Client’s Challenge: A Company Decides to Test Its Security Guarantee to Clients
It’s one thing to establish a common set of physical security audit, policies and practices for the enterprise as a whole. It’s quite another to have every office in your national footprint execute these faithfully on a daily basis. “I want you to undertake a series of penetration tests over a four-week period,” directed the Vice President of Compliance and Oversight. “This is much more than physical security. This goes to the integrity of our service commitment to customers – and our ability to ensure the security and privacy of their assets.”
Our Solution: Undertaking Unannounced Physical Security Audits
Hillard Heintze’s random, unannounced audits were performed under the guidance and direction of a company security representative. These were undercover site visits conducted during and after business hours to provide management with an independent evaluation of the effectiveness of their physical security practices and procedures.
The audits included a wide range of unauthorized entry attempts under various pretexts, behavioral approaches involving overt and covert picture-taking, observation of sensitive areas and activities, credential-sharing with unprocessed visitors, technical evaluation of access control systems, analysis of security guard response, vehicle integrity checks and facility compliance.
Impact on the Client: A Surprising Set of Findings – and a Few Heroes
The Vice President used Hillard Heintze’s site-specific After-Action Reports and an in-person briefing by our penetration experts to (1) praise employees who had followed policy or responded appropriately, (2) identify where weaknesses and vulnerabilities needed to be addressed and (3) raise awareness of security practices among all personnel.
Unplugged: The Project Manager's Post-Engagement Perspective
“What you really hope you don’t find is that an unauthorized person can gain access to the operations floor in broad daylight, walk the facility unchallenged and succeed in taking pictures.
But that is exactly what one of our penetration experts was able to do on this engagement. Sometimes clients just don’t know how vulnerable they are – and how extensive breaches can be – unless they run a penetration test.”