In Depth

Metrics for Corporate and Physical Security Programs

CSOs count on physical security metrics to evaluate their organizations' performance and to communicate security's value to other business executives

By Tom Wailgum

Page 5

"We have reports documenting that the people who have access to those areas have legitimate reasons to be there," Levine says.

Tracking results of these and other reports yields a measure that allows Georgia Power to compare its performance to itself in past years. It's a conscious management decision to turn the "play by the rules" portion of the operation into a performance measure.

"You need to find a meaningful purpose other than just pushing paper," she says. Security executives, she adds, can "take the next step and think, How can I use this report and statistics in a way to improve my security program or to better educate me about my customers' business?"
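One way to turn the access reports described above into a year-over-year measure, as an added example that is not Georgia Power's own tooling: reconcile a badge-system export of who holds access to restricted areas against a roster of documented business justifications, flag every grant with no current justification, and compute the exception rate per review year. The CSV columns, badge IDs, area names and the one-year justification age limit are all assumptions constructed for the example.

```python
"""Access-review reconciliation as a year-over-year metric (added example).

Assumed inputs: a badge-system export listing who holds access to each
restricted area in each review year, and a roster of documented business
justifications with the year each was last reviewed. Any grant with no
justification, or one older than MAX_AGE_YEARS, is an exception; the
exception rate per year is the metric compared across years.
"""
import csv
import io
from collections import defaultdict

MAX_AGE_YEARS = 1  # assumed policy: a justification must be re-reviewed within a year

# Constructed badge-system export: one row per (review year, badge, area).
BADGE_EXPORT = """year,badge_id,area
2005,B100,substation-control
2005,B101,substation-control
2005,B102,data-center
2005,B103,data-center
2006,B100,substation-control
2006,B102,data-center
2006,B104,data-center
2006,B105,substation-control
"""

# Constructed justification roster: documented reason and last review year.
JUSTIFICATIONS = """badge_id,area,reason,reviewed_year
B100,substation-control,relay technician,2005
B101,substation-control,contractor,2003
B102,data-center,sysadmin,2005
B104,data-center,backup operator,2006
B105,substation-control,relay technician,2006
"""


def parse_csv(text):
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_exceptions(badge_rows, justification_rows, max_age_years=MAX_AGE_YEARS):
    """Return {year: [(badge_id, area, why_flagged), ...]} for grants lacking
    a current documented justification."""
    latest_review = {}  # (badge_id, area) -> most recent reviewed_year
    for j in justification_rows:
        key = (j["badge_id"], j["area"])
        year = int(j["reviewed_year"])
        if key not in latest_review or year > latest_review[key]:
            latest_review[key] = year

    exceptions = defaultdict(list)
    for row in badge_rows:
        year = int(row["year"])
        key = (row["badge_id"], row["area"])
        reviewed = latest_review.get(key)
        if reviewed is None:
            exceptions[year].append((*key, "no documented justification"))
        elif year - reviewed > max_age_years:
            exceptions[year].append((*key, f"justification stale (last reviewed {reviewed})"))
    return dict(exceptions)


def exception_rate_by_year(badge_rows, exceptions):
    """Fraction of access grants per year that are exceptions."""
    holders = defaultdict(int)
    for row in badge_rows:
        holders[int(row["year"])] += 1
    return {y: len(exceptions.get(y, [])) / n for y, n in sorted(holders.items())}


if __name__ == "__main__":
    badges = parse_csv(BADGE_EXPORT)
    justifications = parse_csv(JUSTIFICATIONS)
    exc = find_exceptions(badges, justifications)
    for year, rate in exception_rate_by_year(badges, exc).items():
        print(f"{year}: {rate:.0%} of access grants lack a current justification")
        for badge, area, why in exc.get(year, []):
            print(f"    {badge} {area}: {why}")
```

The reconciliation keys on (badge, area) rather than badge alone so that a person justified for one restricted area is still flagged for another; the metric is the exception rate rather than the raw count so it stays comparable as the number of access holders changes between years.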

A second metric for Levine comes from a combination of readiness reviews and penetration testing.

Readiness reviews are planned events and are a key component of Georgia Power's business continuity program. The reviews assess whether employees and site security professionals at a particular facility understand that facility's threat plans and know what to do when the threat level is raised or lowered. Readiness reviews also include interviews with local managers about facility security; an audit of procedures and documentation related to security requirements; an evaluation of the facility's physical security program; and a review of its emergency action plan.

At the end of each review, Levine says, her office writes a report for the facility manager that highlights findings, best practices and recommendations.

For readiness reviews, Levine sends a team of security professionals unannounced to do security audits of all critical facilities and operations (though she declines to list what types of facilities those are).

In addition, penetration testing attempts to breach security (procedurally, technologically or physically) to determine whether the security program is functioning as it should, she says. "We may have someone try to walk through a facility without wearing a badge to see how far they can get before being challenged," Levine says. "Or we may have someone see if they can talk their way around our delivery processing requirements."

Results Reports

Results are reported in two ways. First is what Levine calls the "objective, scenario, outcome": here's what Georgia Power was testing (for example, the effectiveness of visitor management personnel); here's how security tested it (use of outdated or fake identification credentials); and here's what happened. "The results are reported by comparing the test outcome with the test objective, in addition to including a description of how the test was carried out," Levine says.
