maintenance of property which surrounds the facility?

  • Once on the property, are there clear sight-lines to the employee and visitor entrances?

  • Have fundamental CPTED concepts been applied in the design of the facility?

  • Have fundamental CPTED concepts been followed on a continuing basis with respect to the interior of the facility?

Physical Security Protections

Perimeter Fencing/Barriers, including points of access (controlled or not)

  • Does the property have a secure exterior perimeter?

  • Do exterior walls of a building(s)/facility act, in any location, as a perimeter to the property?

  • If the property perimeter is protected by a fence, is the fencing material at least six feet high?

  • Is the fencing maintained and in good repair?

  • Is the fencing constructed of materials which allows a view of the area on the opposite side of the fence?

  • Is there a 'top guard' at least one foot in height, attached to the top of the fence line?

  • Is the 'top guard' maintained and in good condition?

  • Is the fencing constructed flush to, or below grade level?

  • Does the fencing show indications of damage caused by persons climbing over the fence?

  • Are inactive pedestrian gates in the fence line secured 24 hours per day?

  • Are active pedestrian gates in the fence line secured during business hours?

  • Are pedestrian gates in the fence line secured during non-business hours?

  • Are inactive vehicular gates in the fence line secured 24 hours per day?

  • Are active vehicular gates in the fence line secured during business hours?

  • Are active vehicular gates in the fence line secured during non-business hours?

  • Are unsecured gates staffed by security personnel?

Signage and Way Finding

  • Is there signage appropriate for the nature of the property/facility in place?

  • Is the signage material in good repair?

  • Are signs mounted at 100 foot (minimum) intervals around the perimeter of the property?

  • Are the messages on the signage easily read?

  • Have multiple language considerations been addressed and applied?

  • Does signage direct persons from the parking area and property directly to the appropriate point of contact?

  • Are staff and visitor parking areas clearly marked?

Visitor and Contractor Access

  • Are visitors required to sign in/out of the facility?

  • Is a statement of "confidentiality of information" part of the visitor/contractor sign-in process?

  • Are visitors issued appropriate identification badges?

  • Are visitor identification badges required to be worn above the waist?

  • Is vouching for a visitor by an employee or other known person allowed?

  • Are unescorted visitors allowed into the facility?

  • Are contractors issued identification badges which identify them as contractors?

Exterior Lighting

  • Is exterior lighting in place?

  • Does the existing lighting illuminate the entire property?

  • Is there a formal lighting plan for the general property?

  • Are standard lighting fixtures backed up by motion activated lighting in critical areas?

  • Does an automated power-save program control exterior lighting?

  • Is exterior lighting visually adequate in the opinion of employees?

  • Does the nature and configuration of exterior lighting avoid high-contrast (light vs dark) areas?

  • Are all exterior lighting fixtures working?

  • Has the level of exterior lighting been measured and evaluated against available standards in the last two years?

  • Is there a regular or periodic lens/refractor/reflector cleaning and maintenance program in place?

  • Is there a bulb maintenance/replacement program in place?

  • Have exterior lighting fixtures been subjected to vandalism?

  • Is the exterior lighting system supported by an emergency power system?

Exterior Personal Alarm Stations

  • Are personal alarm stations in place around the parking and exterior pedestrian areas?

  • Are all stations in good repair?

  • Have all stations been physically tested within the preceding 12 months?

  • Are all stations equipped with a strobe light which immediately activates when the duress button is pushed?

  • Are all stations equipped with a variable pitch enunciator which immediately activates when the duress button is pushed?

  • Are all stations equipped with a two-way communication system which immediately activates when the duress button is pushed?

  • Are all stations live monitored by an off-site monitoring group?

  • Are all stations live monitored by an on-site monitoring group?

  • Do all stations have to be deactivated by a response person attending the scene?

  • Can all stations be deactivated remotely from the monitoring locations?

Closed Circuit Video Equipment

  • Are cameras used to view interior sensitive areas of the facility?

  • Are cameras used to view the property on which the facility (building) is located?

  • Has the use of and expectations of the camera system been delineated?

  • As required, are cameras contained in appropriate environmental or tamper resistant housings?

  • Are exterior cameras appropriately placed to monitor all access and egress points to the property?

  • Can all areas of the general property be viewed by exterior cameras?

  • Can the existing cameras positively identify persons and items such as vehicle license plates?

  • If color cameras are used for exterior applications, has lighting been implemented which specifically supports color imaging?

  • Do any of the exterior cameras incorporate a Pan-Tilt-Zoom (PTZ) capability?

  • Are all exterior camera images, as viewed on the monitor, visually adequate for their defined purpose during daylight hours?

  • Are all exterior camera images, as viewed on the monitor, visually adequate for their defined purpose during night hours?

  • Does the exterior lighting power-save program adversely affect individual camera performance?

  • Are internal cameras used to view visitor reception areas?

  • Are internal cameras used to view access/egress points to sensitive areas?

  • Are all interior camera images, as viewed on the monitor, visually adequate for their defined purpose during regular business hours?

  • Are all interior camera images, as viewed on the monitor, visually adequate for their defined purpose during non-business hours?

  • Do any of the interior cameras incorporate a PTZ capability?

  • Are the camera images constantly monitored by security officers or others?

  • Are the images from the cameras recorded?

  • Are the recordings kept in a secure location?

  • Are recordings stored for a set period of time?

  • Are recordings stored for a minimum of 30 days?

  • Is the digital video recorder stored in a secure location?

  • Are digital images downloaded to another storage medium in order to provide at least twice the storage capacity of the principal hard drive?

  • Is there a formalized and regular camera housing/lens-cleaning program in place?

  • Are exterior cameras integrated with other external security/safety systems?

  • Are interior cameras integrated with other external security/safety systems?

  • Is there a legend/diagram of the exterior and interior camera systems?

Access Control Systems

  • Is there an automated access control system in place for the facility?

  • Is the management of the access control system the responsibility of a group other than the organization being assessed?

  • Is there a photo ID system in place for the facility?

  • Does the access card issued to the employee also bear their photograph?

  • If the Access Card and Photo ID Card systems are separate, is the management of the Photo ID Card system the responsibility of a group other than the organization being assessed?

  • Is the access control system continuously monitored on-site?

  • Is the access control system continuously monitored off-site?

  • Is the access control system also used to monitor on-site intrusion detection alarms?

  • Are system activity reports printed and reviewed on a regular basis?

  • Are all facility perimeter doors controlled or monitored by the access control system?

  • Are all employees required to enter the site/facility through points secured by the access control system?

  • Is authorization required to obtain a new or replacement access card?

  • Is there a process in place which confirms to the manager that an employee has been issued a card?

  • Are access cards programmed and issued on site?

  • Are non-issued access cards stored in a secure container?

  • Are non-issued access cards subject to a periodic audit?

  • Are individual cards assigned access privileges based on the employee's work area and hours of work?

  • Are temporary access cards issued to employees who arrive on site without their personal card?

  • Are temporary access cards programmed to limit access?

  • Is there a formalized tracking system in place for employees who show up for work without their access card?

  • Are door forced open notifications displayed as an alarm by the system?

  • Are door hold open notifications displayed as an alarm by the system?

  • Are cards of terminated/departing employees deleted from the system the same day the employee leaves the facility?

  • Is the access control system integrated with any other security technology component?

  • Is a 'supervised guard tour' function utilized as part of the access control process?

  • Is there a legend or system diagram which shows the location of the access control system components?

  • Are the access control system and its components inspected and tested on a periodic basis?

Intrusion Detection (Alarm) System

  • Is there an intrusion detection system in place?

  • Is management of the intrusion detection system the responsibility of a group other than the organization being assessed?

  • Is the system, or components of it, continuously monitored onsite during business hours?

  • Is the system, or components of it, continuously monitored offsite during business hours?

  • Is the system, or components of it, continuously monitored onsite during nonbusiness hours?

  • Is the system, or components of it, continuously monitored offsite during nonbusiness hours?

  • Are monthly system activity reports printed and viewed on a regular basis?

  • If monitored offsite, are alarm notifications and their resolutions reported to the organization on an individual basis?

  • If monitored offsite, is there clear policy with respect to the action required of the monitoring agency?

  • Is a mobile security patrol dispatched to the facility by the monitoring agency when an alarm is received?

  • Does the monitoring agency have a call-out list of the organization's personnel to notify when alarms are received?

  • Are individual arm/disarm codes issued to employees?

  • Are group arm/disarm codes issued to groups of employees?

  • Are arm/disarm codes changed on a regular basis?

  • Are there personal alarm stations (duress buttons) connected to the intrusion detection system?

  • Are the personal alarm stations monitored onsite?

  • Are there audible alarms or strobe lights activated on site when a personal alarm is activated?

  • Are the personal alarms monitored offsite?

  • If monitored offsite, is there a clear policy with respect to the action required of the monitoring agency?

  • Is the intrusion detection system integrated with any other security technology component?

  • Are the intrusion detection system and its components inspected and tested on a periodic basis?

Management and Control of Locks and Keys

  • Is control and issuing of locks and keys the responsibility of a group other than the organization being assessed?

  • Has the facility locking system been re-keyed within the last 5 years?

  • Have any Grandmaster, Master, or Sub-Master keys been lost or stolen since the last re-key?

  • Are high security locks and keys used to secure the facility?

  • Are high security locks and keys used to secure sensitive areas within the facility?

  • Are keys marked 'DO NOT DUPLICATE'?

  • Is a door or area re-keyed when keys are reported lost or stolen?

  • Is a key tracking system used to control and account for the issuance of keys to employees?

  • Are employees required to sign for the keys they receive?

  • Is an automated key tracking and issuance system used to control keys?

  • Are spare keys stored in a secure container within the facility?

  • Is the key control ledger/system subject to periodic audit by management?

Information Systems Physical Security

Physical Security of Network and Hardware Components

  • Is there a current Information Systems Threat, Risk, Impact and Consequence Assessment in place?

  • Is there a current Information Systems Business Continuity Management Strategy in place?

  • Are the principal information system network components, such as the LAN/WAN servers and routers located at one principal location within the building?

  • Is the principal location (i.e., Network Room) physically located away from the exterior walls of the building?

  • Are all information system communication pathways on the property and within the building strongly protected against accidental and premeditated damage?

  • Is access to the network room restricted to information systems employees and key management staff?

  • Do contractors and information systems maintenance personnel, or others, have unescorted access to the network room?

  • Is there a contractor sign in ledger for the network room?

  • Are the network room perimeter walls fully constructed between the floor and the ceiling?

  • Is access through all doors to the network room controlled by an automated access control system?

  • Are automated access control system access/egress reports for the network room printed and reviewed by a manager on a regular basis?

  • If an automated access control system is not in place, are all doors to the network room secured by a heavy duty mechanical lock which incorporates a high-security key cylinder?

  • Is the network room equipped with an intrusion detection system?

  • Are intrusion detection system arm/disarm codes changed on a regular basis?

  • Is an individual arm/disarm code issued to each information system employee?

  • Is the network room intrusion detection system monitored continually while the room is not occupied?

  • Are monthly intrusion detection system activity reports reviewed by the manager on a regular basis?

  • Are intrusion detection system "exception" reports received by the manager within 24 hours of the event?

  • Do video cameras monitor the network room access/egress points and interior mission-critical spaces or equipment?

  • Are the video cameras integrated with the automated access control or intrusion detection systems?

  • Are information systems hardware components secured to racks, furniture or work surfaces?

  • Is "call-home" or tracking software resident on computer hardware?

  • Are information systems hardware components assigned an "inventory control number", or information such as serial numbers recorded and tracked as part of an inventory control process?

  • Is a micro-alarm or asset tracking device installed in the majority of computer hardware?

  • Are the asset tracking devices integrated to the building's access control system?

  • Do security officers make note of unsecured laptops, etc. on work surfaces during routine building patrols and record these observations to management?

Security Support Functions

Security Officer Resources

  • Are security officers stationed on site?

  • Is the management of the security officer resources the responsibility of a group other than the organization being assessed?

  • Are the security officer resources proprietary or contracted?

  • If contract resources are used, is there an opting out clause in the contract?

  • Does the contract clearly state who the security resources report to?

  • Are security personnel thoroughly screened prior to hiring?

  • Does the employment contract clearly state that any commission of a criminal offense will result in dismissal?

  • Does the contract clearly set out the duties and responsibilities of the security personnel?

  • Do security officers have at least 40 hours of formal/legislated security training prior to being placed on site?

  • Do security officers receive at least 40 hours of on the job training before being stationed alone on-site?

  • Is there periodic training for security personnel?

  • Are there complete and formalized security post orders in place for security officers to follow?

  • Are static security officers positioned at the perimeter fence entrance point(s) on a 24/7 basis?

  • Are static security officers positioned at internal reception or command post locations on a 24/7 basis?

  • Are at least two mobile patrols conducted of the building/property during normal business hours?

  • Are at least three mobile patrols conducted of the building/property during non-business hours?

  • Can security officers immediately contact an on-site command post or remote security monitoring centre to request assistance?

  • Do security officers maintain daily patrol logs?

  • Are the security officer daily patrol logs reviewed by someone on a daily basis?

  • Are individual security incidents reported via separate reporting document which is sent to the client's representative on an immediate basis?

  • Do security officers record, track and report security incidents via an automated incident reporting system?

Administrative Security

Security Directives and Guidelines

  • Are there formalized and current security directives and guidelines in place?

  • Is publication and maintenance of security directives and guidelines the responsibility of the organization's security group?

  • Are security directives and guidelines published on the organization's Intranet?

  • Is written policy in place requiring reporting and auditing of persons who access/egress the facility?

  • Is written policy in place addressing the management and control of keys?

  • Is written policy in place that details the operation and maintenance of the intrusion detection alarm systems?

  • Is written policy in place covering the use and operation of personal alarm stations?

  • Is written policy in place for employees to follow when they hear/see a personal alarm has been activated?

  • Is written policy in place which delineates the administration, operation and maintenance of the access control system?

  • Is written policy in place which delineates the administration, operation and maintenance of the organization's photographic ID system?

  • Is written policy in place covering generation, handling, transmission, storage and destruction of hardcopy information?

  • Is written policy in place which details reporting procedures, investigative follow-up and analysis of occurrences?

  • Is a written policy in place addressing security awareness?

  • Is a written policy in place addressing bomb threat response?

  • Is written policy in place that addresses violence in the workplace?

  • Is written policy in place covering hiring and dismissal practices?

  • Is written policy in place covering an employee communication program?

Documented Information Security

Generation, Transmission, Storage, and Destruction of Sensitive Hard Copy Information

  • Is there a sensitive information 'Classification Standard' in place?

  • Is sensitive information properly identified as such?

  • Are multiple copies of sensitive documents sequentially numbered?

  • Are file jackets containing sensitive information marked accordingly?

  • Are sensitive electronic files and records encrypted?

Internal Storage Practices

  • Are files stored in a central file room?

  • Is the central file control room continuously staffed?

  • Is the central file control room secured when not staffed?

  • Are files signed in and out of the central filing room on the honor system?

  • Is the file system audited periodically to ensure proper control and compliance?

  • Are signed out files stored in secure containers, within individual work areas or offices when not being worked on?

  • Are clean desk audits conducted by security officers or management to ensure adherence to existing policy?

External Storage Practices

  • Are closed files stored off site?

  • Are electronic files and records backed up daily?

  • Are backups stored off site?

  • Has the off site storage facility been inspected to ensure proper handling and storage of information is available?

  • Are receipts issued for the movement of files between the facility and the storage facility?

Destruction of Sensitive Material

  • Are there any shredding machines on site?

  • Are they cross cut shredding machines?

  • Is all sensitive waste destroyed on site by shredding or other methodology?

  • Is sensitive waste recycled after shredding?

  • Are periodic waste/recycle container audits performed to determine if sensitive information is not being destroyed?

  • Rather than destroy on site, is sensitive waste temporarily stored in locked containers for collection by a commercial destruction company?

  • If waste is destroyed by a commercial destruction company, has there been any review of that company's security procedures?

  • Is the commercial contractor required to sign out a key to retrieve sensitive waste stored in the temporary containers?

  • Does the commercial contractor take the retrieved sensitive waste back to an off site location for destruction?

  • Does a representative of the facility accompany the commercial contractor during the retrieval process and witness the destruction of the sensitive waste on site?

  • Are destruction receipts issued by the commercial contractor for the amount of sensitive waste destroyed?

Organizational Security

Hiring and Termination Policies and Practices

  • Are background checks performed on prospective employees?

  • Do termination practices include retrieving the employee's keys, access and ID cards prior to them leaving the facility?

  • Have issues relating to the design and configuration of the office space used for termination been considered?

  • Are security resources requested to attend or be nearby during terminations where potential violence is expected?

  • Are security officer resources briefed on terminations as soon as possible after the employee leaves the facility?

Security Awareness Program

  • Is there a formalized security awareness program in place?

  • Does the hiring procedure formally incorporate a security awareness component?

  • Does the security awareness program address issues of personal security?

  • Does the security awareness program address physical security of the facility?

  • Does the security program address IT security issues?

  • Does the security awareness program address business travel safety and security issues?

Workplace Violence Program

  • Is there a formal Workplace Violence Program in place?

  • Does the hiring process formally incorporate a Workplace Violence Program component?

  • Is it made clear to employees that a zero tolerance policy is in force?
