then the risk assessment/security plan should address the structure in general