14.docx · web viewchapter 14 - physical security concepts and applications. objectives . define...
TRANSCRIPT
CHAPTER 14 - Physical Security Concepts and Applications
OBJECTIVES Define physical security planning List five steps of the security planning process List three options for intrusion monitoring Explain the three primary objectives of security lighting Provide the three roles of CCTV and access controls Explain the value of safes, vaults,
PHYSICAL SECURITY PLANNING What is "physical security planning?" It is a recognized security process that, if followed, will result in the selection of physical countermeasures based on appropriateness. The selected countermeasures should also be justifiable from a cost point of view.
In the security planning process, the organization identifies which assets require protection and the types of risks that could compromise those assets. This critical function determines the level of appropriate countermeasure that is required based upon a formally documented process.
Risks are usually categorized into three categories:
1. People — Human resources are usually the most critical asset within any organization, and as such, must receive a stronger consideration when assessing risk.
2. Property — Physical property or intellectual assets.
3. Legal liability — Legal risks can also affect people and property, but need to be considered as a separate category. This is due, in part, to the extent which lawsuits affect the security industry these days.
Additionally, the security planning process should determine the probability of such occurrences and the impact on the organization if loss should ever occur. These steps are critical to determine how to best protect organizational assets and must be performed periodically. An added benefit of the security planning process is the potential for increased security awareness throughout every level of the organization.
The security planning process consists of the following five steps:
1. Assets are identified.
2. Loss events are exposed.
3. Occurrence probability factors are assigned.
4. Impact of occurrence is assessed.
5. Countermeasures are selected.
Let's look at each of these steps.
1. Assets are identified At first glance, this step would appear easy; however, this is not necessarily the case. Have you ever attempted to take inventory of your personal property? The major problem seems to be "how to;" that is, do we include every nut and bolt? For the purpose of following the security process, this is not necessary. It should suffice to group assets according to category except where an item is especially attractive (from a thief's viewpoint) and valuable. The following categories should encompass the majority of assets for most companies:
Land buildings heavy machinery production equipment office equipment office furniture vehicles cash or other negotiables goodwill public image raw material finished product
Depending on the nature of the company's activities, there may be other categories. In any event, there is one asset which has not been mentioned primarily because it is controversial: employees. Employees are a company's most valuable asset, although some people do not like to group them with all the other assets.
2. Loss events are exposedThis step consists of exposing all possible threats to the assets that were identified. Similar to how we group assets, we group threats according to their nature. All threats can be grouped under the following headings: industrial disaster, natural disaster, civil disturbance, crime, and other risks. Industrial disasters — these should be easy to identify, associated threats related to on-site or adjacent activity.
Industrial disasters - The following are typical industrial disasters that might affect most companies: explosions, fires, major accidents, and structural collapse. To correctly assess the threat, you must intimately know the nature of company activity, the nature of activity on adjacent properties, dangerous routes, flight paths, and the existence of nearby major oil or gas pipelines.
Natural disasters - the potential for a natural disaster largely rests with the geographic location of the company property. If the property is located in the southeast United States, it is reasonable to identify hurricanes as possible loss events. Similarly, if the property is located in California, it would be reasonable to plan for earthquakes. Other areas may suggest the need to identify floods or tornados as threats.
Civil disturbance - most companies can be threatened either directly or indirectly by actions that can be categorized as civil disturbances. If your company is engaged in weapons technology, or indeed any activity that might be viewed as threatening the environment, it is reasonable to expect that the
company might become the target of demonstrators. All labor disputes fall under this heading.
Crime - it is relatively easy to identify crimes that might affect company operations. Any or all of the following will affect most companies: arson, assault, bomb threats, breaking and entering, theft, and vandalism. If a company is engaged in high-tech, it would be reasonable to also include espionage, extortion, and sabotage as likely threats.
Other risks - this is meant to be a catch-all for those threats that do not neatly fit the above categories. Two examples are disturbed persons and loss of utilities.
3. Occurrence probability factors are assignedHaving identified assets and exposed the threats to those assets, the next step is to quantify the possibility that the threat will occur. This is probably the most difficult step in the process. Information must be collected and carefully analyzed to determine its effect on the probability for occurrence. The following affect probability:
The physical composition of structures — for example, wood frame or concrete block
The climatic history of the area, such as number and frequency of tornados, hurricanes, earthquakes, and so on
The nature of activity at the property to be protected. For example, if the products being produced are televisions and related products, then the probability for theft will likely be high
The criminal history for the local and adjacent areas Is there community conflict in the area?
An analysis of the foregoing, coupled with a review of the activity and organization of the company to be protected, will enable one to make a determination with reasonable accuracy regarding the probability for a loss relative to specific assets or groups of assets.
The probability for occurrence will not be the same for all loss events. For this reason and to facilitate later correlation with impact factors, we must assign probability ratings. While the actual wording is not important, the following are suggested:
Certain
Highly probable
Moderately probable
Improbable
To make these words more meaningful, we can assign percentage weights to each:
Certain = 75-100%;
Highly probable = 50-75%;
Moderately probable = 25-50%; and
Improbable = 0-25%.
4. Impact of occurrence is assessedThis step is not as difficult or as uncertain as determining probability. Impact for almost all organizations has a bottom line of dollars and cents. The most important thing to remember is that dollar losses may be either direct or indirect and that they may be so high as to be crippling.
Direct costs are those that can be directly assigned as the value of the asset that has been lost or damaged. Indirect losses are those costs associated with the loss that would not have been incurred if the loss event had not occurred. An example is downtime.
The final task in relation to impact is to assign levels or classifications that will allow for correlation with the four degrees of probability. Again, the actual words are not important; however, the following are suggested:
Very serious Serious Moderately serious Unimportant
We will see the importance of these ratings shortly. Before we move to the final step, let us recap: we have taken inventory of our assets, identified the threats to those assets, assessed the probability of occurrence for the threats, and assessed the potential impact on company operations if one of these threats were to occur.
5. Countermeasures are selected This is the final step in the planning process. We now have to use all the data we have collected to protect our property in the most efficient manner, while also considering the cost of these countermeasures in relation to the value of our assets. The initial step is to decide on the level of protection needed; the level can range from low to very high.
When selecting physical security countermeasures, it is imperative that one use a systematic approach. By standardizing the process, mistakes are less likely to occur and more accurate calculations can be made. In addition, one must document the process and keep accurate written records of the recorded data. This allows for better-informed decisions regarding the selection and implementation of physical security countermeasures.
There are several methods or processes available to the security practitioner when selecting countermeasures; however, the simplest method to ascertain the desired levels of protection is a matrix. (Example on next page)
For example, consider the threat of fire. The probability of a fire can be rated as "moderately probable" for most types of businesses; from a criticality point of view, we must consider fire as potentially "very serious." Referring to our matrix, we can quickly see that the recommended level of protection is "level IV," the highest level possible. This would suggest using an effective detection system coupled with an efficient suppression system.
Threat Level Matrix
Improbable Moderately Probable
Highly Probable Certain
Unimportant I I I I
Moderately Serious
I II II II
Serious II III III IV
Very Serious III IV IV IV
Levels of SecurityI LowII MediumIII HighIV Very High
The large number and variety of assets and associated threats means that we will end up with a complex pattern of different levels of protection. This is not as confusing as we might expect, particularly if we think in terms of security-in-depth.
Security-in-depth, also known as layered protection, is a concept that means placing a series of progressively more difficult obstacles in the path of an aggressor. These obstacles are often referred to as lines of defense.
PHYSICAL SECURITY PLANNING The first line of defense is at the property line. Methods of defense at this point may be either natural, such as a river, or manmade, such as a fence. Additionally, the barrier may be psychological or physical. At the very minimum, the property boundary must be defined in some way that separates it from its neighbors. Psychological barriers, such as property definition, do not impede would-be trespassers; however, they do play an important role in the rights of the property owner.
The second line of defense is the exterior of buildings. Controls at this point should be difficult to overcome. It is important to remember that all six sides of structures (roof, floor, and walls) may present weaknesses that must be strengthened. Special attention must be given to the usual points of break and enters: doors, windows, and skylights. In fact, any opening greater than 96 square inches in area and less than 18 feet from grade must be protected. It is usually at this line of defense that electronic intrusion detection devices and electronic access controls are used. The third line of defense is interior controls or object protection. Controls at this line of defense include electronic motion and intruder detection devices, access controls, safes, vaults, document storage cabinets, quality locking devices, and fire protection.
Applying the security-in-depth concept means more than simply establishing three lines of defense that will meet all your needs. Ideally, we would apply the principle first to the property in general terms as described above, and then to each and every asset separately. An example would be an industrial complex and an asset such as information.
The complex itself will probably be protected by a perimeter fence. Each building within will be properly secured and there will be electronic intrusion detection systems within the buildings. In addition to this general protection, we should attempt to establish protective rings around the information. For example, the information should be stored in a safe (third line of defense); the safe should be in a room that has interior motion detection (second line of defense), and access to the room should be through a door equipped with proper locking hardware and possibly a card access system (the first line of defense).
Selecting appropriate countermeasures is a difficult task, requiring considerable practical experience and extensive knowledge of the various controls and their strengths and weaknesses. Effective planning will result in a cost-justified, integrated protection program.
An integrated protection program results from a systems approach to selecting controls. The following are two important points in relation to using a systems approach:
The whole, rather than its individual parts, must be considered.
Design should allow for an acceptable level of redundancy, without any unnecessary duplication of effort.
A systems approach is often referred to as "systems engineering." The remainder of this chapter will concentrate on the physical components of a protection program. While space will not permit great detail, we will attempt to explain the major points relative to security lighting, security glazing, alarm systems, card access systems, locks and keying, closed circuit television, safes and vaults, and fencing.
SECURITY LIGHTING Security lighting has three primary objectives:
1. It must act as a deterrent to intruders.
2. It must make detection likely if an intrusion is attempted. 3. It should not unnecessarily expose patrolling personnel.
Lighting systems are often referred to as "continuous," "standby," and "movable" or "emergency."
Continuous lighting is most commonly used. Lamps are mounted on fixed luminaries and are normally lit during the hours of darkness.
Standby lighting is different from continuous lighting in that the lamps are only lit as required.
Movable or emergency lighting is portable lighting that may be used to supplement either continuous or standby lighting. Light sources may be incandescent, gaseous discharge, or quartz lamps. The common light bulb emits incandescent light.
Gaseous discharge lamps are street-type lighting and may be either mercury vapor or sodium vapor lamps. Mercury vapor lamps emit a strong light with a bluish cast. Sodium vapor lamps emit a soft yellow light. Both types of gaseous discharge lamps take 2 to 5 minutes to reach maximum intensity. They are very effective in areas where fog is prevalent. A word of caution in relation to gaseous discharge lamps is that they make color identification unreliable.
Metal halide lamps are also of a gaseous type, but due to the excellent color rendition this lamp offers, it is recommended for many security applications. Metal halide lamps can be used very effectively with color CCTV cameras due to the light properties which imitate natural daylight. The downside of this lamp is that it is expensive to use.
Incandescent lamps are typically used in residential homes for lighting. They are very inefficient and have limited use for security purposes due to the short lifecycle and expense of use.
Quartz lamps emit a very bright white light. Lighting may be classified as floodlights, searchlights, fresnels, and street lighting. The difference between floodlights and searchlights is that searchlights project a highly focused beam of light, whereas floodlights project a concentrated beam. Fresnels produce a rectangular beam of light and are particularly suitable for illuminating the exterior of buildings. Streetlights produce a diffused light and are suitable for use in parking areas and driveways.
Certain lighting intensities are recommended for specific situations:
Perimeter or property boundary 0.15 to 0.4 fc Parking lots (open) 2.0 to3.0 fc Parking garage (enclosed) 5.0 to 6.0 fc Vehicle entrances 1.0 fc Pedestrian entrances (active) 5.0 fc Exterior of buildings 1.0 fc Open yards 0.2 fc
Specific circumstances may dictate different intensities. To explain the suggested intensities, "fc" means foot-candle and simply refers to the amount of light emitted within 1 square foot of a lit standard candle.
APPLICATION CONSIDERATIONS When designing a protective lighting system, consider three lines of defense: the
perimeter, open yards, and building exteriors.
All accessible exterior lamp enclosures should be in tamper- or vandal-resistive housing. This means that the receptacle and lens should be constructed of a material that will resist damage if attacked and that the mounting screws or bolts should be tamper-resistant.
If protective lighting is to be located in an area that may be subject to explosions, the housings should be explosive-resistant.
Before finalizing any decision on the installation of lighting, consider the impact that additional lighting will have on your neighbors. Failure to consult with a neighbor prior to an installation may result in costly redesign.
The foregoing is a presentation of the basics of security lighting. Prior to utilizing any of the suggested standards, please check local codes or ordinances.
GLAZING The various uses, methods of fabrication, and overabundance of trade names make the selection of an appropriate glazing material appear very confusing. In an effort to simplify the process, we will address the subject under the following headings:
• Safety/fire • Burglar /vandal-resistive • Bullet resistive • Special purpose
Safety/fire: Under this heading, we are basically looking at two types of glass: tempered and wired. Tempered glass can be considered safety glass, as it is several times stronger than ordinary glass. It is especially resistive to accidental breakage. If it does break, it will disintegrate into small pieces with dull edges, thereby minimizing risk of injury. Tempered glass is available in different thicknesses to suit different purposes.
Wired glass is glass with a wire mesh built into it. The wire is embedded in the glass when it is still in its molten state. Wire glass resists impact because of its strength. It is also listed by Underwriters Laboratories as a fire-retardant material.
Here are some suggested uses for safety/fire-retardant glass:
• Passageways • Entrance doors and adjacent panels • Sliding glass doors • Bathtub enclosures and shower doors
Burglar/vandal-resistive: Several types of burglar /vandal-resistive glazing materials are available, including laminated glass, wired glass and acrylic, and polycarbonate plastics.
Laminated glass will resist degrees of impact proportionate to its thickness. This type of glass is particularly valuable where the quality of transparency is important and where other types of
impact-resistant material may be subject to vandalism. Wired glass provides resistance of a limited nature; it will not resist prolonged attack. Acrylic plastic is particularly resistive to forced attack; however, it is not as resistive as polycarbonate. It is, however, much more transparent than polycarbonate. Polycarbonate plastic is 20 to 30 times stronger than acrylic of comparable thickness.
Bullet resistive: Bullet-resistive material is available in the form of laminated glass or acrylic and polycarbonate plastics. Bullet-resistant laminated glass consists of multiple piles of glass and plastic material laminated together. Highly transparent, bullet-resistant acrylic material is suitable for many cash-handling situations, such as those which occur in banks. Polycarbonate, consisting of several sheets of plastic laminated together, is highly resistive to ballistics; however, visibility is somewhat impaired.
Special purpose: Under this heading, we will look at transparent mirror glass, coated glass, heated glass, and rough or patterned glass.
Transparent mirror glass may be installed in a door or in a wall. From one side, it is functionally a mirror, and from the other, it permits an unobstructed view through the mirror. The primary purpose of transparent glass is for surreptitious surveillance. Flow-on or cement-on plastic coating is available for application to existing installed glass. This material may serve well as an interim measure until a more appropriate vandal-resistive material can be installed. Rough or patterned glass is available with many different designs that make it range from practically opaque to practically transparent. This type of glazing is most appropriate where there is a conflict between the need for privacy and natural light.
INTRUSION DETECTION Every intrusion detection system is meant to detect unauthorized entry, unauthorized movement within, and unauthorized access to controlled areas or objects
There are three components to an intrusion detection system:
Detectors /sensors
System controls
Signal transmission
Detectors/Sensors The design and implementation of intrusion sensors are critical for any physical security program. Intrusion sensors are typically integrated with physical barriers, such as a door or window, and must take environmental conditions into consideration to be effective.
Selection of the appropriate detector, from the numerous and varied options available, is often a difficult task. The end user is well-advised to become familiar with the different types of detectors /sensors available and must evaluate both the application and environmental conditions prior to implementation. If relying on advice from a vendor for proper intrusion sensor selection, it is essential that the end user describe their objectives and make the vendor contractually responsible for meeting those stated objectives.
In the following paragraphs, we will look at different types of detectors: magnetic switches, metallic foil, audio, vibration, ultrasonic, photoelectric, passive infrared, microwave, dual technology, and video motion.
Magnetic switches: These are often referred to as door contacts. They may be either surface-mounted or recessed. The choice is largely an aesthetic one; however, the recessed ones do afford more protection from tampering. Switches are commonly "unbalanced," which means that they may be defeated by substitution of a secondary magnetic field to keep the contacts in the open position while the detector magnet is moved away from the housing containing the contacts.
For high-security applications, a "balanced" switch is available. This switch is designed to withstand defeat by creation of a secondary magnetic field. Magnetic switches have many potential uses in addition to their traditional use on doors and windows. They may be used on desk or file cabinet drawers or to secure equipment to a fixed position.
Metallic foil: This is a narrow strip of metal foil designed to break if the surface to which it is attached is attacked. It is mostly used as a glass breakage detector and is commonly seen on storefront windows and glass doors. It may also be used as a barrier penetration detector, such as in a wall under gyprock. If properly installed, it should do its job well. A major detractor is that it is not considered aesthetically pleasing; this can also be overcome to some extent by the experienced installer.
Vibration: Vibration detectors are shock sensors. They may be used to detect persons climbing chain-link fencing, breaking through walls, or attacking safes or other containers. As glass breakage detectors, they are very effective and not too expensive.
Ultrasonic: These are motion detectors. A protected area is flooded with an oval pattern of sound waves. As the sound waves bounce off objects, they reflect a signal back to a receiver. Any movement in the protected area will cause a change in the reflected pattern, which will result in an alarm. Ultrasonic sound waves are in a frequency range that is above the capacity of the human ear. These detectors are particularly susceptible to false alarm due to air turbulence.
Photoelectric: A beam of light is transmitted to a receiver. The transmitter and receiver may be in one housing with the beam reflected. Any interruption of the beam causes an alarm. These devices are commonly used as automatic door openers or in stores to ward off a customer from entering. When used for security purposes, different methods are used to make the beam invisible to the naked eye. Either an infrared light-emitting diode is used or an infrared filter is simply placed over the light source. Either method effectively makes the beam invisible.
Infrared: These are probably the most versatile detectors currently available. Patterns of coverage are available that will protect practically any configuration of space. They can be used effectively to protect long narrow corridors, portions of rooms, or entire large rooms.
Infrared detectors are often referred to as passive detectors because they are the only detector that does not monitor an environment that has been created by the detector. Infrared detectors measure radiated energy. When activated, they simply establish the ambient temperature. From that point on, any significant deviation will result in an alarm.
Microwave: Microwave detectors use high frequency radio waves to establish a protected area. They are particularly suitable for use in areas where air turbulence or changing air temperatures may prohibit the use of ultrasonic or infrared detectors. A major weakness with microwave is that it can penetrate beyond a protected area. Microwaves will penetrate practically all surfaces except concrete and metal.
Dual technology: Dual technology sensors combine two technologies into a single sensor. An example of this would be to combine a passive infrared sensor with a microwave sensor. An alarm signal is not generated until both sensing devices are triggered. Thus, the use of such technology should result in fewer nuisance alarms being generated if installed correctly and applied properly.
Video motion: Using CCTV cameras to initiate an alarm is another method that can be utilized for intrusion detection. Video motion technology detects changes in light brightness levels within the coverage area. It is advisable to only use video motion detection for an interior application due to the varied environmental conditions which exist outdoors. Vibrations, moving objects such as trees and bushes, and fluctuating light levels can trigger nuisance alarms when using video motion; they may render the system ineffective.
System Controls System controls consist of components that transform individual detectors /sensors into a network of intelligence-gathering devices. System controls include data processing equipment, signal transmission equipment, on/off and reset controls, backup power supply, LED system status indicators, and any other equipment specific to a particular system.
The data processing equipment basically acts as a receiver and interpreter of signals from the sensors /detectors and reacts to these signals in accordance with preprogrammed instructions.
The signal transmission equipment is the means by which an alarm is raised. This equipment may simply activate a local siren, or it may send a signal over telephone wires to a remote monitoring location. The telephone wires may be either dedicated (the most secure system) or through the normal telephone network by use of a digital dialer that transmits to a special type of receiver /decoder.
The on/off and reset controls can be keys, toggle switches, or digital keypads. The digital keypad is recommended. The backup power supply is essential in case the electrical power supply fails or is sabotaged.
The LED (light-emitting diode) system status indicators use different colors to indicate whether the system is on or off, or if there is trouble in the system. The usual colors are:
Red for system okay (but in the off mode),
Yellow for trouble somewhere in the system, and
Green for armed and properly functioning.
SYSTEM MONITORING There are basically three options in system monitoring:
1. Local
2. Proprietary
3. Commercial
A local system is just that, a siren or bell on the outside of the protected premises. This system is not recommended due to its reliance on a passerby to actually call the police.
The proprietary system is similar to a local system in that the system is monitored on-site or remotely by employees of the owner of the protected premises. If this system is used, it is advisable to have a link from the proprietary station to a commercial station in the event of a holdup of the monitoring personnel.
Commercial monitoring falls into two categories: monitoring stations or answering services.
The answering services are useful for the economical monitoring of signals transmitted by telephone dialers; however, this is not for high security systems. Commercial monitoring stations are either Underwriters Laboratories (UL) approved or they are not. UL-approved is the best guarantee of quality service.
Note: An initial step in planning an intrusion detection system is to identify zones of protection in the building that will create a series of independent subsystems. Each subsystem should
(1) be compatible with normal operations, and
(2) allow for prompt response to a specific problem area.
When the functional requirements of a system have been identified, the system engineering should be left to experts.
CARD ACCESS The decision to use, or not to use, a card access system should be based on the perceived need for accountability and the accompanying financial considerations. An objective statement for a card access system might read: "To economically eliminate the inherent security weaknesses in key access systems by electronically supervising and documenting the activities or persons authorized to access the property."
To be useful, a card access system should have the following minimum capabilities:
• Restrict access by authorized persons to certain times and /or days of the week. • Allow controlled after-hours access to selected areas within. • Control after-hours access to a parkade. • Selectively control after-hours use of elevators. • Maintain a record of all valid and invalid use of cards. • Provide an audit trail permitting a printout of persons on the property at any one time.
There are numerous types of cards:
• Magnetic coded
• Magnetic strip coded • Proximity coded • Weigand coded • Hollerith • Optical coded
The magnetic coded card contains a sheet of flexible magnetic material on which an array of spots has been permanently magnetized. The code is determined by the polarity of the magnetized spots. The magnetic strip encoding is widely used in commercial credit cards. The proximity card is a badge into which electronically tuned circuits are laminated. The badge gets its name from the fact that it only has to be held near the reader for authorized access to be granted. The reader for this card is concealed in the wall behind drywall or paneling. The Weigand-coded badge contains a series of parallel wires embedded in the bottom half of the badge. Each wire can be assigned logic "0" or "V," the combination reveals the ID number.
The Hollerith badge is easy to recognize because the card has small rectangular holes punched in it. It cannot be considered a high security badge. The optical coded badge is easy to recognize if it uses a barcode as its encoding device. The barcode is commonly used on retail goods to assist the cashier with pricing.
All of the commonly used coded cards are reliable and, with the exception of the Hollerith badge, are reasonably resistive to compromise. Although it is not recommended, many organizations like to use their access cards as both an access card and an identification badge. The information contained in the normal employee ID card can easily be incorporated into any access card:
• Company name and logo • Details of cardholder • Name • Department • Date of birth • Signature • Photograph • Condition of use (restrictions)
This is not recommended, however, because if the card is lost, it will be obvious to the finder that it is owned by a particular organization, which may lead to unauthorized use of the card. There are many different card readers; the significant difference among them is the addition of a secondary method of verification or confirmation, such as the requirement for insertion of a personal identification number (PIN), through a numerical keypad.
The use of a numerical keypad usually offers the valuable option of allowing a user to signal that he is operating under duress.
LOCKING HARDWARE Locking hardware can be categorized as mechanical, electrical, or electromagnetic, and as either security or nonsecurity.
Quality mechanical security locks should be used for all of the following:
• Perimeter openings • Doors that control /restrict internal movement • Doors to sensitive /restricted areas
Only deadbolt locks should be considered. The bolt should offer a minimum of 1-inch throw. If the door is a glass metal-framed door, the bolt should be of the pivotal type to ensure maximum throw.
Electric locks are particularly suitable for the following:
• Remote control of the after-hours pedestrian entrance door • Grade-level emergency exit doors • Exit doors from stairwells to grade level • All stairwell doors
Electric locks are available where the strike is normally in the locked or unlocked position. Electromagnetic locks are particularly suitable for use on emergency exit doors, as there are no moving parts that can accidentally become jammed. Several conditions must be met before this type of lock can be used on an emergency exit door:
A manual or automated egress device to unlock door within close proximity. When activated, the fire alarm system must be able to automatically deactivate the
locking device. Each location must have a fire pull station in its vicinity, and its activation must
automatically deactivate the lock.
Note: It is essential that the fire department be consulted prior to any final decision on the locks of any door that may be considered an emergency exit. Get their decision in writing, and carefully consider it before compliance.
Emergency exit devices that are normally used on emergency exit doors cause justifiable security concern. If permitted, only quality electric or electromagnetic locks should be used. If electric or magnetic locks cannot be used, great care should be taken to ensure the emergency devices use such features as the following:
• Deadbolts • Deadlocking latches • Vertical locking bars for pairs of doors
Remember that emergency exit devices can be connected to a proprietary or commercially monitored alarm system. Loud local alarms are also an effective way to protect emergency exits.
CLOSED CIRCUIT TELEVISION CCTV has three major roles in any physical security program:
To deter crime or unwanted activities To allow the ability to witness an act as it occurs As an investigative tool after an act has already been committed
Although CCTV is typically used to monitor a property or facility for crime prevention purposes, there are a multitude of applications with which this technology can be used to visually monitor events. CCTV is a great tool for assessing a real-time situation involving crowd control and responding to personnel movements. In addition, it can be used to capture customer movement and behavior in the retail environment as well as to monitor internal staff as they work. CCTV can also remotely watch traffic flow on highways and monitor weather activity in specific areas.
CCTV technology has progressed quickly in recent years. The advent of software-based analytics has skyrocketed the capabilities of CCTV into the future. "Intelligent video," as it is known, can offer tremendous capabilities under the right circumstances. As with any CCTV system, the surrounding environment can adversely affect the effectiveness of any CCTV program.
That being stated, here are a few CCTV software feature sets that fall into the intelligent video realm:
• Video motion detection (VMD) • People counting and tracking • Object classification, counting and tracking • License plate recognition • Facial recognition • Crowd detection • Psychology of motion (still under development)
Intelligent video is currently used in some of the largest cities in the world to detect criminal activity and other issues, such as traffic problems, loitering, and riot activity. Among the tremendous benefits of using technology to detect certain events, intelligent video may allow for the reduction of manpower by harnessing technology to increase efficiency and accuracy of CCTV systems.
There are three main views that a standard CCTV system should provide, depending upon the application requirements:
1. Identification of any subjects 2. Identify the actions within a scene 3. Identify the scene where the act occurred
Subject identification is based on the principle that whoever or whatever is viewed must be identifiable beyond any reasonable doubt. This includes capturing specific features that could identify the person, such as nose, ears, and eye characteristics. As an example, the scene view usually will provide about 25% coverage of the person being viewed. The subject identification view is critical when used with facial recognition software, as the facial features must be captured to have a reasonable success rate in identification.
Action identification is a view that can assess what has occurred within a given area. This level of video surveillance can usually determine what has occurred. A good example might be that a painting was stolen or that an act of violence occurred. Another illustration of an action
identification view would be in a retail environment to determine how a retail customer purchases specific goods while shopping, and which advertisement was most effective in gaining additional sales. The action view usually comprises about 10% of the total scene image.
Identification of a scene view is based on being able to identify where an act took place. An example might be in the lobby or in a specific department. Each scene must stand on its own merit and be identifiable during playback. Weather monitoring is another example of an application using a scene view.
Great care must be exercised in designing a CCTV system to ensure that the objectives are achieved. Caution is also necessary to ensure that costs do not get out of hand. This is a comon problem when the system is not designed by a security expert.
The following are suggested practical applications for CCTV:
• Parkade areas, entrances /exits, shuttle elevator lobbies, stairwells, and elevators • Shipping/ receiving areas • Main floor elevator lobbies • Cross-over floors • Cash handling areas
All CCTV systems are made up of several components that an end user should be, at the very least, familiar with. The following is a brief description of each component:
Cameras — a primary consideration in relation to camera selection is the available light coupled with required image quality. The two most common cameras in use today are the charge coupled device (CCD) and the complementary metal oxide semiconductor (CMOS). Both are relatively stable camera platforms that outperform older camera technology.
Lenses — there are three major types of lenses available for cameras today. They are fixed lens, varifocal lens, and zoom lens. The fixed lens only offers a single point of view and is best used on indoor applications due to the more consistent environment. The varifocal lens offers a range of views and great flexibility in application, as long as the range is within the lens capabilities, and the lens does not need to be refocused. The zoom lens, by contrast, is best for situations in which the lens needs to be refocused, should one change the field of view. The focus on a zoom lens is maintained either through manual or motorized adjustments.
Housings — several types of housings are available. They fall into two categories: aesthetic and environmental. Housings can also effectively disguise the existence of a camera.
Monitors — monitors are available in different sizes and in color, monochrome, or LCD. When a quality image is required, it is necessary to use a high-resolution screen.
Sequential switches — it is not necessary, or usually desirable, to have a monitor for every camera. By using a sequential switcher, the image from two or more cameras can be routinely rotated for viewing on one monitor. When required, an operator can lock on the image from one particular camera for select viewing.
Motion detectors — cameras are available with built-in motion detection capability. If movement occurs within the field of view of the camera lens, an alarm will sound at the control
center, or a video recorder will be activated to record the activity that caused the alarm. This feature is very valuable when using a large number of monitors.
Pan/tilt/zoom — the need to use several cameras to cover an area or activity can be avoided by carefully positioning one camera and providing pan/tilt/zoom features.
Controls — in addition to the normal television controls, controls will be required for whatever special features are built into the system.
Consoles — the design of a control center console that houses a CCTV system is definitely an engineering task. Care must be exercised to ensure operator comfort, particularly in relation to viewing angles and ease of accessibility of controls.
Video recorders — a CCTV system should be considered incomplete if it does not have the ability to selectively record events. Recording can be done on VHS recorders; however, these are quickly being replaced by digital video recorders (DVRs) and by network video recorders (NVRs). In some cases, the recordings are sent directly to a computer server using a graphical user interface (GUI). The GUI eliminates the need for a separate recording "box" by using software to manage the recordings.
Day/time generators — this feature has potential benefits in specific circumstances — for example, where no immediate incident response capability is available, or if the recording may be required as evidence in court.
SAFES AND VAULTS Safes and vaults are designed to offer varying levels of protection from specific risks, namely burglary, robbery, and fire.
Burglary-Resistive Safes In addition to their actual construction, burglary-resistive safes have a number of protective features:
• Locks • Interior design • Depository • Time locks • Time delay locks • Relocking device • Extra weight • Floor anchoring • Counterspy dials
Locks Safes are available with three types of locking systems: • Single combination • Single key lock combination • Dual combination
With the single combination option, an unaccompanied person with the combination can access the contents at any time. The second option, a key lock combination, requires that two persons be in attendance to open the safe. One person has the key to unlock the combination-turning
mechanism, and the other has the combination to unlock the safe. The third option is similar to option two in that two persons must be in attendance to open the safe. Each person has only one of the combinations.
Interiors Sufficient options are available in interior configurations so that the need for customization can be avoided. Available features include fixed or adjustable shelving and enclosed compartments that may be either key or combination-locked. Available options increase proportionately to the size and cost of the safe.
Depository This feature permits the insertion of property, most often cash, without allowing access to the safe contents. The depository is usually fitted with an antifish device to inhibit retrieval of deposited property
Time Locks Time locks prevent access to the safe contents for predetermined timeframes by persons normally authorized for access. For example, when a bank safe is locked at the close of the business day it cannot be opened again until the following morning. Should the bank manager be taken from his home forcibly he cannot be forced to open the safe.
Time-Delay Locks This feature is designed to protect against a holdup. Opening a safe equipped with this feature requires keying the lock, followed by a predetermined waiting period, before the locking mechanism will unlock. A safe with this feature is often used at late-night convenience stores or 24-hour gas stations.
Relocking Devices These devices are designed to act as a secondary locking feature if the normal one is attacked. For example, if someone attacks the combination dial with a sledgehammer, the relocking device will activate. After this happens, only a qualified safe expert can open the safe.
Extra Weight To prevent thieves from simply walking away with a safe, it is recommended that a safe weigh a minimum of 340 kg or 750 lbs. Most large safes do weigh 340 kg, and smaller ones can be ordered with extra weight added.
Floor Anchoring An acceptable alternative to extra weight, where extra weight may present problems for structural reasons, is floor anchoring — provided a concrete slab is available.
Counterspy Dials It is not uncommon for thieves to note the combination of a safe while surreptitiously viewing it being unlocked. A counterspy dial prohibits anyone other than the person immediately in front of the dial to see the numbers, and only one number is visible at a time.
Apart from the foregoing obvious security features, we can tell little about a safe by looking at it; nowhere can appearances be more deceptive. For this reason, a purchaser has to rely on a particular vendor or on independent appraisal. Independent appraisal is available from Underwriters Laboratories Inc. (UL). If a manufacturer submits a product sample to UL, they will
conduct various tests and issue authority to the manufacturer to affix a specific label to the protected line. The following UL labels are available:
UL Labels Resistant to Attack From
T.L.-15 Ordinary household tools for 15 minutes T.L.-30 Ordinary household tools for 30 minutes T.R.T.L.-30 Oxyacetylene torch or ordinary household tools for 30 minutes T.R.T.L.-30 X 6 Torch and tools for 30 minutes, six sides X-60 Explosives for 60 minutes T.R.T.L.-60 Oxyacetylene torch for 60 minutes T.X.-60 Torch and explosives for 60 minutes T.X.T.L.-60 Torch, explosives, and tools for 60 minutes
Safe manufacturers sometimes assign their own ratings. An assigned rating will usually mean that the safe offers a level of protection that compares to what UL would assign if given the opportunity to test. A concern exists, however, that without an independently assigned rating or classification, a purchaser has no way of verifying the expected level of protection.
Burglary-Resistive Vaults Any storage container specifically designed to resist forcible entry and large enough to permit a person to enter and move around within, while remaining upright, can be considered a vault. Vault construction consists of reinforced concrete walls, floor and ceiling, and a specially constructed vault door.
Any consideration to build/purchase (prefabricated vaults are available from most large safe manufacturers) must be carefully assessed to ensure cost-effectiveness. The assessment must recognize that the value of the asset to be stored in the vault will likely attract the professionally competent thief. The impact of this is that regardless of construction, the vault will only delay penetration.
In addition to applicable features as mentioned for "burglary-resistive safes," the possibility that an employee(s) may be locked into the vault accidentally or deliberately in a robbery situation must be considered. To ensure safety of employees, all vaults should be equipped with approved vault ventilators and a method of communicating to those outside the vault.
Fire-Resistive Containers Insulated safes, filing cabinets, and record containers that offer varying degrees of protection to contents from exposure to heat are available. The appearance of fire-resistive containers can be particularly deceptive — of necessity, the construction material is totally different from burglary safes. The insulation material used in fire-resistive containers offers little protection from physical assault.
Two very important points in relation to fire-resistive containers are:
Paper records will destruct at temperatures in excess of 350°F (159°C).
Computer tapes /disks will destruct at temperatures in excess of 150°F (66°C).
Underwriters Laboratories tests fire-resistive containers for their ability to protect contents when exposed to heat. Tests are also conducted to determine the container's ability to survive a drop, as might happen when a floor collapses in a fire situation.
Note: It is of the utmost importance to remember that safes and vaults are only designed to delay entry when attacked; they are not impenetrable. For this reason, safes and vaults should always be protected by a burglary alarm system. Similarly, alarm systems should be used to protect the contents of record safes from theft.
UNDERWRITERS LABORATORIES Underwriters Laboratories (UL) is a recognized certification organization for security equipment, security systems, and security monitoring. UL criteria are important in physical security, as it helps to reduce potential litigation by conforming to specific standards. UL has created safety standards for every device, system, and monitoring center that they certify. Many jurisdictions require UL certification prior to commissioning the system, and in many cases, insurance premiums can be reduced for UL-compliant installations.
FENCING The subject of fencing is a much more interesting and important topic than most people first realize. Fencing has been used throughout history as a defense against enemies — the walled city of Pompeii dates back to 800 B.C., and it was not uncommon for the complete frontiers of kingdoms in China to be walled (origin of the Great Wall of China). Closer to home, the old city of Quebec remains the only enclosed city in Canada and the United States.
Modern acts of terrorism and civil disturbance have resulted in innovations in the types and usage of fencing. Barbed tape (razor ribbon), a modern version of barbed wire, is a very effective (if not vicious) defensive, or should we say, offensive material. Its use is rarely justified, except where the highest standards of security are necessary — for example, in a federal penitentiary.
The use of barbed tape in industrial facilities is not common in North America. Barbed tape can be used in coils along the top of fences, instead of the conventional barbed wire overhang. In very high-risk situations, coils of barbed tape stacked in a pyramid configuration between double conventional fences will provide a very effective defense.
Another product of modern terrorism is the freely rotating barbed wire fence topping recently developed in Ireland. When a would-be intruder grabs the overhang in an attempt to gain leverage, a second overhang simply rotates into place. This is more effective than the conventional overhang and much more acceptable for routine application than coils of barbed tape.
Fencing as used in most applications is the common chain-link type with a barbed wire, outward facing overhang. A major weakness with the chain-link fence is the ease with which it can be climbed. To overcome this problem, the British developed the "welded mesh fence." Compared to the 2-square-inch opening in chain-link fence fabric, the welded mesh fence has openings of 1.5 square inches. The openings are 3" X W and run vertically. The narrowness of the openings makes it almost impossible for a climber to gain purchase. The width of the openings also inhibits the use of wire or bolt cutters.
Prior to making any decision on the location and type of fencing, it is necessary to conduct a risk assessment. It is also necessary to gain a thorough understanding of the enterprise's operation.
For the purpose of this article, we will discuss the fencing requirements for a typical manufacturing plant located in an industrial area of a large city. The objective of the fencing program is twofold — to control movement to and from the property, and to minimize the need for costly manpower at control points. The latter is to be attained by keeping the number of perimeter openings to a minimum.
While it is true that the industry is becoming ever more security conscious, it is also true that the owners of industrial facilities do not want their property to look like a prison compound or armed camp. With this in mind, the first objective is to define the boundary of the property. Most often, this will require a combination of structural and psychological barriers.
From a psychological point of view, we are only concerned with defining the boundary — mostly for legal reasons, prevention of trespass, and liability lawsuits. Property definition may be simply a change in landscaping, or indeed, anything that distinguishes the property from its neighbor.
Somewhere between the property line and the area of company activity, it will be necessary to install a structural barrier that will act as a physical deterrence to the would-be intruder. Usually, this barrier is a chain-link fence, and it should be topped with a barbed wire overhang. The following are suggested minimum specifications:
1. Minimum of 7'0" in height excluding top overhang.
2. Wire must be 9-gauge or heavier.
3. Mesh openings must not be larger than 2 square inches.
4. Fabric must be fastened securely to rigid metal or reinforced concrete posts set in concrete.
5. There should be no more than 2 inches between the bottom of the fence and the ground.
6. Where the ground is soft or sandy, the fence fabric should extend below the surface.
7. Top overhang should face outward and upward at a 45-degree angle.
8. Overhang supporting arms should be firmly affixed to the top of the fence posts.
9. Overhang should increase the overall height of the fence by 1 foot.
10. Three strands of barbed wire, spaced 6 inches apart, should be installed on the supporting arms.
11. A clear zone of 20 feet or more should exist between the perimeter and exterior structures.
12. Where possible, a clear zone of 50 feet or more should exist between the perimeter barrier and structures within the protected area.
Vehicular and pedestrian gates in the perimeter fence should be kept to a minimum — ideally, to only one common entry point for employees and business visitors. Depending on the size and layout of the site, it may be necessary to install a secondary entry point for emergency use,
such as access by the fire department. However, this entry point should normally remain closed and locked.
All openings in the perimeter fence should be equipped with gates. Even if these gates are not to be electronically controlled initially, planning should provide for power to each gate location with provision for a remote control capability from the control /security center.
Typically, security control is provided at the first defensible point; however, numerous facilities allow free access beyond this point to an inner control location. This may be beneficial for many reasons, especially in large, heavy traffic plants. Once inside the initial perimeter, signs should direct employees to the employee car park, visitors to an information center, and truck traffic to shipping/ receiving areas. Beyond these points, a secondary secure perimeter should be established.
The employee car park should be completely enclosed; access to the area should ideally be controlled by a card access system. Access from the car park to the plant should be through a control point (manned during shift changes).
In addition to the possible need for a secondary line of defense, there may also be a need for fenced areas to provide secure overnight storage for company vehicles, bulk raw materials, or large finished products. Waste awaiting disposal should also be stored within a fenced area. Fencing may also be required to segregate operational areas, such as stores, tool cribs, and so on.
It is important to remember that fencing is first and foremost a barrier, and that as a barrier, it does not have to be chain-link fencing. If we also remember that fencing will only delay the determined would-be intruder, it should be easy to be flexible regarding the material used. Hedging, poured concrete, solid concrete blocks, and decorative concrete blocks are all suitable fencing material.
If fencing is required to provide a very high level of protection, its use should be supplemented by fence disturbance detectors, motion detectors, and patrolling guards or surveillance by closed circuit television.
CONVERGENCE The term "convergence" is one that is currently commonplace in the physical security arena. Simply put, convergence can be defined as the meshing of physical security, logical security, information technology, risk management, and business continuity into a seamless and integrated system and process. It would be remiss to overlook this important aspect of physical security, as the entire industry is on the road to making convergence a reality.
Organizations that take a holistic view of security and integrate their physical security program into a converged environment are finding mutual benefits within the entire organization. When an organization can integrate their video, intrusion, and access control systems into their information technology systems, there are efficiencies that can improve the entire organization.
A basic example of convergence would be using the access control system over the corporate network to transfer data and integrate with the employee time and attendance system. The human resources department can then utilize the access control database (a physical security subsystem) to track and calculate employee attendance and hours worked. Although this is a
very basic example of convergence, it shows how security technology can drive business efficiency and lower operating costs through convergence.
One of the greatest challenges with convergence is due to many departments having different reporting structures, and correspondingly different missions, within the organization. Budgetary funding and political wrangling can often hinder a converged environment. Some organizations have created a Chief Security Officer (CSO) position to assist in the convergence of information technology and procedures into the physical security function. The CSO position usually has some oversight and direct accountability to make sure that multiple departments work together in a converged environment for the betterment of the organization.
CONTINUING EDUCATION There are many benefits in continuing one's education in the security field. Continued education is part of the career planning phase and should not be overlooked as a method of differentiating oneself in the job market. It is more important than ever today to continually improve one's knowledge and education. Employers are searching for employees that are dedicated to their field and have a wide range of exposure to concepts and theory in security management. If already employed in the security industry, an advanced degree can lead to faster promotions or an increase in salary.
Work experience is also a critical component, and when combined with the proper education, it can lead to opportunities not afforded to those without the benefit of continued education.
Universities such as the University of Leicester in the United Kingdom specialize in the compilation and distance education delivery of security-specific educational opportunities. A bit closer to home, schools such as American Military University, York College of Pennsylvania, and Eastern Kentucky University offer studies that can be tailored to one's specific area of focus. A fairly comprehensive list of universities and colleges that offer security related degree programs can be found online at:
http://www.asisonline.org/education/universityPrograms/traditionalprograms.pdf/
PHYSICAL SECURITY CERTIFICATION ASIS International offers the only board certification program for physical security professionals worldwide. The ASIS Board Certified Physical Security Professional (PSP) designation focuses on one's proficiency in three major domains of knowledge:
1. Physical security assessment
2. Application, design, and integration of physical security systems
3. Implementation of physical security measures
The course reference materials are comprised of eight publications, offering a substantial look at physical security-related topics designed to assist security professionals in their career field.
It is important to point out that the ASIS "Board-Certified" designation brings accreditation to the certification process, and thereby creates a credential that is earned through examination and not just handed out for doing coursework. As such, it has become the most respected professional designation for Physical Security Professionals worldwide.
ASIS International does have eligibility requirements, which include work experience, in order to sit for the PSP certification exam. Additional details can be found online at:
www.asisonline.org/ certification.
EMERGING TRENDS
The physical security field is quickly developing futuristic technologies to meet developing threats. The industry is adopting automated technologies to assist in the detection and assessment phases prior to a security force response. Visual analytics, the science of computer-aided assessment for surveillance systems, is becoming more accurate, which has led to deployments around the world. These analytically driven solutions allow for rapid detection and assessment using facial recognition, psychology of motion, path analysis, and much, much more.
Even "simplistic" devices such as locks are becoming "smart" through the use of computer chips and RFID technology. These smart locks are almost impossible to pick and do not allow for copies of the keys to be made, except when ordered directly from the manufacturer. Surreptitious attack methods on smart locks are difficult, if not impossible, to achieve, thus making such locking devices more effective when protecting critical assets.
Currently, security professionals are being asked to do more, using fewer resources, which can make the task daunting, even for the best and brightest. Recent terrorist attacks have hastened the technology curve in order to develop robust, scalable, user-friendly physical security solutions in the never-ending effort to prevent such acts. The need for new technologies will be critical to allow these practitioners to respond and mitigate the risk. It is evident that as the threats become more sophisticated, physical security technology must improve to meet those challenges, both now and in the future.
SECURITY QUIZ
1. Risks are usually placed into one of three categories. (Select one that does not apply)a) Peopleb) Propertyc) Legal liabilityd) Insurance
2. Physical security planning is a recognized security process that, if followed, will result in the selection of physical countermeasures based on appropriateness.
a) Trueb) False
3. The security planning process consists of following ___________ stepsa) Threeb) Fourc) Fived) Six
4. Security-in-depth is also known as:a) Layered protectionb) Concealed protectionc) Altered protectiond) Necessary protection
5. Microwave detectors use high-frequency sound waves to establish a protected area.a) Trueb) False
6. Deadbolt locks should have a minimum of a ½” throw.a) Trueb) False
7. Card access systems permit accountability.a) Trueb) False
8. The most commonly used security fencing material is:a) Barbed wireb) Barbed tapec) Chain-linkd) Welded wire mesh
9. The minimum height of a security fence should be:a) 7 feetb) 6 feetc) 8 feetd) 10 feet
10. Which of the following types of lighting are only lit on an as-required basis?a) Continuousb) Standbyc) Movabled) Emergency