A robust security policy must address issues related to its members as well as the constraints imposed on its adversaries through a combination of physical and procedural security. It is a high-level specification of the security properties that a given system should possess, a means for designers and implementers to communicate with each other, and a blueprint that drives the security message throughout an organisation. The security policy sits at the top of the process of securing an organisation.
The “procedures” document the processes necessary to achieve and maintain the required level of security, such as access control structures and CCTV policies. The “mechanisms” are the hardware devices that enable the procedures and policies to be enforced.
The security policy is a set of high-level documents that state precisely what goals the procedures and mechanisms are to achieve. It is driven by an in-depth understanding of the threats and risks to an organisation.
During the compilation of a security policy it is essential to consider the wide-ranging threats and risks to the facility. This process should establish a list of vulnerabilities that have the potential for damage to or loss of an asset, or severe disruption to operations. Each vulnerability must be assessed and rated for likelihood and impact.
- Counterfeiting / fraud
- IT security
- Proprietary information
- Business continuity planning
- Cash handling
- Fire risk assessment
- Health & safety risk assessment
- Physical Damage: fire, water, pollution, major accident, destruction of equipment or media, etc.
- Natural Events: climatic, seismic, volcanic, meteorological phenomena, etc.
- Loss of Essential Services: failure of air conditioning, water, power supply, telecommunications
- Disturbance due to Radiation: electromagnetic, thermal radiation, electromagnetic pulses, etc.
- Compromise of Information: theft of media, documents, equipment, tampering, etc.
- Technical Failure: equipment failure, malfunction, breach of IS maintainability, etc.
- Unauthorised Actions: use of equipment, illegal processing of data, data corruption, etc.
- Compromise of Functions: error in use, abuse of rights, denial of action, etc.
- Hacker, Cracker: hacking, social engineering, system intrusion, unauthorised access, etc.
- Computer Crime: fraudulent act, information bribery, spoofing, etc.
- Terrorism: bombs, terrorists, information warfare, system attack, etc.
- Industrial Espionage: competitor, economic advantage, information theft, etc.
- Insiders: assault, blackmail, computer abuse, system sabotage, etc.
The process also establishes which assets and people are at risk.
- Employees, Contractors and Visitors – loss of life or injury.
- Physical structure of building – cost of damage or consequential loss.
- Company property – theft or damage and cost of loss.
- Staff property – theft or damage and cost of loss.
- Visitor property – theft or damage.
- Morale of staff.
- Adverse publicity and image.
The location of the building carries inherent risks that need to be considered: the proximity of top-tier Control of Major Accident Hazard (COMAH) sites must be assessed, along with the more local risks.
An assessment of the local crime, a review of past incidents, direct observation and documentation examination, along with interviews with management, employees and the security personnel, provide the basis of an exercise that will indicate the potential vulnerability to a number of threats, such as Fraud & Theft, Abuse of Rights, Assault on Employees and Information Theft.
With the risks identified and quantified, a security strategy can be developed to establish the policies and procedures necessary to mitigate the risks.
By adopting a philosophy of demarcation, deterrence, detection, delay and determination, this strategy can establish a series of security tiers that provide a structured, layered approach to protecting the people, property and information of the facility. For example:
- Tier 0 – Uncontrolled Domain.
- Tier 1 – Public areas with hostile vehicle mitigation.
- Tier 2 – Public areas for pedestrians with facility business.
- Tier 3 – Facility pedestrian access and vehicle parking.
- Tier 4 – Facility controlled domain.
- Tier 5 – Facility communications rooms.
These tiers allow proportional and appropriate technology to be deployed to demarcate, deter, detect and delay miscreant activity.