Special Report: Do You Have A Security Blueprint?
By John P. Parkinson
Published in the March 2008 issue of Today’s Facility Manager
Published in the March 2008 issue of Today’s Facility Manager
“An ounce of prevention is worth a pound of cure.”
Events such as disgruntled employee or student shootings, domestic or international terrorism, identity theft, and data losses are all extreme situations, but they are very possible threats in the workplace today. Combine those scenarios with the fact that facility managers (fms) are increasingly being asked to take on some type of responsibility for their organizations’ security, and it becomes apparent fms need to have a better overall understanding of things like vulnerability assessments and IP-based CCTVs in order to protect their fellow employees and organizational assets.
Even for those facilities with a chief security officer (CSO) and proprietary security personnel in place, fms may be called upon to assist CSOs and their staff during a crisis situation. So, whether a facility professional is tasked with larger security responsibilities or just needs to play a supporting role, knowledge is still paramount.
Seeing the Whole Picture
Robert Wetherell, CPP, CFM, facility manager, for Cedar Rapids, IA-based Pearson Education believes in taking a holistic approach to security. From assessing physical security needs to drafting a product proposal to talking to upper management, he understands the big picture and sees it as a comprehensive process.
“You have to align yourself with your company’s mission, goals, and objectives,” says Wetherell. “Once you have done that, you will be able to make the case to the CFO or the CEO. You need to be able to put the business case together and say, ‘this is what makes sense for us to do, and this is why it makes sense for us to do it.’”
James Bomba, CPP, supervisor of facilities security at Erie PA-based Erie Insurance, agrees with Wetherell that it is a process. He believes it starts with a vulnerability assessment and follows through to a potential solution. He further stresses that a security solution should be cost-effective and fall in line with the company’s business objectives.
“What I do as a security professional impacts what I do in my business environment first and foremost,” Bomba says.
Bomba conducts a vulnerability assessment survey first to see what internal and external threats or risks could potentially affect employees and company assets.
“Once you have gone through the [survey] checklist and analyzed all the components, you should develop items for improvement, find effective measures for mitigating risk, and evaluate them based on the cost-effectiveness of the plan you have in place and the asset you are trying to protect,” he explains.
Bomba says the formula he uses breaks down into these elements:
• The risk to the asset;
• The probability (and/or frequency) the risk may become an actual loss event; and
• The effect on the asset or business if the loss occurs.
Through the use of countermeasures such as equipment, personnel, and policies/procedures, Bomba attempts to reduce these risks from becoming a reality.
As part of his approach, Wetherell has tailored a facility characterization worksheet, which he uses during his assessment. The elements he looks for are:
• Facility data;
• Security management;
• Access control;
• Security staff;
• Electronic access control system;
• Alarm system;
• Key and lock control;
• Emergency and disaster planning; and
• Theft and vandalism statistics.
Since security is multifaceted, there are other aspects that make up security assessments. Here are a few to consider:
Location. Every location is distinct in terms of vulnerability assessments. For instance, airport security has been under a great deal of scrutiny since 9/11. Passenger safety is one particular area of vulnerability that has been refined several times—particularly in terms of luggage handling.
TSA agents currently have the authority to cut off locks on pieces of luggage needing more thorough inspections. Some luggage locking devices—such as Prestoseals™ from Wheeling, IL-based CCL Security Products—cannot be removed without destroying their security features. So if the lock is not present when a traveler retrieves his or her luggage and a federal TSA seal has not been used to re-seal the luggage as required by law, it means that an unauthorized person may have gone through the luggage. (TSA Agents are also required to leave an official TSA Notice of Inspection inside any piece of luggage which was hand searched out of the view of the traveler.)
At this point, travelers are urged to take their luggage to a security person to determine if anything is missing, or worse yet, to determine if anything has been added.
Visitor management. This is another post 9/11 element of security that has witnessed greater attention through product developments such as cameras, visitation logging, and sophisticated ID badges. Keeping better track of people (especially visitors) in buildings is one of the newer pieces of the security puzzle to come to the forefront sincethe threat of terrorism has become more feasible on American soil.
Consequently, the development of visitor management products and systems helps check visitors in by reading valid identification documents and printing up badges.Visitor management systems give companies an enhanced ability to know exactly who is in the facility at any given time.
When designing ID cards for any company, fms should be certain to include layers of features to make sure cards are truly secure and difficult to counterfeit or modify, explains Shane Cunningham, marketing manager for U.S./Canada for Greer, SC-based Digital Identification Solutions.
“The most effective ID cards will include at least one feature embedded into the card body itself, like foil stamping, preprinted audit numbers, or a watermark,” says Cunningham. He also says background checks should be considered, because without a true sense of identity, a fraudulent employee card or visitor’s badge can be used to gather other forms of ID.
Perimeter protection (including parking lots and areas outside buildings). Security personnel, CCTVs, and self-expiring parking permits all may encompass protection measures for these areas. Bomba says that while all work environments vary, consistent patterns should be considered as well. For example, Bomba says an urban environment will typically have a lot more pedestrian traffic than a rural or suburban location.
Building protection. In extreme cases, building protection can mean safeguarding against catastrophic events like hurricanes or explosions. And in order to protect against the latter scenario especially, anti-blast windows may be considered.
Joshua Early, product manager of architectural products for Cranberry Township, PA-based Traco, asserts that there are a few different scenarios when anti-blast windows may be warranted. Early says federal government buildings are already mandated to have anti-blast products because of their threat levels, but fms in buildings surrounding government structures may want to consider this protection as well in order to avoid potential collateral damage. Anti-blast products might also be suitable for buildings if they are deemed a high potential target for terrorism or have public perception issues, adds Early.
Technology And Trends
In the recent past, security choices were limited to either an expensive access system or mechanical locks on the door. End users agree that today’s level of sophistication in technology aids them greatly.
“Enhancement of security technology is allowing us to improve upon the capabilities of staff without having to add more people,” explains Bomba. These technologies add more “eyes and ears.”
“Technology is going to benefit everybody in the long run,” states Wetherell. Particularly, he likes the direction of convergence and its ability to marry physical and logical access.
Many believe one feature of today’s sophisticated technologies—integration—simplifies security and makes it more effective. One questionable action or motion picked up on a camera can set off a series of electronic automatic responses. So if an event occurs and someone opens a door they are not supposed to, the door not only notifies the fm with an e-mail, but spins the cameras around automatically and zeroes in on the violation.
Edge Of Network With Doors
Even the sophistication of doors has changed expectations. Developments like Power over Ethernet (PoE) have changed capabilities and wiring demands.
Joe Hooper, physical security professional with HES of Phoenix, AZ, says, “We are going to the edge of the network, meaning we don’t have to reside in the closet; we can actually bring CAT 5 cable right to the door.”
There are also card connected solutions available that can eliminate much of the labor, door controllers, and cable routing expenses associated with wired doors, so fms can add more access points. These newer door solutions are less expensive due to the ease of installation.
With so many door possibilities, fms should follow some considerations first.
“They should consider the opening first; what type it is; what type of hardware is on that opening; and how they would like to see that opening work with access control components,” states Hooper.
Furthermore, fms should access each door and secure it accordingly. One suggestion is to work from the outside in—from main entrance to closet—and develop appropriate profiles.
Traditionally, security vendors have used proprietary products and systems that could not be used in conjunction with other vendors’ products, but the development of open architecture is one of the biggest continuing trends in the industry. Simply defined, open architecture is the ability to take separate products and systems and interface them.
First and foremost, open architecture gives fms greater flexibility to choose different or new products without affecting legacy security products already installed.
According to experts at Irvine, CA-based HID, a provider of access and ID management solutions, smaller facilities used to rely on a complete change out of cards and readers, while larger facilities selected multitechnology cards for their upgrade solutions. In fact, large installations with multiple or multinational facilities with mixed technology cards are good candidates for multitechnology readers.
Experts at Phoenix, AZ-based Knox explain that the movement toward retrofitting existing buildings is on the rise. As the real estate economy recovers from the recent slowdown, the concept of remodeling and retrofitting older, existing structures will look even more economically attractive.
For example, if a facility professional has a building with ABC locks in place but wants to add more access points or change some doors to XYZ locks, the fm can choose the hardware on the door. This allows customers to add more access points at less cost, since they don’t have to run any wires to the updated equipment. A new standalone lock can be installed and integrated into an existing security system.
Data Protection And IT’s Security Role
While Bomba handles physical security for access into places like the data centers, his IT department still handles most of the computer security. Vendors are reporting that, with the emergence of newer technologies, IT personnel are delving into other security initiatives besides saving the network from being compromised.
For example, many more security products ranging from CCTVs to card readers are IP-enabled, allowing companies to perform surveillance or view physical access points through network infrastructures, therefore playing into the strengths of fms with IT oversight.
An enterprise wide approach is recommended by DSX Access Systems, Inc., a Dallas, TX-based provider of security software solutions. The company’s WinDSX product is a 32-bit application that works with Windows 2000/Server 2003/XP Pro/Vista Business and is available in Microsoft Access and SQL versions.
IT and facility management (FM) departments are also trying to combine their employee logical and physical access through the use of single solution ID cards, according to Rob Zivney, vice president of marketing for Santa Ana, CA-based Hirsch Electronics. Hirsch has a feature called role based access control, which can take logical access and group people together.
For example, everyone in the marketing department can have certain computer privileges or access to certain areas of the building.
Today’s access control systems can alert necessary in-house personnel if a break-in occurs or something suspicious pops up on a company’s network. Since it is handled with real time monitoring, it is more hands off for the end user.
While the main emphasis of data protection has shifted toward computer network security measures, paperwork, if not properly discarded, can also cause company information to be compromised. It is simply good business practice to take the proper steps to manage information from creation to destruction.
Vendors report that numerous organizations across vertical markets are seeking more sophisticated products and systems. Some manufacturers say that not only are the traditional markets like government agencies purchasing electronic comprehensive systems, but newer markets are getting into the act.
Recent high profile shootings at colleges such as Virginia Tech and Northern Illinois University serve as reminders of how vulnerable schools have become. For instance, K-12 schools, universities, and hospitals are buying badges. Typically, these have been open environments, but many are now looking to close the loop.
Another byproduct of domestic security threats is the growth of mass notification systems. This technology is like a gigantic public address system that provides pre-recorded or live voice communication to personnel over a wide area through a highly secure encrypted wireless network.
Back in 2004, these systems were mandated in most United States Department of Defense (DOD) facilities. Now, these systems are moving into other vital government agencies (like OSHA, the Nuclear Regulatory Commission, the EPA, and FEMA), as well as hospitals and large school campuses.
SimplexGrinnell of Westminster, MA, has skilled technicians and partners who can design, install, test, and maintain mass notification systems that often exceed Unified Facilities Criteria specifications. The company’s mass notification systems incorporate primary and back-up control centers, individual building systems, giant voice, telephone alerting systems, and other customizable options.
Advances in closed circuit television continue to create new models with vast improvements over their older predecessors. In the past, CCTV’s motion detectors were sensitive to all movements. But today, special preset instructions can be programmed into modern camera systems so there is more specificity to the cameras’ surveillance, according to Miguel Lazatin, senior marketing manager for security at Park Ridge, NJ-based Sony.
Some other special features include alarms, facial recognition technology, and IP-based cameras. One of the bigger new developments in CCTV products is taking analog camera feed information and being able to use a digital video recorder to turn it into digital data.
Lazatin says considerations like budget, type of industry, and objects being monitored are all things to think about before upgrading to an IP-based camera product. “When there are enough sources to be dedicated to an IP-based surveillance system, that might be a good time to consider an IP-based solution,” he explains.
On the other hand, some experts suggest IP-networked cameras for all new facilities, if possible.
The Future Is Here
According to Steve Lucas, security business manager of Richmond, VA-based Tridium, open building systems allow different products to coordinate simultaneously. Lucas gives the example of a company with multiple buildings on a corporate campus. Within each of these buildings, various locks are used from different vendors, but with open architecture and interoperable systems, door locks can be simultaneously coordinated—should an emergency arise and a company switch to lockdown mode.
While Lucas sees the development of open standards as a good thing, he does acknowledge that no one standard has risen to the top. Zivney also sees the lack of one clear standard as holding things back a “little bit,” but going from proprietary products and systems to open architecture is naturally going to suffer some growing pains. Ultimately, Zivney believes progress is being made in addition to cooperation and understanding within the various security, IT, and building automation industries, which will help to achieve true interoperability.
Where To Go?
With so much information and complexity, fms may find it a bit daunting to start the security assessment process. However, the Internet, vendors, and organizations like ASIS International and SIA all have information that can help. And events like The TFM Show provide a venue for fms to share experiences with other fms who have been through the process.
Bomba believes organizations like ASIS International, with its increased emphasis on board certified programs and development of security standards, are a particularly important resource.
Wetherell also sees great value in security organizations. “ASIS International and Microsoft have entered into a partnership that will promote ASIS certifications, raise IT security awareness among members, and educate IT professionals about physical security,” he states. “Also, ASIS certification programs have received ISO registration.” He says this adds credibility to such programs.
Wetherell says fms and security professionals need to see the importance of their overall businesses and understand how to present security initiatives to their organizations when needed. This will go a long way toward securing the funding they need. With safety of people and property such a high priority, fms must be suitably prepared to take an active role in sitewide security strategies.
Parkinson is a freelance writer and former managing editor of Today’s Facility Manager.