printer friendly version

Building an effective security programme

Now more than ever, corporate executives are asking, "Is our facility safe? What security measures are in place? Are we prepared for a worst-case scenario disaster? What changes do we need to make?" The BOMI Institute has outlined numerous key issues every business should consider.

Stage 1: Risk analysis

Step 1 - Conducting a security survey.

A risk analysis consists of three major steps:

* Noting an organisation's assets.

* Defining their value.

* Identifying potential threats.

Those assets can be defined by taking a walk through the facility and talking to employees in order to determine the potential risks posed by the building's design. The physical areas worthy of inspection include the perimeter, offices themselves, and any areas where deliveries are received. Prior to a walk through, facility management should prepare worksheets or checklists to guide those conducting the security survey.

Some of the assets that should be considered in the risk analysis include:

* Employees.

* The facility itself.

* Money.

* Manufactured products.

* Raw materials.

* Industrial processes.

As each asset is identified, the sources of external and internal threats should also be noted.

External threats to a facility and the people in it include - but are not limited to - burglary of equipment, assault, or perceived threats from loiterers. One means of evaluating external threats is to examine the community's most recent crime statistics to find out if the trends in rape, murder, theft, and burglaries are heading up or down.

Once this has been determined, it is important to know how long, and why, the trends have been going that way. (Statistics of criminal incidents for each calendar year should be available from the SAPS in South Africa, but in recent years have been downplayed, and have generally NOT been made publicly available.)

Internal threats may come from disgruntled or dishonest employees. Examples of internal threats to assets are theft, fraud, destruction of property, arson, assaults, and crimes of passion resulting from interoffice romances. Companies should record all crimes, no matter how insignificant, that occur at the facility(ies) they own/operate. Analysis of the incidents can reveal patterns of crime, which in turn can lead to identifying the perpetrators. Maintaining these records can also help owners avoid litigation for negligent security, as well as support decisions to invest in new security measures.

Step 2 - Estimating probability

The second step in a risk analysis is identifying the probability that a risk will occur. When assessing risks for security planning, employ this rule: the more ways a particular event can occur, the greater the probability is that it will occur.

For example, to evaluate the risk posed to office equipment, ask and answer these questions:

* Is the equipment stored within secured rooms?

* Is the equipment secured within the room by anchor pads or other physical locking devices? Or is it protected by electronic asset protection devices?

* How frequently do security patrols tour the area?

* How easy would it be for a thief to dispose of an item for profit?

* Is there a record of the serial numbers of the equipment?

Step 3 - Determining criticality of assets

When determining how critical an asset is to an organisation, consider both the direct and indirect costs that will result from the loss of the asset.

For example, many companies depend on the continuous and secure flow of electronic data inside and outside the facility. If the data flow were interrupted, the company would be unable to do business. The data, the facility where people use or manipulate it, and the connection lines the data travel over are all essential assets to the operation of many businesses. Therefore, data processing centres, telecommunications equipment, and the building infrastructure that supports them all have very high criticality.

Direct costs of the loss of an asset include permanent replacement, temporary substitution, or lost income. The indirect costs that should not be overlooked include the adverse effect on the enterprise's reputation and employee morale, loss of goodwill, and possible employee turnover.

To complete the risk analysis, the information gathered from the security survey, probability estimates, and criticality decisions must be integrated to determine which assets are to be protected and which are not. Prioritising assets and determining how vulnerable they are helps management decide the number of resources to devote to security measures.

Stage 2: System selection

Once the risk analysis is complete and a need for an electronic security system has been established, the next step is to explore the types of systems available. Because there are innumerable security systems with innumerable components, it is a good idea to break up research into four areas:

* Access control.

* Intrusion detection.

* Surveillance.

* Command and control.

Access control

Access control systems regulate who is able to enter a building through devices such as electronic card readers and electronic locks on doors. Some of the most popular capabilities of access control systems include:

* User card number: a basic feature that identifies the access card user by a distinct alphanumeric code defined by the system manufacturer.

* Anti-pass back: a time-delay feature that prevents a cardholder from passing his or her access card back through (or under) a closed or controlled door to be used by another person who may not be authorised to enter.

* Different or multiple access levels: a feature that assigns different levels of access to different building areas and allows a facility to be partitioned to prevent access to some areas while simultaneously granting access to other areas. It can also define what days and hours occupants can use the access card.

* Historical access and departure reports: a feature that provides reports of entries and departures from a building, or specific areas of a building, during certain dates and times.

Intrusion detection

Intrusion detectors use sensors to detect either the open or closed status of protected points of entry. They can also determine the presence of a person in an area and the place where the alarm terminates.

Intrusion detection sensors are integrated into a system that transmits alarms to a processing location. The specific components, such as the status of latches, latch bolts or deadbolts (locked or unlocked); related power relays; switches; fittings; and keypads vary according to the type and level of protection.

Surveillance

Surveillance systems use video cameras and monitors to alert people to events that occur. Surveillance equipment is generally comprised of television cameras and monitors, video amplifiers, video switches, video tape recorders, audio tape recorders, and related cables, fittings, and attachments.

Closed circuit television (CCTV) has long been associated with the security function. In the modern commercial building environment, its highest value is in providing an audit trail, which is critical in investigating a security breach or a violation of the law after such an event has occurred. (Very little crime is discovered through the CCTV surveillance system as it occurs.)

Studies of individuals assigned to security consoles where CCTV cameras are monitored often indicate that console operators spend very little time watching the monitors; however, the gaming casino industry and retail environments use it to look for fraud or shoplifting. High security environments, such as the nuclear industry, military, and airports take a more vigilant approach to the use of CCTV in realtime environments. The features needed in a CCTV system depend on the purposes of security equipment as revealed by the risk analysis.

If the purpose of installing the camera is to reduce crime by immediately alerting an operator so the security force can be dispatched, the CCTV camera should be coupled with an alarm sensor device, such as a motion detector.

If the purpose of the installation is to record events, such as entries and departures, the recordings must be clear enough in terms of focus, resolution, and light levels to permit a positive identification of individuals and their activities.

If the video images and events will be used later in an investigation and criminal prosecution, the equipment must be able to produce the desired results. A management program must be devised to ensure proper archiving of the recorded events on videotape or CD-ROM for future use.

Command and control

A central command and control station is required to manage the above-listed items and equipment. This station coordinates the control equipment and devices throughout a business's facility.

This system includes a central console that coordinates the control equipment and devices required to manage the other equipment. It also has central and remote signal processors that receive, transmit, discriminate, process, and convert signals from various security equipment into displayed and recorded intelligence or command and control functions. It has printing equipment to make permanent records of significant changes of status and graphic display equipment to project two-dimensional views of protected areas.

Stage 3: Managing the programme

The third and final stage in setting up an effective security program is managing the program. Electronic security systems require more management after they are turned on than they do before and during installation, including attention to systems integration, the network they are connected to, the hardware, and the people using the system.

Occupant orientation

Perhaps the most sensitive aspect of security integration is public awareness. All building occupants should be made aware of how the system will operate during an emergency requiring building evacuation, local work rules, admittance procedures, and entry control system operation. In some cases, all personnel should view a brief videotape describing the local security and emergency procedures before they are issued access or identification cards.

Managing the system

The person responsible for managing a security system has duties to perform related to three primary areas: system administration, network operations, and hardware maintenance. System administration incorporates the management of the access control systems and the intrusion detection and fire alarm systems. These are the key responsibilities of a security system's manager.

Actual intrusions cause less than 1% of the alarms generated by electronic security systems. Many of these false alarms are triggered by faulty equipment, doors propped open, user error, someone exiting from an emergency door, an airconditioning or heating system activating a sensor, or a person trying to use a mechanical key to enter a door controlled by a card reader.

The system's manager should analyse and categorise the alarms and initiate corrective action to eliminate or minimise false alarms through prompt repair of faulty equipment, user retraining, adjustment of sensor sensitivity, or retrieval of mechanical keys from individuals who are violating access control procedures.

The access control system database usually contains two main types of information: the badge records of authorised individuals to locations where card readers are installed and the information used to lock and unlock doors automatically.

A security system manager should ensure that one person and a backup are assigned system administration duties, which include:

* Deleting system records of people who have left the payroll or tenancy, or whose entry privileges have expired. This task requires close collaboration with the human resources department and organisations responsible for hiring contracted workers.

* Printing hard-copy access reports from the system for a given period and retaining them for a specified period of time - usually three to six months.

* Periodically polling the system to determine whether cardholders have stopped using their cards or have left the payroll or tenancy without notifying the security department.

* Programming the system to deny entry privileges to a certain person or groups of people as business needs dictate.

* Programming door schedules to accommodate user requirements.

* Providing archived reports of entries and departures of specific individuals and matching the reports to video recordings of entries and departures for investigative purposes.

* Assuring that the time stamp for the entry control system is perfectly synchronised with the time stamp for the video surveillance system so actual facility entry and departure times are properly matched with recorded times.

Intrusion detection and fire alarm system databases will usually contain the name of each protected department within the facility (referred to as an account), its location, device numbers, contact names, telephone numbers, pass codes, and response directions. In addition, the database may also contain the name and phone numbers of the head person of the protected area. The database also requires updating when a new employee is hired, or a new device is added to or removed from the system.

Network operations

The network established to link components of the access control and intrusion detection systems may consist of several different integrated transmission systems: copper wire, point-to-point fibre-optic cabling, radio or microwave signals, and either proprietary or leased telephone lines that require maintenance.

Whether the transmission system is a single dedicated system or a fragmented system, arrangements must be made for maintenance and repair. Provision should be made for annual preventive maintenance, particularly when the transmission system is complex.

During this annual inspection, all equipment, such as routers, switches, and transmitting or receiving devices should be examined to assure the equipment is operating according to specifications. Any equipment found deficient must be properly calibrated or replaced if necessary. Arrangements also must be made to provide immediate repair in case the network fails.

Hardware maintenance

Most security system manufacturers and installers guarantee or warrant the reliable operation of their system and components for at least one year. Before a warranty period expires, be sure to execute a service contract with knowledgeable suppliers certified by the manufacturers to service the equipment. This will help minimise awkward (and potentially dangerous) gaps in service.

An effective security plan is a complex and challenging task. However, once a thorough and effective plan is in place, the results can be priceless - in terms of both people and property protection.

Share this article:

Further reading: