Protective security: Protecting critical assets

The Security Service has specialist staff dedicated to increasing the
level of security across society. Much of this work involves examining
government agencies and recommending measures they can take to raise their level of security and protection.

Acting in our capacity as an oversight body and performing records checks are other ways we ensure that critical assets are adequately protected.

All public agencies are obliged to perform a security analysis,  to identify what exactly has to be protected against adversary threats. An adversary threat exists when an adversary has both the intent and the capability to act, and when this action would have negative consequences for the operation of the agency in question. Incidents such as natural disasters and extreme weather, cable fires, pandemics etc. are not included in the security analysis but are dealt with in a risk and vulnerability analysis.

Adversary threats are different from ordinary daily incidents. Incidents resulting from serious adversary threats often feature some unprecedented action. This means that it is difficult to predict the likelihood of an attack occurring in the near future or even in the medium term, quite simply because there are no statistics on such unusual incidents. What can be said however is that such attacks could have serious and unacceptable consequences for the operations of an agency and for the nation.

As not all operations of an agency are considered critical, it is important to identify the ones that are, i.e. areas where the consequences of an adversary attack may have an impact on national security. In our experience, many public agencies struggle to identify their critical assets and therefore find it difficult to devise adequate protective measures.

Analysis necessary for adequate protection

Assessments made in the analysis serve to underpin decisions on security measures and to ensure that these measures form links in the chain that constitutes a functioning protective security system. Without some form of security analysis the security system would most often be ineffective and may even give a false sense of security. Moreover, it is often difficult for heads of security to convince management to invest in protective security measures that may be seen as cumbersome unless underpinned by easily explained, rational and traceable decisions.