Physical security is just as important as logical security to an information security program.

10.12 Summary

We have discussed both fire suppression and physical security systems for data centers. If we do not have these two systems, the data center will still be operational but will be taking on a lot of risk. These system are necessary to protect the data center.

For medium and large data centers, we should not only have a fire suppression system but also a fire alarm detection system. In order to suppress a fire during the first stage, we suggested placing fire alarm detectors in seven different locations. The number of alarm detectors is dependent on both airflow rate and the size of the data center space.

When we discussed fire suppression solutions, we highlighted three typical traditional solutions. Halon, which was one of the popular solutions, has been banned since 1987 due to the Montreal Protocol but it still may exist in many traditional data centers.

In order to eliminate traditional fire suppression solutions, we described the most commonly used fire suppression solutions in today’s data center and then we unveiled the costs and characteristics of these fire suppression solutions.

On the topic of physical security, we answered four fundamental questions (purpose of security, objects, threats, and possibilities) in this chapter. The TIA-942 guidelines suggest different levels of security for different tiers of data center. Practically, data center physical security can be divided into five different security zones. The security system is built around these five security zones. The main function of a physical security system is to scan people. Ironically, the weakest link point is also the people, or the organizational layer. Therefore, the physical security system is important, but the logical (or organizational layer) security system cannot be ignored.

We concluded the chapter with details on how to calculate the physical security cost for both capex and opex.

1.4.2 Technology and Control Systems

Technology and control systems are used in a physical security system to monitor and secure the environment and to detect intrusion. The control systems options for your organization’s facilities include the following:

Exterior (Zone One): Locks and keys, perimeter alarms, motion detection, CCTV, instructional signs, security officers, electronic access controls, and lighting.

Building Perimeter (Zone Two): Locks and keys, alarms, annunciation, motion detection, warning lights, electronic access controls, CCTV, security officers, receptionists, other assigned people, instructional signs, employee badge/ID systems, and visitor badge systems.

Building Interior (Zone Three): Lock and keys, alarms, annunciation, motion detection, electronic access controls, CCTV, security officers, receptionists, other assigned people, instructional signs, employee badge/ID systems, and visitor badge systems.

Restricted Areas (Zone Four): Same as Zone Three, with the additional precaution of a dedicated control system, including a dedicated response, provided for the restricted area. Additional Zone Four precautions include alarm monitoring devices, escorted access to restricted areas, full audit trail of all access, password or PIN number protections, and biometric verification.

Security Operations

As noted in Figure 9.1, an integrated physical security system effectively incorporates an operational element to establish a qualitative program management and response infrastructure. We discuss some of the noteworthy risk issues in Chapter 12, “Safe and Secure Workplaces,” and in Appendix C we provide model procurement documents for selecting a contract guard force. This physical security operational element is the most visible component of a corporate security program and typically comprises the largest share of the security program budget. In many companies it may be the only security program having that label. More sophisticated investigations may be occasional and contracted out under the purview of legal. Likewise, information security becomes a mere operational element of the IT department. What is important to underscore here is the need to establish clear qualitative standards and expectations around these response resources, and to understand their role in the following: premises liability protection; security incident, emergency medical, and business interruption response; and operational management of the security technology infrastructure.

Owing to the budget visibility of security operations, economic downturn, downsizing, and other responses to business pressure, these resources are a potentially fruitful target. Management needs to be cautioned that such times often bring an increased potential for workplace hostility, theft, and sabotage, and reductions in first responder and physical security resources need to be carefully approached. What is that essential level of protection? What is the resource reduction baseline below which you believe the cost of likely risk potential will add to the cost of doing business?

If you refresh your understanding of risk assessment based on the steps discussed in Chapter 3, “Risk Assessment and Mitigation,” and Chapter 4, “Strategic Security Planning,” you have a handle on known vulnerabilities and risk trends. From this foundation you can demonstrate that at various levels of security resource reduction combined with the likely increase of people and property risk, your ability to prevent, detect, and adequately respond will be impacted at an unacceptable exposure to risk.

4.36 Signs

Signs are used as the first level of control in physical security systems.

Signs provide information and are a key element in communication between your organization and the people who work at and visit the company.

Signs also provide instructions and are used to mitigate liabilities. They define areas of operation and control access to restricted areas.

Be certain that your signs are worded carefully to avoid statements that imply security protection or performance beyond that which is provided. For example, statements such as “This area protected by (or secured by) closed circuit television” may imply performance that is not delivered.

Check with your organization’s legal counsel before you post a new sign.

Ask your management and facility security committee to review the signs in your business for the appropriate applications of signs in support of your operational and security needs.

Postings that relate to inspection guidelines need to be carefully reviewed.

88 Master Planning: Physical Systems

The phrase “Master Plan” is more than just an expression. However, it also applies to your Physical Security Systems.

Intrusion alarms

What is it you intend to alarm and protect?

Who will monitor the system?

What components do you intend to use?

How will this alarm fit in your overall plan?

Access control

Is it needed or a requirement?

Will it be a stand-alone or part of a bigger package?

Consider the overall design, the mixture of biometrics.

Badge control must be a part of your plan.

Security surveillance systems

Consider the very latest in technology and equipment because in 5 years it is no longer state of the art.

Consider the monitoring and response as well as how it will be administered.

HD, 1080p, multiscreen digital recording; interior, pan and tilt—consider how and what this system is to achieve.

Control room or front

Consider how it is to be laid out.

Do not stick it all in a closet.

Define the space and define the usage.

Intrusion Detection Systems

An intrusion detection system detects and reports an event or stimulus within its detection area. A response to resolve the reported problem is essential. The emphasis here is on interior sensors. Sensors appropriate for perimeter protection are stressed in Chapter 8. We must remember that intrusion detection systems are often integrated with other physical security systems and rely on IT systems with Internet capabilities.

What are the basic components of an intrusion detection system? Three fundamental components are sensor, control unit, and annunciator. Sensors detect intrusion by, for example, heat or movement of a human. The control unit receives the alarm notification from the sensor and then activates a silent alarm or annunciator (e.g., a light or siren), which usually produces a human response. There are a variety of intrusion detection systems; they can be wired or wireless. Several standards exist for intrusion detection systems from UL, ISO, the Institute of Electrical and Electronics Engineers, and other groups. Types of interior sensors are explained next (Garcia, 2006: 104–122; Honey, 2003: 48–94).

Physical Security Certification

ASIS International offers the only board certification program for physical security professionals worldwide. The ASIS Board Certified Physical Security Professional (PSP) designation focuses on one’s proficiency in three major domains of knowledge:

Physical security assessment

Application, design, and integration of physical security systems

Implementation of physical security measures

The course reference materials are comprised of eight publications, offering a substantial look at physical security-related topics designed to assist security professionals in their career field.

It is important to point out that the ASIS “Board-Certified” designation brings accreditation to the certification process, and thereby creates a credential that is earned through examination and not just handed out for doing coursework. As such, it has become the most respected professional designation for Physical Security Professionals worldwide.

ASIS International does have eligibility requirements, which include work experience, in order to sit for the PSP certification exam. Additional details can be found online at www.asisonline.org/certification.

Emerging Trends

The physical security field is quickly developing futuristic technologies to meet developing threats. The industry is adopting automated technologies to assist in the detection and assessment phases prior to a security force response. Visual analytics, which is the science of computer-aided assessment for surveillance systems, is becoming more accurate, which has led to deployments around the world. These analytically driven solutions allow for rapid detection and assessment using facial recognition, psychology of motion, path analysis, and much, much more.

Even “simplistic” devices such as locks are becoming “smart” through the use of computer chips and RFID technology. These smart locks are almost impossible to pick and do not allow for copies of the keys to be made, except when ordered directly from the manufacturer. Surreptitious attack methods on smart locks are difficult, if not impossible, to achieve, thus making such locking devices more effective when protecting critical assets.

Currently, security professionals are being asked to do more, using fewer resources, which can make the task daunting, even for the best and brightest. Recent terrorist attacks have hastened the technology curve in order to develop robust, scalable, user-friendly physical security solutions in the never-ending effort to prevent such acts. The need for new technologies will be critical to allow these practitioners to respond and mitigate the risk. It is evident that as the threats become more sophisticated, physical security technology must improve to meet those challenges, both now and in the future.

Root Server Operation

The root server operators are not involved in the policymaking regarding Internet names and addresses, nor in modification of the data. They just take what is originated by one of their number (Verisign Global Registry Services) and propagate it to the others. The operators are encouraged to explore diversity in organizational structure, locations, hardware, and software, while maintaining expected levels of physical system security and over-provisioning of capacity. They maintain their own infrastructure for emergencies, including telephone hotlines, encrypted email, and secure credentials. The root servers use distributed anycast where practical, making many separate systems all over the world appear and act as one system with one IP address. The use of anycast helps minimize the effects of denial-of-service attacks.

We haven’t talked about anycast before. In anycast, as in multicast, there is a one-to-many association between addresses and destinations (multicast has groups) on the network. Each destination address identifies a set of receiver endpoints, but (in contrast to multicast) only one of them (determined to be the “nearest” or the “best”) is chosen at any particular time to receive information from a particular sender. For example, in contrast to a broadcast (which goes to everyone) or a multicast (which goes to all interested listeners) sent onto a LAN, a message to an anycast address goes to only one of a set of hosts and is then considered delivered. Anycast (“send this to any one of these”) is more suited to connectionless protocols (such as UDP) than stateful protocols (such as TCP) that have to maintain state information.

Root server operators often struggle to overcome a lot of misconceptions, even on the part of people who should know better. Contrary to what some believe, all Internet traffic does not flow through the root servers (nor do they determine routes), not every DNS query goes to a root server, the “A” system is not special, and there are many more than just 13 machines.

Understanding Convergence

Before we can discuss the idea of converging general security and IT security, we must have a solid idea of what convergence is. As discussed earlier, technology has changed the way companies do business. The advent of the Internet, smaller and faster computers, and satellites have made it possible for globalization to take hold. Think of it this way: In order to monitor a CCTV feed 20 years ago, security companies most likely needed to have a monitoring station on the premises and a fairly large room to house all the equipment. With the technological advances of today, that same job can be done by someone on the other side of the world with just a computer and some hard-drive space. Looking at this from the paradigm of the convergence of general and IT security functions, the CCTV is a physical security system and the lines that transmit the information need to be protected by IT security.

Whereas technology is the driving force behind globalization, globalization is the driving force behind convergence. While there would still be some convergence without the aid of globalization, it certainly would not be to the extent it is today without the rapid expansion of globalization. Since security is a constant anywhere a company has a physical presence, and because of the need for security systems to be integrated, it stands to reason that the two disciplines would converge.

Last, there is integration. This is an essential part of convergence since the whole point is to integrate the technology of both general security and IT security sectors. Whether it be private sector security guards on a military installation, or Target Corporation’s video surveillance division helping out a local police department, the integration of public and private security is crucial to the whole idea of convergence. This already happens on the public level. Joint exercises between military and police agencies of all levels have been going on for quite some time. The inclusion of the private sector only makes sense given the ever-growing role it plays in the overall security picture. Without technological advances, globalization would not have expanded at the rate it has and the need to integrate the general and IT security sectors would be greatly diminished. In a world that seems to be getting increasingly smaller every passing year, the convergence of the two security disciplines is becoming an increasingly more popular decision.

Financial considerations

Before the Columbine High School tragedy, most schools did not have a budget line item for security. They attempted to draw from general operating funds to pay for security measures. Not surprisingly, the approval process required complicated steps and very rarely included options for sustaining the funding. As a result, the school tended to lack a commitment to maintenance, upgrades, and expansion of security systems.

Schools must consider the sustainability, or capacity to endure, of physical security systems. Security measures, such as video surveillance systems, are not one-time expenditures. A video surveillance system will experience growth, such as additional cameras, need updating, and require maintenance. Sometimes products fail. Sometimes they become antiquated. The system may require annual licensing fees. Funds must be set aside to ensure systems are operational and functioning optimally.

Because people generally wait for losses to occur before addressing security needs, state and federal grants tend to appear after school tragedies. In other words, schools cannot always count on the availability of grant funds. Difficult economic times can cause the diversion or cessation of grant program funds.

The U.S. Department of Justice's Office of Community Oriented Policing Services (COPS) offers one notable exception. The COPS program has consistently provided grant funding to schools through state, local, tribal, and territorial law enforcement agencies. Best known for the COPS Hiring Program (CHP), which primarily funds School Resource Officer (SRO) salaries, COPS works in close collaboration with the Bureau of Justice Assistance's (BJA's) Students, Teachers, and Officers Preventing (STOP) School Violence Act of 2018. The STOP School Violence Act funds evidence-based programs, practices, technologies, and equipment.

Occasionally, technology grants and energy-efficiency grants permit the inclusion of security-related items, such as software. Schools may also be able to include door hardware upgrades, such as classroom security locks, when accessing title funds or block grants for facility improvement. Many schools made safety enhancements through the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020.

School security programs may also benefit from private funding sources. Three significant private funding sources include Corporate Foundations, Family Foundations, and Community Foundations. Many of these foundations focus on community safety. Corporate foundations, such as the Allstate Foundation, provide grants that seek to end youth violence. Family Foundations, such as the Wood Family Foundation, look for opportunities to support student safety initiatives. Community Foundations, such as the Greater Milwaukee Foundation, support violence prevention efforts in specific geographical locations.

In addition to public and private funding entities, schools may receive assistance from internal stakeholders. Extracurricular programs and parent organizations can assist in raising funds for security projects. Sometimes, even individual parents and local businesses will donate because of their investment in the community's well-being.

Schools can also access websites dedicated to grant-funding opportunities (see chapter 9, “School Security Resources and Conclusion”). Districts that employ full-time grant writers often find that the individual's salary is more than covered by what is received in grants.

Do not give up on security initiatives due to a lack of funding. Money is not the only way to improve school security. The following chapters will demonstrate no-cost and low-cost ways to reduce risk.