Monday, October 1, 2012

Essentials of Physical Security



Essential of Physical Security
By Melencio S. Faustino

Introduction                                                                                                                          
Paradise is now shut and locked, barred by angels, so now we must go forward, around the world and see if somehow, somewhere, there is a backway in.
-Henrich von Kleist

This paper introduces the fundamental principles of physical security. The concept of security in physical layers is introduced and addressed the external barriers-such as fences, walls, gates, buildings, and lobbies-and internal barriers like the access control system. The importance of internal controls and intrusion detection system as applied with current technology, such as biometrics are also included.

Definition of Physical Security
            No business is without security problems and assets protection risks. These risks and problems take many forms. Effectively mitigating them is not a happenstance occurrence. Problem elimination and risk mitigation require both planning and an understanding of security needs, conditions, threats, and vulnerabilities. Assessing security conditions and planning for appropriate levels of assets protection should begin with basics: risk management.
            Physical control is the most fundamental aspect of protection. The use of physical control is to protect the premises, site, facility, building, or other physical assets of the company. The application of physical security is the process of using layers of physical protective measures to prevent unauthorized access, harm, or destruction of property. In essence, physical security protects a property, plant, facility, building, office, and any or all of their contents from loss or harm.
           Physical security also contributes to protection of people and information. Sophisticated protection measures, other than physical, are also employed to protect people and information. Nevertheless, physical security measures are part of the overall protective package. They are the baseline security measure, or foundation, from which all other security measures and functions are built.
            Both in public and private companies, physical security measures are necessary to ensure that only authorized persons have access to facilities and property. The measures employed must be appropriate for each separate operating environment. Manufacturing facilities will require physical security measures and functions and controls that may differ from those utilized in sales offices. Also, manufacturing facilities in different parts of the country or in different countries generally require varying physical security measures because each system is customized and individualized depending on the needs and specifications of the facilities. All other security measures will be integrated with physical security measures, thereby developing a protection profile of assets protection within layers. In short, physical security measures are the baseline of protection for different companies.
            It is the responsibility of the security managers to determine the kind of physical security controls necessary to provide for an adequate level of protection. To accomplish this, the security manager must know the totality of the facility or site layout. The security manager must understand the operating requirements and operation of the enterprise and must conduct an initial physical security survey and management survey program. This will also allow a thorough understanding of threats, vulnerabilities and strengths as it will enable the development and implementation of sufficient controls.

Effective Physical Security
  • People: Will always be the number one factors. Their training and motivation make them work effectively and efficiently.
  • Policy/procedure: Allows easy enforcement.
  • Hardware: Must be state of the art and highly reliable.
  • Facilities: May look different in shape and design but the principle and concepts are the same.
  • Information: Proactive responses and proper documentation.
  • Human Resources Department: A critical area, especially when the termination of an employee is to take place. Access cards to be punched out, badges returned/recovered along with the keys.
Security in layers
            Physical security measures protection of company assets depend greatly on what assets need to be protected, where they are located, and what threats, vulnerabilities, and risks pertain to them. Applying an appropriate level of protection for each environment requires an specific understanding of the environment. To best accomplish this, security manager should start at the beginning – the planning design stage of each facility.
            Physical security measures should be included during the facility design phase and incorporated into the facility during the construction phase.
            Ideally, architects and security professionals would work together taking into consideration all aspects of assets protection requirements applicable to the proposed operating environment. This type of planning would help create optimum security at the lowest possible cost. If done properly, the security problems created by so many buildings being designed without any consideration given to security controls would no longer be the issue that it usually is these days.
            As to security managers not working with new construction and are occupying an existing building, designing the architectural security may not be possible. If retrofitting or renovation of the site or facility is necessary to accommodate the business operating environment, then security issues should at least be addressed prior to occupancy or operation. Security problem resulting from a failure to make security part of the design and construction phase will probably be of a structural nature and too expensive to undo or fix. The only solution in this case will be the application of protective measures that otherwise might not have been needed, thus adding costs. In case where security manager knows that the facilities will be moved, it is important to coordinate the move to facilities that meet company’s assets protection of physical security criteria, or arrange to locate to another facility or modify the existing facility before company move takes place.
            The application of physical security controls should be approached in layers. There is no single physical control that will fulfill all of the company’s security needs. Layering controls from the outer boundaries of each of the company facilities to the inner boundaries will allow security manager to build a security profile to meet company’s specific security needs.

Outer Layer of Protection
            The outer layers of protection for a facility will depend on the type of facility and its location. For example, an office building located within a city may only have as its outer layer or perimeter, the walls of the building, whereas a manufacturing facility located in an industrial district may be on large parcel of land with parking lots, storage areas, and grounds surrounding the building or buildings. On a facility of the second type, the perimeter is usually a barrier, such as wall or fence, located at or near the edge of the property line.
            The perimeter of the facility may take many forms. For an office building, it may be the building walls. For a factory, it may be a fence line or a wall at the property edge. The outermost layer of protection could also be a highway; a natural physical barrier, such as river, lake, or other body of water; or other man-made barriers. Whatever the barrier, it is the first layer of physical security. It may be at the perimeter’s edge or inside the perimeter. Regardless of where it is situated, it is the layer of first control. Inside the outer layer, the use of other layers of physical may be necessary.
A barrier is a system of barricades place between the potential intruders and the assets to be protected. It delay, deter intrusion to the company property, and complement the on-site security personnel needs. It is deem to control vehicle and pedestrian traffic, enable identification of people arriving and departing and provide a buffer zone for more sensitive areas of the company. There are two types of barriers used for perimeter protection: natural barriers and structural barriers.
  • Examples of natural barriers include rivers, lakes, and other types of terrain that are difficult to traverse; and areas dense with certain types of plant life (e.g. blackberry bushes that are very thorny and dense).
  • Examples of structural barriers include highway, fences, walls, gates, or other types of construction that prohibit or inhibit access.
None of these barriers completely prevent access. They do, however, make it much more difficult for unauthorized persons to gain access. When used with other layers of physical control, they can be very effective.

            Grounds
            Not all facilities have grounds. Grounds may serve many purposes. It may be purely decorative to create a pleasant environment for customers and employees. It may be functional and serve as a place to locate storage areas and warehousing facilities. They may also serve as a buffer or barrier between the perimeter of the facility and the buildings where work is done and people, physical assets, and information are housed. If kept clear, the grounds may serve as a clear zone, allowing for unobstructed observation of the area. If used for storage or other purposes, they should be kept organized and maintained. In this way, disruptions are easier to identify and the risk of hazards is reduced.
           
            Roads
            Roads are both necessary and problematic. They allow for employees and customers to have easy access to the facility. However, they may also allow unauthorized personnel to have easy access to the facility. The degree of control necessary on all roads leading to company facility will vary. Any controls used will depend on the type of the road and its use. Is it a public road or a private road? Public roads do not allow for additional controls. They belong to the municipality, city, or state and exist to facilitate movement of vehicles and people. If a facility is adjacent to a public road, controls can begin only where the road ends and the company property begins. Private roads allow for much greater control. Owners of private roads may install controls that allow for restricted passage. Owners of private roads may make the determination as to who has access and under what conditions. Ideally, controls on any road should begin as close to the outer perimeter as possible.
            In an office–building environment, public roads generally lead to parking lots that are often adjacent to the buildings. This means perimeter controls begin at the parking area or at the walls of the building.

Fences
            The most commonly used form of barrier, other than walls of a building is the fence. Fences vary in type, size, use, and effectiveness. They can be erected quickly for a reasonably low cost, as is the case with the basic chain link fence. They may also be made more complicated and effective by adding barbed wire or concertina wire, alarm systems, or double fencing with alarmed clear zones between. The type of fence selected and used should be determined by the specific needs. Again, balance the costs versus the risks.
            In many companies around the world, perimeter does not have the advantage of a natural barrier, so fencing was necessary. The fencing used is very typical. It is 7-feet high, made with 9 gauge wire. It rests no more that 2 inches above the ground and in areas where the soil is loose, a concrete trough/border lies at the base to prevent gaps from erosion or human intrusion. At the top of the fence is a “guard” of four strands of barbed wire placed at a 45-degree overhang that faces away from the property. This actually extends the height of the fence by 1 foot and provides added difficulty for anyone attempting to scale the fence. Naturally, buildings, structures and trees are sufficiently away from the fence line as to not offer assistance to those who would attempt unauthorized entry. In enhancing the physical security of the facility, the security manager should consider the facility’s “good neighbor” policy. This policy states that the local city planning and beautification commission must also approve any changes made by the facility that affect the beauty of the surrounding area.
           
            Fence Design Criteria
            Four types of fence authorized for use in protecting restricted areas are: Chain link, barbed wire, concertina, and barbed tape. Choice of type depends primarily upon the degree of permanence of the installation, availability of materials, and time available for construction. Generally, chain link fencing will be used for protection of permanent and exclusion areas. All four types of fencing may be used to augment or increase the security of existing fences that protect restricted areas. Examples would be to create an additional barrier line, increase existing fence height, or provide other methods that add effectively to physical security.
            Chain link fence. Chain link fence, including gates, must be constructed of seven foot (approximately 2.13 m) material (6 foot or 1.83 m for controlled areas), excluding top guard. Chain link fences must be of 9-gauge or heavier wire galvanized with mesh openings not larger than two inches (approximately 5.1 cm) per side, and a twisted and bared selvage at the top and bottom. It must be taut and securely fastened to rigid metal or reinforced concrete posts. It must reach within two inches (5.1 cm) of hard ground or paving. On soft ground, it must reach below surface deeply enough to compensate for shifting soil or sand.
            For added resistant to climbing, optional top rail or taut wire may be omitted. Fencing may be painted with non-reflective substance to reduce glare to security forces. Weaknesses in the chain link fence occur as a result of weather (rusting) and failure to keep fencing fastened to the post, which affects the desired tightness.
            Barb wire fence. Standard barbed wire is twisted, double-strands, 12-gauge wire, with four point barbs spaced on equal distance apart. Barbed wire fences, including gates, intended to prevent human trespassing should not be less than seven feet high, excluding the top guard, and must be firmly affixed to posts not more than six feet apart. The distance between strands will not exceed six inches and at least one wire will be interlaced vertically and midway between posts.
            Concertina wire. Standard concertina wire is commercially manufactured wire coil of high-strength steel barbed wire, clipped together at intervals to form a cylinder. Opened, it is 50 feet long and 3 feet in diameter. When used as perimeter barrier for restricted area, concertina must be laid between poles with one roll on top of another or in a pyramid arrangement (minimum of three rolls). The ends must be staggered or fastened together and the base wire picketed to the ground.
            Barbed tape fence. The barbed tape system is composed of three items: barbed tape, barbed tape dispenser, and concertina tape. These items were type classified “standard A type.”
            Barbed tape is fabricated from a steel strip (0.020 inches thick nominal) with a minimum breaking strength of 500 pounds. The overall width is ½ an inch. The tape has 7/16 inch barb spaced at ½ inch intervals along each side. Fifty yards of tape are wound on a plastic reel 8 ½ inches in diameter and 1 inch thick. The finish is electro-galvanized at 0.0001 inch thick on each side.
            Barbed type concertina consists of single strand of spring steel wire and a single strand of barbed tape. The sections between barbs of the bared tape are securely clinched around the wire. Each coil is approximately 37 ½ inches in diameter and consists of 55 spiral turns connected by steel clips forming a cylindrical diamond pattern when extended to a coil length of 50 feet. One end turn is fitted with four bundling wires for securing the coil when closed, and each end turn is fitted with two steel carrying loops. The concertina extends to 50 feet without permanent distortion and when released can be retracted into a closed coil.
            Top guard. A top guard must be constructed in all perimeter fences and may be added on interior enclosures for additional protection. A top guard is an overhang of barbed wire or barbed tape along the top of a fence, facing outward and upward at approximately 45-degree angle. Top guard supporting arms will be permanently affixed to the top of fence posts to increase the overall height of the fence by at least one foot. Three strands of barbed wire, spaced six inches apart, must be installed on the supporting arms. The number of strands wire or tape may be increased when required. The top guard of fencing adjoining gates may range from a vertical height of 18 inches to the normal 45-degree outward protection, but only for sufficient distance along the fence to open the gate(s) adequately. Top fence rails should not be specified where protection is of utmost importance. Top rails will assist a climber. A bottom and top wire reinforcement should be used as a substitute.

            Walls
            Walls served the same purpose as fences. They are man-made barriers but generally are more expensive to install than fences. Common types are block, masonry, brick, and stone. Walls tend to have a greater aesthetic value, appealing to those who prefer a more gentle and subtle look. Regardless of the type of walls used, its purpose as a barrier is the same as the fence.
            Walls also present a disadvantage. It obstructs the view of an area. Chain link and wire fences allow for visual access on both sides. Walls do not. This obstacle can be overcome by keeping clear zones for several feet on each side of the wall and by using video cameras for observation. Use of roving patrols also increases visibility. When the walls of a building serve as a perimeter barrier in lieu of fencing, the issues are different. Scaling the wall to get to the other side is not an issue but access to the roof is. Furthermore, controlling access to other openings in the building becomes more critical when the walls to the building are the only outer barrier separating the outside world from the assets requiring protection.
           
            Natural Barriers
            The effectiveness of natural barrier will depend on the barrier itself and how it is. A body of water may be very effective in keeping pedestrian traffic away from the company property but not very effective at keeping boat traffic. In this case a natural barrier may need to be augmented with man-made barrier. In any case, natural barriers, as with man-made barriers, need also to be monitored. Cliff sides can be scaled, water can be crossed, and difficult terrain can be overcome.

            Gates
           Gate exists to both facilitate and control access. The most secure perimeter allows no one through. However, that is not practical or desirable; people must come and go. Employees, customers, and other visitors need to have easy access to the facility. Gates allow for this purpose.
            Gates need to be controlled to ensure that only authorized persons and vehicles pass through. A variety of controls can be used. Guards, electronic interactive access control system such as card key or password access, or remote control access with video camera observation can all be useful. Selection will depend on the specific needs and conditions of the facility (e.g. acceptable level of risk). The number of gates to a facility should be kept to the minimum necessary, not the minimum desired. Controlling gates requires using resources. The more gates used the more resources it will take and more potential problems will be created, because any opening is always a potential vulnerability.
            Gates not used should be locked or eliminated. Having the flexibility to open an additional gate when traffic demands are high is useful. Eliminating a potential vulnerability may be more useful. If a periodic need for an additional gate does exist, gate must be closed, locked, and monitored when it is not in use. Monitoring can be done by video camera, roving patrols, or through the use of an alarm system. Periodically, even monitored gates require physical inspection to ensure they are operable and secure.

Other Openings
            Openings not design for personnel or vehicle traffic are also a concern and must be secured. Sewage pipes, drains, utility tunnels, large conduits and heating, ventilation, and air conditioning ducts must be controlled. Where it is appropriate to lock them, they should be locked. Those that cannot be locked should be monitored. Monitoring may be in the form of an alarm system or a physical inspection. Any opening larger than 96 square inches should have doors, bars, or grills work in place to prevent human access. These can be installed as permanent or removable, with locking devices. For example, to prevent access through heating, ventilating, and air conditioning ducts, man bars can be installed inside the ducting. This is not ideal for openings requiring access by maintenance personnel, where the use of removable grills or doors may be more practical. In any configuration, all openings must be assessed for vulnerabilities so that appropriate protective measures can be implemented. Regular inspection or monitoring is essential to ensure that tampering has not occurred.

            Buildings and Doors
            For many facilities, buildings and doors define the outer layer of security and the inner layers of security begin. Within a site, buildings are the separation point between the outer and inner layers of security controls. In the area between buildings and outer perimeter (usually a fence line) of the facility lie a variety of security control that make up the entire layer of security.  In this configuration, it is better to keep the area adjacent to building and door exteriors clear. In essence create a clear zone of 10 to 15 feet where no storage, parking or regular activity is authorized. Maintaining a clear zone, allows for unobstructed observation by surveillance cameras and guards. Visual access to the clear zone becomes the first line of defense.   
            All exterior doors of commercial buildings shall meet the requirements as set for the residential buildings. Should glass door be installed, it must be of the laminated safety glass or poly-carbonated sheeting. 
            Rolling overhead or cargo doors. Doors not controlled or locked by electronic power operation shall be equipped with locking bars that pass through guide rails on each side. The locking bars shall have holes drilled in each end and a padlock placed in each end once the bar is in the locked position. The padlocked shall have the case hardened shackle with locking lugs on the heel and toe of the shackle and a minimum of four-pin tumbler operation.
More about doors. Fire safety doors required by safety regulations are generally undesirable to security. The usual method of opening fire doors is by pushing against a panic bar installed at the mid-rail position on the secure side of the door. Security should be enhanced at fire doors by the use of audible alarms. Unusually long warehouse doors should be padlocked inside at both ends. Hinge pins exposed to the outside must be protected by either spot welding, or hinge bolts set into the door frame.

            Parking
            Providing parking space for employees, customers, and visitors is necessary. Unless the business is small and located on a street with public parking access, parking needs to be provided. Parking should not be allowed within the inner perimeter. Vehicles inside the perimeter make it easier for theft to occur. Employees with immediate access to vehicles inside the perimeter have a ready place to conceal stolen items. Furthermore, unless all vehicles are inspected, it will not be known what items of contraband or weapons are brought into the facility. If for lack of space, parking must be permitted within the inner perimeter, additional fencing should be added to separate the parking area from the remainder of the facility.
            Parking can be very sensitive subject. It can be difficult to manage and police. It is recommended that parking rules be established by the management with security manager’s input. Parking enforcement should be handled by the security.
            Company owned vehicles are the only exception to parking within the perimeter. As an asset of the company, these vehicles need protection. Protection is particularly important if the vehicles are loaded with merchandize, supplies or raw materials. They should be parked in a secure well-lighted area and locked. However, they should not be parked in the same area as privately owned vehicles.

            Lighting
            Lighting serves several purposes. Adequate lighting reduces the possibility of accidents and injury. It also serves as a deterrent to would-be intruders. With adequate lighting, the company grounds, fences, walls, and buildings can be clearly observed. Guidance for specific levels of illumination may be obtained through government sources or from any company that sells or installs exterior and parking lot lighting. Perhaps the best determination for assessing adequate lighting is to conduct an actual test. Is the existing lighting sufficient as assessed under controlled and practical conditions? If not, the facility needs more lighting.
            Adequate lighting serves as a deterrent. Intruders are less likely to enter well-illuminated areas, fearing they will be observed. Lighting should be sufficiently protected to prevent tampering and destruction. It should be kept within the perimeter to reduce the possibility of damage. Lights should be placed high enough to reduce the possibility of damage and to ensure that deliberate tampering can be difficult. When used as a deterrent, lighting should have a backup power supply in the event of power disruption. Lighting requires little attention, it can be programmed to turn on and off at specific times. It can be light-movement, or heat sensitive. It can be linked to alarm systems and supports CCTV. After installation, it does require frequent inspection to ensure that all systems are operational.
            Specific lighting needs will vary with each site or facility. As part of a site physical security survey, lighting should be considered. The areas that require direct protection should have lighting that does not only illuminates the area but also does not interfere with security’s ability to effectively monitor. Too much lighting can create a problem by producing bright spots that blind people and cameras. Doors, gates, and other entrances should be well lighted. This allows for safe passage and for better observation by guards and cameras. Areas with heavy personnel and vehicle traffic also require good lighting. It will reduce hazards and increase visibility. Large open areas with little traffic can use less lighting, but lighting must be sufficient to allow for general security observation and a safe environment.
             
            Surveillance
            Surveillance is an important tool in its effort to protect assets. Generally, surveillance is accomplished by using security guards or by using surveillance cameras. Most frequently, a combination of both is used to achieve maximum observation and effectiveness for any facility. As part of a site physical security survey, the need for surveillance should be identified. This need should be assessed against the existing practice and capability. With this information, a plan for site or facility surveillance should be developed. The plan should consider the following:
  • Purpose of surveillance: deterrence/observation
  • Identify critical or high risk areas
  • Camera and guard mix
  • Location of cameras
  • Recording capability needed
  • Need for hidden cameras
  • Type of cameras needed: wide or narrow angle of view, low or high level of light; availability of solar powered cameras should be considered

Table 9-1 below outlines the strengths and weaknesses of CCTV and guards when used in the surveillance process.
Strengths
Weaknesses
CCTV
Camera with Recording Capability
Serves as a deterrent
Flexibility of recording
Permanent Record
Reduced insurance rates
Deterrent for crime
Multiple angels for view
Night view: works in low light
Cannot respond to incident
Cost of initial installation
Maintenance cost
Employees perception of being watched
Guards
or Security
Professionals
Can act on observation
Deterrent
Mobility
Apply immediate judgment
Can’t watch everything
Human error
No permanent record of observation
Limited angles of observation
Table 9-1. Strength and weaknesses of CCTV and Guards

Alarm
            Alarms are one of the layers used in the many layers of protection for a facility. How they are used and to what extent should be determined in the planning process. The site physical security survey should identify vulnerabilities, current and potential, and the layers of protection in use. When assessed against known or suspected threats, the need for alarms to augment physical protections should become apparent.
            Alarms augment barriers and guards. They call attention to problems not stopped or prevented by barriers and not observed by guards. In essence, they enhance the detection process. However, they also serve a deterrent function. Since most physical security controls include the use of alarm systems, intruders can assume they are part of the protection profile.
            Alarm systems are used to call attention to an immediate problem. Unlike physical barriers, such as walls, fences, or gates, alarms are not a physical obstacle used to slow down or stop an intruder. Alarm systems are an alert mechanism used to call attention in the presence of an intruder or problem. Audible alarm systems may serve as an obstacle much more than silent alarm systems, since everyone in the general area know when there is alarm activation.
            There are many types of alarm systems. Within the physical security, intrusion detection and fire detection is used to indicate penetration in or between the various layers of protection. Different types of alarm systems are available for fences, gates, and walls, and all provide an alert if they are compromised.
            Alarm system can be used as part of the protection profile for both inner and outer layers of physical security. When used as part of the outer layer of protection, they served as an advanced warning notice that an outer layer has been compromised, thereby making the inner layers more vulnerable. They serve to protect property and assets stored within the outer layer by providing an indicator that an intruder is tampering with, or in the area of the property being protected.
            In any case, alarm is only effective if there is a response. Someone must react to an alarm. An alarm system without timely response is not effective. Responding to an alarm is essential, or the alarm becomes nothing more than an expensive annoyance (e.g., car alarms in public areas are generally ignored). Perpetrators often test alarm systems by causing their activation and watching for response. No response lets perpetrators know that they have plenty of time to work with. Response to alarms by security guards or other must be periodically tested and the response of the security guards or others timed. These of course must be no-notice-test. It is ridiculous to test security guard response if they know a test is to be conducted.
            Alarm system provides balance for the overall physical security profile in both protection capabilities and costs. Alarm can reduced the need for a large, stationary guard force. They allow for a configuration of alarm monitors, respondents, and some form of patrol. They reduce or even eliminate the need for stationary force. If alarm systems are not used, the function they serve must be fulfilled by using a larger guard force or through the use of greater surveillance capability. Or, the security manager can just assume a greater level of risk. Remember that it is not up to security manager to assume a greater level of risk by choosing not to install alarms in an effort to save money. Actually alarms saved money by replacing people in many instances. Before assuming additional risks caused by the lack of alarms, security manager must consult with executive management and have them accept that additional level of risk.
            Alarm system cost more to install than to maintain. The cost of alarm system is greatest in the acquisition and installation phase. Once installed, maintenance and monitoring costs are generally much less than people costs. A return of investment can be calculated and used as a selling point on the value of alarm systems. Using alarm systems offsets the need for some guards. The saving in recurring guard costs can be compared to the cost of acquisition and installation of alarm systems. Over several years, it is usually more cost effective to use alarm systems to augment security than to rely on a larger guard force.
            If you were the security manager, would you want a silent alarm that was only audible in the manned security command center or an alarm audible in the area that is alarmed and also at the security guard’s console? The correct answer is, “it all depends.” It depends on the area alarmed. The value of the assets located therein, the risk to those assets, and so forth. The key is to base the choice on a risk assessment or physical security survey of each particular environment.
            There are varieties of commercially manufactured devices available. Some of these systems are suitable only for external protection while others are better utilized inside a structure. Since any alarm system can be neutralized or circumvented by resourceful individuals, consultation with a reputable expert in the field will help in the selection and installation of the most appropriate system for a particular situation. The standard alarm system consists of the following:
  • Sensor/detector or trigger
  • Circuit which transmit the change of condition
  • Signaling device, called the Enunciator

Inner Layers of Protection
            In the previous section discussed are the elements that generally considered part of the outer perimeter. These outer layers of physical security, for the most part, are layers of physical protection that lead up to the building walls. Also indicated is that depending on the environment of outer perimeter, the security manager might actually begin security at the building walls. In this situation, the first layer of security is made up of the walls, doors, and windows of a building. Office building in urban environments represents a good example of this situation. Outside these buildings are conditions that are not controlled by the building occupants. There is a single layer of outer physical security controls protecting the inner layers, which don’t leave much room for error. In this case, penetration of a single layer allows access to the inner layers of the facility. This condition should lead to a greater emphasis on the types of inner controls applied.
           
            Buildings, Doors, Windows, and Glass
            Buildings serve as perimeter. In urban areas, the walls, doors, and windows of office building may be the outermost perimeter and the only outer layer of security control for the entire facility. In other settings, buildings may serve as part of the outer perimeter or as the first layer of the inner perimeter. This will depend on the individual facility configuration. Whatever layer of protection it provides, full consideration must be given to all aspects of building protection. All openings must be addressed, and buildings generally have many of them. Doors, windows and passageways for ducting and conduits all need to be controlled. Power communications, and heating, ventilating, and air conditioning system require entry points from the exterior of the building into the interior of the building. To ensure they are not used for unauthorized purposes, control should be in place. Any openings that serve no useful function should be permanently closed.
            Functional openings larger than 96 square inches should be modified to prevent human access. Windows should be locked and alarmed. Alarms should detect entry or tampering. In some cases, man bars or screening may be necessary. Screens and man bars allow for the passage of air and visual inspection but do not allow for human access.
            The type of glass used in windows will vary depending on the location or use of the window. Windows at ground level on perimeter wall clearly require a stronger glass than those windows located on higher floors or inside the outer perimeter. In some areas they may need to be bulletproof. Furthermore, special glass may be required, for example, in earthquake areas. Should such glass be shatterproof or shatter inwardly or outwardly? The answer is that it all depends. Using a risk assessment approach that includes personnel safety factors (e.g. flying glass) will assist the security manager in making a cost-effective decision.
            Doors should be locked when not in use and controlled when in use. Controls range from guards at the door controlling entry and exit to mechanical or electronic access control systems requiring cards and card readers or access codes. Exterior or perimeter doors must be hardened, and are generally built to be stronger than interior doors. It may be necessary to have interior doors of a similar strength and quality as exterior doors if those interior doors are part of an area used to provide specific protection to high value assets. All associated materials for doors must be consistent with the strength of the doors themselves. For example, a high-security door is of little use if weak latching devices or cheap locks are used to hold it in place.

            Locks, Keys, and Combinations
            Locks are an essential part of physical security protection. They are a cost-effective and simple means of denying access to unauthorized persons. The largest expenses for locks are the initial purchase, installation, and control of their use. Depending on usage, little maintenance is required. Although any lock can be overcome, the higher the quality of the lock the longer it will take. Simple locks can be picked or easily damaged. More sophisticated locks will buy more time against any attempt to bypass them. Locks vary in quality and type. A wide variety of locking devices are available. Determining the appropriate lock for any door, window, or other opening is based on planned usage, specific needs, and the assets requiring protection.
            Perhaps the most vulnerable aspect of locks is the failure to properly protect locks, keys, and combinations. Effective lock, key, or combination control is critical. Poor key control can render any locking device useless. Issuance of master keys must be severely limited, particularly the issuance of grand master keys. All locks, keys, and combinations should be accounted for. Keys and combinations should be issued in accordance with employees’ need to perform their job. If there is no specific need, locks, keys, and combinations should not be issued. A permanent record of personnel issued or assigned keys or lock combinations must be kept. When keys are lost or stolen, the locks should be re-keyed. When a master key is lost, all affected locks should be re-keyed. There are many times when this is not necessary, such as if a key were inadvertently destroyed and its recovery or use poses no risk.
            Keys should never be issued on a permanent basis. An annual assessment of locks, keys, and combination needs and requirements should be made. This assessment will also assist in identifying lost or stolen keys or combinations that were not reported to security.
            Locks, keys, and combinations should be issued to individual rather than groups if individual accountability is a requirement. The sharing of locks, keys, and combinations is a risk in that a theft or misappropriations of an asset protected by the lock cannot then easily be attributed to a specific individual. It is no different from sharing computer passwords.

            Roofs
            It is important to remember that roofs may be part of the outer or inner perimeter. Roofs generally have openings for maintenance, power, heating, ventilation, air conditioning, and other conduit. The same principle applicable to barriers and walls are applicable to roofs. Openings must be controlled. Since routine access to roofs is generally not an issue, locking devices and barriers such as screens and bars are used. Moreover, ladders or stairs leading to roofs should be controlled. Access to the roof should be made difficult for unauthorized personnel.

            Areas, Rooms, Containers, and safes
            Inside buildings there are open work areas, individual offices and rooms, storage containers, and safes. How they are protected should depend on how they will be used and also on the value of the assets in them. Open work areas such as large bullpen areas, where many employees sit at work stations performing their daily duties, may not require additional controls. Once inside the building, employees and visitors may need to move freely in these areas. Since access authorization has already been verified at either the outermost layer of security control (outer perimeter gate leading into the facility) or the first control of the inner perimeter (door or lobby allowing entry into the building), additional checks for general access may not be necessary-again, based on risk management. Moreover, access to general office areas and rooms such as conference rooms, cafeterias, or rooms housing other employee services may not need additional controls. Employees in these areas must understand that they also have a responsibility for controlling access in that all individuals not known to them, or not wearing a current, corporate badge, should be challenge as to their need to be in the area.
            Areas or rooms where more sensitive work is done or sensitive information and materials are located require additional controls. The simplest means for applying these controls is through the use of locking devices or access control systems on each entryway. From simple locking devices on doors to the use of electronic card readers or electronic personal recognition systems, varying degrees of physical control can, and should, be used to limit access to sensitive work areas. The methods used depend on the application of a cost-risk philosophy.
            Safes can be used for the most sensitive information or material. Safes are available in various sizes and strengths. Depending on the sensitivity of the information or material protected, simple combination lock or key lock safes may be sufficient. These safes can be obtained from a variety of manufacturers. For the most sensitive information and material, high-security safes and vaults may be necessary. For example, working with government classified material requires the use of government approved storage containers. The higher the classification of government material, the more stringent the requirement for storage containers becomes. The same philosophy should be applied for protecting sensitive company information.

Access Controls
            Controlling access is a critical component of security in layers to protect company assets. Ensuring that only authorized personnel and vehicle enter and exit the company facilities reduce the risk of loss or damage to all assets. Effective access control requires the integration of different security functions that serve as individual layers of protection. Used as part of an integrated system, the following are useful access control tools.
  • Guards
  • Locks: combination, code, or key
  • Card reader systems: magnetic stripe, optical bar code, proximity cards, biometric system (fingerprints, signatures, face or hand geometry, voice recognition, and retina recognition)
Part of the site physical security survey should focus on identifying access control vulnerabilities and existing access control practices. When vulnerabilities and existing practices are compared with what is actually needed, an access control profile that best fits company site can be developed and implemented. The access control profile must address who should have authorized access to the facility and under what conditions (e.g. weekdays but not weekends, normal business hours but not after business hours). It should also identify the individual security process and tools needed to effectively design and implement proper access controls.

What Should Be Controlled?
Vehicles
All vehicles entering and exiting the facility must be controlled. Only authorized vehicles should be allowed on site. Procedures establishing traffic flow and parking need to be written and communicated. Violations of these procedures must be enforced. Not enforcing traffic and parking rules and regulations will quickly lead to a breakdown and abuse of controls. At the very least, consideration should be given to random inbound and outbound searches of vehicles to ensure that anything entering the facility or leaving the facility has proper authorization.

Employees
Employees need easy access to their work areas, and access control procedures should be designed to facilitate their prompt and efficient movement in and out of the facility. Access control procedures should be the same for all employees, thereby creating a culture of respect and adherence to the process and practice, requiring employees to use some form of identification to be authorized access to a site is a standard practice. Badges, access identification cards, and other forms of physical controls can be used to validate that a person is actually an employee and quickly allows him or her entry into or exit from the facility. If the site employee population is large (e.g. exceeds 50 people), do not rely only on personal recognition for access authorization. Personnel changes take place regularly, and keeping up with employee changes and turnover is better accomplished with automated system than with the memories of security personnel. Furthermore, all employees should be subject to random entry and exit searches as determined necessary by the degree of assts protection required. To this practice there should be no exemptions.
Often the CEO and executive management set the tone. Their support or lack thereof is quickly seen and adopted by the employees. That is why the CEO and executive management must also wear badges, even if “everyone should know who they are.” As with all asset protection requirements, they must set the example.

Vendors, Suppliers, Customers, and Visitors
Very few people who are not employees should be allowed free and complete access to the facilities. If vendors or suppliers are assigned to a company site on full-time basis and do require unrestricted site access to perform their work, they are to be provided with identification that indicates that they are not employees. Moreover, this status should be subjected to scheduled periodic review to revalidate the need. Any identification provided to allow access should have an established expiration date. As with employees, all must be subject to random entry and exit searches. For contract employees, the expiration date of the badge should not exceed their contract expiration date.

How to Control Them
Vehicle and Personnel Gates
The first line of protection for access to a facility is at the vehicle and pedestrian gates. Through these gates, employees and visitors will enter the facility. Control must begin there. Processes should be in place to allow employees through and to properly process all visitors according to established procedures or parameters. The use of employee identification badges coupled with an electronic card identification system is one of the most common tools used for this purpose.

Building Lobbies and Doors
The same controls used for gates are generally effective for lobbies and doors. Some lobbies have guards who are also receptionists, or receptionists who double as guards. In either case, it is important that those people understand that their priority is access control and being a guard rather than a receptionist. If there is a conflict in the dual role, the security manager should ensure the separation of those functions by having two individuals perform the separate functions, for example, a receptionist as part of the human resources budget and a guard as part of the security budget. Executive management’s idea is almost always to have the lobby personnel appear very friendly and helpful. However, in some lobbies or access control areas they may want to provide the appearance of a no-nonsense security presence.

Interior Area and Rooms
Inside a building, access is generally controlled by three effective mechanisms, two of which were discussed earlier. They are the following:
  • Lock and key devices
  • Card key access system
  • Other employees
Employees play an important role in controlling access to internal areas and rooms. When they encounter an unauthorized person inside an area or room, they should be trained to challenge that person and report the incident to security. This conditioning does not occur naturally, and will require employee awareness training to be conducted for all employees. Moreover, this type of behavior is best encouraged through positive recognition and reward.

Badges
The primary use of badges is employee identification. Badges can also be coupled with access control systems, expanding their use and effectiveness. Magnetic codes, bar codes, and proximity cards, which activate electronic locking devices, can be linked to the identification of badge, making it a multi-functional identification and access tool. This tool can contain information pertaining to the specific characteristics of an employee. Identifying each individual by name and other specific personal information, such as photographs, encoded access authorizations, and pin numbers, is easily accomplished and makes badge a very reliable authentication device. Sophisticated badge and access control systems are available from a variety of manufactures. Computer technology advancements in general have made the process of making badges more efficient, effective and reliable.
To ensure reliability and effectiveness, the process of using a badge for employee identification must be controlled. Specific parameters for use must be established and maintained for the badge process to maintain its integrity. Rules governing the following aspects of a badge process will help ensure a very reliable system.
  • Determine who is authorized to have a badge
  • Identify on what data is needed on each badge
  • Security must control production, issuance, and accountability of badges
  • Badges must be recovered from employees who leave the company
  • Lost or stolen badges are reported and removed from the system
  • Worn or damaged badges are exchanged for new badges
  • A tracking system is used to ensure internal accountability of unused badge stock
  • A periodic review of the badge issuing process is conducted
  • Badges made but not in use must be controlled or destroyed
  • Tamper-resistant features such as holography should be used to make counterfeiting more difficult
  • Employees must understand the need or the badge process and adhere to proper usage
At small facilities such as satellite offices, personal recognition is usually the best form of identification-as long as the process is in place to also identify those who have left the company. For larger facilities, generally with 50 or more employees, personal recognition is no longer practical. Use a more reliable employee identification system is needed. Badge systems generally fulfill this need. Again, the security manager must consider the risk of each option.
It may also be necessary to control the access and movement of visitors, suppliers, and customers. For this, a badge process for non-employees should be used. It should be similar to that of the employees badge process but more restrictive in the sense that it clearly identifies the visitor as someone who is not an employee and has obvious indicators on the badge calling our appropriate restrictions. Escort requirement, badge expiration dates, and specific areas authorized to visit are some of the useful data necessary for the visitor badge.
Employees must be familiar with the badge process. They should receive guidance and training as to how the process for employees and non-employees works. Employees should be able to recognize authorized badges and react to unauthorized badges. Persons not wearing an appropriate badge or violating the parameters of the badge process should be challenged. Without the active participation of all employees, any badge process will be rendered ineffective.

Guards
Guards or plant protection officers can be an integral part of a physical security profile. Depending on specific needs and the type of facility, their use will vary.
Guards add a human element to the physical security profile. They are used situations where observation, training, and judgment are required to apply effective asset protection controls.  For example, guards are often used for vehicle access control functions. They not only check proper identification of the vehicle and driver, but they also provide greater flexibility for vehicle inspection on a variety of cars and trucks that may have a need to react instantly to the situation by reporting or challenging those with questionable identification. Moreover, they can make an assessment of a situation and determine if additional assistance is needed (e.g., responding to an alarm and determining whether an intrusion occurred or if the alarm was false).
Guards also provide the capability of patrolling a site or facility, making observation and taking not of changes or irregularities, all of which can be further investigated. The mobility of guards makes them particularly valuable, because their services can be quickly applied to a particular need or situation.
One of the most common security functions to be outsourced is the guard force, since it obviously is human intensive and thus is one of the more costly aspects of an assets protection program. Furthermore, high technology devices are replacing some of the security guard posts. The trend now is outsourcing  contract guard force in lieu of maintaining company guard force. The security manager has decided that this function will be the first security function that will be evaluated for outsourcing as soon as the initial assets protection baseline is established for the company that includes the initial implementation of company assets protection program.
Another factor that must be considered is the use of armed guards. Executive management usually does not want an armed guard presence, and some laws may prohibit their use. However, if you want to create a presence of serious security, there is nothing like an armed guard at the corporate lobby to give that impression. There are many pros and cons of the use of armed guards. Because of the high value of some corporate assets, it may be deemed appropriate to have armed guards at some locations but not others. That presents the problem of who is placed in what guard positions and decreases the effective and efficient use of guards to fill any guard job within the corporation. In addition, the armed guards are more highly trained and may also press for higher pay for being armed. The reasoning is that if they are armed, they are more trusted than those who are not armed, their job is more dangerous, and they are more highly skilled.
The use of armed guards is a serious issue that each security manager must address. At various companies, none of the guards is armed and an armed response from the local police has been deemed sufficient for the company assets protection needs. This was based on a meeting between the security manager and local law enforcement personnel where the response needs of company and the response time that the security manager could generally expect from patrol car officers and a SWAT team were discussed.

Alarm and Surveillance within the Inner Layer
            The application of alarms and surveillance within the inner layer of security requires the same considerations as the application to the outer layer. The extent to which they are used or not used depends on threats, vulnerabilities, risks, and the criticality of assets within.
            Most common alarm devices uses in inner layers are: Photoelectric beam, ultrasonic wave, microwave, and infrared.

Conclusion
            The cost of physical security is always a concern. Reaching an appropriate balance between adequate levels of protection and the cost of that physical protection can be difficult. Too little security leaves vulnerabilities in place, increasing risks. Too much security may mitigate threats and vulnerabilities and reduce risks, but leads to unnecessary expenditures. Inefficient application of security controls (spending more than you need for a physical security service or product) may use scarce resources that otherwise would be available for additional protective measures. Furthermore, objectively demonstrating to management the effectiveness of security controls can be problematic. It is difficult to quantify the value of deterrence achieved through the application of physical protective measures.
            A common security axiom is: The more doors and openings a building has, the more difficult it will be to control access. There is a trade-off here: the cost of security weighed against the convenience of employees and others. It all comes down to costs and what executive management considers acceptable level of risk.
            It is important that the security manager knows the fundamental to developing effective physical security profile as part of the company assets protection program. Understanding various threats to company assets and the likelihood of an actual occurrence and recognizing threats allow for cost-effective implementation of security measures. Implementing security measures that have little or no relationship to the type of threat associated with the company assets may very well be inefficient use of resources. Moreover, implementing redundant protective measures may not improve assets protection but will certainly consume resources that can better spent elsewhere. 
            Assessing the physical threats after identifying vulnerabilities is not easy. It requires an understanding of the business environment. One way to better assist the security manager in the effort to understand the physical threats to company assets is through benchmarking. Identify business similar to your company and discuss to them about their perceive threats. Try to find out what protective measures they implemented to mitigate physical threats. There are no other means of threat assessment. Consider the following:
  • Consult expert in your line of business
  • Seek the guidance of security professionals in similar situations
  • Consult with your insurance provider
  • Talk to risk managers
  • Talk to the local police about crime in the company facilities/areas

Risk assessment is the product of determining the threats and understanding their consequences. If the consequences are significant, protective measures should be implemented. If the consequences are not significant, implementing additional protective measures may be an inefficient use of resources, and not adding value. Implementing physical security measures to the extent that all threats are eliminated is an action of risk avoidance. For some business, risks avoidance is appropriate. For most business, it is not.

Recommendation
            The physical security function is the foundation of the companies’ basic assets protection measures. To this foundation, or baseline, additional controls for protection of company assets are added, creating a complete protection profile. No single physical security control can satisfy all of the assets protection needs. Physical security is built in layers. Each layer of security control serves a specific purpose by providing specific protections. Many controls used in conjunction with each other help to create a secure environment.
            To this end, conducting an on-site physical security survey should enable the gathering of all information necessary to make an intelligent and informed risk assessment of the sites or facilities and create a physical security profile. From this point, additional controls can be developed and implemented to provide the most cost-effective security profile tailored to the specific needs of the enterprise.

References

1. http://wwww.dss.mil/isec/nispom.htm. The National Industrial Security Program Operating Manual (DoD 5220.22-M), dated January 1995, is published by the United States Department of Defense. It was issued in accordance with the National Industrial Security Program as authorized by Executive Order 12829.
2. Gerald L. Kovacich & Edward P. Halibozek. The Manager’s Handbook for Corporate Security. Butterworth-Heinemann, 2003: (Elsevier Science 200 Wheeler Road, Burlington, MA 01803)
3. Gion Green & Robert J. Fisher. Introduction to Security. Butterworth Publisher, 1987: (80 Monvale Avenue Stoneham, MA 02180)
4. Keith Hearnden & Alec Moore. The Handbook of Business Security, 2nd Ed. Kogan Page Limited, 1999: (Pentonville Road, London N1 9JN, UK)
5. Louis A. Tyska & Lawrence Fennely. Physical Security: 150 Things You Should Know. Butterworth-Heinemann, 2000: (225 Wildwood Avenue. Woburn, MA 01801-1341)
6. Mary Lyn Garcia. The Design and Evaluation of Physical Protection System. Butterworth-Heinemann, 2001: (Elsevier Science 200 Wheeler Road, Burlington, MA 01803)
7. Russe L. Bintliff. The Complete Manual and Corporate and Industrial Security. Prentice Hall, Inc., 1992: (Englewood Cliffs, NJ)
8. Timothy Walsh & Richard J. Healy. Protection of Assets Manual: Vol. III, Meritt Company, 1982: (1661 Ninth Street/ P.O. Box 955).

ms8_faustino@hotmail.comhttp://www.facebook.com/
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)