Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Physical Security Assessment

Physical Security Assessment processes and procedures. Recommendations on building security.

  • Login to see the comments

Physical Security Assessment

  1. 1. Physical Security Assessment
  2. 2. Basic Concepts of a Physical Security Assessment Daniel R. Finger MPA, CPP, CHPA Physical Security Specialist
  3. 3. Why Do Assessment? <ul><li>Joint Commission </li></ul><ul><li>OSHA </li></ul><ul><li>Health Departments </li></ul><ul><li>Medicare/Medicaid </li></ul><ul><li>Other Regulatory Agencies </li></ul><ul><li>Moral/Ethical Responsibility </li></ul>
  4. 4. Why Do Assessments? (Cont.) <ul><li>Due Diligence </li></ul><ul><ul><li>Reasonable Expectations to Avoid Harm to People or Property </li></ul></ul><ul><li>Protection of Employees, Visitors, and Patients </li></ul><ul><li>Protection of Company Assets </li></ul><ul><li>Business Reputation </li></ul>
  5. 5. Three Requirements for a Security Issue Opportunity Motive Means
  6. 6. Definition: Risk Assessment <ul><li>Process of identifying internal and external threats and vulnerabilities, identifying the likelihood of the event, defining the critical functions necessary to continue an organization’s operations, defining the controls in place to reduce exposure and evaluate the costs * </li></ul><ul><li>* ASIS Business Continuity Guideline 2004 </li></ul>
  7. 7. Evaluation <ul><li>Physical (Tangible Property) </li></ul><ul><li>Cyber (Electronic) </li></ul><ul><li>Human (Functions of People ) </li></ul>
  8. 8. Protection <ul><li>Deter Threat </li></ul><ul><li>Mitigate Vulnerabilities </li></ul><ul><li>Minimize Consequences </li></ul>
  9. 9. Risk Management Framework <ul><li>Establish Security Goals </li></ul><ul><li>Identify Assets, Systems, Networks, Functions </li></ul><ul><li>Assess Risk, Threats, Vulnerabilities, Consequences </li></ul><ul><li>Prioritize </li></ul><ul><li>Implement Proactive Programs </li></ul><ul><li>Measure Effectiveness (If Possible) </li></ul><ul><li>Modify Program if Necessary </li></ul>
  10. 10. Common Oversights of Security Directors <ul><li>Having Guard Services Without Knowledge of How Company Works </li></ul><ul><ul><li>Ex. Cheap vs. Effective </li></ul></ul><ul><li>Prioritizing Appearance Over Effectiveness </li></ul><ul><li>Failure to Secure All Perimeter Doors </li></ul><ul><li>Allowing Administration to be Lax on Rules </li></ul><ul><li>Neglecting to Learn New Technologies </li></ul><ul><li>Failing to Lock and Secure Critical Rooms </li></ul><ul><li>Overdoing (Going to an Extreme) </li></ul>
  11. 11. Major Categories <ul><li>Operations (Day to Day) </li></ul><ul><ul><li>Local Facility or Event Driven </li></ul></ul><ul><li>Operations Planning </li></ul><ul><ul><li>National/Local for Potential Events </li></ul></ul><ul><li>Administrative Issues </li></ul><ul><ul><li>Oversight/Compliance/Legal </li></ul></ul>
  12. 12. Potential Pitfalls <ul><li>Funding (Lack There Of) </li></ul><ul><li>Erosion of Security Role </li></ul><ul><li>Standards Proliferation </li></ul><ul><li>Changing Litigation Landscape </li></ul>
  13. 13. Security Master Plan <ul><li>Linking the Security Departments Mission into the Mission and Vision of the Organization </li></ul><ul><li>No Link = Disconnect, Confusion, and Unfocused Objective </li></ul>
  14. 14. Joint Commission Security Standards <ul><li>It is Essential that an Organization Manages the Physical and Personal Security of Individuals and Staff (including the potential for violence coming to the organization’s buildings) </li></ul><ul><li>Security of the Established Environment, Equipment, Supplies, and Information is Important </li></ul>
  15. 15. Identification of Practices <ul><li>Addressing Security Issues Concerning Patients, Visitors, Staff, and Property </li></ul><ul><li>Reporting and Investigating All Security Incidents Involving Patients, Visitors, Staff, and Property </li></ul><ul><li>Identifying Patients, Visitors, and Staff </li></ul><ul><li>Controlling Access to Sensitive Areas as Determined by the Organization </li></ul>
  16. 16. Performance Elements <ul><li>Written Management Plan </li></ul><ul><ul><li>Describe Process Procedures </li></ul></ul><ul><li>Identification of Individual to Coordinate, Development, Implementation, and Monitoring or Security Management Activities </li></ul><ul><li>Conducting Proactive Risk Assessments to Evaluate Potential or Real Adverse Impacts on Business Continuity </li></ul>
  17. 17. Performance Elements (Cont.) <ul><li>Identification of Anyone Entering the Organization’s Facilities </li></ul><ul><li>Actions to be Followed in the Event of a Security Incident </li></ul><ul><li>Identification and Implementation of Procedures that Address Infant or Pediatric Abduction </li></ul>
  18. 18. Performance Elements (Cont.) <ul><li>Select and Implement Procedures and Controls to Lower Potential Impact on Business Continuity </li></ul><ul><li>Control of Access and Egress from Designated, Sensitive Areas </li></ul><ul><li>Security Procedures Addressing VIPs </li></ul><ul><li>Control of Vehicles and Emergency Care Areas </li></ul>
  19. 19. Security Management Program <ul><li>Evaluating, Prioritizing, and Having a Written Response Plan so that a Multitude of People Within Your Company Know How to Respond to an Unplanned Occurrence or Emergency </li></ul>
  20. 20. Physical Survey <ul><li>Physical </li></ul><ul><ul><li>Lighting and access control </li></ul></ul><ul><ul><li>CCTV and Security </li></ul></ul><ul><ul><li>Alarms, Fencing, Etc </li></ul></ul><ul><li>Infrastructure </li></ul><ul><ul><li>Power, Gas, Water, Communications, Back Up Services </li></ul></ul><ul><li>CPTED </li></ul><ul><li>( Crime Prevention Through Environmental Design ) </li></ul><ul><ul><li>Natural Surveillance </li></ul></ul><ul><ul><li>Natural Access </li></ul></ul><ul><ul><li>Territorial Reinforcements </li></ul></ul>
  21. 21. Physical Security Examples <ul><li>Access Control </li></ul><ul><ul><li>Electronic </li></ul></ul><ul><ul><li>Visual Observation </li></ul></ul><ul><li>Locks/Keys </li></ul><ul><ul><li>Restricted Keyways </li></ul></ul><ul><ul><li>Management Plan </li></ul></ul><ul><li>Lighting </li></ul><ul><ul><li>Adequate Illumination </li></ul></ul><ul><ul><li>Unobstructed Maximum Performance </li></ul></ul><ul><li>Fencing </li></ul><ul><ul><li>Adequate for Purpose </li></ul></ul><ul><ul><li>Properly Maintained </li></ul></ul><ul><li>Alarms </li></ul><ul><ul><li>Intrusion, Panic, Detection </li></ul></ul>
  22. 22. Physical Security Examples (Cont.) <ul><li>Parking </li></ul><ul><ul><li>Well designed Lots </li></ul></ul><ul><ul><li>Lighting </li></ul></ul><ul><ul><li>Signage </li></ul></ul><ul><ul><li>Access Control </li></ul></ul><ul><ul><li>Lot Designation </li></ul></ul><ul><li>Employee Screening </li></ul><ul><ul><li>Criminal Background Check </li></ul></ul><ul><ul><li>Drug </li></ul></ul><ul><ul><li>Financial </li></ul></ul><ul><ul><li>Driver’s License </li></ul></ul>
  23. 23. Physical Security Examples (Cont.) <ul><li>Barriers/Bollards </li></ul><ul><ul><li>Parking Proximity to Building </li></ul></ul><ul><ul><li>Prevention of Wayward Vehicles </li></ul></ul><ul><li>Security </li></ul><ul><ul><li>Proprietary </li></ul></ul><ul><ul><li>Contract </li></ul></ul><ul><ul><li>Hybrid </li></ul></ul><ul><ul><li>Law Enforcement </li></ul></ul><ul><ul><li>Patrol Procedures </li></ul></ul><ul><li>Crime Analysis of Area </li></ul>
  24. 25. Infrastructure <ul><li>Underlying Foundation or Basic Framework of a System or Organization* </li></ul><ul><li>Vulnerability or Redundant Control of… </li></ul><ul><ul><li>Water </li></ul></ul><ul><ul><li>Gas </li></ul></ul><ul><ul><li>Electric </li></ul></ul><ul><ul><li>Sewer </li></ul></ul><ul><ul><li>Communications </li></ul></ul><ul><li>Building Security </li></ul><ul><li>Power Plant </li></ul><ul><ul><li>*Merriam Webster Collegiate Dictionary </li></ul></ul>
  25. 26. CPTED <ul><li>Concept is involved at the design level with architects or designers to consider and evaluate security concerns prior to construction </li></ul><ul><li>Defensible Space: A range of mechanisms, real and symbolic barriers, strongly defined areas of influence, and improved areas of surveillance that combine to bring the environment under control </li></ul><ul><li>Threats </li></ul><ul><ul><li>Real or Perceived </li></ul></ul><ul><ul><li>Perception is Reality </li></ul></ul>
  26. 27. CPTED Actors <ul><li>Target Hardening </li></ul><ul><ul><li>Crime Targets Physically Difficult to Penetrate </li></ul></ul><ul><li>Normal Users </li></ul><ul><ul><li>Persons You Desire to be in a Certain Place </li></ul></ul><ul><li>Abnormal Users </li></ul><ul><ul><li>People You Do Not Desire to be in the Place </li></ul></ul><ul><li>Observers </li></ul><ul><ul><li>Persons Who Have to be in that Area to Observe the Human Function </li></ul></ul>
  27. 28. Key CPTED Concepts <ul><li>Natural Surveillance </li></ul><ul><ul><li>Areas Where People and Activity Can Be Readily Observed </li></ul></ul><ul><li>Natural Access Control </li></ul><ul><ul><li>Controlling Access to a Site </li></ul></ul><ul><li>Territorial Behavior </li></ul><ul><ul><li>People Develop a Strong Sense of Ownership </li></ul></ul>
  28. 30. CPTED Benefits <ul><li>Reduction of Crime </li></ul><ul><li>Perceived Greater Safety and Security </li></ul><ul><li>Improved Quality of Life </li></ul><ul><li>Examples using Landscaping: </li></ul><ul><ul><ul><li>2’ 6’ Rule </li></ul></ul></ul><ul><ul><ul><li>Hostile Vegetation </li></ul></ul></ul><ul><ul><ul><li>Lights Above Tree Canopy </li></ul></ul></ul><ul><ul><ul><li>Line of Sight </li></ul></ul></ul><ul><ul><ul><li>Overgrown or Improperly Maintained Landscaping </li></ul></ul></ul>
  29. 31. Traffic Calming <ul><li>Physical Measures that Reduce the Effects of Motor Vehicle Use and Improve Conditions for Non-Motorized Street Users </li></ul><ul><li>Examples: </li></ul><ul><ul><li>Speed Bumps </li></ul></ul><ul><ul><li>Curved Roads </li></ul></ul><ul><ul><li>Islands </li></ul></ul><ul><ul><li>Chokers </li></ul></ul><ul><ul><li>Median Barriers </li></ul></ul>
  30. 32. Fencing <ul><li>Add Security </li></ul><ul><li>Delineate Property </li></ul><ul><li>Offer Privacy </li></ul><ul><li>Create Barriers </li></ul><ul><li>Provide Character for Area </li></ul><ul><li>Must Be Properly Maintained to be Effective </li></ul>
  31. 33. Lighting <ul><li>Two Purposes </li></ul><ul><ul><li>Illumination of Human Activity </li></ul></ul><ul><ul><li>Used for Security </li></ul></ul><ul><li>Quality is as Important as Quantity </li></ul><ul><li>Uniformity is the Key </li></ul>
  32. 34. Lighting (Cont.) <ul><li>Different Styles of Lights to Adapt to Particular Usage </li></ul><ul><ul><li>Example: Mercury Vapor, High/Low Pressure Sodium </li></ul></ul><ul><li>Timers or Manual </li></ul><ul><li>Change at Daylight Savings </li></ul><ul><li>Properly Maintained </li></ul>
  33. 35. Summary <ul><li>The Key to CPTED is in the DESIGN phase where potential problems are thought out ahead of time. </li></ul><ul><li>Assessments are a composite of many security and risk management concepts that must be integrated into a total picture and not piece meal. </li></ul>
  34. 36. <ul><li>“ There are risks and costs to a program of action. But they are far less than the long range risks and costs of comfortable inaction.” </li></ul><ul><li>- John F. Kennedy </li></ul>
  35. 37. KRAA Security Services <ul><li>Managed Services </li></ul><ul><li>Firewalls </li></ul><ul><li>Intrusion Detection </li></ul><ul><li>Email Security </li></ul><ul><li>Network Defense </li></ul><ul><li>Vulnerability Management </li></ul><ul><li>Malware / Spyware </li></ul><ul><li>Host Intrusion </li></ul><ul><li>Antivirus </li></ul><ul><li>Assessment Services </li></ul><ul><li>Risk Assessment </li></ul><ul><li>Policy Development </li></ul><ul><li>Vulnerability Scanning </li></ul><ul><li>PCI </li></ul><ul><li>HIPAA </li></ul><ul><li>Website Testing </li></ul><ul><li>Security Architecture </li></ul><ul><li>Email Encryption </li></ul><ul><li>Online Training </li></ul>
  36. 38. KRAA Security Information Services Security End to End + Multi-Layer = Complete Firewall Public Internet Access Remote Sites Main Site Workstations Application Servers Web Servers Database Servers Email Servers <ul><li>Internal/External Scanning </li></ul><ul><li>Remote Asessment </li></ul>Vulnerability Defense <ul><li>Website Monitoring </li></ul><ul><li>Phishing & Pharming </li></ul><ul><li>Firewall </li></ul><ul><li>Intrusion Prevention </li></ul>Intrusion Defense <ul><li>Intrusion Detection </li></ul><ul><li>Web Browsing AV </li></ul><ul><li>Managed VPN/WAN </li></ul><ul><li>Network Availibility </li></ul><ul><li>Hosting </li></ul>Network Defense <ul><li>Web Content Filtering </li></ul><ul><li>Remote VPN </li></ul><ul><li>Identity Tokens </li></ul><ul><li>eSecurity Training </li></ul>User Defense <ul><li>Anti Virus </li></ul><ul><li>SPAM Filtering </li></ul><ul><li>Content Filtering </li></ul>Email Defense <ul><li>Encrypted Email </li></ul><ul><li>Email Archiving </li></ul><ul><li>Hosted Email </li></ul><ul><li>Anti Virus </li></ul><ul><li>HIDS/HIPS </li></ul><ul><li>Log Management </li></ul>System Defense <ul><li>Policy Compliance </li></ul><ul><li>Remote Backup & Recovery </li></ul><ul><li>Patch Management </li></ul>
  37. 39. <ul><li>Dan Finger </li></ul><ul><li>Contact </li></ul><ul><li>[email_address] </li></ul>