Keys to a More Successful Physical Security Program


An effective security program is a living thing. It comprises a myriad of equipment, actions, policies, and procedures, all of which interconnect and rely on each other to provide a comprehensive and effective program.
 
The collection of documents that together form the security program must be, by design and intent, focused on three primary missions: remedial measures, preventative measures, and, overlapping both of these, education. The security plan must accurately describe situations both present and future; capture potential scenarios and consequences; detail the organization’s actions both during and following specific events; and educate the organization on the specific roles specific groups play. Joachim Gloschat's presentation will address all this and more as he explores what makes a successful physical security program.

Published in: Technology


  1. 1. Background US Army  Russian Cryptography Interceptor ○ 1984 to 1987  Mandarin Chinese Intelligence Officer ○ 1989 to 2001
  2. 2. Sept 11, 2001World Trade Centers
  3. 3. “Working in security is doing God’s work as far as I am concerned. Security work is an opportunity to serve fellow man…There is nothing greater than saving lives.” Dr. Ona Ekhomu, CPP Security Management Magazine, March 2007 First Nigerian ASIS Certified Protection Professional
  4. 4. Background Antiterrorism/Force Protection  2001 – US Corps of Engineers  2002 – Operation Enduring Freedom  2003 – Operation Iraqi Freedom  2004 – Security Management Solutions ○ Federal Energy Regulatory Commission ○ Association of State Dam Safety Officials ○ InterAgency Forum for Infrastructure Protection
  5. 5. Post 9/11
  6. 6. A Paradigm Shift
  7. 7. Threat Dimensions 1. Non-linear/Asymmetrical 2. Off-the-shelf technology 3. WMD and mass casualties Low Tech vs. High Tech Urban vs. Rural fights 4. Urban fights 5. Avoid decisive battle W. Foos, SMS
  8. 8. Physical AttacksApril 19, 1995Murrah Federal Aug 7, 1998 Sept 11, 2001 Building US Embassy Nairobi World Trade Centers
  9. 9. Physical Attacks 11 March 2004 Sept 2004 Madrid Train Bombings: Chechnya Rebels Spain
  10. 10. Cyber Attacks 2003-2007 - TITAN RAIN 2006-present - SHADY RAT 2008- DOD Classified and Unclassified Systems-Contaminated thumb drive 2010 - STUXNET 2011 - 50 DAYS OF LULZ
  11. 11. Cyber Attacks 2012 13.37 million recorded compromised 189 total breaches NY Electric and Gas 1.8m Global Payments 1.5m CA Dept. of Child Support 800k Utah Dept. of Technical Services 780k
  12. 12. W. Foos, SMS
  13. 13. Why is a Security Program sovital?
  14. 14. How does a Security Program Work? A Security Program protects assets or facilities against: 1. Theft 2. Sabotage 3. Malevolent human attacks 4. Natural Events
  15. 15. What does a Security ProgramEncompass? 1. Physical Security 2. Cyber Security 3. Personnel Security 4. Information Security 5. Business Continuity 6. Crisis Management
  16. Three Components of a Security Program. Education: 1. R&D; 2. SOPs; 3. Emergency Response Plan; 4. Physical Security Plans; 5. Define, Establish, & Update HLS security procedures; 6. Guard Contracts. Remediation: 1. Upgrading PPS; 2. Upgrading Security Program; 3. Responding to Incidents; 4. Implementing Risk Reduction Recommendations. Prevention: 1. Maintenance of Systems; 2. Assessment – Evaluations; 3. SOP Development; 4. Integration of Security Operations; 5. Training & Exercise of EAPs; 6. Implementation of Heightened Security Procedures. Security Documents: Threat Assessments; Vulnerability Study. (W. Foos, SMS)
  17. Fundamentals of Security Integration: Policies; People; Procedures; Equipment. An Effective Security Program ties it all together.
  18. Security Program Measures: 1. Preventative measures – Reduce the likelihood of an attack, delay the success of the attack, protect the assets or make them less vulnerable to compromise. 2. Detective measures – Discover the attack and activate corrective or mitigative action. 3. Corrective measures – Reduce the effects of an attack and restore normal operations. (W. Foos, SMS)
  19. What are The Steps Necessary? 1. Evaluate; 2. Establish; 3. Sustain
  20. Step One: Evaluation. 1. Mission; 2. Assets; 3. Consequences; 4. Threats; 5. Security System Effectiveness
  21. Step One: Evaluation (Mission). 1. What do I buy? 2. What do I sell? 3. How do I produce it? 4. What components do I need to make what I make? 5. What does it take to get those components and deliver the finished product?
  22. How Missions lead to Assets: Company Mission; Company Vision; License Requirements; Shareholder Mandates; Products of the facility; Vendors; Inventory System; Shipping and Receiving; Operational involvement & location of senior executives. (W. Foos, SMS)
  23. Step One: Evaluation (Assets). 1. Physical; 2. People; 3. Knowledge; 4. Information Technology; 5. Clientele; 6. Any activity that has a positive value to its owner
  24. Step One: Evaluation (Consequences). What would it take to disrupt operations? What would it take to stop operations? What would happen to the vendors, your company, your customers, if operations paused or ceased? Who and What would be impacted?
  25. Step One: Evaluation (Threat). The Security Program Arch: THREAT
  26. Step One: Evaluation (Threat): Natural; Intentional; Unintentional
  27. W. Foos, SMS
  28. Threat Categories: Terrorists (CONUS or OCONUS); Saboteurs; Criminals; Ecological; Cyber Threat; Militia / Paramilitary; Gangs; Rogue; Other; Racist; Insider(s); Extremist Group; Vandals. (TM RAM)
  29. Identifying the Design Basis Threat: Motivation; Capability; History and Behavior Patterns; Current Activity; Geographic Access; Organization & Numbers; Mobility; Technology/Tactics. (TM RAM)
  30. Design Basis Threat (Example). Adversary Type: Militia/Paramilitary Terrorist Group. Motivation: Ideological/Political/Publicity. Group: Terrorist Cell - 2 to 7 persons – well organized. Tactics: Large scale sabotage. Equipment: Hand tools, construction equipment, 2-way radios. Weapons: Small handguns, rifles, submachine guns. Explosives: Vegan Jell-O, TNT or Equivalent Explosives. Transportation: Sport utility vehicles, all-terrain vehicles, vans, 4x4s, foot access. Intelligence gathering means: Surveillance, Internet research, public record review. Technical skills and knowledge: Sophisticated technical education. Financial resources: Assumed unlimited. Potential for collusion: Disgruntled or planted employee or contractor. (TM RAM)
  31. Intelligence Methods used by Adversaries: Open Source Research; FOIA; Internet; Public Domain Technical Reports; People; Informers; Intelligence Agents; Communications; Photographs / Surveillance; Trash. (W. Foos, SMS)
  32. Step One: Evaluation (Security System Effectiveness). Based on analysis of Asset and Threats, create Asset-Threat Pairing; Not every Asset is considered attractive to the same Threat; Every asset’s protection must be evaluated against its own Design Basis Threat
  33. Basics of Security: 1. Detect; 2. Assess; 3. Delay; 4. Respond; 5. Integration and Communication
  34. Fundamentals of Security: Protection in Depth & Balanced Protection. Outer Perimeter; Intermediate Perimeter; Inner Perimeter; Exclusion Zone; Asset
  35. What are The Steps Necessary? 1. Evaluate; 2. Establish; 3. Sustain
  36. Step Two: Establish. 1. Fill in the gaps; 2. Create what wasn’t there; 3. Accept versus Reject Risk; 4. Risk Reduction Measures
  37. Three Components of a Security Program. Education: 1. R&D; 2. SOPs; 3. Emergency Response Plan; 4. Physical Security Plans; 5. Define, Establish, & Update HLS security procedures; 6. Guard Contracts. Remediation: 1. Upgrading PPS; 2. Upgrading Security Program; 3. Responding to Incidents; 4. Implementing Risk Reduction Recommendations. Prevention: 1. Maintenance of Systems; 2. Assessment – Evaluations; 3. SOP Development; 4. Integration of Security Operations; 5. Training & Exercise of EAPs; 6. Implementation of Heightened Security Procedures. Security Documents: Threat Assessments; Vulnerability Study. (W. Foos, SMS)
  38. Security Policies and Procedures: Establish strategic security objectives and priorities for organization; Identify personnel responsible for security functions; Identify the employee responsibilities; Should be aligned with the objectives of the organization; Should cover the following topics: People, Property, Information
  39. What are The Steps Necessary? 1. Evaluate; 2. Establish; 3. Sustain
  40. Step Three: Sustain. 1. Education; 2. Exercises; 3. Relationships; 4. Reevaluation
