This attention to real-world concerns requires a comprehensive planning approach
ID: 3599356 • Letter: T
Question
This attention to real-world concerns requires a comprehensive planning approach. Today, security safeguards generally fall into one of three categories: physical security, information security and operational security.
Physical security involves measures undertaken to protect personnel, equipment and property against anticipated threats. It includes both passive and active measures. Passive measures include the effective use of architecture, landscaping and lighting to achieve improved security by deterring, disrupting or mitigating potential threats. Active measures include the use of proven systems and technologies designed to deter, detect, report and react against threats.
Information security is the process of protecting the confidentiality, integrity and availability of data from accidental or intentional misuse by people inside or outside an organization or facility. Key elements of information security include limiting information exclusively to authorized entities; preventing unauthorized changes to or the corruption of proprietary data; guaranteeing authorized individuals the appropriate access to critical information and systems; ensuring that data is transmitted to, received by or shared with only the intended party; and providing security for ownership of information.
Operational security is the process of creating policies and procedures, and establishing controls, to preserve privileged information regarding organizational capabilities and vulnerabilities. This is done by identifying, controlling and protecting those interests associated with the integrity and the unimpeded performance of a facility. Key elements of operational security are staff — trained security personnel to protect and enforce the security procedures and policies governing a building’s or business’ operations — and established policies and procedures. Policies and procedures establish controls to prevent unauthorized access to a facility, tenant space and business assets, whether through carelessness, criminal intent or an outside threat.
Security assessment
Properly conceived and implemented security policies, programs and technologies are essential to ensure a facility’s resistance to myriad threats while meeting demanding uptime, reliability and performance objectives. Security programs are also critical to safeguard the people, processes, information and equipment housed within a facility and within boundaries of the protected space.
It is a given that many, if not most, security plans have an Achilles’ heel. More often than not, the weakness is lack of a comprehensive risk and vulnerability assessment. Most assessments address security from an electronics systems perspective instead of from an overall security program viewpoint that is part of a corporate risk-mitigation strategy.
A security risk assessment should identify which assets need to be protected and how critical each asset is. This requires looking at each asset with regard to human resources and infrastructure. Facility executives should also determine the extent to which core business activities rely on continuous and uncorrupted operations.
A security risk assessment should also identify and characterize threats. These should be viewed as potential occurrences with a hostile intent that will directly affect the host building or organization and be capable of causing damage to others. An assessment of vulnerabilities is critical as well, derived from a systematic survey approach that considers physical, informational and operational features, as well as assets and threats to the building or company.
There are three levels of risk. The first involves the damage resulting from the failure to protect confidential data or from unscheduled downtime. This affects the short-term performance of an organization.
The second risk level is the failure to protect confidential data that can have a ripple effect beyond the company’s organization — suppliers, customers and partners, for example. Losses in this instance could be extensive with both temporary and permanent damage to business operations and organizational assets.
The third level of risk is the failure to protect confidential data or to prevent unscheduled downtime that has a cascading effect with potentially devastating consequences felt well beyond the host organization. The resulting damage and losses may be enormous with potential global implications. Unscheduled downtime can potentially threaten public safety, financial stability, regulatory compliance and even cause loss of life.
Once risks and vulnerabilities are assessed, they should be prioritized along with means to counter and respond to them. This final step allows particular weaknesses to be identified and addressed accordingly.
A comprehensive risk assessment of security systems is critical from a budgeting standpoint as well. Senior management must have a thorough analysis of all risks and vulnerabilities to make informed decisions on the allocation of capital resources. Responses that can mitigate revenue losses, liabilities and disruptions to ongoing business must be developed as part of this process.
Mitigation responses
All security plans need to be updated periodically to ensure they are still meeting the organization’s objectives. A common mistake when upgrading corporate security plans occurs in buildings with multiple tenants. In these situations, there are often incompatibilities between the base building management system and the security system used by a tenant. The result can be redundant and incompatible systems that raise the costs for all involved.
For example, there may be two security access systems put in place, one for the building at its base and another to enter the tenant space. The best solution is to have a single user interface implemented using tenant input for security measures deployed at the base of the building.
Another common mistake made by facility executives and tenants in upgrading security in a corporate office setting is that both often deploy a large number of closed-circuit television (CCTV) cameras without accounting for the personnel required to monitor the cameras on a 24/7 basis. The time needed to review, archive and store the digital or analog information is also not considered. The number of CCTV cameras deployed needs to be balanced with the number of security officers available. An average is usually one person per 20 CCTV cameras.
CCTV cameras can be augmented using an intrusion detection system. These are usually deployed in logical or critical areas to detect attempted unauthorized human entry. An intrusion detection system should be network-based and include, based on a needs assessment, motion, infrared, acoustical, heat-activated and vibration detectors and alarms, as well as a premise control unit, dedicated response force personnel, and security response procedures and protocols.
Failing to provide sufficient administrative support to properly enroll, remove and restrict employees within the security system is a common mistake. Another involves the lack of proper precautions for security system remote access, including installation of firewalls and encryption software to prevent access by both unauthorized personnel and hackers.
System upgrades
Most Fortune 100 companies perform security system upgrades as a common practice even without a threat and vulnerability assessment. Many have a staff that can handle much of the task. However, mid-tier corporate America is less apt to conduct regular risk and vulnerability studies because these companies lack the capital resources to do it. Consulting with a security expert can help determine the most cost-effective plan of action, given each company’s individual circumstances.
Facility executives also should look at where technology is being ineffectively implemented. That happens if there is a lack of support to administer, maintain and operate security equipment at peak efficiency.
Training is another important issue, especially for smaller organizations. Training efforts must be tied directly into each identified risk and vulnerability. Once each risk and vulnerability has been determined, training measures can be developed along with physical and operational security initiatives.
Finally, one of the biggest misconceptions is that there is a single technology that can provide comprehensive security for any organization. No single technology can do this. Multiple technologies integrated into all operational and informational systems are required.
Management has responsibilities, too. Senior executives should create a corporate culture that embraces, reinforces and demands security practices that are consistent with the user’s space. Within this corporate culture is the need to understand the human variable. This encompasses anyone who interfaces with operations, including managers, facility operators, maintenance personnel, other employees, customers, delivery people, clients and visitors. The human element affects everything with regard to security and reliability. How it is addressed may depend on external factors such as the law, industry trade group guidelines or even prudent management practices.
Within each organization, responsibility assignments for policy compliance should be defined. Therefore, all policies and procedures must take into account the human variable. Best practices require that security be treated as a fundamental value.
RISK ASSESSMENT Risk is the potential for a loss of or damage to an asset. It is measured based upon the value of the asset in relation to the threats and vulnerabilities associated with it. Risk is based on the likelihood or probability of the hazard occurring and the consequences of the occurrence. A risk assessment analyzes the threat (probability of occurrence), and asset value and vulnerabilities (consequences of the occurrence) to ascertain the level of risk for each asset against each applicable threat/hazard. The risk assessment provides engineers and architects with a relative risk profile that defines which assets are at the greatest risk against specific threats.
There are numerous methodologies and technologies for conducting a risk assessment. One approach is to assemble the results of the asset value assessment, threat assessment, and vulnerability assessment, and determine a numeric value of risk for each asset and threat/hazard pair in accordance with the following formula: Risk = Asset Value x Threat Rating x Vulnerability Rating This methodology can be used for new buildings during the design process, as well as for existing structures. The first task is to identify the value of assets and people that need to be protected. Next, a threat assessment is performed to identify and define the threats and hazards that could cause harm to a building and its inhabitants. After threats and assets are identified, a vulnerability assessment is performed to identify weaknesses that might be exploited by a terrorist or aggressor. Using the results of the asset value, threat, and vulnerability assessments, risk can be computed. After the architect and building engineer know how people and assets are at greatest risk against specific threats, they can then identify mitigation measures to reduce risk. Because it is not possible to completely eliminate risk, and every project has resource limitations, architects and engineers must analyze how mitigation measures would affect risk and decide on the best and most cost effective measures to implement to achieve the desired level of protection (risk management). There are numerous checklists and techniques to use for conducting an individual building risk assessment
Three factors or elements of risk are considered for each function or system against each threat previously identified. The first factor is the value of the asset or degree of debilitating impact that would be caused by the incapacity or destruction of the asset. A value on a scale of 1 to 10 is assigned. A value on a scale of 1 to 10 is assigned (as shown in Table 1-18), 1 being a very low impact or consequence and 10 being very high or an exceptionally grave consequence. The next factor is the threat rating or subjective judgment of a terrorist threat based on existence, capability, history, intentions, and targeting. Again, on a scale of 1 to 10, 1 is a very low probability and 10 is a very high probability of a terrorist attack. The third factor of risk is vulnerability, or any weaknesses that can be exploited by an aggressor. A value of 1 to 10 is assigned, 1 being very low or no weaknesses exist, and 10 being very high vulnerability, meaning one or more major weaknesses make an asset extremely susceptible to an aggressor. Multiplying the values assigned to each of the three factors provides quantification of total risk.
In every design and renovation project, the owner ultimately has three choices when addressing the risk posed by terrorism. He or she can: 1. Do nothing and accept the risk 2. Perform a risk assessment and manage the risk by installing reasonable mitigation measures 3. Harden the building against all threats to achieve the least amount of risk.
The Building Vulnerability Assessment Checklist based on the checklist developed by the Department of Veterans Affairs (VA) and compiles many best practices based on technologies and scientific research to consider during the design of a new building or renovation of an existing building. It allows a consistent security evaluation of designs at various levels. The checklist can be used as a screening tool for preliminary design vulnerability assessment. In addition to examining design issues that affect vulnerability, the checklist includes questions that determine if critical systems continue to function in order to enhance deterrence, detection, denial, and damage limitation, and to ensure that emergency systems function during a threat or hazard situation.
The checklist is organized into the 13 sections listed below. To conduct a vulnerability assessment of a building or preliminary design, each section of the checklist should be assigned to an engineer, architect, or subject matter expert who is knowledgeable and qualified to perform an assessment of the assigned area. Each assessor should consider the questions and guidance provided to help identify vulnerabilities and document results in the observations column. If assessing an existing building, vulnerabilities can also be documented with photographs, if possible. The results of the 13 assessments should be integrated into a master vulnerability assessment and provide a basis for determining vulnerability ratings during the assessment process
1. Site 2. Architectural 3. Structural Systems 4. Building Envelope 5. Utility Systems 6. Mechanical Systems (heating, ventilation, and air conditioning (HVAC) and CBR) 7. Plumbing and Gas Systems 8. Electrical Systems 9. Fire Alarm Systems 10. Communications and Information Technology (IT) Systems 11. Equipment Operations and Maintenance 12. Security Systems 13. Security Master Plan
Please write this article in your own words
Explanation / Answer
A comprehensive planning approach is required for Security safeguards generally fall into one of three categories: physical security, information security and operational security.
Physical security includes measures undertaken to protect personnel, equipment and property against anticipated threats. It includes both passive and active measures. Passive measures include the effective use of architecture, landscaping and lighting to achieve improved security by deterring, disrupting or mitigating potential threats.
Information security means protecting the confidentiality, integrity and availability of data from accidental or intentional misuse by people inside or outside an organization or facility. Key elements of information security include limiting information exclusively to authorized entities; preventing unauthorized changes to or the corruption of proprietary data; guaranteeing authorized individuals the appropriate access to critical information and systems; ensuring that data is transmitted to, received by or shared with only the intended party; and providing security for ownership of information.
Operational security includes creating policies and procedures, and establishing controls, to preserve privileged information regarding organizational capabilities and vulnerabilities. This is done by identifying, controlling and protecting those interests associated with the integrity and the unimpeded performance of a facility. Key elements of operational security are staff — trained security personnel to protect and enforce the security procedures and policies governing a building’s or business’ operations — and established policies and procedures. Policies and procedures establish controls to prevent unauthorized access to a facility, tenant space and business assets, whether through carelessness, criminal intent or an outside threat.
Security assessment is of utmost importance in todays world. Properly conceived and implemented security policies, programs and technologies are essential to ensure a facility’s resistance to myriad threats while meeting demanding uptime, reliability and performance objectives. Security programs are also critical to safeguard the people, processes, information and equipment housed within a facility and within boundaries of the protected space.
Levels of Risk There are three levels of risk. The first involves the damage resulting from the failure to protect confidential data or from unscheduled downtime. This affects the short-term performance of an organization.
The second risk level is the failure to protect confidential data that can have a ripple effect beyond the company’s organization — suppliers, customers and partners, for example. Losses in this instance could be extensive with both temporary and permanent damage to business operations and organizational assets.
The third level of risk is the failure to protect confidential data or to prevent unscheduled downtime that has a cascading effect with potentially devastating consequences felt well beyond the host organization. The resulting damage and losses may be enormous with potential global implications. Unscheduled downtime can potentially threaten public safety, financial stability, regulatory compliance and even cause loss of life.
Once risks and vulnerabilities are assessed, they should be prioritized along with means to counter and respond to them. This final step allows particular weaknesses to be identified and addressed accordingly.
All security plans need to be updated periodically to ensure they are still meeting the organization’s objectives. A common mistake when upgrading corporate security plans occurs in buildings with multiple tenants. In these situations, there are often incompatibilities between the base building management system and the security system used by a tenant. The result can be redundant and incompatible systems that raise the costs for all involved.
For example, there may be two security access systems put in place, one for the building at its base and another to enter the tenant space. The best solution is to have a single user interface implemented using tenant input for security measures deployed at the base of the building.
Three factors or elements of risk are considered for each function or system against each threat previously identified. The first factor is the value of the asset or degree of debilitating impact that would be caused by the incapacity or destruction of the asset. A value on a scale of 1 to 10 is assigned. A value on a scale of 1 to 10 is assigned (as shown in Table 1-18), 1 being a very low impact or consequence and 10 being very high or an exceptionally grave consequence. The next factor is the threat rating or subjective judgment of a terrorist threat based on existence, capability, history, intentions, and targeting. Again, on a scale of 1 to 10, 1 is a very low probability and 10 is a very high probability of a terrorist attack. The third factor of risk is vulnerability, or any weaknesses that can be exploited by an aggressor. A value of 1 to 10 is assigned, 1 being very low or no weaknesses exist, and 10 being very high vulnerability, meaning one or more major weaknesses make an asset extremely susceptible to an aggressor. Multiplying the values assigned to each of the three factors provides quantification of total risk.
In every design and renovation project, the owner ultimately has three choices when addressing the risk posed by terrorism.
1. Do nothing and accept the risk
2. Perform a risk assessment and manage the risk by installing reasonable mitigation measures
3. Harden the building against all threats to achieve the least amount of risk.
The checklist is organized into the 13 sections listed below. To conduct a vulnerability assessment of a building or preliminary design, each section of the checklist should be assigned to an engineer, architect, or subject matter expert who is knowledgeable and qualified to perform an assessment of the assigned area.
The results of the 13 assessments should be integrated into a master vulnerability assessment and provide a basis for determining vulnerability ratings during the assessment process: