This page is a living document that will be updated to include additional assessment tools are added to our website. You can sign up below to be notified of the updates.
Targeted Security Assessment
A targeted assessment is an evaluation or estimation of some specific aspect of a security program in order to obtain actionable insight—meaning enough of an increase in knowledge or understanding so as to know whether or not improvement is needed, and if so what to do next and how quickly it should be done.
Security assessments evaluate one or more aspects of these four things:
- security risk
- business alignment
That’s because the mission of security is to reduce security risks to acceptable levels, at an acceptable cost, in a manner harmonious to the business. Once the risks are known, the objective is to put in place and maintain security measures that are effective enough and affordable enough, and well-aligned with the business.
You Can’t Do Everything All At Once
You don’t have unlimited resources and you don’t have unlimited time. That’s why one of the most effective strategies is to define narrowly-scoped assessments that can be executed quickly. That’s what we mean by “targeted assessment”.
What Triggers Assessments
The term security assessment is generally used loosely to mean any kind of evaluation relating to the organization’s critical assets, threats to them, and/or their vulnerabilities to the threats (i.e. the three elements that make up a risk), as well as the effectiveness of existing security measures.
Assessments are most often performed in response to:
- management request or mandate
- regulatory requirement
- partnering or licensing contractual requirement
- security incident revealing a threat or vulnerability not yet addressed
- funding opportunity for security technology investment
Rarely are assessments recognized as category of security tool that can and should be used frequently to facilitate security program improvements.
That’s not surprising – because in the experience of a lot of practitioners, assessments have taken a lot more time and effort than expected, with sometimes disappointing results.
When there are many assessment findings and recommendations, the full scope of improvements can overburden the security leader if not implemented as self-sustaining improvements, with sufficient thought to the full people-process-technology picture. Over time security-effectiveness can start to diminish.
With smaller-scale improvements, especially in response to incidents or management directives, sometimes the evaluation process is rushed and gets shortchanged, and so not all of the security and resource options get sufficient consideration. Formalizing the evaluation just a little using a small assessment process can make a worthwhile difference.
Making Assessments Worthwhile
Assessments become much more worthwhile when they are smaller in scope, done more frequently, and when the purpose and objectives are crystal-clear up front.
Any question you would like to get answered — that relates to security risk, security-effectiveness or cost-effectiveness — could be the subject of a targeted assessment. When you find or create your own simple checklists, forms, questionnaires or templates to help get the answers you want, it becomes easier to evaluate the issue at hand.
You’ll find a template for narrowly focused assessments to support your decision making on our micro-assessment template page.
For Insider Threats to sensitive and proprietary information, there is an Insider Threat Micro-Assessment template, which has 2810 downloads to date and is reported to have great results in bridging organizational silos, and establishing cross-functional collaboration around insider threat risks.
We’ve published a Do-It-Yourself Time-to-Target Physical Access Control Assessment, which is a facility physical security penetration test. From that page you can download a 6-page assessment guide what includes an example worksheet, and example test results. Unsatisfactory findings would be high-priority action items for correction, which is why this is a high-ROI assessment that can usually be done in a single half-day or early evening per facility.
You can download some helpful checklists such as a Data Center Physical Security Best Practices Checklist on the assessment/evaluation/inspection checklists page. From this page you can also ask us to find or create a particular type of checklist for you if you need it.
We’ve posted a page containing a Security Stakeholder Camera Assessment Guideline because most business unit mangers don’t really know how the assets in their areas are covered by security video.
There are five security program assessment tools you can download from the Rate Your Security Program Page to evaluate:
- Business Alignment
- Security Ladder of Stakeholder Involvement
- Relationships and Allies
plus a universally applicable Prioritizing Tool.
The Evaluation Spectrum
There is a sort of spectrum of assessment frequency, where large-scope assessments are performed less-frequently, and small-scope assessments are performed more frequently that looks something like this:
Evaluation Interval Examples
- Years: Facility security asset, threat and vulnerability assessments should be performed every few years, and also be updated when significant changes or remodeling work occur at the facility. There are often short-term and long-term security improvement plans that result from these efforts, and their progress should be reviewed at least annually.
- Months: Where employee misconduct violations are addressed by a workplace violence program, the nature and frequency of misconduct allegations should be reviewed a short time after program implementation is completed to ensure that the program is being effective, and then quarterly to ensure it remains effective.
- Weeks or Days: Depending upon the level of risk, some items should be checked or inspected weekly or daily or once per security patrol shift, such as the working status of duress devices, and the condition of perimeter doors.
Although some evaluations are more specifically referred to as reviews, inspections, tests and checks—they can all be identified, documented and managed as part of an assessment plan or program.
Applying checklists, forms and templates can be delegated. It is usually easy to teach their use, eliminating dependencies upon the knowledge of single individuals.
New Targeted Assessment Material
As we collect and create new targeted assessment materials here at RBCS, we will expand this page to provide access to them. Sign up below to be notified of updates to this and related pages.