Physical Security Assessment

Basic Concepts of a Physical Security Assessment
Daniel R. Finger, MPA, CPP, CHPA
Physical Security Specialist

Why Do Assessments?
  • Joint Commission
  • OSHA
  • Health Departments
  • Medicare/Medicaid
  • Other Regulatory Agencies
  • Moral/Ethical Responsibility

Why Do Assessments? (Cont.)
  • Due Diligence
  • Reasonable Expectations to Avoid Harm to People or Property
  • Protection of Employees, Visitors, and Patients
  • Protection of Company Assets
  • Business Reputation

Three Requirements for a Security Issue
  • Opportunity
  • Motive
  • Means

Definition: Risk Assessment
  Process of identifying internal and external threats and vulnerabilities, identifying the likelihood of the event, defining the critical functions necessary to continue an organization’s operations, defining the controls in place to reduce exposure and evaluate the costs.*

  * ASIS Business Continuity Guideline 2004

Evaluation
  • Physical (Tangible Property)
  • Cyber (Electronic)
  • Human (Functions of People)

Protection
  • Deter Threat
  • Mitigate Vulnerabilities
  • Minimize Consequences

Risk Management Framework
  • Establish Security Goals
  • Identify Assets, Systems, Networks, Functions
  • Assess Risk, Threats, Vulnerabilities, Consequences
  • Prioritize
  • Implement Proactive Programs
  • Measure Effectiveness (If Possible)
  • Modify Program if Necessary

Common Oversights of Security Directors
  • Having Guard Services Without Knowledge of How the Company Works (Ex. Cheap vs. Effective)
  • Prioritizing Appearance Over Effectiveness
  • Failure to Secure All Perimeter Doors
  • Allowing Administration to be Lax on Rules
  • Neglecting to Learn New Technologies
  • Failing to Lock and Secure Critical Rooms
  • Overdoing (Going to an Extreme)

Major Categories
  • Operations (Day to Day): Local Facility or Event Driven
  • Operations Planning: National/Local for Potential Events
  • Administrative Issues: Oversight/Compliance/Legal

Potential Pitfalls
  • Funding (Lack Thereof)
  • Erosion of Security Role
  • Standards Proliferation
  • Changing Litigation Landscape

Security Master Plan
  • Linking the Security Department’s Mission into the Mission and Vision of the Organization
  • No Link = Disconnect, Confusion, and Unfocused Objective

Joint Commission Security Standards
  • It is Essential that an Organization Manages the Physical and Personal Security of Individuals and Staff (including the potential for violence coming to the organization’s buildings)
  • Security of the Established Environment, Equipment, Supplies, and Information is Important

Identification of Practices
  • Addressing Security Issues Concerning Patients, Visitors, Staff, and Property
  • Reporting and Investigating All Security Incidents Involving Patients, Visitors, Staff, and Property
  • Identifying Patients, Visitors, and Staff
  • Controlling Access to Sensitive Areas as Determined by the Organization

Performance Elements
  • Written Management Plan
  • Describe Process Procedures
  • Identification of an Individual to Coordinate Development, Implementation, and Monitoring of Security Management Activities
  • Conducting Proactive Risk Assessments to Evaluate Potential or Real Adverse Impacts on Business Continuity

Performance Elements (Cont.)
  • Identification of Anyone Entering the Organization’s Facilities
  • Actions to be Followed in the Event of a Security Incident
  • Identification and Implementation of Procedures that Address Infant or Pediatric Abduction

Performance Elements (Cont.)
  • Select and Implement Procedures and Controls to Lower Potential Impact on Business Continuity
  • Control of Access and Egress from Designated, Sensitive Areas
  • Security Procedures Addressing VIPs
  • Control of Vehicles and Emergency Care Areas

Security Management Program
  Evaluating, Prioritizing, and Having a Written Response Plan so that a Multitude of People Within Your Company Know How to Respond to an Unplanned Occurrence or Emergency

Physical Survey
  • Physical
      • Lighting and Access Control
      • CCTV and Security Alarms, Fencing, Etc.
  • Infrastructure
      • Power, Gas, Water, Communications, Back Up Services
  • CPTED (Crime Prevention Through Environmental Design)
      • Natural Surveillance
      • Natural Access
      • Territorial Reinforcements

Physical Security Examples
  • Access Control
      • Electronic
      • Visual Observation
      • Locks/Keys
      • Restricted Keyways
      • Management Plan
  • Lighting
      • Adequate Illumination
      • Unobstructed
      • Maximum Performance
  • Fencing
      • Adequate for Purpose
      • Properly Maintained
  • Alarms
      • Intrusion, Panic, Detection

Physical Security Examples (Cont.)
  • Parking
      • Well Designed Lots
      • Lighting
      • Signage
      • Access Control
      • Lot Designation
  • Employee Screening
      • Criminal Background Check
      • Drug
      • Financial
      • Driver’s License

Physical Security Examples (Cont.)
  • Barriers/Bollards
      • Parking Proximity to Building
      • Prevention of Wayward Vehicles
  • Security
      • Proprietary
      • Contract
      • Hybrid
      • Law Enforcement
  • Patrol Procedures
  • Crime Analysis of Area

Infrastructure
  • Underlying Foundation or Basic Framework of a System or Organization*
  • Vulnerability or Redundant Control of…
      • Water
      • Gas
      • Electric
      • Sewer
      • Communications
      • Building Security
      • Power Plant

  * Merriam Webster Collegiate Dictionary

CPTED
  • The Concept is Applied at the Design Level, with Architects or Designers Considering and Evaluating Security Concerns Prior to Construction
  • Defensible Space: A range of mechanisms, real and symbolic barriers, strongly defined areas of influence, and improved areas of surveillance that combine to bring the environment under control
  • Threats: Real or Perceived
  • Perception is Reality

CPTED Actors
  • Target Hardening: Crime Targets Physically Difficult to Penetrate
  • Normal Users: Persons You Desire to be in a Certain Place
  • Abnormal Users: People You Do Not Desire to be in the Place
  • Observers: Persons Who Have to be in that Area to Observe the Human Function

Key CPTED Concepts
  • Natural Surveillance: Areas Where People and Activity Can Be Readily Observed
  • Natural Access Control: Controlling Access to a Site
  • Territorial Behavior: People Develop a Strong Sense of Ownership

CPTED Benefits
  • Reduction of Crime
  • Perceived Greater Safety and Security
  • Improved Quality of Life
  • Examples Using Landscaping:
      • 2’ 6’ Rule
      • Hostile Vegetation
      • Lights Above Tree Canopy
      • Line of Sight
      • Overgrown or Improperly Maintained Landscaping

Traffic Calming
  • Physical Measures that Reduce the Effects of Motor Vehicle Use and Improve Conditions for Non-Motorized Street Users
  • Examples: Speed Bumps, Curved Roads, Islands, Chokers, Median Barriers

Fencing
  • Add Security
  • Delineate Property
  • Offer Privacy
  • Create Barriers
  • Provide Character for Area
  • Must Be Properly Maintained to be Effective

Lighting
  • Two Purposes
      • Illumination of Human Activity
      • Used for Security
  • Quality is as Important as Quantity
  • Uniformity is the Key

Lighting (Cont.)
  • Different Styles of Lights to Adapt to Particular Usage (Example: Mercury Vapor, High/Low Pressure Sodium)
  • Timers or Manual Change at Daylight Savings
  • Properly Maintained

Summary
  • The Key to CPTED is in the DESIGN phase, where potential problems are thought out ahead of time.
  • Assessments are a composite of many security and risk management concepts that must be integrated into a total picture and not applied piecemeal.

“There are risks and costs to a program of action. But they are far less than the long range risks and costs of comfortable inaction.” - John F. Kennedy

KRAA Security Services
  • Managed Services
      • Firewalls
      • Intrusion Detection
      • Email Security
      • Network Defense
      • Vulnerability Management
      • Malware / Spyware
      • Host Intrusion
      • Antivirus
  • Assessment Services
      • Risk Assessment
      • Policy Development
      • Vulnerability Scanning
      • PCI
      • HIPAA
      • Website Testing
      • Security Architecture
      • Email Encryption
      • Online Training

KRAA Security Information Services
  Security End to End + Multi-Layer = Complete
  (Diagram, flattened: a Firewall between Public Internet Access and Remote Sites / Main Site, with Workstations, Application Servers, Web Servers, Database Servers and Email Servers behind it, and the following defense layers.)
  • Vulnerability Defense: Internal/External Scanning, Remote Assessment, Website Monitoring, Phishing & Pharming
  • Intrusion Defense: Firewall, Intrusion Prevention, Intrusion Detection
  • Network Defense: Web Browsing AV, Managed VPN/WAN, Network Availability, Hosting, Web Content Filtering, Remote VPN, Identity Tokens
  • User Defense: eSecurity Training
  • Email Defense: Anti Virus, SPAM Filtering, Content Filtering, Encrypted Email, Email Archiving, Hosted Email
  • System Defense: Anti Virus, HIDS/HIPS, Log Management, Policy Compliance, Remote Backup & Recovery, Patch Management

Dan Finger
Contact: [email_address]
