How to Develop and Implement a Security Master Plan
TIMOTHY D. GILES
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2009 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-1-4200-8625-6 (Hardcover)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the Auerbach Web site at
http://www.auerbach-publications.com
This book is dedicated to my wife, Linda, who has encouraged me to undertake this task and supported me through this process as well as my children, Amy and Kelly, who have cheered me on to complete this work. It is also dedicated to the many security professionals that I have worked with over the years as a tribute to their unselfishness in sharing their knowledge and skills with me. I hope my sharing of this information will repay them in some small way.
Contents
Author Page xv
Introduction xvii
Security Master Plan Process xix
Intent of the Master Plan xxi
1 The Business of Security 1
Why Should You Develop a Security Master Plan? 1
Engaging the Stakeholders 3
What Should Your Security Philosophies Be? 4
Contract Security Relationship 6
What Should Your Security Strategies Be? 6
Technology Migration Strategy 11
Equipment Replacement Schedules 13
2 Evaluate the Business’s Risks 15
Potential Risks to the Business 15
Defining What Your Risks Are 16
Information Gathering 17
The Workplace Violence Risk and Beyond 18
Domestic Violence in the Workplace 21
Other Risk Factors 22
Risks of Fraud and Corruption 24
Theft Risks 25
Overseas-Related Risks 26
Acts of Nature 27
Information Sources 28
Human Resources and the Security Plan 29
Reacting to a Defined Risk 31
Placing a Value on the Impact of Risk 32
3 Conducting a Site Security Assessment — Part 1 35
Assessing Aspects of Security Administration 35
Security Administration 35
Documenting Post Orders and Procedures 36
Post Orders — Best Practices 37
Security Personnel Selection and Staffing Considerations 40
Employee Selection and Staffing Considerations 42
Application Form 42
Security Manual Documentation 43
Security Education Awareness 43
Contract Management and Audit 47
4 Conducting a Site Security Assessment — Part 2 49
Assessing Aspects of Physical Security 49
Physical Security 49
Security Staffing 49
Exterior Security Assessment — Vehicle Access Controls 52
Parking Lot Security 53
Proper Use of Signage 54
Security Processing Operations — Visitor and Contractor Controls 55
Proper Use of Lighting 56
Barriers, Doors, and Building Perimeters 57
Mechanical Locking Systems — Locks and Keys 58
Submaster System 60
Key Administration 62
Security Officer Patrols 63
Security Officer Review 64
Crime Prevention Through Environmental Design 65
Perimeter 66
Site 66
Buildings and Parking Garages 66
Security Staffing 68
Monitoring and Administering Physical Protection Systems 68
Stationary and High-Visibility Posts 69
Emergency Response Capabilities 70
Facilities Service Interruptions 70
Natural Emergencies 70
Civil or Hostile Attack or Violence 70
Training 71
5 Conducting a Site Security Assessment — Part 3 75
Assessing the Electronic Systems 75
Electronic Systems 75
Event Driven 76
Fully Integrated 77
Closed Circuit Television 79
Access Control Systems 87
Access Control System Policy 89
Access System Policy — Purpose 89
Access System Policy — Terms 89
Access System Policy — Requirements 90
Alarm Sensors and Reporting 90
Radio Systems 94
Technology Status — Current and Future 95
6 Conducting a Site Security Assessment — Part 4 97
Assessing Information Protection 97
Information Security Protection Programs 97
Information Protection Programs 98
Computer and Network Security Ownership 98
Security and Computer Use Standards for Employees 100
Scope 101
Introduction 101
Security Requirements 102
Security of Your Personal Workstation 102
When Leaving Your Office or Work Area 103
When Traveling or Working Away from Your Office or Work Area 103
Handheld Devices 104
Computer Viruses and Other Harmful Codes 104
Security Firewalls 104
File Sharing 105
Copyright and Intellectual Property 106
Releasing XYZ Information into the Public Domain 107
Protecting XYZ Information 107
Passwords 107
Calendars 108
Protecting XYZ Confidential Information 108
Using Telephones or Fax Machines 109
Using Teleconferencing Systems 109
XYZ Internal Networks 109
Implementing a Classification System 110
Classification and Control Requirements 110
Classification Structure 111
Responsibilities 111
Controls 112
Internal Disclosure 112
External Disclosure 112
Safekeeping and Storage 112
Travel 113
Reproduction 113
Destruction 113
Identification 113
Investigation Requirements 114
Processing Departing Employees 114
Information Asset Security 115
Determine Information Assets 116
Assign Ownership of Information Assets 116
Approve Use of Information Assets 117
Educate Employees on Their Responsibilities 117
Guarantee Effective Use of Controls 117
Conduct Self-Assessments to Ensure Compliance 118
Assess and Accept Risks 118
Respond Decisively to Exposures, Misuse, or Loss of Information Assets 119
Assign Custodial Authority and Responsibility 119
System Misuse 120
Summary — Information Protection 120
Government Regulations 121
7 Conducting an Assessment of the Security Organization 123
Reporting Structure 124
The Security Organization’s Structure 125
Mixed Security Forces 126
Separation of Duties 127
Other Issues 128
Security Skills 129
Evaluating the Security Officers 131
Evaluating the Shift Supervisors 132
Evaluating the CSO or Director of Security 132
Evaluating the Other Security Positions 135
Staffing Levels 136
Armed versus Unarmed Officers 138
8 Determining What Prevention, Crisis Management, and Recovery Programs Exist 141
Prevention and Recovery Programs 141
Business Intelligence Information 142
Crisis Management Planning 142
Corporate Reputation Crisis Plan 144
Corporate Investigations: Fraud, Financial, Criminal, Computer, and Network 145
Due Diligence Processes 145
Emergency Response Planning and Testing 145
Business Continuity and Disaster Recovery 151
Executive Protection Program 151
Internal Audit and Business Controls, Monitoring Programs, and Fraud and Integrity Programs 152
Pre-employment Screening and Drug Testing 152
Risk Assessment Process (Annually) 152
Security Systems and Procedures 152
Terrorism, Bioterrorism, and the DHS: Threat Advisory System Response 153
Workplace Violence Prevention Program 156
References 156
9 Interviewing Executive and Security Management 157
Interview Executive Management to Understand Their Concerns and Issues 157
The Approach 158
Interpreting the Interview Answers 160
The Importance of Listening 160
Where to Start the Process 162
Beginning the Interview 162
Educating the Executives and Ensuring Their Buy-In 163
Interview Security Management to Understand Their Concerns and Issues 164
10 Review and Evaluate All Security-Related Contracts and the Information Protection Program 167
Security Business Contracts 167
Contractual Right to Audit 169
Contract Bid Process 170
Auditing Security-Related Contracts 171
Reviewing the Information Protection Programs 171
After-Hours Checks 172
IT Information Protection 172
Disaster Recovery Program Review 173
Information Security Awareness Training 174
Investigation Requirements 175
Review of Exit Interview Process 176
Information Asset Security Review 177
11 Constructing the Security Master Plan Document 179
Compiling, Organizing, and Evaluating the Information Gathered 179
Developing Your Recommendations 180
Initial Draft Review with Security Management 181
Recommendation with Solutions 182
Developing and Refining Security Philosophies, Strategies, and Goals 183
Involving the Stakeholders 185
Documenting the Master Plan 185
Developing the Recommendations Presentation 186
Estimating Cost Impacts 189
Project Management Skills 190
12 Typical Contents of a Security Master Plan 191
Content Listing and Organization 191
Structural Focus 193
Purpose 193
Introduction 193
Executive Summary 194
Areas of Focus 196
Budgeting Focus 198
Establishing an ROI 199
13 Finalizing the Security Master Plan Process 201
The Recommendations Presentation 201
Where to Begin 202
Setting Your Goals 203
Asking the Tough Questions 204
Submitting the Finalized Security Master Plan 207
14 Utilizing Your Plan in Managing Your Business 209
Utilizing Your Plan for Periodic Quality Checks 209
It Is All about Timing 210
Keeping the Plan in Sync with the Business 213
Testing Your Plan against the Latest Technology 214
Benchmarking and Business Process (Matrix) Management 215
Benchmarking 215
Best of Breed 220
Business Process (Matrix) Management 221
Appendix A Workplace Violence Guidelines 225
Attachment A: Threats and Violent Acts against Employees and Property 229
Attachment B: Indicators of Dangerousness 243
Attachment C: Sample Workplace Violence Policy 247
Appendix B Executive and Employee Protection 249
Appendix C Security Assessment or Self-Assessment Document 257
Appendix D Risk/Security Management & Consulting 293
Attachment A: Principal Post Requirements 315
Attachment B: Standard Hours of Coverage 317
Attachment C: Bid Evaluation Form / Pricing 319
Attachment D: Post Order Requirements 321
Attachment E: Security Equipment 325
Appendix E Basic Physical Security Standards 327
Appendix F Sample Termination Checklist 333
Appendix G Crisis Management Emergency Planning Checklist 337
Index 343