Keys to a More Successful Physical Security Program
DESCRIPTION
An effective security program is a living thing. It comprises a myriad of equipment, actions, policies, and procedures, all of which interconnect and rely on each other to provide a comprehensive and effective program. The collection of documents that together form the security program must be, by design and intent, focused on three primary missions: remedial measures, preventative measures, and, overlapping both of these, education. The security plan must accurately describe situations both present and future; capture potential scenarios and consequences; detail the organization’s actions both during and following specific events; and educate the organization on the specific roles specific groups play. Joachim Gloschat's presentation will address all this and more as he explores what makes a successful physical security program.
TRANSCRIPT
INTRODUCTION
Background
US Army
Russian Cryptography Interceptor
○ 1984 to 1987
Mandarin Chinese Intelligence Officer
○ 1989 to 2001
Sept 11, 2001
World Trade Centers
“Working in security is doing God’s work as far as I am concerned. Security work is an opportunity to serve fellow man… There is nothing greater than saving lives.”
Dr. Ona Ekhomu, CPP
Security Management Magazine, March 2007
First Nigerian ASIS Certified Protection Professional
Background
Antiterrorism/Force Protection
2001 – US Corps of Engineers
2002 – Operation Enduring Freedom
2003 – Operation Iraqi Freedom
2004 – Security Management Solutions
○ Federal Energy Regulatory Commission
○ Association of State Dam Safety Officials
○ InterAgency Forum for Infrastructure Protection
Post 9/11
A Paradigm Shift
Threat Dimensions
1. Non-linear/Asymmetrical
2. Off-the-shelf technology
3. WMD and mass casualties
4. Urban fights
5. Avoid decisive battle
Low Tech vs. High Tech
Urban vs. Rural fights
W. Foos, SMS
April 19, 1995
Murrah Federal Building
Aug 7, 1998
US Embassy Nairobi
Sept 11, 2001
World Trade Centers
Physical Attacks
11 March 2004 Madrid Train Bombings:
Spain
Physical Attacks
Sept 2004
Chechnya Rebels
Cyber Attacks
2003-2007 - TITAN RAIN
2006-present - SHADY RAT
2008 - DOD Classified and Unclassified Systems - Contaminated thumb drive
2010 - STUXNET
2011 - 50 DAYS OF LULZ
Cyber Attacks 2012
13.37 million records compromised
189 total breaches
NY Electric and Gas: 1.8m
Global Payments: 1.5m
CA Dept. of Child Support: 800k
Utah Dept. of Technical Services: 780k
MAKING A SECURITY PROGRAM MORE EFFECTIVE
Why is a Security Program so vital?
How does a Security Program Work?
A Security Program protects assets or facilities against:
1. Theft
2. Sabotage
3. Malevolent human attacks
4. Natural Events
What does a Security Program Encompass?
1. Physical Security
2. Cyber Security
3. Personnel Security
4. Information Security
5. Business Continuity
6. Crisis Management
Three Components of a Security Program
Remediation
1. Upgrading PPS
2. Upgrading Security Program
3. Responding to Incidents
4. Implementing Risk Reduction Recommendations
Education
1. R&D
2. SOPs
3. Emergency Response Plan
4. Physical Security Plans
5. Define, Establish, & Update HLS security procedures
6. Guard Contracts
Prevention
1. Maintenance of Systems
2. Assessment – Evaluations
3. SOP Development
4. Integration of Security Operations
5. Training & Exercise of EAPs
6. Implementation of Heightened Security Procedures
Security Documents:
- Threat Assessments
- Vulnerability Study
An Effective Security Program ties it all together.
Fundamentals of Security Integration
People
Policies
Equipment
Procedures
Security Program Measures
1. Preventative measures – Reduce the likelihood of an attack, delay the success of the attack, protect the assets or make them less vulnerable to compromise.
2. Detective measures – Discover the attack and activate corrective or mitigative action.
3. Corrective measures – Reduce the effects of an attack and restore to normal operations.
What are The Steps Necessary?
1. Evaluate
2. Establish
3. Sustain
Step One: Evaluation
1. Mission
2. Assets
3. Consequences
4. Threats
5. Security System Effectiveness
Step One: Evaluation (Mission)
1. What do I buy?
2. What do I sell?
3. How do I produce it?
4. What components do I need to make what I make?
5. What does it take to get those components and deliver the finished product?
How Missions lead to Assets
- Company Mission
- Company Vision
- License Requirements
- Shareholder Mandates
- Products of the facility
- Vendors
- Inventory System
- Shipping and Receiving
- Operational involvement & location of senior executives
Step One: Evaluation (Assets)
1. Physical
2. People
3. Knowledge
4. Information Technology
5. Clientele
6. Any activity that has a positive value to its owner
Step One: Evaluation (Consequences)
What would it take to disrupt operations?
What would it take to stop operations?
What would happen to the vendors, your company, your customers, if operations paused or ceased?
Who and What would be impacted?
The Security Program Arch
[Figure: arch diagram labeled THREAT, INFOSEC, PHYSEC, CYBERSEC, PERSEC]
Step One: Evaluation (Threat)
Natural
Intentional
Unintentional
Step One: Evaluation (Threat)
Threat Categories
- Terrorists (CONUS or OCONUS)
- Ecological
- Militia / Paramilitary
- Rogue
- Racist
- Extremist Group
- Vandals
- Saboteurs
- Criminals
- Cyber Threat
- Gangs
- Other
- Insider(s)
RAM™
UNDERSTANDING THE DESIGN BASIS THREAT
Identifying the Design Basis Threat
- Motivation
- Capability
- History and Behavior Patterns
- Current Activity
- Geographic Access
- Organization & Numbers
- Mobility
- Technology/Tactics
Design Basis Threat (Example)
Adversary Type: Militia/Paramilitary Terrorist Group
Motivation: Ideological/Political/Publicity
Group: Terrorist Cell - 2 to 7 persons – well organized
Tactics: Large scale sabotage
Equipment: Hand tools, construction equipment, 2-way radios
Weapons: Small handguns, rifles, submachine guns
Explosives: Vegan Jell-O, TNT or Equivalent Explosives
Transportation: Sport utility vehicles, all-terrain vehicles, vans, 4x4s, foot access
Intelligence gathering means: Surveillance, Internet research, public record review
Technical skills and knowledge: Sophisticated technical education
Financial resources: Assumed unlimited
Potential for collusion: Disgruntled or planted employee or contractor
Intelligence Methods used by Adversaries
- Open Source Research
- FOIA
- Internet
- Public Domain Technical Reports
- People
- Informers
- Intelligence Agents
- Communications
- Photographs / Surveillance
- Trash
Based on analysis of Asset and Threats, create Asset-Threat Pairing
Not every Asset is considered attractive to the same Threat
Every asset’s protection must be evaluated against its own Design Basis Threat
Step One: Evaluation (Security System Effectiveness)
Basics of Security
1. Detect
2. Assess
3. Delay
4. Respond
5. Integration and Communication
Fundamentals of Security
Protection in Depth & Balanced Protection
Asset
Outer Perimeter
Intermediate Perimeter
Inner Perimeter
Exclusion Zone
What are The Steps Necessary?
1. Evaluate
2. Establish
3. Sustain
Step Two: Establish
1. Fill in the gaps
2. Create what wasn’t there
3. Accept versus Reject Risk
4. Risk Reduction Measures
Security Policies and Procedures
Establish strategic security objectives and priorities for organization
Identify personnel responsible for security functions
Identify the employee responsibilities
Should be aligned with the objectives of the organization
Should cover the following topics
- People
- Property
- Information
What are The Steps Necessary?
1. Evaluate
2. Establish
3. Sustain
Step Three: Sustain
1. Education
2. Exercises
3. Relationships
4. Reevaluation