SECURITY TECHNOLOGY BEST PRACTICES
The Physical Security Risk Management Book
By James McDonald, PSNA. A proud member of INFRAGARD, IFMA, ASIS & IAHSS
and municipal governments across the country continue to take important steps to identify and assure the protection of key assets and services within their jurisdictions.

Federal departments and agencies are working closely with industry to take stock of key assets and facilitate protective actions, while improving the timely exchange of important security-related information. The Office of Homeland Security is working closely with key public- and private-sector entities to implement the Homeland Security Advisory System across all levels of government and the critical sectors.

As a proud member of INFRAGARD, with its goal to promote ongoing dialogue and timely communication between members and the FBI, my team and I work hard every day to help those in key sectors protect their facilities, employees and visitors from internal and external threats. In today's ever-growing regulatory compliance landscape, organizations can greatly benefit from implementing viable and proven physical security best practices.

There are plenty of complicated documents that can guide companies through the process of designing a secure facility, from the gold-standard specs used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like the Telecommunications Industry Association, to safety requirements from the likes of the National Fire Protection Association.

Recent federal legislation, ranging from the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act of 2002 (SOX) to Homeland Security Presidential Directives 7 and 8, is putting pressure on public and private locations, and managed services entities, to comply with a myriad of security and privacy issues. Within the broad concept of the United States' national and homeland security policies are several specific policies which each focus on a specific aspect of national or homeland security. These policies include: the National Security Strategy, the National Infrastructure Protection Plan, the National Health Security Strategy, the National Strategy for Physical Protection of Critical Infrastructure and Key Assets, the National Strategy for Homeland Security, the National Counterintelligence Strategy of the United States, the National Strategy to Secure Cyberspace, and the National Military Strategy of the United States of America. Each of these strategies forms a part of the overall national and homeland security policies of the United States, and in combination they define how the United States acts to protect itself from enemies, both foreign and domestic.

Homeland Security Presidential Directive 7 (HSPD-7) & Physical Protection of Critical Infrastructure and Key Assets identified 18 critical infrastructure and key resources (CIKR) sectors. Each sector is responsible for developing and implementing a Sector-Specific Plan (SSP) and providing sector-level performance feedback to the Department of Homeland Security (DHS) to enable gap assessments of national cross-sector CIKR protection programs. Sector-Specific Agencies (SSAs) are responsible for collaborating with public and private sector security partners and encouraging the development of appropriate information-sharing and analysis mechanisms within the sector.

These Industry Sectors are broken down as follows:
Agriculture and Food
Banking and Finance
Chemical
Commercial Facilities
Communications
Critical Manufacturing
Dams
Defense Industrial Base
Emergency Services
Energy
Government Facilities
Healthcare and Public Health
Information Technology
National Monuments
Nuclear Reactors, Materials, and Waste
Postal and Shipping
Transportation
Water

As a Physical Security Professional, the tools we use may be the same or similar in each sector; however, the integration, policies, goals and solution may differ. This document is dedicated to giving you a basic overview of the different technologies we use and some examples of how they have been used. If you have specific needs, questions and concerns, please contact the author or a security professional to learn more about your needs.

Risk Management & Physical Security
The use of appropriate physical security technology measures can prevent or deter a wide variety of insider and external attacks, from staff fraud through to the facilitation or conduct of a terrorist attack. However, these countermeasures can also be costly, so it is important that they are implemented in a way that reflects the severity of the risk. Risk Management provides a systematic basis for proportionate and efficient security. From the moment an individual arrives on the grounds and walks through the doors, the following items should be part of a physical security best practices program for any facility.

The Risk Assessment or Physical Security Assessment
[Figure: Risk & Physical Security Management Cycle, with the stages Identify Threats, Assess Vulnerabilities, Evaluate Countermeasures and Implement Countermeasures]

The Risk Assessment & Physical Security Assessment is the first step in the process to protect any facility or location and justify the investment in that protection. The Risk Assessment and Physical Security Assessment processes are the same: they incorporate identifying threats and assessing vulnerabilities, then evaluating and implementing countermeasures. In this context, risk is usually understood to be the product of two factors: the likelihood of an event occurring, and the impact that the event
would have. When each of these has been evaluated, they are combined to provide an overall measure of risk. Then we use our security technology countermeasures to further reduce the opportunity and risk.

Likelihood can be further broken down into three factors: intent, capability and opportunity. Intent is a measure of the insider's determination to carry out the attack, while capability is the degree to which the insider possesses the skills, knowledge and resources to be successful in the attempt. In my study of fraud as a member of the Association of Certified Fraud Examiners (ACFE), I learned of Donald R. Cressey (April 27, 1919 – July 21, 1987), an American penologist, sociologist, and criminologist who made innovative contributions to the study of organized crime, prisons, criminology, the sociology of criminal law, and white-collar crime. He is also known as the father of the Fraud Triangle, which states that there are three factors that need to exist for someone to commit fraud. They are Motive or Financial Pressure, Rationalization and Opportunity. Some things we can control and others we cannot; I have always focused on eliminating the Opportunity. My goal is to create the Perception of Detection with the security technology to stop fraud and other crimes. Besides a terrorist who is willing to die for their cause, most people, in my experience, will think twice or find another target if they feel they will be unsuccessful or caught.

Opportunity is a combination of the access that an insider has to an organization's assets (by virtue of their role or position), together with the vulnerability of the environment (for example, an environment that is constantly supervised or monitored by CCTV cameras is less vulnerable to some insider threats than an environment which is not subject to these controls). Impact should be considered in terms of the value of the assets affected and any wider consequences. For example, insider fraud can have both financial and reputational impacts.

Levels of risk assessment
There are three levels at which personnel security risk assessments can be conducted:
1. Organization
2. Group
3. Individual

The first examines and prioritizes the types of insider threats that are of concern to the organization as a whole, the second focuses on groups of employees with differing levels of opportunity to commit the threats, while the third deals with each employee on an individual basis.

Most risk practitioners will find it helpful to start with the simplest and highest level approach, the organization level risk assessment, which provides a useful overview of the threats facing the organization and an opportunity to review countermeasures in general. The group level assessment will require a greater commitment of time and effort, but can yield significant insight into the groups of employees that give most cause for concern and the proportionate application of countermeasures within the organization. The individual level assessment is the most labor intensive of all, looking at every employee in turn to determine their combined opportunity and insider potential (i.e. threat and susceptibility).

The levels of risk assessment that you use will depend on the threats faced by your organization and the nature of the workforce. It
is important that you understand the way in which the three approaches support different types of decision. For example, if the organizational risk assessment reveals that there is a negligible threat to the organization from an insider bringing a bomb into the building, this may rule out the need for baggage checks on entry to the site. Alternatively, the group level assessment could reveal that certain employees, due to their role in the organization, have regular access to highly confidential or sensitive information, and they may therefore require higher levels of supervision in the office. If, at the individual level, a particular employee is considered to have high insider potential and a high level of opportunity, then an individually tailored risk management plan might be required.

The remaining two stages are implementation, which involves putting the new countermeasures identified by the risk or security assessment into operation, and evaluation, during which the effectiveness of the countermeasures is reviewed. The lists of assumptions made during the risk assessment will prove particularly useful during this evaluation.

Depending on how much time has passed since the risk assessment, the evaluation stage should also show that the threats identified either have or have not been reduced by the countermeasures you have introduced. It is worth bearing in mind, however, that factors outside your control, such as the current threat level, or economic, political and social issues, may also have an influence. These same factors are likely to introduce new threats to be addressed in future assessments.

Design Solution Check List
The following are some key examples of points to consider when building a new data center. I use this as an example because Physical and Cyber Strategies share common underlying policy objectives and principles. The first objective of this Strategy is to identify and assure the protection of those assets, systems, and functions that are deemed most "critical" to the organization. Almost every facility today has data access or data storage, and in many cases the "Data Room or Closet" is one of the least secured locations in the facility and is the most vulnerable. The liability of data loss for almost every organization is astronomical. Loss of customer or personal data, organizational confidential information or trade secrets could destroy an organization without firing a shot. The main equipment room, where inside and outside cables and conduit terminate, is usually referred to as the MDF (Main Distribution Frame). Most MDF rooms are accessible by everyone in the organization, from the receptionist to the janitor.

So, as you read through this next section, apply the principles to your facility and think of how you could enhance your security to reduce your risk of loss.

Build on the Right Spot
Be sure the building is some distance from headquarters (20 miles is typical) and at least 100 feet from the main road. Bad neighbors: airports, chemical facilities, power plants. Bad news: earthquake fault lines and (as we've seen all too clearly this year) areas prone to hurricanes and floods. And scrap the "data center" sign.

Restrict Area Perimeter
Secure and monitor the perimeter of the facility.

Have Redundant Utilities
Data centers need two sources for utilities, such as electricity, water, voice and data. Trace electricity sources back to two separate substations and water back to two different main lines. Lines should be underground and should come into different areas of the building,
with water separate from other utilities. Use the data center's anticipated power usage as leverage for getting the electric company to accommodate the building's special needs.

Deter, Detect, and Delay
Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful.

Pay Attention to Walls
Foot-thick concrete is a cheap and effective barrier against the elements and explosive devices. For extra security, use walls lined with Kevlar.

Avoid Windows
Think warehouse and not an office building. If you must have windows, limit them to the break room or administrative area, and use bomb-resistant laminated glass.

Use Landscaping for Protection
Trees, boulders and gulleys can hide the building from passing cars, obscure security devices (like fences), and also help keep vehicles from getting too close. Oh, and they look nice too.

Keep a 100-foot Buffer Zone around the Site
Where landscaping does not protect the building from vehicles, use crash-proof barriers instead. Bollard planters are less conspicuous and more attractive than other devices.

Use Retractable Crash Barriers at Vehicle Entry Points
Control access to the parking lot and loading dock with a staffed guard station that operates the retractable bollards. Use a raised gate and a green light as visual cues that the bollards are down and the driver can go forward. In situations when extra security is needed, have the barriers left up by default, and lowered only when someone has permission to pass through.

Plan for Bomb Detection
For data facilities that are especially sensitive or likely targets, have guards use mirrors to check underneath vehicles for explosives, or provide portable bomb-sniffing devices. You can respond to a raised threat by increasing the number of vehicles you check, perhaps by checking employee vehicles as well as visitors and delivery trucks.

Limit Entry Points
Control access to the building by establishing one main entrance, plus a back one for the loading dock. This keeps costs down too.

Make Fire Doors Exit Only
For exits required by fire codes, install doors that don't have handles on the outside. When any of these doors is opened, a loud alarm should sound and trigger a response from the security command center.

Use Plenty of Cameras
Surveillance cameras should be installed around the perimeter of the building, at all entrances and exits, and at every access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal. Footage should be digitally recorded and stored offsite.

Protect the Building's Machinery
Keep the mechanical area of the building, which houses environmental systems and uninterruptible power supplies, strictly off limits. If generators are outside, use concrete walls to secure the area. For both areas, make sure all contractors and repair crews are accompanied by an employee at all times.

Personnel Surety
Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and, as appropriate, for unescorted visitors with access to restricted areas or critical assets.
Plan for Secure Air Handling
Make sure the heating, ventilating and air-conditioning systems can be set to recirculate air rather than drawing in air from the outside. This could help protect people and equipment if there were some kind of biological or chemical attack or heavy smoke spreading from a nearby fire. For added security, put devices in place to monitor the air for chemical, biological or radiological contaminants.

Ensure nothing can hide in the walls and ceilings
In secure areas of the data center, make sure internal walls run from the slab ceiling all the way to subflooring where wiring is typically housed. Also make sure drop-down ceilings don't provide hidden access points.

Use two-factor Authentication
Biometric identification is becoming standard for access control to sensitive areas of data centers, with hand geometry or fingerprint scanners usually considered less invasive than retinal scanning. In other areas, you may be able to get away with less-expensive access cards.

Harden the Core with Security Layers
Anyone entering the most secure part of the data center will have been authenticated at least three times, including at the outer door. Don't forget you'll need a way for visitors to buzz the front desk (IP Intercom works well for this). At the entrance to the "data" part of the data center. At the inner door, which separates the visitor area from the general employee area. Typically, this is the layer that has the strictest "positive control," meaning no piggybacking allowed. For implementation, you have two options:

- A floor-to-ceiling turnstile. If someone tries to sneak in behind an authenticated user, the door gently revolves in the reverse direction. (In case of a fire, the walls of the turnstile flatten to allow quick egress.)
- A "mantrap". Provides alternate access for equipment and for persons with disabilities. This consists of two separate doors with an airlock in between. Only one door can be opened at a time, and authentication is needed for both doors.

At the Door to an Individual Computer Processing Room
This is for the room where actual servers, mainframes or other critical IT equipment is located. Provide access only on an as-needed basis, and segment these rooms as much as possible in order to control and track access.

Watch the Exits Too
Monitor entrance and exit—not only for the main facility but for more sensitive areas of the facility as well. It'll help you keep track of who was where, when. It also helps with building evacuation if there's a fire.

Prohibit Food in the Computer Rooms
Provide a common area where people can eat without getting food on computer equipment.

Install Visitor Rest Rooms
Make sure to include rest rooms for use by visitors and delivery people who don't have access to the secure parts of the building.

Critical Infrastructure Monitoring
"Critical infrastructure" is defined by federal law as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

The Information Technology (IT) Sector is central to the nation's security, economy, and public health and safety. Businesses, governments, academia, and private citizens
are increasingly dependent upon IT Sector functions. These virtual and distributed functions produce and provide hardware, software, and IT systems and services, and—in collaboration with the Communications Sector—the Internet.

Communication between your business alarm system and our Monitoring Center is a critical part of your protective system. Require an Underwriters' Laboratories (U.L.) Listed Monitoring Center with sophisticated communications operation.

In the event of an alarm, the CPU in your security system sends an alarm signal to the monitoring facility through the phone lines, or through the network with AES radio or cellular back-up communications. The signal is then retrieved by the monitoring center, and the operators quickly notify the appropriate authorities, as well as the designated responder, of the emergency.

Monitoring Capabilities
Fire
Hold-Up
Intrusion
Halon/Ansul
Panic/Ambush
Man Down
Elevator Phones
Off-Premises Video
HVAC/Refrigeration
Sprinkler/Tamper/Flow
Power Loss/Low Battery
Gas/Hazardous Chemicals
Water Flow/Flood Alarms
Environmental Devices (CO2/CO/etc.)
Radio/Cellular Back-Up Communications

Implementation
Use a proven integrator who can utilize and integrate multiple solutions to create a physical security compliance and risk management solution that can automate and enforce physical security policies, from restricting area perimeter and securing site assets to personnel surety and reporting of significant security incidents; this helps to ensure both governance and compliance utilizing an organization's existing physical security and IT infrastructure.

Such a solution can centrally manage all regulations and associated controls and automate assessment, remediation and reporting as per defined review cycles. Automatically trigger compliance-based actions, such as rule-based generation of actions/penalties, based on physical access events. Correlate alarms and identities to better manage situations and responses across the security infrastructure. Incorporate real-time monitoring and detailed risk analysis tools to instantly enforce, maintain and report on compliance initiatives.

Key External Technology Measures

Entry Point
Data centers are generally designed with a central access point that's used to filter employees and visitors into the data center. All requests are vetted by a security guard with an intercom link to ensure that they have a legitimate reason for entering the premises.

Automatic Bollards
As an alternative to a guard-controlled gate, automatic bollards can be used at entry points. These short vertical posts pop out of the ground to prevent unauthorized vehicles from driving onto the site. When a vehicle's occupants are verified by a guard, an access card or other secure process, the bollards are quickly lowered to allow the vehicle to enter. When in the lowered position, the top of each bollard is flush with the pavement or asphalt and completely hidden. The bollards move quickly and are designed to prevent more than one vehicle from passing through at any one time.
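
The "positive control" rules given for the mantrap under Harden the Core with Security Layers (only one door open at a time, authentication at both doors, no piggybacking) can be written as an interlock controller. The Python code below is an added example, not part of the original book; the people-counting sensor in the airlock and all class and method names are assumptions made for illustration.

```python
from enum import Enum


class Door(Enum):
    OUTER = "outer"   # lobby side
    INNER = "inner"   # data center side


class Mantrap:
    """Interlock logic for two doors with an airlock in between."""

    def __init__(self):
        self.is_open = {Door.OUTER: False, Door.INNER: False}
        self.released = None   # door currently unlocked for one opening
        self.occupants = 0     # assumed people-counting sensor in the airlock
        self.denials = []      # refused requests, kept for the audit trail
        self.alarms = []       # events that need a guard response

    def _other(self, door):
        return Door.INNER if door is Door.OUTER else Door.OUTER

    def _deny(self, door, why):
        self.denials.append(f"{door.value} door denied: {why}")
        return False

    def request(self, door, authenticated):
        """Ask to release one door; returns True if its lock is released."""
        if not authenticated:
            return self._deny(door, "authentication failed")
        if self.is_open[self._other(door)]:
            return self._deny(door, "other door is open")
        if self.released is not None:
            return self._deny(door, "another release is pending")
        if self.occupants > 1:
            return self._deny(door, f"{self.occupants} people in airlock")
        self.released = door
        return True

    def door_opened(self, door):
        """Door contact reports open; an opening without a release is forced."""
        if self.released is not door:
            self.alarms.append(f"{door.value} door forced open")
        self.is_open[door] = True
        self.released = None   # a release is good for one opening only

    def door_closed(self, door, occupants):
        """Door contact reports closed; the sensor reports the airlock count."""
        self.is_open[door] = False
        self.occupants = occupants
        if occupants > 1:
            self.alarms.append(f"piggybacking: {occupants} people in airlock")


def normal_entry():
    """One authenticated person walks from the lobby into the data center."""
    m = Mantrap()
    steps = [m.request(Door.OUTER, True)]
    m.door_opened(Door.OUTER)
    steps.append(m.request(Door.INNER, True))   # outer still open: refused
    m.door_closed(Door.OUTER, occupants=1)
    steps.append(m.request(Door.INNER, True))   # second authentication
    m.door_opened(Door.INNER)
    m.door_closed(Door.INNER, occupants=0)
    return steps, m.alarms


def piggyback_attempt():
    """A second person follows an authenticated user through the outer door."""
    m = Mantrap()
    m.request(Door.OUTER, True)
    m.door_opened(Door.OUTER)
    m.door_closed(Door.OUTER, occupants=2)
    return m.request(Door.INNER, True), m.alarms


if __name__ == "__main__":
    print(normal_entry())
    print(piggyback_attempt())
```
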
Closed-Circuit TV or IP Video
External video cameras, positioned in strategic locations, including along perimeter fencing, provide efficient and continuous visual surveillance. The cameras can detect and follow the activities of people in both authorized and "off limits" locations. In the event someone performs an unauthorized action or commits a crime, the digitally stored video can supply valuable evidence to supervisors, law enforcement officials and judicial authorities. For added protection, the video should be stored off-site on a digital video recorder (DVR).

Key Internal Technology Measures

Lobby Area
With proper software and surveillance and communications tools, a staffed reception desk, with one or more security guards checking visitors' credentials, creates an invaluable first line of access control.

Surveillance
Like their external counterparts, internal cameras provide constant surveillance and offer documented proof of any observed wrongdoing.

Biometric Screening
Once the stuff of science fiction and spy movies, biometric identification now plays a key role in premises security. Biometric systems authorize users on the basis of a physical characteristic that doesn't change during a lifetime, such as a fingerprint, hand or face geometry, retina or iris features.

Mantrap
Typically located at the gateway between the lobby and the rest of the data center, mantrap technology consists of two interlocking doors positioned on either side of an enclosed space. The first door must close before the second one opens. In a typical mantrap, the visitor needs to first "badge-in" and then once inside must pass a biometric screening in the form of an iris scan.

Access Control List
Defined by the data center customer, an access control list includes the names of individuals who are authorized to enter the data center environment. Anyone not on the list will not be granted access to operational areas.

Badges and Cards
Visually distinctive badges and identification cards, combined with automated entry points, ensure that only authorized people can access specific data center areas. The most common identification technologies are magnetic stripe, proximity, barcode, smart cards and various biometric devices.

Guard Staff
A well-trained staff that monitors site facilities and security technologies is an essential element in any access control plan.

Loading and Receiving
For full premises security, mantraps, card readers and other access controls located in public-facing facilities also need to be duplicated at the data center's loading docks and storage areas.

Operational Areas
The final line of physical protection falls in front of the data center's IT resources. Private cages and suites need to be equipped with dedicated access control systems while cabinets should have locking front and rear doors for additional protection.

Humans are the weakest link in any security scheme. Security professionals can do their best to protect systems with layers of anti-malware, personal and network firewalls, biometric login authentication, and even data encryption, but give a good hacker (or computer forensics expert) enough time with physical access to the hardware, and there's a good chance they'll break in. Thus, robust physical
access controls and policies are critical elements of any comprehensive IT security strategy.

According to a report by the SANS Institute, "IT security and physical security are no longer security silos in the IT environment; they are and must be considered one and the same or, as it should be called, overall security."

It is the innermost layer—physical entry to computer rooms—over which IT managers typically have responsibility, and the means to have effective control over human access focuses on a set of policies, procedures, and enforcement mechanisms.

Policy Basics
Given their importance and ramifications on employees, access policies must come from the top leadership. After setting expectations and behavioral ground rules, actual data center access policies have several common elements. The most essential are definitions of various access levels and procedures for authenticating individuals in each group and their associated privileges and responsibilities when in the data center.

Step 1
Authorize, identify and authenticate individuals that require physical access:
  Identify the roles that require both regular as well as occasional physical access and identify the individuals that fill these roles.
  Provide standing authorization and a permanent authenticator to individuals that require regular access.
  Require individuals that require occasional access to submit a request that must be approved prior to access being attempted or allowed.
  Authenticate individuals with regular access requirements through the use of their assigned permanent authenticator.
  Authenticate individuals with occasional access requirements through the use of a personal identification mechanism that includes name, signature and photograph.

Step 2
Verify that work to be performed has been pre-approved or meets emergency response procedures:
  Verify against standard Change Control procedures.
  Verify against standard Maintenance procedures.

Step 3
Make use of logs to document the comings and goings of people and equipment:
  Assign the responsibility for the maintenance of an access log that records personnel access. Record the following:
    Date and time of entry.
    Name of accessing individual and authentication mechanism.
    Name and title of authorizing individual.
    Reason for access.
    Date and time of departure.
  Assign the responsibility for the maintenance of a delivery and removal log that records equipment that is delivered to or removed from facilities. Record the following:
    Date and time of delivery/removal.
    Name and type of equipment to be delivered or removed.
    Name and employer of the individual performing the delivery/removal and the authentication mechanism used.
    Name and title of authorizing individual.
    Reason for delivery/removal.

Non-Compliance
Violation of any of the constraints of these policies or procedures should be considered a security breach and, depending on the nature of the violation, various sanctions will be taken:
  A minor breach should result in written reprimand.
  Multiple minor breaches or a major breach should result in suspension.
  Multiple major breaches should result in termination.

Although older data centers typically just consisted of a large, un-partitioned raised-floor area, newer enterprise facilities have taken a page from ISP designs by dividing the space into various zones—for example, a cage for high-availability servers, another area for Tier 2 or 3 systems, a dedicated network control room, and even separate areas for facilities infrastructure such as PDUs and chillers. Such partitioned data centers provide control points for denying access to personnel with no responsibility for equipment that's in them.

Identification Procedures
The next step in a physical security policy is to set up controls and identification procedures for authenticating data center users and granting them physical access. Although biometric scanners look flashy in the movies and certainly provide an added measure of security, a magnetic stripe badge reader is still the most common entry technology, as it's simple, cheap, and effective and allows automated logging, which is a necessary audit trail. One problem with magnetic readers is their susceptibility to tailgating, or allowing unauthorized personnel to trail a colleague through an entryway. That's why we advise supplementing doors and locks with recorded video surveillance.

I also like to add a form of two-factor authentication to entry points by coupling a card reader ("something you have") with a PIN pad ("something you know"), which reduces the risks of lost cards. I also recommend using time-stamped video surveillance in conjunction with electronic access logs and a sign-in sheet to provide a paper trail.

Access levels and controls, with identification, monitoring, and logging, form the foundation of an access policy, but two other major policy elements are standards of conduct and behaviors inside the data center. Prohibitions on food and beverages or tampering with unauthorized equipment, and limitations and controls on the admission of personal electronics such as USB thumb drives, laptops, smartphones, or cameras, are critical.

Policies should also incorporate processes for granting access or elevating restriction levels, an exception process for unusual situations, sanctions for policy violations, and standards for reviewing and auditing policy compliance. Stahl cautions that penalties for noncompliance will vary from company to company because they must reflect each enterprise's specific risk tolerance, corporate culture, local employment laws, and union contracts.

Summary
It's time to get physical—as in physically protecting a data center and all of its assets. The need for ironclad virtual security measures, such as managed firewalls, is well known. Yet physical security is often placed on the back burner, largely forgotten about until an unauthorized party manages to break into or sneak onto a site and steals or vandalizes systems.

Today's security systems include:
Intrusion and Monitoring Systems
Access Control Systems
Visitor Management Systems
Surveillance Systems
Emergency Communications Systems
PSIM Software Platforms

The newest of these is the PSIM or Physical Security Information Management system.
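
The Step 3 access log, the Step 1 pre-approval rule for occasional access, and the tailgating concern raised under Identification Procedures can be checked together in one audit pass over the log. The Python code below is an added example, not part of the original book; the record layout, the clock tolerance, the names and the sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AccessRecord:
    """One row of the personnel access log (field names are assumed)."""
    person: str
    auth_mechanism: str             # e.g. "card+PIN", "photo ID"
    authorizer: str                 # name and title of authorizing individual
    reason: str
    entered: Optional[datetime]
    departed: Optional[datetime] = None
    access_type: str = "regular"    # "regular" or "occasional"
    request_approved: bool = False  # pre-approval, for occasional access


# Fields that must be filled in when the person enters.
REQUIRED = ("person", "auth_mechanism", "authorizer", "reason", "entered")
CLOCK_TOLERANCE = timedelta(minutes=2)  # assumed skew between reader and log


def audit(log, exit_reads, now):
    """Return sorted (person, finding) pairs for records that break policy.

    exit_reads is a list of (person, time) badge reads at the exit reader.
    """
    findings = set()
    for rec in log:
        who = rec.person or "<unnamed>"
        missing = [name for name in REQUIRED if not getattr(rec, name)]
        if missing:
            findings.add((who, "incomplete record: missing " + ", ".join(missing)))
        if rec.access_type == "occasional" and not rec.request_approved:
            findings.add((who, "occasional access without approved request"))
        if rec.entered and rec.departed and rec.departed < rec.entered:
            findings.add((who, "departure recorded before entry"))
        if rec.entered and rec.departed is None and rec.entered <= now:
            findings.add((who, "no departure recorded: still inside"))
    # Someone badging out who never badged in got inside behind another person.
    for person, when in exit_reads:
        covered = any(
            rec.person == person
            and rec.entered is not None
            and rec.entered <= when
            and (rec.departed is None or when <= rec.departed + CLOCK_TOLERANCE)
            for rec in log
        )
        if not covered:
            findings.add((person, "exit read with no logged entry: possible tailgating"))
    return sorted(findings)


def _t(hour, minute):
    return datetime(2024, 1, 15, hour, minute)


# Constructed sample data, not taken from any real log.
LOG = [
    AccessRecord("A. Rivera", "card+PIN", "J. Chen, DC Manager",
                 "rack maintenance", _t(9, 0), _t(10, 30)),
    AccessRecord("B. Okafor", "photo ID", "J. Chen, DC Manager",
                 "HVAC repair", _t(9, 15), None, "occasional", False),
    AccessRecord("C. Lindqvist", "card+PIN", "",
                 "disk swap", _t(11, 0), _t(11, 20)),
]
EXIT_READS = [
    ("A. Rivera", _t(10, 30)),
    ("D. Moreau", _t(10, 31)),   # never appears in the access log
    ("C. Lindqvist", _t(11, 20)),
]


def run_sample():
    """Audit the constructed sample as of 12:00 on the same day."""
    return audit(LOG, EXIT_READS, now=_t(12, 0))


if __name__ == "__main__":
    for person, finding in run_sample():
        print(f"{person}: {finding}")
```

The "still inside" findings double as the roll call that Watch the Exits Too asks for during an evacuation.
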
Physical Security Information Management (PSIM)

The PSIM Platform enables the integration and organization of any number and type of security devices or systems and provides a common set of services for analyzing and managing the incoming information. It also serves as the common services platform for video and situation management applications.

Effectively maintaining security of critical infrastructure does not happen by accident; it means giving your security professionals the best security/software tools available today. By unifying your existing surveillance system and providing spatial context to your camera feeds, PSIM brings out the best of your equipment.

To investigate day-to-day incidents, as well as prepare for emergency situations, the security department makes use of a vast network of video cameras, access control points, intercoms, fire and other safety systems. PSIM unifies all of these disparate feeds, including systems from diverse manufacturers, into a single decision-oriented Common Operating Picture. Within the PSIM Platform are five key components:

Integration Services
Multiple strategies are used for connection, communication with, and management of installed devices and systems from multiple vendors. The PSIM Platform offers complete support for the industry’s most commonly-used device types – out of the box. In addition, it employs customizable “pipeline” architecture to receive device events. Network connectivity is achieved using combinations of multiple communications protocols.

Geo-Location Engine
The Geo-Location Engine provides spatial recognition for geo-location of devices and supports situation mapping functionality. The physical position of devices is stored in an internal knowledge base as GIS/GPS positions or building coordinates. The engine uses the information to determine relevance and to select and relate devices involved in a given situation. The system uses the information to overlay graphical representations of security assets and activities onto Google-type maps or building layouts.

Routing Engine
The Routing Engine is an intelligent switch that connects any security device to PSIM command interfaces or output device(s) and accommodates any required transformation of formats and protocols between connected devices. In most cases, devices connect directly to each other and exchange data streams directly, avoiding possible bottlenecks that would arise from routing all traffic through a single centralized server. An internal knowledge base of all connected devices and their characteristics is maintained by the Routing Engine, which uses that information to ensure a viable communication path, compatibility of signal format and acceptable quality of service.

Rules Engine
The PSIM Platform contains a powerful Rules Engine that analyzes event and policy information from multiple sources to correlate events, make decisions based upon event variables and initiate activities.

Dispatch Engine
The Dispatch Engine integrates with communications infrastructure to initiate external applications or the transmission of messages, data and commands. Dispatch actions are automatically triggered by the rules engine as it executes recommendations for situation resolution. Operators can manually initiate actions as well.

The key benefit of today’s technology is that it allows system users to do more with less, getting maximum benefit through integrating technologies with each system (both new and old) and with the goals of company policies and procedures like never before.
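To make the Rules Engine and Dispatch Engine descriptions above concrete, here is an added example (not from this book or from any PSIM product) that correlates badge-reader, door-contact and people-counter events into forced-door, propped-door and tailgating alerts. The event kinds, door names, time thresholds and dispatch actions are all assumptions made for the illustration.

```python
from collections import defaultdict

GRANT_WINDOW = 10  # assumed: seconds a badge grant or REX press covers the next door opening
PROP_LIMIT = 30    # assumed: seconds a door may stay open before it counts as propped

# Constructed feed from three device types: (seconds, door, kind, detail).
# Door names, card IDs and event kinds are invented for this example.
EVENTS = [
    (0,   "DC-1", "grant", "card-A"),   # badge reader accepts a card
    (2,   "DC-1", "open",  None),       # door contact
    (3,   "DC-1", "pass",  None),       # people counter: first person
    (5,   "DC-1", "pass",  None),       # second person on one grant
    (8,   "DC-1", "close", None),
    (50,  "DC-2", "deny",  "card-C"),   # rejected card, then the door opens anyway
    (52,  "DC-2", "open",  None),       # never closed in this feed
    (100, "DC-1", "open",  None),       # no grant and no REX beforehand
    (104, "DC-1", "close", None),
    (200, "DC-1", "grant", "card-B"),
    (201, "DC-1", "open",  None),
    (202, "DC-1", "pass",  None),
    (260, "DC-1", "close", None),       # held open 59 s
    (300, "DC-1", "rex",   None),       # request-to-exit button shunts the alarm
    (301, "DC-1", "open",  None),
    (302, "DC-1", "pass",  None),
    (305, "DC-1", "close", None),
]

# Hypothetical dispatch actions, one per rule.
DISPATCH = {
    "DOOR_FORCED":  "send officer, call up door camera",
    "DOOR_PROPPED": "sound local alarm, notify operator",
    "TAILGATE":     "bookmark video, notify operator",
}


def correlate(events, grant_window=GRANT_WINDOW, prop_limit=PROP_LIMIT):
    """Return [(time, door, rule)] by correlating reader, contact and counter events."""
    doors = defaultdict(lambda: {"grants": [], "rex_at": None, "open_at": None,
                                 "authorized": 0, "passes": 0})
    alerts, now = [], 0
    for t, door, kind, _detail in sorted(events, key=lambda e: e[0]):
        s, now = doors[door], t
        if kind == "grant":
            s["grants"].append(t)
        elif kind == "rex":
            s["rex_at"] = t
        elif kind == "open":
            valid = [g for g in s["grants"] if t - g <= grant_window]
            shunted = s["rex_at"] is not None and t - s["rex_at"] <= grant_window
            if not valid and not shunted:
                alerts.append((t, door, "DOOR_FORCED"))
            s.update(grants=[], rex_at=None, open_at=t,
                     authorized=len(valid), passes=0)
        elif kind == "pass" and s["open_at"] is not None:
            s["passes"] += 1
            # Fire once, on the first person beyond the number of valid grants.
            if s["authorized"] and s["passes"] == s["authorized"] + 1:
                alerts.append((t, door, "TAILGATE"))
        elif kind == "close" and s["open_at"] is not None:
            if t - s["open_at"] > prop_limit:
                alerts.append((t, door, "DOOR_PROPPED"))
            s["open_at"] = None
    # Doors still open at the end of the feed are judged against the last timestamp.
    for door, s in doors.items():
        if s["open_at"] is not None and now - s["open_at"] > prop_limit:
            alerts.append((now, door, "DOOR_PROPPED"))
    return alerts


def dispatch(alerts):
    """Pair each alert with its action, as a dispatch stage would."""
    return [f"t={t}s {door}: {rule} -> {DISPATCH[rule]}" for t, door, rule in alerts]


if __name__ == "__main__":
    for line in dispatch(correlate(EVENTS)):
        print(line)
```

A card reader alone would log only the grants and the denial; the tailgate and forced-door alerts appear only once the reader, door contact and counter feeds are correlated.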
Appendix A: Understanding Physical Access Control Solutions

SOLUTION / STRENGTHS / WEAKNESSES / COMMENTS

KEYS
Strengths:
• Most traditional form of access control
• Easy to use
• Don’t require power for operation
Weaknesses:
• Impossible to track if they are lost or stolen, which leaves facility vulnerable
• Potential for unauthorized sharing of keys
• Difficult to audit their use during incident investigations
• Difficult to manage on large campuses with multiple doors
• Re-coring doors when a key is lost or stolen is expensive
Comments:
• Several solutions are currently available on the market to manage keys and keep key holders accountable.

LOCKS: Maglock
Strengths:
• Easy installation
• Economical
• Easy retrofit
• Quiet operation
Weaknesses:
• Power always on (fail-safe)
• Typically requires exit device to break circuit
• Requires backup power supply for 24-hour service
Comments:
• DC only
• Comes in different “pull” strengths
• Check extra features, such as built in door sensor

LOCKS: Electric Strike
Strengths:
• Can be either fail-secure or fail-safe
• Does not need constant power
• Door knob overrides for safe exit
Weaknesses:
• Door/lock hardware experience needed
Comments:
• Requires more door hardware experience than Maglock
• Specify for life-safety requirements
• Can be both AC and DC (DC lasts longer)
• Fail-safe must have power backup
• Fail-secure most popular

ACCESS CARDS
Strengths:
• Access rights can be denied without the expense of re-coring a door and issuing a new key
• Can limit access to a building to certain times of the day
• Systems can provide audit trails for incident investigations
Weaknesses:
• Prone to piggybacking / tailgating (when more than one individual enters a secure area using one access card or an unauthorized person follows an authorized person into a secure area)
• Users can share cards with unauthorized persons
• Cards can be stolen and used by unauthorized individuals
• Systems are more expensive to install than traditional locks
• Require power to operate
Comments:
• Can incorporate a photo ID component
• Can be used for both physical and logical access control
• Card readers should have battery backup in the event of power failure
• Tailgate detection products, video surveillance, analytics and security officers can address tailgating issues
• Can integrate with video surveillance, intercoms and intrusion detection systems for enhanced security

ACCESS CARDS: Magnetic Stripe
Strengths:
• Inexpensive to issue or replace
Weaknesses:
• Not as secure as proximity cards or smart cards
• Can be duplicated with relative ease
• Subject to wear and tear
Comments:
• These are the most commonly used access control cards by US campuses and facilities

ACCESS CARDS: Proximity
Strengths:
• Durable
• Convenient
• More difficult to compromise than magstripe cards
• Less wear and tear issues
Weaknesses:
• Cost more than magstripe cards
• Easier to compromise than smart cards
Comments:
• Are widely used for access control (although not as widely as magstripe)

ACCESS CARDS: Smart Card
Strengths:
• Multiple application functionality (access, cashless vending, library cards, events)
• Enhanced security through encryption and mutual authentication
• Less wear and tear issues
Weaknesses:
• Currently the most expensive card access option on the market
Comments:
• Not as widely adopted as magstripe or proximity cards due to cost
• Widely adopted in Europe
• Can incorporate biometric and additional data such as Photo and ATM

PIN NUMBERS (Pass codes)
Strengths:
• Easy to issue and change
• Inexpensive
Weaknesses:
• Can be forgotten
• Difficult to manage when there are many passwords for different systems
• Can be given to unauthorized users
• Prone to tailgating/piggybacking
Comments:
• Should be changed frequently to ensure security
• Often used in conjunction with other access control solutions, such as cards or biometrics

DOOR ALARMS
Strengths:
• Provide door intrusion, door forced and propped door detection
• Reduce false alarms caused by unintentional door propping
• Encourage staff and students to maintain access control procedure
Weaknesses:
• Will not reach hearing impaired without modifications
• Will not detect tailgaters
• Door bounce can cause false alarms
Comments:
• Appropriate for any monitored door application, such as emergency exits
• Used in conjunction with other access control solutions, such as card readers or keys
• Can be integrated with video surveillance for enhanced security

TAILGATE/PIGGYBACK DETECTORS
Strengths:
• Monitor the entry point into secure areas
• Detect tailgate violations (allow only one person to enter)
• Detect when a door is propped
• Mount on the door frame
• Easy to install
Weaknesses:
• Not intended for large utility cart and equipment passage (which could cause the system to go into false alarm)
• Not for outdoor use
Comments:
• Appropriate for any monitored door application where a higher degree of security is needed, such as data centers, research laboratories, etc.
• Used in conjunction with other access control solutions, such as card readers
• Can be integrated with video surveillance for enhanced security

PUSHBUTTON CONTROLS
Strengths:
• Many button options available
• Normally-open/Normally closed momentary contacts provide fail-safe manual override
• Time delay may be field adjusted for 1-60 seconds
Weaknesses:
• Anyone can press the release button (unless using a keyed button), so button must be positioned in a secure location (for access control, not for life-safety)
• Some can be defeated easily
• Can open door to stranger when approaching from inside
Comments:
• Used to release door and shunt alarm
• Used for emergency exits when configured to fail-safe
• May be used in conjunction with request to exit (REX) for door alarms and life safety
• Still may require mechanical device exit button to meet life-safety code
• With REX, careful positioning and selection required

MULTI-ZONE ANNUNCIATORS
Strengths:
• Display the status of doors and/or windows throughout a monitored facility
• Alert security when a door intrusion occurs
• Many options available: zone shunt, zone relay and zone supervision
Weaknesses:
• 12 VDC only; special order 24 VDC option
• Door bounce can cause false alarms
• Requires battery backup in case of power failure
Comments:
• Designed to monitor multiple doors from a single location
• May be used in conjunction with door alarms, tailgate detection systems and optical turnstiles
• No annunciation at the door; only at the monitoring station

FULL HEIGHT TURNSTILES
Strengths:
• Provides a physical barrier at the entry location
• Easy assembly
• Easy maintenance
• Available in aluminum and galvanized steel
Weaknesses:
• Physical design ensures to a reasonable degree that only one authorized person will enter, but it will not detect tailgaters
Comments:
• Designed for indoor/outdoor applications
• Used in parking lots, football fields and along fence lines
• Use with a conventional access control device like a card reader

OPTICAL TURNSTILES
Strengths:
• Appropriate for areas with a lot of pedestrian traffic
• Detects tailgating
• Aesthetically pleasing and can be integrated into architectural designs
• Doesn’t require separate emergency exit
• Provides good visual and audible cues to users
Weaknesses:
• Can be climbed over
• Not for outdoor use
Comments:
• Used in building lobby and elevator corridor applications
• Use with a conventional access control device like a card reader
• To ensure compliance, deploy security officers and video surveillance

BARRIER ARM TURNSTILES (Glass gate or metal arms)
Strengths:
• Appropriate for areas with a lot of pedestrian traffic
• Provides a visual and psychological barrier while communicating to pedestrians that authorization is required to gain access
• Detects tailgating
• Reliable
Weaknesses:
• Units with metal-type arms can be climbed over or under
• Not for outdoor use
• Most expensive of the turnstile options
• Requires battery backup in case of power failure
Comments:
• Used in building lobby and elevator corridor applications
• Use with a conventional access control device like a card reader
• To ensure compliance, deploy security officers and video surveillance
• Battery backup is recommended

BIOMETRICS
Strengths:
• Difficult to replicate identity because they rely on unique physical attributes of a person (fingerprint, hand, face or retina)
• Users can’t forget, lose or have stolen their biometric codes
• Reduces need for password and card management
Weaknesses:
• Generally much more expensive than locks or card access solutions
• If biometric data is compromised, the issue is very difficult to address
Comments:
• Except for hand geometry, facial and finger solutions, biometric technology is often appropriate for high-risk areas requiring enhanced security

INTERCOMS
Strengths:
• Allow personnel to communicate with and identify visitors before allowing them to enter a facility
• Can be used for emergency and non-emergency communications
• IP solutions today offer powerful communications and backup systems with integration
Weaknesses:
• Will not reach hearing impaired without modifications
• Not appropriate for entrances requiring throughput of many people in a small amount of time
Comments:
• Appropriate for visitor management, afterhours visits, loading docks, stairwells, etc.
• Use with conventional access control solutions, such as keys or access cards
• Video surveillance solutions can provide visual verification of a visitor
Sample Site Survey for Access Control Systems
Date    Customer Name
Contact Name    Email Address
Street    City
State    Zip    Phone
DVR Y/N    Elevator Control Y/N    Photo Badging Y/N    Time and Attendance Y/N
Access Control
Number of Locations
Communications Method Encryption Y/N
Number of Reader Controlled Doors
Number of Controlled Doors without Readers
Number of Monitored only Doors
Number of Egress Devices
Type of Readers
Type of Cards
Type of Egress Devices
Number of Outputs for other use
Number of Inputs for other use
Number of PCs
Elevator Control
Number of Elevators Cabs to be controlled
Number of Floors to be controlled in each Cab
Photo ID Badging
Number of Badging workstations
Type of Image Gathering File Import / Live Video Capture
Number and Type of Printers
Time and Attendance
Number of Clock in Out Readers
Number of Time Display Modules
Digital Video Recorder Integration
Type of Video System to Integrate with
Physical Security Data or Key Facility Assessment Checklist
1. Site
2. Architectural
3. Structural Systems
4. Building Envelope
5. Utility Systems
6. Mechanical Systems
7. Plumbing and Gas Systems
8. Electrical Systems
9. Fire Alarm Systems
10. Communications and Information Technology Systems
11. Equipment Operations and Maintenance
12. Security Systems
13. Security Master Plan
ITEM / ASSESSMENT QUESTION / ASSESSMENT GUIDANCE / ASSESSMENT COMMENT

1 The Site

1.1 What major structures surround the facility?

1.2 What are the site access points to the facility?

1.3 What are the existing types of anti-ram devices for the facility?

1.4 What is the anti-ram buffer zone standoff distance from a building to unscreened vehicles or parking?
Guidance: Anti-ram protection may be provided by adequately designed: bollards, street furniture, sculpture, landscaping, walls and fences.

1.5 Are perimeter barriers capable of stopping vehicles?
Guidance: If the recommended distance is not available consider structural hardening, perimeter barriers and parking restrictions; relocation of vulnerable functions within or away from the building; operational procedures, acceptance of higher risk.

1.6 Does site circulation prevent high-speed approaches by vehicles?

1.7 Are there offsetting vehicle entrances from the direction of a vehicle’s approach to force a reduction of speed?

1.8 Is there space for inspection at the curb line or outside the protected perimeter? What is the minimum distance from the inspection location to the building?
Guidance: Design features for the vehicular inspection point include: vehicle arrest devices that prevent vehicles from leaving the vehicular inspection area and prevent tailgating. If screening space cannot be provided, other design features such as: hardening and alternative space for inspection.

1.9 In dense, urban areas, does curb lane parking place uncontrolled parked vehicles unacceptably close to a facility in public rights-of-way?
Guidance: Where distance from the building to the nearest curb provides insufficient setback, restrict parking in the curb lane. For typical city streets this may require negotiating to close the curb lane.

1.10 Is there a minimum setback distance between the building and parked vehicles?
Guidance: Adjacent public parking should be directed to more distant or better-protected areas, segregated from employee parking and away from the facility.

1.11 Does adjacent surface parking maintain a minimum standoff distance?
Guidance: Parking within ______feet of the building shall be restricted to authorized vehicles.
1.12 Do stand-alone, above ground parking facilities provide adequate visibility across as well as into and out of the parking facility?
Guidance: Pedestrian paths should be planned to concentrate activity to the extent possible. Limiting vehicular entry/exits to a minimum number of locations is beneficial. Stair tower and elevator lobby design shall be as open as code permits. Stair and/or elevator waiting area should be as open to the exterior and/or the parking areas as possible. Potential hiding places below stairs should be closed off; nooks and crannies should be avoided. Elevator lobbies should be well-lighted and visible to both patrons in the parking areas and the public out on the street.

1.13 Are garages or service area entrances for government controlled or employee permitted vehicles that are not otherwise protected by site perimeter barriers protected by devices capable of arresting a vehicle of the designated threat size at the designated speed?

1.14 Does site landscaping provide hiding places?
Guidance: It is desirable to hold planting away from the facility to permit observation of intruders.

1.15 Is the site lighting adequate from a security perspective in roadway access and parking areas?
Guidance: Security protection can be successfully addressed through adequate lighting. The type and design of lighting including illumination levels is critical. IESNA guidelines can be used.

1.16 Is a perimeter fence or other types of barrier controls in place?

1.17 Do signs provide control of vehicles and people?
2 Architectural

2.1 Does the site planning and architectural design incorporate strategies from crime prevention through environmental design (CPTED) perspective?
Guidance: The focus of CPTED is on creating defensible space by employing natural access controls, natural surveillance and territorial reinforcement to prevent crime and influence positive behavior, while enhancing the intended uses of space. Examples of CPTED attributes include spatial definition of space to control vehicle and pedestrian circulation patterns, placement of windows to reinforce surveillance, defining public space from private/restricted space through design of lobbies, corridors, door placement, pathway and roadway placements, walls, barriers, signage, lighting, landscaping, separation and access control of employee/visitor parking areas, etc.

2.2 Is it a mixed-tenant facility?
Guidance: High-risk tenants should not be housed with low-risk tenants. High-risk tenants should be separated from publicly accessible areas. Mixed uses may be accommodated through such means as separating entryways, controlling access, and hardening shared partitions, as well as through special security operational counter-measures.

2.3 Are public toilets, service spaces or access to vertical circulation systems located in any non-secure areas, including the queuing area before screening at the public entrance?

2.4 Are areas of refuge identified, with special consideration given to egress?

2.5 Are loading docks and receiving and shipping areas separated in any direction from utility rooms, utility mains, and service entrances including electrical, telephone/data, fire detection/alarm systems, fire suppression water mains, cooling and heating mains, etc.?
Guidance: Loading docks should be located so that vehicles will not be driven into or parked under the building. If loading docks are in close proximity to critical equipment, the service shall be hardened for blast.
2.6 Are mailrooms located away from facility main entrances, areas containing critical services, utilities, distribution systems, and important assets? Does the mailroom have adequate space for explosive disposal containers? Is the mailroom located near the loading dock?
Guidance: The mailroom should be located at the perimeter of the building with an outside wall or window designed for pressure relief.

2.7 Is space available for equipment to examine incoming packages and for special containers?
Guidance: Off-site screening stations may be cost effective, particularly if several buildings may share one mailroom.

2.8 Are critical building components located close to any main entrance, vehicle circulation, parking, maintenance area, loading dock, interior parking?
Guidance: Critical building components include: Emergency generator including fuel systems, day tank, fire sprinkler, and water supply; Normal fuel storage; Main switchgear; Telephone distribution and main switchgear; Fire pumps; Building control centers; UPS systems controlling critical functions; Main refrigeration systems if critical to building operation; Elevator machinery and controls; Shafts for stairs, elevators, and utilities; Critical distribution feeders for emergency power. Evacuation and rescue require emergency systems to remain operational during a disaster and they should be located away from attack locations. Primary and back-up systems should not be collocated.

2.9 Do doors and walls along the line of security screening meet requirements of UL752 “Standard for Safety: Bullet-Resisting Equipment”?

2.10 Do entrances avoid significant queuing?
Guidance: If queuing will occur within the building footprint, the area should be enclosed in blast-resistant construction. If queuing is expected outside the building, a rain cover should be provided.

2.11 Do public and employee entrances include space for possible future installation of access control and screening equipment?
Guidance: These include walk-through metal detectors and x-ray devices, ID check, electronic access card, and turnstiles.
2.12 Are there trash receptacles and mailboxes in close proximity to the facility that can be used to hide explosive devices?
Guidance: The size of the trash receptacles and mailbox openings should be restricted to prohibit insertion of packages.

2.13 Is roof access limited to authorized personnel by means of locking mechanisms?

2.14 Are stairwells required for emergency egress located as remotely as possible from high-risk areas where blast events might occur?
Guidance: Stairs should not discharge into lobbies, parking, or loading areas.

2.15 Are enclosures for emergency egress hardened to limit the extent of debris that might otherwise impede safe passage and reduce the flow of evacuees?

2.16 Is access control provided through main entrance points for employees and visitors (e.g. by lobby receptionist, sign-in, staff escorts, issue of visitor badges, checking forms of personal identification, electronic access control systems)?

2.17 Is access to private and public space or restricted area space clearly defined through the design of the space, signage, use of electronic security devices, etc.?

2.18 Is access to elevators distinguished as to those that are designated only for employees, patients and visitors?

2.19 Are high value or critical assets located as far into the interior of the building as possible?

2.20 Is high visitor activity away from assets?

2.21 Are critical assets located in spaces that are occupied 24 hours per day? Are assets located in areas where they are visible to more than one person?

2.22 Is interior glazing near high-threat areas minimized?
2.23 Do interior barriers differentiate level of security within a facility?

2.24 Do foyers have reinforced concrete walls and offset interior and exterior doors from each other?

2.25 Do the circulation routes have unobstructed views of people approaching controlled access points?

2.26 Are pedestrian paths planned to concentrate activity to aid in detection?

2.27 Are ceiling and lighting systems designed to remain in place during emergencies?

3 Structural Systems

3.1 What type of construction? What type of concrete & reinforcing steel? What type of steel? What type of foundation?
Guidance: The type of construction provides an indication of the robustness to abnormal loading and load reversals. Reinforced concrete moment resisting frame provides greater ductility and redundancy than a flat-slab or flat-plate construction. The ductility of steel frame with metal deck depends on the connection details, and pre-tensioned or post-tensioned construction provides little capacity for abnormal loading patterns and load reversals. The resistance of load-bearing wall structures varies to a great extent, depending on whether the walls are reinforced or unreinforced. A rapid screening process developed by FEMA for assessing structural hazard identifies the following types of construction with a structural score ranging from 1.0 to 8.5. A higher score indicates a greater capacity to sustain load reversals.
Wood buildings of all types - 4.5 to 8.5
Steel moment resisting frames - 3.5 to 4.5
Braced steel frames - 2.5 to 3.0
Light metal buildings - 5.5 to 6.5
Steel frames with cast-in-place concrete shear walls - 3.5 to 4.5
Concrete moment resisting frames - 2.0 to 4.0
Concrete shear wall buildings - 3.0 to 4.0
Concrete frame with unreinforced masonry infill walls - 1.5 to 3.0
Steel frame with unreinforced masonry infill walls - 1.5 to 3.0
Tilt-up buildings - 2.0 to 3.5
Precast concrete frame buildings - 1.5 to 2.5
Reinforced masonry - 3.0 to 4.0
Unreinforced masonry - 1.0 to 2.

3.2 Do the reinforced concrete structures contain symmetric steel reinforcement (positive and negative faces) in all floor slabs, roof slabs, walls, beams and girders that may be subjected to rebound, uplift and suction pressures? Do the lap splices fully develop the capacity of the reinforcement? Are lap splices and other discontinuities staggered? Do the connections possess ductile details? Is special shear reinforcement, including ties and stirrups, available to allow large post-elastic behavior?

3.3 Are the steel frame connections moment connections? Is the column spacing minimized so that reasonably sized members will resist the design loads and increase the redundancy of the system? What are the floor-to-floor heights?

3.4 Are critical elements vulnerable to failure?
Guidance: The priority for upgrades should be based on the relative importance of structural or non-structural elements that are essential to mitigating the extent of collapse and minimizing injury and damage. Primary Structural Elements provide the essential parts of the building’s resistance to catastrophic blast loads and progressive collapse. These include columns, girders, roof beams, and the main lateral resistance system; Secondary Structural Elements consist of all other load bearing members, such as floor beams, slabs, etc.; Primary Non-Structural Elements consist of elements (including their attachments) which are essential for life safety systems or elements which can cause substantial injury if failure occurs, including ceilings or heavy suspended mechanical units; and Secondary Non-Structural Elements consist of all elements not covered in primary non-structural elements, such as partitions, furniture, and light fixtures.

3.5 Will the structure suffer an unacceptable level of damage resulting from the postulated threat?
Guidance: The extent of damage to the structure and exterior wall systems from the bomb threat may be related to a protection level:
Low and Medium/Low Level Protection - Major damage. The facility or protected space will sustain a high level of damage without progressive collapse. Casualties will occur and assets will be damaged. Building components, including structural members, will require replacement, or the building may be completely un-repairable, requiring demolition and replacement.
Medium Level Protection - Moderate damage, repairable. The facility or protected space will sustain a significant degree of damage, but the structure should be reusable. Some casualties may occur and assets may be damaged. Building elements other than major structural members may require replacement.
Higher Level Protection - Minor damage, repairable. The facility or protected space may globally sustain minor damage with some