Facility Security Plan:
An Interagency Security Committee Guide
February 2015
1st Edition
Message from the Interagency Security Committee Executive Director
One of the Department of Homeland Security’s (DHS) priorities is the protection of Federal employees and private citizens who work within and visit U.S. Government-owned or leased facilities. The Interagency Security Committee (ISC), chaired by DHS, consists of 54 Federal departments and agencies and has as its mission the development of security standards and best practices for nonmilitary Federal facilities in the United States.
As Executive Director of the ISC, I am pleased to introduce the new ISC document titled Facility Security Plan: An Interagency Security Committee Guide (Guide). This ISC Guide aims to provide guidance for organizations in formulating and ultimately implementing an operable and effective Facility Security Plan (FSP). A Facility Security Plan is a critical component of an effective security program. The guidelines contained in this document are based on recognized industry best practices and provide broad recommendations for the protection of Federal facilities and Federal employees, contractors, and visitors within them.
Consistent with Executive Order 12977 (October 19, 1995), Facility Security Plan: An Interagency Security Committee Guide is intended to be applied to all buildings and facilities in the United States occupied by Federal employees for nonmilitary activities. These include existing owned, to be purchased or leased facilities; stand-alone facilities; Federal campuses; individual facilities on Federal campuses; and special-use facilities.
This standard represents exemplary collaboration within the ISC working groups and across the entire ISC. ISC primary members approved the Guide with full concurrence on February 20, 2015 and will review and update this document as necessary.
Austin Smith
Executive Director, Interagency Security Committee
Table of Contents
Message from the Interagency Security Committee Executive Director
1 Background
2 Applicability and Scope
3 Document Control
3.1 Identification
3.2 Storage and Distribution
3.3 Retention
3.4 Disposition
3.5 Protection and Classification
4 Roles and Responsibilities for Plan Development
4.1 Facility Security Committee
4.2 Designated Official
4.3 Security Organization
4.4 Organizational Director of Security/Chief Security Officer
4.5 Tenant Security Representative
4.6 Tenant Managers/Supervisors
4.7 Facility Occupant
4.8 Financial Authority
4.9 Chief Information Officer
5 Plan Development
5.1 Risk Management Process
5.1.1 Process
5.1.1.1 Threat Assessment
5.1.1.2 Consequence (Criticality) Assessment
5.1.1.3 Vulnerability Assessment
5.1.1.4 Risk Assessment
5.2 Elements of a Facility Security Plan
5.2.1 Facility Profile
5.2.2 Roles and Responsibilities
5.2.3 Risk Management Strategy
5.2.4 Security Countermeasures
5.2.5 Maintenance, Repair, and Testing Procedures
5.2.6 Incident Response Management and Procedures
5.2.7 Facility Specific Policies
5.2.8 Special Events
5.2.9 Information Security
5.2.10 Cyber Security
5.2.11 Government Property
5.2.12 Training and Exercising the Plan
5.2.13 Program Review
5.2.14 Resource Support
6 Training and Exercises
6.1 Training
6.2 Exercises
6.3 Occupant Emergency Plan Exercise Coordination
7 Plan Maintenance
8 References and Resources
9 Interagency Security Committee Participants
List of Abbreviations/Acronyms/Initializations
Glossary of Terms
Appendix A: Facility Security Plan Template
1 Background
On April 20, 1995, the day after the bombing of the Alfred P. Murrah Building in Oklahoma City, Oklahoma, the President directed the U.S. Department of Justice (DOJ) to assess the vulnerability of Federal facilities to terrorism and other acts of violence. On June 28, 1995, DOJ issued the Vulnerability Assessment of Federal Facilities Report (1995 Report) establishing government-wide facility security standards. The 1995 Report laid the foundation for all subsequent Interagency Security Committee (ISC) security standards documents.
In 2013, the ISC released The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (RMP), which includes a list of physical security criteria. The intent of the document is to provide cohesive guidance for the application of physical security countermeasures at Federal facilities. In May 2013, the ISC established the Facility Security Plan Working Group in response to concerns raised by its membership. The Working Group was tasked with preparing reference guidance for agencies to use in developing and implementing an operable and effective Facility Security Plan (FSP) as required by the physical security criteria set forth in the RMP.
2 Applicability and Scope
This document is issued pursuant to the authority granted to the Interagency Security Committee (ISC) in Executive Order (EO) 12977 as amended by Executive Order 13286. The EO directs the ISC to “…take such actions as may be necessary to enhance the quality and effectiveness of security and protection of Federal facilities.” The purpose of this document is to provide guidance for organizations in formulating and ultimately implementing an operable and effective Facility Security Plan (FSP).
A Facility Security Plan is a critical component of an effective security program. The guidelines contained in this document are based on recognized industry best practices and provide broad recommendations for the protection of Federal facilities and Federal employees, contractors, and visitors within them. Facility Security Plan: An Interagency Security Committee Guide identifies and defines the basic guidelines and procedures used in establishing and implementing an FSP.
This document is generally applicable to all buildings and facilities in the United States occupied by Federal employees, including:
• Buildings and facilities owned or leased by the Federal government;
• Federally leased rooms or suites within privately owned buildings;
• Stand-alone Federal facilities;
• Federal campuses; and
• Individual facilities on Federal campuses and special-use facilities where appropriate.
This document is intended to provide the initial guidance to be used by all agencies and facilities. When developing an FSP, departments and agencies may make the necessary adjustments to the basic guidelines and procedures presented to meet specific requirements or needs. Regardless of the FSP developed by an agency, it should have mechanisms in place to validate the plan’s effectiveness and manage its maintenance.
This guidance may be used to assist Federal agencies in selecting, implementing, and evaluating appropriate protective measures and practices against identifiable security risks and threats, and to implement appropriate responses and countermeasures. When utilizing this guidance, an agency may choose to consider all or part of its overall facility security strategy. This document is not meant to supersede agency policies and funding guidelines, or impose any undue burdens on an agency.
3 Document Control
3.1 Identification
The document can be titled as the “Facility Security Plan” (FSP) or a similar title as required by individual agency policy.
3.2 Storage and Distribution
At a minimum, the FSP should be stored in an electronic format in a central location for ease of access. The Designated Official (DO) and other emergency management personnel (i.e., security organizations, facility managers, etc.) must have access to the document 24 hours a day.
3.3 Retention
Current copies of the Facility Security Plan should be retained for three years or until superseded. Where there are conflicts, retention periods outlined in agency-specific requirements for storage, retention, disposition, and protection of FSPs will supersede all other guidelines.
3.4 Disposition
The plan should be discarded in accordance with agency-specific policies for destruction, based on the overall classification of the document.
3.5 Protection and Classification
At a minimum, protect the FSP as “For Official Use Only” (FOUO) or in accordance with agency-specific classification guidelines. Consideration should be given to the sensitivity of a customized FSP developed by individual agencies and departments (i.e., floor plans, specific facility information, etc.) and how this information should be protected. Plans including National Security Information (classified information) shall be classified in accordance with applicable classification standards, and access to the document shall be restricted to appropriately cleared personnel with a valid need-to-know.
4 Roles and Responsibilities for Plan Development
4.1 Facility Security Committee
The Facility Security Committee (FSC) is the committee responsible for addressing facility-specific security issues and approving the implementation of protective measures and practices. At facilities where an FSC is required in accordance with Interagency Security Committee (ISC) standards, the Facility Security Plan should be submitted for review and approval prior to implementation. Additional guidance for FSC operations can be found in Appendix D of the Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (RMP).
4.2 Designated Official
The Designated Official (DO) is the highest ranking official of the primary tenant agency of a Federal facility, or a designee as determined by individual agency policy. Alternatively, a designee may be selected by mutual agreement of tenant agency officials. The DO should be the final decision authority on any issues regarding the FSP.
4.3 Security Organization
The Security Organization (SO) is the government agency or internal agency component responsible for physical security at a specific facility. The SO also has the following responsibilities:
• Advise the FSC;
• Perform the Facility Security Level (FSL) assessment and present it to the FSC for review and approval;
• Prepare, present, and distribute a Facility Security Assessment (FSA) in accordance with the time intervals established by the ISC based on the FSL;
• Evaluate the facility to determine whether the baseline level of protection (LOP) is adequate or if a customized LOP is necessary;
• Present written plans for proposed countermeasures identifying how they will mitigate the risks associated with specific, credible threats;
• Present written operating procedures for countermeasures;
• Present written cost impact for proposed countermeasures; and
• Provide technical assistance and guidance to the FSC as appropriate.
4.4 Organizational Director of Security/Chief Security Officer
Security managers at the headquarters level are responsible for the effective implementation of security policies, programs, directives, and training within their organization. These managers should ensure there are policies and procedures in place to draft and implement organization-wide and/or site-specific Facility Security Plans.
4.5 Tenant Security Representative
The Tenant Security Representative is an individual appointed by their respective agency and is responsible for implementation and administration of day-to-day security operations (including the FSP) at a specific site or facility. Depending on the facility or campus size, more than one representative may be necessary.
4.6 Tenant Managers/Supervisors
Tenant managers and supervisors are persons with supervisory responsibility for facility occupants. Tenant managers/supervisors should:
• Assist, as needed, in the implementation of security policies and programs; and
• Ensure facility occupants are aware of site-specific security and access control procedures and operational security protocols, and provide training as needed to meet this requirement.
4.7 Facility Occupant
A facility occupant is any person permanently or regularly assigned to the facility who displays the required identification badge/pass for access. The Facility Security Committee establishes thresholds for determining who qualifies for “occupant” status. All facility occupants should become familiar with their responsibilities within the FSP.
4.8 Financial Authority
The financial authority is an organizational element, usually at the headquarters level, responsible for finance and budget decisions. Organizations should obtain guidance from their respective financial authority on issues such as:
• Identifying available funding sources; and
• Coordinating funding documents to ensure mitigation of site-specific vulnerabilities or implementation of threat-based protective measures.
4.9 Chief Information Officer
The Chief Information Officer (CIO) is the person responsible for the management, implementation, and usability of information and computer technologies. Tenant CIO representatives can provide technical reviews when considering implementation or modification of security measures that require use of an information technology system (e.g., physical access control system [PACS] and closed circuit television [CCTV]).
5 Plan Development
5.1 Risk Management Process
Implementing an effective Facility Security Plan (FSP) requires an understanding of events that could present a threat to personnel, operations, and information. Assessing and categorizing the consequences of these events is the basic function of a risk management process. Once risks to a facility are accurately assessed, the Facility Security Committee (FSC) can determine whether countermeasures in place are adequate to address or mitigate those risks or if additional procedural, programmatic, or physical security countermeasures must be implemented.
5.1.1 Process
Agencies may utilize any agency-approved risk management methodology to perform the risk assessment. The methodology used should adhere to the fundamental principles of a sound risk management methodology and be:
• Credible, and assess the threat, vulnerability, and consequences of specific acts;
• Reproducible, and produce similar or identical results when applied by various security professionals; and
• Defensible, and provide sufficient justification for deviation from the baseline.
The methodology should also develop actions to reduce risk to an acceptable level and incorporate the Interagency Security Committee standard for identifying the necessary level of protection (LOP) to mitigate security risks. The ISC Risk Management Process (RMP) presents a process that corresponds directly to the ISC Physical Security Criteria and provides a step-by-step method to provide the FSC with an assessment of key security risks, necessary measures (in accordance with applicable threat events), and options that meet ISC standards. The following sub-sections (5.1.1.1 through 5.1.1.4) outline key elements of this process.
5.1.1.1 Threat Assessment
A threat assessment is the process of identifying or evaluating entities, actions, or occurrences (natural or man-made) that possess or indicate the potential to harm or destroy government assets.[1] A threat assessment considers the full spectrum of threats (i.e., natural, criminal, terrorist, accidental, etc.) for a given facility/location. Threat data can be derived from various resources including security organizations, intelligence community reports and assessments, as well as state and local authorities. The ISC publishes the Design-Basis Threat Report (DBT), used to identify a broad range of threats to Federal facilities, and it is updated regularly based on threat trends and data provided. This report can be utilized in conjunction with other threat assessment and agency/site-specific data, or used to determine a baseline threat if timely data and intelligence resources are not readily available.
There are a variety of threats and resources to consider when conducting a threat assessment. For natural hazards, historical data and future trend analysis concerning frequency of occurrence for given natural disasters such as tornadoes, hurricanes, floods, fires, or earthquakes can be used to determine the likelihood of the given threat. For criminal threats, the crime rates in the surrounding area provide a good indicator of the type of criminal activity that may put the facility at risk. In addition, the type of assets and/or activities housed in the facility may also increase the target attractiveness in the eyes of an aggressor. The type of assets and/or activities at the facility will also relate directly to the likelihood of various types of accidents. For example, a facility using heavy industrial machinery will be at higher risk for serious or life-threatening job-related accidents than a typical office building. For terrorist threats, the symbolic value of the facility as a target is a primary consideration. In addition, the type of terrorist act may vary based on the potential adversary and the method of attack most likely to be successful for a given scenario.
[1] As defined in the DHS Risk Lexicon.
5.1.1.2 Consequence (Criticality) Assessment
A consequence assessment is the process of identifying or evaluating the potential or actual effects of an event, incident, or occurrence.[2] Determining the relative importance to the tenant’s mission provides the security manager with an understanding of how to develop an effective protection strategy. The ISC process incorporates a consequence assessment within the Facility Security Level (FSL) determination process by evaluating tenant data such as population, square footage, mission-related information, etc. This is then adjusted according to the impartial, documented, and defensible assessment to address the occurrence of a specific undesirable event and the tenant agency’s ability to continue its mission should an event occur. The results of a consequence assessment can also be used to inform the prioritization of resources.
5.1.1.3 Vulnerability Assessment
Once credible threats are identified, a vulnerability assessment must be performed. A vulnerability assessment is the process of identifying physical features or operational attributes that may render an entity, asset, system, network, or geographic area susceptible or exposed to hazards.[3] Existing countermeasures must be compared to those stipulated by the baseline LOP, given the Facility Security Level, to determine if deficiencies exist. The lack of appropriate and/or effective countermeasures would equate to vulnerability. Site-specific vulnerability assessment data must be protected in accordance with appropriate agency guidance.
5.1.1.4 Risk Assessment
After the above data is considered, a risk assessment can be conducted. Assessing risk is the process of collecting information and assigning values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making.[4] To assess risk effectively, information that is timely, reliable, and actionable regarding threats, vulnerabilities, and consequences is needed. Factors such as the likelihood of an undesirable event and the consequence(s) of the event’s occurrence can then be quantified. The method of determining and quantifying risk is dictated by the organization performing the assessment, usually a security organization.
The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard quantifies risk from Level I (Low Risk) to Level V (Very High Risk). The risk assessment should, as much as possible, conform to ISC standards. For example, the assessment should identify whether the facility meets the ISC countermeasures criteria or document the risk management strategy used to mitigate any deficiencies to achieve the necessary level of protection. The assessment should incorporate some type of documentation acknowledging the risks associated with the implementation of countermeasures that do not achieve the necessary LOP. Organizations must periodically re-assess at predetermined intervals according to the established FSL, or as changes occur to threat, vulnerability, or consequence factors.
[2] As defined in the DHS Risk Lexicon.
[3] As defined in the DHS Risk Lexicon.
[4] As defined in the DHS Risk Lexicon.
5.2 Elements of a Facility Security Plan
The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard is the key starting point for the development of a Facility Security Plan. Once the RMP is applied, other critical elements can be added to make the plan a more robust document. The elements listed in this section are recommendations that should be considered when developing an FSP. Additional items that are not included in this document may be included in the plan based on the needs of the facility or tenant organizations. The level of detail to which the plan is written may vary based on the nature of the facility (e.g., Level I facilities may have an abbreviated document). The Facility Security Committee will make final determinations of the content of the facility’s final, comprehensive plan. A sample plan template is provided in Appendix A.
5.2.1 Facility Profile
The facility profile should provide a description of the facility including the following:
• Type of facility (e.g., single or multi-story, campus, mixed-use, etc.);
• Population (e.g., single or multi-tenant, Federal and/or non-Federal, child care center, visitors, etc.);
• Mission and critical functions conducted at the facility (e.g., administration, operations center, classified information, continuity of operations [COOP] site, etc.);
• Utilities (e.g., power, water, gas, communications, etc.); and
• The most current facility diagrams, construction documents, and specifications.
5.2.2 Roles and Responsibilities
Identify facility-specific positions and explain roles and responsibilities for security-related tasks. Include who is responsible for preparing and approving the plan. Also, include contacts for all first-responder and/or support organizations responsible for securing the facility (i.e., local law enforcement, security organization(s), and building management), requirements based on the Occupant Emergency Program or Plan(s) (OEP), and applicable memoranda of understanding (MOU)/memoranda of agreement (MOA).
5.2.3 Risk Management Strategy
Utilizing information from the RMP, outline and prioritize threats to the facility, tenant agencies, and/or operations, and prepare an overview of the strategies used to mitigate them. Explain any risks accepted as part of the risk management process and any possible consequences.
5.2.4 Security Countermeasures
Identify and describe in detail all current and planned security countermeasures (including floor plans when available) to address all identified threats. The list can be derived from the ISC RMP or other similar agency-specific criteria. As much as possible, ensure countermeasures are scalable to allow for an increased or decreased security posture as the threat evolves (i.e., upgrades in the National Terrorism Advisory System/Force Protection Conditions, etc.).
5.2.5 Maintenance, Repair, and Testing Procedures
Describe requirements in detail for operator and manufacturer maintenance/repair of security countermeasures. Outline a testing schedule performed by the security manager at Level IV and V facilities.
5.2.6 Incident Response Management and Procedures
Describe in detail the procedures for responding to security incidents and emergencies. Details should include:
• Reporting: How do employees report incidents? Do they call an internal operations center or 911?
• Notification: How are first responders and facility occupants notified an incident is taking place or has occurred? How are changes in the facility’s security posture communicated?
• Response: Who should respond and how should they respond? What is the chain of command?
  o Law Enforcement/Security Organizations
  o Fire Department
  o Medical
  o Alarm Response
• Recovery: Once incident response is terminated, what is the process to resume normal operations?
• Documentation: How is an incident documented? Where is the information maintained? Who has authorized access to that information?
5.2.7 Facility Specific Policies
Include any unique requirements to address issues such as landlord/tenant agreements or special missions (i.e., classified areas, operations centers, network control centers, child care centers, etc.).
5.2.8 Special Events
Protocols should be included to manage requirements for special events, such as temporary increases in population, traffic/parking control, and the media.
5.2.9 Information Security
Address issues related to the protection of sensitive but unclassified information as well as classified information, if applicable.
5.2.10 Cyber Security
Collaborate with all tenant Chief Information Officers to develop a plan for the physical and logical protection of information technology systems and equipment associated with security countermeasures.
5.2.11 Government Property
Include procedures to control pilferage, destruction, and disposal of government-owned property.
5.2.12 Training and Exercising the Plan
Develop a strategy or program to train personnel and exercise all aspects of the FSP. Exercises simulate realistic, fluid situations where critical decision-making tools are applied and occupants are familiarized with the Facility Security Plan. Exercises help to broaden understanding of the plan and identify areas for improvement. These exercises can be table-top, drills, or full-scale exercises and should be coordinated with Occupant Emergency Program or Plan (OEP) requirements.
5.2.13 Program Review
Provide program review guidelines within the plan. It cannot be
overstated that the FSP and
security program are ultimately the responsibility of senior
leadership and/or the Facility
Security Committee. These officials have the authority and
responsibility to alter or add to the
program as deemed necessary to accommodate tenant needs and
operational constraints. Program
reviews should be conducted at least annually.
5.2.14 Resource Support
Outline fiscal instructions on how funding support is gained to
sustain security operations from
pre-incident to post-incident.
6 Training and Exercises
6.1 Training
All occupants should be familiar with and trained on the Facility Security Plan (FSP). Any personnel holding key positions, as identified in the FSP, should be trained in his/her assigned duties. Organizational security directors, with assistance from Tenant Security Representatives, are responsible for this training as indicated in section 4.4. The security organization associated with the facility and any assigned security specialists may also provide assistance, such as preparing a training plan and recommending training materials.
6.2 Exercises
Exercises are an effective and cost-efficient method of validating FSPs, identifying areas for improvement, and soliciting feedback from those who will be executing security plans.
• Exercises may be:[5]
o Discussion-Based (e.g., seminars, workshops, table-top, etc.); or
o Operations-Based (e.g., drills, functional, full scale, etc.); or
o Any combination of the two.
• Exercises may be facility-specific or part of a cooperative exercise program.
• All aspects of the FSP should be exercised including testing communication and notification procedures, elements of coordination, resource availability, and response.
• At a minimum, the FSP should be exercised annually with participation at all levels from the security organization to facility occupants.
6.3 Occupant Emergency Plan Exercise Coordination
All aspects of the Facility Security Plan should be matched against the current Occupant Emergency Program or Plan(s) (OEP) for the facility. This will ensure that all pertinent security and emergency items are included. A review of the FSP and OEP should also ensure that the Facility Security Committee, Tenant Security Representatives, and other key personnel with assigned duties under the FSP and/or OEP are not overly tasked or have responsibilities that require them to be at two places at the same time. Close coordination between the developers of the OEP and FSP is essential to ensure that both plans complement each other.
[5] Homeland Security Exercise and Evaluation Program (HSEEP), April 2013
7 Plan Maintenance
The Facility Security Plan should be reviewed at a minimum annually, or as required when significant changes to the tenant mission, facility population, site composition, or threat occur. Review exercise documentation to ensure lessons learned are addressed and incorporated.
8 References and Resources
1. The Risk Management Process: An Interagency Security Committee Standard
2. The Risk Management Process: An Interagency Security Committee Standard, Appendix A: Design Basis Threat Report (FOUO)
3. The Risk Management Process: An Interagency Security Committee Standard, Appendix B: Countermeasures (FOUO)
4. The Risk Management Process: An Interagency Security Committee Standard, Appendix D: How to Conduct a Facility Security Committee
5. Best Practices for Mail Handling Processes: A Guide for the Public and Private Sectors
6. Federal Protective Service Facility Security Assessment Manual 15.8.1.1, March 2014
7. Homeland Security Exercise and Evaluation Program (HSEEP), April 2013
8. DHS Risk Lexicon, September 2008
9 Interagency Security Committee Participants
Interagency Security Committee
Bernard Holt
Deputy Executive Director
Interagency Security Committee Representative
Anthony Evernham
Working Group Chair
Marcus James
Executive Office of the President, Office of Administration
Working Group Participants
Dwayne Deaver
Department of Justice
Glen Legus
United States Marshals Service
Brett Knutson
United States Marshals Service
Dave Lively
Department of State
Joseph Cassone
Pentagon Force Protection Agency
Shawn Frensley
Pentagon Force Protection Agency
Raymond Gauvin
Federal Protective Service
List of Abbreviations/Acronyms/Initializations
TERM DEFINITION
CCTV Closed Circuit Television
CIO Chief Information Officer
COOP Continuity of Operations
DBT Design Basis Threat
DHS Department of Homeland Security
DO Designated Official
DOJ Department of Justice
EO Executive Order
FOUO For Official Use Only
FSA Facility Security Assessment
FSC Facility Security Committee
FSL Facility Security Level
FSP Facility Security Plan
HSEEP Homeland Security Exercise and Evaluation Program
ISC Interagency Security Committee
LOP Level of Protection
MOA Memorandum of Agreement
MOU Memorandum of Understanding
OEP Occupant Emergency Program or Plan
PACS Physical Access Control System
RMP The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard
SO Security Organization
Glossary of Terms
Building: An enclosed structure (above or below grade).
Building Entry: An access point into, or exit from, the building.
Campus: Two or more Federal facilities located on site and typically sharing some aspects of the environment, such as parking, courtyards, private vehicle access roads, or gates and entrances to connected buildings. A campus also may be referred to as a “Federal center” or “complex”.
Consequence: The level, duration, and nature of the loss resulting from an undesirable event.
Countermeasure: A specific action taken to mitigate an undesirable event.
Criticality: Any facility, equipment, service, or resource considered essential to operations and warranting measures and precautions to ensure their continued efficient operation; protection from disruption, degradation, or destruction; and timely restoration.
Exercise: An instrument to train for, assess, practice, and improve performance in prevention, protection, mitigation, response, and recovery capabilities in a risk-free environment.
Exterior: Area between the building envelope and the site perimeter.
Facility: Space built or established to serve a particular purpose. The facility is inclusive of a building or suite and associated support infrastructure (e.g., parking or utilities) and land.
Facility Security Assessment: The process and final product documenting an evaluation of the security-related risks to a facility. The process analyzes potential threats, vulnerabilities, and estimated consequences culminating in the risk impacting a facility using a variety of sources and information.
Facility Security Committee: A committee that is responsible for addressing facility-specific security issues and approving the implementation of security measures and practices. The Facility Security Committee (FSC) consists of representatives of all Federal tenants in the facility, the security organization, and the owning or leasing department or agency. In the case of new construction or pending lease actions, the FSC will also include the project team and the planned tenant(s). The FSC was formerly known as the Building Security Committee “BSC.”
Facility Security Level: A categorization based on the analysis of several security-related facility factors, which serves as the basis for the implementation of physical security measures specified in ISC standards.
Facility Security Plan: A plan that provides direction to key personnel on the security management and policies of a building or facility.
Federal Departments or Agencies: Those executive departments enumerated in 5 U.S.C. 101 and DHS, independent establishments as defined by 5 U.S.C. 104(1), Government corporations as defined by 5 U.S.C. 103(1), and the U.S. Postal Service.
Federal Facilities: Leased and owned facilities in the United States (inclusive of its territories) occupied by executive branch Federal employees for nonmilitary activities.
Government-Owned: A facility owned by the United States and under the custody and control of a Federal department or agency.
Interior: Space inside a building controlled or occupied by the Government.
Level of Protection (LOP): The degree of security provided by a particular countermeasure or set of countermeasures. Levels of protection used in this Standard are Minimum, Low, Moderate, High, and Very High.
Level of Risk: The combined measure of the threat, vulnerability, and consequence posed to a facility from a specified undesirable event.
National Terrorism Advisory System (NTAS): This system effectively communicates information about terrorist threats by providing timely, detailed information to the public, government agencies, first responders, airports and other transportation hubs, and the private sector. These alerts will include a clear statement that there is an imminent threat (warning of a credible, specific, and impending terrorist threat against the United States) or elevated threat (warns of a credible terrorist threat against the United States). Using available information, the alerts will provide a concise summary of the potential threat, information about actions being taken to ensure public safety, and recommend steps that individuals, communities, businesses and government can take to help prevent, mitigate or respond to the threat.
Occupant: Any person who is permanently or regularly assigned to the government facility and displays the required identification badge/pass for access. The facility security committee establishes the thresholds for determining who qualifies for “occupant” status.
Risk: A measure of potential harm from an undesirable event that encompasses threat, vulnerability, and consequence.
Risk Acceptance: The explicit or implicit decision not to take an action that would affect all or part of a particular risk.
Risk Assessment Report: The documentation of the risk assessment process to include the identification of undesirable events, consequences, and vulnerabilities and the recommendation of specific security measures commensurate with the level of risk.
Risk Management: A comprehensive approach to allocating resources for the protection of a facility, assets, and occupants to achieve an acceptable level of risk. Risk management decisions are based on the application of risk assessment, risk mitigation, and – when necessary – risk acceptance.
Security Organization: The Government agency or an internal agency component responsible for physical security for the specific facility.
Site: The physical land area controlled by the Government by right of ownership, leasehold interest, permit, or other legal conveyance, upon which a facility is placed.
Site Entry: A vehicle or pedestrian access point into, or exit from, the site.
Site Perimeter: The outermost boundary of a site. The site perimeter is often delineated by the property line.
Special-Use Facilities: An entire facility or space within a facility itself that contains environments, equipment, or data normally not housed in a typical office, storage, or public access facilities. Examples of special-use facilities include, but are not limited to, high-security laboratories, hospitals, aircraft and spacecraft hangars, or unique storage facilities designed specifically for such things as chemicals and explosives.
Suite: One or more contiguous rooms occupied as a unit.
Threat: The intention and capability of an adversary to initiate an undesirable event.
Undesirable Event: An incident that has an adverse impact on the operation of the facility or mission of the agency.
Visitor: Any person entering a government facility that does not possess the required identification badge or pass for access or who otherwise does not qualify as an “occupant”.
Vulnerability: A weakness in the design or operation of a facility that an adversary can exploit.
Appendix A: Facility Security Plan Template
The following pages contain a basic Facility Security Plan template that meets the requirements outlined in Appendix B of The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard.
[Insert Agency/Facility Name]
Facility Security Plan
Date: [For tracking updates]
1. Introduction
This Facility Security Plan (FSP) outlines the procedures and measures employed by [agency/facility name] to address security needs at various risk levels and respond effectively during instances when undesirable events occur. In addition, this document contains a wealth of information unique to this facility and its occupants that should be used in conjunction with the Occupant Emergency Plan (OEP) [and/or other applicable plan(s)].
2. Facility Profile
[Provide a description of the facility including the physical address for first responders.]
Facility Type:
• Mixed-Tenant: A facility that includes one Federal tenant as well as non-Federal tenants, including commercial and State/local government tenants.
• Mixed-Multi-Tenant: A facility that includes tenants from multiple Federal departments and agencies as well as one or more non-Federal tenants.
• Multi-Tenant: A facility that includes tenants from multiple Federal departments and agencies but no non-Federal tenants.
• Single-Tenant: A facility that only includes one Federal tenant or multiple components of the same Federal department or agency that fall under one “umbrella” for security purposes.
• Special-Use: An entire facility or space within a facility that contains environments, equipment, or data normally not housed in typical office, storage, or public access facilities. Examples of special-use facilities include, but are not limited to, high-security laboratories, hospitals, aircraft and spacecraft hangars, or unique storage facilities designed specifically for such things as chemicals and explosives.
Construction: Describe the physical construction of the facility. Attach floor plans or describe the location where floor plans are located.
Facility Security Level: A categorization based on the analysis of several security-related facility factors, which then serves as the basis for the implementation of certain protective security measures specified in other ISC standards.
Population: How many employees/contractors/daily visitors to the facility? List all tenant agencies and points of contact for each.
General functions performed at the facility: What functions are performed at this facility (e.g., administration, operations center, child care, etc.)?
Essential functions: List essential government functions (e.g., provide vital services, exercise civil authority, maintain the safety and well-being of the general populace, sustain the industrial/economic base in an emergency, etc.)
Utilities: List all utilities used at the facility (include provider’s name and contact information) and details of how they enter and are distributed throughout the facility. Identify procedures to mitigate the effects due to service interruption or contamination.
Sample Description Spreadsheet:
General Facility Description:
Lessor’s Name: | Contact Number:
Lessor’s Address:
Lessor’s City: | State: | Zip:
Building Management Name:
Building Management POC: | Title:
Contact Number: | e-mail address:
Date Building was constructed: | Total Square Footage: | Lease Footage:
Total Number of Floors above Ground: | Total Number of Floors below Ground:
Total Number of Occupants in Bldg.: | Total Number of Daily Visitors for Bldg.:
Total Number of Occupants in Component’s Space: | Total Number of Daily Visitors for Space:
General Hours of Operation for the Building: | Notes:
General Hours of Operation for the Component Space: | Notes:
Distance in feet from the building to the nearest public street:
Distance in feet from the building to the nearest public on-street parking:
Distance in yards from the building to the nearest public Parking Lot:
Facility Structure Information: i.e., composition of walls, slabs, roof (brick, block, concrete [pre-cast or poured]), metal panels, glass exterior, metal framing or reinforced concrete.
Building Facade: i.e., composition of walls (brick, block, concrete [pre-cast or poured]), metal panels, glass exterior, metal framing or reinforced concrete.
3. Roles and Responsibilities
List key positions with responsibility to execute this plan to include facility occupants and public affairs personnel. Also, include contact information for each key individual.
Security Organization: The government agency or an internal agency component responsible for physical security at the facility (e.g., Federal Protective Service, United States Marshals Service, U.S. Environmental Protection Agency’s Security Management Division).
4. Risk Management Strategy
Utilizing information derived from the Risk Management Process (RMP), outline and prioritize threats to the facility, tenant agencies, and/or operations; and develop an overview of the strategies used to mitigate them. Explain any risks that have been accepted as part of the risk management process and any potential consequences.
5. Security Countermeasures
Describe in detail all current and planned countermeasures (both physical and procedural) to address all identified threats. Consider scalable actions to allow for increases and decreases in security posture as the threat level changes.
Security of Facility Exterior Areas (public areas outside the building):
A. Security at all pedestrian entrances:
1. Consideration should be given to reducing the number of public entrances if there are too many to ensure security. This may require approval from the building manager.
2. Consider the use of metal detectors and X-ray machines at pedestrian/public entrances.
3. Security screening may be done at employee entrances; however, because not all facilities have restricted entrances for employees, the merits of this precaution need to be evaluated for each facility.
B. Security at vehicle entrances:
1. Describe the security available for employee vehicles parked inside and outside the building.
2. Numbers, not names or agency identification, should be used to indicate reserved parking spaces.
3. Describe the security officers and/or security devices that may be used at vehicle entrances.
C. The overall physical security of the building should be considered, especially windows, doors, utility grates, and air intakes at or near ground level.
D. Appropriate security responses to disturbances in this area should be developed.
Security of Facility Interior Areas - Public areas inside the building (excluding Critical Areas):
A. Location, level, and adequacy of security provided in this area;
B. Access control procedures; and
C. Mail handling procedures.
Security of Critical/Restricted Areas (Limited Access or Exclusionary Zones):
A. Location, level, and adequacy of security provided in this area; and
B. Access control procedures.
6. Countermeasure Maintenance, Repair, and Testing
Describe in detail requirements for operator and manufacturer maintenance and repair of security countermeasures.
Outline the testing schedule performed by the security manager at Level IV and V facilities.
7. Incident Response Management
Describe procedures for responding to security incidents and emergencies.
A. Reporting: How do employees report incidents? Do they call an internal operations center or 911?
B. Notification: How are first responders and the facility occupants notified an incident has occurred or is in progress?
C. Response: Who should respond and how should they respond? What is the Chain of Command?
• Law Enforcement/Security Organizations
• Fire Department
• Medical
• Alarm Response
D. Recovery: Once an incident response is terminated, what is the process to resume normal operations? Consider employee, facility, and process recovery procedures.
E. Documentation: How is an incident documented, where is the information maintained, and who has authorized access to it?
8. Facility-Specific Policies
Specify any unique requirements to address issues such as landlord/tenant agreements or special missions (i.e., classified areas, operations centers, and network control centers).
9. Special Events
Additional protocols should be included to address requirements for special events such as temporary increases in population, traffic/parking control, and the media.
10. Information Security
Address issues related to the protection of sensitive but unclassified information (also known as controlled unclassified information) as well as classified information, if applicable.
11. Cyber Security
Collaborate with all tenant Chief Information Officers (CIO) or office representatives to develop a plan to address the physical and logical protection of information technology systems and equipment associated with security countermeasures.
12. Government Property
Procedures to control pilferage, destruction, and disposal of government-owned property.
13. Training
Describe plans and procedures for training employees and managers and coordination with first responders for execution of this plan.
14. Exercises
Describe the participants, type, frequency, and how exercises will be executed and documented. Exercises can be coordinated and conducted in conjunction with OEP requirements.
15. Plan Review
Outline program review and approval guidelines.
16. Resource Support
Fiscal instructions on how funding support is gained to sustain security operations from pre-incident to post-incident.
Approved by:
[Signature of Approving Authority]
NAME
TITLE
Laptop theft: a case study on effectiveness of
security mechanisms in open organizations
Trajce Dimkov, Wolter Pieters, Pieter Hartel
Distributed and Embedded Security Group
University of Twente, The Netherlands
{trajce.dimkov, wolter.pieters, pieter.hartel}@utwente.nl
Abstract—Organizations rely on physical, technical and procedural mechanisms to protect their physical assets. Of all physical assets, laptops are probably the most troublesome to protect, since laptops are easy to remove and conceal. Organizations open to the public, such as hospitals and universities, are easy targets for laptop thieves, since every day hundreds of people not employed by the organization wander the premises. The problem security professionals face is how to protect the laptops in such open organizations. In this study, we look at the effectiveness of the security mechanisms against laptop theft in two universities. We analyze the logs from laptop thefts in both universities and complement the results with penetration tests. The results from the study show that surveillance cameras and access control have a limited role in the security of the organization and that the level of security awareness of the employees plays the biggest role in stopping theft. The results of this study are intended to aid security professionals in the prioritization of security mechanisms.
Keywords: laptop theft, case study, penetration tests, physical security, security awareness.
I. Introduction
Of all physical assets, laptops are particularly hard to protect. Laptops are mobile and easily concealable, there is a big market to sell the hardware, and there can be hundreds of them in a single building. With the increased data storage capabilities of laptops, the loss of even a single laptop can induce dramatic costs to the organization [1]. Thus, although there can be a large number of laptops in an organization, losing even a single laptop may not be acceptable.
Organizations open to the public are particularly at risk from laptop theft. Hospitals and universities, for example, accept hundreds of people that can wander the premises every day. Marshall et al. [2] stress that 46% of data breaches occur in institutions open to the public: education, health care and the government. Laptops containing sensitive medical or academic data become highly vulnerable in these environments.
The problem security professionals face is how to protect the laptops in such open organizations. There are three types of security mechanisms to secure laptops in a building: physical, technical and procedural mechanisms. Physical mechanisms, such as doors and cameras, physically isolate the thief from the laptop and/or identify her in case of an incident. Technical mechanisms such as laptop tracking and remote data deletion protect the laptop and the data in the laptop by using software. Procedural mechanisms such as organizational policies and rules decrease the number of mistakes by employees and increase the resilience of employees toward social engineering.
This research is supported by the Sentinels program of the Technology Foundation STW, applied science division of NWO and the technology programme of the Ministry of Economic Affairs under project number TIT.7628.
The contribution of this paper is an evaluation of the existing security mechanisms for protecting laptops based on (1) logs of laptop thefts which occurred in a period of two years in two universities in the Netherlands, and (2) 14 penetration tests in the same universities, where the goal was to gain possession of a marked laptop from an employee unaware of the penetration test. We look at all successful and unsuccessful laptop thefts and provide a guideline of which mechanisms should be considered first in implementing security mechanisms.
The outline of the rest of the paper is as follows. In section 2 we introduce related work. In section 3 we evaluate the logs of the laptop thefts and in section 4 we describe the penetration tests and the results from the tests. Section 5 summarizes our conclusions and suggests a guideline for which mechanisms should be considered first in adding security mechanisms. Section 6 concludes the paper.
II. Related Work
Protection against laptop theft is researched by the computer science and the crime science community. In the computer science community, the accent is on protecting the data residing in the laptop and finding the location of the stolen laptop. Several security products, such as TrueCrypt¹ and BitLocker², provide encryption for the whole hard drive. A few manufacturers even produce self-encrypting hard drives where the encryption key never leaves the drive [3, 4]. These approaches suffer from two problems. First, when the thief has physical possession of the laptop, she can always successfully execute a number of attacks [5, 6, 7]. Second, these approaches seem to ignore the human element, or more precisely, induce performance overhead and decrease the usability of the laptop. A recent study by Ponemon [8] shows that the majority of non-IT individuals, even when provided with an encrypted laptop, turn off the encryption software.
¹ www.truecrypt.org
² blogs.technet.com/bitlocker

Figure 1. Information from the logs. The logs from both universities are merged to anonymize the data.

                        Locked office   Open office   Restricted location   Public location   No details   Total
                        (burglary)
Stolen laptops               18             11                2                   27               1         59
Cut Kensington locks          1              5                0                    1               0          7
Other physical damage        16              0                0                    0               0         16
A number of tracking applications, such as Adeona [9] and LoJack [10], can track the location of the laptop they are installed on. In case of theft, these solutions use the Internet to provide the owner with the current location of the laptop. These solutions suffer from two problems: (1) if the goal of the theft is obtaining data from the laptop, the thief might never connect the laptop to the Internet and (2) the thief may remove the application by flashing the BIOS and/or formatting the hard drive, making the tracking impossible.
The approach from the crime science community is more general, and considers the laptop and its environment. The goal in this field is to prevent a thief from stealing the laptop in the first place, by either changing the environment surrounding the laptop or by creating situations that will deter a thief [11]. Kitteringham [12] provides a list of 117 strategies on how to prevent a laptop theft. The strategies include implementation of physical, technical and procedural mechanisms. The list is quite elaborate, although the effectiveness of each of these mechanisms is unclear.
Willison and Siponen [13] use 25 techniques [11] on how the environment can reduce the risk of theft and link them with attack scripts. These results are used to understand how a specific class of attacks could have been stopped. Similarly, we also link these techniques with attack scripts, but we look at which mechanisms were in place and which failed to protect the laptops.
There are few reports which analyze laptop theft. These reports focus on the money loss from a stolen laptop [1] and the frequency of laptop theft and the most affected sectors [2]. Our results are complementary, and look at the effectiveness of conventional security mechanisms in stopping laptop theft.
III. Methodology
We used two approaches to look at the security mech-
anisms in use and their effectiveness.
First, we looked at logs of the laptop thefts in two
universities in the Netherlands. From the logs we obtained
information about: the main reason for the laptop theft,
alarms raised by the theft, and the role of technical
and physical mechanisms, such as access control and surveillance
cameras, in securing the laptop and finding the thief.
However, the logs provide limited information about
the level of security awareness of the employees. In particular,
the logs do not provide any information on possible
violations of the procedural security mechanisms,
such as letting strangers inside an office and sharing
credentials between employees.
Therefore, as a second step, we orchestrated 14 penetration
tests in which we used social engineering to steal a
laptop.
A. Log analysis
In a period of two years, the universities reported 59
laptop thefts (Figures 1 and 2). A sample log is shown
in Appendix A. The logs from the thefts provide (1) the
location from which the laptop was stolen, (2) the protection
mechanisms on the laptop, and (3) how the theft was
discovered.
Figure 2. In the majority of the cases, the theft occurred because the
employee either left the laptop in a public location or forgot to lock
the office door.
1) Location of the theft: In 46% of the thefts, the laptop
was stolen when the employee left it unattended in a
public location, such as a cafeteria or meeting room. In
19% of the cases, the theft occurred when the employee
left the office for a short period of time without locking
the door.
Figure 3. During three of the laptop thefts the students produced
a fake e-mail giving them permission to take a laptop and went
to the janitor. When the third team approached the janitor, he just gave them
the keys and let the students go alone into the office.
In 30% of the thefts, the thief broke into a locked office,
either by forcing the door or by breaking a window. In two
of these burglaries there is no evidence of forced entry, and
the guards assumed the thief used a master key or other
credential to gain access. These two cases were targeted
thefts, since the thief stole only a laptop and nothing
else.
2) Protection mechanisms on the laptop: From the logs
we could not deduce whether any software protected the
laptop.
In five of the thefts that occurred in an unlocked office,
the laptop was secured with a Kensington lock. Only one of
the laptops stolen in a public location was secured with
a Kensington lock.
3) Theft discovery: The majority of the thefts (93%)
were reported by the laptop owner. In a few cases the
report came from an employee who observed a broken
door or window (5%). Only one of the thefts triggered
an alarm. In this case, the thief grabbed the laptop while
the employee went to collect printouts and left through
the fire door, triggering the fire alarm.
In all buildings, in both universities, there are surveil-
lance cameras (CCTV) and either partially or fully cen-
tralized access control systems able to log access re-
quests. Surprisingly, the systems provided no useful
information in any of the thefts. These mechanisms are
further analyzed in section IV.
The information we obtained from the logs is limited.
The logs provide information obtained after the theft
took place, based on evidence found by the police and
the security guards. The logs do not provide information
on how the thief reached the location nor on whether
the security awareness of the employees contributed to
the theft. To check the effectiveness of the procedural
mechanisms, we performed a set of penetration tests
where we used social engineering as a means to obtain
a laptop.
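A small classifier for theft incident records, added here as an example and not part of the paper's analysis: it applies the categories used in the log analysis above (location, Kensington lock, how the theft was discovered) and the paper's targeted-theft rule to a constructed set of records. The record layout and the sample incidents are constructed; the 59 real records are not reproduced.

```python
"""Classify laptop-theft incident records into the categories used in the
log analysis: where the laptop was taken from, whether it was secured with a
Kensington lock, and how the theft was discovered. Added example; the record
layout and the sample incidents are constructed, not the universities' logs."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class TheftRecord:
    location: str            # "public", "unlocked_office" or "locked_office"
    forced_entry: bool       # a door or window was visibly forced
    only_laptop_taken: bool  # nothing else went missing from the room
    kensington_lock: bool    # the laptop was secured with a Kensington lock
    discovered_by: str       # "owner", "colleague_damage" or "alarm"


# Constructed sample incidents (not the 59 real cases from the paper).
SAMPLE_RECORDS = [
    TheftRecord("public", False, True, False, "owner"),
    TheftRecord("public", False, True, True, "owner"),
    TheftRecord("unlocked_office", False, True, True, "owner"),
    TheftRecord("unlocked_office", False, False, False, "alarm"),
    TheftRecord("locked_office", True, False, False, "colleague_damage"),
    TheftRecord("locked_office", False, True, False, "owner"),
]


def is_targeted(rec: TheftRecord) -> bool:
    """Locked office, no sign of force, only the laptop taken: the log
    analysis reads this combination as a targeted theft, most likely done
    with a master key or another credential."""
    return (rec.location == "locked_office"
            and not rec.forced_entry
            and rec.only_laptop_taken)


def breakdown(records: Iterable[TheftRecord],
              key: Callable[[TheftRecord], object]) -> dict:
    """Share of records per value of `key`, as whole percentages."""
    records = list(records)
    if not records:
        return {}
    counts = Counter(key(r) for r in records)
    return {k: round(100 * v / len(records)) for k, v in counts.items()}


def human_factor_share(records: Iterable[TheftRecord]) -> int:
    """Percentage of thefts enabled by the employee's own behaviour: the
    laptop was left unattended in public or the office was left unlocked."""
    records = list(records)
    if not records:
        return 0
    enabled = sum(r.location in ("public", "unlocked_office") for r in records)
    return round(100 * enabled / len(records))


def summarize(records: Iterable[TheftRecord]) -> dict:
    """The three breakdowns from the log analysis plus the targeted count."""
    records = list(records)
    return {
        "location": breakdown(records, lambda r: r.location),
        "discovered_by": breakdown(records, lambda r: r.discovered_by),
        "kensington_lock": breakdown(records, lambda r: r.kensington_lock),
        "targeted": sum(is_targeted(r) for r in records),
        "human_factor": human_factor_share(records),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_RECORDS).items():
        print(f"{name}: {value}")
```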
B. The penetration tests
To perform the penetration tests, we got help from
45 master students in computer security which took
the role of penetration testers. Before performing the
tests we informed and got permission from the chief
security officers in both universities. We informed the
officers exactly which locations we were going to test
and the names of the staff and students involved. No
other security person in the universities knew of the
tests. The tests were approved by the legal department
from the university.
The students were divided into teams of three. The goal
of each team was to steal a clearly marked laptop from
an employee who was unaware of the penetration test.
First, we did a pilot study with only three teams and
three laptops. Based on the results and insights of the
pilot study, we performed an additional 11 penetration
tests the next year. The methodology used for perform-
ing the tests and the design decisions of the tests are
thoroughly described in [14].
The rest of the section (1) defines the roles in a
penetration test, describes the (2) setup, (3) execution
and (4) the closure phase in the test, and discusses (5)
the results and (6) the limitations of the tests.
1) Roles in the penetration test: We define five roles in
the penetration tests.
1 Coordinator - an employee responsible for the experiment
and the behavior of the penetration testers.
The coordinator orchestrates the penetration tests.
2 Penetration tester - a student who attempts to gain
possession of the asset without being caught.
3 Contact person - an employee who volunteers to
distribute the asset to the custodians.
4 Custodian - an employee at whose office the laptop
is placed.
5 Employee - a person in the university who has none
of the roles above.
2) Setup of the environment: At the start of the study,
we chose four volunteers as contact persons, who in
turn found custodians who volunteered to take part in
the study. The selection of contact persons and custodians
was pseudo-random. The common attribute among
these participants was that the contact persons were
acquaintances of the authors, and the custodians were
acquaintances of the contact persons.
Figure 4. In nine of the tests the custodians willingly gave the laptop,
either believing that the teams were from the help desk or that they
were sent by the coordinator.
After selecting the contact people and the custodians,
we bought and marked the laptops that were to
be stolen. The contact persons asked the custodians
to sign an informed consent form, and then distributed the
clearly marked laptops, each with a web-camera and a
Kensington lock. The custodians resided in two different
universities in nine different buildings. To steal any of
the laptops, the penetration testers needed to circumvent
three layers of access control: the entrance of the
building, the entrance of the office where the custodian
works and the Kensington lock.
The contact people told the custodians that the universities
were doing a usability study on the new laptops, and
thus needed to measure the satisfaction level of
the custodians. They informed the custodians that the
level of satisfaction would be measured using motion
detection web-cameras that would record the usage of
the laptops. The data collected by the cameras was stored
on a PC inside their office. Furthermore, for security
reasons, the contact people instructed the custodians to
lock the laptops with a Kensington lock and to leave the
cameras recording at all times. The contact people
also asked the custodians not to leave any private or
work-related data on the laptops. With these measures,
we tried to reduce the risk of data leakage and loss of
productivity caused by any theft.
In a few cases a custodian asked a contact person what
precisely was measured with the cameras. The answer was
that the moment the contact person told the custodian
which behavior was measured, the custodian might change
his behavior and invalidate the study.
3) Execution of the penetration tests: After setting up
the environment, we gave each of the penetration
teams the location of a single laptop they should obtain.
The penetration tests lasted for two weeks. In the first
week, each team scouted their location and collected
as much information as possible about the custodian
and the security mechanisms at the location. Then, each
team proposed a list of attack scenarios they wanted
to conduct. A sample attack scenario is presented in
Figure 6. During the second week of the test, after getting
approval for executing the scenarios from the coordinator,
the teams started testing.
1. Social engineer night pass from an employee.
2. Enter the building early in the morning.
3. Social engineer the cleaning lady to access the office.
4. Cut any protection on the laptop using a bolt cutter.
5. Leave the building during office hours.
Figure 6. Example of an attack scenario
The actions of the teams were logged using the CCTV
system, the web-cameras we positioned in the offices of
the custodians and recording devices carried by
the teams during the attacks. We used such extensive
recording (1) to have a better overview of why the
attacks succeeded or failed and (2) to be sure the employees
were treated with respect by the penetration testers.
After each successful or failed attempt, the teams
provided an attack trace of which mechanisms they
circumvented and, in the case of failed attempts, which
mechanism caused the attack to fail.
4) Closure: After all penetration tests were over, we
debriefed the custodians and the contact people through
a group presentation, where we explained the pene-
tration test and its goal. All custodians and contact
people were thanked and rewarded for helping in the
assessment of the security in their university.
5) Results: Eventually, all teams were successful in
stealing their laptop. Besides the 14 successful thefts,
there were an additional 11 unsuccessful attempts.
The favorite approach of the teams was to directly
confront the custodian and ask for the laptop. Nine of
the teams took roles as service desk employees or as students
who urgently needed a laptop for a few hours, or claimed
they were sent by the coordinator. Four teams used
mobile phones or pocket video cameras to record the
conversation with the employees. In one case they took
a professional camera and a cameraman, and told the
custodian that the recording was part of a study to measure
the service quality of the service desk.
Approach                              Disguise                 Teams
Social engineered the custodian       as coordinator helpers   5
                                      as help desk             2
                                      as students              2
Social engineered the janitor         as students              4
Social engineered the cleaning lady   as PhD student           1
Figure 7. Of the 9 teams that social engineered the custodian, 5 posed
as people sent by the coordinator, 2 of the teams took the role of help
desk employees and 2 posed as students. 4 teams approached the janitor as
students that needed to pick up a laptop, with a fake email as proof,
and 1 team took the role of a PhD student who had forgotten the key to his
office.
Figure 5. In five tests the teams social engineered a person
other than the custodian. In two of these cases the students used
a bolt cutter to cut the Kensington lock, and in three they found the
keys to the lock in the office.
The resistance of the employees varied. In six cases,
the custodians gave the laptop easily after being shown a
fake email and being promised they would get the laptop
back in a few hours. In two cases the custodian wanted
confirmation from the coordinator. The teams succeeded
in the attempt because the custodian called a number
provided by the penetration testers. Needless to say, the
number belonged to another team member pretending to be
the coordinator. In one case a colleague of the custodian
got suspicious and sent an email to campus security.
Since only the chief security officer knew about the
penetration test, within a few hours the security guards all
over the campus were alerted and started searching
for suspicious students.
However, in five cases the students were not able to
social engineer the custodian directly and were forced
to look for alternative approaches. For example, in one
of the cases the students entered the building before
working hours. At this time a cleaning lady was cleaning the
offices, and, assuming it was their office, she let
the students inside. After entering the office, the students
cut the Kensington lock and left the building before the
custodian arrived. On the way out, they even asked the
same cleaning lady to lock the office door again.
6) Limitations of the test: During the analysis of the
recordings from the tests, we observed that a few custodians
were easily persuaded to hand over the marked
laptop. The reason might be that employees are less
reluctant to hand over a temporary laptop than their own
laptop.
Another limitation of the test might be the high self-confidence
of the testers. The security guards were not
aware of the penetration test. If caught, the identification
process would have been an unpleasant experience for the testers.
Nevertheless, they knew they would not go to jail for their
actions. A real thief might rather wait for the laptop to be
left unattended than approach an employee directly
and ask for their laptop.
The results of the test are based on only two universities
and their security mechanisms. Other institutions
might have a different spectrum of mechanisms for protecting
their laptops.
IV. Observations
The observations presented in this section focus on
the effectiveness of the security mechanisms that two open
institutions use to protect laptops. The observations should
also apply to any mobile asset, such as medical
equipment, beamers (projectors) and mobile phones.
We observed three main security mechanisms in the
universities: surveillance cameras, access control and the
level of security awareness of the employees.
A. Surveillance cameras
Security officers do not use cameras as an alarm mechanism,
but use them a posteriori, to identify an offender
after an incident has taken place. The security officers
cannot afford to monitor all surveillance cameras. The
cameras record only when motion is detected, and
automatically store the recording on a back-end server.
The delay between the occurrence and the report of the theft
gives the thief sufficient time to leave the building.
Even when used to identify the thief a posteriori, the
cameras provide limited information about the thief. In
none of the logs, nor during any of the penetration tests,
did the cameras provide enough information to reveal the
identity of the thief.
The CCTV cameras are not able to identify the thief
because (1) they are not mounted in offices, (2) the thief
can easily conceal the laptop and (3) thieves usually
know the position of the cameras and obscure their face.
The cameras are not mounted in offices. All pene-
tration tests and 49% of the thefts took place in an
office. Cameras are not mounted in offices to preserve the
privacy of the employees and because mounting cameras
in every office is not cost effective. Without surveillance
in these offices, it is impossible to identify a thief during
the act.
Rather than in offices, the cameras are usually mounted
at entrance doors. Many people pass through the entrances
with bags, and each of the bags might conceal
the stolen laptop. Even if there are only two persons
observed by the camera, if the persons are not caught
on the spot and challenged by the security guards, the
evidence from the surveillance camera cannot be used
against them.
Cameras positioned to monitor public locations, such
as cafeterias, halls and reception desks, can record the
thief during the theft. The logs show that 46% of the
laptop thefts happened in public locations. During the
penetration tests we noticed that these cameras are
usually set to motion detection, and are not actively
monitored by the security guards. A careful thief would
obscure her face from the cameras using a hat, a hood or
just by covering her face with her hands before she steals
the laptop. In one of the penetration tests, three penetration
testers wandered through the building with newspapers held
in front of their faces without being challenged by
anybody.
In conclusion, the surveillance system provides no
help in stopping the theft and is of limited use in
identifying the thief a posteriori.
B. Access control
The security logs and the penetration tests show
that although there are multiple layers of access control
in both universities, it is still possible to steal a laptop.
We spotted two weaknesses in the access control at
the universities. Locks are usually bypassed because (1)
they are disabled during working hours and (2) the
doors and windows where the locks reside are easy to
force.
The access controls at the entrances of the building
are easily bypassed because they are disabled during
working hours and because there are too many people
with credentials that can open the door. Of the 14
penetration teams, 13 bypassed the entrance locks by
attacking during working hours and one team social
engineered credentials from an employee to enter the
building outside working hours.
Another attack vector for stealing a laptop is to force
a door or a window. The penetration teams were not
allowed to damage any property of the universities
except cutting the Kensington locks. However, the logs
from actual laptop thefts show that in 30% of the thefts,
the thief broke a door or a window to get access to the
office.
Like recordings from surveillance cameras, logs
from the access control systems provide limited help in
identifying the thief. The logs show whose credential
was used to enter a restricted area at a specific time.
Since the credentials are easy to steal or social
engineer, and because there are many people entering
and leaving the area where the theft occurs, it is very
hard to deduce which person is the thief.
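To make the attribution problem concrete, the following added example (not the universities' tooling) correlates a constructed access-control log with a theft window and lists every credential that could have been inside. Going one step beyond the paper, it also flags a credential that entered twice with no logged exit, the trace a shared or copied badge leaves; the log line format, door names and badge identifiers are assumptions.

```python
"""Attribution from an access-control log. The log records which credential
opened which door and when, not who carried it, so for a theft window the
best it yields is a set of candidate credentials. Added example; the log
line format, door names and badge identifiers are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    at: datetime
    direction: str    # "in" or "out"
    credential: str   # badge identifier, deliberately not a person
    door: str


def parse_log(lines):
    """Parse constructed lines like '2009-11-03T08:55:00 IN badge-017 corridor-3'."""
    events = []
    for line in lines:
        ts, direction, cred, door = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), direction.lower(), cred, door))
    return sorted(events, key=lambda e: e.at)


def iso_window(start, end):
    """Theft window from two ISO timestamps."""
    return datetime.fromisoformat(start), datetime.fromisoformat(end)


def present_during(events, door, start, end):
    """Credentials that could have been behind `door` at any moment of the
    theft window [start, end]. An exit without a logged entry is treated as
    an entry at an unknown earlier time: during working hours the lock is
    disabled, so most people pass without leaving a record at all."""
    inside = {}          # credential -> earliest unmatched entry time
    candidates = set()
    for e in events:
        if e.door != door:
            continue
        if e.direction == "in":
            inside.setdefault(e.credential, e.at)
        else:
            entered = inside.pop(e.credential, None)
            if entered is None:
                if e.at >= start:          # was inside until after the window opened
                    candidates.add(e.credential)
            elif entered <= end and e.at >= start:
                candidates.add(e.credential)
    # Never logged out: a candidate if the entry precedes the end of the window.
    for cred, entered in inside.items():
        if entered <= end:
            candidates.add(cred)
    return candidates


def double_entries(events):
    """Credentials that entered the same door twice with no exit in between,
    the trace a shared or copied badge leaves. An added check, not something
    the paper reports the universities' systems doing."""
    inside = set()
    flagged = set()
    for e in events:
        key = (e.credential, e.door)
        if e.direction == "in":
            if key in inside:
                flagged.add(e.credential)
            inside.add(key)
        else:
            inside.discard(key)
    return flagged


# Constructed sample log for one corridor door on a single morning.
SAMPLE_LOG = [
    "2009-11-03T08:55:00 IN badge-017 corridor-3",
    "2009-11-03T09:10:00 IN badge-042 corridor-3",
    "2009-11-03T09:40:00 OUT badge-017 corridor-3",
    "2009-11-03T10:05:00 IN badge-017 corridor-3",
    "2009-11-03T10:20:00 IN badge-017 corridor-3",   # re-entry, no exit logged
    "2009-11-03T10:30:00 OUT badge-099 corridor-3",  # exit, entry never logged
    "2009-11-03T11:00:00 OUT badge-042 corridor-3",
    "2009-11-03T12:30:00 IN badge-075 corridor-3",
]
THEFT_WINDOW = iso_window("2009-11-03T10:00:00", "2009-11-03T10:45:00")

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("candidates:", sorted(present_during(evs, "corridor-3", *THEFT_WINDOW)))
    print("double entries:", sorted(double_entries(evs)))
```

Even on this tiny log three of five credentials remain candidates, and any credential that never logged out stays a candidate for every later window.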
In conclusion, the typical access control mechanisms
deployed in the universities are mainly used to deter
opportunistic thieves, but provide no help against a
determined thief.
C. Security awareness of the employees
The level of security awareness of the employees plays
a crucial role in the success or failure of a theft.
The human element is the main reason behind the
success of the laptop thefts. In 69% of the laptop thefts
and 100% of the penetration tests, the theft occurred
either because the employee left the laptop unattended
in a public location or did not lock the door when
leaving the office. Similarly, during the penetration tests,
employees opened the doors of their colleagues' offices,
shared credentials or handed over laptops without any
identification. Therefore, even with strong access control
in place, if the security awareness of the employees is
low, the access control can easily be circumvented.
On the other hand, the human element is the main
reason behind the failure of 67% of all failed penetration
tests. In these cases, an employee informed the security
guards of suspicious activities, refused to open a door
for the tester, refused to unlock a laptop without permission
from the custodian or interrupted the tester during
the theft. In these cases, besides enforcing the access
control mechanisms, the employees also acted as an
additional surveillance layer around the laptop.
Employees are usually considered the weakest link
in the security of an organization [15]. We observe that
employees can also be the strongest link in the security
of an open organization. Proper security education of
employees increases their resistance to social
engineering, and increases the effectiveness of the other
security mechanisms.
V. Conclusion
In this paper we analyzed the logs of laptop thefts
which occurred over a period of two years in two universities
in the Netherlands. We complemented the findings from
these logs with 14 penetration tests which we conducted
in the same universities.
Based on the logs and the penetration tests, we conclude
that physical security mechanisms play a deterrent
rather than a protective role against laptop theft in
open organizations. Security awareness of the employees
is the main element which determines whether a theft will be
successful or not, and it influences the effectiveness of the
other security mechanisms.
In the future we plan to repeat the penetration tests.
This time, to make the penetration tests more realistic,
we plan to randomly select contact persons and
custodians and give the laptops to the custodians a few
months before the start of the tests.
References
[1] L. Ponemon. Cost of a lost laptop. Technical report, Ponemon Institute, April 2009.
[2] M. Marshall, M. Martindale, R. Leaning, and D. Das. Data Loss Barometer. September 2008.
[3] Seagate Technology. Can your computer keep a secret? 2007.
[4] Seagate Technology. DriveTrust technology: a technical overview. 2007.
[5] P. Kleissner. Stoned bootkit. In Black Hat USA, 2009.
[6] E. M. Chan, J. C. Carlyle, F. M. David, R. Farivar, and R. H. Campbell. BootJacker: compromising computers using forced restarts. In CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 555–564, New York, NY, USA, 2008. ACM.
[7] S. Türpe, A. Poller, J. Steffan, J.-P. Stotz, and J. Trukenmüller. Attacking the BitLocker boot process. In Trust '09: Proceedings of the 2nd International Conference on Trusted Computing, pages 183–196, Berlin, Heidelberg, 2009. Springer-Verlag.
[8] L. Ponemon. The human factor in laptop encryption. Technical report, Ponemon Institute, December 2008.
[9] T. Ristenpart, G. Maganis, A. Krishnamurthy, and T. Kohno. Privacy-preserving location tracking of lost or stolen devices: cryptographic techniques and replacing trusted third parties with DHTs. In SS '08: Proceedings of the 17th USENIX Security Symposium, pages 275–290, Berkeley, CA, USA, 2008. USENIX Association.
[10] Absolute Software. LoJack for Laptops. www.lojackforlaptops.com.
[11] D. B. Cornish and R. V. Clarke. Opportunities, precipitators and criminal decisions: A reply to Wortley's critique of situational crime prevention. Crime Prevention Studies, 16:41–96, 2003.
[12] G. Kitteringham. Lost laptops = lost data: Measuring costs, managing threats. CRISP report, ASIS International Foundation, 2008.
[13] R. Willison and M. Siponen. Overcoming the insider: reducing employee computer crime through situational crime prevention. Communications of the ACM, 52(9):133–137, 2009.
[14] T. Dimkov, W. Pieters, and P. Hartel. Two methodologies for physical penetration testing using social engineering. Technical report, CTIT, December 2009.
[15] N. Barrett. Penetration testing and social engineering: hacking the weakest link. Information Security Technical Report, 8(4):56–64, 2003.
Project Evaluation Rubric
(Columns: Component | Exemplary (3) | Adequate (2) | Inadequate (1) | Score)

Project overview
Exemplary (3): Effectively and insightfully develops a set of testable, supportable and impactful study hypotheses.
Adequate (2): Develops a set of testable and supportable hypotheses.
Inadequate (1): Hypotheses are not testable or justifiable.

Justification for hypotheses
Exemplary (3): The introduction section provides a cogent overview of conceptual and theoretical issues related to the study hypotheses. Demonstrates outstanding critical thinking.
Adequate (2): The introduction section provides a logical overview of conceptual and theoretical issues related to the study hypotheses. Demonstrates competent critical thinking.
Inadequate (1): Very little support for the conceptual and theoretical issues relevant to the study hypotheses was provided. Provides little evidence of sound critical thinking.

Supporting evidence
Exemplary (3): Provides clearly appropriate evidence to support position.
Adequate (2): Provides adequate evidence to support position.
Inadequate (1): Provides little or no evidence to support position.

Review of relevant research
Exemplary (3): Sophisticated integration, synthesis, and critique of literature from related fields. Places work within larger context.
Adequate (2): Provides a meaningful summary of the literature. Shows understanding of relevant literature.
Inadequate (1): Provides little or no relevant scholarship.

Maintains purpose/focus
Exemplary (3): The project is well organized and has a tight and cohesive focus that is integrated throughout the document.
Adequate (2): The project has an organizational structure and the focus is clear throughout.
Inadequate (1): The document lacks focus or contains major drifts in focus.

Methodology
· Sample
· Procedures
· Measures
· Data analytic plan
Exemplary (3): Identifies appropriate methodologies and research techniques (e.g., justifies the sample, procedures, and measures). Data analytic plan is suitable to test study hypotheses. Provides appropriate justification for controls. Project is feasible.
Adequate (2): Identifies appropriate methodologies and research techniques but some details are missing or vague.
Inadequate (1): The methodologies described are either not suited or poorly suited to test hypotheses. The methodology is under-developed and/or is not feasible.

Grammar, clarity, and organization
Exemplary (3): The manuscript is well written and ideas are well developed and explained. Sentences and paragraphs are grammatically correct. Uses subheadings appropriately.
Adequate (2): The manuscript effectively communicates ideas. The writing is grammatically correct, but some sections lack clarity.
Inadequate (1): The manuscript is poorly written and confusing. Ideas are not communicated effectively.

References and citations
Exemplary (3): Properly and explicitly cited. Reference list matches citations.
Adequate (2): Properly cited. May have a few instances in which proper citations are missing.
Inadequate (1): The manuscript lacks proper citations or includes no citations.

Overall Total: ______________
PowerPoint Presentation Rubric 1
Group #: ________
(Columns: 20 Points | 15 Points | 10 Points | 5 Points | Total Points)

Content
20 Points: Main points are clearly covered, demonstrating excellent knowledge of subject. Content is based upon sound research, and hyperlinks to relevant sites are included.
15 Points: Main points are clearly covered. Content is research-based, and a hyperlink to a relevant site is included.
10 Points: Subject is mostly covered, but good research basis is not evident. No hyperlinks to more information.
5 Points: Subject is poorly covered, and some information is incorrect, suggesting little or no research.

Clarity and Organization
20 Points: Information is organized in a logical way, making the sequencing of slides easy to follow and comprehend.
15 Points: Most information is logically sequenced for clarity and comprehension. One piece of information or one slide may seem out of place.
10 Points: Information is somewhat logically sequenced. An occasional slide or piece of information seems out of place, distracting from comprehension.
5 Points: There is no clear plan for organization of this material, making it difficult to follow and comprehend.

Presentation
20 Points: Presenter is prepared and has obviously rehearsed. Speech is loud and clear, and presenter uses slides as a supplement to presentation, rather than reading from them.
15 Points: Presenter is prepared. Speech is loud and clear, and presenter mostly uses slides to supplement information, rarely reading from them. Good volume and eye contact are present most of the time.
10 Points: Presenter may have benefitted from more preparation. Slides are often reread to audience, perhaps with a little embellishment by presenter. Volume and eye contact may be insufficient.
5 Points: Presenter is unprepared. Slides are presented to audience nearly verbatim. Speaker can rarely be heard, or hardly looks at audience.

Slide Format
20 Points: Slide elements have been carefully planned to enhance readability and content. Color, graphics, bulleting and transitions are attractive, easy to read and enhance content.
15 Points: Slide elements have been planned to enhance readability. Color, graphics, backgrounds, transitions are attractive and easy to read.
10 Points: Formatting of text, color, background, etc. may make slides a little hard to read, but does not interfere with understanding.
5 Points: Material is hard to read or understand due to poor formatting.

Mechanics
20 Points: No errors in spelling, capitalization, punctuation or grammar.
15 Points: Contains 1 to 2 errors in spelling, capitalization, punctuation or grammar, but errors do not distract reader.
10 Points: Contains 3-4 errors in spelling, capitalization, punctuation or grammar, which may be a distraction.
5 Points: Contains more than 5 errors in spelling, capitalization, punctuation or grammar.

GRAND TOTAL: ___________
Guidelines for Group Participation
1. Everyone should contribute and take turns to speak.
2. All ideas should be shared and considered.
3. Ideas should be justified with reasons.
4. Challenges are encouraged, but students must disagree with
the point, not the person.
5. Try to reach agreement, don't just agree to differ.
6. Set clear expectations for each member of the group.
7. Communicate often when issues or concerns arise.
8. Distribute work: each team member should be responsible for
a section of the paper and presentation.
9. Ensure a fair use of time within the group.
10. Spend time reading your classmates' work and make notes to
help you give some constructive feedback.

Deployment guide series ibm tivoli security compliance manager sg246450
 
Swift -cscf-v2021.pdf
Swift -cscf-v2021.pdfSwift -cscf-v2021.pdf
Swift -cscf-v2021.pdf
 
Cag3 1
Cag3 1Cag3 1
Cag3 1
 
2003-annual-report
2003-annual-report2003-annual-report
2003-annual-report
 
Cy safe 2.0_workbook
Cy safe 2.0_workbookCy safe 2.0_workbook
Cy safe 2.0_workbook
 
National Cybersecurity Talent Workforce Assessment Report of the Philippines.pdf
National Cybersecurity Talent Workforce Assessment Report of the Philippines.pdfNational Cybersecurity Talent Workforce Assessment Report of the Philippines.pdf
National Cybersecurity Talent Workforce Assessment Report of the Philippines.pdf
 
Empowering security and compliance management for the z os racf environment u...
Empowering security and compliance management for the z os racf environment u...Empowering security and compliance management for the z os racf environment u...
Empowering security and compliance management for the z os racf environment u...
 
SAMPLE HIPAA Security Rule Corrective Action Plan Project Charter
SAMPLE HIPAA Security Rule Corrective Action Plan Project CharterSAMPLE HIPAA Security Rule Corrective Action Plan Project Charter
SAMPLE HIPAA Security Rule Corrective Action Plan Project Charter
 
Protectingspecialaccessprograminformationwithininformationsystemsfouo 1207161...
Protectingspecialaccessprograminformationwithininformationsystemsfouo 1207161...Protectingspecialaccessprograminformationwithininformationsystemsfouo 1207161...
Protectingspecialaccessprograminformationwithininformationsystemsfouo 1207161...
 
Comprehensive Multi-year Plan - Universal Immunization Program Reaching Every...
Comprehensive Multi-year Plan - Universal Immunization Program Reaching Every...Comprehensive Multi-year Plan - Universal Immunization Program Reaching Every...
Comprehensive Multi-year Plan - Universal Immunization Program Reaching Every...
 
Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712Continuous monitoring strategy_guide_072712
Continuous monitoring strategy_guide_072712
 
RICS - Strategic Facilities Management - 1st Edition oct 2013
RICS - Strategic Facilities Management - 1st Edition oct 2013RICS - Strategic Facilities Management - 1st Edition oct 2013
RICS - Strategic Facilities Management - 1st Edition oct 2013
 
Ems tool
Ems toolEms tool
Ems tool
 
Kpmg internal control_practical_guide
Kpmg internal control_practical_guideKpmg internal control_practical_guide
Kpmg internal control_practical_guide
 
internal control
internal controlinternal control
internal control
 
2019 SANS Holiday Hack Challenge Deliverable
2019 SANS Holiday Hack Challenge Deliverable2019 SANS Holiday Hack Challenge Deliverable
2019 SANS Holiday Hack Challenge Deliverable
 

More from mecklenburgstrelitzh

Discussion - Week 3Elements of the Craft of WritingThe narra.docx
Discussion - Week 3Elements of the Craft of WritingThe narra.docxDiscussion - Week 3Elements of the Craft of WritingThe narra.docx
Discussion - Week 3Elements of the Craft of WritingThe narra.docxmecklenburgstrelitzh
 
Discussion - Microbial ClassificationGive names of bacteria in.docx
Discussion - Microbial ClassificationGive names of bacteria in.docxDiscussion - Microbial ClassificationGive names of bacteria in.docx
Discussion - Microbial ClassificationGive names of bacteria in.docxmecklenburgstrelitzh
 
Discussion (Chapter 7) What are the common challenges with which se.docx
Discussion (Chapter 7) What are the common challenges with which se.docxDiscussion (Chapter 7) What are the common challenges with which se.docx
Discussion (Chapter 7) What are the common challenges with which se.docxmecklenburgstrelitzh
 
Discussion - Big Data Visualization toolsSeveral Big Data Visu.docx
Discussion - Big Data Visualization toolsSeveral Big Data Visu.docxDiscussion - Big Data Visualization toolsSeveral Big Data Visu.docx
Discussion - Big Data Visualization toolsSeveral Big Data Visu.docxmecklenburgstrelitzh
 
Discussion - 1 Pick 2 different department team members and descri.docx
Discussion - 1  Pick 2 different department team members and descri.docxDiscussion - 1  Pick 2 different department team members and descri.docx
Discussion - 1 Pick 2 different department team members and descri.docxmecklenburgstrelitzh
 
Discussion (Chapter 7) What are the common challenges with which .docx
Discussion (Chapter 7) What are the common challenges with which .docxDiscussion (Chapter 7) What are the common challenges with which .docx
Discussion (Chapter 7) What are the common challenges with which .docxmecklenburgstrelitzh
 
Discussion (Chapter 7) What are the common challenges with whic.docx
Discussion (Chapter 7) What are the common challenges with whic.docxDiscussion (Chapter 7) What are the common challenges with whic.docx
Discussion (Chapter 7) What are the common challenges with whic.docxmecklenburgstrelitzh
 
Discussion (Chapter 6) List and briefly describe the nine-step .docx
Discussion (Chapter 6) List and briefly describe the nine-step .docxDiscussion (Chapter 6) List and briefly describe the nine-step .docx
Discussion (Chapter 6) List and briefly describe the nine-step .docxmecklenburgstrelitzh
 
Discussion (Chapter 5) What is the relationship between Naïve Bayes.docx
Discussion (Chapter 5) What is the relationship between Naïve Bayes.docxDiscussion (Chapter 5) What is the relationship between Naïve Bayes.docx
Discussion (Chapter 5) What is the relationship between Naïve Bayes.docxmecklenburgstrelitzh
 
Discussion (Chapter 4) What are the privacy issues with data mini.docx
Discussion (Chapter 4) What are the privacy issues with data mini.docxDiscussion (Chapter 4) What are the privacy issues with data mini.docx
Discussion (Chapter 4) What are the privacy issues with data mini.docxmecklenburgstrelitzh
 
Discussion (Chapter 3) Why are the originalraw data not readily us.docx
Discussion (Chapter 3) Why are the originalraw data not readily us.docxDiscussion (Chapter 3) Why are the originalraw data not readily us.docx
Discussion (Chapter 3) Why are the originalraw data not readily us.docxmecklenburgstrelitzh
 
Discussion (Chapter 5) What is the relationship between Naïve B.docx
Discussion (Chapter 5) What is the relationship between Naïve B.docxDiscussion (Chapter 5) What is the relationship between Naïve B.docx
Discussion (Chapter 5) What is the relationship between Naïve B.docxmecklenburgstrelitzh
 
Discussion (Chapter 10 in the textbook or see the ppt) For ea.docx
Discussion (Chapter 10 in the textbook  or see the ppt) For ea.docxDiscussion (Chapter 10 in the textbook  or see the ppt) For ea.docx
Discussion (Chapter 10 in the textbook or see the ppt) For ea.docxmecklenburgstrelitzh
 
Discussion (Chapter 1) Compare and contrast predictive analytics wi.docx
Discussion (Chapter 1) Compare and contrast predictive analytics wi.docxDiscussion (Chapter 1) Compare and contrast predictive analytics wi.docx
Discussion (Chapter 1) Compare and contrast predictive analytics wi.docxmecklenburgstrelitzh
 
Discussion (400 words discussion + 150 words student response)Co.docx
Discussion (400 words discussion + 150 words student response)Co.docxDiscussion (400 words discussion + 150 words student response)Co.docx
Discussion (400 words discussion + 150 words student response)Co.docxmecklenburgstrelitzh
 
Discussion (150-200 words) Why do you think so much emphasis is pla.docx
Discussion (150-200 words) Why do you think so much emphasis is pla.docxDiscussion (150-200 words) Why do you think so much emphasis is pla.docx
Discussion (150-200 words) Why do you think so much emphasis is pla.docxmecklenburgstrelitzh
 
discussion (11)explain the concept of information stores as th.docx
discussion (11)explain the concept of information stores as th.docxdiscussion (11)explain the concept of information stores as th.docx
discussion (11)explain the concept of information stores as th.docxmecklenburgstrelitzh
 
Discussion #5 How progressive was the Progressive EraThe Progres.docx
Discussion #5 How progressive was the Progressive EraThe Progres.docxDiscussion #5 How progressive was the Progressive EraThe Progres.docx
Discussion #5 How progressive was the Progressive EraThe Progres.docxmecklenburgstrelitzh
 
Discussion #4, Continued Work on VygotskyA. Why is it important .docx
Discussion #4, Continued Work on VygotskyA. Why is it important .docxDiscussion #4, Continued Work on VygotskyA. Why is it important .docx
Discussion #4, Continued Work on VygotskyA. Why is it important .docxmecklenburgstrelitzh
 
Discussion #4 What are the most common metrics that make for an.docx
Discussion #4 What are the most common metrics that make for an.docxDiscussion #4 What are the most common metrics that make for an.docx
Discussion #4 What are the most common metrics that make for an.docxmecklenburgstrelitzh
 

More from mecklenburgstrelitzh (20)

Discussion - Week 3Elements of the Craft of WritingThe narra.docx
Discussion - Week 3Elements of the Craft of WritingThe narra.docxDiscussion - Week 3Elements of the Craft of WritingThe narra.docx
Discussion - Week 3Elements of the Craft of WritingThe narra.docx
 
Discussion - Microbial ClassificationGive names of bacteria in.docx
Discussion - Microbial ClassificationGive names of bacteria in.docxDiscussion - Microbial ClassificationGive names of bacteria in.docx
Discussion - Microbial ClassificationGive names of bacteria in.docx
 
Discussion (Chapter 7) What are the common challenges with which se.docx
Discussion (Chapter 7) What are the common challenges with which se.docxDiscussion (Chapter 7) What are the common challenges with which se.docx
Discussion (Chapter 7) What are the common challenges with which se.docx
 
Discussion - Big Data Visualization toolsSeveral Big Data Visu.docx
Discussion - Big Data Visualization toolsSeveral Big Data Visu.docxDiscussion - Big Data Visualization toolsSeveral Big Data Visu.docx
Discussion - Big Data Visualization toolsSeveral Big Data Visu.docx
 
Discussion - 1 Pick 2 different department team members and descri.docx
Discussion - 1  Pick 2 different department team members and descri.docxDiscussion - 1  Pick 2 different department team members and descri.docx
Discussion - 1 Pick 2 different department team members and descri.docx
 
Discussion (Chapter 7) What are the common challenges with which .docx
Discussion (Chapter 7) What are the common challenges with which .docxDiscussion (Chapter 7) What are the common challenges with which .docx
Discussion (Chapter 7) What are the common challenges with which .docx
 
Discussion (Chapter 7) What are the common challenges with whic.docx
Discussion (Chapter 7) What are the common challenges with whic.docxDiscussion (Chapter 7) What are the common challenges with whic.docx
Discussion (Chapter 7) What are the common challenges with whic.docx
 
Discussion (Chapter 6) List and briefly describe the nine-step .docx
Discussion (Chapter 6) List and briefly describe the nine-step .docxDiscussion (Chapter 6) List and briefly describe the nine-step .docx
Discussion (Chapter 6) List and briefly describe the nine-step .docx
 
Discussion (Chapter 5) What is the relationship between Naïve Bayes.docx
Discussion (Chapter 5) What is the relationship between Naïve Bayes.docxDiscussion (Chapter 5) What is the relationship between Naïve Bayes.docx
Discussion (Chapter 5) What is the relationship between Naïve Bayes.docx
 
Discussion (Chapter 4) What are the privacy issues with data mini.docx
Discussion (Chapter 4) What are the privacy issues with data mini.docxDiscussion (Chapter 4) What are the privacy issues with data mini.docx
Discussion (Chapter 4) What are the privacy issues with data mini.docx
 
Discussion (Chapter 3) Why are the originalraw data not readily us.docx
Discussion (Chapter 3) Why are the originalraw data not readily us.docxDiscussion (Chapter 3) Why are the originalraw data not readily us.docx
Discussion (Chapter 3) Why are the originalraw data not readily us.docx
 
Discussion (Chapter 5) What is the relationship between Naïve B.docx
Discussion (Chapter 5) What is the relationship between Naïve B.docxDiscussion (Chapter 5) What is the relationship between Naïve B.docx
Discussion (Chapter 5) What is the relationship between Naïve B.docx
 
Discussion (Chapter 10 in the textbook or see the ppt) For ea.docx
Discussion (Chapter 10 in the textbook  or see the ppt) For ea.docxDiscussion (Chapter 10 in the textbook  or see the ppt) For ea.docx
Discussion (Chapter 10 in the textbook or see the ppt) For ea.docx
 
Discussion (Chapter 1) Compare and contrast predictive analytics wi.docx
Discussion (Chapter 1) Compare and contrast predictive analytics wi.docxDiscussion (Chapter 1) Compare and contrast predictive analytics wi.docx
Discussion (Chapter 1) Compare and contrast predictive analytics wi.docx
 
Discussion (400 words discussion + 150 words student response)Co.docx
Discussion (400 words discussion + 150 words student response)Co.docxDiscussion (400 words discussion + 150 words student response)Co.docx
Discussion (400 words discussion + 150 words student response)Co.docx
 
Discussion (150-200 words) Why do you think so much emphasis is pla.docx
Discussion (150-200 words) Why do you think so much emphasis is pla.docxDiscussion (150-200 words) Why do you think so much emphasis is pla.docx
Discussion (150-200 words) Why do you think so much emphasis is pla.docx
 
discussion (11)explain the concept of information stores as th.docx
discussion (11)explain the concept of information stores as th.docxdiscussion (11)explain the concept of information stores as th.docx
discussion (11)explain the concept of information stores as th.docx
 
Discussion #5 How progressive was the Progressive EraThe Progres.docx
Discussion #5 How progressive was the Progressive EraThe Progres.docxDiscussion #5 How progressive was the Progressive EraThe Progres.docx
Discussion #5 How progressive was the Progressive EraThe Progres.docx
 
Discussion #4, Continued Work on VygotskyA. Why is it important .docx
Discussion #4, Continued Work on VygotskyA. Why is it important .docxDiscussion #4, Continued Work on VygotskyA. Why is it important .docx
Discussion #4, Continued Work on VygotskyA. Why is it important .docx
 
Discussion #4 What are the most common metrics that make for an.docx
Discussion #4 What are the most common metrics that make for an.docxDiscussion #4 What are the most common metrics that make for an.docx
Discussion #4 What are the most common metrics that make for an.docx
 

Recently uploaded

Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 

Recently uploaded (20)

9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 

Facility Security Plan An Interagency Security Committee Gu.docx

Table of Contents

Message from the Interagency Security Committee Executive Director ........ iii
1 Background ........ 1
2 Applicability and Scope ........ 2
3 Document Control ........ 3
3.1 Identification ........ 3
3.2 Storage and Distribution ........ 3
3.3 Retention ........ 3
3.4 Disposition ........ 3
3.5 Protection and Classification ........ 3
4 Roles and Responsibilities for Plan Development ........ 4
4.1 Facility Security Committee ........ 4
4.2 Designated Official ........ 4
4.3 Security Organization ........ 4
4.4 Organizational Director of Security/Chief Security Officer ........ 4
4.5 Tenant Security Representative ........ 5
4.6 Tenant Managers/Supervisors ........ 5
4.7 Facility Occupant ........ 5
4.8 Financial Authority ........ 5
4.9 Chief Information Officer ........ 5
5 Plan Development ........ 6
5.1 Risk Management Process ........ 6
5.1.1 Process ........ 6
5.1.1.1 Threat Assessment ........ 6
5.1.1.2 Consequence (Criticality) Assessment ........ 7
5.1.1.3 Vulnerability Assessment ........ 7
5.1.1.4 Risk Assessment ........ 7
5.2 Elements of a Facility Security Plan ........ 8
5.2.1 Facility Profile ........ 8
5.2.2 Roles and Responsibilities ........ 8
5.2.3 Risk Management Strategy ........ 8
5.2.4 Security Countermeasures ........ 9
5.2.5 Maintenance, Repair, and Testing Procedures ........ 9
5.2.6 Incident Response Management and Procedures ........ 9
5.2.7 Facility Specific Policies ........ 9
5.2.8 Special Events ........ 9
5.2.9 Information Security ........ 9
5.2.10 Cyber Security ........ 10
5.2.11 Government Property ........ 10
5.2.12 Training and Exercising the Plan ........ 10
5.2.13 Program Review ........ 10
5.2.14 Resource Support ........ 10
6 Training and Exercises ........ 11
6.1 Training ........ 11
6.2 Exercises ........ 11
6.3 Occupant Emergency Plan Exercise Coordination ........ 11
7 Plan Maintenance ........ 12
8 References and Resources ........ 13
9 Interagency Security Committee Participants ........ 14
List of Abbreviations/Acronyms/Initializations ........ 15
Glossary of Terms ........ 16
Appendix A: Facility Security Plan Template ........ 19

1 Background

On April 20, 1995, the day after the bombing of the Alfred P. Murrah Building in Oklahoma City, Oklahoma, the President directed the U.S. Department of Justice (DOJ) to assess the vulnerability of Federal facilities to terrorism and other acts of violence. On June 28, 1995, DOJ issued the Vulnerability Assessment of Federal Facilities Report
  • 8. (1995 Report) establishing government-wide facility security standards. The 1995 Report laid the foundation for all subsequent Interagency Security Committee (ISC) security standards documents. In 2013, the ISC released The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (RMP) which includes a list of physical security criteria. The intent of the document is to provide cohesive guidance for the application of physical security countermeasures at Federal facilities. In May 2013, the ISC established the Facility Security Plan Working Group in response to concerns raised by its membership. The Working Group was tasked with preparing reference guidance for agencies to use in developing and implementing an operable and effective Facility Security Plan (FSP) as required by the physical security criteria set forth in the RMP. Facility Security Plan: An Interagency Security Committee Guide 1 Background 2 Applicability and Scope This document is issued pursuant to the authority granted to the Interagency Security Committee (ISC) in Executive Order (EO) 12977 as amended by Executive Order 13286. The EO directs the ISC to “…take such actions as may be necessary to enhance the quality and effectiveness of security and protection of Federal facilities.” The purpose of
  • 9. this document is to provide guidance for organizations in formulating and ultimately implementing an operable and effective Facility Security Plan (FSP). A Facility Security Plan is a critical component of an effective security program. The guidelines contained in this document are based on recognized industry best practices and provide broad recommendations for the protection of Federal facilities and Federal employees, contractors, and visitors within them. Facility Security Plan: An Interagency Security Committee Guide identifies and defines the basic guidelines and procedures used in establishing and implementing an FSP. This document is generally applicable to all buildings and facilities in the United States occupied by Federal employees, including: • Buildings and facilities owned or leased by the Federal government; • Federally leased rooms or suites within privately owned buildings; • Stand-alone Federal facilities; • Federal campuses; and • Individual facilities on Federal campuses and special-use facilities where appropriate. This document is intended to provide the initial guidance to be used by all agencies and facilities. When developing an FSP, departments and agencies may make the necessary adjustments to the basic guidelines and procedures presented to meet specific
  • 10. requirements or needs. Regardless of the FSP developed by an agency, it should have mechanisms in place to validate the plan’s effectiveness and manage its maintenance. This guidance may be used to assist Federal agencies in selecting, implementing, and evaluating appropriate protective measures and practices against identifiable security risks and threats; and to implement appropriate responses and countermeasures. When utilizing this guidance, an agency may choose to consider all or part of its overall facility security strategy. This document is not meant to supersede agency policies and funding guidelines, or impose any undue burdens on an agency. 2 Facility Security Plan: An Interagency Security Committee Guide Applicability and Scope 3 Document Control 3.1 Identification The document can be titled as the “Facility Security Plan” (FSP) or similar title as required by individual agency policy. 3.2 Storage and Distribution At a minimum, the FSP should be stored in an electronic format in a central location for ease of access. The Designated Official (DO) and other emergency management personnel (i.e. security organizations, facility managers, etc.) must have access to the document 24 hours a day.
3.3 Retention

Current copies of the Facility Security Plan should be retained for three years or until superseded. Where there are conflicts, the retention periods outlined in agency-specific requirements for storage, retention, disposition, and protection of FSPs supersede all other guidelines.

3.4 Disposition

The plan should be discarded in accordance with agency-specific policies for destruction, based on the overall classification of the document.

3.5 Protection and Classification

At a minimum, protect the FSP as “For Official Use Only” (FOUO) or in accordance with agency-specific classification guidelines. Consideration should be given to the sensitivity of a customized FSP developed by an individual agency or department (e.g., floor plans, specific facility information) and how this information should be protected. Plans including National Security Information (classified information) shall be classified in accordance with applicable classification standards, and access to the document shall be restricted to appropriately cleared personnel with a valid need-to-know.

4 Roles and Responsibilities for Plan Development

4.1 Facility Security Committee

The Facility Security Committee (FSC) is the committee responsible for addressing facility-specific security issues and approving the implementation of protective measures and practices. At facilities where an FSC is required in accordance with Interagency Security Committee (ISC) standards, the Facility Security Plan should be submitted to the FSC for review and approval prior to implementation. Additional guidance for FSC operations can be found in Appendix D of The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (RMP).

4.2 Designated Official

The Designated Official (DO) is the highest ranking official of the primary tenant agency of a Federal facility, or a designee as determined by individual agency policy. Alternatively, a designee may be selected by mutual agreement of tenant agency officials. The DO should be the final decision authority on any issues regarding the FSP.

4.3 Security Organization

The Security Organization (SO) is the government agency or internal agency component responsible for physical security at a specific facility. The SO also has the following responsibilities:

• Advise the FSC;
• Perform the Facility Security Level (FSL) assessment and present it to the FSC for review and approval;
• Prepare, present, and distribute a Facility Security Assessment (FSA) in accordance with the time intervals established by the ISC based on the FSL;
• Evaluate the facility to determine whether the baseline level of protection (LOP) is adequate or if a customized LOP is necessary;
• Present written plans for proposed countermeasures, identifying how they will mitigate the risks associated with specific, credible threats;
• Present written operating procedures for countermeasures;
• Present the written cost impact of proposed countermeasures; and
• Provide technical assistance and guidance to the FSC as appropriate.

4.4 Organizational Director of Security/Chief Security Officer

Security managers at the headquarters level are responsible for the effective implementation of security policies, programs, directives, and training within their organization. These managers should ensure there are policies and procedures in place to draft and implement organization-wide and/or site-specific Facility Security Plans.

4.5 Tenant Security Representative

The Tenant Security Representative is an individual appointed by their respective agency who is responsible for the implementation and administration of day-to-day security operations (including the FSP) at a specific site or facility. Depending on the facility or campus size, more than one representative may be necessary.

4.6 Tenant Managers/Supervisors

Tenant managers and supervisors are persons with supervisory responsibility for facility occupants. Tenant managers/supervisors should:

• Assist, as needed, in the implementation of security policies and programs; and
• Ensure facility occupants are aware of site-specific security and access control procedures and operational security protocols, and provide training as needed to meet this requirement.

4.7 Facility Occupant

A facility occupant is any person permanently or regularly assigned to the facility who displays the required identification badge/pass for access. The Facility Security Committee establishes thresholds for determining who qualifies for “occupant” status. All facility occupants should become familiar with their responsibilities within the FSP.

4.8 Financial Authority

The financial authority is an organizational element, usually at the headquarters level, responsible for finance and budget decisions. Organizations should obtain guidance from their respective financial authority on issues such as:

• Identifying available funding sources; and
• Coordinating funding documents to ensure mitigation of site-specific vulnerabilities or implementation of threat-based protective measures.

4.9 Chief Information Officer

The Chief Information Officer (CIO) is the person responsible for the management, implementation, and usability of information and computer technologies. Tenant CIO representatives can provide technical reviews when considering implementation or modification of security measures that require use of an information technology system (e.g., a physical access control system [PACS] or closed circuit television [CCTV]).

5 Plan Development

5.1 Risk Management Process

Implementing an effective Facility Security Plan (FSP) requires an understanding of events that could present a threat to personnel, operations, and information. Assessing and categorizing the consequences of these events is the basic function of a risk management process. Once risks to a facility are accurately assessed, the Facility Security Committee (FSC) can determine whether the countermeasures in place are adequate to address or mitigate those risks, or whether additional procedural, programmatic, or physical security countermeasures must be implemented.

5.1.1 Process

Agencies may utilize any agency-approved risk management methodology to perform the risk assessment. The methodology used should adhere to the fundamental principles of a sound risk management methodology and be:

• Credible, assessing the threat, vulnerability, and consequences of specific acts;
• Reproducible, producing similar or identical results when applied by various security professionals; and
• Defensible, providing sufficient justification for deviation from the baseline.

The methodology should also develop actions to reduce risk to an acceptable level and incorporate the Interagency Security Committee standard for identifying the necessary level of protection (LOP) to mitigate security risks. The ISC Risk Management Process (RMP) presents a process that corresponds directly to the ISC Physical Security Criteria and provides a step-by-step method to provide the FSC with an assessment of key security risks, necessary measures (in accordance with applicable threat events), and options that meet ISC standards. The following sub-sections (5.1.1.1 through 5.1.1.4) outline the key elements of this process.

5.1.1.1 Threat Assessment
A threat assessment is the process of identifying or evaluating entities, actions, or occurrences (natural or man-made) that possess or indicate the potential to harm or destroy government assets.[1] A threat assessment considers the full spectrum of threats (i.e., natural, criminal, terrorist, accidental, etc.) for a given facility/location. Threat data can be derived from various resources, including security organizations, intelligence community reports and assessments, and state and local authorities. The ISC publishes the Design-Basis Threat Report (DBT), which is used to identify a broad range of threats to Federal facilities and is updated regularly based on threat trends and the data provided. This report can be utilized in conjunction with other threat assessment and agency/site-specific data, or used to determine a baseline threat if timely data and intelligence resources are not readily available.

There are a variety of threats and resources to consider when conducting a threat assessment. For natural hazards, historical data and future trend analysis concerning the frequency of occurrence of natural disasters such as tornadoes, hurricanes, floods, fires, or earthquakes can be used to determine the likelihood of the given threat. For criminal threats, the crime rates in the surrounding area provide a good indicator of the type of criminal activity that may put the facility at risk. In addition, the type of assets and/or activities housed in the facility may also increase the target attractiveness in the eyes of an aggressor. The type of assets and/or activities at the facility will also relate directly to the likelihood of various types of accidents. For example, a facility using heavy industrial machinery will be at higher risk for serious or life-threatening job-related accidents than a typical office building. For terrorist threats, the symbolic value of the facility as a target is a primary consideration. In addition, the type of terrorist act may vary based on the potential adversary and the method of attack most likely to be successful for a given scenario.

[1] As defined in the DHS Risk Lexicon.

5.1.1.2 Consequence (Criticality) Assessment

A consequence assessment is the process of identifying or evaluating the potential or actual effects of an event, incident, or occurrence.[2] Determining the relative importance to the tenant’s mission provides the security manager with an understanding of how to develop an effective protection strategy. The ISC process incorporates a consequence assessment within the Facility Security Level (FSL) determination process by evaluating tenant data such as population, square footage, and mission-related information. This is then adjusted according to an impartial, documented, and defensible assessment addressing the occurrence of a specific undesirable event and the tenant agency’s ability to continue its mission should that event occur. The results of a consequence assessment can also be used to inform the prioritization of resources.

5.1.1.3 Vulnerability Assessment

Once credible threats are identified, a vulnerability assessment must be performed. A vulnerability assessment is the process of identifying physical features or operational attributes that may render an entity, asset, system, network, or geographic area susceptible or exposed to hazards.[3] Existing countermeasures must be compared to those stipulated by the baseline LOP, given the Facility Security Level, to determine if deficiencies exist. The lack of appropriate and/or effective countermeasures equates to a vulnerability. Site-specific vulnerability assessment data must be protected in accordance with appropriate agency guidance.

5.1.1.4 Risk Assessment

After the above data are considered, a risk assessment can be conducted. Assessing risk is the process of collecting information and assigning values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making.[4] To assess risk effectively, timely, reliable, and actionable information regarding threats, vulnerabilities, and consequences is needed. Factors such as the likelihood of an undesirable event and the consequence(s) of the event’s occurrence can then be quantified. The method of determining and quantifying risk is dictated by the organization performing the assessment, usually a security organization.
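The four steps of 5.1.1.1 through 5.1.1.4, carried through as a worked example. This block is an added illustration and is not code from the ISC guide or the RMP. Because the guide leaves the quantification method to the assessing organization, everything numeric here is an assumption: the 1 to 5 likelihood and consequence scales, deriving vulnerability from the gap between the LOP delivered by existing countermeasures and the baseline LOP, the likelihood x vulnerability x consequence formula, and the score bins that map onto the guide's Level I (Low Risk) to Level V (Very High Risk) scale. The undesirable events are constructed sample input. What the example does show is the shape of a credible, reproducible, and defensible assessment: every score traces back to three recorded inputs, the same inputs yield the same register regardless of the order events are entered, and any event whose countermeasures fall short of the baseline LOP is flagged for the documented risk acceptance the guide calls for.

```python
"""Illustrative facility risk assessment in the shape of ISC RMP steps 5.1.1.1-5.1.1.4.

Added example, not code from the ISC guide or the RMP. The scales, the scoring
formula and the Level I..V bins are assumptions; the ISC leaves the
quantification method to the assessing organization.
"""
from dataclasses import dataclass
from typing import Optional

# LOP scale from the guide's glossary: Minimum, Low, Moderate, High, Very High.
LOP = {"Minimum": 1, "Low": 2, "Moderate": 3, "High": 4, "Very High": 5}

# Assumed bins over the product range 1..125, mapped onto the guide's
# Level I (Low Risk) .. Level V (Very High Risk) scale.
LEVEL_BINS = ((8, "I"), (24, "II"), (48, "III"), (80, "IV"), (125, "V"))


@dataclass(frozen=True)
class UndesirableEvent:
    name: str
    likelihood: int              # threat assessment (5.1.1.1): 1 = remote .. 5 = expected
    consequence: int             # consequence assessment (5.1.1.2): 1 = negligible .. 5 = mission loss
    required_lop: str            # baseline LOP stipulated for the facility's FSL
    existing_lop: Optional[str]  # LOP delivered by countermeasures in place; None = nothing in place

    def __post_init__(self):
        # Reject out-of-scale inputs up front so a bad entry cannot silently skew the register.
        for field_name in ("likelihood", "consequence"):
            value = getattr(self, field_name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be an integer 1..5, got {value!r}")
        if self.required_lop not in LOP:
            raise ValueError(f"unknown LOP {self.required_lop!r}")
        if self.existing_lop is not None and self.existing_lop not in LOP:
            raise ValueError(f"unknown LOP {self.existing_lop!r}")


def vulnerability(event: UndesirableEvent) -> int:
    """Vulnerability (5.1.1.3) as the shortfall between existing and baseline LOP.

    1 = countermeasures meet or exceed the baseline; 5 = nothing in place
    against a Very High requirement.
    """
    existing = LOP[event.existing_lop] if event.existing_lop else 0
    gap = max(0, LOP[event.required_lop] - existing)
    return 1 + min(gap, 4)


def risk_score(event: UndesirableEvent) -> int:
    """Assumed formula: likelihood x vulnerability x consequence, range 1..125."""
    return event.likelihood * vulnerability(event) * event.consequence


def risk_level(score: int) -> str:
    """Map a score onto Level I .. Level V using the assumed bins."""
    for upper, level in LEVEL_BINS:
        if score <= upper:
            return level
    raise ValueError(f"score out of range: {score}")


def assess(events) -> list:
    """Build the risk register (5.1.1.4), highest risk first.

    Events whose countermeasures fall short of the baseline LOP are flagged so
    the documented risk acceptance the guide asks for is not overlooked.
    """
    register = []
    for ev in events:
        score = risk_score(ev)
        deficient = vulnerability(ev) > 1
        register.append({
            "event": ev.name,
            "score": score,
            "level": risk_level(score),
            "lop_deficiency": deficient,
            "acceptance_required": deficient,
        })
    # Sort by score then name so two assessors with the same inputs get the same order.
    return sorted(register, key=lambda r: (-r["score"], r["event"]))


# Constructed sample input; not drawn from any real facility or assessment.
SAMPLE_EVENTS = (
    UndesirableEvent("Workplace violence", 3, 5, "High", "Minimum"),
    UndesirableEvent("Unauthorized entry via lobby", 4, 3, "Moderate", "Moderate"),
    UndesirableEvent("Vehicle-borne explosive at loading dock", 2, 5, "High", "Low"),
    UndesirableEvent("Tornado", 3, 4, "Low", None),
)

if __name__ == "__main__":
    for row in assess(SAMPLE_EVENTS):
        flag = "  [below baseline LOP: document risk acceptance]" if row["lop_deficiency"] else ""
        print(f"Level {row['level']:<3} score {row['score']:>3}  {row['event']}{flag}")
```

Running the block prints the register for the four constructed events, with the deficient ones flagged. The input validation in the dataclass and the deterministic sort are the parts worth keeping whatever formula an agency adopts: they are what make the result reproducible across assessors and defensible when a deviation from the baseline has to be justified to the FSC.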
The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard quantifies risk from Level I (Low Risk) to Level V (Very High Risk). The risk assessment should, as much as possible, conform to ISC standards. For example, the assessment should identify whether the facility meets the ISC countermeasures criteria, or document the risk management strategy used to mitigate any deficiencies to achieve the necessary level of protection. The assessment should incorporate some form of documentation acknowledging the risks associated with the implementation of countermeasures that do not achieve the necessary LOP. Organizations must periodically re-assess at predetermined intervals according to the established FSL, or as changes occur to threat, vulnerability, or consequence factors.

[2] As defined in the DHS Risk Lexicon.
[3] As defined in the DHS Risk Lexicon.
[4] As defined in the DHS Risk Lexicon.

5.2 Elements of a Facility Security Plan

The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard is the key starting point for the development of a Facility Security Plan. Once the RMP is applied, other critical elements can be added to make the plan a more robust document. The elements listed in this section are recommendations that should be considered when developing an FSP. Additional items that are not included in this document may be included in the plan based on the needs of the facility or tenant organizations. The level of detail to which the plan is written may vary based on the nature of the facility (e.g., Level I facilities may have an abbreviated document). The Facility Security Committee will make final determinations of the content of the facility’s final, comprehensive plan. A sample plan template is provided in Appendix A.

5.2.1 Facility Profile

The facility profile should provide a description of the facility, including the following:

• Type of facility (e.g., single or multi-story, campus, mixed-use, etc.);
• Population (e.g., single or multi-tenant, Federal and/or non-Federal, child care center, visitors, etc.);
• Mission and critical functions conducted at the facility (e.g., administration, operations center, classified information, continuity of operations [COOP] site, etc.);
• Utilities (e.g., power, water, gas, communications, etc.); and
• The most current facility diagrams, construction documents, and specifications.
5.2.2 Roles and Responsibilities

Identify facility-specific positions and explain roles and responsibilities for security-related tasks. Include who is responsible for preparing and approving the plan. Also include contacts for all first-responder and/or support organizations responsible for securing the facility (e.g., local law enforcement, security organization(s), and building management), requirements based on the Occupant Emergency Program or Plan(s) (OEP), and applicable memoranda of understanding (MOU)/memoranda of agreement (MOA).

5.2.3 Risk Management Strategy

Utilizing information from the RMP, outline and prioritize threats to the facility, tenant agencies, and/or operations, and prepare an overview of the strategies used to mitigate them. Explain any risks accepted as part of the risk management process and any possible consequences.

5.2.4 Security Countermeasures

Identify and describe in detail all current and planned security countermeasures (including floor plans when available) to address all identified threats. The list can be derived from the ISC RMP or other similar agency-specific criteria. As much as possible, ensure countermeasures are scalable to allow for an increased or decreased security posture as the threat evolves (e.g., changes in the National Terrorism Advisory System or Force Protection Conditions).

5.2.5 Maintenance, Repair, and Testing Procedures

Describe in detail the requirements for operator and manufacturer maintenance/repair of security countermeasures. Outline a testing schedule to be performed by the security manager at Level IV and V facilities.

5.2.6 Incident Response Management and Procedures

Describe in detail the procedures for responding to security incidents and emergencies. Details should include:

• Reporting: How do employees report incidents? Do they call an internal operations center or 911?
• Notification: How are first responders and facility occupants notified that an incident is taking place or has occurred? How are changes in the facility’s security posture communicated?
• Response: Who should respond and how should they respond? What is the chain of command?
    o Law Enforcement/Security Organizations
    o Fire Department
    o Medical
    o Alarm Response
• Recovery: Once incident response is terminated, what is the process to resume normal operations?
• Documentation: How is an incident documented? Where is the information maintained? Who has authorized access to that information?

5.2.7 Facility Specific Policies

Include any unique requirements to address issues such as landlord/tenant agreements or special missions (e.g., classified areas, operations centers, network control centers, child care centers).

5.2.8 Special Events

Protocols should be included to manage requirements for special events, such as temporary increases in population, traffic/parking control, and the media.

5.2.9 Information Security

Address issues related to the protection of sensitive but unclassified information as well as classified information, if applicable.

5.2.10 Cyber Security

Collaborate with all tenant Chief Information Officers to develop a plan for the physical and logical protection of the information technology systems and equipment associated with security countermeasures.
5.2.11 Government Property

Include procedures to control pilferage, destruction, and disposal of government-owned property.

5.2.12 Training and Exercising the Plan

Develop a strategy or program to train personnel and exercise all aspects of the FSP. Exercises simulate realistic, fluid situations in which critical decision-making tools are applied and occupants are familiarized with the Facility Security Plan. Exercises help to broaden understanding of the plan and identify areas for improvement. These exercises can be table-top exercises, drills, or full-scale exercises and should be coordinated with Occupant Emergency Program or Plan (OEP) requirements.

5.2.13 Program Review

Provide program review guidelines within the plan. It cannot be overstated that the FSP and security program are ultimately the responsibility of senior leadership and/or the Facility Security Committee. These officials have the authority and responsibility to alter or add to the program as deemed necessary to accommodate tenant needs and operational constraints. Program reviews should be conducted at least annually.

5.2.14 Resource Support

Outline fiscal instructions on how funding support is obtained to sustain security operations from pre-incident to post-incident.

6 Training and Exercises

6.1 Training

All occupants should be familiar with and trained on the Facility Security Plan (FSP). Any personnel holding key positions, as identified in the FSP, should be trained in their assigned duties. Organizational security directors, with assistance from Tenant Security Representatives, are responsible for this training, as indicated in section 4.4. The security organization associated with the facility and any assigned security specialists may also provide assistance, such as preparing a training plan and recommending training materials.

6.2 Exercises

Exercises are an effective and cost-efficient method of validating FSPs, identifying areas for improvement, and soliciting feedback from those who will be executing security plans.

• Exercises may be:[5]
    o Discussion-based (e.g., seminars, workshops, table-top exercises); or
    o Operations-based (e.g., drills, functional exercises, full-scale exercises); or
    o Any combination of the two.
• Exercises may be facility-specific or part of a cooperative exercise program.
• All aspects of the FSP should be exercised, including testing communication and notification procedures, elements of coordination, resource availability, and response.
• At a minimum, the FSP should be exercised annually, with participation at all levels from the security organization to facility occupants.

[5] Homeland Security Exercise and Evaluation Program (HSEEP), April 2013.

6.3 Occupant Emergency Plan Exercise Coordination

All aspects of the Facility Security Plan should be matched against the current Occupant Emergency Program or Plan(s) (OEP) for the facility. This will ensure that all pertinent security and emergency items are included. A review of the FSP and OEP should also ensure that the Facility Security Committee, Tenant Security Representatives, and other key personnel with assigned duties under the FSP and/or OEP are not overly tasked and do not have responsibilities that require them to be in two places at the same time. Close coordination between the developers of the OEP and the FSP is essential to ensure that both plans complement each other.

7 Plan Maintenance

The Facility Security Plan should be reviewed at a minimum annually, or as required when significant changes to the tenant mission, facility population, site composition, or threat occur. Review exercise documentation to ensure lessons learned are addressed and incorporated.

8 References and Resources

1. The Risk Management Process: An Interagency Security Committee Standard
2. The Risk Management Process: An Interagency Security Committee Standard, Appendix A: Design Basis Threat Report (FOUO)
3. The Risk Management Process: An Interagency Security Committee Standard, Appendix B: Countermeasures (FOUO)
4. The Risk Management Process: An Interagency Security Committee Standard, Appendix D: How to Conduct a Facility Security Committee
5. Best Practices for Mail Handling Processes: A Guide for the Public and Private Sectors
6. Federal Protective Service Facility Security Assessment Manual 15.8.1.1, March 2014
7. Homeland Security Exercise and Evaluation Program (HSEEP), April 2013
8. DHS Risk Lexicon, September 2008

9 Interagency Security Committee Participants

Interagency Security Committee
Bernard Holt, Deputy Executive Director

Interagency Security Committee Representative
Anthony Evernham

Working Group Chair
Marcus James, Executive Office of the President, Office of Administration

Working Group Participants
Dwayne Deaver, Department of Justice
Glen Legus, United States Marshals Service
Brett Knutson, United States Marshals Service
Dave Lively, Department of State
Joseph Cassone, Pentagon Force Protection Agency
Shawn Frensley, Pentagon Force Protection Agency
Raymond Gauvin, Federal Protective Service

List of Abbreviations/Acronyms/Initializations

TERM    DEFINITION
CCTV    Closed Circuit Television
CIO     Chief Information Officer
COOP    Continuity of Operations
DBT     Design Basis Threat
DHS     Department of Homeland Security
DO      Designated Official
DOJ     Department of Justice
EO      Executive Order
FOUO    For Official Use Only
FSA     Facility Security Assessment
FSC     Facility Security Committee
FSL     Facility Security Level
FSP     Facility Security Plan
HSEEP   Homeland Security Exercise and Evaluation Program
ISC     Interagency Security Committee
LOP     Level of Protection
MOA     Memorandum of Agreement
MOU     Memorandum of Understanding
OEP     Occupant Emergency Program or Plan
PACS    Physical Access Control System
RMP     The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard
SO      Security Organization

Glossary of Terms

Building: An enclosed structure (above or below grade).

Building Entry: An access point into, or exit from, the building.

Campus: Two or more Federal facilities located on the same site and typically sharing some aspects of the environment, such as parking, courtyards, private vehicle access roads, or gates and entrances to connected buildings. A campus also may be referred to as a “Federal center” or “complex”.

Consequence: The level, duration, and nature of the loss resulting from an undesirable event.

Countermeasure: A specific action taken to mitigate an undesirable event.

Criticality: Any facility, equipment, service, or resource considered essential to operations and warranting measures and precautions to ensure its continued efficient operation; protection from disruption or degradation; and timely restoration.

Exercise: An instrument to train for, assess, practice, and improve performance in prevention, protection, mitigation, response, and recovery capabilities in a risk-free environment.
  • 32. Exterior: Area between the building envelope and the site perimeter. Facility: Space built or established to serve a particular purpose. The facility is inclusive of a building or suite and associated support infrastructure (e.g., parking or utilities) and land. Facility Security Assessment: The process and final product documenting an evaluation of the security-related risks to a facility. The process analyzes potential threats, vulnerabilities, and estimated consequences culminating in the risk impacting a facility using a variety of sources and information. Facility Security Committee: A committee that is responsible for addressing facility-specific security issues and approving the implementation of security measures and practices. The Facility Security Committee (FSC) consists of representatives of all Federal tenants in the facility, the security organization, and the owning or leasing department or agency. In the case of new construction or pending lease actions, the FSC will also include the project team and the planned tenant(s). The FSC was formerly known as the Building Security Committee “BSC.” Facility Security Level: A categorization based on the analysis of several security-related facility factors, which serves as the basis for the implementation of physical security measures specified in ISC standards. Facility Security Plan: A plan that provides direction to key personnel on the security management and policies of a building or facility. Federal Departments or Agencies: Those executive departments
  • 33. enumerated in 5 U.S.C. 101 and DHS, independent establishments as defined by 5 U.S.C. 104(1), Government corporations as defined by 5 U.S.C. 103(1), and the U.S Postal Service. Federal Facilities: Leased and owned facilities in the United States (inclusive of its territories) occupied by executive branch Federal employees for nonmilitary activities. Government-Owned: A facility owned by the United States and under the custody and control of a Federal department of agency. Interior: Space inside a building controlled or occupied by the Government. 16 Facility Security Plan: An Interagency Security Committee Guide Glossary of Terms Level of Protection (LOP): The degree of security provided by a particular countermeasure or set of countermeasures. Levels of protection used in this Standard are Minimum, Low, Moderate, High, and Very High. Level of Risk: The combined measure of the threat, vulnerability, and consequence posed to a facility from a specified undesirable event. National Terrorism Advisory System (NTAS): This system effectively communicates information about terrorist threats by providing timely, detailed
  • 34. information to the public, government agencies, first responders, airports and other transportation hubs, and the private sector. These alerts will include a clear statement that there is an imminent threat (warning of a credible, specific, and impending terrorist threat against the United States) or elevated threat (warns of a credible terrorist threat against the United States). Using available information, the alerts will provide a concise summary of the potential threat, information about actions being taken to ensure public safety, and recommend steps that individuals, communities, businesses and government can take to help prevent, mitigate or respond to the threat. Occupant: Any person who is permanently or regularly assigned to the government facility and displays the required identification badge/pass for access. The facility security committee establishes the thresholds for the determining who qualifies for “occupant” status. Risk: A measure of potential harm from an undesirable event that encompasses threat, vulnerability, and consequence. Risk Acceptance: The explicit or implicit decision not to take an action that would affect all or part of a particular risk. Risk Assessment Report: The documentation of the risk assessment process to include the identification of undesirable events, consequences, and vulnerabilities and the recommendation of specific security measures commensurate with the level of
  • 35. risk. Risk Management: A comprehensive approach to allocating resources for the protection of a facility, assets, and occupants to achieve an acceptable level of risk. Risk management decisions are based on the application of risk assessment, risk mitigation, and – when necessary – risk acceptance. Security Organization: The Government agency or an internal agency component responsible for physical security for the specific facility. Site: The physical land area controlled by the Government by right of ownership, leasehold interest, permit, or other legal conveyance, upon which a facility is placed. Site Entry: A vehicle or pedestrian access point into, or exit from, the site. Site Perimeter: The outermost boundary of a site. The site perimeter is often delineated by the property line. Special-Use Facilities: An entire facility or space within a facility itself that contains environments, equipment, or data normally not housed in a typical office, storage, or public access facilities. Examples of special-use facilities include, but are not limited to, high-security laboratories, hospitals, aircraft and spacecraft hangars, or unique storage facilities designed specifically for such things as chemicals and explosives. Suite: One or more contiguous rooms occupied as a unit.
  • 36. Facility Security Plan: An Interagency Security Committee Guide 17 Glossary of Terms Threat: The intention and capability of an adversary to initiate an undesirable event. Undesirable Event: An incident that has an adverse impact on the operation of the facility or mission of the agency. Visitor: Any person entering a government facility that does not possess the required identification badge or pass for access or who otherwise does not qualify as an “occupant”. Vulnerability: A weakness in the design or operation of a facility that an adversary can exploit. 18 Facility Security Plan: An Interagency Security Committee Guide Glossary of Terms Appendix A: Facility Security Plan Template The following pages contain a basic Facility Security Plan template that meets the requirements outlined in Appendix B of The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard. Facility Security Plan: An Interagency Security Committee Guide 19
[Insert Agency/Facility Name]
Facility Security Plan
Date: [For tracking updates]

1. Introduction

This Facility Security Plan (FSP) outlines the procedures and measures employed by [agency/facility name] to address security needs at various risk levels and respond effectively during instances when undesirable events occur. In addition, this document contains a wealth of information unique to this facility and its occupants that should be used in conjunction with the Occupant Emergency Plan (OEP) [and/or other applicable plan(s)].

2. Facility Profile

[Provide a description of the facility including the physical address for first responders.]

Facility Type:
• Mixed-Tenant: A facility that includes one Federal tenant as well as non-Federal tenants, including commercial and State/local government tenants.
• Mixed-Multi-Tenant: A facility that includes tenants from multiple Federal departments and agencies as well as one or more non-Federal tenants.
• Multi-Tenant: A facility that includes tenants from multiple Federal departments and agencies but no non-Federal tenants.
• Single-Tenant: A facility that only includes one Federal tenant or multiple components of the same Federal department or agency that fall under one “umbrella” for security purposes.
• Special-Use: An entire facility or space within a facility that contains environments, equipment, or data normally not housed in typical office, storage, or public access facilities. Examples of special-use facilities include, but are not limited to, high-security laboratories, hospitals, aircraft and spacecraft hangars, or unique storage facilities designed specifically for such things as chemicals and explosives.

Construction: Describe the physical construction of the facility. Attach floor plans or describe the location where floor plans are located.

Facility Security Level: A categorization based on the analysis of several security-related facility factors, which then serves as the basis for the implementation of certain protective security measures specified in other ISC standards.

Population: How many employees/contractors/daily visitors to the facility? List all tenant agencies and points of contact for each.

General functions performed at the facility: What functions are performed at this facility (e.g., administration, operations center, child care, etc.)?

Essential functions: List essential government functions (e.g., provide vital services, exercise civil authority, maintain the safety and well-being of the general populace, sustain the industrial/economic base in an emergency, etc.).

Utilities: List all utilities used at the facility (include the provider’s name and contact information) and details of how they enter and are distributed throughout the facility. Identify procedures to mitigate the effects of service interruption or contamination.

Sample Description Spreadsheet:

General Facility Description:
Lessor’s Name:
Contact Number:
Lessor’s Address:
Lessor’s City: / State: / Zip:
Building Management Name:
Building Management POC: / Title: / Contact Number: / e-mail address:
Date Building was constructed:
Total Square Footage:
Lease Footage:
Total Number of Floors above Ground:
Total Number of Floors below Ground:
Total Number of Occupants in Bldg.:
Total Number of Daily Visitors for Bldg.:
Total Number of Occupants in Component’s Space:
Total Number of Daily Visitors for Space:
General Hours of Operation for the Building: / Notes:
General Hours of Operation for the Component Space: / Notes:
Distance in feet from the building to the nearest public street:
Distance in feet from the building to the nearest public on-street parking:
Distance in yards from the building to the nearest public Parking Lot:
Facility Structure Information: i.e., composition of walls, slabs, roof (brick, block, concrete [pre-cast or poured]), metal panels, glass exterior, metal framing or reinforced concrete.
Building Facade: i.e., composition of walls (brick, block, concrete [pre-cast or poured]), metal panels, glass exterior, metal framing or reinforced concrete.

3. Roles and Responsibilities

List key positions with responsibility to execute this plan, to include facility occupants and public affairs personnel. Also include contact information for each key individual.

Security Organization: The government agency or an internal agency component responsible for physical security at the facility (e.g., Federal Protective Service, United States Marshals Service, U.S. Environmental Protection Agency’s Security Management Division).

4. Risk Management Strategy

Utilizing information derived from the Risk Management Process (RMP), outline and prioritize threats to the facility, tenant agencies, and/or operations, and develop an overview of the strategies used to mitigate them. Explain any risks that have been accepted as part of the risk management process and any potential consequences.

5. Security Countermeasures

Describe in detail all current and planned countermeasures (both physical and procedural) to address all identified threats. Consider scalable actions to allow for increases and decreases in security posture as the threat level changes.

Security of Facility Exterior Areas (public areas outside the building):
A. Security at all pedestrian entrances:
1. Consideration should be given to reducing the number of public entrances if there are too many to ensure security. This may require approval from the building manager.
2. Consider the use of metal detectors and X-ray machines at pedestrian/public entrances.
3. Security screening may be done at employee entrances; however, because not all facilities have restricted entrances for employees, the merits of this precaution need to be evaluated for each facility.
B. Security at vehicle entrances:
1. Describe the security available for employee vehicles parked inside and outside the building.
2. Numbers, not names or agency identification, should be used to indicate reserved parking spaces.
3. Security officers and/or security devices that may be used at vehicle entrances.
C. The overall physical security of the building should be considered, especially windows, doors, utility grates, and air intakes at or near ground level.
D. Appropriate security responses to disturbances in this area should be developed.

Security of Facility Interior Areas (public areas inside the building, excluding Critical Areas):
A. Location, level, and adequacy of security provided in this area;
B. Access control procedures; and
C. Mail handling procedures.

Security of Critical/Restricted Areas (Limited Access or Exclusionary Zones):
A. Location, level, and adequacy of security provided in this area; and
B. Access control procedures.

6. Countermeasure Maintenance, Repair, and Testing

Describe in detail requirements for operator and manufacturer maintenance and repair of security countermeasures. Outline the testing schedule performed by the security manager at Level IV and V facilities.

7. Incident Response Management

Describe procedures for responding to security incidents and emergencies.
A. Reporting: How do employees report incidents? Do they call an internal operations center or 911?
B. Notification: How are first responders and the facility occupants notified that an incident has occurred or is in progress?
C. Response: Who should respond and how should they respond? What is the chain of command?
• Law Enforcement/Security Organizations
• Fire Department
• Medical
• Alarm Response
D. Recovery: Once an incident response is terminated, what is the process to resume normal operations? Consider employee, facility, and process recovery procedures.
E. Documentation: How is an incident documented, where is the information maintained, and who has authorized access to it?

8. Facility-Specific Policies

Specify any unique requirements to address issues such as landlord/tenant agreements or special missions (i.e., classified areas, operations centers, and network control centers).

9. Special Events

Additional protocols should be included to address requirements for special events such as temporary increases in population, traffic/parking control, and the media.

10. Information Security

Address issues related to the protection of sensitive but unclassified information (also known as controlled unclassified information) as well as classified information, if applicable.

11. Cyber Security

Collaborate with all tenant Chief Information Officers (CIO) or office representatives to develop a plan to address the physical and logical protection of information technology systems and equipment associated with security countermeasures.

12. Government Property

Procedures to control pilferage, destruction, and disposal of government-owned property.

13. Training

Describe plans and procedures for training employees and managers and coordination with first responders for execution of this plan.

14. Exercises

Describe the participants, type, frequency, and how exercises will be executed and documented. Exercises can be coordinated and conducted in conjunction with OEP requirements.

15. Plan Review

Outline program review and approval guidelines.

16. Resource Support

Fiscal instructions on how funding support is gained to sustain security operations from pre-incident to post-incident.

Approved by: [Signature of Approving Authority]
NAME
TITLE

Laptop theft: a case study on effectiveness of security mechanisms in open organizations

Trajce Dimkov, Wolter Pieters, Pieter Hartel
Distributed and Embedded Security Group
University of Twente, The Netherlands
{trajce.dimkov, wolter.pieters, pieter.hartel}@utwente.nl

Abstract: Organizations rely on physical, technical and procedural mechanisms to protect their physical assets. Of all physical assets, laptops are probably the most troublesome to protect, since laptops are easy to remove and conceal. Organizations open to the public, such as hospitals and universities, are easy targets for laptop thieves, since every day hundreds of people not employed by the organization wander around the premises. The problem security professionals face is how to protect the laptops in such open organizations.
  • 48. In this study, we look at the effectiveness of the security mechanisms against laptop theft in two universities. We analyze the logs from laptop thefts in both universities and complement the results with penetration tests. The results from the study show that surveillance cameras and access control have a limited role in the security of the organization and that the level of security awareness of the employees plays the biggest role in stopping theft. The results of this study are intended to aid security professionals in the prioritization of security mechanisms. Keywords: laptop theft, case study, penetration tests, phys- ical security, security awareness. I. Introduction Of all physical assets, laptops are particularly hard to protect. Laptops are mobile, easily concealable, there is a big market to sell the hardware and there can be hundreds of them in a single building. With the increased data storage capabilities of laptops, the loss of even a single laptop can induce dramatical costs to the organization [1]. Thus, although there can be a large number of laptops in an organization, losing even a single laptop may not be acceptable. Organizations open to the public are particularly at risk from laptop theft. Hospitals and universities, for example, accept hundreds of people that can wander in the premises every day. Marshall et al. [2] stress that 46% of data breaches occur in institutions open to the public: education, health care and the government. Laptops containing sensitive medical or academic data become highly vulnerable in these environments.
  • 49. The problem security professionals face is how to protect the laptops in such open organizations. There are three types of security mechanisms to secure laptops This research is supported by the Sentinels program of the Tech- nology Foundation STW, applied science division of NWO and the technology programme of the Ministry of Economic Affairs under project number TIT.7628. in a buildings: physical, technical and procedural mech- anisms. Physical mechanisms, such as doors and cam- eras, physically isolate the thief from the laptop and/or identify her in case of an incident. Technical mechanisms such as laptop tracking and remote data deletion protect the laptop and the data in the laptop by using software. Procedural mechanisms such as organizational policies and rules decrease the number of mistakes by employees and increase the resilience of employees toward social engineering. The contribution of this paper is evaluation of the ex- isting security mechanisms for protecting laptops based on (1) logs of laptop thefts which occurred in a period of two years in two universities in Netherlands, and (2) 14 penetration tests in the same universities, where the goal was to gain possession of a marked laptop from an employee unaware of the penetration test. We look at all successful and unsuccessful laptop thefts and provide a guideline of which mechanisms should be considered first in implementing security mechanisms. The outline of the rest of the paper is as follows. In section 2 we introduce related work. In section 3 we
  • 50. evaluate the logs of the laptop thefts and in section 4 we describe the penetration tests and the results from the tests. Section 5 summarizes our conclusions and suggests a guideline for which mechanisms should be considered first in adding security mechanisms. Section 6 concludes the paper. II. Related Work Protection against laptop theft is researched by the computer science and the crime science community. In the computer science community, the accent is on protecting the data residing in the laptop and finding the location of the stolen laptop. Several security products, such as TrueCrypt1 and BitLocker2 provide encryption for the whole hard drive. A few manufactures even pro- duce self-encrypting hard drives where the encryption key never leaves the drive [3, 4]. These approaches suffer from two problems. First, when the thief has physical possession of the laptop, she can always successfully 1www.truecrypt.org 2blogs.technet.com/bitlocker Locked office Open office Restricted location Public location No details Total (burglary) Stolen laptops 18 11 2 27 1 59 Cut Kensington locks 1 5 0 1 0 7 Other physical damage 16 0 0 0 0 16 Figure 1. Information from the logs. The logs from both
  • 51. universities are merged to anonymize the data. execute a number of attacks [5, 6, 7]. Second, these approaches seem to ignore the human element, or more precisely, induce performance overhead and decrease the usability of the laptop. A recent study by Panemon [8] shows that the majority of non-IT individuals, even when provided with an encrypted laptop, turn off the encryption software. A number of tracking applications, such as Adeona [9] and LoJack [10], can track the location of the laptop they are installed on. In case of theft, these solutions use Internet to provide the owner with the current location of the laptop. These solutions suffer from two problems: (1) if the goal of the theft is obtaining data from the laptop, the thief might never connect the laptop to Internet and (2) the thief may remove the application by flashing the BIOS and/or formating the hard drive, making the tracking impossible. The approach from the crime science community is more general, and considers the laptop and its environ- ment. The goal in this field is to prevent a thief from stealing the laptop in the first place, by either changing the environment surrounding the laptop or by creating situations that will deter a thief [11]. Kitteringham [12] provides a a list of 117 strategies how to prevent a laptop theft. The strategies include implementation of physical, technical and procedural mechanisms. The list is quite elaborate, although the effectiveness of these mechanisms of each of them is unclear. Willison and Sipnonen [13] use 25 techniques [11] on how the environment can reduce the risk of theft and link them with attack scripts. These results are used to
  • 52. understand how a specific class of attacks could have been stopped. Similarly, we also link these techniques with attack scripts, but we look at which mechanisms were in place and which failed to protect the laptops. There are few reports which analyze laptop theft. These reports focus on the money loss from a stolen laptop [1] and the frequency of laptop theft and the most affected sectors [2]. Our results are complementary, and look at the effectiveness of conventional security mechanisms in stopping laptop theft. III. Methodology We used two approaches to look at the security mech- anisms in use and their effectiveness. First, we looked at logs of the laptop thefts in two universities in Netherlands. From the logs we got in- formation about: the main reason for the laptop theft, alarms raised by the theft and the role of technical and physical mechanisms in securing the laptop and finding the thief, such as access control and surveillance cameras. However, the logs provide limited information about the level of security awareness of the employees. In par- ticular, the logs do not provide any information of pos- sible violation of the procedural security mechanisms, such as letting strangers inside an office and sharing credentials between employees. Therefore, as a second step, we orchestrated 14 pene- tration tests where we used social engineering to steal a laptop.
  • 53. A. Log analysis In a period of two years, the universities reported 59 laptop thefts (Figure 1 and 2). A sample log is shown in Appendix A. The logs from the thefts provide (1) the location from where the laptop was stolen, (2) protection mechanisms on the laptop, and (3) how the theft was discovered. ���������� �� �� ��������� ���� ��������� ��������� �!"�#$!%&� '! ()#�$�*+ Figure 2. In majority of the cases, the theft occurred because the employee either left the laptop in a public location or forgot to lock the office door. 1) Location of the theft: In 46% of the thefts, the laptop was stolen when the employee left it unattended in a public location, such as a cafeteria or meeting room. In 19% of the cases, the theft occurred when the employee left the office for a short period of time without locking the door. Figure 3. During three of the laptop thefts the students produced a fake e-mail giving them permission to take a laptop and went to the janitor. When the third team approached the janitor, he just gave them the keys and let the students go alone in the office.
  • 54. In 30% of the thefts, the thief broke into a locked office either by forcing the door or breaking a window. In two of these burglaries there is no evidence of used force, and the guards assumed the thief used a master key or other credential to gain access. These two cases are targeted thefts, since the thief stole only a laptop and nothing else. 2) Protection mechanisms on the laptop: From the logs we could not deduce if any software protected the laptop. In five of the thefts that occurred in an unlocked office, the laptop was locked with Kensington lock. Only one of the laptops stolen in a public location was locked with a Kensington lock. 3) Theft discovery: The majority of the thefts (93%) were reported by the laptop owner. In a few cases the report came from an employee who observed a broken door or window (5%). Only one of the thefts triggered an alarm. In this case, the thief grabbed the laptop while the employee went to collect print outs and left through the fire door, triggering the fire alarm. In all buildings, in both universities, there are surveil- lance cameras (CCTV) and either partially or fully cen- tralized access control systems able to log access re- quests. Surprisingly, the systems provided no useful information in any of the thefts. These mechanisms are further analyzed in section IV. The information we obtained from the logs is limited. The logs provide information obtained after the theft took place, based on evidence found by the police and
  • 55. the security guards. The logs do not provide information on how the thief reached the location nor on whether the security awareness of the employees contributed to the theft. To check the effectiveness of the procedural mechanisms, we performed a set of penetration tests where we used social engineering as a means to obtain a laptop. B. The penetration tests To perform the penetration tests, we got help from 45 master students in computer security which took the role of penetration testers. Before performing the tests we informed and got permission from the chief security officers in both universities. We informed the officers exactly which locations we were going to test and the names of the staff and students involved. No other security person in the universities knew of the tests. The tests were approved by the legal department from the university. The students were divided in teams of three. The goal of each team was to steal a clearly marked laptop from an employee who is unaware of the penetration test. First, we did a pilot study with only three teams and three laptops. Based on the results and insights of the pilot study, we performed an additional 11 penetration tests the next year. The methodology used for perform- ing the tests and the design decisions of the tests are thoroughly described in [14]. The rest of the section (1) defines the roles in a penetration test, describes the (2) setup, (3) execution and (4) the closure phase in the test, and discusses (5) the results and (6) the limitations of the tests.
  • 56. 1) Roles in the penetration test: We define five roles in the penetration tests. 1 Coordinator - an employee responsible for the ex- periment and the behavior of the penetration tester. The coordinator orchestrates the penetration tests. 2 Penetration tester - a student who attempts to gain possession of the asset without being caught. 3 Contact person - an employee who volunteers to distribute the asset to the custodians. 4 Custodian - an employee at whose office the laptop is placed. 5 Employee - person in the university who has none of the roles above. 2) Setup of the environment: At the start of the study, we chose four volunteers as contact persons, who in turn found custodians who volunteered to take part in the study. The selection of contact persons and custodi- ans was pseudo-random. The common attribute among these participants was that the contact persons were Figure 4. In nine of the tests the custodians willingly gave the laptop, either believing that the teams were from the help desk or that they were sent by the coordinator. acquaintances to the authors, and the custodians were
  • 57. acquaintances to the contact persons. After selecting the contact people and the custodi- ans, we bought and marked the laptops that need to be stolen. The contact persons asked the custodians to sign an informed consent, and then distributed the clearly marked laptops, each with a web-camera and a Kensington lock. The custodians resided in two different universities in nine different buildings. To steal any of the laptops, the penetration testers needed to circum- vent three layers of access control: the entrance of the building, the entrance of the office where the custodian works and the Kensington lock. The contact people told the custodians the universities are doing a usability study on the new laptops, and thus they needed to measure the satisfaction level of the custodians. They informed the custodians that the level of satisfaction would be measured using motion detection web-cameras that would record the usage of the laptops. The data collected by the cameras was stored on a PC inside their office. Furthermore, for security reasons, the contact people instructed the custodians to lock the laptops with a Kensington lock and to leave the cameras recording at all times. bg The contact people also asked the custodians not to leave any private nor work related data on the laptops. With these measures, we tried to reduce the risk of data leakage and loss of productivity caused by any theft. In a few cases a custodian asked a contact person what is precisely measured with the cameras. The answer was that the moment the contact person tells the custodian which behavior is measured, the custodian might change his behavior and invalidate the study.
• 58. 3) Execution of the penetration tests: After setting up the environment, we gave each of the penetration teams the location of a single laptop they should obtain. The penetration tests lasted two weeks. In the first week, each team scouted their location and collected as much information as possible about the custodian and the security mechanisms at the location. Then, each team proposed a list of attack scenarios they wanted to conduct. A sample attack scenario is presented in Figure 6.
Figure 6. Example of an attack scenario:
1. Social engineer night pass from an employee.
2. Enter the building early in the morning.
3. Social engineer the cleaning lady to access the office.
4. Cut any protection on the laptop using a bolt cutter.
5. Leave the building during office hours.
During the second week of the test, after getting approval from the coordinator for executing the scenarios, the teams started testing. The actions of the teams were logged using the CCTV system, the web-cameras we positioned in the offices of the custodians, and recording devices carried by the teams during the attacks. We used such extensive recording (1) to have a better overview of why the attacks succeeded or failed and (2) to be sure the employees were treated with respect by the penetration testers. After each successful or failed attempt, the teams provided an attack trace of which mechanisms they circumvented and, in case of failed attempts, which mechanism caused the attack to fail.
4) Closure: After all penetration tests were over, we debriefed the custodians and the contact people through a group presentation, where we explained the penetration test and its goal. All custodians and contact people were thanked and rewarded for helping in the assessment of the security in their university.
• 59. 5) Results: Eventually, all teams were successful in stealing their laptop. Besides the 14 successful thefts, there were an additional 11 unsuccessful attempts. The favorite approach of the teams was to directly confront the custodian and ask for the laptop. Nine of the teams took roles as service desk employees or students who urgently needed a laptop for a few hours, or claimed they were sent by the coordinator. Four teams used mobile phones or pocket video cameras to record the conversation with the employees. In one case they took a professional camera and a cameraman, and told the custodian the recording was part of a study to measure the service quality of the service desk.
Figure 7. Approaches and disguises used by the teams:
Approach | Disguise | Teams
Social engineered the custodian | as coordinator helpers | 5
Social engineered the custodian | as help desk | 2
Social engineered the custodian | as students | 2
Social engineered the janitor | as students | 4
Social engineered the cleaning lady | as PhD student | 1
Of the 9 teams that social engineered the custodian, 5 posed as people sent by the coordinator, 2 took a role as help desk employees and 2 as students. 4 teams approached the janitor as students who needed to pick up a laptop, with a fake email as proof, and 1 team took a role as a PhD student who forgot the key to his office.
• 60. Figure 5. In five tests the teams social engineered a person other than the custodian.
In two of these cases the students used a bolt cutter to cut the Kensington lock, and in three they found the keys to the lock in the office. The resistance of the employees varied. In six cases, the custodians gave the laptop easily after being shown a fake email and being promised they would get the laptop back in a few hours. In two cases the custodian wanted a confirmation from the coordinator. The teams succeeded in the attempt because the custodian called a number provided by the penetration testers; needless to say, the number belonged to another team member pretending to be the coordinator. In one case a colleague of the custodian got suspicious and sent an email to campus security. Since only the chief security officer knew about the penetration test, within a few hours the security guards all over the campus were alerted and started searching for suspicious students. However, in five cases the students were not able to social engineer the custodian directly and were forced to look for alternative approaches. For example, in one of the cases the students entered the building before working hours. At this time a cleaning lady was cleaning the offices and, under the assumption that it was their office, let the students inside. After entering the office, the students cut the Kensington lock and left the building before the custodian arrived. On the way out, they even asked the same cleaning lady to lock the office door again.
• 61. 6) Limitations of the test: During the analysis of the recordings from the tests, we observed that a few custodians were easily persuaded to hand over the marked laptop. The reason might be that employees are less reluctant to give away a temporary laptop than their own laptop. Another limitation of the test might be the high self-confidence of the testers. The security guards were not aware of the penetration test. If caught, the identification process would have been an unpleasant experience for the testers. Nevertheless, they knew they would not go to jail for their actions. A real thief might rather wait for the laptop to be left unattended than approach an employee directly and ask for their laptop. The results of the test are based on only two universities and their security mechanisms. Other institutions might have a different spectrum of mechanisms for protecting their laptops.
IV. Observations
The observations presented in this section focus on the effectiveness of security mechanisms in two open institutions in protecting laptops. The observations should probably also apply to any mobile asset, such as medical equipment, beamers (projectors) and mobile phones. We observed three main security mechanisms in the universities: surveillance cameras, access control and the level of security awareness of the employees.
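The attack traces handed in after each attempt (which mechanisms were circumvented and, for failed attempts, which one stopped the attack) are exactly the raw material a security officer needs to judge the three mechanisms this section goes on to discuss. The following is an added example written for this page, not code from the paper or its authors; the one-line-per-attempt log format, the four layer names (entrance, office_door, kensington_lock, employee) and the sample lines are constructed assumptions, and the numbers they produce are illustrative rather than the paper's results. It tallies, per layer, how often testers got past it and how often it ended an attempt, ranks the layers by the share of attempts they actually stopped, and computes the fraction of failed attempts ended by a person rather than a lock or camera (the paper's "human element").

```python
"""Aggregate physical penetration-test attack traces per security layer.

Added example; not code from the paper or its authors. The log format,
the layer names and the sample lines below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layers a tester must get past to take the laptop (building entrance, office
# door, Kensington lock) plus the "employee" layer: a person who either hands
# the laptop over (bypassed) or refuses / raises the alarm (stopped).
LAYERS = ("entrance", "office_door", "kensington_lock", "employee")


@dataclass
class AttackTrace:
    attempt_id: str
    bypassed: List[str]          # layers circumvented, in the order encountered
    stopped_by: Optional[str]    # layer that ended a failed attempt; None on success

    @property
    def succeeded(self) -> bool:
        return self.stopped_by is None


# Constructed sample log (illustrative, not the paper's data).
# Columns: attempt id, outcome, comma-separated bypassed layers ("-" if none),
# stopping layer ("-" for a successful attempt).
SAMPLE_LOG = """\
# id  outcome  bypassed                              stopped_by
T01   success  entrance,office_door,kensington_lock  -
T02   success  entrance,employee                     -
T03   fail     entrance,office_door                  employee
T04   fail     entrance                              employee
T05   success  entrance,office_door,kensington_lock  -
T06   fail     entrance,office_door                  kensington_lock
T07   fail     entrance                              office_door
T08   success  entrance,employee                     -
"""


def parse_trace(line: str) -> AttackTrace:
    """Parse one log line, rejecting malformed or inconsistent records."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    attempt_id, outcome, bypassed, stopped_by = fields
    if outcome not in ("success", "fail"):
        raise ValueError(f"unknown outcome {outcome!r} in {line!r}")
    layers = [] if bypassed == "-" else bypassed.split(",")
    stop: Optional[str] = None if stopped_by == "-" else stopped_by
    for layer in layers + ([stop] if stop else []):
        if layer not in LAYERS:
            raise ValueError(f"unknown layer {layer!r} in {line!r}")
    # A successful attempt has no stopping layer; a failed one must name it.
    if (outcome == "success") != (stop is None):
        raise ValueError(f"outcome/stopped_by mismatch in {line!r}")
    return AttackTrace(attempt_id, layers, stop)


def parse_log(text: str) -> List[AttackTrace]:
    """Parse a whole log, skipping blank lines and '#' comments."""
    return [parse_trace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def summarize(traces: List[AttackTrace]) -> Dict[str, Dict[str, int]]:
    """Per layer: how often it was bypassed and how often it ended an attempt."""
    bypassed, stopped = Counter(), Counter()
    for t in traces:
        bypassed.update(t.bypassed)
        if t.stopped_by is not None:
            stopped[t.stopped_by] += 1
    return {layer: {"bypassed": bypassed[layer], "stopped": stopped[layer]}
            for layer in LAYERS}


def stop_rate(summary: Dict[str, Dict[str, int]], layer: str) -> float:
    """Fraction of attempts that reached the layer and were stopped by it."""
    s = summary[layer]
    reached = s["bypassed"] + s["stopped"]
    return s["stopped"] / reached if reached else 0.0


def rank_layers(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Layers from most to least effective by stop rate (ties: fewest bypasses)."""
    return sorted(LAYERS, key=lambda l: (-stop_rate(summary, l), summary[l]["bypassed"]))


def human_element_share(traces: List[AttackTrace]) -> float:
    """Share of failed attempts ended by a person rather than a lock or camera."""
    failed = [t for t in traces if not t.succeeded]
    if not failed:
        return 0.0
    return sum(t.stopped_by == "employee" for t in failed) / len(failed)


if __name__ == "__main__":
    traces = parse_log(SAMPLE_LOG)
    summary = summarize(traces)
    for layer in rank_layers(summary):
        s = summary[layer]
        print(f"{layer:16s} bypassed={s['bypassed']:2d} stopped={s['stopped']:2d} "
              f"stop_rate={stop_rate(summary, layer):.2f}")
    print(f"failed attempts ended by an employee: {human_element_share(traces):.0%}")
```

The stop rate is computed only over attempts that actually reached a layer, so an entrance that every team walked through during working hours scores zero regardless of how many credentials it nominally checks, while the employee layer is credited both for the refusals and charged for the hand-overs. On the constructed sample the employee layer ranks first and the entrance last, which is the shape of the paper's own finding, but the values come from the invented log, not from the study.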
• 62. A. Surveillance cameras
Security officers do not use cameras as an alarming mechanism, but a posteriori, to identify an offender after an incident has taken place. The security officers cannot afford to monitor all surveillance cameras. The cameras work only when motion is detected, and automatically store the recording on a back-end server. The delay between the occurrence and the report of the theft gives the thief sufficient time to leave the building. Even when used to identify the thief a posteriori, the cameras provide limited information about the thief. In none of the logs, nor during any of the penetration tests, did the cameras provide enough information to reveal the identity of the thief. The CCTV cameras are not able to identify the thief because (1) they are not mounted in offices, (2) the thief can easily conceal the laptop and (3) thieves usually know the position of the cameras and obscure their face. The cameras are not mounted in offices. All penetration tests and 49% of the thefts took place in an office. Cameras are not mounted in offices to preserve the privacy of the employees and because mounting cameras in every office is not cost effective. Without surveillance in these offices, it is impossible to identify a thief during the act. Instead of in offices, the cameras are usually mounted at entrance doors. Many people pass through the entrances with bags, and each of the bags might conceal the stolen laptop.
• 63. Even if only two persons are observed by the camera, if the persons are not caught on the spot and challenged by the security guards, the evidence from the surveillance camera cannot be used against them. Cameras positioned to monitor public locations, such as cafeterias, halls and reception desks, can record the thief during the theft. The logs show that 46% of the laptop thefts happened in public locations. During the penetration tests we noticed that these cameras are usually set on motion detection and are not actively monitored by the security guards. A careful thief would obscure her face from the cameras using a hat, a hood or just by covering her face with her hands before she steals the laptop. In one of the penetration tests, three penetration testers wandered through the building with newspapers in front of their faces without being challenged by anybody. In conclusion, the surveillance system provides no help in stopping the theft and has limited use in identifying the thief a posteriori.
B. Access control
The security logs and the penetration tests show that although there are multiple layers of access control in both universities, it is still possible to steal a laptop. We spotted two weaknesses in the access control in the universities. Locks are usually bypassed because (1) they are disabled during working hours and (2) the doors and windows where the locks reside are easy to force.
• 64. The access controls on the entrances of the building are easily bypassed because they are disabled during working hours and because there are too many people with credentials that can open the door. Of the 14 penetration teams, 13 bypassed the entrance locks by attacking during working hours, and one team social engineered credentials from an employee to enter the building outside working hours. Another attack vector for stealing a laptop is to force a door or a window. The penetration teams were not allowed to damage any property of the universities except cutting the Kensington locks. However, the logs from actual laptop thefts show that in 30% of the thefts the thief broke a door or a window to get access to the office. Similarly to recordings from surveillance cameras, logs from the access control systems provide limited help in identifying the thief. The logs show whose credential was used to enter a restricted area in a specific time period. Since credentials are easy to steal or social engineer, and because many people enter and leave the area where the theft occurs, it is very hard to deduce which person is the thief. In conclusion, the typical access control mechanisms deployed in the universities mainly deter opportunistic thieves, but provide no help against a determined thief.
C. Security awareness of the employees
The level of security awareness of the employees plays a crucial role in the success or failure of a theft.
• 65. The human element is the main reason behind the success of the laptop thefts. In 69% of the laptop thefts and 100% of the penetration tests, the theft occurred either because the employee left the laptop unattended in a public location or did not lock the door when leaving the office. Similarly, during the penetration tests, employees opened the doors of their colleagues' offices, shared credentials or handed over laptops without any identification. Therefore, even with strong access control in place, if the security awareness of the employees is low, the access control can easily be circumvented. On the other hand, the human element is also the main reason behind the failure of 67% of all failed penetration tests. In these cases, an employee informed the security guards about suspicious activities, refused to open a door for the tester, refused to unlock a laptop without permission from the custodian, or interrupted the tester during the theft. In these cases the employees, besides enforcing the access control mechanisms, also acted as an additional surveillance layer around the laptop. Employees are usually considered the weakest link in the security of an organization [15]. We observe that employees can also be the strongest link in the security of an open organization. Proper security education of employees increases their resistance to social engineering and increases the effectiveness of the other security mechanisms.
V. Conclusion
In this paper we analyzed the logs of laptop thefts which occurred over a period of two years in two universities in the Netherlands.
• 66. We complemented the findings from these logs with 14 penetration tests which we conducted in the same universities. Based on the logs and the penetration tests, we conclude that physical security mechanisms play a deterrent rather than a protective role in laptop theft in open organizations. Security awareness of the employees is the main element which determines whether a theft will be successful, and it influences the effectiveness of the other security mechanisms. In the future we plan to repeat the penetration tests. This time, to make the penetration tests more realistic, we plan to randomly select the contact persons and custodians and to give the laptops to the custodians a few months before the start of the tests.
References
[1] L. Ponemon. Cost of a lost laptop. Technical report, Ponemon Institute, April 2009.
[2] M. Marshall, M. Martindale, R. Leaning, and D. Das. Data Loss Barometer. September 2008.
[3] Seagate Technology. Can your computer keep a secret? 2007.
[4] Seagate Technology. DriveTrust technology: a technical overview. 2007.
[5] P. Kleissner. Stoned bootkit. In Black Hat USA, 2009.
• 67. [6] Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar, and Roy H. Campbell. BootJacker: compromising computers using forced restarts. In CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 555–564, New York, NY, USA, 2008. ACM.
[7] Sven Türpe, Andreas Poller, Jan Steffan, Jan-Peter Stotz, and Jan Trukenmüller. Attacking the BitLocker boot process. In Trust '09: Proceedings of the 2nd International Conference on Trusted Computing, pages 183–196, Berlin, Heidelberg, 2009. Springer-Verlag.
[8] L. Ponemon. The human factor in laptop encryption. Technical report, Ponemon Institute, December 2008.
[9] Thomas Ristenpart, Gabriel Maganis, Arvind Krishnamurthy, and Tadayoshi Kohno. Privacy-preserving location tracking of lost or stolen devices: cryptographic techniques and replacing trusted third parties with DHTs. In SS'08: Proceedings of the 17th Conference on Security Symposium, pages 275–290, Berkeley, CA, USA, 2008. USENIX Association.
[10] Absolute Software. LoJack for Laptops. www.lojackforlaptops.com.
[11] D. B. Cornish and R. V. Clarke. Opportunities, precipitators and criminal decisions: A reply to Wortley's critique of situational crime prevention. Crime Prevention Studies, 16:41–96, 2003.
[12] G. Kitteringham. Lost laptops = lost data: Measuring costs, managing threats. CRISP report, ASIS International Foundation, 2008.
• 68. [13] R. Willison and M. Siponen. Overcoming the insider: reducing employee computer crime through situational crime prevention. Communications of the ACM, 52(9):133–137, 2009.
[14] T. Dimkov, W. Pieters, and P. Hartel. Two methodologies for physical penetration testing using social engineering. Technical report, CTIT, December 2009.
[15] N. Barrett. Penetration testing and social engineering: hacking the weakest link. Information Security Technical Report, 8(4):56–64, 2003.
• 71. Project Evaluation Rubric
Columns: Component | Exemplary (3) | Adequate (2) | Inadequate (1) | Score
Project overview
  Exemplary (3): Effectively and insightfully develops a set of testable, supportable and impactful study hypotheses.
  Adequate (2): Develops a set of testable and supportable hypotheses.
  Inadequate (1): Hypotheses are not testable or justifiable.
Justification for hypotheses
  Exemplary (3): The introduction section provides a cogent overview of conceptual and theoretical issues related to the study hypotheses. Demonstrates outstanding critical thinking.
  Adequate (2): The introduction section provides a logical overview of conceptual and theoretical issues related to the study hypotheses. Demonstrates competent critical thinking.
  Inadequate (1): Very little support for the conceptual and theoretical issues relevant to the study hypotheses was provided. Provides little evidence of sound critical thinking.
Supporting evidence
  Exemplary (3): Provides clearly appropriate evidence to support position.
  Adequate (2): Provides adequate evidence to support position.
  Inadequate (1): Provides little or no evidence to support position.
Review of relevant research
  Exemplary (3): Sophisticated integration, synthesis, and critique of literature from related fields. Places work within larger context.
  Adequate (2): Provides a meaningful summary of the literature. Shows understanding of relevant literature.
  Inadequate (1): Provides little or no relevant scholarship.
• 72. Maintains purpose/focus
  Exemplary (3): The project is well organized and has a tight and cohesive focus that is integrated throughout the document.
  Adequate (2): The project has an organizational structure and the focus is clear throughout.
  Inadequate (1): The document lacks focus or contains major drifts in focus.
Methodology (Sample, Procedures, Measures, Data analytic plan)
  Exemplary (3): Identifies appropriate methodologies and research techniques (e.g., justifies the sample, procedures, and measures). Data analytic plan is suitable to test study hypotheses. Provides appropriate justification for controls. Project is feasible.
  Adequate (2): Identifies appropriate methodologies and research techniques but some details are missing or vague.
  Inadequate (1): The methodologies described are either not suited or poorly suited to test hypotheses. The methodology is under-developed and/or is not feasible.
Grammar, clarity, and organization
  Exemplary (3): The manuscript is well written and ideas are well developed and explained. Sentences and paragraphs are grammatically correct. Uses subheadings appropriately.
  Adequate (2): The manuscript effectively communicates ideas. The writing is grammatically correct, but some sections lack clarity.
  Inadequate (1): The manuscript is poorly written and confusing. Ideas are not communicated effectively.
References and citations
  Exemplary (3): Properly and explicitly cited. Reference list matches citations.
  Adequate (2): Properly cited. May have a few instances in which proper citations are missing.
  Inadequate (1): The manuscript lacks proper citations or includes no citations.
• 73. Overall Total: ______________
PowerPoint Presentation Rubric 1
Group #: ______
Columns: 20 Points | 15 Points | 10 Points | 5 Points | Total Points
Content
  20 Points: Main points are clearly covered, demonstrating excellent knowledge of subject. Content is based upon sound research, and hyperlinks to relevant sites are included.
  15 Points: Main points are clearly covered. Content is research-based, and a hyperlink to a relevant site is included.
  10 Points: Subject is mostly covered, but good research basis is not evident. No hyperlinks to more information.
  5 Points: Subject is poorly covered, and some information is incorrect, suggesting little or no research.
Clarity and Organization
  20 Points: Information is organized in a logical way, making the sequencing of slides easy to follow and comprehend.
  15 Points: Most information is logically sequenced for clarity and comprehension. One piece of information or one slide may seem out of place.
  10 Points: Information is somewhat logically sequenced. An occasional slide or piece of information seems out of place, distracting from comprehension.
  5 Points: There is no clear plan for organization of this material, making it difficult to follow and comprehend.
• 74. Presentation
  20 Points: Presenter is prepared and has obviously rehearsed. Speech is loud and clear, and presenter uses slides as a supplement to presentation, rather than reading from them.
  15 Points: Presenter is prepared. Speech is loud and clear, and presenter mostly uses slides to supplement information, rarely reading from them. Good volume and eye contact are present most of the time.
  10 Points: Presenter may have benefitted from more preparation. Slides are often reread to audience, perhaps with a little embellishment by presenter. Volume and eye contact may be insufficient.
  5 Points: Presenter is unprepared. Slides are presented to audience nearly verbatim. Speaker can rarely be heard, or hardly looks at audience.
Slide Format
  20 Points: Slide elements have been carefully planned to enhance readability and content. Color, graphics, bulleting and transitions are attractive, easy to read and enhance content.
  15 Points: Slide elements have been planned to enhance readability. Color, graphics, backgrounds, transitions are attractive and easy to read.
  10 Points: Formatting of text, color, background, etc. may make slides a little hard to read, but does not interfere with understanding.
  5 Points: Material is hard to read or understand due to poor formatting.
Mechanics
  20 Points: No errors in spelling, capitalization, punctuation or grammar.
  15 Points: Contains 1 to 2 errors in spelling, capitalization, punctuation or grammar, but errors do not distract reader.
  10 Points: Contains 3-4 errors in spelling, capitalization, punctuation or grammar, which may be a distraction.
  5 Points: Contains more than 5 errors in spelling, capitalization, punctuation or grammar.
• 75. GRAND TOTAL: ___________
Guidelines for Group Participation
1. Everyone should contribute and take turns to speak.
2. All ideas should be shared and considered.
3. Ideas should be justified with reasons.
4. Challenges are encouraged, but students must disagree with the point, not the person.
5. Try to reach agreement; don't just agree to differ.
6. Set clear expectations for each member of the group.
7. Communicate often when issues or concerns arise.
8. Distribute the work: each team member should be responsible for a section of the paper and presentation.
9. Ensure a fair use of time within the group.
10. Spend time reading your classmates' work and make notes to help you give constructive feedback.