In terms of risk management, what steps would you take to assess the actual threat of terrorism to this organization?


Security Administration
Write 250 words each with proper in-text citation, APA, reference, and free from plagiarism. Then follow the Rubric below when writing.
QUESTION 1
At the corporate headquarters for a major greeting card company, the Vice-President for Operations (your boss) has just informed you (the Security Director) that the budget for security for the next fiscal year will be cut by 20 percent. Since 2001, security costs have risen due to concerns about possible acts of terrorism against the company. The VP however feels that this company is not a viable target of terrorists. How would you respond to the VP? In terms of risk management, what steps would you take to assess the actual threat of terrorism to this organization? (Be sure to apply risk management concepts and procedures from your readings and study this unit). Write 250 words.
Read the Risk Management Programs and the Security Professional’s Role text below to answer the above question.
Risk Management Programs and the Security Professional’s Role
A risk management program is the formal process utilized to quantify, qualify, and mitigate specific concerns an organization may discover or define. Many companies have some form of risk management program. These programs may be very mature and well defined or may appear to have developed without planning or foresight. It is important for the security professional to identify the program in place and understand the approach accepted in a particular company. The specific model utilized by the company will give the security professional an understanding of the role he or she has in the program. This is critical whether the security professional is an employee or a consultant for a company. Questions that aid in defining the program include what the assessment process involves and who manages the overall risk program. Answers to these questions illustrate the formality of the program and the level of management oversight and support of the program.
Risk programs may apply to the enterprise or to a specific business line, depending on the perspective the company takes when defining risk. An enterprise approach is a concerted effort by various divisions within a company to measure risk across the company. This may allow for a broad application of mitigation techniques that produce efficiencies as well as effective spans of control by a smaller number of risk managers. Other programs may focus on key business divisions that have regulatory mandates for reviewing specific risks or have been identified as businesses that operate within a risk culture. These programs tend to address well-defined and known risks with singularly focused mitigation strategies. For example, documents containing sensitive information need to be transported according to regulations issued by a government agency to protect the individuals listed on these documents. The regulating agency has produced standards for protecting these documents. The security professional’s role in this scenario may be to compare the protection in place for these documents to the regulatory requirements and identify gaps that may exist. Once gaps are identified, the security professional may present mitigating steps in a report to a senior manager. The security professional’s approach could be different if he was asked to perform an assessment of life safety and traditional security concerns at the direction of a staff member within a company’s corporate security division. This request may require the security professional to review fire systems and their adequacy given the size of a facility and/or the items stored in the facility. Additionally, he or she may have to review local fire department response times and capabilities. The reporting and mitigation plan in this example would be centered on preserving life and mitigating fire damage but would not necessarily adhere to a regulatory mandate. 
The security professional should understand the requirement behind the program and the overall process so he or she can fulfill the objectives of the overall risk review. Although these examples show the security professional as the one completing reviews and reporting, it does not preclude the security professional from acting as the lead or senior-most manager in the program. Many programs are conducted at the direction of and managed by the security professional. Security directors may also be responsible for the risk management program and/or have converged areas reporting to them, such as Corporate Security, IT Security, Business Continuity, and Life Safety, which are critical components of the risk mitigation program for many organizations. Further, the security professional may be asked to relate these security functions and their inherent risks to one another. This allows for a streamlined approach and reporting of an overall mitigation strategy. For example, a traditional security hazard such as a fire in an office building may cause the activation of a business continuity plan for a particular business unit within a company. Additionally, the risk (i.e., the fire) represents concern for life safety. If both areas report to the same manager and have built close cooperative relationships, that manager may be able to direct a response to the immediate need, preservation of life, while simultaneously activating a plan to meet the secondary need, resumption of business operations.
Risk Program Components
Although the roles and programs will differ, risk programs have several common components:
1. Risk analysis
2. Risk assessment and risk rating
3. Risk mitigation
4. Risk reporting
Each component is necessary for a successful program. Organizations such as ASIS International, standards organizations, and government agencies all offer many standards and documents to help manage a risk program.
The goal of this chapter is to provide an understanding of the methodology for risk programs and examples of the application of risk concepts. The security professional must then apply this understanding to the unique situations he or she will encounter. The outline of a program and its components, included here, represents an attempt to define as many general areas found in security risk programs as possible and is by no means meant to capture every example and nuance of risk review and/or mitigation strategy.
1. Risk Analysis
Risk analysis includes identification of the assets to be protected and the risks to those assets. These assets can be intellectual property or physical items; however, security traditionally views these assets as:
1. People (employees/customers, etc.)
2. Facilities (owned/leased properties)
3. Property (sensitive documents/financial instruments/vehicles)
4. Reputation (public perception/client perception)
The formulation of the assets that are of value sets the framework for assessing the associated risk. The risks must be identified and described before they can be analyzed. They should be viewed from both the internal (company employees/policies, etc.) and external (natural disasters/competitors, etc.) perspectives. The typical risks to the assets listed previously include:
1. Natural disasters (hurricane/flood/earthquake)
2. Man-made disasters (fire/workplace violence)
3. Criminal behavior (fraud/embezzlement)
4. Terrorism (international/domestic)
To accurately evaluate risk, a correlation of assets and threats described must be made. The risks should be described in a formal manner and related directly to the asset. For example, consider a fire at a clothing manufacturer’s facility. The manufacturer may have a warehouse that holds inventory while waiting for distribution. The assets in this example are the facility, all of the equipment in the facility, the employees, and the merchandise stored within the facility.
Focusing on fire as the risk, this phase of the program must include naming the risk (fire) and describing what danger the risk poses to the asset, which in this case could be loss of the facility (partial or complete), loss of life, and loss of merchandise. Each asset should be addressed in context of the risk; in the case of the merchandise, the risk to the asset includes total loss due to fire. Additionally, loss of access to the merchandise may have financial impact as orders cannot be filled, or the merchandise may lose value due to smoke imbedded in the clothes. Potential damage to the asset is linked directly to the specific risk factor we have analyzed.
2. Risk Assessment and Risk Rating
Once the risk analysis is complete, a measurement of the risk must take place. The risk assessment validates the risk and measures the likelihood of occurrence and the extent of the impact the risk could have. During the assessment additional risks may be identified as gaps in protection or other process flaws are discovered. Normally, the assessment is conducted using a checklist or template and, at times, may be part of the security survey process. Depending upon the role the security professional has in the risk management program, the risk assessment and the security survey process may be one and the same. The assessment will vary in length, depth of research, and total staff required. To be properly completed, the assessment process must be flexible enough to allow for these variables. The risk assessment will measure the following:
1. Qualification of the risk (whether the risk actually exists)
2. Probability (is likely to occur, very likely, not likely at all)
3. Other risks/vulnerabilities to the asset
4. Knock-on effect (fire in the facility also damages trucks in loading bays)
5. Total effect of risk (probable loss/total maximum loss)
The risk identified during the analysis needs to be validated in the field.
For the most part this is academic; however, field-validating the risk may expose other vulnerabilities. Also, the risk may become better defined and the extent of the risk may become more clearly understood. After the risk has been validated, the assessment must then measure the probability of an event occurring.
3. Risk Mitigation
Mitigation of risk is a broad field. An array of options is available to minimize losses, avoid risk, or insure against the results of a risk event. The security professional is an integral part of the risk mitigation plan for most risk programs. The security professional may have a role in every component of the risk program or play only a limited role, but he or she will always have a role in the mitigation portion of all plans. The mitigation role could be preventive in nature such as designing a physical security plan to include alarms and CCTV to prevent robbery. Traditionally, in addition to the security planning, the security professional may be called upon to investigate the robbery. The hope is to recover the funds taken and thus eliminate the loss, mitigating the effect of the risk event.
So far, we have identified the assets, qualified the risk, and measured and assigned a rating to the risk. The mitigation phase is where we review and plan to minimize the probability and effects of the identified risk to our assets. Mitigation tools should not be limited to device installation or the adding of personnel/guard staff. These are legitimate and appropriate security mitigates; however, other options such as training, a robust security plan, and implementing policy changes are also valid, strong mitigation tools to be considered. Through a strong security plan that includes training and security-minded policies, many risks (particularly employee-driven risk) can be minimized. The application of risk mitigates should be goal oriented and designed to mitigate the specific risk identified.
The better defined the goals the better the results. This is particularly true regarding the security professional’s role in risk and risk mitigation. To better understand this point, consider training as an example of risk mitigation. Security guards receive training as part of their jobs. In many cases minimum training requirements are mandated by local laws for guards to become licensed prior to becoming a security guard. This mandatory training normally offers very general rules to be followed and covers laws that are applicable to situations guards have historically confronted. The security guard is then assigned to a post in the company to perform certain tasks. Typically, the guard receives some on-the-job training, usually supervised by another security guard familiar with the duties. Additionally the guard may be given an operating manual with procedures and post orders to enhance the understanding of the tasks and actions required. This level of training is adequate for the guard to begin working; however, more focused training is needed to truly mitigate risk. This training will not address specific access-control guidelines to be followed by the guard. If access control is a mitigating strategy managed by the security guard, more in-depth training must occur for the strategy to be effective.
Let us take this example and look deeper into training as a mitigation tool. During the assessment phase, unauthorized access to the facility is identified as a risk at the company. One of the conclusions from the security survey is that the main entry to the facility is an area in need of additional security and monitoring, since it is the most frequently utilized entry for employees and visitors. To mitigate the risk of unauthorized entry, the company installs access control devices and a reception desk staffed with a security guard. The reception desk duties include typical access control and verification as well as visitor management tasks.
One evening a recently terminated employee arrives attempting to gain access to the facility through the entry previously described. What level of training does the guard need to truly mitigate this risk? Is an acceptable level of mandatory licensing training enough? Is the on-the-job training conducted by another security guard adequate? Specific facility access control training in combination with the previously listed training, situational drills, and escalation procedures may place the guard in a better position to properly mitigate this risk. The goal is to highlight that a guard at the entry is not the proper mitigant to the assessed risk; the correct mitigation tool is a properly trained security guard at the entry.
The goal of risk mitigation is to minimize the potential impact of the identified risk to the point where the concern of the risk is minimal. However, often the risk cannot be mitigated to the minimum, and some level of risk must be accepted. For example, everyone has a heating or cooling system in their homes. The possibility of an electrical fire, gas line explosion, or oil tank leak exists, yet nearly every home utilizes one or more of these to heat, cool, or cook every day. We generally accept the risk but have mitigation strategies in place, such as circuit breakers and shut-off valves. We accept the risk we cannot completely eliminate, and potentially insure against the outcome of the risk event. This is another example of a risk mitigation strategy — layering mitigation tools to minimize the risks.
4. Reporting
The security professional will be called upon to present the findings of the risk review, regardless of the extent of the review. If the security professional is retained as a consulting subject matter expert, he or she will be asked to formally report all findings to the client. The security professional who is acting on behalf of his or her employer to review risk will also be required to articulate the findings at some point.
In either case, when reporting risk, the security professional should keep these things in mind:
1. The written presentation will “live” longer than the oral presentation.
2. Understand the stakeholders to whom you will be reporting.
3. Where will this report go? The client may share it with the insurance company, a supervisor may pass it to another supervisor, and so forth.
4. Present the facts without exemption; there are many reasons for accepting or ignoring risk. Present the findings and proposed plan, and then allow the decision process to begin.
5. Include the security survey and other supporting products utilized to identify the facts.
6. There is always a measure of risk acceptance — no plan is absolute.
This list represents themes the security professional should consider when framing the report. Remembering who you are ultimately reporting to and the scope of your role will help create a true summation of the process. The report and the presentation must be fact driven. It becomes difficult, at times, to keep personal opinion or the desires of a particular stakeholder out of a report. The security professional’s role in this process should be impartial but as practical as possible. The report should emphasize the threat, the risk (in real terms) the threat poses to the organization, the suggested steps to reduce the risk, and a summary that relays the frequency of reevaluation. This will allow the decision makers to analyze how much risk they are willing to accept based on the analysis presented and the frequency with which the risk will be reviewed.
QUESTION 2
You are the security manager for a large transportation facility which has a major access credentialing function. All employees and some visitors require identification cards to access restricted areas. You have just hired a new office manager to supervise your security front office operations, which includes the issuance of ID cards.
You are having your first orientation interview with the new supervisor. Complaints from upper management have referred to the general inefficiency of the office staff and the poor image the security office has been providing to customers and employees coming into the office. What will you and your new office manager discuss? Be sure to provide examples of how you expect the office to function to improve service. Write 250 words.
Please answer all questions with good solution and proper in-text citation and reference.
Discussion Questions Rubric
Grading criteria: Content (50%)
Exceeds expectation: Content is comprehensive, accurate, and persuasive; definitions are clearly stated. Major points are stated clearly and are well supported with sourcing. Research, if necessary, is adequate, timely, relevant, and addresses all of the issues stated in the assignment’s criteria.
Meets expectation: Content is not comprehensive and/or persuasive. Major points are addressed, but are not well supported by sourcing. Research, if necessary, is inadequate in either relevance, quality of outside sources, and/or timeliness.
Does not meet expectation: Content is incomplete or omits some requirements stated in the assignment’s criteria. Major points are not clear, not persuasive, and not sourced. No outside sources were used to support major points.
No evidence: Did not complete assignment.
Grading criteria: Readability (50%)
Exceeds expectation: Organization and structure of the response is clear and easy to follow. Response exceeds the minimum length as described in the assignment’s criteria. Paragraph transitions are present and logical, and maintain the flow of thought throughout the paper. Conclusion is logical, flows from the body of the response, and does not include new information. Citations and reference formatting meet standards for the discipline.
Meets expectation: Organization and structure is not easy to follow. Response is at the minimum length as described in the assignment’s criteria. Paragraph transitions are fragmentary and ideas are presented without logical connection. Conclusion is provided but …
Does not meet expectation: Organization and structure detracts from the writer’s message. Response is below the minimum length as described in the assignment’s criteria. Paragraph transitions are not obvious. Conclusion is missing.
No evidence: No structure or organization.