Development of Security Program Standards: Part I

Standards are always tough to define as they never precisely fit the problem at hand. My point is that it is easier to deal with the 5-10% of the problem that is unique at each facility instead of starting from scratch for each facility. Developing standards forces you to ask some basic but yet difficult questions.

1. Do the facility categories truly fit the corporate portfolio? Do the categories really aggregate facilities with similar security risks and physical features to such an extent that they can be treated as a nearly homogeneous group? The answer to this question must be something on the order of close enough. The glove never fits perfectly, but as stated above, you must be willing to deal with the remaining 5-10% of the problem on a case-by-case basis. Development of the category-specific standards will be a good test of the fit of the categories to the broad spectrum of facilities.

2. What is an appropriate suite of security measures for each facility type? What level of security is really needed within each category? A four- person sales office may not need a fully implemented access control system like the 5,000 person corporate headquarters. In some cases, a simple intrusion detection system for after hours monitoring may be sufficient.

3. Monitoring: Will security be monitored onsite or by an offsite corporate monitoring center? Another option for small systems is an offsite third party. Some sites may utilize a combination of the above. Is the facility critical enough to justify a central monitoring station? If so, can additional economy be achieved by also monitoring physically adjacent (or even geographically remote) sites? What kind of business case can be made for a corporately owned national monitoring center? Can the payback be reduced by getting UL certification and also by monitoring facility fire detection systems?

4. CCTV Utilization: Does the criticality and risk of the facilities in this category justify the expense of CCTV monitoring? This decision not only involves the cost of CCTV camera installation but the (digital) recording equipment and the staff time to manage and periodically monitor the system to ensure correct operation.

The easy one to start with is an intrusion detection system or alarm: every facility needs one. If you are not concerned about an after hours break-in because the facility is not sufficiently critical to your operations, then you don’t need that facility. Most systems of this type are placed into access when the first employee arrives in the morning and secured when the last one leaves at the end of the day. Third party monitoring is normally the most cost effective means of overseeing this type of system. A defined contact list must be developed and maintained for use by the monitoring service in the event an alarm is received. The minimum requirement for all facilities is a basic alarm system.

A next step up would be an access control system. Normally incorporating the features of an alarm system, the access control features allow you to electronically control personnel and vehicular ingress/egress based on the possession of an electronic access credential, entering a memorized personal identification number (PIN), successfully passing a biometric scan or a combination of the above. The ability to monitor and control employee ingress and activities allows easy and reliable electronic segregation of your facilities. Every employee needs access through the perimeter. Not everybody needs access to the research and development labs, the new product marketing development suite or the human resources file room. Visitor control also becomes more manageable as a specially designed credential can easily identify them and provide access to basic areas, easing escort requirements. If you defined your facility categories on the basis of risk, an access control system is a no-brainer for the highest risk category.

Now that we have defined the high and low ends, what about the middle category? Frankly, this is where judgment and operational issues become important. There is no question that if capital budgets, annual operating expenses and operational requirements were not an issue, every facility would have a fully implemented and integrated access control and CCTV system; however, most of us have been through the exercise of balancing risk against cost. Some facilities, as a result of their location, population and inherent value simply do not present sufficient risk to justify anything more than the most basic of systems. The successful security manager, just like all other business managers, will effectively balance all the constraints.

Randy Nason, PE, VP