Whitepaper best practices for integrated physical security supporti…

SubmitSearch
Upload
Login
Signup
Search SlideShare
Explore
Like this document? Why not share!
Share
Email
Physical security.ppt
5387 views
Chemsec Cfats
Riskbased Performance... 3558 views
Physical Security
Domain 9460 views
The Perimeter
Protection Issues, Te... 282 views
Share Email Embed Like Save
by Faheem Hasan by guest0a566eby amiable_indianby Hafiza Abasby Nc Dasby Proexportby oomagooliesby Imran Khanby Faheem Hasanby jbmills1634by Moment_of_Revelationby leminhvuong

Hospital security
services 6828 views
1. c tpat minimum
security criteria 775 views
Rapid data services
limited 937 views
Development of
security architecture 454 views
Physical Security
Assessment 2633 views
It security-plan-
template 197 views

Applying
securitypractices 114 views
Module 10 Physical
Security 4755 views
Follow
Physical security.ppt
5387 views
Like
Chemsec Cfats Riskbased
Performance Standards[1]
3558 views
Like
Physical Security Domain
9461 views
Like
The Perimeter Protection Issues,
Technique and Operation
283 views
Like
Hospital security services
6831 views
Like
1. c tpat minimum security criteria
775 views
Like
Rapid data services limited
937 views
Like
Development of security
architecture
455 views
Related More

Like
Physical Security Assessment
2633 views
Like
It security-plan-template
197 views
Like
Applying securitypractices
114 views
Like
Module 10 Physical Security
4755 views
Like
Chap5 2007 Cisa Review Course
2789 views
Like
mta lesson 1 slides
38 views
Like
SIM - Mc leod ch09
85 views
Like
DS-5
727 views
Like
Physical Security Assessment
5712 views
Like
Do d directives regarding wireless
lan
317 views
Like
Attachment I
524 views
Like
TSA 2011 Pipeline Security
Guidelines
239 views

Like
CISSP week 26
702 views
Like
Information Security Management
System
4477 views
Like
Physical Security Presentation
620 views
Like
Chapter008
926 views
Like
Isps code guidelines
4933 views
Like
9781423903055 ppt ch10
1551 views
Like
HIPAA Security Summi..
904 views
Like
Physical security of an
Organization
121 views
Like
Maritime security operative isps
357 views
Like
Operations_Security - Richard
Mosher
2533 views
Like
Micro Networks Electronic Security
System Capabilities
92 views
Like
Material best practices in network
security using ethical hacking

1019 views
Like
Gao cybersecurity
90 views
Like
Open Source Security Testing
Methodology Manual - OSSTMM
2.1
2061 views
Like
Designing a security policy to
protect your automation solution
220 views
Like
The 300 Leonidas Solution
2243 views
Like
Hipaa Training Final Draft
2051 views
Like
Hirsch Identive | White Paper |
Securing the Enterprise in a
Networked World
752 views
Like
IT Security for the Physical
Security Professional
1367 views
Like

Whitepaper best practices for integrated physical security supporti…

3 months ago
Whitepaper Best Practices For Integrated Physical Security
Supporting Ma Itd Sec 10
Document Transcript
1. An AACI White Paper Auburn Regional Office 489 Washington Street Auburn, MA 01501 Phone:
(508) 453-2731 www.AmericanAlarm.com Best Practices For Integrated Physical Security Capabilities
Supporting Massachusetts Document Reference: ITD-SEC-10.1 Dated: October 29, 2010 | Entitled
1
‹ ›
/24
Like Share Save
After careful review of the Commonwealth of “Massachusetts Enterprise Physical & Environmental Security
Policy”, the following Whitepaper was prepared as a response utilizing concepts, best ...
Whitepaper Best Practices For Integrated Physical
Security Supporting Ma Itd Sec 10
by James McDonald, Security & Loss Prevention Consultant at
ASIS/ACFE/MassBiz/PHYSECTESC
on May 16, 2011
Tweet 0 0
3,262
views
0Like Share
Show more
No comments yet 1 Like
naarasimharanagani

“Enterprise Physical & Environmental Security Policy” By James E. McDonald Integrated Systems
Consultant Government Contracts Team
2. Executive Summary Contents Physical Security Technology today is all about the network, if you’re
not on the network you are probably not working. The physical protection of Executive Summary 2
facilities including the perception of detection of The Security Policy Applies To 2 negative human
behaviors is the key to effective physical, network security and risk management. Perception of
Detection and Fraud 3 Compliance Consulting Process 5 In response to the Commonwealth of
Massachusetts Overview 5 Enterprise Physical & Environmental Security Policy (Reference # ITD-SEC-
10.1 Issued Dated 10-29-2010) Commonwealth Policy Statement 6 issued by the Information
Technology Division, this Physical Security Best Practices 9 document articulates available physical
security and monitoring solutions to meet the requirements that Critical Infrastructure and Secretariats
and their respective Agency or Environmental Monitoring 15 Contractors facilities must address in
defining a policy to implement adequate physical and Implementation 16 environmental security controls
and to secure and Key External Technology 16 protect information, assets, infrastructure and Key
Internal Technology 16 Information Technology (IT) resources by using solutions provided to these
departments under Policy Basics 17 procurement contract Operational Services Division Non-Compliance
18 (OSD) contract FAC64. Identification Procedures 18 According to this policy the Secretariats and
their Physical Security Information respective Agencies must implement the appropriate combination of
controls (administrative, Management (PISM) 19 technical, physical) to provide reasonable assurance In
Summary 20 that security objectives are met. Agencies must achieve compliance with the overall
information FAC64 State Contract 21 security goals of the Commonwealth including Contact Information
21 compliance with laws, regulations, legal agreements, Appendix A: Understanding Physical policies and
standards to which their technology resources and data, including but not limited to Access Control
Solutions 22 personal information (PI), are subject. This policy encompasses existing technologies
existing within each department and the physical security solution technologies themselves since these
integrated solutions are also network appliances. The Security Policy Applies ToAny opinions, findings,
conclusions, or All Commonwealth of Massachusetts Secretariatsrecommendations expressed in this
publication and their respective Agencies and entities governeddo not necessarily reflect the views of by
the Enterprise Information Security Policy whoAmerican Alarm & Communications, Inc.,(AACI).
Additionally, neither AACI nor any of must adhere to requirements of this supportingits employees makes
any warrantee, expressed policy.or implied, or assumes any legal liability orresponsibility for the
accuracy, completeness, The requirements described in the ITD-SEC-10.1or usefulness of any
information, product, or document must be followed by:process included in this publication. Users of •
Executive Department employeesinformation from this publication assume all • Executive Department
Secretariats andliability arising from such use. their respective Agencies, in addition to any agency 2
3. or organization that connects to the protection, alarm monitoring and related securityCommonwealth’s
wide area network systems by the Commonwealth of Massachusetts.(MAGNet), are required to
ensurecompliance by any business partner that Covered under the states purchasing contractaccesses
Executive Department IT resources known as "FAC64 Security Surveillance and Accessor shared
environments, e.g. MAGNet; and Control Systems" the states designation of American• Contractors or
vendors performing Alarm establishes preferred pricing for any eligiblework in or providing goods and
services to public entity in Massachusetts. AdditionalCommonwealth managed spaces information
concerning this 3 year contract is• Visitors to any Commonwealth available on-line atmanaged physical
space (e.g. offices, http://www.americanalarm.com/business-buildings, and network closets) or
resource. security/fac64-state-contractOther Commonwealth entities are The following protective
programs and technologiesencouraged to adopt, at a minimum, involve measures designed to prevent,
deter, detect,security requirements in accordance with and defend against threats; reduce vulnerability
tothis Enterprise Physical and Environmental an attack, internal losses, and other disaster;Security Policy
or a more stringent agency mitigate consequences; and enable timely, efficientpolicy that addresses
agency specific and response and restoration in any post-event situation.business related directives, laws,
and Protective programs that benefit theregulations. Commonwealth are in place at many facilities.
American Alarm and Communications, Inc. (AACI)Operational Services Division (OSD) as the have
designed, installed and continue to monitor aCommonwealths’ central procurement range of integrated
security systems for publicagency whose primary role is to coordinate entities including:the procurement
activity for commoditiesand services on Statewide Contracts and • Executive Office of Health and Human

ServicesCommonwealth Executive Branch (EOHHS),Departments. OSD Contract FAC64 for • The
Judicial Branch/Trial Courts,Security, Surveillance and Access Control • Department of Revenue
(DOR),Systems is a new (2010) statewide contract • Registry of Motor Vehicles,that covers all security,
surveillance and • Massachusetts Medical Examiner’s Office inaccess control needs with monitoring
Boston and Holyoke,services, locksmiths, security cameras, • State Firefighting Academy in Stow,lobby
turnstiles, CCTV, vehicle access • Hampden County Sheriff’s Outreach Center inbarrier, metal detectors,
x-ray machines Springfieldand locks. Labor under this contract is • Western Massachusetts Hospital in
Westfield,covered under the Prevailing Wage Law. among others.Statewide Contracts are written to meet
the Perception of Detection and Fraudneeds of public purchasers, including but The following describes
what is known as the fraudnot limited to: Executive and Non-Executive triangle. In order for fraud or
most crime andBranch departments, municipalities, “Negative Behaviors” to occur, all three
elementscounties, public colleges and universities, have to be present. The Commonwealth and itspublic
purchasing cooperatives, local individual Departments can takes steps to influenceschools, state facilities,
public hospitals, all three legs. Commonwealth employees should becertain non-profit organizations,
cognizant of pressures and how they relate to theindependent authorities, political sub- Commonwealth’s
overall security risk.divisions and other states. Rationalizations can be reduced by promoting aAmerican
Alarm has been awarded a three- strong sense of ethical behavior amongst employeesyear designation as
an approved provider of and creating a positive work environment. Byvideo surveillance, access control,
intrusion3
4. implementing strong internal controls, the person reconciling his/her behavior (stealing)
withCommonwealth can remove much of the the commonly accepted notions of decency andopportunity
for negative behaviors to occur trust. Some common rationalize-tions forand can increase the chances of
detection. committing fraud are: • The person believes committing fraud is justifiedThis is the most
widely accepted theory for to save a family member or loved one.explaining why people steal was
postulated • The person believes they will lose everything –in the early 1950’s by Dr. Donald R. Cressey,
family, home, car, etc. if they don’t take thewhile working on his doctoral dissertation money.on the
factors that lead people to steal • The person believes that no help is availablefrom their employers. He
called them ‘Trust from outside.Violators’, he was especially interested in • The person labels the theft as
“borrowing”, andthe circumstances that lead otherwise fully intends to pay the stolen money back
athonest people to become overcome by some point.temptation. To serve as a basis of his work • The
person, because of job dissatisfactionhe conducted about 200 interviews with (salaries, job environment,
treatment byinmates at Midwest prisons at the time managers, etc.), believes that something iswere
incarcerated for embezzlement. Today owed to him/her.this work still remains the classic model for •
The person is unable to understand or does notthe occupational thief. Over the years his care about the
consequence of their actions ororiginal hypothesis has become known as of accepted notions of decency
and trust.the Fraud Triangle. Opportunity Opportunity is the ability to commit fraud. Because fraudsters
don’t wish to be caught, they must also believe that their activities will not be detected. Opportunity is
created by weak internal controls, poor manage-ment oversight, and/or through use of one’s position and
authority. Failure to establish adequate procedures to detect fraudulent activity also increases the
opportunities fraud for to occur. Of the three elements, opportunity is the leg that organizations have the
most control over. It is essential that organizations build processes,Financial Pressure procedures, use
technology and controls that don’t needlessly put employees in a position to commitFinancial Pressure is
what causes a person fraud and that effectively detect fraudulent activity ifto commit fraud. Pressure can
include it occurs.almost anything including medical bills,expensive tastes, addiction problems, etc.
Opportunity-Rationalization-Financial PressureMost of the time, pressure comes from asignificant
financial need/problem. Often The key is that all three of these elements must existthis need/problem is
non-sharable in the for the trust violation to occur. Technology haseyes of the fraudster. That is, the
person always been used to attack the opportunity leg tobelieves, for whatever reason, that their create
the perception that if you try you will beproblem must be solved in secret. However, detected. "Crede
Sed Proba" or “Trust but Verify” issome frauds are committed simply out of the key to eliminating
negative behaviors andgreed alone. policies being followed, thus minimizing fraud. A fraud prevention
consultant can discuss the “Red-Rationalization Flags” of fraud in further detail.Rationalization is a crucial
component inmost frauds. Rationalization involves a4
5. Compliance Consulting Process 4. Prioritize. We have found that it is notOur countermeasures today
and services appropriate to develop a single, overarchingcan provide a detailed assessment of all

prioritized list for the Commonwealth,processes, policies and procedures such as: many factors may
come into play such aspurchasing, cash handling, work flow locations, lease terms, etc.management,
information technology, and 5. Implement Solutions. There is no universalclient intake, human resources,
billing, etc. solution for implementing protective security measures, different departmentsA review
security goals, objectives, and and agencies implement the most effectiverequirements; Align business
and solutions based on their assessments.technology strategies for protecting assets 6. Measure
Progress. By measuring theby consolidating external compliance and effectiveness of protective solutions
andsecurity best practice requirements into a their performance, together we cancommon control
framework. Then we continually improve the security,review the existing policies and security
infrastructure at each facility.architecture against the controls necessaryto achieve compliance
requirements, We will collaborate with you to develop a road mapreview the effectiveness of policies and
in design, implementation and best practices ofprocedures, conduct an audit and track and physical
security solutions which are aligned withdocument actual data. We prioritize gaps, your departments or
agency’s mission and valuesvulnerabilities, and possible loss scenarios that will support rather than hinder
its operation.according to risk, present findings andprioritized recommendations for addressing
Overviewdiscovered weaknesses. To assist our In todays ever-growing regulatory compliancecustomers
in developing a framework of landscape, organization can greatly benefit fromcompliance we at
American Alarm and implementing viable and proven physical securityCommunications, Inc., have
developed a best practices for their organizations.six-step process. There are plenty of complicated
documents that can 1. Set Goals and Objectives. The guide companies through the process of designing
a Secretariats and their respective secure facility from the gold-standard specs used by agencies define
specific outcomes, the federal government to build sensitive facilities conditions, end points or like
embassies, to infrastructure standards published performance targets as guiding by industry groups like
ASIS International, to safety principles to collectively constitute requirements from the likes of the
National Fire and effective physical security/risk Protection Association. management posture. 2. Identify
Assets, Systems. The Recent federal legislation, ranging from the Gramm- identification of assets and
Leach Bliley Act (GLBA), the Health Insurance facilities is necessary to develop an Portability and
Accountability Act (HIPAA) and The inventory of assets that can be Sarbanes Oxley Act of 2002 (SOX)
Homeland Security analyzed further with regard to Presidential Directive 7 (HSPD-7) are putting intense
criticality of information needing pressure on public and private entities to comply protection. with a
myriad amount of security and privacy issues. 3. Assess Risks. We approach each What’s more, the
public is looking for assurances security risk by evaluation that a strong control environment is in place,
to consequence, vulnerability and protect private information with security best threat information with
regard to practices. attack or other hazard to produce a comprehensive rational Homeland Security
Presidential Directive 7 (HSPD-7) assessment. identified 18 critical infrastructure and key resources
(CIKR) sectors and designated Federal Government5
6. Sector-Specific Agencies (SSAs) for each of contribute the most to risk mitigation by loweringthe
sectors. vulnerabilities, deterring threats, and minimizing the consequences of outside attacks and other
incidents. • Agriculture and Food Sector • Banking and Finance Sector Commonwealth Policy Statement •
Chemical Sector In this section are excerpts from the “Enterprise • Commercial Facilities Sector Physical
& Environmental Security Policy” • Communications Sector Secretariats and their respective Agency or •
Critical Manufacturing (CM) Sector Contractors’ facilities housing information and IT • Dams Sector
Resources (e.g. telephone networks, data networks, • Defense Industrial Base (DIB) servers,
workstations, storage arrays, tape back-up Sector systems, tapes) must protect the physical space in •
Emergency Services Sector (ESS) accordance with the data classification of the IT • Energy Sector
Resource or the operational criticality of the • Government Facilities Sector equipment. • Healthcare and
Public Health Sector Agencies are required to implement controls to • Information Technology (IT)
Sector secure against unauthorized physical access, damage and interference to the agency’s premises, •
National Monuments and Icons information and other assets including, but not (NM&I) Sector limited to,
personal information (PI) and IT • Nuclear Sector Resources by implementing: • Postal and Shipping
Sector • Transportation Systems Sector 1. Workforce Security: Secretariats and their • Water Sector
respective Agencies must implement administrative and managerial controls that engage the
workforceEach sector is responsible for developing through awareness and participation. To
accomplishand implementing a Sector-Specific Plan this, Secretariats and their respective Agencies must:
(SSP) and providing sector-levelperformance feedback to the Department • Identify a management team
that will beof Homeland Security (DHS) to enable gap responsible for managing and enforcing

theassessments of national cross-sector CIKR requirements detailed in this policy. Theprotection
programs. SSAs are responsible Secretariat or Agency ISO or designee must befor collaborating with
public and private part of the management team.sector security partners and encouraging o Implement
appropriate procedures that addressthe development of appropriate at a minimum:information-sharing and
analysis o Misplaced or stolen keys or any other itemsmechanisms within the sector. used to gain
physical access. o Suspicion of any potential physical securityFor example the 2010 Information threat
including potential break-ins or theTechnology (IT) Sector-Specific Plan (SSP) is presence of
unauthorized persons.the result of a collaborative effort among o Changes in procedures for medical, fire
orthe private sector; State, local, and tribal security events.governments; non-governmental o Ensure
storage of and access to sensitiveorganizations; and the Federal Government. information or resources on
portable media areThe 20I0 IT SSP provides a strategic handled in a manner that is consistent with
thisframework for IT Sector critical policy and the classification level of the data.infrastructure and key
resources (CIKR) o Educate any individual requiring access toprotection and resilience. The combined
Commonwealth managed space of theirefforts across IT Sector partnerships will responsibility to comply
with this policy prior toresult in the prioritization of protection providing access, including:initiatives and
investments to ensure thatresources can be applied where they6
7. o Helping to ensure that agency access 3. Visitor control: Agencies must develop points
(entrances/exits) in work areas and enforce procedures to monitor and control remain secure.
Specifically, locked access to secure IT facilities and offices by visitors. doors must remain locked and
any Examples of visitors may include contractors, access codes, keys, badges or other vendors,
customers, friends/family of employees access devices must not be left in and employee candidates.
Procedures must accessible places or shared in an address: unauthorized manner. • Requirements for use
and maintenance ofo Notify employees that failure to comply visitor logs. with this policy and related
policies and • Requirements for visitor identification. procedures may result in disciplinary • Requirements
specific to a given security zone, action. e.g. escorted access to highly sensitive areas.o Notify vendors,
consultants, or contractors that failure to follow this 4. Facility access controls of IT Resources: policy
or related policies and Secretariats and their respective Agencies must procedures may be grounds for
implement, or ensure third party implementation of, termination of existing agreements and physical
access controls for all Agency IT facilitys and may be considered in evaluation and offices that they are
responsible for, including access negotiation for future agreements. controls for public areas, deliveries
and loading areas. Access controls must be implemented based2. Least privilege: Agencies must on the
data classification or operational criticality ofapply the principle of least privilege when the IT Resources
that are housed within a givengranting physical access rights to facility or security zone. A security risk
assessmentindividuals. must be performed and documented to locate (map) physical areas and the levels
of security needed at• Physical access controls must be each location. granted at the lowest level of
access, rights, privileges, and security Appropriate levels of security controls must be permissions
needed for an individual to installed at areas needing higher levels of security. effectively perform
authorized tasks on any IT Resource or information or Acceptable methods for implementing such
controls within a Commonwealth managed include but are not limited to: facility. • Electronic Card
Access.• It is important to understand the role • Traditional Lock and Key Access. of the individual who
is granted access • Motion and Breach Detection System. and how that role impacts the privilege • Video
Monitoring. requirements. For example, the role of • Security Service Provider or Third Party a delivery
driver, the individual Monitoring Service. responsible for janitorial services in • Attendants, Security
Guards or Police Officers. secure areas, and the network • Paper or Electronic Logs. administrator each
have different roles 5. Equipment and Environmental security: that require varying levels of privilege.
Secretariats and their respective Agencies are• Agencies must also address the responsible for ensuring
that Commonwealth technical, operational and managerial managed facilities (including IT facilities,
offices or controls necessary to achieve facilities that house telephone networks, data compliance with
least privilege in those networks, servers, workstations, and other IT-related instances where authorized
users have systems) can implement adequate environmental physical access to logically separated
safeguards to ensure availability and protect against data, applications and/or virtualized damage (e.g.
from high heat, high humidity, etc.). hosts. Environmental safeguards that must be evaluated,
implemented and maintained as appropriate include:7
8. • Secure installation and maintenance of prior to sending the equipment off-site for any Network
cabling that protects against reason. At a minimum, Agencies must: damage to the physical cabling and/or

unauthorized interception of data o Securely remove any sensitive data that does traversing the network
cables. not need to reside on the equipment.• Ability to monitor and detect variation o Have reasonable
assurance that the party in temperature and humidity responsible for the equipment while it is off site
associated with the use of Heating, understands and accepts responsibility for Ventilation and Air
Conditioning (HVAC) protecting the equipment, information about systems. the equipment or information
stored on the• Use of industry standard methods for equipment at the appropriate level based on the
maintaining consistent power supply sensitivity classification of the equipment and including backup
generators and/or associated information. Uninterrupted Power Supplies (UPS).• Use of industry standard
network 7. Secure disposal, removal, or reuse of components including routers, equipment: Agencies
must document and switches, intelligent hubs and implement procedures to reasonably ensure secure
associated cabling. handling and disposal of IT-related equipment,• Use of leak detection devices (water).
particularly hardware that contains data classified as• Use of fire detection and suppression having high or
medium sensitivity. Procedures must, devices including fire extinguishers and at a minimum, accomplish
the following: sprinkler systems.• Protection against environmental • Secure removal or overwriting of
licensed hazards such as floods, fires, etc. software prior to disposal. • Effective and permanent removal
of theAny changes to the deployed environmental contents/data on the storage device ofsafeguards which
affect the availability of computing equipment using industry standardassets or information must be
reported techniques or tools to make the originalimmediately to the business owner, service information
non-retrievable. Note: Using themanager and ISO or management team as standard delete or format
function is anrequired by Secretariat or Agency unacceptable method of achieving this goal.procedures. •
Ensure all equipment containing storage media, e.g., fixed hard drives are checked to verify that6.
Equipment Maintenance: any licensed software or information classifiedAgencies must have maintenance
as having medium or high sensitivity areprocedures in place to accomplish the removed or overwritten
prior to disposal.following: • Specify whether damaged storage devices,• Keeping all systems and IT
equipment particularly those containing information maintained and updated per classified as having high
or medium sensitivity, manufacturer recommendations to must be repaired or destroyed. Procedures may
ensure availability and integrity of the require that a risk assessment be performed to data and services
provided by the determine how the device will need to be equipment. handled. For example, does the
content of the• Ensuring that all maintenance, device indicate that the device should be troubleshooting
and repair services are physically destroyed rather than sent out for provided by authorized personnel.
repair or discarded?• Keeping current documentation including maintenance logs, fault logs, What should
be the high-level goals for making sure diagnostic details, service records and that physical security for
the facility is built into the corrective measures taken. designs, instead of being an expensive or
ineffectual• Ensuring adequate controls are afterthought? implemented for off-site equipment8
9. From the moment an individual arrives on compliance with department policies andthe grounds and
walks through the doors, procedures.the following items should be part of afacility physical security best
practices Policiesprogram. An organization should consider including the following physical security
policies in thePhysical Security Best Practices organization’s overall security policy:This section
discusses our ideas on best in Identify unauthorized hardware attached to theclass physical security
concepts that we use department computer system—make routine checksin our analysis of each
department. of system hardware for unauthorized hardware.Computer systems and networks are Limit
installation of hardware and software ownedvulnerable to physical attack; therefore, by employees on
department desktop workstations.procedures should be implemented to Identify, tag, and inventory all
computer systemensure that systems and networks are hardware. Conduct regular inspections
andphysically secure. Physical access to a inventories of system hardware. Conductsystem or network
provides the opportunity unscheduled inspections and inventories of systemfor an intruder to damage,
steal, or corrupt hardware. Implement policies that instructcomputer equipment, software, and
employees/users on how to react to intruders andpersonal information. When computer how to respond
to incidents in which an intrusionsystems are networked with other has been detected.departments or
agencies for the purpose ofsharing information, it is critical that each Physical security practices should
address threatsparty to the network take appropriate due to theft, vandalism, and malicious internal
ormeasures to ensure that its system will not external staff.be physically breached, therebycompromising
the entire network. Physical • Theft—Theft of hardware, software, or data cansecurity procedures may
be the least be expensive due to the necessity to restore lostexpensive to implement but can also be the
data and the cost of replacing equipment andmost costly if not implemented. The most software. Theft
also causes a loss of confidenceexpensive and sophisticated computer in the department that may have

compromisedprotection software can be overcome once the network.an intruder obtains physical access
to the • Vandalism—Vandalism in most cases is notnetwork. directed at compromising a system or
network so much as it is the senseless destruction ofAt the same time these countermeasures property.
Both external and internalare tools that not only protect the IT perpetrators may pose a vandalism threat.
Lownetwork but also the employees, visitors morale in an organization may be the underlyingand citizens
at Commonwealth facilities. reason for vandalism caused by internal perpetrators. The actual threat to a
networkPurpose posed by vandalism is difficult to assess becauseThis section identifies potential physical
vandalism is generally not motivated by athreats to facilities, hardware, software, conscious effort to
compromise a network. Likeand sensitive information. This section also theft, vandalism can be
expensive due to therecommends best practices to secure necessity to replace damaged equipment
andcomputer systems from physical intrusion. software. • Threats Posed by Internal and External Staff
—Principles Internal and external intruders may attempt toIdentify potential physical threats to manipulate
or destroy IT equipment,departmental computer systems and accessories, documents, and software.
Thenetworks. Establish policies and procedures potential of damage caused by the manipulationto thwart
potential physical threats. of intruders increases the longer they remainConduct audits to monitor
employee undetected, thereby increasing their knowledge9
10. of the system and their ability to wreak sensitive information. Intruders act like havoc on a network.
The threats may department staff and use keywords during include unauthorized access to conversations
to obtain information. “Sounding” sensitive data and outright destruction occurs by telephone when
intruders pose as of data media or IT systems. Internal staff, as in the following examples: staff may
attempt to modify privileges o A staff member who must urgently or access unauthorized information,
complete an assignment but has either for their own purposes or for forgotten his password. others. This
may result in system o An administrator who is attempting to crashes or breaches in other areas of
correct a system error and needs a user the network opened up through password. configuration errors.
o A telephone technician requesting• Temporary workers, contractors, and information, such as a
subscriber consultants represent a unique security number or modem configurations and threat in that
they are generally not settings. subject to the same background checks as a department’s full-time
employees, Applying the following physical security measures but they may be granted the same high
mitigates these threats. level of access to the system and network. Contractors and consultants •
Identification of Unauthorized Hardware will sometimes know the applications Attached to a System—
Establish policies to limit and operating systems running on the employees from attaching unauthorized
network better than department hardware to the office system. Unauthorized employees. Temporary
employees hardware includes computers, modems, should be closely scrutinized until a terminals,
printers, and disk or tape drives. The level of trust can be established. policies should also restrict
software that Consulting firms and contract agencies employees may load onto the office system. should
be questioned about their hiring Implement policies regarding opening policies and standards. Cleaning
staff unidentified e-mail attachments and downloads may also cause threats either by theft off the
Internet. of system components or from using • Perform monthly audits of all systems and the system
improperly, such as by peripherals attached to the network accidentally detaching a plug-in
infrastructure. Make random inspections of connection, allowing water seepage equipment to search for
unauthorized attached into equipment, or mislaying or hardware to the network. Identify missing or
discarding documents as trash. misplaced hardware. Search and identify any• An intruder may attempt to
unauthorized hardware attached to the masquerade as or impersonate a valid network. system user by
obtaining a false identity and appropriating a user ID • Inspect computers and networks for signs of and
password. Someone may be misled unauthorized access. Search for intrusion or about the identity of the
party being tampering with CDs, tapes, disks, paper, and communicated with for the purpose of system
components that are subject to physical obtaining sensitive information. An compromise by damage,
theft, or corruption. intruder can also use masquerading to connect to an existing connection • Protection
against Break-In—Intruders choose without having to authenticate himself, targets by weighing the risk
and effort versus as this step has already been taken by the expected reward. Therefore, all measures the
original participants in the implemented to prevent break-ins should communication. increase the risk to
the intruder of being caught.• Social engineering can be used by The possible measures for protection
against internal or external intruders to access break-ins should be adapted to each specific10
11. situation. Protect doors or windows by systems. When implementing policies for entry adding
security shutters. Add additional regulation, consider the following: locks or security bars. Add additional

lighting inside and outside the building. • The area subject to security regulations Seek advice from police
and security should be clearly defined. professionals. When planning physical • The number of persons
with access should security measures, care must be taken be reduced to a minimum. to ensure that
provisions relating to fire • Authorized persons should be mutually and personal protection (e.g.,
regarding aware of others with access authority in the serviceability of escape routes) are order to be able
to recognize unauthorized not violated. Staff must be trained on persons. the anti-burglary measures that
are to • Visitors should only be allowed to enter be observed. after the need to do so has been previously
verified.• Entry Regulations and Controls—A • The permissions granted must be fundamental but
frequently overlooked documented. aspect of sound internal security is the • Access should be limited by
locked physical restrictions placed on access to rooms/entrances, physical zones, and systems and
networks. Having good identification badges. physical security in place is a necessary • A record must be
kept of accesses. follow-up to whatever office building • Challenge protocols should be added. security
an organization may have in place. Know who is entering Entrance Security Staff—Establishment of an
department offices at all times, and entrance control service has far-reaching, positive ensuring all secure
areas are locked and effects against a number of threats. However, this access restricted. Network
security presupposes that some fundamental principles are measures can be rendered useless if an
observed in the performance of entrance control. intruder can bluff his way past the Entrance security
staff must observe and/or monitor entrance security; walk into a computer all movements of persons at
the entrance. Unknown room; and take diskettes, tapes, or persons must prove their identity to the
entrance servers. security staff. Before a visitor is allowed to enter, a check should be made with the
person to be visited.• Strangers, visitors, craftsmen, and maintenance and cleaning staff should A visitor
must be escorted to the person to be visited be supervised. Should the need arise to or met by the latter at
the entrance. Security staff leave a stranger alone in an office, the must know the office employees. In
case of occupant of that office should ask termination of employment, security staff must be another
staff member to supervise or informed of the date from which this member of request the visitor to wait
outside the staff is to be denied access. A visitor log should be office. If it is not possible to accompany
kept to document access. The issuance of visitors’ outsiders, the minimum requirement passes should be
considered. The job duties of should be to secure the personal work security staff should be designed
specifically to area: desk, cabinet, and computer. The identify their tasks in support of other protective
requirement for this measure must be measures, such as building security after business explained to the
staff and should be hours, activation of the alarm system, and checking made part of department policy
and of outside doors and windows. training. Alarm System—an alarm system consists of a• Control
entry into buildings and rooms number of local alarm devices that communicate housing sensitive
equipment. Security with a control center through which the alarm is measures may range from issuance
of triggered. If an alarm system covering break-ins, fire, keys to high-tech identification water, CO, and
other gases is installed and can be11
12. expanded, surveillance provided by this may be caused by intentional and unintentional acts.system
should include, at a minimum, the IT After an unauthorized intrusion, office routines maycore areas
(such as server rooms, data be disrupted in order to search for damage, theft,media archives, and
technical infrastructure and unauthorized or missing hardware or software.rooms, public areas). This will
enable Intentional or unintentional damage to systems maythreats such as fire, burglary, or theft to be be
caused by temporary help who are employed todetected immediately so that counter- substitute for
cleaning staff. Temporary help maymeasures can be taken. To ensure that this accidentally clean
workstations and sensitiveis the case, it is imperative that the alarms equipment with solutions or by
methods damagingbe sent on to a central command center to hardware.that is permanently staffed
24/7/365. It isimportant that this facility have the Identification of Secure Rooms—Secure rooms
suchexpertise, equipment, and personnel as the server room, computer center, data mediarequired to
respond to the alarm. The archives, and air conditioning unit should not beguidelines of the organization
concerned for identified on office locator boards or by name platesconnection to the respective networks
affixed to the room door. Identifying these sensitiveshould be considered here. areas enables a potential
intruder to prepare more specifically and thus have a greater chance ofSecurity of Windows and Doors—
Windows success.and outward-leading doors (e.g., balconies, Location of Secure Rooms inpatios)
should be closed and lockedwhenever a room is unoccupied. Unexposed Areas of Buildings—secure
rooms shouldInstructions to close windows and outside not be located in areas exposed to view or
potentialdoors should be issued, adding barriers or danger. They also should not be located on the
firstfilms and regular checks should be made to floor of buildings that are open to view by passersbysee

that windows and doors are closed by or that are exposed to attack or vandalism. First-occupants after
leaving the rooms. floor rooms are more likely to be easily observed or exposed to breaking and entering.
Rooms or areasThe doors of unoccupied rooms should be requiring protection should be located in the
centerlocked. This will prevent unauthorized of a building, rather than in its outer walls.persons from
obtaining access todocuments and IT equipment. It is Inspection Rounds—the effectiveness of
anyparticularly important to lock individual measure will always be commensurate to theoffices when
located in areas accessible by enforcement of that measure. Inspection roundsthe public or where access
cannot be offer the simplest means of monitoring thecontrolled by any other means. Staff should
implementation of measures and the observance ofbe instructed to lock their offices when they
requirements and instructions.leave, and random checks should be madeto determine whether offices are
locked Inspection rounds should not be aimed at thewhen their occupants leave. detection of offenders
for the purpose of punishing them. Rather, controls should be aimed primarily atIn an open office, where
cubicles dominate remedying perceived negligence at the earliestand it is not possible to lock individual
possible moment, such as by closing windows oroffices, employees should lock away their taking
documents into custody. As a secondarydocuments in their desks, and a secure objective, security
breaches can be identified anddesktop workstation policy should be possibly avoided in the future.
Inspection roundsimplemented (additional information on should also be made during office hours to
informformulating this policy can be found later in staff members about how and why pertinentthis
section). regulations are being applied. Thus, they will be perceived by all persons concerned as a help
ratherUnauthorized Admission to Rooms than a hindrance.Requiring Protection—If unauthorized Proper
Disposal of Sensitive Resources—Sensitivepersons enter protected rooms, damage information not
properly disposed of may be the12
13. source of valuable information for persons are usually not protected to the same extent as theseeking
to do harm. An intruder, workplace. Workstations at home are accessible tocompetitor, or temporary
staff can gain family members and visitors who may intentionallyvaluable information in a low-tech
manner or unintentionally manipulate business-related databy simply going through trash for discarded on
the workstation, if data is not properly protected.paperwork that might contain sensitive Inadvertent or
intentional manipulation affects theinformation. At a minimum, shred all papers confidentiality and
integrity of the business-relatedand documentation containing sensitive information, as well as the
availability of data and ITcompany information, network diagrams, services on the workstation.
Appropriate proceduresand systems data to prevent a security should be implemented to achieve a degree
ofbreach by those who might seek security comparable with that prevailing on officeinformation by
rummaging through trash. premises. Suitable Configuration of a RemoteEmployees should be advised
against Workplace—It is advisable to assign a secure roomwriting down user IDs or passwords. for use
as a workplace at home. Such a workplace should at least be separated from the rest of theIn the case of
functioning media, the data premises by means of a door.should be overwritten with randompatterns.
Nonfunctioning data media, such IT equipment intended for professional purposesas CDs, should be
destroyed mechanically. should be provided by the employer, and the use ofThe recommended disposal
of material these services for private purposes should berequiring protection should be detailed in a
prevented by formal policies. Employees who workspecific directive and in training; adequate at home
should be questioned regularly ordisposal facilities should be provided. This periodically as to whether
their workplace compliesincludes storage devices and media (i.e., with security and operational
requirements.floppy and hard disks, magnetic tapes, andCDs/DVDs). If sensitive resources are Theft of
a Mobile IT System—Laptop or mobile ITcollected prior to their disposal, the systems create a greater
risk of theft or damage.collected material must be kept under lock Due to the inherent nature of a mobile
system, it willand be protected against unauthorized often be removed from the confines of a
secureaccess. office. Therefore, policies should be implemented to safeguard mobile IT systems.Secure
Desktop Workstations—the first lineof defense in physical security is to secure Suitable Storage of
Business-Related Documents anddesktop workstations. Effective training in Data Media— Business-
related documents and datathe organization’s policies and procedures media at the home workstations
must only beto secure desktop workstations should be a accessible to the authorized employee, and
whensignificant part of network and information they are not in use, they must be kept in a
lockedsecurity strategy because of the sensitive location. A lockable desk, safe, or cabinet must
beinformation often stored on workstations available for this purpose. At a minimum, the lockand their
connections. Many security must be capable of withstanding attacks using toolsproblems can be avoided
if the that are easy to create or purchase. The degree ofworkstations and network are appropriately

protection provided by the drawer should beconfigured. Default hardware and software appropriate to
the security requirements of theconfigurations, however, are set by vendors documents and data media
contained therein.who tend to emphasize features andfunctions more than security. Since vendors In
facilities and offices that operate as “Specialare not aware of specific security needs, Facilities” or other
high risk there are additionalnew workstations must be configured to practices that should be reviewed in
the design andreflect security requirements and planning process.reconfigured as requirements change.
Restrict Area PerimeterRemote Workstations—there is usually a Secure and monitor the perimeter of the
facility.higher risk of theft at home because homes13
14. Have Redundant Utilities that the bollards are down and the driver can goJMaac10 centers need two
sources for forward. In situations when extra security is needed,utilities, such as electricity, water, voice
and have the barriers left up by default, and lowereddata. Trace electricity sources back to two only
when someone has permission to pass through.separate substations and water back to twodifferent main
lines. Lines should be Plan for Bomb Detectionunderground and should come into For facilities that are
especially sensitive or likelydifferent areas of the building, with water targets, have guards use mirrors to
checkseparate from other utilities. Use the underneath vehicles for explosives, or provideFacilitys
anticipated power usage as portable bomb-sniffing devices. You can respond toleverage for getting the
electric company to a raised threat by increasing the number of vehiclesaccommodate the buildings
special needs. you check, perhaps by checking employee vehicles as well as visitors and delivery
trucks.Deter, Detect, and DelayDeter, detect, and delay an attack, creating Limit Entry Pointssufficient
time between detection of an Control access to the building by establishing oneattack and the point at
which the attack main entrance, plus a another one for the loadingbecomes successful. dock. This keeps
costs down too.Pay Attention to Walls Make Fire Doors Exit OnlyFoot-thick concrete is a cheap and
effective For exits required by fire codes, install doors thatbarrier against the elements and explosive dont
have handles on the outside. When any ofdevices. For extra security, use walls lined these doors is
opened, a loud alarm should soundwith Kevlar. and trigger a response from the security command
center.Avoid WindowsThink warehouse and not an office building. Use Plenty of CamerasIf you must
have windows, limit them to the Surveillance cameras should be installed around thebreak room or
administrative area, and use perimeter of the building, at all entrances and exits,bomb-resistant laminated
glass. and at every access point throughout the building. A combination of motion-detection devices,
low-lightUse Landscaping for Protection Trees, cameras, pan-tilt-zoom cameras and standard
fixedboulders and gulleys can hide the building cameras is ideal. Footage should be digitallyfrom passing
cars, obscure security devices recorded and stored offsite.(like fences), and also help keep vehiclesfrom
getting too close. Oh, and they look Protect the Buildings Machinerynice too. Keep the mechanical area
of the building, which houses environmental systems and uninterruptibleKeep a 100-foot Buffer Zone
Around the Site power supplies, strictly off limits. If generators areWhere landscaping does not protect
the outside, use concrete walls to secure the area. Forbuilding from vehicles, use crash-proof both areas,
make sure all contractors and repairbarriers instead. Bollard planters are less crews are accompanied by
an employee at all times.conspicuous and more attractive than otherdevices. Personnel Surety Perform
appropriate background checks on andUse Retractable Crash Barriers at Vehicle ensure appropriate
credentials for facility personnel,Entry Points and, as appropriate, for unescorted visitors withControl
access to the parking lot and access to restricted areas or critical assets.loading dock with a staffed
guard stationthat operates the retractable bollards. Usea raised gate and a green light as visual cues14
15. Plan for Secure Air Handling airlock in between. Only one door can be opened atMake sure the
heating, ventilating and air- a time, and authentication is needed for both doors.conditioning systems can
be set torecirculate air rather than drawing in air At the Door to an Individual Computer Processingfrom
the outside. This could help protect Roompeople and equipment if there were some This is for the room
where actual servers,kind of biological or chemical attack or mainframes or other critical IT equipment is
located.heavy smoke spreading from a nearby fire. Provide access only on an as-needed basis, andFor
added security, put devices in place to segment these rooms as much as possible in order tomonitor the
air for chemical, biological or control and track access.radiological contaminant. Watch the Exits
TooEnsure nothing can hide in the walls and Monitor entrance and exit—not only for the mainceilings
facility but for more sensitive areas of the facility asIn secure areas of the facility, make sure well. Itll
help you keep track of who was where,internal walls run from the slab ceiling all when. It also helps with
building evacuation if theresthe way to subflooring where wiring is a fire..typically housed. Also make
sure drop-downceilings dont provide hidden access points. Prohibit Food in the Computer Rooms

Provide aUse two-factor authentication Biometric common area where people can eat without
gettingidentification is becoming standard for food on computer equipment.access control to sensitive
areas of facilities,with hand geometry or fingerprint scanners Install Visitor Rest Roomsusually
considered less invasive than retinal Make sure to include rest rooms for use by visitorsscanning. In other
areas, you may be able to and delivery people who dont have access to theget away with less-expensive
access cards. secure parts of the building.Harden the Core with Security Layers Critical Infrastructure
and EnvironmentalAnyone entering the most secure part of Monitoringthe facility will have been
authenticated at "Critical infrastructure" is defined by federal law asleast three times, including at the
outer "systems and assets, whether physical or virtual, sodoor. Dont forget youll need a way for vital to
the United States that the incapacity orvisitors to buzz the front desk (IP Intercom destruction of such
systems and assets would have aworks well for this). At the entrance to the debilitating impact on
security, national economic"data" part of the facility. At the inner door security, national public health or
safety, or anyseparates visitor area from general combination of those matters.employee area. Typically,
this is the layer American Alarm & Communications, Inc. providesthat has the strictest "positive control,"
technology and services to monitor many key areasmeaning no piggybacking allowed. For of your
operation.implementation, you have two options: Communication between your business alarm-A floor-
to-ceiling turnstile system and our Monitoring Center is a critical part ofIf someone tries to sneak in
behind an your protective system. Our Underwriters’authenticated user, the door gently Laboratories
(U.L.) Listed Monitoring Center is therevolves in the reverse direction. (In case of core of American
Alarm’s sophisticateda fire, the walls of the turnstile flatten to communications operation. In the event of
an alarm,allow quick egress.) the CPU in your security system sends an alarm signal to-A "mantrap" our
monitoring facility through the phone lines (800Provides alternate access for equipment numbers are not
used, given their unreliability). Theand for persons with disabilities. This signal is then retrieved by our
monitoring center,consists of two separate doors with an and our operators quickly notify the
appropriate15
16. authorities, as well as the designated rule-based generation of actions/penalties, based onresponder, of
the emergency. physical access events. Correlate alarms and identities to better manage situations and
responses across the security infrastructure. Incorporate real-time monitoring and detailed risk analysis
tools to instantly enforce, maintain and report on compliance initiatives Key External Technology Entry
Point Facilities are generally designed with a central access point that’s used to filter employees and
visitors intoAACI Monitoring Capabilities the facility. • Fire All requests are vetted by a security guard
with an • Hold-Up intercom link to ensure that they have a legitimate • Intrusion reason for entering the
premises. • Halon/Ansul Automatic Bollards • Panic/Ambush • Man Down As an alternative to a guard-
controlled gate, • Elevator Phones automatic bollards can be used at entry points. • Off-Premises Video
These short vertical posts pop out of the ground to • HVAC/Refrigeration prevent unauthorized vehicles
from driving onto the • Sprinkler/Tamper/Flow site. When a vehicle’s occupants are verified by a guard,
an access card or other secure process, the • Power Loss/Low Battery bollards are quickly lowered to
allow the vehicle to • Gas/Hazardous Chemicals enter. When in the lowered position, the top of each •
Water Flow/Flood Alarms bollard is flush with the pavement or asphalt and • Environmental Devices
completely hidden. The bollards move quickly and (CO2/CO/ETC.) are designed to prevent more than
one vehicle from • Radio/Cellular Back-Up passing through at any one time. Communications Closed-
Circuit TV / SurveillanceImplementation External video cameras, positioned in strategicAt American
Alarm and Communications, locations, including along perimeter fencing, provideInc., we utilize and
integrate mutable efficient and continuous visual surveillance. Thesolutions to create a physical security
cameras can detect and follow the activities ofcompliance and risk management solution people in both
authorized and “off limits” locations.that can automate and enforce physical In the event someone
performs an unauthorizedsecurity policies, from restricting area action or commits a crime, the digitally
stored videoperimeter and securing site assets to can supply valuable evidence to supervisors,
lawpersonnel surety and reporting of enforcement officials and judicial authorities. Forsignificant security
incidents; this helps to added protection, the video should be stored off-siteensure both governance and
compliance on a digital video recorder (DVR).utilizing an organization’s existing physicalsecurity and IT
infrastructure. Key Internal TechnologyWe can centrally manage all regulations andassociated controls
and automate Lobby/Public Areasassessment, remediation and reporting as With proper software and
surveillance andper defined review cycles. Automatically communications tools, a staffed reception desk,
withtrigger compliance-based actions, such as one or more security guards checking visitors’16

17. credentials, creates an invaluable first line essential element in any access control plan.of access
control. Loading and ReceivingSurveillance For full premises security, mantraps, card readersLike their
external counterparts, internal and other access controls located in public-facingcameras provide constant
surveillance and facilities also need to be duplicated at the facility’soffer documented proof of any
observed loading docks and storage areas.wrongdoing. Operational AreasBiometric Screening The final
line of physical protection falls in front ofOnce the stuff of science fiction and spy the facility’s IT
resources. Private cages and suitesmovies, biometric identification now plays a need to be equipped with
dedicated access controlkey role in premises security. Biometric systems while cabinets should have
locking front andsystems authorize users on the basis of a rear doors for additional protection.physical
characteristic that doesn’t changeduring a lifetime, such as a fingerprint, hand Humans are the weakest
link in any security scheme.or face geometry, retina or iris features. Security professionals can do their
best to protect systems with layers of anti-malware, personal andMantrap network firewalls, biometric
login authentication,Typically located at the gateway between and even data encryption, but give a good
hacker (orthe lobby and the rest of the facility, computer forensics expert) enough time withmantrap
technology consists of two physical access to the hardware, and there’s a goodinterlocking doors
positioned on either side chance they’ll break in. Thus, robust physical accessof an enclosed space. The
first door must controls and policies are critical elements of anyclose before the second one opens. In a
comprehensive IT security strategy.typical mantrap, the visitor needs to first“badge-in” and then once
inside must pass According to a report by the SANS Institute, “ITa biometric screening in the form of an
iris security and physical security are no longer securityscan. silos in the IT environment; they are and
must be considered one and the same or, as it should beAccess Control List called, overall
security.”Defined by the facility customer, an access It is the innermost layer—physical entry to
computercontrol list includes the names of rooms—over which IT managers typically haveindividuals
who are authorized to enter the responsibility, and the means to have effectivefacility environment.
Anyone not on the list control over human access focuses on a set ofwill not be granted access to
operational policies, procedures, and enforcement mechanisms.areas. Policy BasicsBadges and Cards
Given their importance and ramifications onVisually distinctive badges and identification employees,
access policies must come from the topcards, combined with automated entry leadership. After setting
expectations and behavioralpoints, ensure that only authorized people ground rules, actual facility access
policies havecan access specific facility areas. The most several common elements. The most essential
arecommon identification technologies are definitions of various access levels and proceduresmagnetic
stripe, proximity, barcode, smart for authenticating individuals in each group and theircards and various
biometric devices. associated privileges and responsibilities when in the facility.Guard StaffA well-trained
staff that monitors site Step 1facilities and security technologies is an Authorize, identify and authenticate
individuals that require physical access:17
18. delivered to or removed from facilities; Record• Identify the roles that require both the following:
regular as well as occasional physical access and identify the individuals that • Date and time of
delivery/removal. fill these roles. • Name and type of equipment to be• Provide standing authorization and
a delivered or removed. permanent authenticator to individuals • Name and employer of the individual that
require regular access. performing the delivery/removal and the• Require individuals that require
authentication mechanism used. occasional access to submit a request • Name and title of authorizing
individual. that must be approved prior to access • Reason for delivery/removal. being attempted or
allowed.• Authenticate individuals with regular Non-Compliance access requirements through the use of
Violation of any of the constraints of these policies their assigned permanent or procedures should be
considered a security authenticator. breach and depending on the nature of the violation,• Authenticate
individuals with various sanctions will be taken: occasional access requirements through the use of a
personal • A minor breach should result in written identification mechanism that includes reprimand.
name, signature and photograph. • Multiple minor breaches or a major breach should result in
suspension.Step 2 • Multiple major breaches should result in termination.Verify that work to be
performed has beenpre-approved or meets emergency Although older facilities typically just consisted of
aresponse procedures: large, un-partitioned raised-floor area, newer enterprise facilities have taken a page
from ISP • Verify against standard Change designs by dividing the space into various zones—for Control
procedures. example, a cage for high-availability servers, another • Verify against standard area for Tier 2
or 3 systems, a dedicated network Maintenance procedures. control room, and even separate areas for
facilitiesStep 3 infrastructure such as PDUs and chillers. SuchMake use of logs to document the coming
partitioned facilities provide control points forand goings of people and equipment: denying access to

personnel with no responsibility for equipment that’s in them.• Assign the responsibility for the
maintenance of an access log that Identification Procedures records personnel access. Record the The
next step in a physical security policy is to set up following: controls and identification procedures for •
Date and time of entry. authenticating facility users and granting them • Name of accessing individual and
physical access. Although biometric scanners look authentication mechanism. flashy in the movies and
certainly provide an added • Name and title of authorizing measure of security, a magnetic stripe badge
reader individual. is still the most common entry technology, as it’s • Reason for access. simple, cheap,
and effective and allows automated • Date and time of departure. logging, which is a necessary audit trail.
One problem with magnetic readers, according is• Assign the responsibility for the their susceptibility to
tailgating, or allowing maintenance of a delivery and removal unauthorized personnel to trail a colleague
through log that records equipment that is an entryway. That’s why we advise supplementing doors and
locks with recorded video surveillance.18
19. I also like to add a form of two-factor your camera feeds, PISM brings out the best of
yourauthentication to entry points by coupling a equipment.card reader (“something you have”) with
aPIN pad (“something you know”), which To investigate day-to-day incidents, as well asreduces the
risks of lost cards. I also prepare for emergency situations, the securityrecommend using time-stamped
video department makes use of a vast network of videosurveillance in conjunction with electronic
cameras, access control points, intercoms, fire andaccess logs and a sign-in sheet to provide a other
safety systems. PISM unifies all of thesepaper trail. disparate feeds, including systems from diverse
manufacturers, into a single decision-orientedAccess levels and controls, with Common Operating
Picture. Within the PSIMidentification, monitoring, and logging, form Platform are five key
components:the foundation of an access policy, but twoother major policy elements are standards
Integration Services – Multiple strategies are usedof conduct and behaviors inside the facility for
connection, communication with, andsuch as: prohibitions on food and beverages management of
installed devices and systems fromor tampering with unauthorized equipment, multiple vendors. The
PSIM Platform offers completelimitations and controls on the admission of support for the industry’s
most commonly-usedpersonal electronics such as USB thumb device types – out of the box. In addition,
it employsdrives, laptops, smart-phones, or cameras customizable “pipeline” architecture to receiveare
critical. device events. This architecture exploits commonalities among similar devices (includingPolicies
should also incorporate processes format and protocol) and reduces the need for one-for granting access
or elevating restriction off adaptations. Network connectivity is achievedlevels, an exception process for
unusual using combinations of multiple communicationssituations, sanctions for policy violations,
protocols.and standards for reviewing and auditingpolicy compliance. Stahl cautions that Geo-Location
Engine – The Geo Location Enginepenalties for noncompliance will vary from provides spatial recognition
for geo-location ofcompany to company because they must devices and supports situation
mappingreflect each enterprise’s specific risk functionality. The physical position of devices istolerance,
corporate culture, local stored in an internal knowledge base as GIS/GPSemployment laws, and union
contracts. positions or building coordinates. The engine uses the information to determine relevance,
selects, andPhysical Security Information relate devices involved in a given situation. TheManagement
(PISM) system uses the information to overlay graphical representations of security assets and activities
ontoThe PSIM Platform enables the integration Google-type maps or building layouts.and organization of
any number and type ofsecurity devices or systems and provides a Routing Engine – The Routing Engine
is an intelligentcommon set of services for analyzing and switch that connects any security device to
PISMmanaging the incoming information. It also command interfaces or output device(s) andserves as
the common services platform for accommodates any required transformation ofvideo and situation
management formats and protocols between connected devices.applications. In most cases, devices
connect directly to each other and exchange data streams directly, avoidingEffectively maintaining
security of critical possible bottlenecks that would arise from routinginfrastructure does not happen by
accident, all traffic through a single centralized server. Anit means giving your security professionals
internal knowledge base of all connected devicesthe best security/software tools available and their
characteristics is maintained by thetoday. By unifying your existing surveillance Routing Engine, which
uses that information tosystem and providing spatial context to ensure a viable communication path,
compatibility of signal format and acceptable quality of service.19
20. Rules Engine – The PSIM Platform contains Key Services and Capabilitiesa powerful Rules Engine
that analyzes event • Physical Security Site Surveysand policy information from multiple • Physical

Security Information Managementsources to correlate events, make decisions (PSIM)based upon event
variables and initiate • Privacy Protecting Camera Systems (PPCS)activities. Pre-packaged or user written
• Design, Engineering and Consultingrules define the events or event • Installation, Maintenance and
Monitoring ofcombinations for identifying and resolving Fire & Life Safety Solutionssituations in real time
according to business • Integrated Access Control, Intrusion Detectionpolicies. and Surveillance Solutions
• Emergency Communications with Wired andDispatch Engine – The Dispatch Engine Wireless and
Networksintegrates with communications • Burglar, Fire Alarm Monitoring (In Our Owninfrastructure to
initiate external Massachusetts UL Listed & DOD Certifiedapplications or the transmission of Central
Station)messages, data and commands. Dispatch In our experience working with management,
facilityactions are automatically triggered by the and security professionals within therules engine as it
executes Commonwealth has been rewarding. Compliance torecommendations for situation resolution.
this policy for most departments has been the goalOperators can manually initiate actions as and the new
the budget year begins we look forwardwell. The system integrates and analyzes to continuing our work
to further compliance andinformation from disparate traditional improve the physical security
technologies andphysical security devices including analog monitoring to implement measures to
protectand digital video. personnel, equipment and property and the network against anticipated
threats.The key benefits of today’s technology isallowing system users to do more with less It’s time to
get physical—as in physically protectingby getting maximum benefits through all facilities and all of their
assets. Yet physicalintegrated technologies with each system security is often placed on the back burner,
largely(Both new and old) and with the goals of forgotten about until an unauthorized partycompany
policies and procedures like never manages to break into or sneak onto a site andbefore. steals or
vandalizes systems. Today’s security systems include:In Summary • Intrusion and Monitoring
SystemsAmerican Alarm and Communications, Inc., • Access Control Systemsis in a unique position to
improve personal • Visitor Management Systemsprotection of key individuals as a • Surveillance
SystemsMassachusetts based Underwriters • Emergency Communications SystemsLaboratories (UL)
Listed, and United StatesFederal Government (DOD) recognized 24- • Physical Security Information
Managementhour Security Command Center and Central (PISM) Software PlatformsStation. Every day
we manage a full rangeof security, communication and escalation Our commitment to supporting the
terms of theprocedures specifically designed for our key contract are best stated by our President
Wellscustomers. Our founders, three engineers Sampson, “We continue to serve the unique needs
offrom the Massachusetts Institute of public clients, and our track record of strong serviceTechnology
(MIT), have worked to bring the was one of the reasons the Commonwealthbenefits of new technology
and solutions to expressed continuing confidence in our company andour customers. Though we have
grown over approved our program for another three years.”the years, our mission has remained thesame:
to provide the best possible security As a manager, you have the responsibility to supporttechnologies
across Massachusetts. this physical and environmental security policy implementation throughout your
respective20
21. departments and/or Agencies by creating a Contact Informationculture that embraces, reinforces
anddemands security best practices and are James E. McDonaldconsistent with the policy and the
facility. Integrated Systems ConsultantWithin this culture is the need to Government Contracts
Teamunderstand the human variable. This American Alarm and Communications, Inc.encompasses
anyone who interfaces with 489 Washington Streetoperations, including managers, facility Auburn,
Massachusetts 01501operators, maintenance personnel, other Direct Phone: (508) 453-2731employees,
customers, delivery people, Direct Fax: (781) 645-7537clients and visitors. Email:
JMcDonald@AmericanAlarm.comThe human element affects everything withregard to security and
reliability. How it is Links:addressed may depend on external factors American Alarm Website:
www.AmericanAlarm.comsuch as the law, collective bargaining Blog:
www.SecurityTalkingPoints.comguidelines and even prudent management Twitter:
www.Twitter.com/physectechpractices. Within each Agency or Bio:
http://www.linkedin.com/in/physicalsecuritytechnologistDepartment, responsibility assignments for Site
Survey Request:policy compliance should be defined.
http://fs2.formsite.com/physectech/form1/index.htmlTherefore, all policies and procedures musttake into
account the human variable. Best Association Memberships: ASIS International, ASISpractices require
that physical security be Boston, International Association for Healthcaretreated as a fundamental value.
Security and Safety, IAHSS Boston, Association of Certified Fraud Examiners (ACFE)FAC64 State
ContractThe FAC64 contract gives you a way toacquire all the tools necessary for yourdepartment or

Agency. All with a threeyear warranty on all parts and labor.Countermeasures are constantly
improvingand changing and can be used to countermultiple risks beyond the scope of thisdiscussion. The
need for these solutionsgoes back to a time before the RomanEmpire. The tools evolve but the
needsremain the same.All departments and agencies are subject tosecurity & fraud risks and need to
completea physical security/fraud risk assessment fortheir agency on a periodic basis.21
22. Appendix A: Understanding Physical Access Control SolutionsSOLUTION STRENGTHS
WEAKNESSES COMMENTSKEYS •Most traditional form of • Impossible to track if • Several solutions
are access control they are lost or stolen, currently available on • Easy to use which leaves facility the
market to manage • Don’t require power for vulnerable keys and keep key operation • Potential for
unauthorized holders accountable. sharing of keys • Difficult to audit their use during incident
investigations • Difficult to manage on large campuses with multiple doors • Re-coring doors when a key
is lost or stolen is expensiveLOCKS • Easy installation • Power always on (fail- • DC only • Economical
safe) • Comes in different • Easy retrofit • Typically requires exit “pull” strengths • Quiet operation device
to break circuit • Check extra features, Maglock • Requires backup power such as built in door supply
for 24-hour service sensor • Can be either fail-secure or Electric fail-safe • Door/lock hardware •
Requires more door Strike • Does not need constant experience needed hardware experience power than
Maglock • Door knob overrides for • Specify for life-safety safe exit requirements • Can be both AC and
DC (DC lasts longer) • Fail-safe must have power backup • Fail-secure most popularACCESS CARDS •
Access rights can be • Prone to piggybacking / • Can incorporate a denied without the expense tailgating
(when more than photo ID of re-coring a door and one individual enters a component issuing a new key
secure area using one • Can be used for both • Can limit access to a access card or an physical and
logical building to certain times of unauthorized person follows access control the day an authorized
person into a • Card readers should • Systems can provide secure area have battery backup in audit trails
for incident • Users can share cards the event of power investigations with unauthorized persons failure •
Cards can be stolen and • Tailgate detection used by unauthorized products, video individuals
surveillance, analytics • Systems are more and security officers can expensive to install than address
tailgating issues traditional locks • Can integrate with • Require power to operate video surveillance,
intercoms and intrusion Magnetic • Inexpensive to issue or detection systems for replace enhanced
security Stripe • Not as secure as proximity cards or smart cards • These are the most • Can be
duplicated with commonly used access relative ease control cards by US • Durable • Subject to wear and
tear campuses and facilities • Convenient • More difficult to • Cost more than magstripe compromise
cards22
23. than magstripe cards • Easier to compromise • Are widely used for Proximity • Less wear and tear
issues than smart cards access control (although not as widely as • Multiple application magstripe)
functionality (access, • Currently the most cashless vending, library expensive card access • Not as
widely adopted cards, events) option on the market as magstripe or Smart • Enhanced security through
proximity cards due to encryption and mutual cost Card authentication • Widely adopted in • Less wear
and tear issues Europe• Can incorporate biometric and additional data such as Photo and ATMPIN
NUMBERS • Easy to issue and change • Can be forgotten • Should be changed • Inexpensive • Difficult to
manage when frequently to ensure(Pass codes) there are many passwords security for different systems
• Often used in • Can be given to conjunction with other unauthorized users access control solutions, •
Prone to tailgating/ such as cards or piggybacking biometricsDOOR ALARMS • Provide door intrusion, •
Will not reach hearing • Appropriate for any door forced and propped impaired without monitored door
door detection modifications application, such as • Reduce false alarms • Will not detect tailgaters
emergency exits caused by unintentional • Door bounce can cause • Used in conjunction door propping
false alarms with other access • Encourage staff and control solutions, such students to maintain as card
readers or keys access control procedure • Can be integrated with video surveillance for enhanced
securityTAILGATE/ • Monitor the entry point • Not intended for large • Appropriate for any into secure
areas utility cart and equipment monitored doorPIGGYBACK • Detect tailgate violations passage (which
could cause application where aDETECTORS (allow only one person the system to go into false higher
degree of to enter) alarm) security is needed, such • Detect when a door is • Not for outdoor use as
facilitys, research propped laboratories, etc • Mount on the door frame • Used in conjunction • Easy to
install with other access control solutions, such as card readers • Can be integrated with video
surveillance for enhanced securityPUSH BUTTON • Many button options • Anyone can press the • Used
to release door available release button (unless and shunt alarmCONTROLS • Normally-open/Normally

using a keyed button), so • Used for emergency closed momentary contacts button must be positioned
exits when provide fail-safe manual in a secure location (for configured to fail-safe override access • May
be used in • Time delay may be field control, not for life-safety) conjunction with request adjusted for 1-
60 seconds • Some can be defeated to exit (REX) for door easily alarms and life safety • Can open door
to • Still may require stranger when approaching mechanical device exit from inside button to meet life-
safety code • With REX, careful positioning and selection required23
24. MULTI-ZONE • Display the status of doors • 12 VDC only special order • Designed to monitor
and/or windows throughout 24 VDC option multiple doors fromANNUNCIATORS a monitored facility •
Door bounce can cause a single location • Alert security when a door false alarms • May be used in
intrusion occurs • Requires battery backup conjunction with door • Many options available: in case of
power alarms, tailgate zone shunt, zone relay and failure detection systems and zone supervision optical
turnstiles • No annunciation at the door; only at the monitoring stationFULL HEIGHT • Provides a
physical barrier • Physical design ensures • Designed for at the entry location to a reasonable degree that
indoor/outdoorTURNSTILES • Easy assembly only one authorized person applications • Easy
maintenance will enter, but it will not • Used in parking lots, • Available in aluminum and detect tailgaters
football fields and along galvanized steel fence lines • Use with a conventional access control device like a
card readerOPTICAL • Appropriate for areas with • Can be climbed over • Used in building lobby a lot of
pedestrian traffic • Not for outdoor use and elevator corridorTURNSTILES • Detects tailgating
applications • Aesthetically pleasing and • Use with a can be integrated into conventional access
architectural designs control device like a • Doesn’t require separate card reader emergency exit • To
ensure compliance, • Provides good visual and deploy security officers audible cues to users and video
surveillanceBARRIER ARM • Appropriate for areas with • Units with metal-type • Used in building lobby a
lot of pedestrian traffic arms can be climbed over and elevator corridorTURNSTILES • Provides a visual
and or under applications(Glass gate or psychological barrier while • Not for outdoor use • Use with a
communicating to • Most expensive of the conventional accessmetal arms) pedestrians turnstile options
control device like a that authorization is required • Requires battery backup card reader to gain access in
case of power failure • To ensure compliance, • Detects tailgating deploy security officers • Reliable and
video surveillance • Battery backup is recommendedBIOMETRICS • Difficult to replicate • Generally
much more • Except for hand identity expensive than locks or geometry, facial and because they rely on
unique card access solutions finger solutions, physical attributes of a • If biometric data is biometric
technology is person (fingerprint, hand, compromised, the issue is often appropriate for face or retina)
very difficult to address high-risk areas • Users can’t forget, lose or requiring enhanced have stolen their
biometric security codes • Reduces need for password and card managementINTERCOMS • Allow
personnel to • Will not reach hearing • Appropriate for visitor communicate with and impaired without
management, identify visitors before modifications afterhours visits, loading allowing them to enter a •
Not appropriate for docks, stairwells, etc. facility entrances requiring • Use with conventional • Can be
used for throughput of many people access control solutions, emergency and non- in a small amount of
time such as keys or access emergency communications cards • IP solutions today offer • Video
surveillance powerful communications solutions can provide and backup systems with visual verification
of a integration visitor24
Android App
Linkedin Facebook Twitter Google Plus RSS Feeds
About
Careers
Dev & API
Press
Blog
Terms
Privacy
Copyright
Support
ENGLISH
English

Whitepaper best practices for integrated physical security supporti…

More Related Content

What's hot (19)

Viewers also liked (12)

Similar to Whitepaper best practices for integrated physical security supporti… (20)

Recently uploaded (20)

Whitepaper best practices for integrated physical security supporti…