Title Page

  • Conducted on

  • Prepared by

  • Location

Site Information

  • Company/Customer

  • Site Address

  • Site General Manager

  • Site Security Manager

Product/Services

  • Number of Employees

  • Operating Hours

Site Area

  • Neighbourhood

  • Site information Summary Risk assessment Management policies Physical security

  • Access control Employee security Information security Material security

Executive Summary

Risk Assesment

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Management Policies

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Physical Security

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Access Control

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Employee Security

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Information Security

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Material Security

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Emergency Response

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Crisis Communication

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Review/Audits

  • Observed Strengths

  • Observed Weakness

  • Action Plan

Risk Assessment

  • Has your company completed a systematic risk assessment for security threats? Is it updated at least annually

  • Does the risk assessment clearly identify key vulnerability assets and sensitive processes requiring protection? Are the threat levels clearly understood?

  • Does the risk assessment identify the likelihood and severity of consequences with credible threat scenarios?

  • Does a multi-disciplinary team conduct the risk assessment? Does the team have appropriate training to conduct the risk assessment?

  • Is there a plan that utilises an effective prevention and mitigation strategy?

  • Are any neighbourhood operations, building tenants, and location risk factors contributing to increased terrorism and other security threats?

  • Are there designated people and procedures in place to monitor the early warnings of increasing threat levels and escalate security efforts in response?<br>Alpha = Normal conditions<br>Bravo = Credible threats issued (alert)<br>Charlie = Reported incidents elsewhere<br>Delta = Actual incident

Management Policies

  • Is top management support and involvement evident in the security planning? Consider policies, budgets, accountabilities and resources in the assessment.

  • Is there a current security plan that addresses access control and emergency response policies? <br>Describe it.

  • Is there a current emergency response and crisis management plan specific to the site?

  • Does the emergency response plan address fire, explosion, bomb threat, civil disturbance and suspicious mail <br>handling?

  • Does the access control policy address visitor registration, ID badge usage,background checks, escorting and <br>other requirements for all visitors and contractors?

  • Is there a zero-tolerance workplace violence and weapons policy in place?

  • Is there a centralised system for reporting and analysing all security-related incidents and suspicious activities?<br>Are response procedures for security breaches developed?

  • Has the local law enforcement agency reviewed the current security plan?

  • Is the security plan reviewed at least annually? Has the latest revision taken into account:<br>• New threats<br>• Risk assessment<br>• Change management

  • Are there defined procedures and resources for heightening the site security efforts in response to escalating threat levels?

  • Are there strict hiring and selection standards for security staff? Are there standards for security staff pertaining<br>to the following:<br>• Licensing<br>• Background checks<br>• Physical health<br>• Psychological health<br>• Training<br>• Compensation<br>• Weapons policy

  • Is the security staff routinely involved in “non-security” tasks?

  • Is a lockdown procedure in place in response to an immediate threat?

  • Is there a business continuity plan in place based on business impact analysis?

Physical Security

  • Is appropriate perimeter protection in place? Examples include:<br>• Fences<br>• Trenches<br>• Terrain<br>• Barricades<br>• Landscaping<br>• Turnstiles<br>• Roof access<br>• Waterside access

  • Are redundant layers of protection considered for core assets?

  • Are physical barriers in place that limit vehicle access to the building?

  • Are the perimeter doors, gates, windows and docks secured and in good working condition? Items to be considered include:<br>• Penetration resistance<br>• Security hinges and hardware<br>• Break and blast-resistant glass

  • Are the perimeter doors, gates adequately staffed during working hours and secured after hours?

  • Are security surveillance cameras and perimeter (doors, gates and windows) alarms in place? Suitable type and adequate number for appropriate coverage?

  • Are cameras monitored in real-time to allow immediate response?

  • Are surveillance video records properly archived?

  • Are security cameras and alarms inspected and tested regularly?

  • Is there regular perimeter patrolling to inspect the fence line damage, clear zone, obstructions, unoccupied/ unidentified vehicles and other breaches?<br>• Are logs maintained?<br>• Is there a prompt reporting and investigation of security breaches?<br>• Guard dogs?

  • Are the equipment and critical assets (utilities, HVAC/air intakes and control rooms and communication equipment)<br>in the yard and on rooftops protected and monitored? Is access controlled?

  • Is the perimeter lighting adequate? Is lighting adequate for the use of a surveillance camera?

  • Is there a parking lot security plan in place? The plan should include the following:<br>• Illumination<br>• Visitor parking restrictions<br>• Executive parking location<br>• Video surveillance and monitoring<br>• Patrolling<br>• Vehicle inspections

  • Is there a maintenance program in place for all exterior grounds? Does the program cover inspection and emptying <br>of trash receptacles?

  • Does the reception/security desk have a clear, unobstructed view of all entrances? Best practices include:<br>• Landscape trimming<br>• No posters on glass<br>• Watch tower or guard post

  • Are proper warning signs posted (e.g. no trespassing, driver direction, restricted areas, etc.)?

Access Control

  • Is the access approaching, and is entry into the facility controlled? Are there restricted access points?

  • Is there a documented access control procedure in place? Access control could include:<br>• Photo identification check<br>• Proximity access cards<br>• Strict key control program<br>• Biometrics

  • Are all visitors and contractors screened and required to sign in/sign-out and produce valid photo identification?<br>Are the logs reviewed regularly?

  • Are all visitors and contractors clearly identified and escorted while on the property?

  • Are the visitors and contractors briefed on the site’s safety and security procedures including evacuation, restricted areas, search policies, etc.?

  • Are search procedures for packages and delivery/contractor/visitor vehicles activated in case of heightened security? Search procedures could include:<br>• X-ray scanning<br>• Metal detectors<br>• Physical searches<br>• Surprise security sweeps

  • Is a list of approved contractors/vendors, delivery and messenger services available to security staff? Is the approved list reviewed regularly?

  • Are deliveries restricted to regular working hours only?

  • Are sensitive areas identified and adequately secured for authorized access?

  • Is the access control program organized to promptly react to lost/stolen identification, access cards, and employee terminations?

  • Are locks changed immediately when critical controls are compromised?

Employee Security

  • Is there a program for verification of past employment, academic credentials and references before the start of <br>employment?

  • Are background checks conducted on all employees in sensitive jobs and following transfer requests to more sensitive jobs?

  • Are personnel and employee medical records adequately secured?

  • Does the new employee orientation program cover:<br>• Security<br>• Emergency evacuation<br>• Bomb threat procedures<br>• Drug policy<br>• Zero-tolerance workplace <br> violence policy<br>• Confidentiality

  • Are photo identifications issued to all employees for access security and verification?

  • Are there controls for issuing replacement photo identification, missing ID and access cards?

  • Are employees required to carry photo identification while on the property?

  • Are employees encouraged to report all suspicious activities and security lapses? Best practices include:<br>• Challenging individuals without identification<br>• Confidential phone number for reporting

  • Is there a telephone number list for employee notification in an emergency? Is it kept current?

  • Are confidentiality agreements/background checks required for employees with proprietary and confidential information?

  • Is company property (credit cards, identification, keys, PCs, etc.) retrieved during exit interviews

  • Is there a corporate policy on travel restrictions to dangerous locations?

  • Is there a plan to address the security of employees working alone and/or during late hours?

Information Security

  • Is there a document control program in place? Best practices include:<br>• Electronic/paper records<br>• Confidential/proprietary data<br>• Protection of records<br>• Back-up copies<br>• Retention and archiving<br>• Destruction/shredding of sensitive<br> information

  • Is access to the network computer room and equipment restricted to authorized personnel only? Issues include:<br>• Physical access<br>• Working/non-working hours<br>• Monitored<br>• Remote/network access

  • Are authorization levels for sensitive information reviewed periodically?

  • Can a practical audit trace access/hacking into secured and sensitive work areas and computer networks?

  • Are all computers and networks equipped with appropriate fire walls and anti-virus protection? Are virusprotection patches updated regularly?

  • Is there a data center security plan in place? Considerations include:<br>• Fire and physical protection<br>• Intrusion protection/safes<br>• Virus protection and regular updates<br>• UPS (uninterruptible power supply)<br> protection<br>• Electronic media and tapes<br>• Daily back-ups<br>• Off-site storage (distance?)<br>• Disaster recovery plans

  • Is there information security awareness/training for all employees? Issues requiring consideration include:<br>• New hires<br>• Password protection<br>• Unauthorized/unlicensed software<br>• Sensitive information on laptops<br>• Traveling with laptops<br>• Policy on using laptops and cell phones in public<br>• Unattended sensitive

  • Is password protection in place for employee access to all computers and electronic records? Is there a periodic password change policy in place?

  • Is there a priority for prompt revocation of computer access to all terminated and disgruntled employees?

  • Is access to fax machines restricted to reduce unauthorized reading of sensitive messages?

  • Is there a policy for controlling and shredding sensitive materials at the end of business meetings? Sensitive materials may include:<br>• Flip charts and scrap papers<br>• Extra handouts<br>• Dry-erase boards<br>• Residual memory from electronic whiteboards

Material Security

  • Is there any theft-prone material on the property? Are there theft control procedures in place:<br>• Precious metals<br>• Laptops<br>• Highly toxic chemicals<br>• Biohazard material<br>• Radioactive material

  • Are screening procedures in place for recognizing suspicious mail and packages? Methods to mitigate risk include:<br>• Employee training<br>• X-ray<br>• Explosive sniffing dogs

  • Is there a “package pass” program in place for the removal of any company-owned property from the facility?

  • Are controls in place for scrap disposal and pick-up?

  • Are accurate inventory records maintained for sensitive materials? Is inventory reduction implemented in response to heightened security?

Emergency Response

  • Is there a current site-specific emergency response plan in place?

  • Does the emergency response plan address threats like fire, explosion, utility failures, civil disturbance, bomb threats, product contamination and natural hazards?

  • Is there an incident command (IC) to coordinate and deploy internal assets/resources and external resources?Considerations include:<br>• Designated people<br>• Alternates<br>• First responders<br>• Damage assessment<br>• Communication

  • Does the security staff play a role in emergency response?

  • Are the emergency numbers posted prominently?

  • Are the pagers and cell phone numbers for the emergency response team verified and tested periodically?

  • Is there an effective program for training/refresher training for emergency responders?<br>• Protective equipment<br>• Resources

  • Is there a bomb threat response procedure? Considerations include:<br>• Telephone instructions<br>• Law enforcement notification<br>• Systematic searches (who)<br>• Employee training

Crisis Communication

  • Is there a media and public relations plan in place?

  • Is there a qualified designated spokesperson to manage all media inquiries? Is there an alternate?

  • Does management receive appropriate media training?

Review/Audits

  • Are comprehensive security audits conducted randomly? Review the following:<br>• Last audit<br>• Results<br>• Corrective actions

  • Is employee and management training support provided to address changing security needs and emerging threats and enhance skill levels?

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.