Deadly terrorist attacks on buildings have highlighted the need of a well-designedand well implemented physical security programme What constitutes a well-designed physical security programme? Deadly terrorist attacks on buildings such as the San Bernardino Administrative Centre, Riverside Countyin California., have highlight the need of a well-designed and well implemented physical security programme. S.Steven Oplinger, Chair of the ASIS Physical Security Council, outlines 5 basic principles for any effective security plan that should be executed by all security stakeholders including building owners, construction managers, security integrators and security supervisors. Terrorist attack on the San Bernardio Administrative Center in California Since the 2nd December terrorist attack on the San Bernardino center in which 14 people were killed, uniformed private security officers are now inspecting visitors’ purses, briefcases, bags and containers at the facility’s main entrance. In addition, a small public entrance has now become an employee-only entrance. Security officers will check employee IDs at that door. The moves have required Riverside County to hire additional security guards.Other public entrances have been locked or converted to card-access for employees and other authorised personnel. Prior to the attack, the physical security programme protecting the centre included security officers, cameras, card-access controlled doors and protective glass in front of service counters. It was a good system, but not good enough to protect against a completely unexpected onslaught by terrorists armed with semi-automatic weapons and pipe bombs. One of the security lessons that can be drawn from this tragedy is the importance of a well-designed and implemented physical security programme. Five basics of physical security According to S. Steven Oplinger, Chair of the ASIS Physical Security Council, there are five basics that practitioners must learn and master: Communicating clearly about physical security Assessing existing security programmes and analysing needs for new programmes Maximising security value and protecting security system investments Understanding the basics of the networks and infrastructure that support security technology Identifying and communicating the returns available from security investments Oplinger recommends designing security programmes by working through these basics on paper. “If you make sure it works on paper first, you won’t have nearly as many expensive problems to solve when you install it in the field,” he says. With the explosion of security technology needs, most large security systems today operate on their own network independent of IT, sending video, access control requests and alarm signals to a security command centre where officers monitor building security 1. Clear communications “Start off by establishing a language with stakeholders by defining terms,” says Oplinger, who is also a system design executive with Fort Meyers, Florida.-based Integrated Fire and Security Solutions. Stakeholders include owners, construction managers, security integrators, finance people, security supervisors, officers and others with an interest in a facility’s physical security. “We often talk about the same things but use different terms,” continues Oplinger. “It can be confusing when you refer to a video surveillance system and someone else says closed circuit TV (CCTV). These are two different things. Which term describes what you have?” Oplinger offers other examples. How do you define video recording systems and digital video recorders, he asks? What’s a server farm? What’s the cloud? 2. Assess your security Programme: What do you need? Once the stakeholders are communicating clearly, the discussion can turn to an analysis of security needs or an assessment of an existing programme. Why is security important to this facility? What are the risks and vulnerabilities? How do you mitigate risks and mitigate vulnerabilities? Focus on what you need at specific locations, continues Oplinger. “What do you need to do at this door?” he asks. “Do you need access control? A camera? An intrusion alarm? A combination of all three? Do enough to accomplish what you want and then stop. Don’t throw bells and whistles at anything. Bells and whistles only raise costs.” 3. Maximise the value of security investments Next, review each piece of the security program laid out in step two. “Define every single device,” Oplinger says. “What is its purpose? If you can’t clearly define its purpose, the device has no value and would be a wasted investment. Get rid of it. “What is the purpose of the camera you specified at this door? How will it add to security? If you can’t answer these questions, you probably don’t need the device.” 4. Learn the basics of security networks and infrastructure When security first logged on to company IT networks a number of years ago, a tug-of-war broke out over bandwidth between the IT and security departments. With card-access control, owners no longer have to change the locks when someone loses a key. When an employee loses an access card, you simply turn off the lost card and issue a new one with different permission codes With the explosion of security technology needs, most large security systems today operate on their own network independent of IT, sending video, access control requests and alarm signals to a security command centre where officers monitor building security. “More and more, the signals ride through the building to a server farm somewhere or up to a cloud,” Oplinger says. “You don’t need to learn how to wire and repair the technology, but you do have to match up the equipment you buy with existing in-house equipment. Moreover, if you are working with a cloud service, you have to match up your technology with the cloud’s technology.” 5. Identify and communicate return on investment Today’s security directors must justify security budgets for chief financial officers (CFOs). “I’ve seen instances where the security director puts together a great plan, and the CEO says yes, but the CFO says no,” Oplinger warns. “You have to explain to the CFO how your system will save money,” he continues. “Perhaps you can reduce the number of security officers you need.” Some service, manufacturing and other labour-intensive businesses function more efficiently when security cameras appear. “The best example of this that I have occurred years ago,” Oplinger says. “We tested a four-camera system in a restaurant for a prospective client. We watched the video, looking for an employee doing a good deed, and we found a young waiter helping an elderly couple maneuver through the restaurant. “The owner phoned the store, asked to speak to the waiter and complimented him on his excellent work. Suddenly everyone working in the restaurant realised they were being watched. Thirty percent of the staff quit the next day. “The owner found that he didn’t have to replace anyone. The restaurant operated just fine without the 30% of staff that weren’t doing any work.” Oplinger observes that security cameras can show ROI pretty easily. ROI for access control shows up in savings on hardware and labour. With card-access control, owners no longer have to change the locks when someone loses a key. When an employee loses an access card, you simply turn off the lost card and issue a new one with different permission codes. Alarm systems justify themselves by alarming when a door or window opens without authorisation. As long as you’ve tailored the system to limit false alarms, there is no quarreling about the value of being able to respond to an unauthorised intruder. In summary, a well-designed security programme requires speaking a common language. Security personnel and interested stakeholders continually assess the existing programme and analyse needs for new features. The programme pursues strategies designed to maximise security value and protect investments in security. And, finally, it aims to produce a return on investment at every opportunity.