After careful review of the Commonwealth of Massachusetts "Enterprise Physical & Environmental Security Policy", the following whitepaper was prepared as a response, drawing on the concepts, best practices, countermeasures and tools available under contract FAC64, "Security Surveillance and Access Control Systems."
Auburn Regional Office
489 Washington Street
Auburn, MA 01501
Phone: (508) 453-2731
www.AmericanAlarm.com
Best Practices For Integrated Physical Security Capabilities
Supporting Massachusetts Document Reference: ITD-SEC-10.1
Dated: October 29, 2010 | Entitled
“Enterprise Physical & Environmental Security Policy”
By James E. McDonald
Integrated Systems Consultant
Government Contracts Team
An AACI White Paper
Contents
Executive Summary
The Security Policy Applies To
Perception of Detection and Fraud
Compliance Consulting Process
Overview
Commonwealth Policy Statement
Physical Security Best Practices
Critical Infrastructure and Environmental Monitoring
Implementation
Key External Technology
Key Internal Technology
Policy Basics
Non-Compliance
Identification Procedures
Physical Security Information Management (PISM)
In Summary
FAC64 State Contract
Contact Information
Appendix A: Understanding Physical Access Control Solutions
Executive Summary
Physical security technology today is all about the network: if you're not on the network, you are probably not working. The physical protection of facilities, including the perception that negative human behaviors will be detected, is the key to effective physical security, network security and risk management.

In response to the Commonwealth of Massachusetts Enterprise Physical & Environmental Security Policy (Reference # ITD-SEC-10.1, issued 10-29-2010 by the Information Technology Division), this document describes the physical security and monitoring solutions available to meet the requirements that Secretariats and their respective Agency or Contractor facilities must address when defining a policy to implement adequate physical and environmental security controls, and to secure and protect information, assets, infrastructure and Information Technology (IT) resources, using solutions provided to these departments under Operational Services Division (OSD) procurement contract FAC64.

According to this policy, the Secretariats and their respective Agencies must implement the appropriate combination of controls (administrative, technical, physical) to provide reasonable assurance that security objectives are met. Agencies must achieve compliance with the overall information security goals of the Commonwealth, including compliance with the laws, regulations, legal agreements, policies and standards to which their technology resources and data, including but not limited to personal information (PI), are subject. This policy encompasses the technologies already deployed within each department as well as the physical security solution technologies themselves, since these integrated solutions are also network appliances.
The Security Policy Applies To
All Commonwealth of Massachusetts Secretariats
and their respective Agencies and entities governed
by the Enterprise Information Security Policy who
must adhere to requirements of this supporting
policy.
The requirements described in the ITD-SEC-10.1
document must be followed by:
• Executive Department employees
• Executive Department Secretariats and their respective Agencies, in addition to any agency or organization that connects to the Commonwealth's wide area network (MAGNet), are required to ensure compliance by any business partner that accesses Executive Department IT resources or shared environments, e.g. MAGNet; and
• Contractors or vendors performing work in or providing goods and services to Commonwealth managed spaces
• Visitors to any Commonwealth managed physical space (e.g. offices, buildings, and network closets) or resource.

Other Commonwealth entities are encouraged to adopt, at a minimum, security requirements in accordance with this Enterprise Physical and Environmental Security Policy or a more stringent agency policy that addresses agency specific and business related directives, laws, and regulations.

Any opinions, findings, conclusions, or recommendations expressed in this publication do not necessarily reflect the views of American Alarm & Communications, Inc. (AACI). Additionally, neither AACI nor any of its employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process included in this publication. Users of information from this publication assume all liability arising from such use.
The Operational Services Division (OSD) is the Commonwealth's central procurement agency; its primary role is to coordinate procurement activity for commodities and services on Statewide Contracts and for Commonwealth Executive Branch Departments. OSD Contract FAC64 for Security, Surveillance and Access Control Systems is a new (2010) statewide contract that covers all security, surveillance and access control needs, including monitoring services, locksmiths, security cameras, lobby turnstiles, CCTV, vehicle access barriers, metal detectors, x-ray machines and locks. Labor under this contract is covered under the Prevailing Wage Law. Statewide Contracts are written to meet the needs of public purchasers, including but not limited to: Executive and Non-Executive Branch departments, municipalities, counties, public colleges and universities, public purchasing cooperatives, local schools, state facilities, public hospitals, certain non-profit organizations, independent authorities, political subdivisions and other states.
American Alarm has been awarded a three-year designation as an approved provider of video surveillance, access control, intrusion protection, alarm monitoring and related security systems by the Commonwealth of Massachusetts. Covered under the state's purchasing contract known as "FAC64 Security Surveillance and Access Control Systems", the state's designation of American Alarm establishes preferred pricing for any eligible public entity in Massachusetts. Additional information concerning this three-year contract is available on-line at http://www.americanalarm.com/business-security/fac64-state-contract
The following protective programs and technologies
involve measures designed to prevent, deter, detect,
and defend against threats; reduce vulnerability to
an attack, internal losses, and other disaster;
mitigate consequences; and enable timely, efficient
response and restoration in any post-event situation.
Protective programs that benefit the Commonwealth are in place at many facilities. American Alarm and Communications, Inc. (AACI) has designed, installed and continues to monitor a range of integrated security systems for public entities including:
• Executive Office of Health and Human Services (EOHHS)
• The Judicial Branch/Trial Courts
• Department of Revenue (DOR)
• Registry of Motor Vehicles
• Massachusetts Medical Examiner's Office in Boston and Holyoke
• State Firefighting Academy in Stow
• Hampden County Sheriff's Outreach Center in Springfield
• Western Massachusetts Hospital in Westfield
among others.
Perception of Detection and Fraud
The following describes what is known as the fraud triangle. For fraud, or most crime and "negative behaviors", to occur, all three elements have to be present. The Commonwealth and its individual Departments can take steps to influence all three legs. Commonwealth employees should be cognizant of pressures and how they relate to the Commonwealth's overall security risk. Rationalizations can be reduced by promoting a strong sense of ethical behavior amongst employees and creating a positive work environment. By implementing strong internal controls, the Commonwealth can remove much of the opportunity for negative behaviors to occur and can increase the chances of detection.

This, the most widely accepted theory for explaining why people steal, was postulated in the early 1950s by Dr. Donald R. Cressey while working on his doctoral dissertation on the factors that lead people to steal from their employers. He called them "trust violators"; he was especially interested in the circumstances that lead otherwise honest people to be overcome by temptation. As the basis of his work he conducted about 200 interviews with inmates at Midwest prisons who at the time were incarcerated for embezzlement. Today this work still remains the classic model for the occupational thief. Over the years his original hypothesis has become known as the Fraud Triangle.
Financial Pressure
Financial Pressure is what causes a person
to commit fraud. Pressure can include
almost anything including medical bills,
expensive tastes, addiction problems, etc.
Most of the time, pressure comes from a
significant financial need/problem. Often
this need/problem is non-sharable in the
eyes of the fraudster. That is, the person
believes, for whatever reason, that their
problem must be solved in secret. However,
some frauds are committed simply out of
greed alone.
Rationalization
Rationalization is a crucial component in most frauds. Rationalization involves a person reconciling his/her behavior (stealing) with the commonly accepted notions of decency and trust. Some common rationalizations for committing fraud are:
• The person believes committing fraud is justified
to save a family member or loved one.
• The person believes they will lose everything –
family, home, car, etc. if they don’t take the
money.
• The person believes that no help is available
from outside.
• The person labels the theft as “borrowing”, and
fully intends to pay the stolen money back at
some point.
• The person, because of job dissatisfaction
(salaries, job environment, treatment by
managers, etc.), believes that something is
owed to him/her.
• The person is unable to understand or does not
care about the consequence of their actions or
of accepted notions of decency and trust.
Opportunity
Opportunity is the ability to commit fraud. Because fraudsters don't wish to be caught, they must also believe that their activities will not be detected. Opportunity is created by weak internal controls, poor management oversight, and/or through use of one's position and authority. Failure to establish adequate procedures to detect fraudulent activity also increases the opportunities for fraud to occur. Of the three elements, opportunity is the leg that organizations have the most control over. It is essential that organizations build processes, procedures, technology and controls that don't needlessly put employees in a position to commit fraud and that effectively detect fraudulent activity if it occurs.
Opportunity-Rationalization-Financial Pressure
The key is that all three of these elements must exist for the trust violation to occur. Technology has always been used to attack the opportunity leg, creating the perception that if you try you will be detected. "Crede sed proba", or "trust but verify", is the key to eliminating negative behaviors and ensuring that policies are followed, thus minimizing fraud. A fraud prevention consultant can discuss the "red flags" of fraud in further detail.
Compliance Consulting Process
Our countermeasures and services today can provide a detailed assessment of all processes, policies and procedures, such as purchasing, cash handling, work flow management, information technology, client intake, human resources, billing, etc. We review security goals, objectives and requirements, and align business and technology strategies for protecting assets by consolidating external compliance and security best practice requirements into a common control framework. We then review the existing policies and security architecture against the controls necessary to achieve compliance requirements, review the effectiveness of policies and procedures, conduct an audit, and track and document actual data. We prioritize gaps, vulnerabilities and possible loss scenarios according to risk, and present findings and prioritized recommendations for addressing discovered weaknesses. To assist our customers in developing a framework of compliance, we at American Alarm and Communications, Inc. have developed a six-step process.
1. Set Goals and Objectives. The Secretariats and their respective agencies define specific outcomes, conditions, end points or performance targets as guiding principles that collectively constitute an effective physical security/risk management posture.
2. Identify Assets and Systems. The identification of assets and facilities is necessary to develop an inventory of assets that can be analyzed further with regard to the criticality of the information needing protection.
3. Assess Risks. We approach each security risk by evaluating consequence, vulnerability and threat information with regard to attack or other hazard, to produce a comprehensive, rational assessment.
4. Prioritize. We have found that it is not appropriate to develop a single, overarching prioritized list for the Commonwealth; many factors may come into play, such as locations, lease terms, etc.
5. Implement Solutions. There is no universal solution for implementing protective security measures; different departments and agencies implement the most effective solutions based on their assessments.
6. Measure Progress. By measuring the effectiveness of protective solutions and their performance, together we can continually improve the security infrastructure at each facility.
We will collaborate with you to develop a road map for the design, implementation and best practices of physical security solutions that are aligned with your department's or agency's mission and values and that will support rather than hinder its operation.
Overview
In today's ever-growing regulatory compliance landscape, organizations can greatly benefit from implementing viable and proven physical security best practices.

There are plenty of complicated documents that can guide companies through the process of designing a secure facility, from the gold-standard specifications used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like ASIS International, to safety requirements from the likes of the National Fire Protection Association.

Recent federal legislation and directives, ranging from the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act of 2002 (SOX) to Homeland Security Presidential Directive 7 (HSPD-7), are putting intense pressure on public and private entities to comply with a myriad of security and privacy requirements. What's more, the public is looking for assurances that a strong control environment is in place to protect private information with security best practices.
Homeland Security Presidential Directive 7 (HSPD-7) identified 18 critical infrastructure and key resources (CIKR) sectors and designated Federal Government Sector-Specific Agencies (SSAs) for each of the sectors.
• Agriculture and Food Sector
• Banking and Finance Sector
• Chemical Sector
• Commercial Facilities Sector
• Communications Sector
• Critical Manufacturing (CM) Sector
• Dams Sector
• Defense Industrial Base (DIB) Sector
• Emergency Services Sector (ESS)
• Energy Sector
• Government Facilities Sector
• Healthcare and Public Health Sector
• Information Technology (IT) Sector
• National Monuments and Icons (NM&I) Sector
• Nuclear Sector
• Postal and Shipping Sector
• Transportation Systems Sector
• Water Sector
Each sector is responsible for developing
and implementing a Sector-Specific Plan
(SSP) and providing sector-level
performance feedback to the Department
of Homeland Security (DHS) to enable gap
assessments of national cross-sector CIKR
protection programs. SSAs are responsible
for collaborating with public and private
sector security partners and encouraging
the development of appropriate
information-sharing and analysis
mechanisms within the sector.
For example, the 2010 Information Technology (IT) Sector-Specific Plan (SSP) is the result of a collaborative effort among the private sector; State, local, and tribal governments; non-governmental organizations; and the Federal Government. The 2010 IT SSP provides a strategic framework for IT Sector critical infrastructure and key resources (CIKR) protection and resilience. The combined efforts across IT Sector partnerships will result in the prioritization of protection initiatives and investments to ensure that resources can be applied where they contribute the most to risk mitigation by lowering vulnerabilities, deterring threats, and minimizing the consequences of outside attacks and other incidents.
Commonwealth Policy Statement
This section contains excerpts from the "Enterprise Physical & Environmental Security Policy":
Secretariats and their respective Agency or
Contractors’ facilities housing information and IT
Resources (e.g. telephone networks, data networks,
servers, workstations, storage arrays, tape back-up
systems, tapes) must protect the physical space in
accordance with the data classification of the IT
Resource or the operational criticality of the
equipment.
Agencies are required to implement controls to
secure against unauthorized physical access, damage
and interference to the agency’s premises,
information and other assets including, but not
limited to, personal information (PI) and IT
Resources by implementing:
1. Workforce Security: Secretariats and their
respective Agencies must implement administrative
and managerial controls that engage the workforce
through awareness and participation. To accomplish
this, Secretariats and their respective Agencies must:
• Identify a management team that will be responsible for managing and enforcing the requirements detailed in this policy. The Secretariat or Agency ISO or designee must be part of the management team.
• Implement appropriate procedures that address at a minimum:
  o Misplaced or stolen keys or any other items used to gain physical access.
  o Suspicion of any potential physical security threat including potential break-ins or the presence of unauthorized persons.
  o Changes in procedures for medical, fire or security events.
• Ensure storage of and access to sensitive information or resources on portable media are handled in a manner that is consistent with this policy and the classification level of the data.
• Educate any individual requiring access to Commonwealth managed space of their responsibility to comply with this policy prior to providing access, including:
  o Helping to ensure that agency access points (entrances/exits) in work areas remain secure. Specifically, locked doors must remain locked and any access codes, keys, badges or other access devices must not be left in accessible places or shared in an unauthorized manner.
• Notify employees that failure to comply with this policy and related policies and procedures may result in disciplinary action.
• Notify vendors, consultants, or contractors that failure to follow this policy or related policies and procedures may be grounds for termination of existing agreements and may be considered in evaluation and negotiation for future agreements.
2. Least privilege: Agencies must
apply the principle of least privilege when
granting physical access rights to
individuals.
• Physical access controls must be
granted at the lowest level of access,
rights, privileges, and security
permissions needed for an individual to
effectively perform authorized tasks on
any IT Resource or information or
within a Commonwealth managed
facility.
• It is important to understand the role
of the individual who is granted access
and how that role impacts the privilege
requirements. For example, the role of
a delivery driver, the individual
responsible for janitorial services in
secure areas, and the network
administrator each have different roles
that require varying levels of privilege.
• Agencies must also address the
technical, operational and managerial
controls necessary to achieve
compliance with least privilege in those
instances where authorized users have
physical access to logically separated
data, applications and/or virtualized
hosts.
3. Visitor control: Agencies must develop
and enforce procedures to monitor and control
access to secure IT facilities and offices by visitors.
Examples of visitors may include contractors,
vendors, customers, friends/family of employees
and employee candidates. Procedures must
address:
• Requirements for use and maintenance of
visitor logs.
• Requirements for visitor identification.
• Requirements specific to a given security zone,
e.g. escorted access to highly sensitive areas.
4. Facility access controls of IT Resources: Secretariats and their respective Agencies must implement, or ensure third party implementation of, physical access controls for all Agency IT facilities and offices that they are responsible for, including access controls for public areas, deliveries and loading areas. Access controls must be implemented based on the data classification or operational criticality of the IT Resources that are housed within a given facility or security zone. A security risk assessment must be performed and documented to locate (map) physical areas and the levels of security needed at each location.
Appropriate levels of security controls must be
installed at areas needing higher levels of security.
Acceptable methods for implementing such controls
include but are not limited to:
• Electronic Card Access.
• Traditional Lock and Key Access.
• Motion and Breach Detection System.
• Video Monitoring.
• Security Service Provider or Third Party
Monitoring Service.
• Attendants, Security Guards or Police Officers.
• Paper or Electronic Logs.
5. Equipment and Environmental security:
Secretariats and their respective Agencies are
responsible for ensuring that Commonwealth
managed facilities (including IT facilities, offices or
facilities that house telephone networks, data
networks, servers, workstations, and other IT-related
systems) can implement adequate environmental
safeguards to ensure availability and protect against
damage (e.g. from high heat, high humidity, etc.).
Environmental safeguards that must be evaluated,
implemented and maintained as appropriate
include:
• Secure installation and maintenance of
Network cabling that protects against
damage to the physical cabling and/or
unauthorized interception of data
traversing the network cables.
• Ability to monitor and detect variation
in temperature and humidity
associated with the use of Heating,
Ventilation and Air Conditioning (HVAC)
systems.
• Use of industry standard methods for
maintaining consistent power supply
including backup generators and/or
Uninterrupted Power Supplies (UPS).
• Use of industry standard network
components including routers,
switches, intelligent hubs and
associated cabling.
• Use of leak detection devices (water).
• Use of fire detection and suppression
devices including fire extinguishers and
sprinkler systems.
• Protection against environmental
hazards such as floods, fires, etc.
Any changes to the deployed environmental
safeguards which affect the availability of
assets or information must be reported
immediately to the business owner, service
manager and ISO or management team as
required by Secretariat or Agency
procedures.
6. Equipment Maintenance:
Agencies must have maintenance
procedures in place to accomplish the
following:
• Keeping all systems and IT equipment
maintained and updated per
manufacturer recommendations to
ensure availability and integrity of the
data and services provided by the
equipment.
• Ensuring that all maintenance,
troubleshooting and repair services are
provided by authorized personnel.
• Keeping current documentation
including maintenance logs, fault logs,
diagnostic details, service records and
corrective measures taken.
• Ensuring adequate controls are
implemented for off-site equipment
prior to sending the equipment off-site for any
reason. At a minimum, Agencies must:
o Securely remove any sensitive data that does
not need to reside on the equipment.
o Have reasonable assurance that the party
responsible for the equipment while it is off site
understands and accepts responsibility for
protecting the equipment, information about
the equipment or information stored on the
equipment at the appropriate level based on the
sensitivity classification of the equipment and
associated information.
7. Secure disposal, removal, or reuse of
equipment: Agencies must document and
implement procedures to reasonably ensure secure
handling and disposal of IT-related equipment,
particularly hardware that contains data classified as
having high or medium sensitivity. Procedures must,
at a minimum, accomplish the following:
• Secure removal or overwriting of licensed
software prior to disposal.
• Effective and permanent removal of the
contents/data on the storage device of
computing equipment using industry standard
techniques or tools to make the original
information non-retrievable. Note: Using the
standard delete or format function is an
unacceptable method of achieving this goal.
• Ensure all equipment containing storage media,
e.g., fixed hard drives are checked to verify that
any licensed software or information classified
as having medium or high sensitivity are
removed or overwritten prior to disposal.
• Specify whether damaged storage devices,
particularly those containing information
classified as having high or medium sensitivity,
must be repaired or destroyed. Procedures may
require that a risk assessment be performed to
determine how the device will need to be
handled. For example, does the content of the
device indicate that the device should be
physically destroyed rather than sent out for
repair or discarded?
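Items 2 through 4 above (least privilege, visitor control and electronic access logs) can be expressed as one access decision rule: deny by default, grant each role only the zones its tasks require, let a visitor enter a non-public zone only with an escort who is personally entitled to that zone, and record every decision. The following is an added Python example, not code from the whitepaper, from ITD-SEC-10.1 or from AACI. The zones, sensitivity levels, role entitlements and people are constructed assumptions chosen to mirror the policy's own examples of a delivery driver, janitorial staff and a network administrator.

```python
"""Least-privilege physical access decisions with visitor escort and an access log.

Added illustration, not code from the whitepaper or from AACI. Zones,
sensitivity levels, roles and people are constructed sample data (assumptions).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PUBLIC, MEDIUM, HIGH = 0, 1, 2

# Constructed zones with an assumed sensitivity level each.
ZONES = {
    "lobby": PUBLIC,
    "loading_dock": MEDIUM,
    "office": MEDIUM,
    "network_closet": HIGH,
    "server_room": HIGH,
}

# Least privilege: each role is entitled only to the zones its tasks need.
# Visitors hold no entitlement of their own; they rely on a public zone or an escort.
ROLE_ZONES = {
    "delivery_driver": {"lobby", "loading_dock"},
    "janitor": {"lobby", "office"},
    "network_admin": {"lobby", "office", "network_closet", "server_room"},
    "visitor": set(),
}


@dataclass(frozen=True)
class Person:
    name: str
    role: str
    badge_id: str


def authorize(person: Person, zone: str, escort: Optional[Person] = None,
              log: Optional[list] = None) -> tuple:
    """Decide whether `person` may enter `zone`; the default outcome is deny.

    Returns (allowed, reason). Every decision, allowed or denied, is appended
    to `log`, so the entries double as the visitor/access log the policy asks for.
    """
    allowed, reason = False, "default deny"
    if zone not in ZONES:
        reason = f"unknown zone {zone!r}"
    elif person.role not in ROLE_ZONES:
        reason = f"unknown role {person.role!r}"
    elif zone in ROLE_ZONES[person.role]:
        allowed, reason = True, f"role {person.role} is entitled to {zone}"
    elif person.role == "visitor":
        if ZONES[zone] == PUBLIC:
            allowed, reason = True, f"{zone} is a public zone"
        elif (escort is not None and escort is not person
              and escort.role != "visitor"
              and zone in ROLE_ZONES.get(escort.role, set())):
            allowed, reason = True, f"escorted by {escort.name} ({escort.role})"
        else:
            reason = f"visitor needs an escort who is entitled to {zone}"
    else:
        reason = f"role {person.role} is not entitled to {zone}"

    if log is not None:
        log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "badge_id": person.badge_id,
            "name": person.name,
            "role": person.role,
            "zone": zone,
            "escort": escort.badge_id if escort else None,
            "decision": "ALLOW" if allowed else "DENY",
            "reason": reason,
        })
    return allowed, reason


if __name__ == "__main__":
    # Constructed sample people.
    driver = Person("D. Driver", "delivery_driver", "B-1001")
    janitor = Person("J. Janitor", "janitor", "B-1002")
    admin = Person("N. Admin", "network_admin", "B-1003")
    guest = Person("V. Visitor", "visitor", "V-2001")
    access_log = []
    for person, zone, escort in [
        (driver, "loading_dock", None),
        (driver, "server_room", None),
        (guest, "lobby", None),
        (guest, "server_room", janitor),  # escort lacks entitlement: denied
        (guest, "server_room", admin),    # escort is entitled: allowed
    ]:
        ok, why = authorize(person, zone, escort, access_log)
        print(f"{'ALLOW' if ok else 'DENY':5} {person.name:>10} -> {zone:14} {why}")
```

The escort check is the part worth noting: an escort only satisfies the visitor rule if the escort's own role is entitled to the zone, so a janitor cannot walk a visitor into the server room even though both are badge holders. Denied attempts are logged alongside allowed ones, which is what makes the log useful for the audits discussed later in this document.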
What should be the high-level goals for making sure
that physical security for the facility is built into the
designs, instead of being an expensive or ineffectual
afterthought?
From the moment an individual arrives on
the grounds and walks through the doors,
the following items should be part of a
facility physical security best practices
program.
Physical Security Best Practices
This section discusses our ideas on best in
class physical security concepts that we use
in our analysis of each department.
Computer systems and networks are
vulnerable to physical attack; therefore,
procedures should be implemented to
ensure that systems and networks are
physically secure. Physical access to a
system or network provides the opportunity
for an intruder to damage, steal, or corrupt
computer equipment, software, and
personal information. When computer
systems are networked with other
departments or agencies for the purpose of
sharing information, it is critical that each
party to the network take appropriate
measures to ensure that its system will not
be physically breached, thereby
compromising the entire network. Physical
security procedures may be the least
expensive to implement but can also be the
most costly if not implemented. The most
expensive and sophisticated computer
protection software can be overcome once
an intruder obtains physical access to the
network.
At the same time these countermeasures
are tools that not only protect the IT
network but also the employees, visitors
and citizens at Commonwealth facilities.
Purpose
This section identifies potential physical
threats to facilities, hardware, software,
and sensitive information. This section also
recommends best practices to secure
computer systems from physical intrusion.
Principles
Identify potential physical threats to
departmental computer systems and
networks. Establish policies and procedures
to thwart potential physical threats.
Conduct audits to monitor employee
compliance with department policies and
procedures.
Policies
An organization should consider including the
following physical security policies in the
organization’s overall security policy:
• Identify unauthorized hardware attached to the department computer system: make routine checks of system hardware for unauthorized hardware.
• Limit installation of hardware and software owned by employees on department desktop workstations.
• Identify, tag, and inventory all computer system hardware.
• Conduct regular inspections and inventories of system hardware.
• Conduct unscheduled inspections and inventories of system hardware.
• Implement policies that instruct employees/users on how to react to intruders and how to respond to incidents in which an intrusion has been detected.
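One way to carry out the inventory and unauthorized-hardware checks above is to reconcile the tagged asset inventory against what an audit actually observes on the network, which surfaces three findings at once: devices present but not in the inventory (unauthorized), inventoried devices not seen (missing) and devices seen somewhere other than their recorded location (misplaced). The following is an added Python example, not code from the whitepaper or from AACI. The asset tags, MAC addresses and room names are constructed sample data; in practice the observed list would be pulled from switch MAC address tables, DHCP leases or an endpoint inventory agent.

```python
"""Reconcile an authorized hardware inventory against devices observed during an audit.

Added illustration, not code from the whitepaper or from AACI. The inventory
and the observed devices are constructed sample data (assumptions).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    tag: str        # inventory/asset tag applied to the device
    mac: str        # hardware address in normalized form
    location: str   # room or closet where the device is authorized to be


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so '00-1A-2B-..', '001a.2b3c..' and
    '00:1a:2b:..' all compare equal; anything that is not 12 hex digits is rejected."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample: the department's authorized, tagged inventory.
AUTHORIZED = [
    Asset("ASSET-0001", normalize_mac("00-1A-2B-3C-4D-01"), "Room 101"),
    Asset("ASSET-0002", normalize_mac("00-1A-2B-3C-4D-02"), "Room 101"),
    Asset("ASSET-0003", normalize_mac("00-1A-2B-3C-4D-03"), "Network Closet B"),
]

# Constructed sample: what a monthly audit observed, as (mac, location) pairs.
OBSERVED = [
    ("00-1A-2B-3C-4D-01", "Room 101"),
    ("001a.2b3c.4d03", "Room 204"),      # inventory says Network Closet B
    ("AA-BB-CC-DD-EE-FF", "Room 101"),   # not in the inventory at all
]


def reconcile(authorized, observed):
    """Return a dict of unauthorized, missing and misplaced findings.

    unauthorized: (mac, locations) for observed devices absent from the inventory
    missing:      asset tags in the inventory that were not observed anywhere
    misplaced:    (tag, expected location, observed locations) where they differ,
                  which also catches one MAC showing up in two places at once
    """
    by_mac = {a.mac: a for a in authorized}
    seen = {}
    for mac, location in observed:
        seen.setdefault(normalize_mac(mac), set()).add(location)

    unauthorized = sorted(
        (mac, ", ".join(sorted(locs))) for mac, locs in seen.items() if mac not in by_mac
    )
    missing = sorted(a.tag for a in authorized if a.mac not in seen)
    misplaced = sorted(
        (a.tag, a.location, ", ".join(sorted(seen[a.mac])))
        for a in authorized
        if a.mac in seen and seen[a.mac] != {a.location}
    )
    return {"unauthorized": unauthorized, "missing": missing, "misplaced": misplaced}


def report(findings) -> str:
    """Render the findings as the short text an auditor would attach to the monthly record."""
    lines = []
    for mac, where in findings["unauthorized"]:
        lines.append(f"UNAUTHORIZED  {mac}  seen at {where}")
    for tag in findings["missing"]:
        lines.append(f"MISSING       {tag}  not observed")
    for tag, expected, actual in findings["misplaced"]:
        lines.append(f"MISPLACED     {tag}  expected {expected}, seen at {actual}")
    return "\n".join(lines) if lines else "no discrepancies"


if __name__ == "__main__":
    print(report(reconcile(AUTHORIZED, OBSERVED)))
```

Normalizing the MAC form before comparing matters because switch tables, DHCP servers and spreadsheets each write addresses differently; without it every device would look unauthorized. The same reconciliation applies unchanged to USB serial numbers or asset-tag scans, only the identifier changes.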
Physical security practices should address threats
due to theft, vandalism, and malicious internal or
external staff.
• Theft—Theft of hardware, software, or data can
be expensive due to the necessity to restore lost
data and the cost of replacing equipment and
software. Theft also causes a loss of confidence
in the department that may have compromised
the network.
• Vandalism—Vandalism in most cases is not
directed at compromising a system or network
so much as it is the senseless destruction of
property. Both external and internal
perpetrators may pose a vandalism threat. Low
morale in an organization may be the underlying
reason for vandalism caused by internal
perpetrators. The actual threat to a network
posed by vandalism is difficult to assess because
vandalism is generally not motivated by a
conscious effort to compromise a network. Like
theft, vandalism can be expensive due to the
necessity to replace damaged equipment and
software.
• Threats Posed by Internal and External Staff—
Internal and external intruders may attempt to
manipulate or destroy IT equipment,
accessories, documents, and software. The
potential of damage caused by the manipulation
of intruders increases the longer they remain
undetected, thereby increasing their knowledge
of the system and their ability to wreak
havoc on a network. The threats may
include unauthorized access to
sensitive data and outright destruction
of data media or IT systems. Internal
staff may attempt to modify privileges
or access unauthorized information,
either for their own purposes or for
others. This may result in system
crashes or breaches in other areas of
the network opened up through
configuration errors.
• Temporary workers, contractors, and
consultants represent a unique security
threat in that they are generally not
subject to the same background checks
as a department’s full-time employees,
but they may be granted the same high
level of access to the system and
network. Contractors and consultants
will sometimes know the applications
and operating systems running on the
network better than department
employees. Temporary employees
should be closely scrutinized until a
level of trust can be established.
Consulting firms and contract agencies
should be questioned about their hiring
policies and standards. Cleaning staff
may also cause threats either by theft
of system components or from using
the system improperly, such as by
accidentally detaching a plug-in
connection, allowing water seepage
into equipment, or mislaying or
discarding documents as trash.
• An intruder may attempt to
masquerade as or impersonate a valid
system user by obtaining a false
identity and appropriating a user ID
and password. Someone may be misled
about the identity of the party being
communicated with for the purpose of
obtaining sensitive information. An
intruder can also use masquerading to
connect to an existing connection
without having to authenticate himself,
as this step has already been taken by
the original participants in the
communication.
• Social engineering can be used by
internal or external intruders to access
sensitive information. Intruders act like
department staff and drop insider names and
jargon during conversations to obtain information.
“Sounding” is done by telephone: intruders pose as
staff, as in the following examples:
o A staff member who must urgently
complete an assignment but has
forgotten his password.
o An administrator who is attempting to
correct a system error and needs a user
password.
o A telephone technician requesting
information, such as a subscriber
number or modem configurations and
settings.
Applying the following physical security measures
mitigates these threats.
• Identification of Unauthorized Hardware
Attached to a System—Establish policies that
prohibit employees from attaching unauthorized
hardware to the office system. Unauthorized
hardware includes computers, modems,
terminals, printers, disk or tape drives, and
removable storage. The policies should also
restrict the software that employees may load
onto the office system, and should cover
opening unidentified e-mail attachments and
downloading files from the Internet.
• Perform monthly audits of all systems and
peripherals attached to the network
infrastructure, reconciling what is observed
on the network against the asset inventory so
that both unauthorized attached hardware and
missing or misplaced hardware stand out. Make
random physical inspections of equipment as
well, since a device can be attached without
ever appearing on the network (a hardware
keylogger on a keyboard cable, for example).
• Inspect computers and networks for signs of
unauthorized access. Search for intrusion or
tampering with CDs, tapes, disks, paper, and
system components that are subject to physical
compromise by damage, theft, or corruption.
• Protection against Break-In—Intruders choose
targets by weighing the risk and effort against
the expected reward. Therefore, all measures
implemented to prevent break-ins should
increase the intruder's risk of being caught.
The measures should be adapted to each specific
situation: protect doors and windows with
security shutters, add locks or security bars,
add lighting inside and outside the building,
and seek advice from police and security
professionals. When planning physical
security measures, care must be taken
to ensure that provisions relating to fire
and personal protection (e.g., regarding
the serviceability of escape routes) are
not violated. Staff must be trained on
the anti-burglary measures that are to
be observed.
• Entry Regulations and Controls—A
fundamental but frequently overlooked
aspect of sound internal security is the
physical restriction of access to
systems and networks. Good physical
security inside the offices is the
necessary complement to whatever building
security an organization may have in
place. Know who is entering department
offices at all times, and ensure that all
secure areas are locked and their access
restricted. Network security measures can
be rendered useless if an intruder can
bluff his way past the entrance security,
walk into a computer room, and take
diskettes, tapes, or servers.
• Strangers, visitors, craftsmen, and
maintenance and cleaning staff should
be supervised. Should the need arise to
leave a stranger alone in an office, the
occupant of that office should ask
another staff member to supervise or
request the visitor to wait outside the
office. If it is not possible to accompany
outsiders, the minimum requirement
should be to secure the personal work
area: desk, cabinet, and computer. The
requirement for this measure must be
explained to the staff and should be
made part of department policy and
training.
• Control entry into buildings and rooms
housing sensitive equipment. Security
measures may range from issuance of
keys to high-tech identification
systems. When implementing policies for entry
regulation, consider the following:
• The area subject to security regulations
should be clearly defined.
• The number of persons with access should
be reduced to a minimum.
• Authorized persons should be mutually
aware of others with access authority in
order to be able to recognize unauthorized
persons.
• Visitors should only be allowed to enter
after the need to do so has been previously
verified.
• The permissions granted must be
documented.
• Access should be limited by locked
rooms/entrances, physical zones, and
identification badges.
• A record must be kept of accesses.
• Staff should be trained to challenge unknown
or unescorted persons in the secured area.
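The monthly audit of attached hardware recommended earlier in this list is easiest to run when what is seen on the network is compared against the asset inventory mechanically. The following Python script is an added example for this whitepaper, not AACI's or the Commonwealth's code; the inventory, the `arp -a` lines it parses, and the MAC addresses are constructed, and any switch MAC table or DHCP lease export parsed into the same `{mac: (host, ip)}` shape would serve equally.

```python
"""Reconcile devices observed on the network against the approved hardware
inventory. Added example for this whitepaper; not AACI code.

Sample inventory and ARP lines are constructed. The ARP lines follow the
format printed by `arp -a` on Linux; a switch MAC table or DHCP lease export
would work the same way once parsed into {mac: (host, ip)}."""
import re
from dataclasses import dataclass

# Constructed inventory: MAC address -> (asset tag, description). Hypothetical values.
APPROVED_INVENTORY = {
    "00:1a:2b:3c:4d:01": ("A-1001", "server room switch uplink"),
    "00:1a:2b:3c:4d:02": ("A-1002", "print server, 2nd floor"),
    "00:1a:2b:3c:4d:03": ("A-1003", "badge controller panel"),
}

# Constructed `arp -a` output. The last line is an unresolved entry.
SAMPLE_ARP_OUTPUT = """\
switch01.example (10.0.1.2) at 00:1a:2b:3c:4d:01 [ether] on eth0
printsrv.example (10.0.1.20) at 00:1a:2b:3c:4d:02 [ether] on eth0
? (10.0.1.77) at 00:de:ad:be:ef:01 [ether] on eth0
? (10.0.1.78) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "unknown": attached but not in inventory; "missing": in inventory, not seen
    mac: str
    detail: str


def parse_arp(text):
    """Return {mac: (host, ip)} for resolved entries; unresolved lines are skipped."""
    observed = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            observed[m["mac"].lower()] = (m["host"], m["ip"])
    return observed


def reconcile(observed, inventory):
    """Compare one audit snapshot with the inventory and return the discrepancies."""
    findings = []
    for mac, (host, ip) in sorted(observed.items()):
        if mac not in inventory:
            findings.append(Finding("unknown", mac, f"{host} {ip}"))
    for mac, (tag, desc) in sorted(inventory.items()):
        if mac not in observed:
            findings.append(Finding("missing", mac, f"{tag} {desc}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_arp(SAMPLE_ARP_OUTPUT), APPROVED_INVENTORY):
        print(f"{f.kind:8} {f.mac}  {f.detail}")
```

Treat the output as a worklist for the physical inspection rather than a verdict: a MAC address is set by the device and is trivially changed, so a MAC that matches the inventory does not prove the approved asset is what is plugged in; an ARP snapshot only covers the local segment; and a "missing" device may simply be powered off. Devices that never talk on the network only turn up in the random physical inspections.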
Entrance Security Staff—Establishment of an
entrance control service has far-reaching, positive
effects against a number of threats. However, this
presupposes that some fundamental principles are
observed in the performance of entrance control.
Entrance security staff must observe and/or monitor
all movements of persons at the entrance. Unknown
persons must prove their identity to the entrance
security staff. Before a visitor is allowed to enter, a
check should be made with the person to be visited.
A visitor must be escorted to the person to be visited
or met by the latter at the entrance. Security staff
must know the office employees. In case of
termination of employment, security staff must be
informed of the date from which this member of
staff is to be denied access. A visitor log should be
kept to document access. The issuance of visitors’
passes should be considered. The job duties of
security staff should be designed specifically to
identify their tasks in support of other protective
measures, such as building security after business
hours, activation of the alarm system, and checking
of outside doors and windows.
Alarm System—an alarm system consists of a
number of local alarm devices (detectors) that
report to a control panel, which in turn
signals the alarm. If an alarm system covering
break-ins, fire, water, CO, and other gases is
installed and can be expanded, its coverage
should include, at a minimum, the IT core
areas (server rooms, data media archives,
and technical infrastructure rooms) as well
as public areas. This enables threats such
as fire, burglary, or theft to be detected
immediately so that countermeasures can be
taken. For that to happen, it is imperative
that the alarms be transmitted to a central
command center that is staffed 24/7/365 and
has the expertise, equipment, and personnel
required to respond. The organization's own
rules for connecting equipment to its
networks apply to the alarm system's
communication path as well.
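Whether an alarm ever reaches the staffed center depends on the communication path, and a cut or failed line is silent rather than alarming. The following Python snippet is an added example, not AACI's receiver software; it assumes each panel sends a periodic timer test on every path it has (the path names, supervision windows, account numbers and receiver log are constructed and illustrative) and classifies accounts by which paths are still reporting.

```python
"""Supervision of the alarm signalling path to the monitoring center.
Added example for this whitepaper; not AACI's receiver software.
Assumes each panel sends a periodic timer test on every path it has; the
path names, supervision windows, account numbers and receiver log are
constructed and illustrative."""
from datetime import datetime, timedelta

# How long a path may stay silent before it is treated as failed (assumed values).
SUPERVISION_WINDOW = {"pots": timedelta(hours=24), "cellular": timedelta(hours=6)}

# Constructed receiver log: (account, path, event, ISO timestamp).
SAMPLE_SIGNALS = [
    ("1001", "pots",     "test",  "2010-10-29T02:00:00"),
    ("1001", "cellular", "test",  "2010-10-29T09:00:00"),
    ("1002", "pots",     "test",  "2010-10-27T02:00:00"),  # primary silent for two days
    ("1002", "cellular", "test",  "2010-10-29T09:30:00"),
    ("1003", "pots",     "test",  "2010-10-26T02:00:00"),  # both paths silent
    ("1003", "cellular", "test",  "2010-10-26T09:00:00"),
    ("1004", "pots",     "alarm", "2010-10-29T08:00:00"),  # alarms arrive, tests never did
]
NOW = datetime(2010, 10, 29, 10, 0)   # time of the supervision run (constructed)


def last_test_per_path(signals):
    """Map (account, path) -> time of the most recent timer test on that path."""
    last = {}
    for account, path, event, ts in signals:
        if event != "test":
            continue
        t = datetime.fromisoformat(ts)
        key = (account, path)
        if key not in last or t > last[key]:
            last[key] = t
    return last


def supervise(signals, now):
    """Classify every account known to the receiver:
    'ok'                    primary path reported within its window
    'primary-path-failure'  only the backup path is alive: trouble ticket, check the line
    'no-communication'      nothing within any window: treat as a failure, not as quiet
    """
    last = last_test_per_path(signals)
    status = {}
    for account in sorted({s[0] for s in signals}):
        alive = {path: (account, path) in last and now - last[(account, path)] <= window
                 for path, window in SUPERVISION_WINDOW.items()}
        if alive["pots"]:
            status[account] = "ok"
        elif alive["cellular"]:
            status[account] = "primary-path-failure"
        else:
            status[account] = "no-communication"
    return status


if __name__ == "__main__":
    for account, state in supervise(SAMPLE_SIGNALS, NOW).items():
        print(account, state)
```

The point of the check is that a missing test signal is the only evidence the center will ever get of a cut telephone line, which is why the primary path must be supervised and a backup path (radio or cellular, as listed later in this paper) is worth having. An account in "no-communication" should be handled as a failure to investigate, not as "no news".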
Security of Windows and Doors—Windows
and outward-leading doors (e.g., balconies,
patios) should be closed and locked
whenever a room is unoccupied. Issue
instructions to close windows and outside
doors, consider adding barriers or security
films to the glass, and make regular checks
that occupants have closed windows and
doors after leaving the rooms.
The doors of unoccupied rooms should be
locked. This will prevent unauthorized
persons from obtaining access to
documents and IT equipment. It is
particularly important to lock individual
offices when located in areas accessible by
the public or where access cannot be
controlled by any other means. Staff should
be instructed to lock their offices when they
leave, and random checks should be made
to determine whether offices are locked
when their occupants leave.
In an open office, where cubicles dominate
and it is not possible to lock individual
offices, employees should lock away their
documents in their desks, and a secure
desktop workstation policy should be
implemented (additional information on
formulating this policy can be found later in
this section).
Unauthorized Admission to Rooms
Requiring Protection—If unauthorized
persons enter protected rooms, damage
may be caused by intentional and unintentional acts.
After an unauthorized intrusion, office routines may
be disrupted in order to search for damage, theft,
and unauthorized or missing hardware or software.
Intentional or unintentional damage to systems may
be caused by temporary help who are employed to
substitute for cleaning staff. Temporary help may
accidentally clean workstations and sensitive
equipment with solutions or by methods damaging
to hardware.
Identification of Secure Rooms—Secure rooms such
as the server room, computer center, data media
archives, and air conditioning unit should not be
identified on office locator boards or by name plates
affixed to the room door. Identifying these sensitive
areas enables a potential intruder to prepare more
specifically and thus have a greater chance of
success.
Location of Secure Rooms in
Unexposed Areas of Buildings—secure rooms should
not be located in areas exposed to view or potential
danger. They also should not be located on the first
floor of buildings that are open to view by passersby
or that are exposed to attack or vandalism. First-
floor rooms are more likely to be easily observed or
exposed to breaking and entering. Rooms or areas
requiring protection should be located in the center
of a building, rather than in its outer walls.
Inspection Rounds—the effectiveness of any
measure will always be commensurate to the
enforcement of that measure. Inspection rounds
offer the simplest means of monitoring the
implementation of measures and the observance of
requirements and instructions.
Inspection rounds should not be aimed at the
detection of offenders for the purpose of punishing
them. Rather, controls should be aimed primarily at
remedying perceived negligence at the earliest
possible moment, such as by closing windows or
taking documents into custody. As a secondary
objective, security breaches can be identified and
possibly avoided in the future. Inspection rounds
should also be made during office hours to inform
staff members about how and why pertinent
regulations are being applied. Thus, they will be
perceived by all persons concerned as a help rather
than a hindrance.
Proper Disposal of Sensitive Resources—Sensitive
information not properly disposed of may be the
source of valuable information for persons
seeking to do harm. An intruder,
competitor, or temporary staff can gain
valuable information in a low-tech manner
by simply going through trash for discarded
paperwork that might contain sensitive
information. At a minimum, shred all papers
and documentation containing sensitive
company information, network diagrams,
and systems data to prevent a security
breach by those who might seek
information by rummaging through trash.
Employees should be advised against
writing down user IDs or passwords.
In the case of functioning media, the data
should be overwritten with random
patterns. Note that overwriting is reliable
only for magnetic media: flash-based devices
(SSDs, USB sticks) remap blocks internally,
so an overwrite can leave the original data
in place; for those, use the drive's built-in
secure erase, cryptographic erasure of a
fully encrypted device, or physical
destruction. Nonfunctioning data media, such
as CDs, should be destroyed mechanically.
The recommended disposal of material
requiring protection should be detailed in a
specific directive and in training; adequate
disposal facilities should be provided. This
includes storage devices and media (i.e.,
floppy and hard disks, magnetic tapes, and
CDs/DVDs). If sensitive resources are
collected prior to their disposal, the
collected material must be kept under lock
and be protected against unauthorized
access.
Secure Desktop Workstations—the first line
of defense in physical security is to secure
desktop workstations. Effective training in
the organization’s policies and procedures
to secure desktop workstations should be a
significant part of network and information
security strategy because of the sensitive
information often stored on workstations
and their connections. Many security
problems can be avoided if the
workstations and network are appropriately
configured. Default hardware and software
configurations, however, are set by vendors
who tend to emphasize features and
functions more than security. Since vendors
are not aware of specific security needs,
new workstations must be configured to
reflect security requirements and
reconfigured as requirements change.
Remote Workstations—there is usually a
higher risk of theft at home because homes
are usually not protected to the same extent as the
workplace. Workstations at home are accessible to
family members and visitors who may intentionally
or unintentionally manipulate business-related data
on the workstation, if data is not properly protected.
Inadvertent or intentional manipulation affects the
confidentiality and integrity of the business-related
information, as well as the availability of data and IT
services on the workstation. Appropriate procedures
should be implemented to achieve a degree of
security comparable with that prevailing on office
premises.
Suitable Configuration of a Remote
Workplace—It is advisable to assign a secure room
for use as a workplace at home. Such a workplace
should at least be separated from the rest of the
premises by means of a door.
IT equipment intended for professional purposes
should be provided by the employer, and the use of
these services for private purposes should be
prevented by formal policies. Employees who work
at home should be questioned regularly or
periodically as to whether their workplace complies
with security and operational requirements.
Theft of a Mobile IT System—Laptop or mobile IT
systems create a greater risk of theft or damage.
Due to the inherent nature of a mobile system, it will
often be removed from the confines of a secure
office. Therefore, policies should be implemented to
safeguard mobile IT systems.
Suitable Storage of Business-Related Documents and
Data Media— Business-related documents and data
media at the home workstations must only be
accessible to the authorized employee, and when
they are not in use, they must be kept in a locked
location. A lockable desk, safe, or cabinet must be
available for this purpose. At a minimum, the lock
must be capable of withstanding attacks using tools
that are easy to create or purchase. The degree of
protection provided by the lock and container should
be appropriate to the security requirements of the
documents and data media kept inside.
In facilities and offices that operate as “Special
Facilities” or are otherwise high risk, there are
additional practices that should be reviewed in the
design and planning process.
Restrict Area Perimeter
Secure and monitor the perimeter of the facility.
Have Redundant Utilities
Critical facilities need two sources for
utilities, such as electricity, water, voice and
data. Trace electricity sources back to two
separate substations and water back to two
different main lines. Lines should be
underground and should come into
different areas of the building, with water
separate from other utilities. Use the
Facility's anticipated power usage as
leverage for getting the electric company to
accommodate the building's special needs.
Deter, Detect, and Delay
Deter, detect, and delay an attack, creating
sufficient time between detection of an
attack and the point at which the attack
becomes successful.
Pay Attention to Walls
Foot-thick concrete is a cheap and effective
barrier against the elements and explosive
devices. For extra security, use walls lined
with Kevlar.
Avoid Windows
Think warehouse and not an office building.
If you must have windows, limit them to the
break room or administrative area, and use
bomb-resistant laminated glass.
Use Landscaping for Protection
Trees, boulders and gulleys can hide the building
from passing cars, obscure security devices
(like fences), and also help keep vehicles
from getting too close. Oh, and they look
nice too.
Keep a 100-foot Buffer Zone Around the Site
Where landscaping does not protect the
building from vehicles, use crash-proof
barriers instead. Bollard planters are less
conspicuous and more attractive than other
devices.
Use Retractable Crash Barriers at Vehicle
Entry Points
Control access to the parking lot and
loading dock with a staffed guard station
that operates the retractable bollards. Use
a raised gate and a green light as visual cues
that the bollards are down and the driver can go
forward. In situations when extra security is needed,
have the barriers left up by default, and lowered
only when someone has permission to pass through.
Plan for Bomb Detection
For facilities that are especially sensitive or likely
targets, have guards use mirrors to check
underneath vehicles for explosives, or provide
portable bomb-sniffing devices. You can respond to
a raised threat by increasing the number of vehicles
you check, perhaps by checking employee vehicles
as well as visitors and delivery trucks.
Limit Entry Points
Control access to the building by establishing one
main entrance, plus another one for the loading
dock. This keeps costs down too.
Make Fire Doors Exit Only
For exits required by fire codes, install doors that
don't have handles on the outside. When any of
these doors is opened, a loud alarm should sound
and trigger a response from the security command
center.
Use Plenty of Cameras
Surveillance cameras should be installed around the
perimeter of the building, at all entrances and exits,
and at every access point throughout the building. A
combination of motion-detection devices, low-light
cameras, pan-tilt-zoom cameras and standard fixed
cameras is ideal. Footage should be digitally
recorded and stored offsite.
Protect the Building's Machinery
Keep the mechanical area of the building, which
houses environmental systems and uninterruptible
power supplies, strictly off limits. If generators are
outside, use concrete walls to secure the area. For
both areas, make sure all contractors and repair
crews are accompanied by an employee at all times.
Personnel Surety
Perform appropriate background checks on and
ensure appropriate credentials for facility personnel,
and, as appropriate, for unescorted visitors with
access to restricted areas or critical assets.
Plan for Secure Air Handling
Make sure the heating, ventilating and air-
conditioning systems can be set to
recirculate air rather than drawing in air
from the outside. This could help protect
people and equipment if there were some
kind of biological or chemical attack or
heavy smoke spreading from a nearby fire.
For added security, put devices in place to
monitor the air for chemical, biological or
radiological contaminants.
Ensure nothing can hide in the walls and
ceilings
In secure areas of the facility, make sure
internal walls run from the slab ceiling all
the way to subflooring where wiring is
typically housed. Also make sure drop-down
ceilings don't provide hidden access points.
Use Two-Factor Authentication
Pair the badge with a second factor (a PIN or a
biometric) so that a lost or copied card alone
does not open a door. Biometric
identification is becoming standard for
access control to sensitive areas of facilities,
with hand geometry or fingerprint scanners
usually considered less invasive than retinal
scanning. In other areas, you may be able to
get away with less-expensive access cards.
Harden the Core with Security Layers
Anyone entering the most secure part of
the facility will have been authenticated at
least three times, at successive layers:
At the outer door. Don't forget you'll need a
way for visitors to buzz the front desk (an IP
intercom works well for this).
At the inner door. This separates the visitor
area from the general employee area.
At the entrance to the "data" part of the
facility. Typically, this is the layer that has
the strictest "positive control," meaning no
piggybacking allowed. For implementation, you
have two options:
-A floor-to-ceiling turnstile
If someone tries to sneak in behind an
authenticated user, the door gently
revolves in the reverse direction. (In case of
a fire, the walls of the turnstile flatten to
allow quick egress.)
-A "mantrap"
Provides alternate access for equipment
and for persons with disabilities. This
consists of two separate doors with an
airlock in between. Only one door can be opened at
a time, and authentication is needed for both doors.
At the Door to an Individual Computer Processing
Room
This is for the room where actual servers,
mainframes or other critical IT equipment is located.
Provide access only on an as-needed basis, and
segment these rooms as much as possible in order to
control and track access.
Watch the Exits Too
Monitor entrance and exit—not only for the main
facility but for more sensitive areas of the facility as
well. It will help you keep track of who was where,
when, and it also helps with building evacuation if
there is a fire.
Prohibit Food in the Computer Rooms
Provide a common area where people can eat
without getting food on computer equipment.
Install Visitor Rest Rooms
Make sure to include rest rooms for use by visitors
and delivery people who don't have access to the
secure parts of the building.
Critical Infrastructure and Environmental
Monitoring
"Critical infrastructure" is defined by federal law as
"systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or
destruction of such systems and assets would have a
debilitating impact on security, national economic
security, national public health or safety, or any
combination of those matters."
American Alarm & Communications, Inc. provides
technology and services to monitor many key areas
of your operation.
Communication between your business alarm
system and our Monitoring Center is a critical part of
your protective system. Our Underwriters’
Laboratories (U.L.) Listed Monitoring Center is the
core of American Alarm’s sophisticated
communications operation. In the event of an alarm,
the CPU in your security system sends an alarm
signal to our monitoring facility through the phone
lines (800 numbers are not used, given their
unreliability). The signal is then retrieved by our
monitoring center, and our operators quickly notify
the appropriate authorities, as well as the designated
responder, of the emergency.
AACI Monitoring Capabilities
• Fire
• Hold-Up
• Intrusion
• Halon/Ansul
• Panic/Ambush
• Man Down
• Elevator Phones
• Off-Premises Video
• HVAC/Refrigeration
• Sprinkler/Tamper/Flow
• Power Loss/Low Battery
• Gas/Hazardous Chemicals
• Water Flow/Flood Alarms
• Environmental Devices
(CO2/CO/ETC.)
• Radio/Cellular Back-Up
Communications
Implementation
At American Alarm and Communications,
Inc., we utilize and integrate multiple
solutions to create a physical security
compliance and risk management solution
that can automate and enforce physical
security policies, from restricting the area
perimeter and securing site assets to
personnel surety and reporting of
significant security incidents. This helps to
ensure both governance and compliance
utilizing an organization’s existing physical
security and IT infrastructure.
We can centrally manage all regulations and
associated controls and automate
assessment, remediation and reporting as
per defined review cycles. Automatically
trigger compliance-based actions, such as
rule-based generation of actions/penalties, based on
physical access events.
Correlate alarms and identities to better manage
situations and responses across the security
infrastructure. Incorporate real-time monitoring and
detailed risk analysis tools to instantly enforce,
maintain and report on compliance initiatives.
Key External Technology
Entry Point
Facilities are generally designed with a central access
point that’s used to filter employees and visitors into
the facility.
All requests are vetted by a security guard with an
intercom link to ensure that they have a legitimate
reason for entering the premises.
Automatic Bollards
As an alternative to a guard-controlled gate,
automatic bollards can be used at entry points.
These short vertical posts pop out of the ground to
prevent unauthorized vehicles from driving onto the
site. When a vehicle’s occupants are verified by a
guard, an access card or other secure process, the
bollards are quickly lowered to allow the vehicle to
enter. When in the lowered position, the top of each
bollard is flush with the pavement or asphalt and
completely hidden. The bollards move quickly and
are designed to prevent more than one vehicle from
passing through at any one time.
Closed-Circuit TV / Surveillance
External video cameras, positioned in strategic
locations, including along perimeter fencing, provide
efficient and continuous visual surveillance. The
cameras can detect and follow the activities of
people in both authorized and “off limits” locations.
In the event someone performs an unauthorized
action or commits a crime, the digitally stored video
can supply valuable evidence to supervisors, law
enforcement officials and judicial authorities. For
added protection, the video should be stored off-site
on a digital video recorder (DVR).
Key Internal Technology
Lobby/Public Areas
With proper software and surveillance and
communications tools, a staffed reception desk, with
one or more security guards checking visitors’
credentials, creates an invaluable first line
of access control.
Surveillance
Like their external counterparts, internal
cameras provide constant surveillance and
offer documented proof of any observed
wrongdoing.
Biometric Screening
Once the stuff of science fiction and spy
movies, biometric identification now plays a
key role in premises security. Biometric
systems authenticate users on the basis of a
physical characteristic that is stable over
time, such as a fingerprint, hand or face
geometry, or retina or iris features. Unlike a
card or PIN, a biometric cannot be reissued if
its stored template is compromised, so the
template database and the readers need the
same protection as the rooms they guard.
Mantrap
Typically located at the gateway between
the lobby and the rest of the facility,
mantrap technology consists of two
interlocking doors positioned on either side
of an enclosed space. The first door must
close before the second one opens. In a
typical mantrap, the visitor needs to first
“badge-in” and then once inside must pass
a biometric screening in the form of an iris
scan.
Access Control List
Defined by the facility customer, an access
control list includes the names of
individuals who are authorized to enter the
facility environment. Anyone not on the list
will not be granted access to operational
areas.
Badges and Cards
Visually distinctive badges and identification
cards, combined with automated entry
points, ensure that only authorized people
can access specific facility areas. The most
common identification technologies are
magnetic stripe, proximity, barcode, smart
cards and various biometric devices. Magnetic
stripe, barcode and low-frequency proximity
cards can be copied with inexpensive
equipment, so for sensitive areas they should
be paired with a PIN or biometric, or replaced
by smart cards that authenticate the card
cryptographically rather than by a static ID.
Guard Staff
A well-trained staff that monitors site
facilities and security technologies is an
essential element in any access control plan.
Loading and Receiving
For full premises security, mantraps, card readers
and other access controls located in public-facing
facilities also need to be duplicated at the facility’s
loading docks and storage areas.
Operational Areas
The final line of physical protection falls in front of
the facility’s IT resources. Private cages and suites
need to be equipped with dedicated access control
systems while cabinets should have locking front and
rear doors for additional protection.
Humans are the weakest link in any security scheme.
Security professionals can do their best to protect
systems with layers of anti-malware, personal and
network firewalls, biometric login authentication,
and even data encryption, but give a good hacker (or
computer forensics expert) enough time with
physical access to the hardware, and there’s a good
chance they’ll break in. Thus, robust physical access
controls and policies are critical elements of any
comprehensive IT security strategy.
According to a report by the SANS Institute, “IT
security and physical security are no longer security
silos in the IT environment; they are and must be
considered one and the same or, as it should be
called, overall security.”
The innermost layer, physical entry to computer
rooms, is the one for which IT managers typically
have responsibility, and effective control over human
access there rests on a set of policies, procedures,
and enforcement mechanisms.
Policy Basics
Given their importance and ramifications on
employees, access policies must come from the top
leadership. After setting expectations and behavioral
ground rules, actual facility access policies have
several common elements. The most essential are
definitions of various access levels and procedures
for authenticating individuals in each group and their
associated privileges and responsibilities when in the
facility.
Step 1
Authorize, identify and authenticate individuals that
require physical access:
• Identify the roles that require both
regular as well as occasional physical
access and identify the individuals that
fill these roles.
• Provide standing authorization and a
permanent authenticator to individuals
that require regular access.
• Require individuals that require
occasional access to submit a request
that must be approved prior to access
being attempted or allowed.
• Authenticate individuals with regular
access requirements through the use of
their assigned permanent
authenticator.
• Authenticate individuals with
occasional access requirements
through the use of a personal
identification mechanism that includes
name, signature and photograph.
Step 2
Verify that work to be performed has been
pre-approved or meets emergency
response procedures:
• Verify against standard Change
Control procedures.
• Verify against standard
Maintenance procedures.
Step 3
Make use of logs to document the comings
and goings of people and equipment:
• Assign the responsibility for the
maintenance of an access log that
records personnel access. Record the
following:
• Date and time of entry.
• Name of accessing individual and
authentication mechanism.
• Name and title of authorizing
individual.
• Reason for access.
• Date and time of departure.
• Assign the responsibility for the
maintenance of a delivery and removal
log that records equipment that is
delivered to or removed from facilities; Record
the following:
• Date and time of delivery/removal.
• Name and type of equipment to be
delivered or removed.
• Name and employer of the individual
performing the delivery/removal and the
authentication mechanism used.
• Name and title of authorizing individual.
• Reason for delivery/removal.
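The three steps above fit together as one procedure: the decision to admit someone and the log record that the decision produces. The following Python module is an added example of that procedure, not AACI's or the Commonwealth's code; the roles, zones, names, badge numbers, ticket numbers and times are constructed.

```python
"""Physical access decision and log for the three steps above.
Added example for this whitepaper; not AACI's or the Commonwealth's code.
Roles, zones, names, badge and ticket numbers and times are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Step 1: roles with standing authorization, and the zones their permanent
# authenticator (the badge) opens. Constructed.
STANDING_ACCESS = {
    "server-admin": {"server-room"},
    "facilities-engineer": {"mechanical-room"},
}

@dataclass(frozen=True)
class Person:
    name: str
    role: str
    badge_id: Optional[str] = None   # permanent authenticator; None for occasional access

@dataclass(frozen=True)
class WorkApproval:
    """Step 2: an approved occasional-access request tied to a change or
    maintenance ticket and bounded in time."""
    ticket: str
    person: str
    zone: str
    start: datetime
    end: datetime
    approved_by: str
    status: str = "approved"

def authorize(person, zone, when, credential, approvals):
    """Return (granted, mechanism, authorizer, reason).
    credential is ("badge", id) for regular access or ("photo-id", name) otherwise."""
    if zone in STANDING_ACCESS.get(person.role, set()):
        if person.badge_id and credential == ("badge", person.badge_id):
            return True, f"badge:{person.badge_id}", "standing authorization", "routine"
        return False, "", "", "badge missing or does not match holder"
    if credential != ("photo-id", person.name):
        return False, "", "", "occasional access requires photo ID in the visitor's name"
    for a in approvals:
        if (a.person == person.name and a.zone == zone and a.status == "approved"
                and a.start <= when <= a.end):
            return True, "photo-id", a.approved_by, a.ticket
    return False, "", "", "no approved request covers this zone and time"

@dataclass
class AccessLog:
    """Step 3: personnel access log carrying the fields the policy requires."""
    entries: list = field(default_factory=list)

    def record_entry(self, person, zone, when, mechanism, authorizer, reason):
        self.entries.append({"entered": when, "name": person.name, "zone": zone,
                             "mechanism": mechanism, "authorizer": authorizer,
                             "reason": reason, "departed": None})

    def record_departure(self, name, when):
        for e in reversed(self.entries):          # latest open entry for this person
            if e["name"] == name and e["departed"] is None:
                e["departed"] = when
                return True
        return False                              # departure with no recorded entry

    def open_entries(self):
        """Entries without a departure; non-empty after hours is a finding in itself."""
        return [e for e in self.entries if e["departed"] is None]

def admit(log, person, zone, when, credential, approvals):
    granted, mechanism, authorizer, reason = authorize(person, zone, when, credential, approvals)
    if granted:
        log.record_entry(person, zone, when, mechanism, authorizer, reason)
    return granted, reason

# Constructed sample data for demo().
ADMIN = Person("Pat Lee", "server-admin", badge_id="B-0417")
VENDOR = Person("Chris Ray", "hvac-contractor")
APPROVALS = [WorkApproval("CHG-2041", "Chris Ray", "mechanical-room",
                          datetime(2010, 11, 2, 8, 0), datetime(2010, 11, 2, 12, 0), "J. Smith")]
T_MORNING = datetime(2010, 11, 2, 9, 30)
T_AFTERNOON = datetime(2010, 11, 2, 13, 0)

def demo():
    """Run a constructed day through the procedure; returns (decisions, log)."""
    log = AccessLog()
    decisions = [
        admit(log, ADMIN, "server-room", T_MORNING, ("badge", "B-0417"), APPROVALS),
        admit(log, ADMIN, "server-room", T_MORNING, ("badge", "B-9999"), APPROVALS),
        admit(log, VENDOR, "mechanical-room", T_MORNING, ("photo-id", "Chris Ray"), APPROVALS),
        admit(log, VENDOR, "server-room", T_MORNING, ("photo-id", "Chris Ray"), APPROVALS),
        admit(log, VENDOR, "mechanical-room", T_AFTERNOON, ("photo-id", "Chris Ray"), APPROVALS),
    ]
    log.record_departure("Pat Lee", T_AFTERNOON)
    return decisions, log
```

authorize() implements steps 1 and 2: a role with standing authorization is admitted on its permanent authenticator alone, while anyone else needs a photo ID in their own name plus an approved request tied to a ticket that covers both the zone and the time. Step 3 is AccessLog, which records every field the policy lists; record_departure() closes the entry, so entries still open at the end of the day are themselves something to look into.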
Non-Compliance
Violation of any of the constraints of these policies
or procedures should be considered a security
breach and depending on the nature of the violation,
various sanctions will be taken:
• A minor breach should result in written
reprimand.
• Multiple minor breaches or a major breach
should result in suspension.
• Multiple major breaches should result in
termination.
Although older facilities typically just consisted of a
large, un-partitioned raised-floor area, newer
enterprise facilities have taken a page from ISP
designs by dividing the space into various zones—for
example, a cage for high-availability servers, another
area for Tier 2 or 3 systems, a dedicated network
control room, and even separate areas for facilities
infrastructure such as PDUs and chillers. Such
partitioned facilities provide control points for
denying access to personnel with no responsibility
for equipment that’s in them.
Identification Procedures
The next step in a physical security policy is to set up
controls and identification procedures for
authenticating facility users and granting them
physical access. Although biometric scanners look
flashy in the movies and certainly provide an added
measure of security, a magnetic stripe badge reader
is still the most common entry technology, as it’s
simple, cheap, and effective and allows automated
logging, which is a necessary audit trail.
One problem with card readers of any kind is
their susceptibility to tailgating, or allowing
unauthorized personnel to trail a colleague through
an entryway. That’s why we advise supplementing
doors and locks with recorded video surveillance.
I also like to add a form of two-factor
authentication to entry points by coupling a
card reader (“something you have”) with a
PIN pad (“something you know”), which
reduces the risk from a lost or copied card. I
also recommend using time-stamped video
surveillance in conjunction with electronic
access logs and a sign-in sheet to provide a
paper trail.
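The card-plus-PIN pairing recommended above, with the lockout that makes a short PIN worth something and an anti-passback rule that turns a tailgated entry into a logged event, looks like this in a door controller. The following Python class is an added example for this paper, not AACI's code or any vendor's firmware; the card numbers, PINs, zone names, lockout threshold and times are constructed, and anti-passback is the example's addition rather than something the text proposes.

```python
"""Door controller logic for card + PIN, lockout and anti-passback.
Added example for this whitepaper; not AACI's code or any vendor's firmware.
Card numbers, PINs, zone names, thresholds and times are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta


def hash_pin(pin, salt):
    """Salted PBKDF2 so a copied controller database does not list PINs in clear.
    A 4-digit PIN still falls to an offline guess; the lockout limits online guessing."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class DoorController:
    def __init__(self, max_failures=3, lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self.cards = {}      # card_id -> {salt, pin_hash, holder, zones}
        self.failures = {}   # card_id -> (consecutive failures, time of last failure)
        self.inside = {}     # card_id -> zone currently occupied (anti-passback state)
        self.events = []     # (time, card_id, zone, "grant"/"deny", reason)

    def enroll(self, card_id, holder, pin, zones):
        salt = os.urandom(16)
        self.cards[card_id] = {"salt": salt, "pin_hash": hash_pin(pin, salt),
                               "holder": holder, "zones": set(zones)}

    def _log(self, when, card_id, zone, granted, reason):
        self.events.append((when, card_id, zone, "grant" if granted else "deny", reason))
        return granted, reason

    def request_entry(self, card_id, pin, zone, when):
        card = self.cards.get(card_id)
        if card is None:
            return self._log(when, card_id, zone, False, "unknown card")
        count, last = self.failures.get(card_id, (0, None))
        if count >= self.max_failures:
            if when - last < self.lockout:
                return self._log(when, card_id, zone, False, "locked out")
            count = 0                                   # lockout has expired
        # Second factor ("something you know"): constant-time compare of the salted hash.
        if not hmac.compare_digest(hash_pin(pin, card["salt"]), card["pin_hash"]):
            self.failures[card_id] = (count + 1, when)
            return self._log(when, card_id, zone, False, "wrong PIN")
        self.failures.pop(card_id, None)
        if zone not in card["zones"]:
            return self._log(when, card_id, zone, False, "not authorized for zone")
        # Anti-passback: a card the system believes is inside cannot enter again.
        # A tailgated entry (no badge read) or a card passed back shows up here.
        if card_id in self.inside:
            return self._log(when, card_id, zone, False, "anti-passback: no exit recorded")
        self.inside[card_id] = zone
        return self._log(when, card_id, zone, True, "ok")

    def request_exit(self, card_id, when):
        zone = self.inside.pop(card_id, None)
        if zone is None:   # exit with no matching entry: someone got in without badging
            return self._log(when, card_id, None, False, "exit without recorded entry")
        return self._log(when, card_id, zone, True, "exit")


def demo():
    """Constructed scenario; returns the (decision, reason) pairs in order."""
    dc = DoorController()
    dc.enroll("C100", "Pat Lee", "4821", ["server-room"])
    t0 = datetime(2010, 11, 2, 9, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    dc.request_entry("C999", "0000", "server-room", at(0))
    for bad in ("1111", "2222", "3333"):
        dc.request_entry("C100", bad, "server-room", at(1))
    dc.request_entry("C100", "4821", "server-room", at(2))      # correct PIN, still locked out
    dc.request_entry("C100", "4821", "server-room", at(20))     # lockout expired
    dc.request_entry("C100", "4821", "server-room", at(21))     # anti-passback
    dc.request_entry("C100", "4821", "mechanical-room", at(22))
    dc.request_exit("C100", at(30))
    dc.request_exit("C100", at(31))                             # no matching entry
    dc.request_entry("C100", "4821", "server-room", at(40))
    return [(decision, reason) for _, _, _, decision, reason in dc.events]
```

PINs are stored salted and hashed and compared in constant time, so a copied controller database does not give up the PINs directly, though a four-digit PIN will not survive an offline guess either; the online lockout is the real limit. Anti-passback denies a card that is already "inside" and flags an exit with no recorded entry, which is exactly the trace a tailgater leaves; the time-stamped video recommended above is then how you find out who it was.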
Access levels and controls, with
identification, monitoring, and logging, form
the foundation of an access policy, but two
other policy elements are just as critical:
standards of conduct inside the facility,
such as prohibitions on food and beverages
and on tampering with equipment one is not
authorized to touch, and limits and controls
on the admission of personal electronics
such as USB thumb drives, laptops,
smart-phones, or cameras.
Policies should also incorporate processes
for granting access or elevating restriction
levels, an exception process for unusual
situations, sanctions for policy violations,
and standards for reviewing and auditing
policy compliance. Stahl cautions that
penalties for noncompliance will vary from
company to company because they must
reflect each enterprise’s specific risk
tolerance, corporate culture, local
employment laws, and union contracts.
Physical Security Information
Management (PSIM)
The PSIM Platform enables the integration
and organization of any number and type of
security devices or systems and provides a
common set of services for analyzing and
managing the incoming information. It also
serves as the common services platform for
video and situation management
applications.
Effectively maintaining the security of critical
infrastructure does not happen by accident;
it means giving your security professionals
the best security and software tools available
today. By unifying your existing surveillance
system and providing spatial context to
your camera feeds, PSIM brings out the best of your
equipment.
To investigate day-to-day incidents, as well as to
prepare for emergency situations, the security
department makes use of a vast network of video
cameras, access control points, intercoms, fire and
other safety systems. PSIM unifies all of these
disparate feeds, including systems from diverse
manufacturers, into a single decision-oriented
Common Operating Picture. Within the PSIM
Platform are five key components:
Integration Services – Multiple strategies are used
for connection, communication with, and
management of installed devices and systems from
multiple vendors. The PSIM Platform offers complete
support for the industry’s most commonly-used
device types – out of the box. In addition, it employs
customizable “pipeline” architecture to receive
device events. This architecture exploits
commonalities among similar devices (including
format and protocol) and reduces the need for one-
off adaptations. Network connectivity is achieved
using combinations of multiple communications
protocols.
Geo-Location Engine – The Geo-Location Engine
provides spatial recognition for geo-location of
devices and supports situation mapping
functionality. The physical position of devices is
stored in an internal knowledge base as GIS/GPS
positions or building coordinates. The engine uses
this information to determine relevance and to
select and relate the devices involved in a given
situation. The system uses the same information to
overlay graphical representations of security assets
and activities onto Google-type maps or building layouts.
Routing Engine – The Routing Engine is an intelligent
switch that connects any security device to PSIM
command interfaces or output device(s) and
accommodates any required transformation of
formats and protocols between connected devices.
In most cases, devices connect directly to each other
and exchange data streams directly, avoiding
possible bottlenecks that would arise from routing
all traffic through a single centralized server. An
internal knowledge base of all connected devices
and their characteristics is maintained by the
Routing Engine, which uses that information to
ensure a viable communication path, compatibility
of signal format and acceptable quality of service.
Rules Engine – The PSIM Platform contains
a powerful Rules Engine that analyzes event
and policy information from multiple
sources to correlate events, make decisions
based upon event variables and initiate
activities. Pre-packaged or user written
rules define the events or event
combinations for identifying and resolving
situations in real time according to business
policies.
Dispatch Engine – The Dispatch Engine
integrates with communications
infrastructure to initiate external
applications or the transmission of
messages, data and commands. Dispatch
actions are automatically triggered by the
rules engine as it executes
recommendations for situation resolution.
Operators can manually initiate actions as
well. The system integrates and analyzes
information from disparate traditional
physical security devices including analog
and digital video.
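To make the Rules Engine and Dispatch Engine roles concrete, here is an added example (not the PSIM product's code) that correlates a constructed feed of badge-controller and door-contact events into situations and maps each situation to dispatch actions. The event format, the door name, the rule thresholds and the action names are all assumptions.

```python
# Added example (not the PSIM product's code): a minimal event-correlation
# engine in the spirit of the Rules and Dispatch Engines described above.
# Event format, rule thresholds and dispatch actions are all assumptions.
from collections import defaultdict

# Constructed feed of (ts, door, kind) tuples mixing badge-controller and
# door-contact events; ts is seconds since the start of the feed.
SAMPLE_EVENTS = [
    (100.0, "NOC-01", "ACCESS_GRANTED"),
    (101.5, "NOC-01", "DOOR_OPEN"),
    (104.0, "NOC-01", "DOOR_CLOSE"),
    (300.0, "NOC-01", "DOOR_OPEN"),      # no badge read first: forced door
    (302.0, "NOC-01", "DOOR_CLOSE"),
    (500.0, "NOC-01", "ACCESS_GRANTED"),
    (501.0, "NOC-01", "DOOR_OPEN"),
    (545.0, "NOC-01", "DOOR_CLOSE"),     # held open 44 s: propped door
    (700.0, "NOC-01", "ACCESS_DENIED"),
    (705.0, "NOC-01", "ACCESS_DENIED"),
    (712.0, "NOC-01", "ACCESS_DENIED"),  # third denial inside 60 s
]

GRANT_WINDOW = 5.0    # a badge read "explains" a door opening this long
PROP_LIMIT = 30.0     # a door open longer than this counts as propped
DENIED_LIMIT = 3      # this many denials within DENIED_WINDOW is a situation
DENIED_WINDOW = 60.0

# Situation -> actions the Dispatch Engine would fire (assumed names).
DISPATCH = {
    "DOOR_FORCED": ["pull_camera", "notify_operator", "page_guard"],
    "DOOR_PROPPED": ["pull_camera", "notify_operator"],
    "REPEATED_DENIAL": ["pull_camera", "notify_operator"],
}


def correlate(events):
    """Return (situation, door, ts) tuples found in the feed, in order."""
    situations = []
    last_grant = {}   # door -> ts of the latest ACCESS_GRANTED
    opened_at = {}    # door -> ts of a DOOR_OPEN not yet closed
    denials = defaultdict(list)
    for ts, door, kind in sorted(events):
        if kind == "ACCESS_GRANTED":
            last_grant[door] = ts
        elif kind == "DOOR_OPEN":
            opened_at[door] = ts
            grant = last_grant.get(door)
            if grant is None or ts - grant > GRANT_WINDOW:
                situations.append(("DOOR_FORCED", door, ts))
        elif kind == "DOOR_CLOSE":
            start = opened_at.pop(door, None)
            if start is not None and ts - start > PROP_LIMIT:
                situations.append(("DOOR_PROPPED", door, start))
        elif kind == "ACCESS_DENIED":
            recent = [t for t in denials[door] if ts - t <= DENIED_WINDOW]
            recent.append(ts)
            denials[door] = recent
            if len(recent) == DENIED_LIMIT:
                situations.append(("REPEATED_DENIAL", door, ts))
    return situations


def dispatch(situations):
    """Attach the dispatch actions to each correlated situation."""
    return [(sit, door, ts, DISPATCH[sit]) for sit, door, ts in situations]
```

A door that is still open when the feed ends is not reported here; a real engine would run the propped-door check on a timer rather than only on the close event.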
The key benefit of today’s technology is that
it allows system users to do more with less,
getting maximum benefit by integrating each
system (both new and old) with the goals of
company policies and procedures like never
before.
In Summary
American Alarm and Communications, Inc.,
is in a unique position to improve personal
protection of key individuals as a
Massachusetts based Underwriters
Laboratories (UL) Listed, and United States
Federal Government (DOD) recognized 24-
hour Security Command Center and Central
Station. Every day we manage a full range
of security, communication and escalation
procedures specifically designed for our key
customers. Our founders, three engineers
from the Massachusetts Institute of
Technology (MIT), have worked to bring the
benefits of new technology and solutions to
our customers. Though we have grown over
the years, our mission has remained the
same: to provide the best possible security
technologies across Massachusetts.
Key Services and Capabilities
• Physical Security Site Surveys
• Physical Security Information Management
(PSIM)
• Privacy Protecting Camera Systems (PPCS)
• Design, Engineering and Consulting
• Installation, Maintenance and Monitoring of
Fire & Life Safety Solutions
• Integrated Access Control, Intrusion Detection
and Surveillance Solutions
• Emergency Communications with Wired and
Wireless and Networks
• Burglar, Fire Alarm Monitoring (In Our Own
Massachusetts UL Listed & DOD Certified
Central Station)
In our experience, working with management, facility
and security professionals within the
Commonwealth has been rewarding. Compliance with
this policy has been the goal for most departments,
and as the new budget year begins we look forward
to continuing our work to further compliance and
to improve the physical security technologies and
monitoring that implement measures to protect
personnel, equipment, property and the network
against anticipated threats.
It’s time to get physical—as in physically protecting
all facilities and all of their assets. Yet physical
security is often placed on the back burner, largely
forgotten about until an unauthorized party
manages to break into or sneak onto a site and
steals or vandalizes systems.
Today’s security systems include:
• Intrusion and Monitoring Systems
• Access Control Systems
• Visitor Management Systems
• Surveillance Systems
• Emergency Communications Systems
• Physical Security Information Management
(PSIM) Software Platforms
Our commitment to supporting the terms of the
contract is best stated by our President Wells
Sampson: “We continue to serve the unique needs of
public clients, and our track record of strong service
was one of the reasons the Commonwealth
expressed continuing confidence in our company and
approved our program for another three years.”
As a manager, you have the responsibility to support
this physical and environmental security policy
implementation throughout your respective
departments and/or Agencies by creating a
culture that embraces, reinforces and
demands security best practices that are
consistent with the policy and the facility.
Within this culture is the need to
understand the human variable. This
encompasses anyone who interfaces with
operations, including managers, facility
operators, maintenance personnel, other
employees, customers, delivery people,
clients and visitors.
The human element affects everything with
regard to security and reliability. How it is
addressed may depend on external factors
such as the law, collective bargaining
guidelines and even prudent management
practices. Within each Agency or
Department, responsibility assignments for
policy compliance should be defined.
Therefore, all policies and procedures must
take into account the human variable. Best
practices require that physical security be
treated as a fundamental value.
FAC64 State Contract
The FAC64 contract gives you a way to
acquire all the tools necessary for your
department or Agency, all with a three-year
warranty on parts and labor.
Countermeasures are constantly improving
and changing and can be used to counter
multiple risks beyond the scope of this
discussion. The need for these solutions
goes back to a time before the Roman
Empire. The tools evolve but the needs
remain the same.
All departments and agencies are subject to
security & fraud risks and need to complete
a physical security/fraud risk assessment for
their agency on a periodic basis.
Contact Information
James E. McDonald
Integrated Systems Consultant
Government Contracts Team
American Alarm and Communications, Inc.
489 Washington Street
Auburn, Massachusetts 01501
Direct Phone: (508) 453-2731
Direct Fax: (781) 645-7537
Email: [email protected]
Links:
American Alarm Website: www.AmericanAlarm.com
Blog: www.SecurityTalkingPoints.com
Twitter: www.Twitter.com/physectech
Bio: http://www.linkedin.com/in/physicalsecuritytechnologist
Site Survey Request: http://fs2.formsite.com/physectech/form1/index.html
Association Memberships: ASIS International, ASIS
Boston, International Association for Healthcare
Security and Safety, IAHSS Boston, Association of
Certified Fraud Examiners (ACFE)
Appendix A: Understanding Physical Access Control Solutions
Each solution is listed with its Strengths, Weaknesses and Comments, following the columns of the original table.

KEYS
Strengths: • Most traditional form of access control • Easy to use • Don’t require power for operation
Weaknesses: • Impossible to track if they are lost or stolen, which leaves the facility vulnerable • Potential for unauthorized sharing of keys • Difficult to audit their use during incident investigations • Difficult to manage on large campuses with multiple doors • Re-coring doors when a key is lost or stolen is expensive
Comments: • Several solutions are currently available on the market to manage keys and keep key holders accountable.

LOCKS – Maglock
Strengths: • Easy installation • Economical • Easy retrofit • Quiet operation
Weaknesses: • Power always on (fail-safe) • Typically requires exit device to break circuit • Requires backup power supply for 24-hour service
Comments: • DC only • Comes in different “pull” strengths • Check extra features, such as built-in door sensor

LOCKS – Electric Strike
Strengths: • Can be either fail-secure or fail-safe • Does not need constant power • Door knob overrides for safe exit
Weaknesses: • Door/lock hardware experience needed
Comments: • Requires more door hardware experience than Maglock • Specify for life-safety requirements • Can be both AC and DC (DC lasts longer) • Fail-safe must have power backup • Fail-secure most popular

ACCESS CARDS – Magnetic Stripe
Strengths: • Access rights can be denied without the expense of re-coring a door and issuing a new key • Can limit access to a building to certain times of the day • Systems can provide audit trails for incident investigations • Inexpensive to issue or replace
Weaknesses: • Prone to piggybacking/tailgating (when more than one individual enters a secure area using one access card, or an unauthorized person follows an authorized person into a secure area) • Users can share cards with unauthorized persons • Cards can be stolen and used by unauthorized individuals • Systems are more expensive to install than traditional locks • Require power to operate • Not as secure as proximity cards or smart cards • Can be duplicated with relative ease • Subject to wear and tear
Comments: • Can incorporate a photo ID component • Can be used for both physical and logical access control • Card readers should have battery backup in the event of power failure • Tailgate detection products, video surveillance, analytics and security officers can address tailgating issues • Can integrate with video surveillance, intercoms and intrusion detection systems for enhanced security • These are the most commonly used access control cards by US campuses and facilities

ACCESS CARDS – Proximity
Strengths: • Durable • Convenient • More difficult to compromise than magstripe cards • Less wear and tear issues
Weaknesses: • Cost more than magstripe cards • Easier to compromise than smart cards
Comments: • Are widely used for access control (although not as widely as magstripe)

ACCESS CARDS – Smart Card
Strengths: • Multiple application functionality (access, cashless vending, library cards, events) • Enhanced security through encryption and mutual authentication • Less wear and tear issues
Weaknesses: • Currently the most expensive card access option on the market
Comments: • Not as widely adopted as magstripe or proximity cards due to cost • Widely adopted in Europe • Can incorporate biometric and additional data such as Photo and ATM

PIN NUMBERS (Pass codes)
Strengths: • Easy to issue and change • Inexpensive
Weaknesses: • Can be forgotten • Difficult to manage when there are many passwords for different systems • Can be given to unauthorized users • Prone to tailgating/piggybacking
Comments: • Should be changed frequently to ensure security • Often used in conjunction with other access control solutions, such as cards or biometrics

DOOR ALARMS
Strengths: • Provide door intrusion, door forced and propped door detection • Reduce false alarms caused by unintentional door propping • Encourage staff and students to maintain access control procedures
Weaknesses: • Will not reach hearing impaired without modifications • Will not detect tailgaters • Door bounce can cause false alarms
Comments: • Appropriate for any monitored door application, such as emergency exits • Used in conjunction with other access control solutions, such as card readers or keys • Can be integrated with video surveillance for enhanced security

TAILGATE/PIGGYBACK DETECTORS
Strengths: • Monitor the entry point into secure areas • Detect tailgate violations (allow only one person to enter) • Detect when a door is propped • Mount on the door frame • Easy to install
Weaknesses: • Not intended for large utility cart and equipment passage (which could cause the system to go into false alarm) • Not for outdoor use
Comments: • Appropriate for any monitored door application where a higher degree of security is needed, such as facilities, research laboratories, etc. • Used in conjunction with other access control solutions, such as card readers • Can be integrated with video surveillance for enhanced security

PUSH BUTTON CONTROLS
Strengths: • Many button options available • Normally-open/normally-closed momentary contacts provide fail-safe manual override • Time delay may be field adjusted for 1-60 seconds
Weaknesses: • Anyone can press the release button (unless using a keyed button), so the button must be positioned in a secure location (for access control, not for life-safety) • Some can be defeated easily • Can open door to stranger when approaching from inside
Comments: • Used to release door and shunt alarm • Used for emergency exits when configured to fail-safe • May be used in conjunction with request to exit (REX) for door alarms and life safety • Still may require mechanical device exit button to meet life-safety code • With REX, careful positioning and selection required

MULTI-ZONE ANNUNCIATORS
Strengths: • Display the status of doors and/or windows throughout a monitored facility • Alert security when a door intrusion occurs • Many options available: zone shunt, zone relay and zone supervision
Weaknesses: • 12 VDC only (24 VDC option by special order) • Door bounce can cause false alarms • Requires battery backup in case of power failure
Comments: • Designed to monitor multiple doors from a single location • May be used in conjunction with door alarms, tailgate detection systems and optical turnstiles • No annunciation at the door; only at the monitoring station

FULL HEIGHT TURNSTILES
Strengths: • Provides a physical barrier at the entry location • Easy assembly • Easy maintenance • Available in aluminum and galvanized steel
Weaknesses: • Physical design ensures to a reasonable degree that only one authorized person will enter, but it will not detect tailgaters
Comments: • Designed for indoor/outdoor applications • Used in parking lots, football fields and along fence lines • Use with a conventional access control device like a card reader

OPTICAL TURNSTILES
Strengths: • Appropriate for areas with a lot of pedestrian traffic • Detects tailgating • Aesthetically pleasing and can be integrated into architectural designs • Doesn’t require separate emergency exit • Provides good visual and audible cues to users
Weaknesses: • Can be climbed over • Not for outdoor use
Comments: • Used in building lobby and elevator corridor applications • Use with a conventional access control device like a card reader • To ensure compliance, deploy security officers and video surveillance

BARRIER ARM TURNSTILES (Glass gate or metal arms)
Strengths: • Appropriate for areas with a lot of pedestrian traffic • Provides a visual and psychological barrier while communicating to pedestrians that authorization is required to gain access • Detects tailgating • Reliable
Weaknesses: • Units with metal-type arms can be climbed over or under • Not for outdoor use • Most expensive of the turnstile options • Requires battery backup in case of power failure
Comments: • Used in building lobby and elevator corridor applications • Use with a conventional access control device like a card reader • To ensure compliance, deploy security officers and video surveillance • Battery backup is recommended

BIOMETRICS
Strengths: • Difficult to replicate identity because they rely on unique physical attributes of a person (fingerprint, hand, face or retina) • Users can’t forget, lose or have stolen their biometric codes • Reduces need for password and card management
Weaknesses: • Generally much more expensive than locks or card access solutions • If biometric data is compromised, the issue is very difficult to address
Comments: • Except for hand geometry, facial and finger solutions, biometric technology is often appropriate for high-risk areas requiring enhanced security

INTERCOMS
Strengths: • Allow personnel to communicate with and identify visitors before allowing them to enter a facility • Can be used for emergency and non-emergency communications • IP solutions today offer powerful communications and backup systems with integration
Weaknesses: • Will not reach hearing impaired without modifications • Not appropriate for entrances requiring throughput of many people in a small amount of time
Comments: • Appropriate for visitor management, after-hours visits, loading docks, stairwells, etc. • Use with conventional access control solutions, such as keys or access cards • Video surveillance solutions can provide visual verification of a visitor