

Fortraks Motors Inc.


Fortrak Motors Inc. produces high-quality commercial and industrial vehicles equipped with diesel engines benchmarked to provide maximum performance and reliability. The company continues to become the recreational vehicle of choice for executives on the go. Occupational health and safety provisions are strictly observed to prevent hazards.


Physical Security Process

1. Conduct risk assessment to identify inherent risks

2. Identify current and potential resources including funding and expertise for selected areas.

3. Develop assessment to measure effectiveness & impact of preliminary measures.

4. Develop a physical security program

5. Implementation


Physical building materials, perimeter security including fencing, locks and guards.



Site location, facility design, building construction, emergency response and employee controls.

Technical Controls

Trainings and emergency drills are done once a year to educate employees on the basic disaster preparedness practices. Broadcast networks are used to share or consolidate information. System administrators often fail to realize the importance of networking hardware in their security schemes. A centralized server is the main storage of information.



Scope of Audit

It applies to the Security Operations Department and all its subunits, including Intelligence and Logistics, Operations and Integration, Network Security Deployment and Emergency Readiness Team, through their department heads and supervisors who have access to facilities and their assets. Such assets include data, images, text, or software, stored on hardware, paper or other storage media. Audit fieldwork is primarily performed within the vicinity of the workplace.

Audit Objectives

  • To establish adequate physical security measures and practices for its critical assets;

  • To address physical security measures recommended in prior risk assessments;

  • To conduct performance testing to ensure that security measures for physical assets were being performed as designed; and

  • To provide security guidance and general procedures that are realistic, harmonized with other security disciplines to protect personnel, installations, projects, operations, and related resources against capable threats from terrorists, criminal activity, and other subversive or illegal activity.


Site Visit: visits to data centers, computer rooms, and the office environment are arranged to identify physical security risks. In addition, the assessment team should record on-site observations about system operations and end-user behaviors (e.g. the use of password-protected screensavers) in order to verify whether relevant security policies are followed accordingly.

Group Discussion: group discussions or workshops can be facilitated by the assessment team to gather information about the existing security environment (controls and risks) of the company. The discussion can have any format and topic, depending on the target information to be gathered.

Multi-level Interviews: on-site interviews with key persons or representatives at different levels may also be conducted to verify previously obtained information, and to improve the accuracy and completeness of the collected information.

Areas of Internal Control which are Adequate

A1. Physical access barriers including door locks, high-durability windows, unauthorized entry, evacuation entry and exit direction, alarm usage and conductivity.

A2. Biometric physical control solutions.

A3. Redundant power systems to support the company’s continuous operations.

Areas of Internal Control which are Inadequate

B1. Trainings and emergency drills are done once a year to educate employees on the basic disaster preparedness practices.

B2. Using broadcast networks to share or consolidate information.

B3. A centralized server is the main storage of information.


1. It is recommended that disaster preparedness and emergency drills/pre-incident trainings be executed at least every other month to implement physical protective and operational procedures designed to safeguard personnel and protect resources from unauthorized use, theft, damage, sabotage, and espionage.

2. The company should conduct regular firewall and malware prevention to properly configure and enforce the security policy with the minimal and optimal security protection.

3. Access privileges granted to each individual user will adhere to the principles of separation of duties. Technical or administrative users, such as programmers, system administrators, database administrators, and security administrators of systems and applications, must have an additional, separate end-user account to access the system as an end-user to conduct their personal business.