Building & Infrastructure Risk Assessments – ASIS Expo 2016
9/7/2016
Infrastructure & Building Risk Assessment on New and Existing Buildings
E. Scott Tezak, PE, BSCP – Security Practice Lead, TRC Companies
Lawrence Fitzgerald, CPP, PSP – Security Group Leader, TRC Companies
Why Perform A Risk Assessment?
• Are you concerned about current events and how they impact your employees, clients, and facilities?
• Do you have an upcoming project?
– Large capital infrastructure investment
– Signature capital improvement / addition
• Do you have aging infrastructure / aging systems?
• Does your organization lack safety and security program documents, technology solutions, and physical solutions?
• Do you need assistance organizing a 5‐, 10‐, or 20‐year safety and security plan for your organization?
What Type of Risk Assessment?
• Safety system inventory?
• Security system inventory?
• Threat assessment?
• Vulnerability assessment?
• Threat and vulnerability assessment?
• Risk assessment?
• Detailed engineering security assessment?
In 2003 (only 2 years after 9/11), a DHS study on TVAs compared over 45 different methodologies that were in use at that time
Integrated Rapid Visual Screening (IRVS) with ISC Module
IRVS v5.0, 2013
BIPS 11: Interagency Security Committee (ISC) Assessments, 2013
BIPS 02 and 03: Tunnel and Bridge Assessments, 2011
BIPS 04: Building Assessment, 2012
Multiple Configurations and Options
• Standalone or Network / Multi-user
• iPad app Capability
• Web Data Extraction Capability
Part 1: The IRVS Methodology
Provides framework and methods that can be adjusted
Free, non‐proprietary
– Method
– Database
– Training
Written by DHS/FEMA for use by state and local agencies
Government / commercial sector‐specific plan (NIPP)
Part 1: The IRVS Methodology
Risk = (Threat Value) x (Vulnerability Value) x (Asset/Consequence Value)
Objectives:
• Risk Analysis of mission critical functions, assets and supporting infrastructure systems
• COOP Analysis: Prepare, Respond, and Recover
• Organized storage / retrieval of: reports, pictures, diagrams, GIS products, miscellaneous documents
• Free Product for all Federal, State, Local, Commercial users
• Stand-alone system: MS Access database
Process
• Pre-Field Actions:
– Tailor Threats/Hazard: Blast, CBR, earthquakes, floods, wind, landslide, and fire
– Tailor Resiliency: Government, School K12, Business/Financial, Retail, Medical, General
• Field Activities
– Consequences Assessment, Threat Assessment, Vulnerability Assessment, Resiliency computations
• Post Field Activities
– Summary Calculations / Reports
Part 1: IRVS Database
Basic IRVS Screening
• Current Modules: buildings, subways, and tunnels
• Categorizes 15 building types and 20 hazardous events: Internal and External of Blast, CBR, earthquakes, floods, wind, landslide, and fire.
• Risk Summary: Threat, Vulnerability, Consequence of Loss, Resilience.
• Tailored evaluation (up to 272 questions)
• Tool interactions are automatically calculated by pre-assigned weights, interaction logic, and context-based algorithms. Risk is based primarily on target attractiveness (for manmade hazards).
Display on Google Earth
Dashboard: Listing Completed / Scheduled
Site Risk Summary: Threat, Vul., Consequence, Resiliency
Total Risk Summaries: All screenings
Part 1: IRVS Database Component
Part 2: The ISC Methodology
Undesirable Events (UE):
• DBT: 29 events (may add more)
• Set Necessary LOP (1-5) for each event
• Event only applicable to certain Criteria
Criteria:
• ISC starting point: 86 criteria
• Each Criteria split into 5 Levels of Protection
Dashboard:
• Completed / Scheduled Events
• Results
Pictures, Files, Reports:
• Analysis Graphs, Status of each Criteria, Comparison Matrix, Charts, Photos, GIS
ISC Risk Management Process
Part 2: The ISC Methodology
Step / Action | Reference Document
Determine FSL | Facility Security Level Determination for Federal Facilities
Identify Baseline LOP and Countermeasures | Physical Security Criteria for Federal Facilities
Identify and Assess Risks | Physical Security Criteria for Federal Facilities: The Design‐Basis Threat (U)
Determine LOP Required to Address Risk or Highest LOP | Physical Security Criteria for Federal Facilities: The Facility Security Committee
Implement Countermeasures | Physical Security Criteria for Federal Facilities: The Design‐Basis Threat (U)
Measure Performance | Use of Physical Security Performance Measures
Part 2: ISC Database Component
Case Study 1: IRVS During Design Phase
Renaissance Square Transit Center
Rochester‐Genesee Regional Transit Authority
Transit Center Project Scope
• 87,000‐square‐foot Center
• 30 Bus Bays ‐ 26 indoor, 4 on Mortimer
• Entrances on St Paul and N Clinton
• LEED Silver Certifiable
• Access Controlled Gates
• Video Surveillance System
• Security and Operations Control Room
Customer Amenities
• Restrooms
• Family restroom
• Ticket Vending
• Food Vending
Operator Amenities
• Concourse restrooms
• Break room
• Operator kiosks
• Tap in sign in
Security Scope
• Perform TVA using IRVS w/ ISC Module
• Applied the recommendations of the TVA to the design
• An important effort that ensured RGRTA was aware of
– Mitigation being implemented
– Level of protection being provided
• In addition to 50% and 70% reviews
– Calls with design‐build team
– Dialogue with RGRTA on residual risk
• Final report links design to SSMP
Incorporating Security Into Design
Influenced site design
• Bollards
• Fencing/gates
• Lighting
Influenced building design
• Protection of select structural elements (man‐made threats)
• Roof enhancements for snow loading
• Glazing protection (man‐made threats and natural hazards)
• HVAC system modifications (man‐made threats)
Results of the TVA / Design Review
• 53 mitigation actions proposed for the site and facility
– 39 actions incorporated into design
– 14 actions incorporated into plans and procedures
• 74% of actions resulted in physical improvements to the design of the site / facility
– Opportunity to implement CPTED during design phase (not post construction)
– Engaged local PD and Fire into design for Security Emergency response
Case Study 2: Statewide Facility Security Assessments
Program Needs Driving Assessments
• Security Mission Statement and Standardized Approach to Integrated Security
• Enterprise Security Management Systems and Command Centers
• Site Specific Integrated Electronic and Physical Security Systems
• Security Plans, Policies, and Procedures
Putting Assessments to Practical Use
• Establishing Security (and other) Standards is only part of the process
• Site assessments need to be performed to document existing conditions and identify gaps; variation will be high
– Buildings owned/operated by other State entities
– Buildings managed and operated by contracted firms
• The right Standard, evaluated with an integrated assessment, will provide
– A clear understanding of security posture
– A compliance/non‐compliance with new Standard
– A road map of required projects/investments to address gaps in site‐specific security programs
Customized Site Summaries
• Standards Program sets ISC criteria as the security standard / Levels of Protection (LOP)
• Assessments were used to identify
– Existing conditions
– Program needs
• Database stores findings and data
• Customized Site Summaries provide
– Site summary
– Projects needed to meet desired LOP
– Rough Order of Magnitude (ROM) Cost Estimates
Report Contents
Applications to Non-Federal Clients
• State offices of facility management
• State agencies with high‐profile public interaction
• Regional transit entities
• County government facilities management
• Modified versions (based on the process)
– Utilities sector
– Local government
(Note: ISC Module requires a Federal sponsorship)
Questions / Comments
E. Scott Tezak, PE, BSCP
Technology Engineering Services
Security Practice [email protected]‐656‐3675 (o) / 617‐921‐0995 (c)
Lawrence Fitzgerald, CPP, PSP
Engineering / Construction / Remediation
Security Group [email protected]‐620‐3881 (o) / 207‐620‐4452 (c)