After careful review of the Commonwealth of Massachusetts “Enterprise Physical & Environmental Security Policy”, the following whitepaper was prepared as a response, utilizing concepts, best practices and the countermeasures & tools available under contract FAC64 “Security Surveillance and Access Control Systems.”
Whitepaper Best Practices For Integrated Physical Security Supporting Ma Itd Sec 10
An AACI White Paper
Auburn Regional Office
489 Washington Street
Auburn, MA 01501
Phone: (508) 453-2731
www.AmericanAlarm.com
Best Practices For Integrated Physical Security Capabilities
Supporting Massachusetts Document Reference: ITD-SEC-10.1
Dated: October 29, 2010 | Entitled
“Enterprise Physical & Environmental Security Policy”
By James E. McDonald
Integrated Systems Consultant
Government Contracts Team
Contents
Executive Summary
The Security Policy Applies To
Perception of Detection and Fraud
Compliance Consulting Process
Overview
Commonwealth Policy Statement
Physical Security Best Practices
Critical Infrastructure and Environmental Monitoring
Implementation
Key External Technology
Key Internal Technology
Policy Basics
Non-Compliance
Identification Procedures
Physical Security Information Management (PISM)
In Summary
FAC64 State Contract
Contact Information
Appendix A: Understanding Physical Access Control Solutions

Any opinions, findings, conclusions, or recommendations expressed in this publication do not necessarily reflect the views of American Alarm & Communications, Inc. (AACI). Additionally, neither AACI nor any of its employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process included in this publication. Users of information from this publication assume all liability arising from such use.

Executive Summary
Physical security technology today is all about the network; if you’re not on the network you are probably not working. The physical protection of facilities, including the perception of detection of negative human behaviors, is the key to effective physical, network security and risk management.

In response to the Commonwealth of Massachusetts Enterprise Physical & Environmental Security Policy (Reference # ITD-SEC-10.1, issued 10-29-2010) issued by the Information Technology Division, this document articulates available physical security and monitoring solutions to meet the requirements that Secretariats and their respective Agency or Contractors’ facilities must address in defining a policy to implement adequate physical and environmental security controls and to secure and protect information, assets, infrastructure and Information Technology (IT) resources by using solutions provided to these departments under Operational Services Division (OSD) procurement contract FAC64.

According to this policy the Secretariats and their respective Agencies must implement the appropriate combination of controls (administrative, technical, physical) to provide reasonable assurance that security objectives are met. Agencies must achieve compliance with the overall information security goals of the Commonwealth including compliance with laws, regulations, legal agreements, policies and standards to which their technology resources and data, including but not limited to personal information (PI), are subject. This policy encompasses existing technologies within each department and the physical security solution technologies themselves, since these integrated solutions are also network appliances.

The Security Policy Applies To
All Commonwealth of Massachusetts Secretariats and their respective Agencies and entities governed by the Enterprise Information Security Policy who must adhere to requirements of this supporting policy.

The requirements described in the ITD-SEC-10.1 document must be followed by:
• Executive Department employees
• Executive Department Secretariats and their respective Agencies, in addition to any agency
or organization that connects to the Commonwealth’s wide area network (MAGNet), are required to ensure compliance by any business partner that accesses Executive Department IT resources or shared environments, e.g. MAGNet; and
• Contractors or vendors performing work in or providing goods and services to Commonwealth managed spaces
• Visitors to any Commonwealth managed physical space (e.g. offices, buildings, and network closets) or resource.

Other Commonwealth entities are encouraged to adopt, at a minimum, security requirements in accordance with this Enterprise Physical and Environmental Security Policy or a more stringent agency policy that addresses agency specific and business related directives, laws, and regulations.

The Operational Services Division (OSD) is the Commonwealth’s central procurement agency, whose primary role is to coordinate the procurement activity for commodities and services on Statewide Contracts and Commonwealth Executive Branch Departments. OSD Contract FAC64 for Security, Surveillance and Access Control Systems is a new (2010) statewide contract that covers all security, surveillance and access control needs with monitoring services, locksmiths, security cameras, lobby turnstiles, CCTV, vehicle access barrier, metal detectors, x-ray machines and locks. Labor under this contract is covered under the Prevailing Wage Law.

Statewide Contracts are written to meet the needs of public purchasers, including but not limited to: Executive and Non-Executive Branch departments, municipalities, counties, public colleges and universities, public purchasing cooperatives, local schools, state facilities, public hospitals, certain non-profit organizations, independent authorities, political sub-divisions and other states.

American Alarm has been awarded a three-year designation as an approved provider of video surveillance, access control, intrusion protection, alarm monitoring and related security systems by the Commonwealth of Massachusetts.

Covered under the state's purchasing contract known as "FAC64 Security Surveillance and Access Control Systems", the state's designation of American Alarm establishes preferred pricing for any eligible public entity in Massachusetts. Additional information concerning this 3 year contract is available on-line at http://www.americanalarm.com/business-security/fac64-state-contract

The following protective programs and technologies involve measures designed to prevent, deter, detect, and defend against threats; reduce vulnerability to an attack, internal losses, and other disaster; mitigate consequences; and enable timely, efficient response and restoration in any post-event situation. Protective programs that benefit the Commonwealth are in place at many facilities. American Alarm and Communications, Inc. (AACI) has designed, installed and continues to monitor a range of integrated security systems for public entities including:

• Executive Office of Health and Human Services (EOHHS),
• The Judicial Branch/Trial Courts,
• Department of Revenue (DOR),
• Registry of Motor Vehicles,
• Massachusetts Medical Examiner’s Office in Boston and Holyoke,
• State Firefighting Academy in Stow,
• Hampden County Sheriff’s Outreach Center in Springfield,
• Western Massachusetts Hospital in Westfield, among others.

Perception of Detection and Fraud
The following describes what is known as the fraud triangle. In order for fraud or most crime and “Negative Behaviors” to occur, all three elements have to be present. The Commonwealth and its individual Departments can take steps to influence all three legs. Commonwealth employees should be cognizant of pressures and how they relate to the Commonwealth’s overall security risk. Rationalizations can be reduced by promoting a strong sense of ethical behavior amongst employees and creating a positive work environment. By
implementing strong internal controls, the Commonwealth can remove much of the opportunity for negative behaviors to occur and can increase the chances of detection.

This, the most widely accepted theory for explaining why people steal, was postulated in the early 1950s by Dr. Donald R. Cressey while working on his doctoral dissertation on the factors that lead people to steal from their employers. He called them ‘Trust Violators’; he was especially interested in the circumstances that lead otherwise honest people to become overcome by temptation. To serve as a basis of his work he conducted about 200 interviews with inmates at Midwest prisons who at the time were incarcerated for embezzlement. Today this work still remains the classic model for the occupational thief. Over the years his original hypothesis has become known as the Fraud Triangle.

Financial Pressure
Financial Pressure is what causes a person to commit fraud. Pressure can include almost anything including medical bills, expensive tastes, addiction problems, etc. Most of the time, pressure comes from a significant financial need/problem. Often this need/problem is non-sharable in the eyes of the fraudster. That is, the person believes, for whatever reason, that their problem must be solved in secret. However, some frauds are committed simply out of greed alone.

Rationalization
Rationalization is a crucial component in most frauds. Rationalization involves a person reconciling his/her behavior (stealing) with the commonly accepted notions of decency and trust. Some common rationalizations for committing fraud are:
• The person believes committing fraud is justified to save a family member or loved one.
• The person believes they will lose everything – family, home, car, etc. if they don’t take the money.
• The person believes that no help is available from outside.
• The person labels the theft as “borrowing”, and fully intends to pay the stolen money back at some point.
• The person, because of job dissatisfaction (salaries, job environment, treatment by managers, etc.), believes that something is owed to him/her.
• The person is unable to understand or does not care about the consequence of their actions or of accepted notions of decency and trust.

Opportunity
Opportunity is the ability to commit fraud. Because fraudsters don’t wish to be caught, they must also believe that their activities will not be detected. Opportunity is created by weak internal controls, poor management oversight, and/or through use of one’s position and authority. Failure to establish adequate procedures to detect fraudulent activity also increases the opportunities for fraud to occur.

Of the three elements, opportunity is the leg that organizations have the most control over. It is essential that organizations build processes and procedures, and use technology and controls, that don’t needlessly put employees in a position to commit fraud and that effectively detect fraudulent activity if it occurs.

Opportunity-Rationalization-Financial Pressure
The key is that all three of these elements must exist for the trust violation to occur. Technology has always been used to attack the opportunity leg to create the perception that if you try you will be detected. "Crede Sed Proba" or “Trust but Verify” is the key to eliminating negative behaviors and to policies being followed, thus minimizing fraud. A fraud prevention consultant can discuss the “Red Flags” of fraud in further detail.
Compliance Consulting Process
Our countermeasures and services today can provide a detailed assessment of all processes, policies and procedures such as purchasing, cash handling, work flow management, information technology, client intake, human resources, billing, etc.

We review security goals, objectives, and requirements, and align business and technology strategies for protecting assets by consolidating external compliance and security best practice requirements into a common control framework. Then we review the existing policies and security architecture against the controls necessary to achieve compliance requirements, review the effectiveness of policies and procedures, conduct an audit and track and document actual data. We prioritize gaps, vulnerabilities, and possible loss scenarios according to risk, and present findings and prioritized recommendations for addressing discovered weaknesses. To assist our customers in developing a framework of compliance we at American Alarm and Communications, Inc., have developed a six-step process.

1. Set Goals and Objectives. The Secretariats and their respective agencies define specific outcomes, conditions, end points or performance targets as guiding principles to collectively constitute an effective physical security/risk management posture.
2. Identify Assets, Systems. The identification of assets and facilities is necessary to develop an inventory of assets that can be analyzed further with regard to criticality of information needing protection.
3. Assess Risks. We approach each security risk by evaluating consequence, vulnerability and threat information with regard to attack or other hazard to produce a comprehensive rational assessment.
4. Prioritize. We have found that it is not appropriate to develop a single, overarching prioritized list for the Commonwealth; many factors may come into play such as locations, lease terms, etc.
5. Implement Solutions. There is no universal solution for implementing protective security measures; different departments and agencies implement the most effective solutions based on their assessments.
6. Measure Progress. By measuring the effectiveness of protective solutions and their performance, together we can continually improve the security infrastructure at each facility.

We will collaborate with you to develop a road map in design, implementation and best practices of physical security solutions which are aligned with your department’s or agency’s mission and values and that will support rather than hinder its operation.

Overview
In today's ever-growing regulatory compliance landscape, organizations can greatly benefit from implementing viable and proven physical security best practices.

There are plenty of complicated documents that can guide companies through the process of designing a secure facility, from the gold-standard specs used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like ASIS International, to safety requirements from the likes of the National Fire Protection Association.

Recent federal legislation, ranging from the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act of 2002 (SOX) to Homeland Security Presidential Directive 7 (HSPD-7), is putting intense pressure on public and private entities to comply with a myriad of security and privacy issues. What’s more, the public is looking for assurances that a strong control environment is in place to protect private information with security best practices.

Homeland Security Presidential Directive 7 (HSPD-7) identified 18 critical infrastructure and key resources (CIKR) sectors and designated Federal Government
Sector-Specific Agencies (SSAs) for each of the sectors.

• Agriculture and Food Sector
• Banking and Finance Sector
• Chemical Sector
• Commercial Facilities Sector
• Communications Sector
• Critical Manufacturing (CM) Sector
• Dams Sector
• Defense Industrial Base (DIB) Sector
• Emergency Services Sector (ESS)
• Energy Sector
• Government Facilities Sector
• Healthcare and Public Health Sector
• Information Technology (IT) Sector
• National Monuments and Icons (NM&I) Sector
• Nuclear Sector
• Postal and Shipping Sector
• Transportation Systems Sector
• Water Sector

Each sector is responsible for developing and implementing a Sector-Specific Plan (SSP) and providing sector-level performance feedback to the Department of Homeland Security (DHS) to enable gap assessments of national cross-sector CIKR protection programs. SSAs are responsible for collaborating with public and private sector security partners and encouraging the development of appropriate information-sharing and analysis mechanisms within the sector.

For example, the 2010 Information Technology (IT) Sector-Specific Plan (SSP) is the result of a collaborative effort among the private sector; State, local, and tribal governments; non-governmental organizations; and the Federal Government. The 2010 IT SSP provides a strategic framework for IT Sector critical infrastructure and key resources (CIKR) protection and resilience. The combined efforts across IT Sector partnerships will result in the prioritization of protection initiatives and investments to ensure that resources can be applied where they contribute the most to risk mitigation by lowering vulnerabilities, deterring threats, and minimizing the consequences of outside attacks and other incidents.

Commonwealth Policy Statement
In this section are excerpts from the “Enterprise Physical & Environmental Security Policy”.

Secretariats and their respective Agency or Contractors’ facilities housing information and IT Resources (e.g. telephone networks, data networks, servers, workstations, storage arrays, tape back-up systems, tapes) must protect the physical space in accordance with the data classification of the IT Resource or the operational criticality of the equipment.

Agencies are required to implement controls to secure against unauthorized physical access, damage and interference to the agency’s premises, information and other assets including, but not limited to, personal information (PI) and IT Resources by implementing:

1. Workforce Security: Secretariats and their respective Agencies must implement administrative and managerial controls that engage the workforce through awareness and participation. To accomplish this, Secretariats and their respective Agencies must:

• Identify a management team that will be responsible for managing and enforcing the requirements detailed in this policy. The Secretariat or Agency ISO or designee must be part of the management team.
• Implement appropriate procedures that address at a minimum:
  o Misplaced or stolen keys or any other items used to gain physical access.
  o Suspicion of any potential physical security threat including potential break-ins or the presence of unauthorized persons.
  o Changes in procedures for medical, fire or security events.
• Ensure storage of and access to sensitive information or resources on portable media are handled in a manner that is consistent with this policy and the classification level of the data.
• Educate any individual requiring access to Commonwealth managed space of their responsibility to comply with this policy prior to providing access, including:
  o Helping to ensure that agency access points (entrances/exits) in work areas remain secure. Specifically, locked doors must remain locked and any access codes, keys, badges or other access devices must not be left in accessible places or shared in an unauthorized manner.
  o Notify employees that failure to comply with this policy and related policies and procedures may result in disciplinary action.
  o Notify vendors, consultants, or contractors that failure to follow this policy or related policies and procedures may be grounds for termination of existing agreements and may be considered in evaluation and negotiation for future agreements.

2. Least privilege: Agencies must apply the principle of least privilege when granting physical access rights to individuals.

• Physical access controls must be granted at the lowest level of access, rights, privileges, and security permissions needed for an individual to effectively perform authorized tasks on any IT Resource or information or within a Commonwealth managed facility.
• It is important to understand the role of the individual who is granted access and how that role impacts the privilege requirements. For example, the role of a delivery driver, the individual responsible for janitorial services in secure areas, and the network administrator each have different roles that require varying levels of privilege.
• Agencies must also address the technical, operational and managerial controls necessary to achieve compliance with least privilege in those instances where authorized users have physical access to logically separated data, applications and/or virtualized hosts.

3. Visitor control: Agencies must develop and enforce procedures to monitor and control access to secure IT facilities and offices by visitors. Examples of visitors may include contractors, vendors, customers, friends/family of employees and employee candidates. Procedures must address:
• Requirements for use and maintenance of visitor logs.
• Requirements for visitor identification.
• Requirements specific to a given security zone, e.g. escorted access to highly sensitive areas.

4. Facility access controls of IT Resources: Secretariats and their respective Agencies must implement, or ensure third party implementation of, physical access controls for all Agency IT facilities and offices that they are responsible for, including access controls for public areas, deliveries and loading areas. Access controls must be implemented based on the data classification or operational criticality of the IT Resources that are housed within a given facility or security zone. A security risk assessment must be performed and documented to locate (map) physical areas and the levels of security needed at each location.

Appropriate levels of security controls must be installed at areas needing higher levels of security.

Acceptable methods for implementing such controls include but are not limited to:
• Electronic Card Access.
• Traditional Lock and Key Access.
• Motion and Breach Detection System.
• Video Monitoring.
• Security Service Provider or Third Party Monitoring Service.
• Attendants, Security Guards or Police Officers.
• Paper or Electronic Logs.

5. Equipment and Environmental security: Secretariats and their respective Agencies are responsible for ensuring that Commonwealth managed facilities (including IT facilities, offices or facilities that house telephone networks, data networks, servers, workstations, and other IT-related systems) can implement adequate environmental safeguards to ensure availability and protect against damage (e.g. from high heat, high humidity, etc.). Environmental safeguards that must be evaluated, implemented and maintained as appropriate include:
• Secure installation and maintenance of Network cabling that protects against damage to the physical cabling and/or unauthorized interception of data traversing the network cables.
• Ability to monitor and detect variation in temperature and humidity associated with the use of Heating, Ventilation and Air Conditioning (HVAC) systems.
• Use of industry standard methods for maintaining consistent power supply including backup generators and/or Uninterrupted Power Supplies (UPS).
• Use of industry standard network components including routers, switches, intelligent hubs and associated cabling.
• Use of leak detection devices (water).
• Use of fire detection and suppression devices including fire extinguishers and sprinkler systems.
• Protection against environmental hazards such as floods, fires, etc.

Any changes to the deployed environmental safeguards which affect the availability of assets or information must be reported immediately to the business owner, service manager and ISO or management team as required by Secretariat or Agency procedures.

6. Equipment Maintenance: Agencies must have maintenance procedures in place to accomplish the following:
• Keeping all systems and IT equipment maintained and updated per manufacturer recommendations to ensure availability and integrity of the data and services provided by the equipment.
• Ensuring that all maintenance, troubleshooting and repair services are provided by authorized personnel.
• Keeping current documentation including maintenance logs, fault logs, diagnostic details, service records and corrective measures taken.
• Ensuring adequate controls are implemented for off-site equipment prior to sending the equipment off-site for any reason. At a minimum, Agencies must:
  o Securely remove any sensitive data that does not need to reside on the equipment.
  o Have reasonable assurance that the party responsible for the equipment while it is off site understands and accepts responsibility for protecting the equipment, information about the equipment or information stored on the equipment at the appropriate level based on the sensitivity classification of the equipment and associated information.

7. Secure disposal, removal, or reuse of equipment: Agencies must document and implement procedures to reasonably ensure secure handling and disposal of IT-related equipment, particularly hardware that contains data classified as having high or medium sensitivity. Procedures must, at a minimum, accomplish the following:

• Secure removal or overwriting of licensed software prior to disposal.
• Effective and permanent removal of the contents/data on the storage device of computing equipment using industry standard techniques or tools to make the original information non-retrievable. Note: Using the standard delete or format function is an unacceptable method of achieving this goal.
• Ensure all equipment containing storage media, e.g., fixed hard drives, are checked to verify that any licensed software or information classified as having medium or high sensitivity are removed or overwritten prior to disposal.
• Specify whether damaged storage devices, particularly those containing information classified as having high or medium sensitivity, must be repaired or destroyed. Procedures may require that a risk assessment be performed to determine how the device will need to be handled. For example, does the content of the device indicate that the device should be physically destroyed rather than sent out for repair or discarded?

What should be the high-level goals for making sure that physical security for the facility is built into the designs, instead of being an expensive or ineffectual afterthought?
From the moment an individual arrives on the grounds and walks through the doors, the following items should be part of a facility physical security best practices program.

Physical Security Best Practices
This section discusses our ideas on best-in-class physical security concepts that we use in our analysis of each department. Computer systems and networks are vulnerable to physical attack; therefore, procedures should be implemented to ensure that systems and networks are physically secure. Physical access to a system or network provides the opportunity for an intruder to damage, steal, or corrupt computer equipment, software, and personal information. When computer systems are networked with other departments or agencies for the purpose of sharing information, it is critical that each party to the network take appropriate measures to ensure that its system will not be physically breached, thereby compromising the entire network. Physical security procedures may be the least expensive to implement but can also be the most costly if not implemented. The most expensive and sophisticated computer protection software can be overcome once an intruder obtains physical access to the network.

At the same time these countermeasures are tools that not only protect the IT network but also the employees, visitors and citizens at Commonwealth facilities.

Purpose
This section identifies potential physical threats to facilities, hardware, software, and sensitive information. This section also recommends best practices to secure computer systems from physical intrusion.

Principles
Identify potential physical threats to departmental computer systems and networks. Establish policies and procedures to thwart potential physical threats. Conduct audits to monitor employee compliance with department policies and procedures.

Policies
An organization should consider including the following physical security policies in the organization’s overall security policy:
• Identify unauthorized hardware attached to the department computer system—make routine checks of system hardware for unauthorized hardware.
• Limit installation of hardware and software owned by employees on department desktop workstations.
• Identify, tag, and inventory all computer system hardware.
• Conduct regular inspections and inventories of system hardware.
• Conduct unscheduled inspections and inventories of system hardware.
• Implement policies that instruct employees/users on how to react to intruders and how to respond to incidents in which an intrusion has been detected.

Physical security practices should address threats due to theft, vandalism, and malicious internal or external staff.

• Theft—Theft of hardware, software, or data can be expensive due to the necessity to restore lost data and the cost of replacing equipment and software. Theft also causes a loss of confidence in the department that may have compromised the network.
• Vandalism—Vandalism in most cases is not directed at compromising a system or network so much as it is the senseless destruction of property. Both external and internal perpetrators may pose a vandalism threat. Low morale in an organization may be the underlying reason for vandalism caused by internal perpetrators. The actual threat to a network posed by vandalism is difficult to assess because vandalism is generally not motivated by a conscious effort to compromise a network. Like theft, vandalism can be expensive due to the necessity to replace damaged equipment and software.
• Threats Posed by Internal and External Staff—Internal and external intruders may attempt to manipulate or destroy IT equipment, accessories, documents, and software. The potential of damage caused by the manipulation of intruders increases the longer they remain undetected, thereby increasing their knowledge
of the system and their ability to wreak havoc on a network. The threats may include unauthorized access to sensitive data and outright destruction of data media or IT systems. Internal staff may attempt to modify privileges or access unauthorized information, either for their own purposes or for others. This may result in system crashes or breaches in other areas of the network opened up through configuration errors.
• Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same background checks as a department’s full-time employees, but they may be granted the same high level of access to the system and network. Contractors and consultants will sometimes know the applications and operating systems running on the network better than department employees. Temporary employees should be closely scrutinized until a level of trust can be established. Consulting firms and contract agencies should be questioned about their hiring policies and standards. Cleaning staff may also cause threats either by theft of system components or from using the system improperly, such as by accidentally detaching a plug-in connection, allowing water seepage into equipment, or mislaying or discarding documents as trash.
• An intruder may attempt to masquerade as or impersonate a valid system user by obtaining a false identity and appropriating a user ID and password. Someone may be misled about the identity of the party being communicated with for the purpose of obtaining sensitive information. An intruder can also use masquerading to connect to an existing connection without having to authenticate himself, as this step has already been taken by the original participants in the communication.
• Social engineering can be used by internal or external intruders to access sensitive information. Intruders act like department staff and use keywords during conversations to obtain information. “Sounding” occurs by telephone when intruders pose as staff, as in the following examples:
  o A staff member who must urgently complete an assignment but has forgotten his password.
  o An administrator who is attempting to correct a system error and needs a user password.
  o A telephone technician requesting information, such as a subscriber number or modem configurations and settings.

Applying the following physical security measures mitigates these threats.

• Identification of Unauthorized Hardware Attached to a System—Establish policies to limit employees from attaching unauthorized hardware to the office system. Unauthorized hardware includes computers, modems, terminals, printers, and disk or tape drives. The policies should also restrict software that employees may load onto the office system. Implement policies regarding opening unidentified e-mail attachments and downloads off the Internet.
• Perform monthly audits of all systems and peripherals attached to the network infrastructure. Make random inspections of equipment to search for unauthorized attached hardware to the network. Identify missing or misplaced hardware. Search and identify any unauthorized hardware attached to the network.
• Inspect computers and networks for signs of unauthorized access. Search for intrusion or tampering with CDs, tapes, disks, paper, and system components that are subject to physical compromise by damage, theft, or corruption.
• Protection against Break-In—Intruders choose targets by weighing the risk and effort versus the expected reward. Therefore, all measures implemented to prevent break-ins should increase the risk to the intruder of being caught. The possible measures for protection against break-ins should be adapted to each specific
situation. Protect doors or windows by adding security shutters. Add additional locks or security bars. Add additional lighting inside and outside the building. Seek advice from police and security professionals. When planning physical security measures, care must be taken to ensure that provisions relating to fire and personal protection (e.g., regarding the serviceability of escape routes) are not violated. Staff must be trained on the anti-burglary measures that are to be observed.

• Entry Regulations and Controls—A fundamental but frequently overlooked aspect of sound internal security is the physical restrictions placed on access to systems and networks. Having good physical security in place is a necessary follow-up to whatever office building security an organization may have in place. Know who is entering department offices at all times, and ensure that all secure areas are locked and access is restricted. Network security measures can be rendered useless if an intruder can bluff his way past the entrance security; walk into a computer room; and take diskettes, tapes, or servers.

• Strangers, visitors, craftsmen, and maintenance and cleaning staff should be supervised. Should the need arise to leave a stranger alone in an office, the occupant of that office should ask another staff member to supervise or request the visitor to wait outside the office. If it is not possible to accompany outsiders, the minimum requirement should be to secure the personal work area: desk, cabinet, and computer. The requirement for this measure must be explained to the staff and should be made part of department policy and training.

• Control entry into buildings and rooms housing sensitive equipment. Security measures may range from issuance of keys to high-tech identification systems. When implementing policies for entry regulation, consider the following:

• The area subject to security regulations should be clearly defined.
• The number of persons with access should be reduced to a minimum.
• Authorized persons should be mutually aware of others with access authority in order to be able to recognize unauthorized persons.
• Visitors should only be allowed to enter after the need to do so has been previously verified.
• The permissions granted must be documented.
• Access should be limited by locked rooms/entrances, physical zones, and identification badges.
• A record must be kept of accesses.
• Challenge protocols should be added.

Entrance Security Staff—Establishment of an entrance control service has far-reaching, positive effects against a number of threats. However, this presupposes that some fundamental principles are observed in the performance of entrance control. Entrance security staff must observe and/or monitor all movements of persons at the entrance. Unknown persons must prove their identity to the entrance security staff. Before a visitor is allowed to enter, a check should be made with the person to be visited.

A visitor must be escorted to the person to be visited or met by the latter at the entrance. Security staff must know the office employees. In case of termination of employment, security staff must be informed of the date from which this member of staff is to be denied access. A visitor log should be kept to document access. The issuance of visitors’ passes should be considered. The job duties of security staff should be designed specifically to identify their tasks in support of other protective measures, such as building security after business hours, activation of the alarm system, and checking of outside doors and windows.

Alarm System—An alarm system consists of a number of local alarm devices that communicate with a control center through which the alarm is triggered. If an alarm system covering break-ins, fire, water, CO, and other gases is installed and can be
expanded, surveillance provided by this system should include, at a minimum, the IT core areas (such as server rooms, data media archives, and technical infrastructure rooms, public areas). This will enable threats such as fire, burglary, or theft to be detected immediately so that countermeasures can be taken. To ensure that this is the case, it is imperative that the alarms be sent on to a central command center that is permanently staffed 24/7/365. It is important that this facility have the expertise, equipment, and personnel required to respond to the alarm. The guidelines of the organization concerned for connection to the respective networks should be considered here.

Security of Windows and Doors—Windows and outward-leading doors (e.g., balconies, patios) should be closed and locked whenever a room is unoccupied. Instructions to close windows and outside doors should be issued, adding barriers or films and regular checks should be made to see that windows and doors are closed by occupants after leaving the rooms.

The doors of unoccupied rooms should be locked. This will prevent unauthorized persons from obtaining access to documents and IT equipment. It is particularly important to lock individual offices when located in areas accessible by the public or where access cannot be controlled by any other means. Staff should be instructed to lock their offices when they leave, and random checks should be made to determine whether offices are locked when their occupants leave.

In an open office, where cubicles dominate and it is not possible to lock individual offices, employees should lock away their documents in their desks, and a secure desktop workstation policy should be implemented (additional information on formulating this policy can be found later in this section).

Unauthorized Admission to Rooms Requiring Protection—If unauthorized persons enter protected rooms, damage may be caused by intentional and unintentional acts. After an unauthorized intrusion, office routines may be disrupted in order to search for damage, theft, and unauthorized or missing hardware or software. Intentional or unintentional damage to systems may be caused by temporary help who are employed to substitute for cleaning staff. Temporary help may accidentally clean workstations and sensitive equipment with solutions or by methods damaging to hardware.

Identification of Secure Rooms—Secure rooms such as the server room, computer center, data media archives, and air conditioning unit should not be identified on office locator boards or by name plates affixed to the room door. Identifying these sensitive areas enables a potential intruder to prepare more specifically and thus have a greater chance of success.

Location of Secure Rooms in Unexposed Areas of Buildings—Secure rooms should not be located in areas exposed to view or potential danger. They also should not be located on the first floor of buildings that are open to view by passersby or that are exposed to attack or vandalism. First-floor rooms are more likely to be easily observed or exposed to breaking and entering. Rooms or areas requiring protection should be located in the center of a building, rather than in its outer walls.

Inspection Rounds—The effectiveness of any measure will always be commensurate to the enforcement of that measure. Inspection rounds offer the simplest means of monitoring the implementation of measures and the observance of requirements and instructions.

Inspection rounds should not be aimed at the detection of offenders for the purpose of punishing them. Rather, controls should be aimed primarily at remedying perceived negligence at the earliest possible moment, such as by closing windows or taking documents into custody. As a secondary objective, security breaches can be identified and possibly avoided in the future. Inspection rounds should also be made during office hours to inform staff members about how and why pertinent regulations are being applied. Thus, they will be perceived by all persons concerned as a help rather than a hindrance.

Proper Disposal of Sensitive Resources—Sensitive information not properly disposed of may be the
source of valuable information for persons seeking to do harm. An intruder, competitor, or temporary staff can gain valuable information in a low-tech manner by simply going through trash for discarded paperwork that might contain sensitive information. At a minimum, shred all papers and documentation containing sensitive company information, network diagrams, and systems data to prevent a security breach by those who might seek information by rummaging through trash. Employees should be advised against writing down user IDs or passwords.

In the case of functioning media, the data should be overwritten with random patterns. Nonfunctioning data media, such as CDs, should be destroyed mechanically. The recommended disposal of material requiring protection should be detailed in a specific directive and in training; adequate disposal facilities should be provided. This includes storage devices and media (i.e., floppy and hard disks, magnetic tapes, and CDs/DVDs). If sensitive resources are collected prior to their disposal, the collected material must be kept under lock and be protected against unauthorized access.

Secure Desktop Workstations—The first line of defense in physical security is to secure desktop workstations. Effective training in the organization’s policies and procedures to secure desktop workstations should be a significant part of network and information security strategy because of the sensitive information often stored on workstations and their connections. Many security problems can be avoided if the workstations and network are appropriately configured. Default hardware and software configurations, however, are set by vendors who tend to emphasize features and functions more than security. Since vendors are not aware of specific security needs, new workstations must be configured to reflect security requirements and reconfigured as requirements change.

Remote Workstations—There is usually a higher risk of theft at home because homes are usually not protected to the same extent as the workplace. Workstations at home are accessible to family members and visitors who may intentionally or unintentionally manipulate business-related data on the workstation, if data is not properly protected. Inadvertent or intentional manipulation affects the confidentiality and integrity of the business-related information, as well as the availability of data and IT services on the workstation. Appropriate procedures should be implemented to achieve a degree of security comparable with that prevailing on office premises.

Suitable Configuration of a Remote Workplace—It is advisable to assign a secure room for use as a workplace at home. Such a workplace should at least be separated from the rest of the premises by means of a door.

IT equipment intended for professional purposes should be provided by the employer, and the use of these services for private purposes should be prevented by formal policies. Employees who work at home should be questioned regularly or periodically as to whether their workplace complies with security and operational requirements.

Theft of a Mobile IT System—Laptop or mobile IT systems create a greater risk of theft or damage. Due to the inherent nature of a mobile system, it will often be removed from the confines of a secure office. Therefore, policies should be implemented to safeguard mobile IT systems.

Suitable Storage of Business-Related Documents and Data Media—Business-related documents and data media at the home workstations must only be accessible to the authorized employee, and when they are not in use, they must be kept in a locked location. A lockable desk, safe, or cabinet must be available for this purpose. At a minimum, the lock must be capable of withstanding attacks using tools that are easy to create or purchase. The degree of protection provided by the drawer should be appropriate to the security requirements of the documents and data media contained therein.

In facilities and offices that operate as “Special Facilities” or are otherwise high risk, there are additional practices that should be reviewed in the design and planning process.

Restrict Area Perimeter
Secure and monitor the perimeter of the facility.
Have Redundant Utilities
Data centers need two sources for utilities, such as electricity, water, voice and data. Trace electricity sources back to two separate substations and water back to two different main lines. Lines should be underground and should come into different areas of the building, with water separate from other utilities. Use the Facility's anticipated power usage as leverage for getting the electric company to accommodate the building's special needs.

Deter, Detect, and Delay
Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful.

Pay Attention to Walls
Foot-thick concrete is a cheap and effective barrier against the elements and explosive devices. For extra security, use walls lined with Kevlar.

Avoid Windows
Think warehouse and not an office building. If you must have windows, limit them to the break room or administrative area, and use bomb-resistant laminated glass.

Use Landscaping for Protection
Trees, boulders and gulleys can hide the building from passing cars, obscure security devices (like fences), and also help keep vehicles from getting too close. Oh, and they look nice too.

Keep a 100-foot Buffer Zone Around the Site
Where landscaping does not protect the building from vehicles, use crash-proof barriers instead. Bollard planters are less conspicuous and more attractive than other devices.

Use Retractable Crash Barriers at Vehicle Entry Points
Control access to the parking lot and loading dock with a staffed guard station that operates the retractable bollards. Use a raised gate and a green light as visual cues that the bollards are down and the driver can go forward. In situations when extra security is needed, have the barriers left up by default, and lowered only when someone has permission to pass through.

Plan for Bomb Detection
For facilities that are especially sensitive or likely targets, have guards use mirrors to check underneath vehicles for explosives, or provide portable bomb-sniffing devices. You can respond to a raised threat by increasing the number of vehicles you check, perhaps by checking employee vehicles as well as visitors and delivery trucks.

Limit Entry Points
Control access to the building by establishing one main entrance, plus another one for the loading dock. This keeps costs down too.

Make Fire Doors Exit Only
For exits required by fire codes, install doors that don't have handles on the outside. When any of these doors is opened, a loud alarm should sound and trigger a response from the security command center.

Use Plenty of Cameras
Surveillance cameras should be installed around the perimeter of the building, at all entrances and exits, and at every access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal. Footage should be digitally recorded and stored offsite.

Protect the Building's Machinery
Keep the mechanical area of the building, which houses environmental systems and uninterruptible power supplies, strictly off limits. If generators are outside, use concrete walls to secure the area. For both areas, make sure all contractors and repair crews are accompanied by an employee at all times.

Personnel Surety
Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and, as appropriate, for unescorted visitors with access to restricted areas or critical assets.
Plan for Secure Air Handling
Make sure the heating, ventilating and air-conditioning systems can be set to recirculate air rather than drawing in air from the outside. This could help protect people and equipment if there were some kind of biological or chemical attack or heavy smoke spreading from a nearby fire. For added security, put devices in place to monitor the air for chemical, biological or radiological contaminants.

Ensure nothing can hide in the walls and ceilings
In secure areas of the facility, make sure internal walls run from the slab ceiling all the way to subflooring where wiring is typically housed. Also make sure drop-down ceilings don't provide hidden access points.

Use two-factor authentication
Biometric identification is becoming standard for access control to sensitive areas of facilities, with hand geometry or fingerprint scanners usually considered less invasive than retinal scanning. In other areas, you may be able to get away with less-expensive access cards.

Harden the Core with Security Layers
Anyone entering the most secure part of the facility will have been authenticated at least three times, including at the outer door. Don't forget you'll need a way for visitors to buzz the front desk (IP Intercom works well for this). At the entrance to the "data" part of the facility. At the inner door separates visitor area from general employee area. Typically, this is the layer that has the strictest "positive control," meaning no piggybacking allowed. For implementation, you have two options:

-A floor-to-ceiling turnstile
If someone tries to sneak in behind an authenticated user, the door gently revolves in the reverse direction. (In case of a fire, the walls of the turnstile flatten to allow quick egress.)

-A "mantrap"
Provides alternate access for equipment and for persons with disabilities. This consists of two separate doors with an airlock in between. Only one door can be opened at a time, and authentication is needed for both doors.

At the Door to an Individual Computer Processing Room
This is for the room where actual servers, mainframes or other critical IT equipment is located. Provide access only on an as-needed basis, and segment these rooms as much as possible in order to control and track access.

Watch the Exits Too
Monitor entrance and exit—not only for the main facility but for more sensitive areas of the facility as well. It'll help you keep track of who was where, when. It also helps with building evacuation if there's a fire.

Prohibit Food in the Computer Rooms
Provide a common area where people can eat without getting food on computer equipment.

Install Visitor Rest Rooms
Make sure to include rest rooms for use by visitors and delivery people who don't have access to the secure parts of the building.

Critical Infrastructure and Environmental Monitoring
"Critical infrastructure" is defined by federal law as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
American Alarm & Communications, Inc. provides technology and services to monitor many key areas of your operation.

Communication between your business alarm system and our Monitoring Center is a critical part of your protective system. Our Underwriters’ Laboratories (U.L.) Listed Monitoring Center is the core of American Alarm’s sophisticated communications operation. In the event of an alarm, the CPU in your security system sends an alarm signal to our monitoring facility through the phone lines (800 numbers are not used, given their unreliability). The signal is then retrieved by our monitoring center, and our operators quickly notify the appropriate
authorities, as well as the designated responder, of the emergency.

AACI Monitoring Capabilities
• Fire
• Hold-Up
• Intrusion
• Halon/Ansul
• Panic/Ambush
• Man Down
• Elevator Phones
• Off-Premises Video
• HVAC/Refrigeration
• Sprinkler/Tamper/Flow
• Power Loss/Low Battery
• Gas/Hazardous Chemicals
• Water Flow/Flood Alarms
• Environmental Devices (CO2/CO/ETC.)
• Radio/Cellular Back-Up Communications

Implementation
At American Alarm and Communications, Inc., we utilize and integrate multiple solutions to create a physical security compliance and risk management solution that can automate and enforce physical security policies, from restricting area perimeter and securing site assets to personnel surety and reporting of significant security incidents; this helps to ensure both governance and compliance utilizing an organization’s existing physical security and IT infrastructure.

We can centrally manage all regulations and associated controls and automate assessment, remediation and reporting as per defined review cycles. Automatically trigger compliance-based actions, such as rule-based generation of actions/penalties, based on physical access events. Correlate alarms and identities to better manage situations and responses across the security infrastructure. Incorporate real-time monitoring and detailed risk analysis tools to instantly enforce, maintain and report on compliance initiatives.

Key External Technology

Entry Point
Facilities are generally designed with a central access point that’s used to filter employees and visitors into the facility. All requests are vetted by a security guard with an intercom link to ensure that they have a legitimate reason for entering the premises.

Automatic Bollards
As an alternative to a guard-controlled gate, automatic bollards can be used at entry points. These short vertical posts pop out of the ground to prevent unauthorized vehicles from driving onto the site. When a vehicle’s occupants are verified by a guard, an access card or other secure process, the bollards are quickly lowered to allow the vehicle to enter. When in the lowered position, the top of each bollard is flush with the pavement or asphalt and completely hidden. The bollards move quickly and are designed to prevent more than one vehicle from passing through at any one time.

Closed-Circuit TV / Surveillance
External video cameras, positioned in strategic locations, including along perimeter fencing, provide efficient and continuous visual surveillance. The cameras can detect and follow the activities of people in both authorized and “off limits” locations. In the event someone performs an unauthorized action or commits a crime, the digitally stored video can supply valuable evidence to supervisors, law enforcement officials and judicial authorities. For added protection, the video should be stored off-site on a digital video recorder (DVR).

Key Internal Technology

Lobby/Public Areas
With proper software and surveillance and communications tools, a staffed reception desk, with one or more security guards checking visitors’
credentials, creates an invaluable first line of access control.

Surveillance
Like their external counterparts, internal cameras provide constant surveillance and offer documented proof of any observed wrongdoing.

Biometric Screening
Once the stuff of science fiction and spy movies, biometric identification now plays a key role in premises security. Biometric systems authorize users on the basis of a physical characteristic that doesn’t change during a lifetime, such as a fingerprint, hand or face geometry, retina or iris features.

Mantrap
Typically located at the gateway between the lobby and the rest of the facility, mantrap technology consists of two interlocking doors positioned on either side of an enclosed space. The first door must close before the second one opens. In a typical mantrap, the visitor needs to first “badge-in” and then once inside must pass a biometric screening in the form of an iris scan.

Access Control List
Defined by the facility customer, an access control list includes the names of individuals who are authorized to enter the facility environment. Anyone not on the list will not be granted access to operational areas.

Badges and Cards
Visually distinctive badges and identification cards, combined with automated entry points, ensure that only authorized people can access specific facility areas. The most common identification technologies are magnetic stripe, proximity, barcode, smart cards and various biometric devices.

Guard Staff
A well-trained staff that monitors site facilities and security technologies is an essential element in any access control plan.

Loading and Receiving
For full premises security, mantraps, card readers and other access controls located in public-facing facilities also need to be duplicated at the facility’s loading docks and storage areas.

Operational Areas
The final line of physical protection falls in front of the facility’s IT resources. Private cages and suites need to be equipped with dedicated access control systems while cabinets should have locking front and rear doors for additional protection.

Humans are the weakest link in any security scheme. Security professionals can do their best to protect systems with layers of anti-malware, personal and network firewalls, biometric login authentication, and even data encryption, but give a good hacker (or computer forensics expert) enough time with physical access to the hardware, and there’s a good chance they’ll break in. Thus, robust physical access controls and policies are critical elements of any comprehensive IT security strategy.

According to a report by the SANS Institute, “IT security and physical security are no longer security silos in the IT environment; they are and must be considered one and the same or, as it should be called, overall security.”

It is the innermost layer—physical entry to computer rooms—over which IT managers typically have responsibility, and the means to have effective control over human access focuses on a set of policies, procedures, and enforcement mechanisms.

Policy Basics
Given their importance and ramifications on employees, access policies must come from the top leadership. After setting expectations and behavioral ground rules, actual facility access policies have several common elements. The most essential are definitions of various access levels and procedures for authenticating individuals in each group and their associated privileges and responsibilities when in the facility.

Step 1
Authorize, identify and authenticate individuals that require physical access:
• Identify the roles that require both regular as well as occasional physical access and identify the individuals that fill these roles.
• Provide standing authorization and a permanent authenticator to individuals that require regular access.
• Require individuals that require occasional access to submit a request that must be approved prior to access being attempted or allowed.
• Authenticate individuals with regular access requirements through the use of their assigned permanent authenticator.
• Authenticate individuals with occasional access requirements through the use of a personal identification mechanism that includes name, signature and photograph.

Step 2
Verify that work to be performed has been pre-approved or meets emergency response procedures:

• Verify against standard Change Control procedures.
• Verify against standard Maintenance procedures.

Step 3
Make use of logs to document the coming and goings of people and equipment:

• Assign the responsibility for the maintenance of an access log that records personnel access. Record the following:
o Date and time of entry.
o Name of accessing individual and authentication mechanism.
o Name and title of authorizing individual.
o Reason for access.
o Date and time of departure.

• Assign the responsibility for the maintenance of a delivery and removal log that records equipment that is delivered to or removed from facilities. Record the following:
o Date and time of delivery/removal.
o Name and type of equipment to be delivered or removed.
o Name and employer of the individual performing the delivery/removal and the authentication mechanism used.
o Name and title of authorizing individual.
o Reason for delivery/removal.

Non-Compliance
Violation of any of the constraints of these policies or procedures should be considered a security breach and depending on the nature of the violation, various sanctions will be taken:

• A minor breach should result in written reprimand.
• Multiple minor breaches or a major breach should result in suspension.
• Multiple major breaches should result in termination.

Although older facilities typically just consisted of a large, un-partitioned raised-floor area, newer enterprise facilities have taken a page from ISP designs by dividing the space into various zones—for example, a cage for high-availability servers, another area for Tier 2 or 3 systems, a dedicated network control room, and even separate areas for facilities infrastructure such as PDUs and chillers. Such partitioned facilities provide control points for denying access to personnel with no responsibility for equipment that’s in them.

Identification Procedures
The next step in a physical security policy is to set up controls and identification procedures for authenticating facility users and granting them physical access. Although biometric scanners look flashy in the movies and certainly provide an added measure of security, a magnetic stripe badge reader is still the most common entry technology, as it’s simple, cheap, and effective and allows automated logging, which is a necessary audit trail.
One problem with magnetic readers is their susceptibility to tailgating, or allowing unauthorized personnel to trail a colleague through an entryway. That’s why we advise supplementing doors and locks with recorded video surveillance.
I also like to add a form of two-factor authentication to entry points by coupling a card reader (“something you have”) with a PIN pad (“something you know”), which reduces the risks of lost cards. I also recommend using time-stamped video surveillance in conjunction with electronic access logs and a sign-in sheet to provide a paper trail.

Access levels and controls, with identification, monitoring, and logging, form the foundation of an access policy, but two other major policy elements are critical: standards of conduct and behaviors inside the facility, such as prohibitions on food and beverages or tampering with unauthorized equipment, and limitations and controls on the admission of personal electronics such as USB thumb drives, laptops, smart-phones, or cameras.

Policies should also incorporate processes for granting access or elevating restriction levels, an exception process for unusual situations, sanctions for policy violations, and standards for reviewing and auditing policy compliance. Stahl cautions that penalties for noncompliance will vary from company to company because they must reflect each enterprise’s specific risk tolerance, corporate culture, local employment laws, and union contracts.

Physical Security Information Management (PSIM)

The PSIM Platform enables the integration and organization of any number and type of security devices or systems and provides a common set of services for analyzing and managing the incoming information. It also serves as the common services platform for video and situation management applications.

Effectively maintaining security of critical infrastructure does not happen by accident; it means giving your security professionals the best security/software tools available today. By unifying your existing surveillance system and providing spatial context to your camera feeds, PSIM brings out the best of your equipment.

To investigate day-to-day incidents, as well as prepare for emergency situations, the security department makes use of a vast network of video cameras, access control points, intercoms, fire and other safety systems. PSIM unifies all of these disparate feeds, including systems from diverse manufacturers, into a single decision-oriented Common Operating Picture. Within the PSIM Platform are five key components:

Integration Services – Multiple strategies are used for connection, communication with, and management of installed devices and systems from multiple vendors. The PSIM Platform offers complete support for the industry’s most commonly-used device types – out of the box. In addition, it employs a customizable “pipeline” architecture to receive device events. This architecture exploits commonalities among similar devices (including format and protocol) and reduces the need for one-off adaptations. Network connectivity is achieved using combinations of multiple communications protocols.

Geo-Location Engine – The Geo-Location Engine provides spatial recognition for geo-location of devices and supports situation mapping functionality. The physical position of devices is stored in an internal knowledge base as GIS/GPS positions or building coordinates. The engine uses the information to determine relevance and to select and relate devices involved in a given situation. The system uses the information to overlay graphical representations of security assets and activities onto Google-type maps or building layouts.

Routing Engine – The Routing Engine is an intelligent switch that connects any security device to PSIM command interfaces or output device(s) and accommodates any required transformation of formats and protocols between connected devices. In most cases, devices connect directly to each other and exchange data streams directly, avoiding possible bottlenecks that would arise from routing all traffic through a single centralized server. An internal knowledge base of all connected devices and their characteristics is maintained by the Routing Engine, which uses that information to ensure a viable communication path, compatibility of signal format and acceptable quality of service.
Rules Engine – The PSIM Platform contains a powerful Rules Engine that analyzes event and policy information from multiple sources to correlate events, make decisions based upon event variables and initiate activities. Pre-packaged or user-written rules define the events or event combinations for identifying and resolving situations in real time according to business policies.

Dispatch Engine – The Dispatch Engine integrates with communications infrastructure to initiate external applications or the transmission of messages, data and commands. Dispatch actions are automatically triggered by the rules engine as it executes recommendations for situation resolution. Operators can manually initiate actions as well. The system integrates and analyzes information from disparate traditional physical security devices including analog and digital video.

The key benefit of today’s technology is that it allows system users to do more with less, getting maximum benefit through integrated technologies with each system (both new and old) and with the goals of company policies and procedures like never before.

In Summary
American Alarm and Communications, Inc., is in a unique position to improve personal protection of key individuals as a Massachusetts-based Underwriters Laboratories (UL) Listed, and United States Federal Government (DOD) recognized 24-hour Security Command Center and Central Station. Every day we manage a full range of security, communication and escalation procedures specifically designed for our key customers. Our founders, three engineers from the Massachusetts Institute of Technology (MIT), have worked to bring the benefits of new technology and solutions to our customers. Though we have grown over the years, our mission has remained the same: to provide the best possible security technologies across Massachusetts.

Key Services and Capabilities
• Physical Security Site Surveys
• Physical Security Information Management (PSIM)
• Privacy Protecting Camera Systems (PPCS)
• Design, Engineering and Consulting
• Installation, Maintenance and Monitoring of Fire & Life Safety Solutions
• Integrated Access Control, Intrusion Detection and Surveillance Solutions
• Emergency Communications with Wired and Wireless Networks
• Burglar, Fire Alarm Monitoring (In Our Own Massachusetts UL Listed & DOD Certified Central Station)

Our experience working with management, facility and security professionals within the Commonwealth has been rewarding. Compliance with this policy has been the goal for most departments, and as the new budget year begins we look forward to continuing our work to further compliance and improve the physical security technologies and monitoring, implementing measures to protect personnel, equipment, property and the network against anticipated threats.

It’s time to get physical—as in physically protecting all facilities and all of their assets. Yet physical security is often placed on the back burner, largely forgotten about until an unauthorized party manages to break into or sneak onto a site and steal or vandalize systems.

Today’s security systems include:
• Intrusion and Monitoring Systems
• Access Control Systems
• Visitor Management Systems
• Surveillance Systems
• Emergency Communications Systems
• Physical Security Information Management (PSIM) Software Platforms

Our commitment to supporting the terms of the contract is best stated by our President, Wells Sampson: “We continue to serve the unique needs of public clients, and our track record of strong service was one of the reasons the Commonwealth expressed continuing confidence in our company and approved our program for another three years.”

As a manager, you have the responsibility to support this physical and environmental security policy implementation throughout your respective
departments and/or Agencies by creating a culture that embraces, reinforces and demands security best practices that are consistent with the policy and the facility. Within this culture is the need to understand the human variable. This encompasses anyone who interfaces with operations, including managers, facility operators, maintenance personnel, other employees, customers, delivery people, clients and visitors.

The human element affects everything with regard to security and reliability. How it is addressed may depend on external factors such as the law, collective bargaining guidelines and even prudent management practices. Within each Agency or Department, responsibility assignments for policy compliance should be defined. Therefore, all policies and procedures must take into account the human variable. Best practices require that physical security be treated as a fundamental value.

FAC64 State Contract
The FAC64 contract gives you a way to acquire all the tools necessary for your department or Agency, all with a three-year warranty on all parts and labor.

Countermeasures are constantly improving and changing and can be used to counter multiple risks beyond the scope of this discussion. The need for these solutions goes back to a time before the Roman Empire. The tools evolve but the needs remain the same.

All departments and agencies are subject to security & fraud risks and need to complete a physical security/fraud risk assessment for their agency on a periodic basis.

Contact Information
James E. McDonald
Integrated Systems Consultant
Government Contracts Team
American Alarm and Communications, Inc.
489 Washington Street
Auburn, Massachusetts 01501
Direct Phone: (508) 453-2731
Direct Fax: (781) 645-7537
Email: JMcDonald@AmericanAlarm.com

Links:
American Alarm Website: www.AmericanAlarm.com
Blog: www.SecurityTalkingPoints.com
Twitter: www.Twitter.com/physectech
Bio: http://www.linkedin.com/in/physicalsecuritytechnologist
Site Survey Request: http://fs2.formsite.com/physectech/form1/index.html

Association Memberships: ASIS International, ASIS Boston, International Association for Healthcare Security and Safety, IAHSS Boston, Association of Certified Fraud Examiners (ACFE)
Appendix A: Understanding Physical Access Control Solutions

KEYS
Strengths:
• Most traditional form of access control
• Easy to use
• Don’t require power for operation
Weaknesses:
• Impossible to track if they are lost or stolen, which leaves facility vulnerable
• Potential for unauthorized sharing of keys
• Difficult to audit their use during incident investigations
• Difficult to manage on large campuses with multiple doors
• Re-coring doors when a key is lost or stolen is expensive
Comments:
• Several solutions are currently available on the market to manage keys and keep key holders accountable.

LOCKS: Maglock
Strengths:
• Easy installation
• Economical
• Easy retrofit
• Quiet operation
Weaknesses:
• Power always on (fail-safe)
• Typically requires exit device to break circuit
• Requires backup power supply for 24-hour service
Comments:
• DC only
• Comes in different “pull” strengths
• Check extra features, such as built in door sensor

LOCKS: Electric Strike
Strengths:
• Can be either fail-secure or fail-safe
• Does not need constant power
• Door knob overrides for safe exit
Weaknesses:
• Door/lock hardware experience needed
Comments:
• Requires more door hardware experience than Maglock
• Specify for life-safety requirements
• Can be both AC and DC (DC lasts longer)
• Fail-safe must have power backup
• Fail-secure most popular

ACCESS CARDS
Strengths:
• Access rights can be denied without the expense of re-coring a door and issuing a new key
• Can limit access to a building to certain times of the day
• Systems can provide audit trails for incident investigations
Weaknesses:
• Prone to piggybacking / tailgating (when more than one individual enters a secure area using one access card or an unauthorized person follows an authorized person into a secure area)
• Users can share cards with unauthorized persons
• Cards can be stolen and used by unauthorized individuals
• Systems are more expensive to install than traditional locks
• Require power to operate
Comments:
• Can incorporate a photo ID component
• Can be used for both physical and logical access control
• Card readers should have battery backup in the event of power failure
• Tailgate detection products, video surveillance, analytics and security officers can address tailgating issues
• Can integrate with video surveillance, intercoms and intrusion detection systems for enhanced security

ACCESS CARDS: Magnetic Stripe
Strengths:
• Inexpensive to issue or replace
Weaknesses:
• Not as secure as proximity cards or smart cards
• Can be duplicated with relative ease
• Subject to wear and tear
Comments:
• These are the most commonly used access control cards by US campuses and facilities

Strengths:
• Durable
• Convenient
• More difficult to compromise
Weaknesses:
• Cost more than magstripe cards