The location will have to have, at a minimum, multiple buildings. Be sure you can find information on the location. FIND A LOCATION IN NASHVILLE, TENNESSEE
Caution, this three-part assignment will be very different than anything you have likely done. Be sure to read the instructions very carefully. Go by the example given. Ask questions.
PLEASE LOOK AT THE EXAMPLES BEFORE CHOOSING A LOCATION!!!
Running head: RISK ASSESSMENT WILLIAM AND MARY 1
Risk Assessment of the College of William and Mary:
Parts I-III
Elizabeth C. Russ
Virginia Commonwealth University
Example for students
*Note that the order of this example is a little different than what your instructions say. Use this
as a guide but go strictly by the instructions.
Table of Contents
Critical Infrastructure
Best Practices for Critical Infrastructure Identification
National Preparedness and Homeland Security Directives
    Executive Order 13010
    Executive Order 13231
    National Infrastructure Protection Plan and Presidential Policy Directive 21
    Homeland Security Presidential Directive 7
The College of William and Mary Profile
An All-Hazards Approach
William and Mary’s Critical Infrastructure
    Sadler Center
    Swem Library
    Wren Building
    Power Plant
    Commons Dining Hall
    Law School
    Zable Stadium
    William and Mary Hall
    Recreation Center
    Campus Center
    Integrated Science Center
    Phi Beta Kappa/Andrews Hall
    Small Hall
    School of Education
    Matoaka Amphitheater
    Sunken Gardens
Tools and Techniques
    Key Asset Prioritization Matrix
    Geographic Information Systems (GIS)
Critical Infrastructure Priorities at William and Mary
    First Priority: Sadler Center
    Second Priority: Swem Library
    Third Priority: Wren Building
Summary of Critical Infrastructure Assessment
Best Practices for Conducting Risk Assessments
Role of Government and the Private Sector in Conducting Risk Assessments
Tools and Techniques for Risk Assessments
    Hazards U.S. Multi-Hazard
    CARVER Matrix
    Security Vulnerability Assessment
Sadler Center Risk Analysis
    Purpose
    Scope
    Risk Assessment Approach
    Asset Characterization
    Threat Statement
    Findings
        Fire
        Active Shooter
        Severe Weather
        Explosive
        Assault/Violence
        Cyber Attack
        Crime
        Surry Nuclear Power Plant Radiation Release
        Abduction
        Flood
        Asset-Based Security Vulnerability Analysis
    Evaluating Risk
        High Priorities
        Medium Priorities
        Low Priorities
    Conclusion
References
Critical Infrastructure
When creating a risk assessment for a locale, it is essential to identify the critical
infrastructure of the area. The USA PATRIOT Act defines critical infrastructure as “the
personnel, physical assets, cyber, and communications systems that must be intact and
operational to ensure survivability, continuity of operations, and mission success” (as cited in
Bennett, 2007, p. 53). Critical infrastructure can be evaluated within different scopes from a
national to a community level. An asset that is critical infrastructure at a local level may not be
considered as such at a state or national level. While the College of William and Mary has an
economic presence in the local community, it is not critical infrastructure nationally. However,
within the campus, there are key assets that are essential to the College’s operations and its
mission to educate. Through a risk assessment these assets can be evaluated and the critical
infrastructure for William and Mary can be identified.
Best Practices for Critical Infrastructure Identification
In completing a risk assessment, there are certain approaches to identifying critical
infrastructure that will provide the most comprehensive analysis. Bennett (2007) identifies three
key factors that should be considered when determining which infrastructure is critical:
dependencies, vulnerabilities, and alternatives (p. 57). First, some assets are interconnected in
their operations or provide services upon which other assets depend. If an asset that has
multiple dependencies fails, it can create a cascading effect, incurring more losses than at the
initial site (Bennett, 2007, p. 63). Second, assets vary in the number of vulnerabilities they have.
This can be related to their design and the services they provide. Some assets will be
characterized as soft targets, which have lower levels of security and more open access (Bennett,
2007, p. 62). Generally, assets that are for public use are soft targets because they can only have
a certain level of security without interfering with the asset’s service (Bennett, 2007, p. 62). Hard
targets have higher security measures and less access (Bennett, 2007, p. 62). Since the services
they provide may be more critical, they are more desirable to attack (Bennett, 2007, p. 62). In
addition to those exploited in an attack, vulnerabilities must be considered that would cause risk
exposure in a natural disaster. The third factor refers to the presence of alternative resources
when an asset fails. If an asset’s services do not have built-in redundancies or cannot be
performed by another asset, then the asset is more critical (Bennett, 2007, p. 57). In determining
which assets are critical infrastructure, the dependencies, vulnerabilities, and alternatives should
be considered so that they can be appropriately prioritized.
Identifying critical assets is imperative, so the services they provide can be protected.
Failures of key assets can result in casualties, weakened security, economic turmoil, decline in
morale, and lack of access to basic needs (Bennett, 2007, p. 58). While it would be ideal to
protect all assets, limited resources prevent this. Therefore, critical infrastructure must be
assessed and prioritized to determine which assets warrant protective measures (Bennett, 2007,
p. 67). In order to produce the highest quality assessment, critical infrastructure identification
and prioritization should be conducted at the local level (Bennett, 2007, p. 67). A community is
the most knowledgeable regarding its assets and its essential needs. All of these assets may not
be considered critical in state and federal assessments, but a local jurisdiction can determine
which are most important to its community (Bennett, 2007, p. 67). To ensure best practices are
applied, communities should evaluate their critical infrastructure continuously to determine if
changes have occurred or priorities have shifted (Bennett, 2007, p. 67). To develop thorough
evaluations of critical infrastructure, numerous preparedness frameworks and assessment tools
can be applied.
National Preparedness and Homeland Security Directives
The federal government has created numerous directives and documents that provide
mandates and guidance on best practices for national preparedness. Many of these documents are
interrelated or derived from another directive. In addition to providing direction for federal
agencies, the directives emphasize state and local level involvement. The intent is to provide a
framework that is scalable to different sized communities. Different documents address the
various phases of emergency management. Executive Order 13010, Executive Order 13231, the
National Infrastructure Protection Plan, Presidential Policy Directive 21, and Homeland Security
Presidential Directive 7 are examples of these documents that focus on critical infrastructure
protection.
Executive Order 13010
Issued in 1996, Executive Order 13010 addresses critical infrastructure protection.
Clinton identifies the sectors of critical infrastructure and categorizes potential threats as
“physical” or “cyber” (as cited in Bennett, 2007, p. 84). In this document, Clinton acknowledges
the role private stakeholders have in critical infrastructure, and he recognizes the need for
collaboration between the government and private sectors (as cited in Bennett, 2007, p. 84).
Through Executive Order 13010, Clinton established the President’s Commission on Critical
Infrastructure Protection, comprised of representatives of relevant federal agencies (as cited in
Bennett, 2007, p. 84). Clinton assigned the Commission the task of working with public and
private stakeholders to identify and assess critical infrastructure and their threats (as cited in
Bennett, 2007, p. 85). Clinton’s Executive Order also directs the Commission to use these
evaluations to create a national strategy to protect critical infrastructure (as cited in Bennett,
2007, p. 85).
Executive Order 13231
With the continued development of technology, Executive Order 13231 was issued in
2001 to combat the cyber threats posed to critical infrastructure. Bush (2001) established the
President’s Critical Infrastructure Protection Board to develop security measures for information
systems of critical infrastructure. In order to execute this task, the Board needed to work with
other groups that manage cybersecurity threats, including federal agencies, state and local
governments, and the private sector (Bush, 2001). Executive Order 13231 was significant in
creating a policy to mitigate threats to critical infrastructure through their information systems.
National Infrastructure Protection Plan and Presidential Policy Directive 21
The National Infrastructure Protection Plan (NIPP) is designed to detail the methods by
which the public and private sectors can collaborate to mitigate risks and improve resilience for
critical infrastructure (Department of Homeland Security [DHS], 2015a). This plan was
developed from multiple perspectives, which included the public and private sectors from across
the nation and at all levels (DHS, 2015a). NIPP was crafted to be compliant with Presidential
Policy Directive (PPD) 21, which strives to promote a unified movement toward protecting
critical infrastructure from an all-hazards approach (The White House, 2013). NIPP outlines
steps that should be taken in order to execute the process of protecting critical infrastructure.
These include: setting goals and objectives, identifying infrastructure, assessing and analyzing
risks, implementing risk management activities, and measuring effectiveness (DHS, 2013, p. 15).
NIPP stresses the importance of information sharing during this process in order to promote best
practices and involve the entire community (DHS, 2013, p. 16). NIPP’s process can be used as a
guideline for assessing critical infrastructure in a community and determining which mitigation
efforts are worth employing.
Homeland Security Presidential Directive 7
Homeland Security Presidential Directive (HSPD) 7 is an executive document that
provides a strategic framework for “critical infrastructure identification, prioritization, and
protection” (DHS, 2003). This document recognizes the presence of threats that must be
acknowledged and analyzed. HSPD-7 notes that it is not possible to protect against all threats
and key assets must be prioritized in order to create the most effective prevention (DHS, 2003).
In order to accomplish these goals, HSPD-7 outlines the critical infrastructure sectors that
different federal agencies should address, and it conveys the necessity of collaboration with the
private sector (DHS, 2003).
The College of William and Mary Profile
William and Mary is the second oldest college in the United States and is a research
university, with undergraduate, graduate, and doctoral programs (College of William & Mary
[William & Mary], 2015a). Chartered in 1693, the College is the origin of the first Honor Code
and Phi Beta Kappa (William & Mary, 2015a). The main campus is situated on 1,200 acres in
Williamsburg, Virginia (William & Mary, 2015a). It is separated from the surrounding
community and bordered by Richmond Road, Jamestown Road, and Lake Matoaka. Currently,
the population consists of 6,299 undergraduate students, 2,138 graduate students, and 609 full-
time faculty (William & Mary, 2015a). Thirty-one percent of students are of a minority ethnicity
or race (William & Mary, 2015a). William and Mary is a prominent academic institution
nationally and is also an economic force locally. “William and Mary contributes more than half a
billion dollars and over 7,000 jobs to Virginia each year” (William & Mary, 2015a). Any
incident, natural or manmade, at the campus would be significant to the College’s mission
toward providing an environment for learning and research and would impact the surrounding
community of Williamsburg as well.
An All-Hazards Approach
Due to its location and the nature of its residential campus, William and Mary is more
prone to certain types of threats. Some of the events the College should prepare for are fire,
hurricanes, floods, winter storms, nuclear fallout, earthquakes, biological hazards, chemical
hazards, active shooters, terrorism, and cyber-attacks. Especially since William and Mary is a
residential campus, fires caused in the dorms or other buildings should be a concern. Due to the
campus’s location on the Virginia Peninsula, it is more likely to be impacted by hurricanes and
flooding. The lake on campus and surrounding wetlands make floods more probable. While
winter storms and earthquakes are less likely, they can and have had an impact on campus
operations. Across the James River and approximately seven miles from the campus, the Surry
Nuclear Power Plant’s location makes nuclear fallout a necessary incident to plan for, despite the
low level of likelihood of occurrence. Biological and chemical hazards should also be
considered, especially from the materials located in the science buildings. Since active shooters
have attacked other college campuses and terrorism can target unlikely soft targets, William and
Mary should also have shelter-in-place and evacuation plans. William and Mary’s classes are
primarily taught in classrooms, but they rely heavily on online services through applications,
such as Banner and Blackboard. Administrative services depend on information security as well.
If a successful cyber-attack occurs, the College’s activities and services could be impaired. These
natural and manmade hazards could cause negative consequences, such as financial loss,
casualties, inability to provide education and research services, loss of sensitive personal data,
and reputational damage. Since the college has a wide scope of potential incidents that could
occur, it is necessary for it to take an all-hazards approach in order to ensure best practices are
carried out. This consists of developing emergency procedures that are adaptable to different
types of events.
William and Mary’s Critical Infrastructure
William and Mary’s campus consists of academic, residential, athletic, arts, activities,
and administrative buildings. Based on the amount of impact an incident could have in terms of
casualties, financial cost, loss of functions, and effect on dependent assets, the structures that are
critical infrastructure can be identified. There are several buildings which function as centers of
congregation. Some of these structures are filled to capacity on a daily basis. Others hold a
majority of the population during special events and are empty the remainder of the time.
Sadler Center
The Sadler Center contains one of the two major dining facilities and many of the
meeting rooms for activities. As a result, it is consistently filled throughout the day. In addition
to catering to the regular campus population, the Sadler Center hosts visitors and regional
conventions throughout the year. Therefore, the potential occupants exposed could rise higher
during special external events.
Swem Library
Swem Library is the main library for undergraduate and graduate students, and it is where
most students study on campus. The library is generally open from 8 a.m. until 2 a.m., so it is
especially full in the evenings when other buildings are closed. Swem Library contains all of the
reference documents and media for the main campus. In addition, it has the Special Collections
area, which holds rare, old, and significant documents. Swem Library also stores the College’s
historical regalia when they are not in use (W