Physical Security Assessment

Basic Concepts of a Physical Security

AssessmentDaniel R. Finger MPA, CPP, CHPA

Physical Security Specialist

Why Do Assessment?

• Joint Commission• OSHA• Health Departments• Medicare/Medicaid• Other Regulatory Agencies• Moral/Ethical Responsibility

Why Do Assessments? (Cont.)

• Due Diligence• Reasonable Expectations to Avoid Harm to People or

Property

• Protection of Employees, Visitors, and Patients• Protection of Company Assets• Business Reputation

Three Requirements for a Security Issue

Opportunity

MotiveMeans

Definition: Risk Assessment

• Process of identifying internal and external threats and vulnerabilities, identifying the likelihood of the event, defining the critical functions necessary to continue an organization’s operations, defining the controls in place to reduce exposure and evaluate the costs*

* ASIS Business Continuity Guideline 2004

Evaluation

• Physical (Tangible Property)

• Cyber (Electronic)

• Human (Functions of People)

Protection

• Deter Threat

• Mitigate Vulnerabilities

• Minimize Consequences

Risk Management Framework

• Establish Security Goals• Identify Assets, Systems, Networks, Functions• Assess Risk, Threats, Vulnerabilities,

Consequences• Prioritize• Implement Proactive Programs• Measure Effectiveness (If Possible)• Modify Program if Necessary

Common Oversights of Security Directors

• Having Guard Services Without Knowledge of How Company Works• Ex. Cheap vs. Effective

• Prioritizing Appearance Over Effectiveness• Failure to Secure All Perimeter Doors• Allowing Administration to be Lax on Rules• Neglecting to Learn New Technologies• Failing to Lock and Secure Critical Rooms• Overdoing (Going to an Extreme)

Major Categories

• Operations (Day to Day)• Local Facility or Event Driven

• Operations Planning• National/Local for Potential Events

• Administrative Issues• Oversight/Compliance/Legal

Potential Pitfalls

• Funding (Lack There Of)

• Erosion of Security Role

• Standards Proliferation

• Changing Litigation Landscape

Security Master Plan

• Linking the Security Departments Mission into the Mission and Vision of the Organization

• No Link = Disconnect, Confusion, and Unfocused Objective

Joint Commission Security Standards

• It is Essential that an Organization Manages the Physical and Personal Security of Individuals and Staff (including the potential for violence coming to the organization’s buildings)

• Security of the Established Environment, Equipment, Supplies, and Information is Important

Identification of Practices• Addressing Security Issues Concerning Patients,

Visitors, Staff, and Property• Reporting and Investigating All Security Incidents

Involving Patients, Visitors, Staff, and Property• Identifying Patients, Visitors, and Staff• Controlling Access to Sensitive Areas as

Determined by the Organization

Performance Elements• Written Management Plan

•Describe Process Procedures• Identification of Individual to Coordinate,

Development, Implementation, and Monitoring or Security Management Activities

• Conducting Proactive Risk Assessments to Evaluate Potential or Real Adverse Impacts on Business Continuity

Performance Elements (Cont.)• Identification of Anyone Entering the

Organization’s Facilities• Actions to be Followed in the Event of a Security

Incident• Identification and Implementation of Procedures

that Address Infant or Pediatric Abduction

Performance Elements (Cont.)• Select and Implement Procedures and Controls to

Lower Potential Impact on Business Continuity• Control of Access and Egress from Designated,

Sensitive Areas• Security Procedures Addressing VIPs• Control of Vehicles and Emergency Care Areas

Security Management Program• Evaluating, Prioritizing, and Having a Written

Response Plan so that a Multitude of People Within Your Company Know How to Respond to an Unplanned Occurrence or Emergency

Physical Survey• Physical

• Lighting and access control• CCTV and Security • Alarms, Fencing, Etc

• Infrastructure• Power, Gas, Water, Communications, Back Up

Services

• CPTED (Crime Prevention Through Environmental Design)

• Natural Surveillance• Natural Access• Territorial Reinforcements

Physical Security Examples• Access Control

• Electronic• Visual Observation

• Locks/Keys• Restricted Keyways• Management Plan

• Lighting• Adequate Illumination• Unobstructed Maximum Performance

• Fencing• Adequate for Purpose• Properly Maintained

• Alarms• Intrusion, Panic, Detection

Physical Security Examples (Cont.)• Parking

• Well designed Lots• Lighting• Signage• Access Control• Lot Designation

• Employee Screening• Criminal Background Check• Drug• Financial• Driver’s License

Physical Security Examples (Cont.)• Barriers/Bollards

• Parking Proximity to Building• Prevention of Wayward Vehicles

• Security• Proprietary• Contract• Hybrid• Law Enforcement• Patrol Procedures

• Crime Analysis of Area

Infrastructure

• Underlying Foundation or Basic Framework of a System or Organization*

• Vulnerability or Redundant Control of…• Water• Gas• Electric• Sewer• Communications

• Building Security • Power Plant

*Merriam Webster Collegiate Dictionary

CPTED

• Concept is involved at the design level with architects or designers to consider and evaluate security concerns prior to construction

• Defensible Space: A range of mechanisms, real and symbolic barriers, strongly defined areas of influence, and improved areas of surveillance that combine to bring the environment under control

• Threats• Real or Perceived• Perception is Reality

CPTED Actors• Target Hardening

• Crime Targets Physically Difficult to Penetrate

• Normal Users• Persons You Desire to be in a Certain Place

• Abnormal Users• People You Do Not Desire to be in the Place

• Observers• Persons Who Have to be in that Area to Observe the

Human Function

Key CPTED Concepts• Natural Surveillance

• Areas Where People and Activity Can Be Readily Observed

• Natural Access Control• Controlling Access to a Site

• Territorial Behavior• People Develop a Strong Sense of Ownership

CPTED Benefits• Reduction of Crime• Perceived Greater Safety and Security• Improved Quality of Life• Examples using Landscaping:

• 2’ 6’ Rule• Hostile Vegetation• Lights Above Tree Canopy• Line of Sight• Overgrown or Improperly Maintained

Landscaping

Traffic Calming• Physical Measures that Reduce the Effects of

Motor Vehicle Use and Improve Conditions for Non-Motorized Street Users

• Examples:• Speed Bumps• Curved Roads• Islands• Chokers• Median Barriers

Fencing• Add Security• Delineate Property• Offer Privacy• Create Barriers• Provide Character for Area

Must Be Properly Maintained to be Effective

Lighting• Two Purposes

• Illumination of Human Activity• Used for Security

• Quality is as Important as Quantity

• Uniformity is the Key

Lighting (Cont.)• Different Styles of Lights to Adapt to Particular

Usage• Example: Mercury Vapor, High/Low Pressure

Sodium• Timers or Manual• Change at Daylight Savings• Properly Maintained

Summary

• The Key to CPTED is in the DESIGN phase where potential problems are thought out ahead of time.

• Assessments are a composite of many security and risk management concepts that must be integrated into a total picture and not piece meal.

“There are risks and costs to a program of action. But they are far less than the long range risks and

costs of comfortable inaction.”

- John F. Kennedy

KRAA Security ServicesManaged Services• Firewalls• Intrusion Detection• Email Security• Network Defense• Vulnerability

Management• Malware / Spyware• Host Intrusion• Antivirus

Assessment Services• Risk Assessment• Policy Development• Vulnerability

Scanning• PCI• HIPAA• Website Testing• Security Architecture• Email Encryption• Online Training

KRAA Security Information ServicesSecurity End to End + Multi-Layer =

Complete

Firewall

Public InternetAccess

Remote Sites

Main SiteWorkstations

ApplicationServers Web

Servers DatabaseServers

EmailServers

Internal/External Scanning Remote Asessment

VulnerabilityDefense

Website Monitoring Phishing & Pharming

Firewall Intrusion Prevention

IntrusionDefense

Intrusion Detection Web Browsing AV

Managed VPN/WAN Network Availibility Hosting

NetworkDefense

Web Content Filtering Remote VPN Identity Tokens eSecurity Training

UserDefense

Anti Virus SPAM Filtering Content Filtering

EmailDefense

Encrypted Email Email Archiving Hosted Email

Anti Virus HIDS/HIPS Log Management

SystemDefense

Policy Compliance Remote Backup & Recovery Patch Management

Dan FingerContact

Info@kraasecurity.com