RISK, THREAT, AND VULNERABILITY ASSESSMENT

Selected contractor’s assessment would include written findings and recommendations, an evaluation of current risks and vulnerabilities facing the organization and the specific facility, its workforce, and associated assets, as well as providing a review of security-related policies and procedures.
The Risk, Threat, and Vulnerability Assessments will consist of a site-specific physical security review, and offer an objective perspective based upon selected contractor’s evaluation of the overall security program relative to the identified threats and risk exposures, as well as providing itemized observations, findings and recommendations for enhancing the site’s overall security program and workplace violence planning and preparedness.
Through a combination of interviews, site surveys and documentation evaluation, Selected contractor will review, assess and provide recommendations for the improvement of SMUD’s current security posture and site-specific risk exposures specific to physical security. This evaluation will include the protection of assets, including information systems, but it will NOT include a cybersecurity assessment or evaluation in any capacity.
Selected contractor will conduct a security and vulnerability assessment of each assigned SMUD facility. There will be six (5) sites in total including a main campus, a large operations center, a Nuclear Regulatory Commission-Regulated Site and associated facilities, a gas pipeline system and its assets, and one other geographically remote facility. The assessment would be conducted through a combination of site visits, interviews, and documentation reviews by means of the following tasks:
Request for Information
Selected contractor may begin each assessment by providing SMUD with a list of information items, pertinent to the assessment. These items typically include, but are not limited to:· Organizational charts for the organization and security unit· Site plan for the overall property, including related structures and exterior parking facilities· Floorplans of the designated areas to be surveyed · As-built drawings of the electronic security system(s)· Regulatory requirements, criticality or risk assessments and prior security assessments, if available· Security-related policies and procedures· Security training program documentation· Emergency preparedness documents· Security force documentation (SOPs, post orders, work schedule and deployment, legal authority and regulatory framework and compliance (vs licensure), and training components)
Obtain and review existing security documentation as available to include floorplans, Officer post orders, as-built security systems drawings, incident reports, security-related policies and procedures, organizational charts for the company, and examples of security-related trainings for leadership and employees.
Conduct a site survey for each site’s buildings and overall property, to include points of entry, critical interior spaces, emergency egress points, building perimeters, and adjacency concerns. Also included should be a review and evaluation of building operating procedures as they relate to security (visitor management, security staffing, access to loading docks and back of house, etc.)
Interview appropriate facility management and security personnel to become familiar with each site’s security programs and operations, discuss past criminal incidents, and the overall security climate for the property.
Inspect and evaluate the currently installed electronic security systems at the sites to include access control and alarm monitoring, intrusion detection, video surveillance and monitoring, intercom communications, etc..
Obtain and review current security staffing and Officer posts for the properties. Review and evaluate security staffing levels, performance levels and related operating protocols relative to available staff at static locations versus available staff for patrol or field duties.
Review and evaluate current written policies and procedures for security. Provide comments on their adequacy and depth of coverage. If necessary, a suggested topic array and sample security policy will be composed as part of this assignment.
Conduct a threat assessment to evaluate known and foreseeable threats facing the organization, its employees, and the designated properties and operations.
Document findings and recommendations in a Physical Security Assessment Report. The report would itemize all findings and recommendations, including specific physical security mitigating controls, devices, and other measures as warranted.