|
Designing & Administering a Security Program (General Concepts of Good Security):
The
following lecture given by me to security professionals includes the writer's personal opinions. The information presented
herein is, therefore, considered proprietary and generally not suitable for unfocused distribution. The comments and
recommendations are considered a management tool, and should not constitute the sole basis for significant security decisions.
That said, the recommendations are generic and universal, and might be of value to those interested in facility or installation
security. And, in consideration of the Nation's need for increased security awareness, I am making available the basic
tenets for ‘Designing and Administering a Security Program.' Contact me regarding questions or comments. True
Nelson
Perfect Security: Imagine
a building located on a small island in San Francisco Bay. This building or structure has walls, floor, and roof of
reinforced concrete that is four feet thick. There are no doors, no windows, vents, or passages of any kind with which
entry might be gained. A fence surrounds the structure. The fence, although having no gate, is eight feet high;
seven feet of heavy gauge chain-link and topped with barbed wire ‘top guards' angled 45 degrees toward the outside.
A vibration sensor on the fence and a motion detection device that covers the interior are designed to immediately alert a
Security Officer of any activity within the enclosure. The Security Officer, stationed just outside the fence on a twenty-four
hour basis, is armed and well trained in handling all contingencies. Furthermore, the building is known to contain only
one item, the mummified remains of the last passenger pigeon, which died in 1914. Perfect security? Answer: Very nearly.
Now imagine the same structure. The same security
measures, but inside the building is the pear shaped "Greater Star of Africa" diamond, which weighs 530.2 carats
and is considered to be the second largest cut diamond in the world. Perfect security? Answer: Not even close.
The point to be made is that there is no such thing as "perfect security"
and that any such expectations are unrealistic. However, there is a standard of acceptable security - although, at times,
it may seem somewhat subjective and inconstant. Generally speaking, the object is to identify the risk, and to then
take corrective measures that are well thought out and consistent with what an ‘informed' manager would do under similar
circumstances. The standard is based upon what is considered reasonable and appropriate. This, of course, does
not give a great deal of comfort to the security practitioner. Nonetheless, it is a start. If reasonable and appropriate
efforts have been made to identify a potential security problem or risk, and reasonable and appropriate measures have been
taken to correct the problem or to neutralize the risk, then the security, if not perfect, is at least acceptable.
Successful Security: A successful security system is composed of four
principal elements: - Witness
Potential
- Delaying Tactics
- Intrusion Technology
- Security Policies / Procedures
Witness Potential: What primarily
discourages those intent upon committing criminal acts are not just barriers, locks, or alarm systems; but more importantly
the potential for having a witness (or video recording) to a crime. ‘Witness Potential' incorporates security
concepts such as the cultivation of vigilant neighbors, informed employees, cooperating and informed law enforcement personnel,
well trained security patrols, cameras, etc.
Delaying Tactics: These are the
tried and true basics of security that have been used for centuries. These include such tactics as barriers (both natural
and artificial), walls, fencing and locks. And, we might also include signs: ‘keep out', ‘no trespassing',
‘private property'. Such efforts are used to discourage or delay three types of penetration - by accident, by
force, or by stealth.
Intrusion Technology: The use of alarm techniques for security
purposes, other than very crude mechanical devices, first started in the early 1900s. They were mainly used to protect
banks and retail establishments against burglary. In modern society, alarm systems have become ubiquitous and highly
reliable. An alarm system is designed to report the presence of an intruder entering or moving about in a protected
area.
Security Policies/Procedures: This is the backbone of any security program.
Security systems are of little value if there are not current, clear, and written policies and procedures as to what action
is to be taken under what set of circumstances.
Problem Definition:
Security remedies
and pro-active strategies cannot be effective unless they are based upon a clear understanding of the actual risks they are
designed to control. It makes no difference whether the problem being considered involves negotiable instruments such
as cash or checks; assets such as equipment or timber; or even intangible assets like trade secrets or a safe working environment
for employees. Until the specific threat to those assets is defined, precautions and countermeasures are little more
than guesswork - constituting mostly ineffective, usually very costly, guesswork.
Problem definition comes first; then comes countermeasures
design. A useful definition of a security problem requires the evaluation of three things: •1. LOSS EVENT PROFILE: The kinds of threats or risks affecting
the assets to be safeguarded. •2.
LOSS EVENT PROBABILITY: The likelihood or probability of those threats becoming actual loss events. •3. LOSS
EVENT CRITICALITY: The impact or effect upon assets, or upon the business, if the loss occurs. The
understanding and relationship of these three aspects of a potential loss/incident will be the fundamental element of any
system of countermeasures.
Example #1: Numerous items including tools, easily transportable office equipment,
and supplies have been disappearing from the facility's inventory. The problem has been occurring for some time, and
even efforts to record all available serial numbers and mark all tools for positive identification have failed to stem the
flow of misappropriated property. The facility is experiencing a security problem that incorporates high Loss
Event Probability with a relatively low Loss Event Criticality. Based on the problem definition, and after obtaining
guidance on appropriate procedures, the facility decides to implement random inspections of vehicles, parcels, lunch pails,
duffels, and other containers.
Example #2: A rather specific, but anonymous report, has furnished information
that a vital process within the facility is to be sabotaged. This will not only cause serious disruption to the operation,
but will also endanger the employees working in the area. We now have a fairly low Loss Event Probability, but
a high Loss Event Criticality. It is decided that, among other security measures, random inspections or searches
of employees, contractors, and vendors is justified.
What we have are two very different scenarios leading to very similar security
countermeasures.
Preventing Crime:
Facility managers, in providing a safe and secure working environment, and in protecting
company assets, should strive for the following: 1. Insure that a
well-trained and properly motivated security presence is in place to prevent acts of criminality. 2. Prevent physical deterioration of the facility
to reduce offenders' perceptions that areas are vulnerable to crime. The "Broken Window Theory" holds that if a
window in a building is broken and is not repaired; all the remaining windows in the building will soon be broken. Maintaining
a facility in a state of good repair may deter, perhaps even prevent, vandalism and some associated crimes. 3. Institute measures to insure security officers
and employees do not give the perception that they are disinclined to act in questioning a suspicious occurrence or to prevent
a crime. It must be emphasized that security is everyone's responsibility. Raise employee awareness and promote a community
watch program. Establish the principle that we are all responsible for one another. If a person is unfamiliar to an
employee and/or the person appears to have unauthorized access to a given area, employees should approach and politely challenge
said individual - asking if they might be of assistance. Offenders are known to decide whether or not to commit a crime after
evaluating the following: How easy will it be to enter the area? How visible, attractive, or vulnerable is the target? What
are the chances of being seen? If seen, will people in the area do something about it? Is there a quick, direct route for
leaving the area after the crime has been committed? 4. Pay attention to facility design and potential risks. When there are perceived risks, take corrective action. 5. Reduce availability or visibility of crime targets. 6. Remove obstructions that facilitate crime, give
concealment, or prevent easy detection of an offense in progress. 7. Increase physical obstacles, systems, and controls that prevent crime. 8. Use signage that indicates the facility is occupied
by vigilant residents. 9. Pay particular attention to providing adequate lighting and other security measures where employees may, at times,
be isolated (parking areas, stairwells, elevators, remote locations). 10. Remember that security requirements may change from time to time, and that
security systems should undergo continual evaluation.
A security plan requires the following:
Promote security awareness and community involvement:
Internal Controls:
The Ten Basic Considerations in Designing & Administering a Security Program
1. It should go without saying that close supervision of company owned and contractually controlled property is essential,
and should include: frequent visits; verification of property lines; aerial photos; locked gates; and proper signage. 2. Thorough background checks on applicants for employment
and reference checks on potential contractors are a must. 3. There should never be double standards. In other words, rules, policies, and
requirements apply to everyone equally. 4. Most liability issues, that target inadequate security, involve harm to employees, contractors, or visitors to
your facility or property holdings. It is a management responsibility not to compromise or neglect the safety and security
of employees and visitors. The majority of lawsuits charging inadequate or improper security involve incidents that took place
in a facility or nearby in the facility's parking lot (inadequate lighting, failure to consider the seriousness of previous
crimes or incidents, poor supervision of employees or visitors, etc). 5. Potential workplace violence issues should be treated very seriously. 6. Loss / Incident reporting is everyone's responsibility.
Procedures should be set forth in writing. Report forms supplied. A manager should be designated to receive and correlate
the information. 7.
Whenever possible a community watch program should be promoted. Contact property's neighbors and develop a rapport. Get to
know your local law enforcement. Train employees to be observant. Consider a ‘hot-line' program for anonymous tips. 8. There should be appropriate separation of job
responsibilities, with appropriate supervisory oversight. 9. Crimes against the company should be consistently prosecuted. Don't cut deals.
Regarding prosecution, if you don't treat everyone equally, you will ultimately regret it. 10. Develop the capability to conduct ‘investigative
auditing'. This should include: security reviews of various aspects of the operation; close review of variance reports; analysis
of suspicious activities; and the proper placement of CCTV cameras for deterrence, verification and subsequent inquiry.
What can a security consultant do for me? Consulting on security issues where the company's personnel or assets are at risk
and/or give investigative assistance. Advice may include topics such as pre-employment screening, visitor control, emergency
reaction planning, writing security related directives or standard operating procedures, and inquiries regarding assets that
have been adversely impacted - including those matters of criminality (real or suspected), i.e., white collar crime, theft,
defalcations, suspected vendor/contractor dishonesty, sabotage, etc.
Pro-active security awareness programs and security surveys to insure that appropriate and cost-effective measures
are brought to the attention of management. These measures include, but are not limited to, physical plant security, access
control, security alarms, fencing/gates, lighting, CCTV systems, contracting with security companies, and establishing security
audit procedures.
|
