
Organization Assets Physical Security - Research Paper Example

Summary
The paper "Organization Assets Physical Security" highlights that physical security control can be provided by both natural barriers or artificially engineered barriers. Artificially engineered barriers must be developed in a way that they will correspond to the security system in place…

Extract of sample "Organization Assets Physical Security"

Physical Security

Organizations recognize the aspect of security as important in assuring their best interests. Security professionals have established that risks arise from the existing threat as well as the vulnerability of an asset, which can result in the destruction or loss of the assets. In this case, an asset can be defined as an item of value within the organization such as information, reputation, and people. Therefore, these assets must be protected from possible causes of attack and resulting damage. Organizations may value assets differently, which implies that security measures for specific assets may vary depending on the valuation of the asset [Aus151]. Assets with a higher valuation will often require a higher investment in security measures, and the reverse may also be true.

The Australian government took the initiative to develop management guidelines for physical security [The15]. These management guidelines are applicable in the security zones and provide mitigation and control measures for risks. It is expected that these guidelines would help organizations in developing a reliable methodology for enforcing physical security. According to the Australian Government (2015), the government established these regulations to be adopted in areas such as government facilities, facilities that are tasked with handling information as well as physical assets, and the protection of government employees. From this framework, organizations can develop organizational security risk management plans which will establish the varying levels of control depending on the risk ranking identified by the organization.

Defense in depth

As issues of physical security gain recognition in most organizations, the concept of defense in depth has surfaced (Coole, Corkill, & Woodward, 2012).
The main purpose of defense in depth is to ensure that assets are protected from possible destruction and theft, and that people and information are protected as well. Defense in depth has been identified as a security theory that can be applied by professionals in the provision of physical security. This theory focuses on five major action areas, which include determining the risk, detecting the risks, delaying the risk, establishing the risk and establishing means of recovery [Dav16]. It has been stated that the defense in depth theory and practice has been used for many decades with a simple strategy that ensures assets are enclosed within barriers. The barriers practically prevent penetration or access that has not been authorized. As the barriers slow down unauthorized access, enough time is available for taking the required response as well as for recovery of the asset. Many scholars have argued that the defense in depth theory is a realistic theory whose sense and application have been proven over the years.

When compared to the routine activity theory, it is evident that the latter insists that security measures are taken in situations where a threat has been identified [Int07]. For instance, in case an organization establishes that its finance department has been targeted, the routine activity theory comes into play. The finance department is thus provided with adequate security that would ensure that the equipment, people, and other assets within the department are protected from the possible threat. Coole, Corkill, and Woodward (2012) suggest that this theory can be used alongside the defense in depth theory. However, the routine activity theory emerges as a reactive approach towards security management, whereas defense in depth is a proactive approach. The defense in depth provides an additional security layer for detecting threats in time. On the other hand, the routine activity theory only relies on chance in detecting security risks.
In case the risk is not imminent, the routine activity theory would not recommend security measures [Atl08].

According to the proponents of the theory of defense in depth, the approach requires security professionals to incorporate people within an organization, procedures within the organization and equipment. It implies that the approach demands systems thinking that can account for individual events. In systems thinking, the security layers within the system are identified, as are the subsystems within those layers. In identifying layers, it can be stated that protection in depth adopts an onion ring model for protection. It is also important to note that the approach must at all costs avoid the occurrence of a single point of failure. Multiple detection constituents must be considered alongside multiple delay measures as well as multiple response strategies. Any attempt to penetrate into the security zone has to be detected in time to prevent threats from becoming real. According to Snyder (2016), the defense in depth strategy can also be used for protecting software. Defense in depth has been identified as a strategy that has also been used in the military for maneuvering and securing information [Atl08].

After layers have been established, the defense must be established for application on each layer. In developing the defensive measures, it is recommended to perform a series of penetration tests. In penetration testing, the layers are subjected to some methods that can be used to overcome the security layers and access the protected assets. The penetration testing technique has been identified as the best strategy for identifying gaps within the security layers established by any organization. From the penetration testing, security professionals can determine the various tactics, tools, and technologies that can be used for unauthorized access to the protected areas [Jas11].
Physical security management protocol

According to Australian Government (2011), physical security protocols help organizations in developing insights on how to develop their physical security systems. This document insists that physical security does not only safeguard against threats recognized as security threats but must consider all the possible hazards that an organization is likely to face. Some of the physical threats that an organization is likely to face may come from civil disturbance, crime, conflicts of interest, terrorism, workplace violence, natural disasters, industrial disasters and other risks resulting from accidents. The physical security management protocol was approved by the Attorney General of Australia on July 18, 2016. The protocol also identifies its position in the four levels of the security policy hierarchy.

In the physical security protocol, several issues have been identified as mandatory, such as the need for the heads of organizations to give a clear image of the various stages of physical security implementation [Law12]. These stages include development as well as the implementation of the security policy within the organization. On the part of the agencies, it is required that the government agencies take the initiative to disseminate relevant knowledge to interested parties such as contractors. For this reason, organizations should find it easy to access and use the information in the implementation of the physical security protocol. Organizations have been given the freedom to come up with their specific physical security policies as well as procedures. However, organizations should adhere to the guidelines provided by the Australian Government (2011).

The first line of defense in the physical security of any organization is provided by the employees of the organization. Therefore, organizations should ensure that all employees have adequate awareness of the physical security provisions.
An organization should establish a means by which the employees can be used to provide physical security, such as locking the offices after work [Joh07]. In addition, it is recommended that organizations not only avail information but also resources that would enable the employees to play their roles in providing physical security. These resources and roles should be well defined and availed in every department. The protocol also requires organizations to provide a procedure for reporting security cases as well as to articulate consequences for failing to follow the procedures.

Risk management is important when developing a physical security system [Dav08]. According to Science (2016), the basic components of risk management are the identification of the assets that the organization is required to protect, identification of risks, assessment of risks, mitigation of risks and finally the application of assurance controls. Threat assessment is an important activity that helps an organization establish the type and potential impact of specific risks on assets. This assessment can be done by relying on information from both internal and external sources, where internal sources include staff, and external sources include police officers or private investigators. The risk assessment must include an assessment of risks to people as well as risks to cultural holdings.

Barrier Delay

Barriers in physical security can be in the form of natural barriers or artificial barriers (Coole, 2016). Examples of natural barriers include water bodies such as lakes and oceans, mountains, problematic terrain, and deserts. These features naturally scare away or discourage people from accessing a protected asset. In case people want to overcome these natural barriers, they are required to incur a lot of costs. Since natural barriers are geographically mobile, making use of them would require shifting assets to these areas [Tru14].
Artificial barriers are created by human beings through the use of science and technology in engineering. Engineered barriers are developed based on Isaac Newton's claim that a barrier's resistance force is equal to or more than the target force. Barriers are developed with keen interest in hardness and impermeability, as suggested by Isaac Newton. Engineered barriers include walls, fences, ceilings, windows, grills, and screens. These barriers can be developed using materials such as steel, masonry, wood, plastic and glass.

The Task Committee on Structural Design for Physical Security (1999) claims that barriers can be penetrated in four main ways, which are through, over, around or under. Therefore, when planning to use a barrier, the risks should be assessed to establish the possible routes to the protected assets. Another important assessment should cover the possible tools that can break the barrier, like hand tools, powered tools, detonators and cutting tools [Bru01]. All forms of engineering should ensure that the barriers are capable of resisting destruction from the identified equipment. The barriers should prevent accidental access, forceful access, stealth as well as a combination of all the access channels. The major assumption when creating barriers is that any form of barrier can be overcome, but it requires time. Therefore, barriers should be able to cause a delay of illegal access until a security team is capable of nullifying the threat. All types of engineered barriers have advantages as well as disadvantages, which requires engineers to weigh them and establish the best barrier.

Response

The fact that barriers may exist naturally or be engineered does not guarantee total physical security to assets. According to Philpott and Einstein (2015), most of these barriers are only capable of causing delay and raising the alarm for the security team to take the required measures.
These measures are known as response measures, and they are aimed at saving lives, eliminating the threats and securing assets. Types of responses can be identified based on incidents as well as life safety, while categories can be identified based on immediate onsite response or after-the-fact salvage. According to Clark and Hakim (2016), the response also involves support, which can be in the form of corporate support, state support or federal support. State support may involve the provision of firefighting engines, police and health emergency services. On the other hand, federal support may be provided in the form of federal police as well as defense.

In the case of a threat, a physical security system should have several resources that would alert security personnel as well as staff. Such alerts may come from alarms, IED, and every individual working within the organization must be trained on how to interpret or trigger these signs. Some of the alarms are manually triggered while others are triggered automatically. Therefore, a physical security system must make a critical decision on where to place the alarms. As far as response is concerned, two types of responses can be identified, which are a manual response and an automatic response [Dep15]. Automatic responses are common for threats related to fire, where organizations install sprinklers that are triggered by an abnormal increase in temperature or light. Other threats would require a manual response, which highly depends on the types of risks [Jas11]. Risks caused by natural causes are likely to demand a different kind of response compared to artificial risks. Security response interruption will depend on several factors that include reliable communication, staff adequacy, accessibility by the response force, and reliable communication on the adversarial action. The primary purpose of response action and the response team is to neutralize the security concern [Rop14].
As stated before, an immediate security concern can be neutralized using internal resources or external resources depending on the nature of the attack. For instance, petty burglars can be neutralized by the security officers deployed at an organization. On the other hand, armed robbers can be neutralized by armed police provided by either the local or federal government. In neutralizing threats, security personnel within an organization are required to have basic knowledge of several aspects such as human rights and the roles and responsibilities of security officers. Therefore, the neutralizing approach must be conducted in accordance with the law [DGi02].

A physical security system may detect a threat, but the system may not be able to protect assets in case of understaffing, inadequate weapons, delayed response, inadequate training, and absence of confidence. Therefore, to plan effectively, the security officers in charge have to establish the possible threat-related actions, like theft and sabotage, then link them to types of adversaries such as terrorist, criminal or activist [Ida06]. By establishing these categories, the type of response can be established and the response team can easily determine the type of resources required for neutralization.

In case use of force is required, the security system and the management must have a force procedure. When implementing force procedures, security personnel must also have a way of assessing competence, lines of authority, hierarchy as well as accountability [KRo14]. Use of force can be mistaken for homicide. Therefore, an employee should be ready to defend such actions. However, organizations should install a security system that is logical regarding asset value and cost of protection. For instance, it is not logical to spend more on hiring armed guards to safeguard an asset of lesser value. Security officers recommended to use force must have undergone adequate training, qualification, and recognition by relevant authorities.
These officers must have an understanding of the force continuum that includes deadly force, less lethal force, pepper spray or taser, empty hand control, verbal command and finally physical presence. Use of any of the mentioned levels of force depends on the experience of the security personnel and the retaliation from the person causing the threat.

Conclusion

Physical security control is aimed at protecting important assets from risks such as damage and theft. When developing an integrated physical security management plan, it is critical to recognize five important factors that can also be viewed as strategies. The security system should be able to deter a threat, detect risks, delay penetration, provide a quick option for the response, have a procedure for recovery and finally provide room for reassessment. Physical security control can be provided by both natural barriers and artificially engineered barriers. Artificially engineered barriers must be developed in a way that they will correspond to the security system in place.

Bibliography

Andress, J. (2011). The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. Amsterdam: Elsevier.

Atlas, R. I. (2008). 21st Century security and CPTED: Designing for critical infrastructure protection and crime. Boca Raton: CRC Press.

Australian Government. (2011). Physical Security Management Protocol. Retrieved October 18, 2016, from Commonwealth of Australia: https://www.protectivesecurity.gov.au/physicalsecurity/Documents/Australian-Government-physical-security-management-protocol-v1.5.pdf

Australian Government. (2015). Physical security management guidelines: Security zones and risk mitigation control measures. Retrieved October 17, 2016, from Commonwealth of Australia: https://www.protectivesecurity.gov.au/physicalsecurity/Documents/Security-zones-and-risk-mitigation-control-measures-v1.5.pdf

Australian Government, Attorney-General's Department. (2015). Australian Government physical security management protocol. Retrieved October 18, 2016, from Protective Security Policy Framework: https://www.protectivesecurity.gov.au/physicalsecurity/Pages/Protocol.aspx

Clark, R. M., & Hakim, S. (2016). Cyber-Physical Security: Protecting Critical Infrastructure at the State and Local Level. New York: Springer.

Coole, M. (2016). Physical security: Barrier Delay. Retrieved from SCY 1103, Week 7 Semester 2.

Coole, M., Corkill, J., & Woodward, A. (2012). Defence in Depth, Protection in Depth and Security in Depth: A Comparative Analysis Towards a Common Usage Language. Retrieved October 17, 2016, from Australian Security and Intelligence Conference: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1023&context=asi

Department of Veterans Affairs Physical Security Design Manual. (2015). Physical Security Design Manual for Mission Critical Facilities. Retrieved October 18, 2016, from http://www.cfm.va.gov/til/physicalsecurity/dmphysecmc.pdf

Engebretson, D. J. (2008). Technician's Guide to Physical Security Networking: Enterprise Solutions. Bloomington: AuthorHouse.

Fay, J. (2007). Encyclopedia of Security Management. London: Butterworth-Heinemann.

Fennelly, L. (2012). Effective Physical Security. London: Butterworth-Heinemann.

Ginley, D. (2002). Technology solutions for physical plant security. Retrieved October 18, 2016, from American Water Works Association, 94(2), 46-48: http://www.jstor.org/stable/41297996

Hutter, D. (2016). Physical Security and Why It Is Important. Retrieved October 22, 2016, from SANS Institute InfoSec Reading Room: https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120

Idaho National Laboratory. (2006). Control Systems Cyber Security: Defense in Depth Strategies. Retrieved October 22, 2016, from Homeland Security: http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/Defense_in_Depth_Strategies.pdf

International Atomic Energy Agency. (2007). Assessment of defence in depth for nuclear power plants. Michigan: International Atomic Energy Agency.

Matthews, B. R. (2001). Physical Security: Controlled Access and Layered Defense. Retrieved October 22, 2016, from Auerbach Publication: http://www.ittoday.info/AIMS/DSM/83-20-13.pdf

Philpott, D., & Einstein, S. (2015). The Integrated Physical Security Handbook. Retrieved October 18, 2016, from http://thecounterterroristmag.com/pdf/IntegratedPhysicalSecurityHandbook.pdf

Ricks, T. A., Ricks, B. E., & Dingle, J. (2014). Physical Security and Safety: A Field Guide for the Practitioner. Florida: CRC Press.

Roper, K., & Payant, R. (2014). Facility Security and Planning. Retrieved October 18, 2016, from In The Facility Management Handbook (pp. 339-350): http://www.jstor.org/stable/j.ctt1d2dpsk.27

Roper, K., & Payant, R. (2014). The Facility Management Handbook. New York: Atlanta; Brussels.

Science, E. (2016). Physical Security: 150 Things You Should Know. Amsterdam: Elsevier Science.

Snyder, J. (2016). Six Strategies for Defense-in-Depth: Securing the Network from the Inside Out. Retrieved October 18, 2016, from OPUS: http://www.opus1.com/www/whitepapers/defense-in-depth.pdf

Task Committee on Structural Design for Physical Security. (1999). Structural Design for Physical Security: State of the Practice. New York: ASCE Publications.

The Interagency Security Committee. (2015). Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide. Retrieved October 18, 2016, from https://www.dhs.gov/sites/default/files/publications/isc-planning-managing-physical-security-resources-dec-2015-508.pdf
