Upload
gary-bahadur
View
7.168
Download
4
Embed Size (px)
DESCRIPTION
Physical Security Assessment processes and procedures. Recommendations on building security.
Citation preview
Physical Security Assessment
Basic Concepts of a Physical Security
AssessmentDaniel R. Finger MPA, CPP, CHPA
Physical Security Specialist
Why Do Assessment?
• Joint Commission• OSHA• Health Departments• Medicare/Medicaid• Other Regulatory Agencies• Moral/Ethical Responsibility
Why Do Assessments? (Cont.)
• Due Diligence• Reasonable Expectations to Avoid Harm to People or
Property
• Protection of Employees, Visitors, and Patients• Protection of Company Assets• Business Reputation
Three Requirements for a Security Issue
Opportunity
MotiveMeans
Definition: Risk Assessment
• Process of identifying internal and external threats and vulnerabilities, identifying the likelihood of the event, defining the critical functions necessary to continue an organization’s operations, defining the controls in place to reduce exposure and evaluate the costs*
* ASIS Business Continuity Guideline 2004
Evaluation
• Physical (Tangible Property)
• Cyber (Electronic)
• Human (Functions of People)
Protection
• Deter Threat
• Mitigate Vulnerabilities
• Minimize Consequences
Risk Management Framework
• Establish Security Goals• Identify Assets, Systems, Networks, Functions• Assess Risk, Threats, Vulnerabilities,
Consequences• Prioritize• Implement Proactive Programs• Measure Effectiveness (If Possible)• Modify Program if Necessary
Common Oversights of Security Directors
• Having Guard Services Without Knowledge of How Company Works• Ex. Cheap vs. Effective
• Prioritizing Appearance Over Effectiveness• Failure to Secure All Perimeter Doors• Allowing Administration to be Lax on Rules• Neglecting to Learn New Technologies• Failing to Lock and Secure Critical Rooms• Overdoing (Going to an Extreme)
Major Categories
• Operations (Day to Day)• Local Facility or Event Driven
• Operations Planning• National/Local for Potential Events
• Administrative Issues• Oversight/Compliance/Legal
Potential Pitfalls
• Funding (Lack There Of)
• Erosion of Security Role
• Standards Proliferation
• Changing Litigation Landscape
Security Master Plan
• Linking the Security Departments Mission into the Mission and Vision of the Organization
• No Link = Disconnect, Confusion, and Unfocused Objective
Joint Commission Security Standards
• It is Essential that an Organization Manages the Physical and Personal Security of Individuals and Staff (including the potential for violence coming to the organization’s buildings)
• Security of the Established Environment, Equipment, Supplies, and Information is Important
Identification of Practices• Addressing Security Issues Concerning Patients,
Visitors, Staff, and Property• Reporting and Investigating All Security Incidents
Involving Patients, Visitors, Staff, and Property• Identifying Patients, Visitors, and Staff• Controlling Access to Sensitive Areas as
Determined by the Organization
Performance Elements• Written Management Plan
•Describe Process Procedures• Identification of Individual to Coordinate,
Development, Implementation, and Monitoring or Security Management Activities
• Conducting Proactive Risk Assessments to Evaluate Potential or Real Adverse Impacts on Business Continuity
Performance Elements (Cont.)• Identification of Anyone Entering the
Organization’s Facilities• Actions to be Followed in the Event of a Security
Incident• Identification and Implementation of Procedures
that Address Infant or Pediatric Abduction
Performance Elements (Cont.)• Select and Implement Procedures and Controls to
Lower Potential Impact on Business Continuity• Control of Access and Egress from Designated,
Sensitive Areas• Security Procedures Addressing VIPs• Control of Vehicles and Emergency Care Areas
Security Management Program• Evaluating, Prioritizing, and Having a Written
Response Plan so that a Multitude of People Within Your Company Know How to Respond to an Unplanned Occurrence or Emergency
Physical Survey• Physical
• Lighting and access control• CCTV and Security • Alarms, Fencing, Etc
• Infrastructure• Power, Gas, Water, Communications, Back Up
Services
• CPTED (Crime Prevention Through Environmental Design)
• Natural Surveillance• Natural Access• Territorial Reinforcements
Physical Security Examples• Access Control
• Electronic• Visual Observation
• Locks/Keys• Restricted Keyways• Management Plan
• Lighting• Adequate Illumination• Unobstructed Maximum Performance
• Fencing• Adequate for Purpose• Properly Maintained
• Alarms• Intrusion, Panic, Detection
Physical Security Examples (Cont.)• Parking
• Well designed Lots• Lighting• Signage• Access Control• Lot Designation
• Employee Screening• Criminal Background Check• Drug• Financial• Driver’s License
Physical Security Examples (Cont.)• Barriers/Bollards
• Parking Proximity to Building• Prevention of Wayward Vehicles
• Security• Proprietary• Contract• Hybrid• Law Enforcement• Patrol Procedures
• Crime Analysis of Area
Infrastructure
• Underlying Foundation or Basic Framework of a System or Organization*
• Vulnerability or Redundant Control of…• Water• Gas• Electric• Sewer• Communications
• Building Security • Power Plant
*Merriam Webster Collegiate Dictionary
CPTED
• Concept is involved at the design level with architects or designers to consider and evaluate security concerns prior to construction
• Defensible Space: A range of mechanisms, real and symbolic barriers, strongly defined areas of influence, and improved areas of surveillance that combine to bring the environment under control
• Threats• Real or Perceived• Perception is Reality
CPTED Actors• Target Hardening
• Crime Targets Physically Difficult to Penetrate
• Normal Users• Persons You Desire to be in a Certain Place
• Abnormal Users• People You Do Not Desire to be in the Place
• Observers• Persons Who Have to be in that Area to Observe the
Human Function
Key CPTED Concepts• Natural Surveillance
• Areas Where People and Activity Can Be Readily Observed
• Natural Access Control• Controlling Access to a Site
• Territorial Behavior• People Develop a Strong Sense of Ownership
CPTED Benefits• Reduction of Crime• Perceived Greater Safety and Security• Improved Quality of Life• Examples using Landscaping:
• 2’ 6’ Rule• Hostile Vegetation• Lights Above Tree Canopy• Line of Sight• Overgrown or Improperly Maintained
Landscaping
Traffic Calming• Physical Measures that Reduce the Effects of
Motor Vehicle Use and Improve Conditions for Non-Motorized Street Users
• Examples:• Speed Bumps• Curved Roads• Islands• Chokers• Median Barriers
Fencing• Add Security• Delineate Property• Offer Privacy• Create Barriers• Provide Character for Area
Must Be Properly Maintained to be Effective
Lighting• Two Purposes
• Illumination of Human Activity• Used for Security
• Quality is as Important as Quantity
• Uniformity is the Key
Lighting (Cont.)• Different Styles of Lights to Adapt to Particular
Usage• Example: Mercury Vapor, High/Low Pressure
Sodium• Timers or Manual• Change at Daylight Savings• Properly Maintained
Summary
• The Key to CPTED is in the DESIGN phase where potential problems are thought out ahead of time.
• Assessments are a composite of many security and risk management concepts that must be integrated into a total picture and not piece meal.
“There are risks and costs to a program of action. But they are far less than the long range risks and
costs of comfortable inaction.”
- John F. Kennedy
KRAA Security ServicesManaged Services• Firewalls• Intrusion Detection• Email Security• Network Defense• Vulnerability
Management• Malware / Spyware• Host Intrusion• Antivirus
Assessment Services• Risk Assessment• Policy Development• Vulnerability
Scanning• PCI• HIPAA• Website Testing• Security Architecture• Email Encryption• Online Training
KRAA Security Information ServicesSecurity End to End + Multi-Layer =
Complete
Firewall
Public InternetAccess
Remote Sites
Main SiteWorkstations
ApplicationServers Web
Servers DatabaseServers
EmailServers
Internal/External Scanning Remote Asessment
VulnerabilityDefense
Website Monitoring Phishing & Pharming
Firewall Intrusion Prevention
IntrusionDefense
Intrusion Detection Web Browsing AV
Managed VPN/WAN Network Availibility Hosting
NetworkDefense
Web Content Filtering Remote VPN Identity Tokens eSecurity Training
UserDefense
Anti Virus SPAM Filtering Content Filtering
EmailDefense
Encrypted Email Email Archiving Hosted Email
Anti Virus HIDS/HIPS Log Management
SystemDefense
Policy Compliance Remote Backup & Recovery Patch Management