The first step in developing a security program is a site-specific risk assessment for your mail center and its operation, in coordination with your agency and bureau or department. The objective of a risk assessment is to determine the likelihood that identifiable threats will harm a federal agency or its mission. Each site has different threats and risk levels, and this will lead to different security measures for each site. A thorough understanding of the risk assessment process will allow you to be better prepared to meet potential threats and eliminate or mitigate consequences. A Risk Assessment incorporates the entire process of asset and mission identification, threat assessment, vulnerability assessment, impact assessment and risk analysis.
All decisions about mail center security must be based in the risk assessment. Make sure the risk assessment is documented!
Components of a Risk Assessment with Definitions of Terms
Asset and mission identification: Identification of the agency assets and missions that might be damaged by threats that could come through the mail center.
Threat Assessment: Identification of potential threats to the mail center, including natural events, criminal acts, accidents, and acts of terrorism, plus evaluation of the likelihood of each.
Vulnerability Assessment: Analysis of the extent to which the mail center is vulnerable to each of the potential threats identified in the threat assessment.
Impact Assessment: Determination of the impact on the mail center, the facility, and/or the agency if a specific asset were damaged or destroyed, or if a specific mission were impaired or temporarily halted.
Risk Analysis: Quantification, based on the impact, threat and vulnerability assessments, of the likelihood and extent of possible damage from each identified threat to the mail center, other agency assets, and agency missions. This may help you to identify your “Risk Rating Interpretation” in Figure 4.
Risk Assessment: The entire process, consisting of asset and mission identification, threat assessment, vulnerability assessment, impact assessment, and risk analysis. Risk assessment helps answer the questions in Figure 2.
Questions Addressed by Risk Assessment
What assets and missions are we trying to protect?
What credible threats and other dangers could arrive in the mail center? (natural, criminal, accidental, and terrorist)
What is the relative likelihood of occurrence for each of those threats?
How vulnerable is the mail center to each of those threats?
How much damage might each of those threats cause, given what is known about missions, assets, threats, and vulnerability?
We should mention that the resources we consulted in developing this section use these terms in different ways. Even the term for the overall process differs – we have chosen to call it “risk assessment.” Others might call it a security assessment, security scan, and so on. We are using a generally accepted model to make the subject of risk assessment for a mail center as simple as possible to understand and implement. It will help guide mail managers learn hoe to review risk assessments for thoroughness. In the present environment, we must work together to stay safe.
Conducting a Risk Assessment
As mail center manager, you should be an active participant in the risk assessment. However, appropriately trained and experienced security personnel should have the lead in conducting your risk assessment. Depending on your situation, your risk assessment should be led by:
Your building security office;
Individual agency security service (e.g., Diplomatic Security Service);
The Federal Protective Service (now part of the Department of Homeland Security); or
Professional security consultants.
We used three resources in particular to help us develop the Risk Assessment section of this Guide. They are:
Risk Management: An Essential Guide to Protecting Critical Assets, National Infrastructure Protection Center, Washington DC, November 2002.
Threat/Vulnerability Assessments and Risk Analysis, Nancy A. Renfroe and Joseph L. Smith, Applied Research Associates, Inc., 2002. Anti Terrorism: Criteria, Tools & Technology, Applied Research Associates, Inc., Updated February 19, 2003.
The second and third items on this list are copyrighted and are used here by permission. Additional resources that you may wish to consult include:
Vulnerability Assessment of Federal Facilities, published by the US Department of Justice, June
28, 1995 (need website)
Mail Center Security, United States Postal Inspection Service
Federal Protective Service website: http://www.oca.gsa.gov. (After you have logged in to this web
site, (you must have an e-mail account) click on Resources and then scroll to the above title.)
Step One: Asset and mission identification – What are you trying to protect?
The first step in a risk assessment is identifying the assets and missions that must be protected. In the asset identification step, the security specialist with the assistance of the asset owner, identifies and focuses only on those assets important to the mission or operation. By identifying and prioritizing these assets, you take the first step towards focusing resources on what is most important. Assets can be tangible (e.g., people, facilities, equipment) or intangible (e.g., information, processes, reputations). Obvious mail center assets include personnel, postage meters and other equipment, computers, accountable mail, high-value shipments, the safe or vault and its contents, stamps, pre-printed permit stationery, and the mail delivery roster. Your mail center probably has most of these, and it may have others.
Since the mail center is a vulnerable point of entry for threats, your risk assessment must also identify the assets and missions of your customers; that is, the people to whom you deliver mail. Any deliberate attack may not be directed at your mail center. Rather, it probably will be directed at your customers and their missions. A worksheet is used to record the results of the Asset Identification (see Appendix A). The next step is to identify the threats that may adversely impact the assets or mission you identified.
Step Two: Threat Assessment – What bad things could happen?
The next step in the risk assessment is determination of potential threats. The threat assessment looks at the full spectrum of threats – natural, criminal, accidental, or terrorist – for a given location. The assessment should examine supporting information to evaluate the likelihood of occurrence for each threat.
For natural threats, you should look at historical data that shows the frequency of occurrence for tornadoes, hurricanes, floods, fires, and earthquakes in your area.
For criminal threats, look at local crime rates and consider whether your customers’ assets and missions make you or them more attractive to criminals.
For accidents, look at the layout and machinery in your mail center, and also consider your building’s mechanical equipment, especially plumbing. Also look at your historical accident rate (you should be keeping accessible, long-term records of accidents).
For terrorist threats, look at the missions performed by your customers and the visibility of federal executives located in the facilities that you serve.
For each of these, the security analyst should identify the specific threats that might happen to your mail center or your facility. Threshold then determines how they might enter the mail center or happen there, and then estimate how likely each threat is. In making these estimates, the analyst must rely on data and information obtained from research and interviews, not on intuition.
Significant threats to a federal mail center include:
Foreign terrorism - Agencies with high public visibility or international missions have a greater risk of being targeted by foreign terrorists. Also, agencies located in proximity to significant targets may be victims of collateral effects.
Domestic hate groups - Some citizens are actively involved with anti-government and hate groups and have adopted tactics similar to foreign terrorists.
Disgruntled employees/workplace violence - Reorganizations, layoffs and terminations may lead to theft, sabotage or violence. Additional steps should be taken to protect individual employees who are being harassed, stalked or threatened inside or outside the workplace.
Accidents – such as workplace accidents, vehicle accidents, floods from major plumbing leaks, and building fires.
Acts of nature - such as wildfires, floods, severe weather, or earthquakes.
One very important part of this step is simply looking at your mail stream. Certain agencies, such as the Federal Bureau of Investigation (FBI), receive threatening mail almost daily; while others have seldom, if ever, see a threatening mail piece despite careful, routine inspection.
A threat may be introduced by anyone who sends anything through the mail with the intent to frighten, disrupt, injure, etc. It could be the animal rights activist or the environmental radical, the pro-rights or pro-life extremist, the disgruntled employee, the angry spouse, or simply a disappointed citizen. It could be anyone. Remember: you don't have to be a target in order to become a victim. A key question that must be answered in a Threat Assessment is: How visible are your agency, your facility, and any executives who work in your facility, and to what extent does their visibility make it more or less likely that a criminal or terrorist might select your facility for an attack? Some federal agencies are, of course, highly visible, but many federal agencies and facilities are relatively unknown to the general public and are, thereby, much less at risk.
The next step is to identify and characterize vulnerabilities related to specific assets or undesirable events.
Step Three: Vulnerability Assessment – What are your weaknesses?
Once the security analyst has identified your assets, missions, and threats, the next step is to determine how vulnerable your assets and missions are to the threats. In this step, the security analyst looks for exploitable situations created by inappropriate design, inadequate equipment, or deficient security procedures. In the mail center, examples of typical vulnerabilities (which you might also call points of weakness) may include:
Poor access controls,
Lack of x-ray equipment,
Inadequate security training or rehearsal,
Lack of stringent service contract management, and
Unscreened visitors in secure areas
This step requires the security analyst to look at each asset from the outside inward, as each of the potential adversaries might look at it. Specifically, the analyst should begin by studying each asset and asking questions such as: “If I wanted to physically harm this facility, I would . . .?” Or “If I wanted to attack a specific person?” or “If a major hurricane struck?” And so on down the list of adversaries and undesirable events. The significance of each vulnerability depends on how easily an adversary could exploit it, or on the likelihood of an accident or natural disaster.
A key component of the vulnerability assessment then considers the potential impact of loss from a successful event or occurrence. Impact of loss is the degree of loss to which the mission of the location is impaired by a successful attack from a given threat. This question looks at the
What level of deterrence and/or defense do existing countermeasures provide, and how attractive is each of the assets or missions to a potential terrorist or criminal?
Step Four: Impact Assessment – What would happen if your security measures failed?
Once you have identified each significant asset and mission, next determine what the impact or consequence would be if that asset were lost, damaged, or destroyed, or if your agency were temporarily prevented from performing that mission, or if its ability to perform it were significantly impaired. The overall value of the asset or mission is based upon the severity of this effect.
For example, if your mail center were flooded by an overflowing stream or the building’s plumbing, and you could not get back into the mail center for several days, what would be the impact on your agency’s mission?
Another example: If an improvised explosive (that is, a bomb) passed through the mail center without being identified, reached its intended target in your facility, and detonated, what would the consequences be on the facility and the people who work there – the intended victim and everyone else?
Part of the impact Assessment will be a determination of the impact on the mail center, the facility, and/or the agency if a specific asset were damaged or destroyed, or if a specific mission were impaired or temporarily halted.
Step Five: Risk Analysis – What does it all add up to?
The final step in the risk assessment process is to combine the four previous steps; that is, to evaluate, for each asset and each mission, how the impact, threat, and vulnerability assessments interact. The product is a statement of the level of risk for each asset and each mission.
A worksheet such as the example in Appendix A makes it much easier to make this evaluation, by aligning all of the information into a readable and easily understood format.
The terms used in sample worksheet (high, medium, low) are subjective and hard to combine. Depending on the audience for the risk assessment, the security analyst may chose terms such as these, or he or she may chose a 1 to 10 numerical scale.
A simple equation provides the underpinnings for rating risks:
Risk = Consequence x Threat x Vulnerability
Sample Questions to Ask as Part of Your Risk Assessment
What is my agency protecting?
How much would this loss cost your agency in time, lost productivity or business? What is the key function your mail center plays in this role, this is the one that you need to restore/preserve under a disaster recover scenario.
Does your agency deal internationally, have foreign affairs officers, suppliers or been the primary focus of a recent crisis or other public interest?
Who are your adversaries?
Is your agency doing business where there is political/religious unrest?
Has your agency undergone recent downsizing, reduction in force or hiring freezes?
Has anyone in your agency received an employee threat recently?
Is your agency involved in research, products or services of public controversy?
What can you do to ensure that your vulnerabilities are limited and countermeasures are applied?
Figure 3 above offers a few questions that fit many federal mail centers. The remainder of this Mail Center Security Guide provides guidance on countermeasures; that is, on the things that the mail center manager, security professional, and agency executives can do to protect the assets identified in the risk assessment. You need to recognize that most risks cannot be eliminated. You also need to recognize that you can reduce risk dramatically by preparation, planning, training, rehearsal, and continuous review. A Risk Assessment is a snapshot in time and needs to be updated whenever operations change or there are significant changes in the organization.