Security technology: back to the future - the basics revisited

March/April 2002 News & Events

What are the basic rules or fundamentals to be followed when compiling a security plan? The following article is based, in part, on a paper presented at last year’s annual CAMPROSA (Campus Protection Association of Southern Africa) Security Conference.

The following list of the fundamentals is not in any order of priority:

* Physical protection system: Possibly one of the most misused (or misunderstood) terms used by consultants is 'security system'. An access control system is referred to as a security system. An intrusion detection system is considered a security system. A combination of these types of systems is also called a security system. What is often forgotten by technical security consultants is that people and procedures also form part of the overall security system. A better term, to characterise this overall system, is the Physical Protection System (PPS).

A physical protection system can therefore be described as a system using people, procedures and products combined in such a manner as to prevent unauthorised entry into an area, theft of property and/or information, acts of vandalism or sabotage against a facility or specific item (or items) of equipment, or acts of violence against people, etc. These three elements must be included in any security plan as they all have a role to play in arriving at a meaningful technical security design.

* People: The obvious persons involved in the physical protection system are the on-site security officers and operators. In addition, external armed reaction units or the South African Police Service could be used, and for high risk, sensitive facilities, the South African Defence Force could also be involved. The people who tend to be forgotten by consultants are the client's own staff (that is, the actual users of the security systems), visitors (customers and contractors, etc) and maintenance personnel.

* Procedures: This type of documentation lays down the actions to be taken, for example, in the event of an incident or attempted intrusion. Procedures would also be used to manage the operation of the site and the various hardware subsystems - not only in respect of the security officers, but also in respect of the client's own personnel affected by the security measures being implemented. Certain procedures, for example, would detail how the client's personnel must interact with the access control system. It is essential that everyone involved in the operation of a physical protection system know his or her specific role for it to be effective. Operating and maintenance manuals for the system would also fall under this heading.

* Products: Products comprise the hardware of the physical protection system and would include various subsystems, such as access control, intrusion detection, surveillance, physical barriers, lighting, reporting and communication, etc.

* Objectives of the physical protection system: Another area of concern is that consultants, although they may have an idea, do not clearly understand the objectives of the PPS. The elements of the physical protection system are aimed at primarily deterring any further action against the site/facility or specific component of the site/facility. If the security measures force a perpetrator/adversary to desist from further action or to find another target, then the physical protection system has been one hundred percent successful. Just the perception that a site is well protected could act as a very effective deterrent without the need to spend large amounts of money. Should this fail, then the PPS should detect (using a variety of means) any intrusion attempt, communicate it to the appropriate authority and then delay (application of physical barriers) the success of the action until the necessary response can be taken to destroy the threat. These can be summarised as deter, detect, delay, and destroy.

* Risk assessment analysis: Risk consists of two types, namely speculative and pure. Speculative or entrepreneurial risk is concerned with the chances people take to further their business or personal interests (that is, the difference between loss and gain). Pure risk is concerned with the unwanted events or happenings which disrupt the orderly progress of human life and lead only to loss, damage, injury and death. Security is concerned with pure risk.

In the context of this article, risk can be seen as a threat posed to the business, and is determined from the probability of something detrimental to the business taking place and the impact it will have on the business should it take place. A threat can be either intentional (eg burglary, robbery, fraud, labour unrest, etc) or accidental (eg malfunctioning of a vital piece of equipment, flooding, fire, structural collapse, etc).

Risk assessment analysis is a process that systematically identifies the assets that need protection; determines the threats to those assets, the vulnerability of the assets to the threats and the probabilities of the threats occurring; and quantifies the impact or effect (in monetary values if possible) if a given threat does occur.

Although risk assessment is a specialised area of expertise, it is one which the security consultant must take into consideration as part of his/her security plan, for without identifying the threats, probabilities and impacts he/she cannot hope to develop meaningful security measures to counter the identified risks.

* Security plan: An important area in which many security consultants fail is in not providing quality documentation from the security design phase through to the enquiry phase. A major flaw is that a comprehensive security plan (also referred to as the security survey report) is not compiled. A well-presented document will allow the client to understand his risks and have a basic understanding of the security measures to be implemented, together with budget pricing in order to assess the cost benefits of the proposed solution. Once the basic concept has been approved a security design detailing the physical protection measures to be implemented can be compiled.

Although this document could take different forms, depending on the actual scope of work, it is recommended that the following sections be included as a minimum requirement:

* Introduction - an overview of the proposed security project.

* Scope (objectives) of the work (project).

* Intelligence review - overview of pertinent crime information and trends, both national and local.

* Risk assessment analysis - define all threats, risks, etc.

* Operational requirements - forms the foundation for the design phase - see below.

* Security technology - overview of the sub systems to be provided.

* Security personnel - overview of the manpower requirements.

* Procedures - overview of all proposed procedures to be compiled and implemented.

* Budget - estimate of the cost of the security measures to be implemented.

* Operational requirements: The operational requirements document can be considered a key document for security system designers as it states clearly what the client expects the physical protection system to be capable of doing. The development process encourages clear thinking about the what, where, when, by whom and in particular, the why in relation to the system. Without an operational requirement and matching test procedure there can be no guarantee that the system will be capable of performing its intended function.

* Enquiry documentation: A properly compiled (unfortunately, not the general rule) enquiry (that is, the tender documentation) will be based on the principle of concise, complete and unambiguous information being provided and can be either:

* Needs based - that is, the operational requirements based tender, which will require the tenderer to provide all the technical information. All that is required from the end-user is the need. The what, where, why and how is the responsibility of the tenderer.

* Technically based - requiring only a cost based response from the tenderers, or

* A combination of both types.

By inviting tenders on the basis of the operational requirements, a clear signal is sent to tenderers that submissions for the work (project) will be judged on the basis of performance and functionality as well as price. It enables tenderers to be clear about the wishes of the client and to know that their proposals will be compared on a like-for-like basis. This approach is an ideal method to follow. Unfortunately, a lack of technical knowledge/skills, and in some instances integrity, on the part of some South African companies leads to vague statements being made and underpricing to get the business, followed by the inevitable dissatisfaction of the client due to corner cutting, cost overruns or performance shortfalls.

Therefore, it is recommended that the combined approach of a 'needs' and 'technical' tender be adopted. This will provide all tenderers with a common understanding of the needs of the client, in terms of the measures to be applied, as well as specifying limited technical details of the equipment/systems to be installed. This will, hopefully, eliminate the disadvantages previously described.

The evaluation of tenders should be carried out using a compliancy matrix against the design requirements. Both performance and price can be assessed in this way. In drawing up an enquiry document, careful attention to detail will be needed if unsuitable tenderers are to be excluded or their tenders declared non-compliant. Often the compliancy matrix will reveal tenderers who declare their compliance but are in fact unable to comply.

Conclusion

This article covers the basic rules that security consultants need to follow if they are to provide a physical protection system that meets the needs of the client. Although the rules may appear to be more applicable to the larger technology based systems, the fundamentals discussed still apply to the design and implementation of any physical protection system. One of the most important documents that can be compiled as part of the security design process is the operational requirements of the system - for it is this document that details exactly what the client expects the system to do. It is imperative not to rush into high-tech solutions without careful consideration of what the client actually needs and not what you think he wants. The outcome from an operational requirements document (however brief in content) could well indicate that only basic security measures need to be applied: for example, a good perimeter fence, one or two well-trained security guards and the implementation of basic access control procedures.

Having said this, it is the belief of the author that the future of the security industry will come from the utilisation of sophisticated (IT based) security technology and that clients will move away from man-guarding to techno-guarding - as guards are becoming expensive to employ. However, more important factors to consider are the lack of cognitive skills, unreliability and the questionable honesty of the guard force and/or the law enforcement agencies, where collusion in detected crime is being reported on a daily basis. This move to high-tech solutions makes it even more imperative that a comprehensive security plan is developed based on the actual needs of the client.

AUTHOR:

Brian Barnes of Hodari Security Technologies has travelled extensively in the course of his career - having lived and worked in the United Kingdom, Cyprus, Bahrain, Uganda, and Kenya and visited countries such as Botswana, Swaziland, India, Israel, Belgium, Germany, Abu Dhabi, Namibia, Tanzania and the United States of America in connection with his work. He has presented several technical papers at international venues and holds a Master's Degree in Commerce, is a Chartered Engineer and registered European Engineer, and is a Member of the Electrical Engineers Institution.




