Assessment and Mitigation of Risks to Physical Security, Information Security, and Operational Security
By Terrence J. Gillick February 2005 - Security
More than three years after the attacks on the World Trade Center, facility executives find themselves increasingly focused on the safety of tenants and employees when assessing physical risks and vulnerabilities, along with other pressing security concerns.
This attention to real-world concerns requires a comprehensive planning approach. Today, security safeguards generally fall into one of three categories: physical security, information security and operational security.
Physical security involves measures undertaken to protect personnel, equipment and property against anticipated threats. It includes both passive and active measures. Passive measures include the effective use of architecture, landscaping and lighting to achieve improved security by deterring, disrupting or mitigating potential threats. Active measures include the use of proven systems and technologies designed to deter, detect, report and react against threats.
Information security is the process of protecting the confidentiality, integrity and availability of data from accidental or intentional misuse by people inside or outside an organization or facility. Key elements of information security include limiting information exclusively to authorized entities; preventing unauthorized changes to or the corruption of proprietary data; guaranteeing authorized individuals the appropriate access to critical information and systems; ensuring that data is transmitted to, received by or shared with only the intended party; and providing security for ownership of information.
Operational security is the process of creating policies and procedures, and establishing controls, to preserve privileged information regarding organizational capabilities and vulnerabilities. This is done by identifying, controlling and protecting those interests associated with the integrity and the unimpeded performance of a facility. Key elements of operational security are staff — trained security personnel to protect and enforce the security procedures and policies governing a building’s or business’ operations — and established policies and procedures. Policies and procedures establish controls to prevent unauthorized access to a facility, tenant space and business assets, whether through carelessness, criminal intent or an outside threat.
Properly conceived and implemented security policies, programs and technologies are essential to ensure a facility’s resistance to myriad threats while meeting demanding uptime, reliability and performance objectives. Security programs are also critical to safeguard the people, processes, information and equipment housed within a facility and within boundaries of the protected space.
It is a given that many, if not most, security plans have an Achilles’ heel. More often than not, the weakness is lack of a comprehensive risk and vulnerability assessment. Most assessments address security from an electronics systems perspective instead of from an overall security program viewpoint that is part of a corporate risk-mitigation strategy.
A security risk assessment should identify which assets need to be protected and how critical each asset is. This requires looking at each asset with regard to human resources and infrastructure. Facility executives should also determine the extent to which core business activities rely on continuous and uncorrupted operations.
A security risk assessment should also identify and characterize threats. These should be viewed as potential occurrences with a hostile intent that will directly affect the host building or organization and be capable of causing damage to others. An assessment of vulnerabilities is critical as well, derived from a systematic survey approach that considers physical, informational and operational features, as well as assets and threats to the building or company.
There are three levels of risk. The first involves the damage resulting from the failure to protect confidential data or from unscheduled downtime. This affects the short-term performance of an organization.
The second risk level is the failure to protect confidential data that can have a ripple effect beyond the company’s organization — suppliers, customers and partners, for example. Losses in this instance could be extensive with both temporary and permanent damage to business operations and organizational assets.
The third level of risk is the failure to protect confidential data or to prevent unscheduled downtime that has a cascading effect with potentially devastating consequences felt well beyond the host organization. The resulting damage and losses may be enormous with potential global implications. Unscheduled downtime can potentially threaten public safety, financial stability, regulatory compliance and even cause loss of life.
Once risks and vulnerabilities are assessed, they should be prioritized along with means to counter and respond to them. This final step allows particular weaknesses to be identified and addressed accordingly.
A comprehensive risk assessment of security systems is critical from a budgeting standpoint as well. Senior management must have a thorough analysis of all risks and vulnerabilities to make informed decisions on the allocation of capital resources. Responses that can mitigate revenue losses, liabilities and disruptions to ongoing business must be developed as part of this process.
All security plans need to be updated periodically to ensure they are still meeting the organization’s objectives. A common mistake when upgrading corporate security plans occurs in buildings with multiple tenants. In these situations, there are often incompatibilities between the base building management system and the security system used by a tenant. The result can be redundant and incompatible systems that raise the costs for all involved.
For example, there may be two security access systems put in place, one for the building at its base and another to enter the tenant space. The best solution is to have a single user interface implemented using tenant input for security measures deployed at the base of the building.
Another common mistake made by facility executives and tenants in upgrading security in a corporate office setting is that both often deploy a large number of closed-circuit television (CCTV) cameras without accounting for the personnel required to monitor the cameras on a 24/7 basis. The time needed to review, archive and store the digital or analog information is also not considered. The number of CCTV cameras deployed needs to be balanced with the number of security officers available. An average is usually one person per 20 CCTV cameras.
CCTV cameras can be augmented using an intrusion detection system. These are usually deployed in logical or critical areas to detect attempted unauthorized human entry. An intrusion detection system should be network-based and include, based on a needs assessment, motion, infrared, acoustical, heat-activated and vibration detectors and alarms, as well as a premise control unit, dedicated response force personnel, and security response procedures and protocols.
Failing to provide sufficient administrative support to properly enroll, remove and restrict employees within the security system is a common mistake. Another involves the lack of proper precautions for security system remote access, including installation of firewalls and encryption software to prevent access by both unauthorized personnel and hackers.
Most Fortune 100 companies perform security system upgrades as a common practice even without a threat and vulnerability assessment. Many have a staff that can handle much of the task. However, mid-tier corporate America is less apt to conduct regular risk and vulnerability studies because these companies lack the capital resources to do it. Consulting with a security expert can help determine the most cost-effective plan of action, given each company’s individual circumstances.
Facility executives also should look at where technology is being ineffectively implemented. That happens if there is a lack of support to administer, maintain and operate security equipment at peak efficiency.
Training is another important issue, especially for smaller organizations. Training efforts must be tied directly into each identified risk and vulnerability. Once each risk and vulnerability has been determined, training measures can be developed along with physical and operational security initiatives.
Finally, one of the biggest misconceptions is that there is a single technology that can provide comprehensive security for any organization. No single technology can do this. Multiple technologies integrated into all operational and informational systems are required.
Management has responsibilities, too. Senior executives should create a corporate culture that embraces, reinforces and demands security practices that are consistent with the user’s space. Within this corporate culture is the need to understand the human variable. This encompasses anyone who interfaces with operations, including managers, facility operators, maintenance personnel, other employees, customers, delivery people, clients and visitors. The human element affects everything with regard to security and reliability. How it is addressed may depend on external factors such as the law, industry trade group guidelines or even prudent management practices.
Within each organization, responsibility assignments for policy compliance should be defined. Therefore, all policies and procedures must take into account the human variable. Best practices require that security be treated as a fundamental value.
Terrence Gillick is a vice president and head of security consulting in the New York City office of Syska Hennessy Group, a consulting, engineering, technology and construction firm.
Planning a course of action
When a security assessment is conducted, owners and users should be looking at electronic security control, personnel and what can be done with regard to personnel screening, background checks and training. An intellectual property perspective is key. The assessment should take into account personnel data, product formulas, patents or designs, and revenue-generating services or products.
A comprehensive security plan should determine how to store and back up critical documents for every application and client. This calls for secure off-site storage of hard copies of electronic documents and financial records, as well as access to needed resources that will allow a business to be operational in case of an emergency. Facility data is critical as well, including design development guidelines and specifications; facility and systems construction information; and copies of policies, standards, operating guidelines and operating procedures. Some of these documents should be archived for historical reference, while others will evolve over time to adapt to new operating environments.
Policies and procedures for secure communications should also be addressed. These assessments need to look at the physical side of a facility or business. For this reason, an organization should conduct a thorough assessment of hard and soft assets.
Security planning and other building systems
One potential security weakness could be the lack of a comprehensive assessment of life safety systems, policies and procedures, and training. Fire safety and life safety systems require special consideration. Depending on the risk level, they could include use of a dry pipe preaction sprinkler system, under-floor fire detection and suppression system, very early smoke detection apparatus system, secure access to a dedicated water supply, use of limited-combustible, low-smoke, nontoxic telecommunications cabling, fireproofing and fire-stopping technologies and methods, and a public address system.
In addition, utility and power systems should be redundant, be located underground so they are protected from adverse environmental impacts or tampering, and have points of access for maintenance. Other recommendations include maintaining access to an emergency lighting system with at least a 12-hour battery backup and having a dedicated emergency backup generator along with fuel for the emergency generator located underground or in a screened enclosure.
The security planner needs to assess a building’s low-voltage systems, such as elevator controls, lighting controls, life safety systems and even the public address system, and see how they are integrated into the building automation system and other building IT systems. All of these systems are code-driven. Their integration is not only essential to good security planning, but can provide a cost savings that will free critical dollars for other security investments.