Question to be answered........

Overview

Managing risk in a responsible and effective manner is an enormous task; one that must take into consideration a number of factors, while carrying out efforts in a coordinated manner. In addition, there are various domains in which security must be provided; both from a physical sense, as well as the ever increasing nature of the cyber operating environment as well. This week, we will focus attention as it relates to what is described as the built environment and how the security professional must address issues related to it.

The Built Environment

From an individual, personal standpoint, providing security generally begins where we reside. We take steps to block doors and windows, provide appropriate lighting, perhaps install motion sensors, cameras, and other devices in an effort to alert us of intruders and keep them from entering into our homes. Such physical structures serve as the basis for the built environment, which in essence refers to any human-made structure. Therefore, from the viewpoint of the security profession and those that operate within it, this environment can include everything from corporate offices to shopping malls and everything in between. Yet as noted by Smith and Brooks, this environment must be seen from a broader perspective as well, as transportation systems (roadways, bridges, etc.), the land and surrounding space in which the structures occupy, as well as the overall design must all be considered. Because of this, the security administrator must work hand in hand with facility managers and others that have a direct impact upon these resources.

Risk Management in Practice

Long before security measures are put into place, many of the issues discussed in last week’s lesson related to risk management must be considered. At the outset, those threats and hazards considered to be most likely in relation to the structure within the built environment under consideration must be identified and assessed. What is the probability of their occurrence? What might be the human impact; whether that is employees, visitors, customers, or those located in the surrounding area? Also, especially as it relates to those within the private sector, what might be the potential impact upon business operations? This is not only an issue that influences a company’s “bottom line,” but can directly impact others who depend upon needed goods and services. These are just some of the many questions that will need to be answered in order for appropriate emergency planning to take place. In regards to the various critical incidents that could occur, these can be categorized in various ways; a step that will aid in determining what resources and assistance might be needed to address them. Man-made emergencies, those that come as a result of Mother Nature, as well as issues related to technology all present their own challenges and opportunities. What must be realized is that no single company or those charged with providing its security possess all of the resources and expertise that might be required to adequately manage identified risk. It is therefore incumbent upon them to also identify these assets long before a critical incident takes place. Perhaps the most critical asset concerns those responsible for overseeing the operation of the structure itself; the facility manager. This person and their staff can make or break any security program, so it is imperative that a good working relationship be developed.

Facility Management and Security

Overall, facility management is concerned with coordinating the overall physical workplace, but is carried out through a combination of a variety of efforts related to business administration, behavioral sciences, as well as engineering. Similar to any management function, the facility manager is expected to fulfill a number of roles related to organization, staffing of personnel, leading them in the proper manner, as well as control measures related to the facilities they are responsible for. Speaking of the facilities themselves (the primary component within the built environment) three core factors must be aligned in order to achieve their objectives. Primarily, these include maintaining a positive influence, being aligned in order to be productive, as well as being fit for purpose. InSecurity Science: The Theory and Practice of Security,the simple example is offered of installing an access control device to a particular door. If personnel are forced to deal with access control as they attempt to move packages back and forth through this particular door throughout the day, it can negatively impact productivity. Conversely, if it is propped open in order to aid in the movement of these packages, the original design of heightened security is greatly diminished or eliminated. Therefore, attention must be given to even the smallest of details within this overall environment; the primary responsibility of the facility manager. It is therefore apparent that an intimate and positive working relationship is developed between this individual, their staff, and those overseeing security measures. “Facility management may view security as one of the more universal services that must be provided." (Langston & Lauge-Kristensen, 2002, p. 134). Although each may possess their own sphere of influence that requires their attention and due diligence, a clear understanding of each other’s roles and responsibilities must be acquired in order to achieve the many benefits that this working relationship can offer.

Building Management Systems

Whether the focus is placed upon a single facility or and overall complex, the built environment is made of a host of sub-systems that requires an understanding regarding their security vulnerabilities. For instance, not only does an HVAC system provide heating and cooling services, but it can also include the extraction of heat and smoke if such a need arises. However, what if these capabilities are negatively impacted or eliminated, whether that is a result of a lack of maintenance or a malicious act? This speaks to the overall issue of fire and life safety; a complex, multifaceted endeavor in and of itself. An understanding of fire chemistry, design and construction, human behavior, as well as both passive and active systems are all key elements in overall fire life safety; a study in and of itself. In addition as it relates to HVAC systems, there is what has been labeled as “industrial espionage,” where audio or video listening devices can be installed in the ductwork; yet another security issue that many are not even aware exists. Also, attention must be directed to how people are transported within a facility, namely elevators, and how security regarding them is treated, approached, and controlled. When and how they are to be accessed and utilized in various circumstances (such as during a fire or other type of emergency) must be considered. Yet controlling all of these components from a facility wide basis is what is labeled as an intelligence building system. This term has been used since the early 1980s, but has gained greater acceptance and application as the use of technology increases and plays a larger role in various functions. A perfect example concerns the emergence and growth of “Internet of Things” technologies and their applications. Although a single definition for an intelligent building system doesn’t exist, the primary components of it are somewhat universal; structure, systems, services and management, and the interrelationship between them (Peluffo, 2015). It is becoming increasingly clear that an intelligent building is one that is both connected and efficient. However, in order to maintain these levels of connectivity and efficiency, facility and security managers alike must not only acquire needed competencies regarding these facilities, but work in tandem to fulfill their own roles and responsibilities. So let us now look at some specific ways in which security can be provided and maintained in this environment.

Facility Security Management

Efforts related to emergency preparedness, as well as both facility and security management go hand in hand; so appropriate attention must be given to each area in a way that complements one another. When speaking of overall security goals responsibilities, these must be prioritized in the proper manner, with life safety and protecting people as the overriding concern, followed by the protection of property. Initiatives can be targeted towards these broad categories individually or collectively, such as hardening buildings against structural damage, ensuring that stairwells can accommodate a sufficient number of occupants during an evacuation, providing emergency backup lighting, and offering detailed emergency plans are just some examples. The bottom line is that all activities most complement and support one another. It is therefore the overarching objective of any facility security plan to protect employees, its assets, and products and services it provides from threats; both within and without.

Roles and Responsibilities

Considering not only the myriad of threats that can impact the built environment on any given day, as well as the impact that both physical and technology plays in providing needed security, the future of physical security must involve the information technology manager, security manager, and facility manager (Roper & Payant, 2014). As noted and Chapter 18 of theFacility Management Handbook, each of these positions has various duties and tasks, where the following serves as examples:

Facility Manager

• Create a facility management program that helps reduce security risks


• Assist with developing cost-effective security solutions


• Coordinate with the security manager during the planning, design, and construction phases


• Provide equipment and manpower to support security measures

Security Manager

• Recommend physical security considerations according to the organization’s mission and identified vulnerabilities


• Conduct physical security surveys and inspections in conjunction with facility manager


• Coordinate with local law enforcement agencies


• Establish and enforce uniform security standards and procedures

Information Technology Manager

• Integrate information security procedures and to all business processes


• Determine existing information security capabilities and related gap analysis


• Develop information security plans to contain a security breach and restore critical data


• Plan and conduct appropriate information security training and exercises

Roper and Payant also directed attention to and oftentimes overlooked resource within any organization, and that is its employees. Seen as an overall “force multiplier,” each and every employee must fully understand that security is a shared effort and cannot be discounted or simply feel that it is someone else’s responsibility. Therefore, concerted steps must be taken to educate employees as it relates to what is expected from them in relation to the link that exist between security and preparedness, and then both empowering and supporting them in this shared initiative. Knowledge of the security plan, resources available, providing requisite knowledge, conducting appropriate security drills and exercises, as well as promoting security from both a professional and personal perspective will certainly aid in this effort.

Planning

Before any specific security measures can be implemented, proper attention must be directed towards appropriate planning efforts. Formulated plans must be not only customize to fit the need of what is being focused upon within the built environment, but incorporate an appropriate measure of flexibility as well. So as it relates to planning, the managers noted previously must serve as the catalysts at the outset; formulating the outline that will lead to the formulation and implementation of the overall security plan. The overall plan addresses three important functions. First, it seeks to clarify the organization’s mission to ensure that the proposed security requirements meet and supports it. Secondly, it provides a methodical approach for executing those requirements. Lastly, it provides points of reference whereby established goals and objectives can be appropriately measured and analyzed (Roper & Payant, 2014). However, even though the security, facility, and IT managers may lead this effort, they depend greatly upon the overall team concept, where other individuals will be delegated certain tasks and expectations related to meeting times, agendas, individual responsibilities and overall delivery of the security plan. Once all “major players” have been identified, defined steps can then be taken to develop a plan that addresses security concerns, is realistic in nature, but can also be carried out within the financial constraints imposed. So the overarching approach that must be taken regarding the planning effort includes assessing the current state of security, developing the plan, where the planning team will seek to answer the “what, when, where, and how” questions related to what overall security should look like and how is to be provided, as well as implementing the plan itself. The time from assessment to implementation is impacted by a host of factors, such as initiating needed policies and procedures, developing appropriate educational programs and training, as well as implementing the technology needed to support these efforts.

Security and the Built Environment

The Role of Environmental Design

There is a recognized strategy that has great bearing upon this discussion known as “Crime Prevention through Environmental Design” (CPTED). It involves a number of underlying principles that correspond with one during the design phase of the built environment; one that recognizes that security is far more than just locks, keys, and alarms. It is based on the concept that the design of a facility, complex, etc., incorporating information from the built environment itself can have a positive impact upon both the reduction in crime, but enhancing life experiences at the location as well. As noted in the Facility Management Handbook, there are four different strategies that should be utilized in order to fully benefit from this approach.

Natural Surveillance

For the most part, if someone feels that they are being observed, they are less likely to carry out a crime. Therefore, acknowledging the need to maximize visibility during the design phase is paramount. Having windows that overlook parking lots, entrances, and sidewalks is one facet to consider. Others would include incorporating landscaping away that aids in monitoring efforts, as well as the use of exterior illumination to reduce blind spots and shadows.

Natural Access Control

Regarding the need to control access into a facility or complex, the overall intent is to direct individuals and vehicles to certain locations in a controlled manner. Confining such access to a single entrance, ensuring that entrances are kept clear of vegetation, storage, trash, etc., and taking advantage of fencing, gates, and walls to direct individuals to certain entrances all serve as pertinent examples.

Territorial Reinforcement

This strategy takes full advantage of certain design features in order to discourage malicious activities by making the actions of the perpetrator evidence. Here, boundaries related to the property should be well-defined, either through fencing gates, pavement, sidewalks, or signage. All of these work to make unauthorized personnel uncomfortable, while at the same time providing an overall sense of protection and comfort to those individuals who are justified to be at that location.

Maintenance

The level of maintenance provided to a facility speaks volumes of how well it is managed. Immediately, a positive or negative impression can be made; one that can lend itself to the probability of criminal activity. Broken windows, alarm systems and cameras that are inoperable, and lack of lighting due to a need of repair or basic upkeep can “make or break” a security program.

Facility Security Implementation

Access Control

Serving as a basis for any security program, access control must be clearly defined by an organization in a way that takes advantage needed control measures. Who is allowed to enter the facility, specific times in which this can and should occur, as well as in which areas must be considered. To determine the legitimacy of not only those who are employed there, but others who have a valid reason in being there as well, an appropriate credentialing should be employed. For employees, this can be carried out during the initial hiring phase, and for vendors can be addressed at the outset of the formalized contract that is initiated. There are a host of devices, cards, and keys on the market that can be used to validate one’s credentials. Regarding visitors, it is beneficial to establish some form of control as it relates to directing them to a specific location where there are met by a receptionist, and then escorted to their proper destination. Appropriate badges that are distinct in nature can be assigned upon arrival and approval. Also, with the ever changing nature of technology, communication, credentialing, and authorization procedures can all be carried out in a remote manner.

Deterrents

Preventing unwanted access to a facility must be considered the first line of defense. A robust physical security plan must take a multilayered approach; arranged in such a manner that the area considered to be most vital is at the center and the group perceives the greatest attention. Then, taking a layered approach moving outward, attention would be given regarding the various measures needed to provide overall security. Beginning with the outer perimeter, fences, bollards, lighting, and credentialing efforts serve as examples that would take place here. Working inward, this is where security is actually provided to the structure themselves, where appropriate locks, glazing, coating, and similar applications would be provided for doors and windows. The interior would then receive due attention through various means such as security guards, security cameras, door and window reinforcements an access control, as well as safes provided for certain items.

When considering the type of deterrents that can be employed to achieve overall objectives, they can take on a number of different forms:

• Natural - ditches, waterways, etc.


• Man-made - structural, turnstiles, lighting, technology, etc.


• Human - screening job applicants, identification systems, etc.

One cannot also discount how deterrents can be psychological in nature as well. Although steps might be taken to secure a facility, if employees and customers do not feel safe and secure, then the perception is that security is lacking. Conversely, if the overall stance taken by the organization is one that clearly conveys a proactive stance and communicates that when a regular basis, then psychologically speaking, this can serve as an effective deterrent to anyone wishing to take unwanted actions.

Conclusion

This week’s lesson has taken a cursory look at the built environment, some of the components that make it up, as well as some of the many security measures that can be implemented in this environment. In addition to the actual steps that can be taken to enhance physical security, one cannot discount the great that a close and collaborative relationship between the security, facility, and IT has upon this overall endeavor as well. Turning our attention to next week, we delve deeper into one of the issues touched upon this week; physical security. We will seek to gain a greater understanding of various principles related to the protection of assets, as well as concepts related to crime prevention and approaches that seek to address this and related threats.