Physical security is the foundation of every security program. It is the combination of people, equipment, and procedures into a seamless protection program.
Physical security focuses on the protection of organizational assets such as people, property, and information.
Security system components tend to fail at the worst possible time; so contingency planning must be assessed and factored into physical security planning.
Physical security starts with the environment and takes a proactive stance to building programs that are both flexible and comprehensive in design. One proactive approach in the planning and design is referred to as Crime Prevention Through Environmental Design.
Crime Prevention Through Environmental Design (CPTED) is a set of concepts based upon the idea that the proper design and use of the environment can reduce the fear, opportunity, and incidence of crime and improve our quality of life.
Defensible Space, a concept often associated with CPTED, is where the environment is compartmentalized into smaller areas or zones that are clearly defined, making them easier to protect.
CPTED is best applied using a multi-disciplinary common-sense approach. By involving engineers, architects, designers, security professionals, law enforcement, landscapers, and the end-users of the area/facility, the final application of CPTED concepts will offer a proactive approach in crime prevention. CPTED relies on an awareness of how people will use the space for legitimate and illegitimate purposes.
Physical security assessment plan.
1. Risk assessment models and considerations
2. Qualitative and quantitative assessment methods
3. Key areas of the facility or assets that may be involved in assessment
4. Types of resources needed for assessment
Identify assets to determine their value, criticality, and loss impact.
1. Definitions and terminology related to assets, value, loss impact, and criticality
2. The nature and types of assets (tangible and intangible)
3. How to determine value of various types of assets and business operations
Assess the nature of the threats so that the scope of the problem can be determined.
1. The nature, types, severity, and likelihood of threats and hazards (e.g., natural disasters, cyber, criminal events, terrorism, socio- political, cultural)
2. Operating environment (e.g., geography, socio-economic environment, criminal activity)
3. Potential impact of external organizations (e.g., competitors, supply chain, organizations in immediate
proximity) on facility’s security program
4. Other external factors (e.g., legal, loss of reputation, economic) and their impact on the facility’s security program
Conduct an assessment to identify and quantify vulnerabilities of the organization.
1. Relevant data and methods for collection (e.g., security survey, interviews, past incident reports, crime statistics, employee issues, issues experienced by other similar organizations)
2. Qualitative and quantitative methods for assessing vulnerabilities to probable threats and hazards
3. Existing equipment, physical security systems, personnel, and procedures
4. Effectiveness of security technologies and equipment currently in place
5. Interpretation of building plans, drawings, and schematics
6. Applicable standards/regulations/codes and where to find them
7. Environmental factors and conditions (e.g., facility location, architectural barriers, lighting, entrances) that impact physical security
Perform a risk analysis so that appropriate countermeasures can be developed.
1. Risk analyses strategies and methods
2. Risk management principles
3. Methods for analysis and interpretation of collected data
4. Threat and vulnerability identification
5. Loss event profile analyses
6. Appropriate countermeasures related to specific threats
7. Cost benefit analysis (e.g., return on investment (ROI) analysis, total cost of ownership)
8. Legal issues related to various countermeasures/security applications (e.g., video surveillance, privacy
issues, personally identifiable information)
Design, and Integration of Physical Security Systems
1. Design constraints (e.g., regulations, budget, cost, materials, equipment, and system compatibility)
2. Applicability of risk analysis results
3. Relevant security terminology and concepts
4. Applicable codes, standards and guidelines
5. Functional requirements (e.g., system capabilities, features, fault tolerance)
6. Performance requirements (e.g., technical capability, systems design capabilities)
7. Operational requirements (e.g., policies, procedures, staffing)
8. Success metrics
Determine appropriate physical security measures.
1. Structural security measures (e.g., barriers, lighting, locks, blast migration, ballistic protection)
2. Crime prevention through environmental design (CPTED) concepts
3. Electronic security systems (e.g., access control, video surveillance, intrusion detection)
4. Security staffing (e.g., officers, technicians, management)
5. Personnel, package, and vehicle screening
6. Emergency notification systems
7. Principles of data storage and management
8. Principles of network infrastructure and network security
9. Security audio communications (e.g., radio, telephone, intercom, IP audio)
10. Systems monitoring and display (control centers/consoles)
11. Systems redundancy alternative power sources (e.g., battery, UPS, generators, surge protection)
12. Signal and data transmission methods
13. Considerations regarding Personally Identifiable Information (physical/logical/biometric)
14. Visitor management systems and circulation control
Design physical system and prepare construction and procurement documentation
1. Design phases (pre-design, schematic design, design development, construction documentation)
2. Design elements (calculations, drawings, specifications, review of manufacturer’s submittals and technical data)
3. Construction specification standards (e.g., Construction specifications Institute, owner’s equipment
standards, American Institute of Architects MasterSpec)
4. Systems integration (technical approach, connecting with non-security systems)
5. Project management concepts
6. Scheduling (e.g., Gantt charts, PERT charts, milestones, and objectives)
7. Cost estimation and cost-benefit analysis of design options
8. Value engineering
Outline criteria for pre-bid meeting to ensure comprehensiveness and appropriateness of implementation.
1. Bid package components
2. Criteria for evaluation of bids
3. Technical compliance criteria
4. Ethics in contracting
Procure system and implement recommended solutions to solve problems identified.
1. Project management functions and processes throughout the system life cycle
2. Vendor pre-qualification (interviews and due diligence)
3. Procurement process
Conduct final acceptance testing and implement/provide procedures for ongoing monitoring and evaluation of the measures.
1. Installation/maintenance inspection techniques
2. Systems integration
3. Commissioning
4. Installation problem resolution (punch lists)
5. Systems configuration management
6. Final acceptance testing criteria
7. End-user training requirements
Implement procedures for ongoing monitoring and evaluation throughout the system life cycle.
1. Maintenance inspection techniques
2. Test and acceptance criteria
3. Warranty types
4. Ongoing maintenance, inspections, and upgrade
5. Ongoing training requirements
6. Systems disposal and replacement processes
Develop requirements for personnel involved in support of the security program.
1. Roles, responsibilities, and limitations of security personnel (including proprietary (in- house) and contract security staff)
2. Human resource management
3. Security personnel training, development, and certification
4. General, post and special orders
5. Security personnel uniforms and equipment
6. Personnel performance review and improvement processes
7. Methods to provide security awareness training and education for non-security personnel
Risk management: (A business discipline that consists of three major functions: 1) loss prevention, 2) loss control, and 3) loss indemnification). can be defined as the systematic approach that identifies risk, calculates the impact of the risk, and eliminates or minimizes the risk to an acceptable level. Another way to define risk management is making the most efficient before-the-loss arrangement for the after-the-loss continuation of the business. It uses a rational approach and is defendable in a court of law.
Risk management is an ongoing process that must be re-evaluated on a regular basis. Risk should be the driving factor of the organization’s asset protection program. An ongoing risk assessment program is the best tool for monitoring the changing threat and risk environment, and proactively preparing to respond to it.
Risk can be simply defined as the potential for damage to an asset or loss of an asset. Risk is the most important driver of security measure choice and deployment. Security’s primary objective is to manage risks by balancing the cost of protection measures to the benefit of those measures.
The goal is to eliminate or reduce the number of incidents leading to a loss. The organization’s risk management program should be similar to a computer’s operating system, it should be running in the background and driving security decisions and actions.
Most security programs are reactive in nature, meaning that they only deploy security measures after a loss has occurred. Risk management is the process that can help the organization develop a comprehensive protection strategy based on sound practices.
The risk assessment process can be divided into six basic steps:
Assets
The first step in risk assessment is to identify and value the assets. This should help to identify what is being protected and what needs to be protected. Such information allows for the prioritization of assets. Not all assets are of equal value to the organization.
Assets can be divided into three categories:
Most organizations focus their physical security protection program on tangible assets only; however, the security professional should also incorporate the protection of intangible assets into the process. There are other factors that must be considered when assessing the value of assets, mainly the indirect costs of an asset.
A Few Examples of Indirect Costs Are:
Threats
Physical security programs should look to build their programs using an all-hazards approach to threats, which provides a context to risk. By using a holistic, full-scope, and balanced approach to the threat, the security professional will be able to understand that some threats are prevalent at certain times and some in certain places.
A hazard is a contributing factor to a peril. For example, a hazard is a condition that makes it more likely a peril will occur such as mental illness or stress. If an active shooter incident is used as the peril in this example, the hazard of stress or mental illness caused the loss.
Threats can be divided into three additional characterizations:
1. Natural
2. Intentional (man-made)
3. Inadvertent (accidents, errors and omissions)
When it comes to physical security planning for threat, an All-Hazards approach should be taken to ensure all risk is accounted for.
An All-Hazards approach means that risk is considered from a full-scope perspective (big-picture) and uses a realistic and balanced approach when assessing threat.
Physical security is mostly concerned with intentional threats and, to a smaller degree, natural threats. However, peripheral threats do exist and although usually inadvertent in nature, they should also be considered. Neighboring facilities or operations, environmental issues, public roadways, trains, and utilities are all examples of peripheral threats that could adversely affect an organization.
Vulnerabilities
A vulnerability (A weakness or organizational practice that may allow a threat to be realized or increases the magnitude of a loss event). is a gap or weakness that allows a threat to compromise an asset or function.
The difference between a vulnerability and a threat is that a vulnerability allows the organization some level of control over it. Conversely, threats are typically outside of the control of the organization.
Although there are many methods that can be used to calculate vulnerabilities, a simple method is to measure the vulnerability in terms of observability and exploitability. Observability is the ability for an adversary to visually see the vulnerability, such as through an open window or door.
Exploitability is the ability for the adversary to take advantage of the vulnerability once aware of it. Exploitability, for natural threats, is based on the ability for the natural event to damage the facility, operation, or mission.
When It Comes to Inadvertent Threats, There Are Two Simple Questions That Need to Be Answered: (Is security aware of the vulnerability?
Is there a potential for a loss event?).
Impact
Accordion. Select each button to expand the content.
Impact refers to the severity of the situation when an incident occurs. Impact is usually measured in financial terms. In addition to impact, many risk management models will assess the likelihood or probability that a loss event will occur.
The Likelihood of Occurrence and an Asset’s Risk Exposure is Based on Many Factors but Often is Related to: Historical events
Risk analysis
Risk analysis is the process of identifying potential areas of loss (at a specific time and place) and implementing countermeasures to mitigate the potential for the loss. Analyzing risk can be achieved in two basic steps: Calculation of impact and prioritization of the identified risks.
(Often, organizational leadership only wants to discuss the most likely risks; however, it is important to analyze high consequence loss events even if there is a low likelihood that they may occur).
It is important to note that the evaluation levels for threat, vulnerability, and impact should be decided by a multidisciplinary team of experts in a collaborative manner not by an individual. This is especially true when using a quantitative method
The goal of risk analysis is to give management information on which they can make decisions. It is not practical to eliminate all risk, so it is important to prioritize risk based on the criticality to the organization.
Mitigation measures:
Determining which protective measures to implement in the effort to mitigate risk can be a difficult task. It is important to consider budgetary constraints and available resources; however, it is more common to consider the potential adverse effect each strategy may have on the operations of the organization.
It should also be balanced using sound strategies and operational requirements and should consider the psychological impact it may have on people.
Protective measures, a physical security professional should consider the following:
Physical security measures should be scalable and agile and constantly evolving and improving. There are many protective elements that must work together to protect assets in our constantly changing world. Complacency is the greatest enemy of progress.
Qualitative and quantitative assessments
When it comes to assessments there are two main types; qualitative and quantitative. Which method to use is based on the risk assessor’s style and the organization’s executive decision maker. Some professionals prefer a blended approach, using a combination of both types. The most important aspect is to ensure that the information entered into either method is accurate and up to date.
Qualitative Assessment
Uses a general range or description such as high, medium, and low to describe asset value and risk element calculations. This is typically used for low-value assets or operations and to describe basic security applications. It offers a quicker process and is less expensive to perform than a quantitative assessment.
Quantitative Assessment
Uses specific numerical values and scientific formulas to describe asset value and risk element calculations. This is typically used for high-value assets or operations, and to describe PPS values such as detect, delay, and response.
Addressing risk
There are five methods to address the identified risk within an organization. Despite best efforts, there are always residual risks that must be analyzed and accounted for within the organization’s comprehensive risk management program. Most organizations use a combination of some, or even all the five mitigation methods.
Five methods of addressing risk.
Risk avoidance is the most direct way to remove risk; however, many times the organization cannot avoid risk due to the mission or objectives.
Risk Assumption or Acceptance the organization liable for loss.
Risk spreading often increases the cost of operations, but also may have a good return on investment due to the reduction of risk to the organization.
Risk transfer can be through the purchase of an insurance policy, but a portion of risk may also be transferred by contracting with third-party consultants, suppliers, and vendors to perform certain functions.
Risk reduction is the goal of the security practitioner and it is the most direct means of reducing risk by reducing the vulnerability of assets.
Risk reduction includes site-hardening and often is considered to be the most expensive method in reducing risk.
Physical security measures, policies and procedures, education, and awareness all play a part in reducing risk.
A security survey is a thorough examination of a facility, its operations, and systems and procedures that is conducted to assess the current level of security and determine any vulnerabilities and assess the level of protection needed to address those vulnerabilities.
Security survey is an on-site examination, which often can take up to 50 percent of the time required to complete a survey report.
The Purpose of the Survey is to:
The main difference between a comprehensive risk assessment and a security survey is that a security survey focuses more on the vulnerability aspects.
Although providing just the cost of a security measure is generally not part of the security survey report (cost of security measure with no analysis), a cost-benefit analysis may be appropriate. A cost-benefit analysis is where you assess the cost of a security measure against the benefit derived from implementing the measure.
A Cost-benefit Analysis Typically Consists of Three Factors:
When performing a survey, a checklist may be helpful to ensure that you do not miss any important elements. It also helps to keep the process performed sequentially; however, a checklist is not recommended as the only tool used when performing an assessment. The assessor needs to have the experience to be flexible in their approach. Interdependencies should also be considered as you perform a survey.
Typically, there are several approaches to performing a security survey:
Outside-In Approach
Inside-Out Approach
Functional (Security Discipline) Approach
This is where the assessor addresses each security function individually. The survey should include environmental factors, neighboring operations, and policies and procedures as part of the analysis. It considers assessing security functions in the following order:
Whatever security survey method is used, it should be systematic in approach, constant, and repeatable.
SWOT analysis
A SWOT Analysis is a tool that can support the security survey process that focuses on the Strengths, Weaknesses, Opportunities, and Threats. It is a situational business process that can be adapted to security, which focuses on internal and external factors.
Outside support
The use of consultants or third-party vendors when it comes to the risk assessment process is commonplace within the industry. Consultants can bring a fresh perspective and can offer collective knowledge that is up to date.
Consultants should be able to demonstrate their expertise, have verifiable references, and should be licensed or certified to perform the assessment. When it comes to regulatory compliance and government oversight, using a consultant to perform the assessment may strengthen the organization’s position that the assessment is unbiased and comprehensive.
Survey systems tests
During the security survey process, the assessor should consider applying certain tests to ensure the systems are operable and effective.
The security survey report.
The survey report is designed to communicate the facts of the findings and then to persuade the organization to mitigate the identified vulnerabilities. The report should apply the following criteria:
Accurate
facts with proper perspective
Clear
communicate with understanding.
Concise
eliminate the unnecessary, not overly wordy
Timeliness
current information
Consider Slant or Pitch
tone of the report, no pettiness
A good survey report will include positive findings along with any negative findings of the program and will be tailored to the intended audience. The security process is enhanced by the reporting, sharing, and use of the report results.
The goal of a security survey is to provide actionable intelligence, for both the short and long term, to leadership so that informed decisions can be made in relation to risk.
Automated assessment tools.
Automated assessment tools can be of assistance when you are processing, analyzing, comparing, and storing large amounts of data. Automation allows you to compare results and prioritize findings easily. It also is a great tool when you have numerous sites to assess simultaneously, which requires a standardized systematic and repeatable process.
The software may also allow for a rapid calculation of the benefits of protection measures or a combination of protection options.
However, automated tools should not be relied on as the sole process in conducting a physical security assessment. Automated tools are not good at assessing the intangible factors in the assessment process and are only as good as the program inputs.
The adage, “garbage in, garbage out” can be applied when it comes to automation of results.
A Few Other Considerations That May Affect the Effectiveness of Automated Assessment Tools Are
Key Points.
Forward-thinking leaders:
Will think two or three moves ahead. They think not only about what they have achieved, but about how they can achieve more. They diversify their knowledge, challenging themselves to maximize their responsibilities. Supportive Leaders:
Leads by example, focusing on team development and positive communications.
Fostering pride & ownership, motivating one to self-challenge, creating a positive work environment while providing best work practices and success.
Copyright © 2018 Crawford Professional Services - All Rights Reserved.
Powered by GoDaddy Website Builder