Risk Management for DoD Security Programs
Student Guide
• Press exposure of sensitive information represents a potential vulnerability. For
example, an activity with poor entry control procedures may be susceptible to
loss/theft of property and may have implanted listening devices.
Information Vulnerability Areas
Information vulnerability areas include the following:
• Information unnecessarily disseminated to a wide audience – the wider the
dissemination, the more difficult it is to protect.
• Failure to practice need-to-know - “Need-to-know” refers to the determination by
an authorized holder of classified information that a prospective recipient requires
access to specific classified information in order to perform an authorized
governmental function.
• Poor program administration includes failure to properly safeguard sensitive
information, improperly classifying information and failure to mark classified
information.
• Failure to follow Freedom of Information Act (FOIA) requirements - Adversaries
routinely request information through FOIA. Failure to properly evaluate information
that has been requested for public release may pose a threat to critical assets.
Facility Vulnerability Areas
Facility vulnerability areas leave assets in jeopardy. These are some potential issues:
• Location – Areas designated as high crime areas or with a significant potential for
natural disasters could be a concern.
• Poor perimeter fencing with holes, gaps, vegetation overgrowth, etc.
• Building design characteristics with floor plans that inhibit access control
measures, ground floor windows along a heavy pedestrian route, etc.
• Tunnels and drains that permit an avenue of approach by an adversary.
• Unsecured doors that allow adversary access.
• Parking lots provide adversaries with a venue for observing a facility, perpetrating a
crime, detonating mobile explosive devices, etc.
• Vehicle barriers – They must be reinforced and security personnel must be trained
to be effective.
• Untrained guard forces may be ineffective in observing, preventing, or responding
to an adversary attack. Guard forces must understand their duties and be trained to
carry them out.
• Unsecured windows provide adversaries with a potential avenue of approach.
• Insufficient access control allows adversaries a potential means of entry either
detected or undetected.
• Gates must be properly operated when in use, locked when not in use, and regularly
evaluated to ensure they do not provide adversaries with a potential avenue of
approach.
Equipment Vulnerability Areas
Equipment vulnerability areas include the following:
• Signal interceptions that can occur when using devices like cell phones, wireless
networked computers, and personal digital assistants (PDAs).
• TEMPEST emanations - TEMPEST is the short name referring to the investigation,
study, and control of compromising emanations from telecommunications and
information systems equipment. Computer equipment, typewriters, etc. emanate
electronic signals that can be collected by an adversary. They can then interpret the