6. Perform the Security Risk Analysis
Security policies and actual practices vary between departments; hence, every analysis should be developed on a per-area or per-department basis. The steps are as follows:
1) Begin the risk assessment by asking all department members to answer the questionnaires.
2) Summarize the results of the survey questionnaires.
3) Compare the actual practices against the standards and the policies to determine compliance.
4) Test each security procedure to assess its integrity in view of the current set-up and in light of recent methodologies being used by criminal elements.
5) Conduct the interview to gather additional information.
6) After each test, identify the areas of vulnerability and susceptibility to risks or threats.
7) Prepare documentation of the observations, particularly the deviations from the standards and from the policies.
8) Discuss all deviations with the officer in charge of managing departmental security, and be sure to obtain the officer's explanations or reasons for deviating from the standard or the policy.
9) Observe any risk strategies that have become obsolete or ineffective in light of new developments in technology.
10) Determine if there have been any occurrences of actual breaches.
11) Test the barriers to physical access and the scope of restrictions, and whether all mechanized devices are working.
12) Evaluate the security equipment and devices in place to ascertain the quality of information provided as well as the reliability of the procedures implemented in storing or releasing back-up records. Take note of equipment items that are frequently in need of repairs.
13) Examine all locks and how frequently locks or dial combinations are replaced within a given period. Determine the reasons or explanations why they had to be replaced.