Your SlideShare is downloading. ×
An AACI White Paper       Auburn Regional Office                                                              489 Washingt...
Executive Summary Contents                                            Physical Security Technology today is all about the ...
or organization that connects to the            protection, alarm monitoring and related securityCommonwealth’s wide area ...
implementing strong internal controls, the      person reconciling his/her behavior (stealing) withCommonwealth can remove...
Compliance Consulting Process                        4.   Prioritize. We have found that it is notOur countermeasures toda...
Sector-Specific Agencies (SSAs) for each of     contribute the most to risk mitigation by loweringthe sectors.            ...
o   Helping to ensure that agency access        3.       Visitor control: Agencies must develop    points (entrances/exits...
•   Secure installation and maintenance of          prior to sending the equipment off-site for any    Network cabling tha...
From the moment an individual arrives on        compliance with department policies andthe grounds and walks through the d...
of the system and their ability to wreak       sensitive information. Intruders act like     havoc on a network. The threa...
situation. Protect doors or windows by           systems. When implementing policies for entry     adding security shutter...
expanded, surveillance provided by this          may be caused by intentional and unintentional acts.system should include...
source of valuable information for persons     are usually not protected to the same extent as theseeking to do harm. An i...
Have Redundant Utilities                           that the bollards are down and the driver can goJMaac10 centers need tw...
Plan for Secure Air Handling                       airlock in between. Only one door can be opened atMake sure the heating...
authorities, as well as the designated          rule-based generation of actions/penalties, based onresponder, of the emer...
credentials, creates an invaluable first line    essential element in any access control plan.of access control.          ...
delivered to or removed from facilities; Record•    Identify the roles that require both           the following:     regu...
I also like to add a form of two-factor         your camera feeds, PISM brings out the best of yourauthentication to entry...
Rules Engine – The PSIM Platform contains       Key Services and Capabilitiesa powerful Rules Engine that analyzes event  ...
departments and/or Agencies by creating a       Contact Informationculture that embraces, reinforces anddemands security b...
Whitepaper Best Practices For Integrated Physical Security   Supporting Ma Itd Sec 10
Whitepaper Best Practices For Integrated Physical Security   Supporting Ma Itd Sec 10
Whitepaper Best Practices For Integrated Physical Security   Supporting Ma Itd Sec 10
Upcoming SlideShare
Loading in...5

Whitepaper Best Practices For Integrated Physical Security Supporting Ma Itd Sec 10


Published on

After careful review of the Commonwealth of “Massachusetts Enterprise Physical & Environmental Security Policy”, the following Whitepaper was prepared as a response utilizing concepts, best practices and the countermeasures & tools available under contract FAC64 “Security Surveillance and Access Control Systems.”

Published in: Business, Technology
1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Transcript of "Whitepaper Best Practices For Integrated Physical Security Supporting Ma Itd Sec 10"

  1. 1. An AACI White Paper Auburn Regional Office 489 Washington Street Auburn, MA 01501 Phone: (508) 453-2731 Best Practices For Integrated Physical Security Capabilities Supporting Massachusetts Document Reference: ITD-SEC-10.1 Dated: October 29, 2010 | Entitled “Enterprise Physical & Environmental Security Policy” By James E. McDonald Integrated Systems Consultant Government Contracts Team
  2. 2. Executive Summary Contents Physical Security Technology today is all about the network, if you’re not on the network you are probably not working. The physical protection of Executive Summary 2 facilities including the perception of detection of The Security Policy Applies To 2 negative human behaviors is the key to effective physical, network security and risk management. Perception of Detection and Fraud 3 Compliance Consulting Process 5 In response to the Commonwealth of Massachusetts Overview 5 Enterprise Physical & Environmental Security Policy (Reference # ITD-SEC-10.1 Issued Dated 10-29-2010) Commonwealth Policy Statement 6 issued by the Information Technology Division, this Physical Security Best Practices 9 document articulates available physical security and monitoring solutions to meet the requirements that Critical Infrastructure and Secretariats and their respective Agency or Environmental Monitoring 15 Contractors facilities must address in defining a policy to implement adequate physical and Implementation 16 environmental security controls and to secure and Key External Technology 16 protect information, assets, infrastructure and Key Internal Technology 16 Information Technology (IT) resources by using solutions provided to these departments under Policy Basics 17 procurement contract Operational Services Division Non-Compliance 18 (OSD) contract FAC64. Identification Procedures 18 According to this policy the Secretariats and their Physical Security Information respective Agencies must implement the appropriate combination of controls (administrative, Management (PISM) 19 technical, physical) to provide reasonable assurance In Summary 20 that security objectives are met. Agencies must achieve compliance with the overall information FAC64 State Contract 21 security goals of the Commonwealth including Contact Information 21 compliance with laws, regulations, legal agreements, Appendix A: Understanding Physical policies and standards to which their technology resources and data, including but not limited to Access Control Solutions 22 personal information (PI), are subject. This policy encompasses existing technologies existing within each department and the physical security solution technologies themselves since these integrated solutions are also network appliances. The Security Policy Applies ToAny opinions, findings, conclusions, or All Commonwealth of Massachusetts Secretariatsrecommendations expressed in this publication and their respective Agencies and entities governeddo not necessarily reflect the views of by the Enterprise Information Security Policy whoAmerican Alarm & Communications, Inc.,(AACI). Additionally, neither AACI nor any of must adhere to requirements of this supportingits employees makes any warrantee, expressed policy.or implied, or assumes any legal liability orresponsibility for the accuracy, completeness, The requirements described in the ITD-SEC-10.1or usefulness of any information, product, or document must be followed by:process included in this publication. Users of • Executive Department employeesinformation from this publication assume all • Executive Department Secretariats andliability arising from such use. their respective Agencies, in addition to any agency 2
  3. 3. or organization that connects to the protection, alarm monitoring and related securityCommonwealth’s wide area network systems by the Commonwealth of Massachusetts.(MAGNet), are required to ensurecompliance by any business partner that Covered under the states purchasing contractaccesses Executive Department IT resources known as "FAC64 Security Surveillance and Accessor shared environments, e.g. MAGNet; and Control Systems" the states designation of American• Contractors or vendors performing Alarm establishes preferred pricing for any eligiblework in or providing goods and services to public entity in Massachusetts. AdditionalCommonwealth managed spaces information concerning this 3 year contract is• Visitors to any Commonwealth available on-line atmanaged physical space (e.g. offices,, and network closets) or resource. security/fac64-state-contractOther Commonwealth entities are The following protective programs and technologiesencouraged to adopt, at a minimum, involve measures designed to prevent, deter, detect,security requirements in accordance with and defend against threats; reduce vulnerability tothis Enterprise Physical and Environmental an attack, internal losses, and other disaster;Security Policy or a more stringent agency mitigate consequences; and enable timely, efficientpolicy that addresses agency specific and response and restoration in any post-event related directives, laws, and Protective programs that benefit theregulations. Commonwealth are in place at many facilities. American Alarm and Communications, Inc. (AACI)Operational Services Division (OSD) as the have designed, installed and continue to monitor aCommonwealths’ central procurement range of integrated security systems for publicagency whose primary role is to coordinate entities including:the procurement activity for commoditiesand services on Statewide Contracts and • Executive Office of Health and Human ServicesCommonwealth Executive Branch (EOHHS),Departments. OSD Contract FAC64 for • The Judicial Branch/Trial Courts,Security, Surveillance and Access Control • Department of Revenue (DOR),Systems is a new (2010) statewide contract • Registry of Motor Vehicles,that covers all security, surveillance and • Massachusetts Medical Examiner’s Office inaccess control needs with monitoring Boston and Holyoke,services, locksmiths, security cameras, • State Firefighting Academy in Stow,lobby turnstiles, CCTV, vehicle access • Hampden County Sheriff’s Outreach Center inbarrier, metal detectors, x-ray machines Springfieldand locks. Labor under this contract is • Western Massachusetts Hospital in Westfield,covered under the Prevailing Wage Law. among others.Statewide Contracts are written to meet the Perception of Detection and Fraudneeds of public purchasers, including but The following describes what is known as the fraudnot limited to: Executive and Non-Executive triangle. In order for fraud or most crime andBranch departments, municipalities, “Negative Behaviors” to occur, all three elementscounties, public colleges and universities, have to be present. The Commonwealth and itspublic purchasing cooperatives, local individual Departments can takes steps to influenceschools, state facilities, public hospitals, all three legs. Commonwealth employees should becertain non-profit organizations, cognizant of pressures and how they relate to theindependent authorities, political sub- Commonwealth’s overall security risk.divisions and other states. Rationalizations can be reduced by promoting aAmerican Alarm has been awarded a three- strong sense of ethical behavior amongst employeesyear designation as an approved provider of and creating a positive work environment. Byvideo surveillance, access control, intrusion3
  4. 4. implementing strong internal controls, the person reconciling his/her behavior (stealing) withCommonwealth can remove much of the the commonly accepted notions of decency andopportunity for negative behaviors to occur trust. Some common rationalize-tions forand can increase the chances of detection. committing fraud are: • The person believes committing fraud is justifiedThis is the most widely accepted theory for to save a family member or loved one.explaining why people steal was postulated • The person believes they will lose everything –in the early 1950’s by Dr. Donald R. Cressey, family, home, car, etc. if they don’t take thewhile working on his doctoral dissertation money.on the factors that lead people to steal • The person believes that no help is availablefrom their employers. He called them ‘Trust from outside.Violators’, he was especially interested in • The person labels the theft as “borrowing”, andthe circumstances that lead otherwise fully intends to pay the stolen money back athonest people to become overcome by some point.temptation. To serve as a basis of his work • The person, because of job dissatisfactionhe conducted about 200 interviews with (salaries, job environment, treatment byinmates at Midwest prisons at the time managers, etc.), believes that something iswere incarcerated for embezzlement. Today owed to him/her.this work still remains the classic model for • The person is unable to understand or does notthe occupational thief. Over the years his care about the consequence of their actions ororiginal hypothesis has become known as of accepted notions of decency and trust.the Fraud Triangle. Opportunity Opportunity is the ability to commit fraud. Because fraudsters don’t wish to be caught, they must also believe that their activities will not be detected. Opportunity is created by weak internal controls, poor manage-ment oversight, and/or through use of one’s position and authority. Failure to establish adequate procedures to detect fraudulent activity also increases the opportunities fraud for to occur. Of the three elements, opportunity is the leg that organizations have the most control over. It is essential that organizations build processes,Financial Pressure procedures, use technology and controls that don’t needlessly put employees in a position to commitFinancial Pressure is what causes a person fraud and that effectively detect fraudulent activity ifto commit fraud. Pressure can include it occurs.almost anything including medical bills,expensive tastes, addiction problems, etc. Opportunity-Rationalization-Financial PressureMost of the time, pressure comes from asignificant financial need/problem. Often The key is that all three of these elements must existthis need/problem is non-sharable in the for the trust violation to occur. Technology haseyes of the fraudster. That is, the person always been used to attack the opportunity leg tobelieves, for whatever reason, that their create the perception that if you try you will beproblem must be solved in secret. However, detected. "Crede Sed Proba" or “Trust but Verify” issome frauds are committed simply out of the key to eliminating negative behaviors andgreed alone. policies being followed, thus minimizing fraud. A fraud prevention consultant can discuss the “Red-Rationalization Flags” of fraud in further detail.Rationalization is a crucial component inmost frauds. Rationalization involves a4
  5. 5. Compliance Consulting Process 4. Prioritize. We have found that it is notOur countermeasures today and services appropriate to develop a single, overarchingcan provide a detailed assessment of all prioritized list for the Commonwealth,processes, policies and procedures such as: many factors may come into play such aspurchasing, cash handling, work flow locations, lease terms,, information technology, and 5. Implement Solutions. There is no universalclient intake, human resources, billing, etc. solution for implementing protective security measures, different departmentsA review security goals, objectives, and and agencies implement the most effectiverequirements; Align business and solutions based on their strategies for protecting assets 6. Measure Progress. By measuring theby consolidating external compliance and effectiveness of protective solutions andsecurity best practice requirements into a their performance, together we cancommon control framework. Then we continually improve the security,review the existing policies and security infrastructure at each facility.architecture against the controls necessaryto achieve compliance requirements, We will collaborate with you to develop a road mapreview the effectiveness of policies and in design, implementation and best practices ofprocedures, conduct an audit and track and physical security solutions which are aligned withdocument actual data. We prioritize gaps, your departments or agency’s mission and valuesvulnerabilities, and possible loss scenarios that will support rather than hinder its operation.according to risk, present findings andprioritized recommendations for addressing Overviewdiscovered weaknesses. To assist our In todays ever-growing regulatory compliancecustomers in developing a framework of landscape, organization can greatly benefit fromcompliance we at American Alarm and implementing viable and proven physical securityCommunications, Inc., have developed a best practices for their organizations.six-step process. There are plenty of complicated documents that can 1. Set Goals and Objectives. The guide companies through the process of designing a Secretariats and their respective secure facility from the gold-standard specs used by agencies define specific outcomes, the federal government to build sensitive facilities conditions, end points or like embassies, to infrastructure standards published performance targets as guiding by industry groups like ASIS International, to safety principles to collectively constitute requirements from the likes of the National Fire and effective physical security/risk Protection Association. management posture. 2. Identify Assets, Systems. The Recent federal legislation, ranging from the Gramm- identification of assets and Leach Bliley Act (GLBA), the Health Insurance facilities is necessary to develop an Portability and Accountability Act (HIPAA) and The inventory of assets that can be Sarbanes Oxley Act of 2002 (SOX) Homeland Security analyzed further with regard to Presidential Directive 7 (HSPD-7) are putting intense criticality of information needing pressure on public and private entities to comply protection. with a myriad amount of security and privacy issues. 3. Assess Risks. We approach each What’s more, the public is looking for assurances security risk by evaluation that a strong control environment is in place, to consequence, vulnerability and protect private information with security best threat information with regard to practices. attack or other hazard to produce a comprehensive rational Homeland Security Presidential Directive 7 (HSPD-7) assessment. identified 18 critical infrastructure and key resources (CIKR) sectors and designated Federal Government5
  6. 6. Sector-Specific Agencies (SSAs) for each of contribute the most to risk mitigation by loweringthe sectors. vulnerabilities, deterring threats, and minimizing the consequences of outside attacks and other incidents. • Agriculture and Food Sector • Banking and Finance Sector Commonwealth Policy Statement • Chemical Sector In this section are excerpts from the “Enterprise • Commercial Facilities Sector Physical & Environmental Security Policy” • Communications Sector Secretariats and their respective Agency or • Critical Manufacturing (CM) Sector Contractors’ facilities housing information and IT • Dams Sector Resources (e.g. telephone networks, data networks, • Defense Industrial Base (DIB) servers, workstations, storage arrays, tape back-up Sector systems, tapes) must protect the physical space in • Emergency Services Sector (ESS) accordance with the data classification of the IT • Energy Sector Resource or the operational criticality of the • Government Facilities Sector equipment. • Healthcare and Public Health Sector Agencies are required to implement controls to • Information Technology (IT) Sector secure against unauthorized physical access, damage and interference to the agency’s premises, • National Monuments and Icons information and other assets including, but not (NM&I) Sector limited to, personal information (PI) and IT • Nuclear Sector Resources by implementing: • Postal and Shipping Sector • Transportation Systems Sector 1. Workforce Security: Secretariats and their • Water Sector respective Agencies must implement administrative and managerial controls that engage the workforceEach sector is responsible for developing through awareness and participation. To accomplishand implementing a Sector-Specific Plan this, Secretariats and their respective Agencies must:(SSP) and providing sector-levelperformance feedback to the Department • Identify a management team that will beof Homeland Security (DHS) to enable gap responsible for managing and enforcing theassessments of national cross-sector CIKR requirements detailed in this policy. Theprotection programs. SSAs are responsible Secretariat or Agency ISO or designee must befor collaborating with public and private part of the management team.sector security partners and encouraging o Implement appropriate procedures that addressthe development of appropriate at a minimum:information-sharing and analysis o Misplaced or stolen keys or any other itemsmechanisms within the sector. used to gain physical access. o Suspicion of any potential physical securityFor example the 2010 Information threat including potential break-ins or theTechnology (IT) Sector-Specific Plan (SSP) is presence of unauthorized persons.the result of a collaborative effort among o Changes in procedures for medical, fire orthe private sector; State, local, and tribal security events.governments; non-governmental o Ensure storage of and access to sensitiveorganizations; and the Federal Government. information or resources on portable media areThe 20I0 IT SSP provides a strategic handled in a manner that is consistent with thisframework for IT Sector critical policy and the classification level of the data.infrastructure and key resources (CIKR) o Educate any individual requiring access toprotection and resilience. The combined Commonwealth managed space of theirefforts across IT Sector partnerships will responsibility to comply with this policy prior toresult in the prioritization of protection providing access, including:initiatives and investments to ensure thatresources can be applied where they6
  7. 7. o Helping to ensure that agency access 3. Visitor control: Agencies must develop points (entrances/exits) in work areas and enforce procedures to monitor and control remain secure. Specifically, locked access to secure IT facilities and offices by visitors. doors must remain locked and any Examples of visitors may include contractors, access codes, keys, badges or other vendors, customers, friends/family of employees access devices must not be left in and employee candidates. Procedures must accessible places or shared in an address: unauthorized manner. • Requirements for use and maintenance ofo Notify employees that failure to comply visitor logs. with this policy and related policies and • Requirements for visitor identification. procedures may result in disciplinary • Requirements specific to a given security zone, action. e.g. escorted access to highly sensitive areas.o Notify vendors, consultants, or contractors that failure to follow this 4. Facility access controls of IT Resources: policy or related policies and Secretariats and their respective Agencies must procedures may be grounds for implement, or ensure third party implementation of, termination of existing agreements and physical access controls for all Agency IT facilitys and may be considered in evaluation and offices that they are responsible for, including access negotiation for future agreements. controls for public areas, deliveries and loading areas. Access controls must be implemented based2. Least privilege: Agencies must on the data classification or operational criticality ofapply the principle of least privilege when the IT Resources that are housed within a givengranting physical access rights to facility or security zone. A security risk assessmentindividuals. must be performed and documented to locate (map) physical areas and the levels of security needed at• Physical access controls must be each location. granted at the lowest level of access, rights, privileges, and security Appropriate levels of security controls must be permissions needed for an individual to installed at areas needing higher levels of security. effectively perform authorized tasks on any IT Resource or information or Acceptable methods for implementing such controls within a Commonwealth managed include but are not limited to: facility. • Electronic Card Access.• It is important to understand the role • Traditional Lock and Key Access. of the individual who is granted access • Motion and Breach Detection System. and how that role impacts the privilege • Video Monitoring. requirements. For example, the role of • Security Service Provider or Third Party a delivery driver, the individual Monitoring Service. responsible for janitorial services in • Attendants, Security Guards or Police Officers. secure areas, and the network • Paper or Electronic Logs. administrator each have different roles 5. Equipment and Environmental security: that require varying levels of privilege. Secretariats and their respective Agencies are• Agencies must also address the responsible for ensuring that Commonwealth technical, operational and managerial managed facilities (including IT facilities, offices or controls necessary to achieve facilities that house telephone networks, data compliance with least privilege in those networks, servers, workstations, and other IT-related instances where authorized users have systems) can implement adequate environmental physical access to logically separated safeguards to ensure availability and protect against data, applications and/or virtualized damage (e.g. from high heat, high humidity, etc.). hosts. Environmental safeguards that must be evaluated, implemented and maintained as appropriate include:7
  8. 8. • Secure installation and maintenance of prior to sending the equipment off-site for any Network cabling that protects against reason. At a minimum, Agencies must: damage to the physical cabling and/or unauthorized interception of data o Securely remove any sensitive data that does traversing the network cables. not need to reside on the equipment.• Ability to monitor and detect variation o Have reasonable assurance that the party in temperature and humidity responsible for the equipment while it is off site associated with the use of Heating, understands and accepts responsibility for Ventilation and Air Conditioning (HVAC) protecting the equipment, information about systems. the equipment or information stored on the• Use of industry standard methods for equipment at the appropriate level based on the maintaining consistent power supply sensitivity classification of the equipment and including backup generators and/or associated information. Uninterrupted Power Supplies (UPS).• Use of industry standard network 7. Secure disposal, removal, or reuse of components including routers, equipment: Agencies must document and switches, intelligent hubs and implement procedures to reasonably ensure secure associated cabling. handling and disposal of IT-related equipment,• Use of leak detection devices (water). particularly hardware that contains data classified as• Use of fire detection and suppression having high or medium sensitivity. Procedures must, devices including fire extinguishers and at a minimum, accomplish the following: sprinkler systems.• Protection against environmental • Secure removal or overwriting of licensed hazards such as floods, fires, etc. software prior to disposal. • Effective and permanent removal of theAny changes to the deployed environmental contents/data on the storage device ofsafeguards which affect the availability of computing equipment using industry standardassets or information must be reported techniques or tools to make the originalimmediately to the business owner, service information non-retrievable. Note: Using themanager and ISO or management team as standard delete or format function is anrequired by Secretariat or Agency unacceptable method of achieving this goal.procedures. • Ensure all equipment containing storage media, e.g., fixed hard drives are checked to verify that6. Equipment Maintenance: any licensed software or information classifiedAgencies must have maintenance as having medium or high sensitivity areprocedures in place to accomplish the removed or overwritten prior to disposal.following: • Specify whether damaged storage devices,• Keeping all systems and IT equipment particularly those containing information maintained and updated per classified as having high or medium sensitivity, manufacturer recommendations to must be repaired or destroyed. Procedures may ensure availability and integrity of the require that a risk assessment be performed to data and services provided by the determine how the device will need to be equipment. handled. For example, does the content of the• Ensuring that all maintenance, device indicate that the device should be troubleshooting and repair services are physically destroyed rather than sent out for provided by authorized personnel. repair or discarded?• Keeping current documentation including maintenance logs, fault logs, What should be the high-level goals for making sure diagnostic details, service records and that physical security for the facility is built into the corrective measures taken. designs, instead of being an expensive or ineffectual• Ensuring adequate controls are afterthought? implemented for off-site equipment8
  9. 9. From the moment an individual arrives on compliance with department policies andthe grounds and walks through the doors, procedures.the following items should be part of afacility physical security best practices Policiesprogram. An organization should consider including the following physical security policies in thePhysical Security Best Practices organization’s overall security policy:This section discusses our ideas on best in Identify unauthorized hardware attached to theclass physical security concepts that we use department computer system—make routine checksin our analysis of each department. of system hardware for unauthorized hardware.Computer systems and networks are Limit installation of hardware and software ownedvulnerable to physical attack; therefore, by employees on department desktop workstations.procedures should be implemented to Identify, tag, and inventory all computer systemensure that systems and networks are hardware. Conduct regular inspections andphysically secure. Physical access to a inventories of system hardware. Conductsystem or network provides the opportunity unscheduled inspections and inventories of systemfor an intruder to damage, steal, or corrupt hardware. Implement policies that instructcomputer equipment, software, and employees/users on how to react to intruders andpersonal information. When computer how to respond to incidents in which an intrusionsystems are networked with other has been detected.departments or agencies for the purpose ofsharing information, it is critical that each Physical security practices should address threatsparty to the network take appropriate due to theft, vandalism, and malicious internal ormeasures to ensure that its system will not external physically breached, therebycompromising the entire network. Physical • Theft—Theft of hardware, software, or data cansecurity procedures may be the least be expensive due to the necessity to restore lostexpensive to implement but can also be the data and the cost of replacing equipment andmost costly if not implemented. The most software. Theft also causes a loss of confidenceexpensive and sophisticated computer in the department that may have compromisedprotection software can be overcome once the intruder obtains physical access to the • Vandalism—Vandalism in most cases is notnetwork. directed at compromising a system or network so much as it is the senseless destruction ofAt the same time these countermeasures property. Both external and internalare tools that not only protect the IT perpetrators may pose a vandalism threat. Lownetwork but also the employees, visitors morale in an organization may be the underlyingand citizens at Commonwealth facilities. reason for vandalism caused by internal perpetrators. The actual threat to a networkPurpose posed by vandalism is difficult to assess becauseThis section identifies potential physical vandalism is generally not motivated by athreats to facilities, hardware, software, conscious effort to compromise a network. Likeand sensitive information. This section also theft, vandalism can be expensive due to therecommends best practices to secure necessity to replace damaged equipment andcomputer systems from physical intrusion. software. • Threats Posed by Internal and External Staff—Principles Internal and external intruders may attempt toIdentify potential physical threats to manipulate or destroy IT equipment,departmental computer systems and accessories, documents, and software. Thenetworks. Establish policies and procedures potential of damage caused by the manipulationto thwart potential physical threats. of intruders increases the longer they remainConduct audits to monitor employee undetected, thereby increasing their knowledge9
  10. 10. of the system and their ability to wreak sensitive information. Intruders act like havoc on a network. The threats may department staff and use keywords during include unauthorized access to conversations to obtain information. “Sounding” sensitive data and outright destruction occurs by telephone when intruders pose as of data media or IT systems. Internal staff, as in the following examples: staff may attempt to modify privileges o A staff member who must urgently or access unauthorized information, complete an assignment but has either for their own purposes or for forgotten his password. others. This may result in system o An administrator who is attempting to crashes or breaches in other areas of correct a system error and needs a user the network opened up through password. configuration errors. o A telephone technician requesting• Temporary workers, contractors, and information, such as a subscriber consultants represent a unique security number or modem configurations and threat in that they are generally not settings. subject to the same background checks as a department’s full-time employees, Applying the following physical security measures but they may be granted the same high mitigates these threats. level of access to the system and network. Contractors and consultants • Identification of Unauthorized Hardware will sometimes know the applications Attached to a System—Establish policies to limit and operating systems running on the employees from attaching unauthorized network better than department hardware to the office system. Unauthorized employees. Temporary employees hardware includes computers, modems, should be closely scrutinized until a terminals, printers, and disk or tape drives. The level of trust can be established. policies should also restrict software that Consulting firms and contract agencies employees may load onto the office system. should be questioned about their hiring Implement policies regarding opening policies and standards. Cleaning staff unidentified e-mail attachments and downloads may also cause threats either by theft off the Internet. of system components or from using • Perform monthly audits of all systems and the system improperly, such as by peripherals attached to the network accidentally detaching a plug-in infrastructure. Make random inspections of connection, allowing water seepage equipment to search for unauthorized attached into equipment, or mislaying or hardware to the network. Identify missing or discarding documents as trash. misplaced hardware. Search and identify any• An intruder may attempt to unauthorized hardware attached to the masquerade as or impersonate a valid network. system user by obtaining a false identity and appropriating a user ID • Inspect computers and networks for signs of and password. Someone may be misled unauthorized access. Search for intrusion or about the identity of the party being tampering with CDs, tapes, disks, paper, and communicated with for the purpose of system components that are subject to physical obtaining sensitive information. An compromise by damage, theft, or corruption. intruder can also use masquerading to connect to an existing connection • Protection against Break-In—Intruders choose without having to authenticate himself, targets by weighing the risk and effort versus as this step has already been taken by the expected reward. Therefore, all measures the original participants in the implemented to prevent break-ins should communication. increase the risk to the intruder of being caught.• Social engineering can be used by The possible measures for protection against internal or external intruders to access break-ins should be adapted to each specific10
  11. 11. situation. Protect doors or windows by systems. When implementing policies for entry adding security shutters. Add additional regulation, consider the following: locks or security bars. Add additional lighting inside and outside the building. • The area subject to security regulations Seek advice from police and security should be clearly defined. professionals. When planning physical • The number of persons with access should security measures, care must be taken be reduced to a minimum. to ensure that provisions relating to fire • Authorized persons should be mutually and personal protection (e.g., regarding aware of others with access authority in the serviceability of escape routes) are order to be able to recognize unauthorized not violated. Staff must be trained on persons. the anti-burglary measures that are to • Visitors should only be allowed to enter be observed. after the need to do so has been previously verified.• Entry Regulations and Controls—A • The permissions granted must be fundamental but frequently overlooked documented. aspect of sound internal security is the • Access should be limited by locked physical restrictions placed on access to rooms/entrances, physical zones, and systems and networks. Having good identification badges. physical security in place is a necessary • A record must be kept of accesses. follow-up to whatever office building • Challenge protocols should be added. security an organization may have in place. Know who is entering Entrance Security Staff—Establishment of an department offices at all times, and entrance control service has far-reaching, positive ensuring all secure areas are locked and effects against a number of threats. However, this access restricted. Network security presupposes that some fundamental principles are measures can be rendered useless if an observed in the performance of entrance control. intruder can bluff his way past the Entrance security staff must observe and/or monitor entrance security; walk into a computer all movements of persons at the entrance. Unknown room; and take diskettes, tapes, or persons must prove their identity to the entrance servers. security staff. Before a visitor is allowed to enter, a check should be made with the person to be visited.• Strangers, visitors, craftsmen, and maintenance and cleaning staff should A visitor must be escorted to the person to be visited be supervised. Should the need arise to or met by the latter at the entrance. Security staff leave a stranger alone in an office, the must know the office employees. In case of occupant of that office should ask termination of employment, security staff must be another staff member to supervise or informed of the date from which this member of request the visitor to wait outside the staff is to be denied access. A visitor log should be office. If it is not possible to accompany kept to document access. The issuance of visitors’ outsiders, the minimum requirement passes should be considered. The job duties of should be to secure the personal work security staff should be designed specifically to area: desk, cabinet, and computer. The identify their tasks in support of other protective requirement for this measure must be measures, such as building security after business explained to the staff and should be hours, activation of the alarm system, and checking made part of department policy and of outside doors and windows. training. Alarm System—an alarm system consists of a• Control entry into buildings and rooms number of local alarm devices that communicate housing sensitive equipment. Security with a control center through which the alarm is measures may range from issuance of triggered. If an alarm system covering break-ins, fire, keys to high-tech identification water, CO, and other gases is installed and can be11
  12. 12. expanded, surveillance provided by this may be caused by intentional and unintentional acts.system should include, at a minimum, the IT After an unauthorized intrusion, office routines maycore areas (such as server rooms, data be disrupted in order to search for damage, theft,media archives, and technical infrastructure and unauthorized or missing hardware or software.rooms, public areas). This will enable Intentional or unintentional damage to systems maythreats such as fire, burglary, or theft to be be caused by temporary help who are employed todetected immediately so that counter- substitute for cleaning staff. Temporary help maymeasures can be taken. To ensure that this accidentally clean workstations and sensitiveis the case, it is imperative that the alarms equipment with solutions or by methods damagingbe sent on to a central command center to hardware.that is permanently staffed 24/7/365. It isimportant that this facility have the Identification of Secure Rooms—Secure rooms suchexpertise, equipment, and personnel as the server room, computer center, data mediarequired to respond to the alarm. The archives, and air conditioning unit should not beguidelines of the organization concerned for identified on office locator boards or by name platesconnection to the respective networks affixed to the room door. Identifying these sensitiveshould be considered here. areas enables a potential intruder to prepare more specifically and thus have a greater chance ofSecurity of Windows and Doors—Windows success.and outward-leading doors (e.g., balconies, Location of Secure Rooms inpatios) should be closed and lockedwhenever a room is unoccupied. Unexposed Areas of Buildings—secure rooms shouldInstructions to close windows and outside not be located in areas exposed to view or potentialdoors should be issued, adding barriers or danger. They also should not be located on the firstfilms and regular checks should be made to floor of buildings that are open to view by passersbysee that windows and doors are closed by or that are exposed to attack or vandalism. First-occupants after leaving the rooms. floor rooms are more likely to be easily observed or exposed to breaking and entering. Rooms or areasThe doors of unoccupied rooms should be requiring protection should be located in the centerlocked. This will prevent unauthorized of a building, rather than in its outer walls.persons from obtaining access todocuments and IT equipment. It is Inspection Rounds—the effectiveness of anyparticularly important to lock individual measure will always be commensurate to theoffices when located in areas accessible by enforcement of that measure. Inspection roundsthe public or where access cannot be offer the simplest means of monitoring thecontrolled by any other means. Staff should implementation of measures and the observance ofbe instructed to lock their offices when they requirements and instructions.leave, and random checks should be madeto determine whether offices are locked Inspection rounds should not be aimed at thewhen their occupants leave. detection of offenders for the purpose of punishing them. Rather, controls should be aimed primarily atIn an open office, where cubicles dominate remedying perceived negligence at the earliestand it is not possible to lock individual possible moment, such as by closing windows oroffices, employees should lock away their taking documents into custody. As a secondarydocuments in their desks, and a secure objective, security breaches can be identified anddesktop workstation policy should be possibly avoided in the future. Inspection roundsimplemented (additional information on should also be made during office hours to informformulating this policy can be found later in staff members about how and why pertinentthis section). regulations are being applied. Thus, they will be perceived by all persons concerned as a help ratherUnauthorized Admission to Rooms than a hindrance.Requiring Protection—If unauthorized Proper Disposal of Sensitive Resources—Sensitivepersons enter protected rooms, damage information not properly disposed of may be the12
  13. 13. source of valuable information for persons are usually not protected to the same extent as theseeking to do harm. An intruder, workplace. Workstations at home are accessible tocompetitor, or temporary staff can gain family members and visitors who may intentionallyvaluable information in a low-tech manner or unintentionally manipulate business-related databy simply going through trash for discarded on the workstation, if data is not properly protected.paperwork that might contain sensitive Inadvertent or intentional manipulation affects theinformation. At a minimum, shred all papers confidentiality and integrity of the business-relatedand documentation containing sensitive information, as well as the availability of data and ITcompany information, network diagrams, services on the workstation. Appropriate proceduresand systems data to prevent a security should be implemented to achieve a degree ofbreach by those who might seek security comparable with that prevailing on officeinformation by rummaging through trash. premises. Suitable Configuration of a RemoteEmployees should be advised against Workplace—It is advisable to assign a secure roomwriting down user IDs or passwords. for use as a workplace at home. Such a workplace should at least be separated from the rest of theIn the case of functioning media, the data premises by means of a door.should be overwritten with randompatterns. Nonfunctioning data media, such IT equipment intended for professional purposesas CDs, should be destroyed mechanically. should be provided by the employer, and the use ofThe recommended disposal of material these services for private purposes should berequiring protection should be detailed in a prevented by formal policies. Employees who workspecific directive and in training; adequate at home should be questioned regularly ordisposal facilities should be provided. This periodically as to whether their workplace compliesincludes storage devices and media (i.e., with security and operational requirements.floppy and hard disks, magnetic tapes, andCDs/DVDs). If sensitive resources are Theft of a Mobile IT System—Laptop or mobile ITcollected prior to their disposal, the systems create a greater risk of theft or damage.collected material must be kept under lock Due to the inherent nature of a mobile system, it willand be protected against unauthorized often be removed from the confines of a secureaccess. office. Therefore, policies should be implemented to safeguard mobile IT systems.Secure Desktop Workstations—the first lineof defense in physical security is to secure Suitable Storage of Business-Related Documents anddesktop workstations. Effective training in Data Media— Business-related documents and datathe organization’s policies and procedures media at the home workstations must only beto secure desktop workstations should be a accessible to the authorized employee, and whensignificant part of network and information they are not in use, they must be kept in a lockedsecurity strategy because of the sensitive location. A lockable desk, safe, or cabinet must beinformation often stored on workstations available for this purpose. At a minimum, the lockand their connections. Many security must be capable of withstanding attacks using toolsproblems can be avoided if the that are easy to create or purchase. The degree ofworkstations and network are appropriately protection provided by the drawer should beconfigured. Default hardware and software appropriate to the security requirements of theconfigurations, however, are set by vendors documents and data media contained therein.who tend to emphasize features andfunctions more than security. Since vendors In facilities and offices that operate as “Specialare not aware of specific security needs, Facilities” or other high risk there are additionalnew workstations must be configured to practices that should be reviewed in the design andreflect security requirements and planning process.reconfigured as requirements change. Restrict Area PerimeterRemote Workstations—there is usually a Secure and monitor the perimeter of the facility.higher risk of theft at home because homes13
  14. 14. Have Redundant Utilities that the bollards are down and the driver can goJMaac10 centers need two sources for forward. In situations when extra security is needed,utilities, such as electricity, water, voice and have the barriers left up by default, and lowereddata. Trace electricity sources back to two only when someone has permission to pass through.separate substations and water back to twodifferent main lines. Lines should be Plan for Bomb Detectionunderground and should come into For facilities that are especially sensitive or likelydifferent areas of the building, with water targets, have guards use mirrors to checkseparate from other utilities. Use the underneath vehicles for explosives, or provideFacilitys anticipated power usage as portable bomb-sniffing devices. You can respond toleverage for getting the electric company to a raised threat by increasing the number of vehiclesaccommodate the buildings special needs. you check, perhaps by checking employee vehicles as well as visitors and delivery trucks.Deter, Detect, and DelayDeter, detect, and delay an attack, creating Limit Entry Pointssufficient time between detection of an Control access to the building by establishing oneattack and the point at which the attack main entrance, plus a another one for the loadingbecomes successful. dock. This keeps costs down too.Pay Attention to Walls Make Fire Doors Exit OnlyFoot-thick concrete is a cheap and effective For exits required by fire codes, install doors thatbarrier against the elements and explosive dont have handles on the outside. When any ofdevices. For extra security, use walls lined these doors is opened, a loud alarm should soundwith Kevlar. and trigger a response from the security command center.Avoid WindowsThink warehouse and not an office building. Use Plenty of CamerasIf you must have windows, limit them to the Surveillance cameras should be installed around thebreak room or administrative area, and use perimeter of the building, at all entrances and exits,bomb-resistant laminated glass. and at every access point throughout the building. A combination of motion-detection devices, low-lightUse Landscaping for Protection Trees, cameras, pan-tilt-zoom cameras and standard fixedboulders and gulleys can hide the building cameras is ideal. Footage should be digitallyfrom passing cars, obscure security devices recorded and stored offsite.(like fences), and also help keep vehiclesfrom getting too close. Oh, and they look Protect the Buildings Machinerynice too. Keep the mechanical area of the building, which houses environmental systems and uninterruptibleKeep a 100-foot Buffer Zone Around the Site power supplies, strictly off limits. If generators areWhere landscaping does not protect the outside, use concrete walls to secure the area. Forbuilding from vehicles, use crash-proof both areas, make sure all contractors and repairbarriers instead. Bollard planters are less crews are accompanied by an employee at all times.conspicuous and more attractive than otherdevices. Personnel Surety Perform appropriate background checks on andUse Retractable Crash Barriers at Vehicle ensure appropriate credentials for facility personnel,Entry Points and, as appropriate, for unescorted visitors withControl access to the parking lot and access to restricted areas or critical assets.loading dock with a staffed guard stationthat operates the retractable bollards. Usea raised gate and a green light as visual cues14
  15. 15. Plan for Secure Air Handling airlock in between. Only one door can be opened atMake sure the heating, ventilating and air- a time, and authentication is needed for both doors.conditioning systems can be set torecirculate air rather than drawing in air At the Door to an Individual Computer Processingfrom the outside. This could help protect Roompeople and equipment if there were some This is for the room where actual servers,kind of biological or chemical attack or mainframes or other critical IT equipment is located.heavy smoke spreading from a nearby fire. Provide access only on an as-needed basis, andFor added security, put devices in place to segment these rooms as much as possible in order tomonitor the air for chemical, biological or control and track access.radiological contaminant. Watch the Exits TooEnsure nothing can hide in the walls and Monitor entrance and exit—not only for the mainceilings facility but for more sensitive areas of the facility asIn secure areas of the facility, make sure well. Itll help you keep track of who was where,internal walls run from the slab ceiling all when. It also helps with building evacuation if theresthe way to subflooring where wiring is a fire..typically housed. Also make sure drop-downceilings dont provide hidden access points. Prohibit Food in the Computer Rooms Provide aUse two-factor authentication Biometric common area where people can eat without gettingidentification is becoming standard for food on computer equipment.access control to sensitive areas of facilities,with hand geometry or fingerprint scanners Install Visitor Rest Roomsusually considered less invasive than retinal Make sure to include rest rooms for use by visitorsscanning. In other areas, you may be able to and delivery people who dont have access to theget away with less-expensive access cards. secure parts of the building.Harden the Core with Security Layers Critical Infrastructure and EnvironmentalAnyone entering the most secure part of Monitoringthe facility will have been authenticated at "Critical infrastructure" is defined by federal law asleast three times, including at the outer "systems and assets, whether physical or virtual, sodoor. Dont forget youll need a way for vital to the United States that the incapacity orvisitors to buzz the front desk (IP Intercom destruction of such systems and assets would have aworks well for this). At the entrance to the debilitating impact on security, national economic"data" part of the facility. At the inner door security, national public health or safety, or anyseparates visitor area from general combination of those matters.employee area. Typically, this is the layer American Alarm & Communications, Inc. providesthat has the strictest "positive control," technology and services to monitor many key areasmeaning no piggybacking allowed. For of your operation.implementation, you have two options: Communication between your business alarm-A floor-to-ceiling turnstile system and our Monitoring Center is a critical part ofIf someone tries to sneak in behind an your protective system. Our Underwriters’authenticated user, the door gently Laboratories (U.L.) Listed Monitoring Center is therevolves in the reverse direction. (In case of core of American Alarm’s sophisticateda fire, the walls of the turnstile flatten to communications operation. In the event of an alarm,allow quick egress.) the CPU in your security system sends an alarm signal to-A "mantrap" our monitoring facility through the phone lines (800Provides alternate access for equipment numbers are not used, given their unreliability). Theand for persons with disabilities. This signal is then retrieved by our monitoring center,consists of two separate doors with an and our operators quickly notify the appropriate15
  16. 16. authorities, as well as the designated rule-based generation of actions/penalties, based onresponder, of the emergency. physical access events. Correlate alarms and identities to better manage situations and responses across the security infrastructure. Incorporate real-time monitoring and detailed risk analysis tools to instantly enforce, maintain and report on compliance initiatives Key External Technology Entry Point Facilities are generally designed with a central access point that’s used to filter employees and visitors intoAACI Monitoring Capabilities the facility. • Fire All requests are vetted by a security guard with an • Hold-Up intercom link to ensure that they have a legitimate • Intrusion reason for entering the premises. • Halon/Ansul Automatic Bollards • Panic/Ambush • Man Down As an alternative to a guard-controlled gate, • Elevator Phones automatic bollards can be used at entry points. • Off-Premises Video These short vertical posts pop out of the ground to • HVAC/Refrigeration prevent unauthorized vehicles from driving onto the • Sprinkler/Tamper/Flow site. When a vehicle’s occupants are verified by a guard, an access card or other secure process, the • Power Loss/Low Battery bollards are quickly lowered to allow the vehicle to • Gas/Hazardous Chemicals enter. When in the lowered position, the top of each • Water Flow/Flood Alarms bollard is flush with the pavement or asphalt and • Environmental Devices completely hidden. The bollards move quickly and (CO2/CO/ETC.) are designed to prevent more than one vehicle from • Radio/Cellular Back-Up passing through at any one time. Communications Closed-Circuit TV / SurveillanceImplementation External video cameras, positioned in strategicAt American Alarm and Communications, locations, including along perimeter fencing, provideInc., we utilize and integrate mutable efficient and continuous visual surveillance. Thesolutions to create a physical security cameras can detect and follow the activities ofcompliance and risk management solution people in both authorized and “off limits” locations.that can automate and enforce physical In the event someone performs an unauthorizedsecurity policies, from restricting area action or commits a crime, the digitally stored videoperimeter and securing site assets to can supply valuable evidence to supervisors, lawpersonnel surety and reporting of enforcement officials and judicial authorities. Forsignificant security incidents; this helps to added protection, the video should be stored off-siteensure both governance and compliance on a digital video recorder (DVR).utilizing an organization’s existing physicalsecurity and IT infrastructure. Key Internal TechnologyWe can centrally manage all regulations andassociated controls and automate Lobby/Public Areasassessment, remediation and reporting as With proper software and surveillance andper defined review cycles. Automatically communications tools, a staffed reception desk, withtrigger compliance-based actions, such as one or more security guards checking visitors’16
  17. 17. credentials, creates an invaluable first line essential element in any access control plan.of access control. Loading and ReceivingSurveillance For full premises security, mantraps, card readersLike their external counterparts, internal and other access controls located in public-facingcameras provide constant surveillance and facilities also need to be duplicated at the facility’soffer documented proof of any observed loading docks and storage areas.wrongdoing. Operational AreasBiometric Screening The final line of physical protection falls in front ofOnce the stuff of science fiction and spy the facility’s IT resources. Private cages and suitesmovies, biometric identification now plays a need to be equipped with dedicated access controlkey role in premises security. Biometric systems while cabinets should have locking front andsystems authorize users on the basis of a rear doors for additional protection.physical characteristic that doesn’t changeduring a lifetime, such as a fingerprint, hand Humans are the weakest link in any security scheme.or face geometry, retina or iris features. Security professionals can do their best to protect systems with layers of anti-malware, personal andMantrap network firewalls, biometric login authentication,Typically located at the gateway between and even data encryption, but give a good hacker (orthe lobby and the rest of the facility, computer forensics expert) enough time withmantrap technology consists of two physical access to the hardware, and there’s a goodinterlocking doors positioned on either side chance they’ll break in. Thus, robust physical accessof an enclosed space. The first door must controls and policies are critical elements of anyclose before the second one opens. In a comprehensive IT security strategy.typical mantrap, the visitor needs to first“badge-in” and then once inside must pass According to a report by the SANS Institute, “ITa biometric screening in the form of an iris security and physical security are no longer securityscan. silos in the IT environment; they are and must be considered one and the same or, as it should beAccess Control List called, overall security.”Defined by the facility customer, an access It is the innermost layer—physical entry to computercontrol list includes the names of rooms—over which IT managers typically haveindividuals who are authorized to enter the responsibility, and the means to have effectivefacility environment. Anyone not on the list control over human access focuses on a set ofwill not be granted access to operational policies, procedures, and enforcement mechanisms.areas. Policy BasicsBadges and Cards Given their importance and ramifications onVisually distinctive badges and identification employees, access policies must come from the topcards, combined with automated entry leadership. After setting expectations and behavioralpoints, ensure that only authorized people ground rules, actual facility access policies havecan access specific facility areas. The most several common elements. The most essential arecommon identification technologies are definitions of various access levels and proceduresmagnetic stripe, proximity, barcode, smart for authenticating individuals in each group and theircards and various biometric devices. associated privileges and responsibilities when in the facility.Guard StaffA well-trained staff that monitors site Step 1facilities and security technologies is an Authorize, identify and authenticate individuals that require physical access:17
  18. 18. delivered to or removed from facilities; Record• Identify the roles that require both the following: regular as well as occasional physical access and identify the individuals that • Date and time of delivery/removal. fill these roles. • Name and type of equipment to be• Provide standing authorization and a delivered or removed. permanent authenticator to individuals • Name and employer of the individual that require regular access. performing the delivery/removal and the• Require individuals that require authentication mechanism used. occasional access to submit a request • Name and title of authorizing individual. that must be approved prior to access • Reason for delivery/removal. being attempted or allowed.• Authenticate individuals with regular Non-Compliance access requirements through the use of Violation of any of the constraints of these policies their assigned permanent or procedures should be considered a security authenticator. breach and depending on the nature of the violation,• Authenticate individuals with various sanctions will be taken: occasional access requirements through the use of a personal • A minor breach should result in written identification mechanism that includes reprimand. name, signature and photograph. • Multiple minor breaches or a major breach should result in suspension.Step 2 • Multiple major breaches should result in termination.Verify that work to be performed has beenpre-approved or meets emergency Although older facilities typically just consisted of aresponse procedures: large, un-partitioned raised-floor area, newer enterprise facilities have taken a page from ISP • Verify against standard Change designs by dividing the space into various zones—for Control procedures. example, a cage for high-availability servers, another • Verify against standard area for Tier 2 or 3 systems, a dedicated network Maintenance procedures. control room, and even separate areas for facilitiesStep 3 infrastructure such as PDUs and chillers. SuchMake use of logs to document the coming partitioned facilities provide control points forand goings of people and equipment: denying access to personnel with no responsibility for equipment that’s in them.• Assign the responsibility for the maintenance of an access log that Identification Procedures records personnel access. Record the The next step in a physical security policy is to set up following: controls and identification procedures for • Date and time of entry. authenticating facility users and granting them • Name of accessing individual and physical access. Although biometric scanners look authentication mechanism. flashy in the movies and certainly provide an added • Name and title of authorizing measure of security, a magnetic stripe badge reader individual. is still the most common entry technology, as it’s • Reason for access. simple, cheap, and effective and allows automated • Date and time of departure. logging, which is a necessary audit trail. One problem with magnetic readers, according is• Assign the responsibility for the their susceptibility to tailgating, or allowing maintenance of a delivery and removal unauthorized personnel to trail a colleague through log that records equipment that is an entryway. That’s why we advise supplementing doors and locks with recorded video surveillance.18
  19. 19. I also like to add a form of two-factor your camera feeds, PISM brings out the best of yourauthentication to entry points by coupling a equipment.card reader (“something you have”) with aPIN pad (“something you know”), which To investigate day-to-day incidents, as well asreduces the risks of lost cards. I also prepare for emergency situations, the securityrecommend using time-stamped video department makes use of a vast network of videosurveillance in conjunction with electronic cameras, access control points, intercoms, fire andaccess logs and a sign-in sheet to provide a other safety systems. PISM unifies all of thesepaper trail. disparate feeds, including systems from diverse manufacturers, into a single decision-orientedAccess levels and controls, with Common Operating Picture. Within the PSIMidentification, monitoring, and logging, form Platform are five key components:the foundation of an access policy, but twoother major policy elements are standards Integration Services – Multiple strategies are usedof conduct and behaviors inside the facility for connection, communication with, andsuch as: prohibitions on food and beverages management of installed devices and systems fromor tampering with unauthorized equipment, multiple vendors. The PSIM Platform offers completelimitations and controls on the admission of support for the industry’s most commonly-usedpersonal electronics such as USB thumb device types – out of the box. In addition, it employsdrives, laptops, smart-phones, or cameras customizable “pipeline” architecture to receiveare critical. device events. This architecture exploits commonalities among similar devices (includingPolicies should also incorporate processes format and protocol) and reduces the need for one-for granting access or elevating restriction off adaptations. Network connectivity is achievedlevels, an exception process for unusual using combinations of multiple communicationssituations, sanctions for policy violations, protocols.and standards for reviewing and auditingpolicy compliance. Stahl cautions that Geo-Location Engine – The Geo Location Enginepenalties for noncompliance will vary from provides spatial recognition for geo-location ofcompany to company because they must devices and supports situation mappingreflect each enterprise’s specific risk functionality. The physical position of devices istolerance, corporate culture, local stored in an internal knowledge base as GIS/GPSemployment laws, and union contracts. positions or building coordinates. The engine uses the information to determine relevance, selects, andPhysical Security Information relate devices involved in a given situation. TheManagement (PISM) system uses the information to overlay graphical representations of security assets and activities ontoThe PSIM Platform enables the integration Google-type maps or building layouts.and organization of any number and type ofsecurity devices or systems and provides a Routing Engine – The Routing Engine is an intelligentcommon set of services for analyzing and switch that connects any security device to PISMmanaging the incoming information. It also command interfaces or output device(s) andserves as the common services platform for accommodates any required transformation ofvideo and situation management formats and protocols between connected devices.applications. In most cases, devices connect directly to each other and exchange data streams directly, avoidingEffectively maintaining security of critical possible bottlenecks that would arise from routinginfrastructure does not happen by accident, all traffic through a single centralized server. Anit means giving your security professionals internal knowledge base of all connected devicesthe best security/software tools available and their characteristics is maintained by thetoday. By unifying your existing surveillance Routing Engine, which uses that information tosystem and providing spatial context to ensure a viable communication path, compatibility of signal format and acceptable quality of service.19
  20. 20. Rules Engine – The PSIM Platform contains Key Services and Capabilitiesa powerful Rules Engine that analyzes event • Physical Security Site Surveysand policy information from multiple • Physical Security Information Managementsources to correlate events, make decisions (PSIM)based upon event variables and initiate • Privacy Protecting Camera Systems (PPCS)activities. Pre-packaged or user written • Design, Engineering and Consultingrules define the events or event • Installation, Maintenance and Monitoring ofcombinations for identifying and resolving Fire & Life Safety Solutionssituations in real time according to business • Integrated Access Control, Intrusion Detectionpolicies. and Surveillance Solutions • Emergency Communications with Wired andDispatch Engine – The Dispatch Engine Wireless and Networksintegrates with communications • Burglar, Fire Alarm Monitoring (In Our Owninfrastructure to initiate external Massachusetts UL Listed & DOD Certifiedapplications or the transmission of Central Station)messages, data and commands. Dispatch In our experience working with management, facilityactions are automatically triggered by the and security professionals within therules engine as it executes Commonwealth has been rewarding. Compliance torecommendations for situation resolution. this policy for most departments has been the goalOperators can manually initiate actions as and the new the budget year begins we look forwardwell. The system integrates and analyzes to continuing our work to further compliance andinformation from disparate traditional improve the physical security technologies andphysical security devices including analog monitoring to implement measures to protectand digital video. personnel, equipment and property and the network against anticipated threats.The key benefits of today’s technology isallowing system users to do more with less It’s time to get physical—as in physically protectingby getting maximum benefits through all facilities and all of their assets. Yet physicalintegrated technologies with each system security is often placed on the back burner, largely(Both new and old) and with the goals of forgotten about until an unauthorized partycompany policies and procedures like never manages to break into or sneak onto a site andbefore. steals or vandalizes systems. Today’s security systems include:In Summary • Intrusion and Monitoring SystemsAmerican Alarm and Communications, Inc., • Access Control Systemsis in a unique position to improve personal • Visitor Management Systemsprotection of key individuals as a • Surveillance SystemsMassachusetts based Underwriters • Emergency Communications SystemsLaboratories (UL) Listed, and United StatesFederal Government (DOD) recognized 24- • Physical Security Information Managementhour Security Command Center and Central (PISM) Software PlatformsStation. Every day we manage a full rangeof security, communication and escalation Our commitment to supporting the terms of theprocedures specifically designed for our key contract are best stated by our President Wellscustomers. Our founders, three engineers Sampson, “We continue to serve the unique needs offrom the Massachusetts Institute of public clients, and our track record of strong serviceTechnology (MIT), have worked to bring the was one of the reasons the Commonwealthbenefits of new technology and solutions to expressed continuing confidence in our company andour customers. Though we have grown over approved our program for another three years.”the years, our mission has remained thesame: to provide the best possible security As a manager, you have the responsibility to supporttechnologies across Massachusetts. this physical and environmental security policy implementation throughout your respective20
  21. 21. departments and/or Agencies by creating a Contact Informationculture that embraces, reinforces anddemands security best practices and are James E. McDonaldconsistent with the policy and the facility. Integrated Systems ConsultantWithin this culture is the need to Government Contracts Teamunderstand the human variable. This American Alarm and Communications, Inc.encompasses anyone who interfaces with 489 Washington Streetoperations, including managers, facility Auburn, Massachusetts 01501operators, maintenance personnel, other Direct Phone: (508) 453-2731employees, customers, delivery people, Direct Fax: (781) 645-7537clients and visitors. Email: JMcDonald@AmericanAlarm.comThe human element affects everything withregard to security and reliability. How it is Links:addressed may depend on external factors American Alarm Website: www.AmericanAlarm.comsuch as the law, collective bargaining Blog: www.SecurityTalkingPoints.comguidelines and even prudent management Twitter: Within each Agency or Bio:, responsibility assignments for Site Survey Request:policy compliance should be defined., all policies and procedures musttake into account the human variable. Best Association Memberships: ASIS International, ASISpractices require that physical security be Boston, International Association for Healthcaretreated as a fundamental value. Security and Safety, IAHSS Boston, Association of Certified Fraud Examiners (ACFE)FAC64 State ContractThe FAC64 contract gives you a way toacquire all the tools necessary for yourdepartment or Agency. All with a threeyear warranty on all parts and labor.Countermeasures are constantly improvingand changing and can be used to countermultiple risks beyond the scope of thisdiscussion. The need for these solutionsgoes back to a time before the RomanEmpire. The tools evolve but the needsremain the same.All departments and agencies are subject tosecurity & fraud risks and need to completea physical security/fraud risk assessment fortheir agency on a periodic basis.21