As reported previously on Info4Security, the ASIS/ANSI Physical Asset Protection (PAP) Standard defines a framework that helps practising security managers to apply and manage physical security measures in order to safeguard an organisation’s people, property and information.
The standard strongly promotes the convergence of risk management activities across an organisation through a cross-functional risk assessment and management system that identifies, evaluates and resolves all security risks within a singular, managed process.
For its part, Citicus provides software for building an automated Physical Asset Protection Management System (PAPMS) as specified by the newly-published ANSI/ASIS PAP.1 2012 standard.
Citicus Limited’s Citicus ONE software provides security managers with an efficient and effective tool that helps them to build and maintain a PAPMS and enables them to:
- identify, categorise and record physical assets and their owners
- define and manage interdependencies between physical assets, information systems and key suppliers from a risk perspective
- measure the criticality of physical assets to the businessboth objectively and consistently
- conduct risk assessments of physical assets using a simple but powerful risk scorecard
- define and track remediation activities aimed at driving risk down
- report on risk to all stakeholders including individual asset owners, risk managers, senior management, auditors and others
Status of security controls: a key driver
A key driver of risk for physical assets is the status of security controls and Citicus ONE incorporates an in-built library of over 500 controls for site protection. These can be easily augmented or replaced with an organisation’s own security standards or internationally recognised standards (such as the ASIS Facilities Physical Security Measures Guideline), enabling users to benchmark their control status.
One of the goals of a PAPMS is to support decision making by balancing experience and intuition with factual data about the risk status of assets. Citicus ONE supports this through its collation of objective risk metrics, including information about past incidents and their impact.
In turn, this provides organisations with the ability to review, challenge and change past decisions concerning the protection of assets.
Common approach to risk management
Simon Oxley, managing director at Citicus, commented: “The ASIS/ANSI PAP Standard promotes a concept we at Citicus are very interested in – the use of a common approach to managing risks of all kinds across the enterprise – and I was very pleased to be able to contribute to its development.”
Oxley went on to state: “We believe that our Citicus ONE software provides an excellent platform for security managers to measure and manage risk in a more holistic way across their physical facilities, IT systems and supply chains.”
James Willison, tghe founder of Unified Security and vice-chairman of ASIS International’s European Security Convergence Sub-Committee, added: “Information and physical security leaders from across the security industry worked together to give the standard a strong converged perspective in recognition that, unless there is a collaborative approach to the management of security risk, those who attack physical sites will exploit the weakest link.”
He continued: “Citicus ONE enables security practitioners across the organisation to identify the assets most at risk. By using the same framework security risks can be correlated across the enterprise and a team approach established.”
Traditionally, many physical security managers have relied on spreadsheet-based risk tools which, in Willison’s opinion, make it difficult to assess the risks they face across the business.
“Citicus ONE can really help to ensure risk is recorded, monitored and managed efficiently, effectively and consistently,” concluded Willison.
Citicus Limited was formed in 2000 by Sian Alcock, Marco Kapp and Simon Oxley. Its award-winning Citicus ONE risk and compliance management software has been implemented in public and private sector enterprises of all sizes around the world, while Citicus’ partnership relationship with customers helps the company implement and run its risk programmes successfully.