Over the last two months, I’ve examined how to determine the risk to a facility and a methodology for performing a relatively simple risk analysis. One of the remaining questions is what to do once you've determined the risks? This column will explore that question, again using the American Society of Civil Engineers (ASCE) Manuals and Reports on Engineering Practice No. 128, “Building Security Rating System,” to illustrate the concepts. The overall risk in the manual is quantified as one of five required levels of security ranging from “Rated,” the minimum security that any building should implement, to “Platinum,” the highest level of security appropriate for the most valuable or vulnerable buildings. Based on the required security level, the document directs users to several countermeasures that are divided by the building system category and increase in number, effectiveness, and cost as one moves up the required security rating ladder.
Let’s focus this discussion on the “mechanical” and “equipment maintenance and operations” categories and explore how the countermeasures build on each other to provide increasing levels of protection. Starting with operation and maintenance, at the Rated level, there is only a single countermeasure suggested, “Access to building information is restricted.” This is a very basic precaution and is meant to ensure that only those who need to know are aware of how the building operates. At Bronze-level security, the requirements are having up-to-date drawings of major systems and an updated operations manual. At the Silver level, a preventive maintenance schedule for ventilation systems is additionally required. In addition to rebalancing critical air systems once a year and testing backup power monthly, as are required for the Gold level, the Platinum level adds performing periodic recommissioning of systems. What we can see is that each step of enhanced security builds on the previous steps, generally comes at an increased cost, and that the implementation effort involved reflects the risks that are being addressed.