 Hello, welcome to the Vulnerability Assessment Worksheet overview. I am Tom Docher presenting on behalf of the California Governor's Office of Emergency Services Infrastructure Protection Unit. During today's presentation, we'll cover the Vulnerability Assessment Worksheet Purpose Format and Use over the course of the first three agenda items. We will cover these items and then we'll follow by a more detailed look at the worksheet proper and annex one to the worksheet. The presentation will wrap up with the contact information for further assistance in arranging for a vulnerability assessment. The Vulnerability Assessment Worksheet is a supporting document used to inform the organization of factors used in an overall risk assessment, as well as providing specific information necessary to complete a nonprofit security grant program application. It assists in preparing the investment justification. It can also be used to provide the required findings from previously conducted threat and or vulnerability assessments. The format of the Vulnerability Assessment Worksheet is divided into two parts, the worksheet proper and annex one. The five page worksheet generally provides information for direct use in corresponding sections of the investment justification. Annex one also consists of five pages and documents possible vulnerabilities as an aid to capturing vulnerabilities and mitigation options. Annex one is a short form of assessment template that includes certain essential assessment elements. Many assessment formats exist that collect information on risk to an organization. The annex is not focused on capturing all possible vulnerability related data, but acts as a guide in collecting sufficient information to assess vulnerabilities that may be mitigated under the nonprofit security grant, as well as some information pretending to overall risk and its mitigation. The vulnerability assessment worksheet is designed for use by someone with a background in security, emergency response, or the military. It does not explain or establish a standard, but rather documents elements common to security or vulnerability assessments. Local law enforcement personnel and firefighters, retired or on duty, members of the applying organization, and consulting security professionals have all completed the form. However, best success occurs when completed in close collaboration with the members of the organization responsible for both the application and oversight of the project. I'd like to emphasize that the nonprofit security grant program does not mandate a specific set of standards or methods for the conduct of a threat or vulnerability assessment. The assessment is a means to an ends as part of the application for the nonprofit security grant with the overall goals of addressing identified risk include threats and vulnerabilities to build or sustain a core capability identified in the national preparedness goal. And as part of providing the information for designing mitigation options that those options would be both feasible and effective at reducing the risk for which the project was designed. The Federal Emergency Management Agency has published a series of guidance documents for establishing risk to an organization and how to categorize and mitigate terrorism related risk. These documents also do not establish a standard, but are practical guidelines that your organization can use to understand the risk and assist in mitigating risk. If your organization wants to better understand risk and mitigation of vulnerabilities, the risk management series published by the Federal Emergency Management Agency is a good foundation. There are many methods to establish an effective security for an organization, some derived from standards set by industry security associations such as ASIS, some from guidelines published by governmental organizations like the National Institute of Standards and Technology in the area of cybersecurity, or as a result of studies and practice such as crime prevention through environmental design. Each of these are set of practical and defensible processes for determining risk and adopting measures to reduce that risk. Your organization may have someone with the skills to complete the vulnerability assessment or have the appropriate background to bring in the outside assistance necessary to complete a vulnerability assessment. This is sometimes overlooked, leaving the overall project manager who has the skills to provide general oversight to work through the vulnerability assessment process without the same degree of confidence that they may have in their ability to manage the overall scope of the project. First look to members of your own organization to assist in the vulnerability assessment. However, if necessary to go outside your organization, the first step is to look at your local law enforcement agencies. Departments may employ officers or other personnel who work as community services liaisons or crime prevention specialists. These individuals if available are a key to a successful assessment, bringing in local knowledge and tying an organization into local policing efforts. Local law enforcement should be considered first with the understanding that departments due to a variety of factors may not be in a position to conduct an assessment. Nonetheless, vulnerability assessments, regardless of who conduct them, are best conducted with the knowledge and in collaboration to the extent possible with local law enforcement. When reaching beyond local law enforcement, keep in mind that California has a network of fusion centers that act as an information sharing system concerning threats and hazards throughout the state. Your area center can advise what local assessment resources are available. Although each center has some capacity to conduct assessments, much of their work is focused on sharing information and their limited assessment capability may not be available to conduct nonprofit security grant related assessments. Please contact your center as early as possible and keep in mind that they may direct you to other resources. Contractors, other public agencies or private associations may also have the capability to conduct assessments. In all cases, setting expectations and goals, indicating the use of the assessment for the purposes outlined in the nonprofit security grant, should be done early in the process of selecting and working with these entities. The definition of a vulnerability assessment varies among organizations and among security professionals. As noted above, the Federal Emergency Management Agency defines it in the context of the nonprofit security grant as a threat or vulnerability assessment. A full evaluation of risk to an organization contains both threats and vulnerabilities to those threats, as well as the consequences of an organization from the occurrence of an incident. The investment justification requires information on threat, vulnerability, and consequence in order to complete. The vulnerability assessment workshop, ADEX-1, contains areas for documenting each of these, as well as documenting additional information that is both administrative and specific to the grant. Your vulnerability assessment, in a technical sense, can have a limited scope. At its tightest focus, an organization may assess the physical vulnerabilities of its facility with the goal of deriving detailed recommendations for upgrades allowable for purchase under the authorized equipment list. However, a vulnerability assessment in full evaluates additional elements such as exposure to natural and technological hazards, planning for actions during an incident or event, and restoration and continuance of operations in the face of specific incidents. The goals of a vulnerability assessment should be discussed with any assessors and expectations clearly delineated prior to the conduct of an assessment. The vulnerability assessment worksheet, ADEX-1, provides a structure to perform in an assessment that collects information on physical security, emergency action planning, and actions to maintain continuity of operations. We will now transition to doing a walkthrough of the worksheet itself. The worksheet, as I've said before in the comments on the format, has two parts. The worksheet itself, sections one through six, which is essential information for the investment justification, and ADEX-1, which is the on-site vulnerability assessment template. Before you will see the fiscal year 2018 proposed vulnerability assessment worksheet. Section one is designing a capture information of who has conducted the assessment. As I've noted before, there are a number of different credentials that an individual may have in assessing infrastructure or facilities. The list that you see here, CPP, PSP, TLO, is not definitive. With CPP being certified professional protection professional, PSP, physical security professional, and TLO, terrorism liaison officer. Once again, they are examples and are not definitive or comprehensive showing what would be a proper credential for someone to conduct an assessment. Section two is general information concerning the applicant and is generally corresponds to section two of the investment justification. As we go on in this part of the worksheet, you'll see sections three through six of the vulnerability assessment worksheet generally provides information that concerns the investment justification sections three through four, looking at background and consequence, threat, impact information, and specific information concerning mitigation options for vulnerabilities that are assessed during the assessment process. Here you see information threat information, then vulnerability information. Once again, although they're noted as being threat assessment and vulnerability assessment, they're simply capturing those elements of an overall risk assessment, the threat and vulnerability. As we come to the following section, this corresponds to the target hardening section of the investment justification and is an aid to collecting the information that is required to properly fill out that portion target hardening of the investment justification. Upon completion of that worksheet proper, you have annex one nonprofit onsite vulnerability assessment template. Once again, this is a guide or checklist for areas that may be assessed as part of your overall vulnerability assessment. And once again, it covers not only specific physical security vulnerabilities, but also additional information on consequence and emergency action planning and potential continuity of operations. The vulnerability assessment template is designed to use a process in which the facility is looked at from outside, from the perimeter inward and followed by a look at procedures that are used in place. Many of the questions are asked in several different areas that are similar. In other words, in some areas there are references to lights or to alarms that may be repeated in others, but are designed to elicit a different response or perspective based on the area that it is looking at, such as perimeter, interior, building access, overall lighting. So starting with perimeter assessments, you can see that the actual information in the way it's collected varies from simply descriptions to asking questions that elicit a yes or no answer, such as, in this case, is there a perimeter fence or other type of barrier in place around the entire site? Generally, the prompt is if not explained. In other words, if this particular item is not there, it is a potential vulnerability and therefore this is an opportunity to write down both the facts of how that particular perimeter looks and then any particular options that might be for improving the security at that particular location. Once again, as we go through there, it's a means to collect the information for each of these particular areas and as a guide and checklist. However, it does not establish a standard or provide guidance for the mitigation options that would be associated with the vulnerability that is observed. As you can see, going from outside perimeter to lighting to physical protection, each of these are generally moving from outside to inside, that intrusion detection, those circuit TV systems, and then moving from those particular areas into more procedural type of information, such as site security patrols, site access controls, operation security, in this case, either procedures for reporting suspicious personnel or activity onto visitor control procedures and ending with a look at the communication plan for the organization or the means of which employees, volunteers, and members are communicated both before, during, and after an event. And simply at the end is a section to note any of the other attachments or any other photos or other information that was brought in to the assessment. So once again, we've walked through the worksheet understanding that sections one through six are the worksheet proper and followed by the annex one, which is a guide and aid to completing a vulnerability assessment onsite. The fusion centers in California have the following areas of responsibility. Before you see a map of California and each of the fusion center's areas are outlined in a separate color. Contact information for the fusion centers will be shown on the following slide. When contacting any of the fusion centers, please state that you are contacting them in reference to a vulnerability assessment that may be used in a nonprofit security grant application. In addition, please be prepared to discuss the deadline for the assessment. Keep in mind that the centers generally have a series of already scheduled assessments. Also, vulnerability assessments may be conducted at any time of the year if your organization is considering an application for the nonprofit security grant. Please contact your local law enforcement and then one of the fusion centers as soon as possible. If you have any additional questions concerning this presentation, you can contact me, Tom Ducker, at the California State Threat Assessment Center. The contact information is at the top of this slide. You have a phone number and be contacted through InfoShare at caloas.ca.gov.