Developing and Modifying Security Design

Developing and Modifying Security Design

1. General.

A. Planning for security should be an integral part of any function or project undertaken within a company. The most efficient and cost-effective method of instituting security measures into any facility or operation is through advance planning and continuous monitoring throughout the project or program. Selecting, constructing, or modifying a facility without considering the security implications of employee safety and assets protection can result in costly modifications and lost time.

B. Physical security programs should be administered within each region, center, and field activity based on the policy and the guidance set forth in a detailed security plan, to ensure the protection of personnel, visitors and assets. These programs should be continually and effectively administered by the appropriate organizational security officer and monitored to ensure their integrity. At a minimum, a physical security program should include:

(1) A physical security survey of each facility occupied to determine the security level of the facility and to determine the minimum-security safeguards required for protecting personnel and assets;

(2) An initial physical security survey prior to constructing, leasing, acquiring, modifying, or occupying a facility or area to determine the minimum-security safeguards is required to protect personnel and assets. A follow-up physical security survey must be done before acceptance of the property or occupancy of the facilities to ensure the completion of required modifications and security upgrades;

(3) Periodic reassessments of facilities to ascertain whether a security program meets pertinent company and facility standards or regulations;

(4) A comprehensive and continuing awareness and education effort to gain the interest and support of employees, contractors, consultants, and visitors; and

(5) Procedures for taking immediate, positive, and orderly action to safeguard life and property during an emergency.

The Rehabilitation Act of 1973, as amended, and the Architectural Barriers Act of 1968, as amended, require agencies to ensure accessibility and safety for employees, applicants, and members of the public with disabilities who are in facilities. The company security plan must ensure that accessibility and safety issues regarding people with disabilities are addressed in all relevant aspects of the establishment of appropriate physical security measures to protect personnel, real and personal property, and information. A key element to the success of this will be ensuring that security and facility officials are familiar with the legal requirements to meet the needs of people with disabilities while also maintaining physical security.

2. Facility Protection.

A. The extent of facility protection is determined by the senior official or manager of the activity based on the results of a comprehensive physical security survey of the facility.

(1) Perimeter protection is the first line of defense in providing physical security for personnel, property, and information at a facility.

(2) The second line of defense is interior controls. The extent of interior controls will be determined by considering the monetary value and criticality of the items and areas to be protected, the vulnerability of the facility, and the cost of the controls necessary to reduce that vulnerability.

(3) The cost of security controls normally should not exceed the monetary value of the item or areas to be protected, unless necessitated by criticality or national security.

3. Planning Facility Protection.

A. The objective of planning facility protection is to ensure both the integrity of operations and the security of assets. Planning for security must be an integral part of selecting, constructing, reconfiguring, or moving into a new facility.

B. The modification of a facility or addition of security measures after occupying a facility can be costly and impractical. Therefore, the responsible security officer and the facility management personnel need to coordinate closely, from the outset, on any addition, alteration, or new construction. The coordination should begin with the designers and architects and continue through the contracting process and actual construction and installation.

C. Many company offices occupy space in commercial buildings where a building manager executes the lease on behalf of the tenants. In leased office space, physical security may not be as easily controlled or be controlled to the same extent as in a facility where the company owns the facility. The tenants must rely on building manager to provide protection for the building, and it is therefore imperative that the security officer of the activity establishes a working relationship with the appropriate building officials to maintain an active role in the security decisions and processes that will affect the facility.

4. Facility Protection in Owned or Leased Facilities.

For buildings or grounds owned or leased by a company to include leased space from other companies, the senior official having jurisdiction of the real property is responsible for determining the degree of protection to be provided the space. The level of protection shall be based on a physical security survey of each facility conducted by the Security Manager using the guidelines and requirements cited in the security plan to evaluate the security of that facility on a case-by-case basis considering the facility’s location, size and configuration, number of occupants, mission, extent of exterior lighting, presence of physical barriers, and other factors as may be deemed pertinent.

5. Facility Protection in Space Assigned Facilities.

For building and grounds which has space assignment responsibility, the company is responsible for furnishing normal protection not less than the degree of protection provided by commercial building operators of similar space for normal risk occupants, as determined by a physical security survey. This protection may include guards, access control, intrusion detection (alarms), closed circuit television surveillance (CCTV), inspection of packages, etc., when the survey determines the control is warranted for general occupancy and not necessitated by special activities or specific agencies. Special protection required due to the nature of the business conducted within the space or unusual public reaction to an agency’s program and missions, whether or not of a continuing nature, is determined jointly by the security provider and the occupant agency or agencies and is provided on a reimbursable basis.

A. Protection Criteria. The security consultant determines the level of normal protective service on a case-by-case basis and normally considers the facility’s location, size and configuration, the occupant agency’s mission, history of criminal or disruptive incidents in the surrounding neighborhood, extent of exterior lighting, presence of physical barriers, and other factors as may be deemed pertinent.

B. Physical Protection. The security plan should provide normal and special protection through mobile patrol or fixed posts manned by uniformed personnel, security systems and devices, locking building entrances and gates during other than normal hours of occupancy, cooperation of local law enforcement agencies, or any combination thereof depending upon the facility and the degree of risk involved. The degree of normal and special protection is determined by completion of a physical security survey and/or crime prevention assessment.

C. Crime prevention. The security contingent collects and disseminates information about criminal activity on or against property under its’ charge and control, provides crime prevention information programs to occupant and agencies upon request, and conducts crime prevention assessments in cooperation with occupant agencies.

6. Facility Protection in Facilities with Delegations of Authority.

In facilities where the company has delegated protection authority to the agency or prime tenant, some of the protection responsibilities are transferred to the agency, including procurement, installation, maintenance of physical security equipment and systems, and procurement and management of any guard contracts. Normally, the company will retain responsibility for physical security surveys, mobile patrols, monitoring of alarms, response to incidents, and requests for criminal investigations.

7. Design Factors.

It is imperative that security systems and procedures are considered from the design phase on, so that conduit runs and alarm wiring, heavy-duty materials, reinforcing devices and other necessary construction requirements are provided in the original plans.

A. Facility and Building Location.

(1) Determine the minimum-security safeguards as delineated by the Facility Security Standards, and incorporate them in your facility planning. Start by determining the security level of the facility, whether it is open to the public and the time it will take for enforcement response to incidents.

(2) Check geographical factors carefully. Avoid locating facilities near high crime, high traffic, or industrial areas. Take into account approach routes, traffic patterns, and nearby transportation.

(3) At a facility site, the number of separate buildings should be kept to a minimum, and they should be grouped close together.

B. Configuration of Space.

(1) Entrances. Facility or office entrances should be kept to a minimum commensurate with fire safety, to control access or prevent crime. Although convenience of employee access, parking, and deliveries must be considered, one entrance with multiple interior routes is preferable to several outside entrances. Entrances should be planned with guard posts and access control systems and procedures in mind. Reception desks, barriers, and other controls should be planned from the start. Accessibility of entrances for individuals with disabilities must also be considered and planned from the start.

(2) Access Controls. Plan for locking devices or controls at perimeter and interior doors. Provide for effective key control. Plan for protective, cleaning, and maintenance forces, and determine hours, locations, and levels of access for such personnel.

(3) Location of Offices and Facilities. Locate offices or other facilities in close proximity and on the same or successive floors. Try to locate sensitive operations such as credit unions or imp rest funds on upper or lower floors and away from entrances.

C. Safety and Fire Protection. Safety and fire protection requirements must be incorporated in any construction plans. With proper coordination, safety requirements can be achieved. Contact the Local Fire Marshal regarding National Fire Prevention Administration (NFPA) and local code requirements and construction standards.

D. Utilities. Utility systems should be protected against unauthorized access. Plan for protection of telephone and electrical closets and conduit runs, heating and cooling systems, water supplies, and boilers and generators.

E. Special Activities. Special emphasis should be placed on security systems and safeguards when constructing or modifying special or sensitive activities such as imp rest funds, computer facilities, equipment storage or shipping and receiving areas, classified work areas and mailrooms, and special-use areas such as warehouses or hazardous material storage areas.

F. Contingency Plans. A contingency plan must be developed for each delegated facility to protect personnel and property in the event of emergencies such as fire; bomb threats; civil disturbances; natural disasters; and chemical, biological, or radiological events. The Designated Official is responsible for developing, implementing, and maintaining an Occupant Emergency Plan.

8. Surveys and Inspections.

A physical security survey is an in-depth analysis to determine the extent of security measures, which will be needed for protecting personnel, property, and information. An inspection is a check or test against a certain set of standards or regulations to ascertain whether a security program or facility meets those standards or regulations. It is used to evaluate the implementation of regulations, the security awareness of employees, security administration, and existing internal management controls. The security officer to carry out his/her oversight responsibilities should use it as a tool.

A. Surveys.

(1) Purpose. The senior facility manager to determine the type and extent of security controls for the facility or areas will use the survey. Each type of physical security survey will include the determination of the security level and a security evaluation (threat assessment), which addresses the criticality of operations, the vulnerability of the facility or area, and the probability of compromise of the personnel or property contained therein. Facility Security Standards provides the criteria for determining what security level a facility is of the possible four (4) security levels. The security standards also provide a chart delineating the recommended minimum-security standards applicable to each of the four security levels addressing facility criticality, vulnerabilities, and risk of security penetrations. In those cases where the contractor does not provide a physical security survey, the security consultant and a facility manager should conduct a survey of the facility.

(2) Recommendations. The security consultant should work with the facility manager in developing a security plan for resolving any recommendations resulting from the surveys and inspections.

(3) Criticality, Vulnerability, and Probability/Risk. No survey is considered complete until all three of the factors below have been given full consideration and weight.

(a) Criticality. Criticality is the effect that partial or total loss of the facility or area would have on the facility’s mission. The adversity of the effect is directly related to the criticality factor.

Examples of adverse effects include the interruption of a vital function, disruption of the continuity of operations, or the compromise of security information. A higher classification level of information handled or stored in a facility or area will increase the criticality.

(b) Vulnerability. Vulnerability of the facility or area is the susceptibility of a facility or area to damage or destruction or the possible theft or loss of property. Factors used to determine vulnerability include the size, configuration, and location of the facility or area, the local crime rate, and the proximity of law enforcement, and emergency response services.

(c) Probability/Risk. Probability deals with an assessment of the chances or risk that certain events could or might occur, such as a penetration of the perimeter, compromise of a system, or the occurrence of a variety of unauthorized activities.

(4) Type of Surveys.

(a) Initial Survey. The initial physical security survey is conducted prior to constructing, leasing, acquiring, modifying, or occupying a facility or area. It describes any modification required to raise the level of security commensurate with the levels of criticality and vulnerability. At a minimum, the initial survey must address the minimum-security requirements delineated in the Facilities Security Standards.

(b) Follow-up Survey. When recommendations are made in the initial physical security survey, a follow-up survey is conducted to ensure the completion of modifications. This survey should be conducted before acceptance of the property or occupancy.

(c) Supplemental Survey. The supplemental survey is conducted when changes in the organization, mission, facility, or the threat level of the facility alter or affect the security posture of the facility or area. This survey is conducted at the discretion of either the facility manager or the security manager. The Security Manager may require that facilities undergo a supplemental survey when there is a change of the overall threat level to all Survey facilities, such as the terrorist acts of September 11, 2001.

(d) Special Survey. The special survey is conducted to examine or resolve a specific issue, such as when there is a request for a Sensitive Compartmented Information (SCI) accredited facility or there is a need to investigate or assess damage resulting from an incident.

(5) Conducting Surveys.

Normally for owned, leased, and delegated facilities, the company will conduct surveys, and it will not be necessary for the security officer of the facility to conduct a physical security survey. For owned and leased facilities to include leased space from other companies, the manager of the facility must conduct the physical security survey. When necessary, the consultant actually conducting a survey should start by obtaining a layout of the facility, which depicts areas within the facility, access points, parking lots, warehouses, and any adjacent areas belonging to the facility. The consultant should interview program management officials to determine the mission and nature of operations, classification or sensitivity level of information, and value of assets. The consultant should also obtain the following:

(a) The facility’s address, number of buildings and square footage, tenant organizations, approximates population, and names of key management officials;

(b) A description of features of the facility and conditions that produce vulnerabilities. Document the physical configuration of the office or facility for classified information storage areas;

(c) The law enforcement agency, fire department, and other organizations responsible for emergency response. Include the security force company or agency, and its response time;

(d) Type of construction of buildings at the facility;

(e) The determined value of monies or sensitive or unique equipment, the highest classification level of information, or the number and types of weapons;

(f) Description of access controls, alarms, guard services, and security containers; and

(g) Recommendations for improving security and pertinent implementing instructions, which include the required minimum-security standards as delineated by the Facility Security Standards.

(6) Survey Report. Survey reports are provided to the Designated Official. A written survey report should be generated that is thorough and precise. It should contain supporting exhibits such as floor plans and specifications. The survey report should be submitted to the facility or office manager for review, and the consultant should maintain a copy.

B. Inspections.

(1) Purpose. Inspections, which may be announced or unannounced, are usually conducted to determine the extent of compliance with security regulations or procedures, including those recommended during surveys. The security officer shall inspect facilities and programs under the security officer’s cognizance as often as necessary to ensure compliance with the provisions of the applicable Standard Operations Procedure. The inspections should result in written inspection reports.

(2) Checklists.

(a) The Physical Security Program Checklist, (PSPC) can be used by a security officer to inspect the physical security of a facility.

(b) The PSPC requires the Security Officer to conduct a self-inspection program for the evaluation of all security procedures applicable to their operation for the protection of information. In order to assist the self-inspector in assessing the security posture of his/her facility, a Security Inspection Check List should be contained as Appendix B to the Security Post Orders.

(3) Recommendations. The security officer should assist the facility or office manager in resolving any discrepancies or implementing any recommendations.

(4) Types of Inspections.

(a) Evaluation. The evaluative or fact-finding inspection is generally positive in tone and promotes liaison and security awareness while taking a broad, general look at a facility or program. Deficiencies, which may be resolved either on the spot or within a non-specified time frame, may be noted and recommendations for further corrective actions may be made. The evaluative inspection can also help management officials in planning or upgrading their security programs.

(b) Compliance. The full compliance inspection generally is conducted for enforcement purposes. It focuses on compliance with established standards or regulations.

(c) Follow-up. Another form of compliance inspection is the follow-up inspection, conducted to ensure that facility officials have complied with recommendations from earlier inspections.

(d) After-hours Room Check. The after-hours room check is a form of compliance inspection. It monitors compliance with security regulations, especially involving areas where sensitive security information is processed or stored.

(e) Self-inspection. The security officer or facility manager to evaluate his/her own security program initiates the self-inspection. Additionally, self-inspections are required by each Security Officer to evaluate all security procedures applicable to their operation using the self-inspection checklist contained in Appendix B of the Post Orders. The initiator determines the scope and purpose of the self-inspection for an office, building, or other facility.

(f) Closeout. A closeout self-inspection is accomplished immediately prior to the action to administratively terminate a Sensitive Compartmented Information Facility (SCIF). During closeout inspections, all areas and containers authorized for the storage of classified material are checked to ensure all classified material has been removed.

(5) Frequency of Inspections. The frequency of inspections will be based on the criticality and vulnerability of the facility or the level of classification or value of information handled or stored at a facility. Following are the established standards:

(a) Each Document Custodian, and Security Officer is required to conduct an annual self-inspection program utilizing the Security Inspection Check List in Appendix B of the Post Orders.

(b) The Facility Manager coordinates a schedule of periodic inspections of compliance with the Security Manager. A review of the completed annual self-inspection checklist serves as the basis for these inspections. The Security Manager coordinates a schedule of periodic inspections of the Security Officers and the security program.

(c) In conjunction with periodic field assistance visits, the Security Manager conducts inspections of the facilities and the accountability and control of company and departmental identification cards, badges, and smart cards.

(6) Conducting Inspections.

(a) Plan an inspection by determining the scope, type, and method. Schedule the inspection, and if appropriate, provide written notice. The notice should provide the date(s), purpose, proposed interview schedule, and request for any information needed by the security officer. Review past inspection reports and prepare a list of questions or a checklist to structure the inspection.

(b) Upon arrival at the site and prior to departure, the inspector should meet with the senior manager to discuss the inspection. Collect a sufficient sampling of data from interviews with on-site employees and contractors and from touring the facility. Obtain information to support findings in the inspection report. Report favorable findings as well as deficiencies. Check awareness and adherence to local security procedures. Document any discrepancies corrected on the spot.

(c) After sufficient data is collected, the inspector should analyze all findings, compare them with applicable security regulations, list discrepancies and cite regulatory references, recommend corrective action, and write the inspection report.

(d) The inspection report should be produced within 10 working days of completion of the inspection. The report should be distributed to the office, facility, or regional manager in a timely manner and require a response to any recommendations. Copies of final inspection reports shall be provided to the Security Management Office.

9. Awareness and Education.

A security program is most effective when employees practice security daily. That sort of interest and support can be gained through an effective security awareness and education program that encompasses all aspects of security. The security manager is responsible for carrying out and administering a comprehensive, on-going security awareness and education program for all employees in his/her respective activity.

A. Awareness and Educations Plans. The security manager must plan an effective program of instruction and efficient use of training material provided for specific training purposes. The security manager may also tailor presentations to the organization and solicit other security professionals to speak on their areas of responsibility, training, and experience. For example, a local police representative could address crime prevention and will provide on-site crime-prevention seminars.

B. Briefings.

(1) Initial Orientation Briefings.

(a) Simply providing printed security regulations is not an effective way to promote complete understanding of security responsibilities. A verbal orientation briefing, supplemented with audio-visuals and handouts, is more effective. Where possible, it should be presented personally. Where this is not practical, it may be presented in the form of videotape or other recording.

(b) The initial orientation, whether written or verbal, should address general physical security principles, including common security hazards, building security and crime prevention, key system or site-specific access controls, vehicle control, and property accountability or package inspection programs. It should also address implementation of regulations relating to the handling and safeguarding of security information, including reporting requirements and nondisclosure provisions.

(c) Crime Prevention. A well-rounded security awareness and education program includes information on crime prevention. Encourage employees to minimize opportunities for crime by knowing the signs of unauthorized activity; practicing good office security; and reporting unauthorized activity, security deficiencies, violations, and safety hazards.

10. Incident Reporting.

An incident reporting program is an essential element in any security program. The timely reporting of thefts, losses, or damage of property and the tampering or unauthorized disclosure of information is important. A timely report increases the possibility of recovering the property, minimizing damage, and apprehending the perpetuator. Any employee who discovers, witnesses, or has knowledge of a criminal, dangerous, or unauthorized practice or condition, or a violation of security regulations shall immediately report the matter to the appropriate authorities.

A. Reporting Serious Incidents, Unusual Events, and Emergencies. The senior official at a facility is responsible for reporting serious incidents, unusual events, or emergency conditions that affect the operations to his/her Director for their appropriate action.

(1) Security Management Office. The Regional Director or his/her designee must report the following information to the USGS Security Management Office for further reporting to the DOI Watch Office:

(a) Homeland Security and Facility Infrastructure Protection.

o Threats, attempted sabotage or terrorist activity directed against facilities.

o Threats, attempted sabotage or terrorist activity directed against mineral, oil, natural gas or electrical grid on lands.

o Information regarding threatened or actual demonstrations that may impact upon mission-essential facilities, critical infrastructure, or national monuments.

o Threats or damage from natural disasters or technological emergencies impacting mission-essential facilities or critical infrastructure.

(b) Other.

o Incidents resulting in property damage exceeding $10,000.

o Incidents with potential to result in media interest.

o Serious incidents involving employees on official duty, including incidents attracting media or diplomatic attention.

o Other incidents that warrant attention by the Office of the Secretary.

(2) Emergency Coordinator. The Security Director or his/her designee must report the following information:

(a) Deaths, Injuries, and Accidents.

o Fatalities on company properties, excluding natural causes.

o Employee fatalities, while on duty.

o Life-threatening injury to employee, while in performance of their duties.

o Serious injury to multiple employees or visitors.

(b) Disaster and Emergency Incidents Response.

o Natural disasters affecting lands or facilities that cause injury, significant damage, impact visitor use, or degrade the ability to provide vital services.

o Serious incidents such as major structural fires, structural failures, or other emergency events affecting facilities that cause injury, significant damage, impact visitor use, or degrade the ability to provide vital services.

o Warnings of natural disasters or other serious emergencies that threaten facilities or infrastructure, and preparedness measures taken in response to such threats.

o Information on events monitored by Departmental of Homeland Security or the Watch Office that may impact on adjacent areas.

o Emergency preparedness and response activities involving bomb and other threats.

o Warnings, alerts or advisories related to emergency conditions issued to the public by various government bureaus and offices, including dam failures, flood, earthquake and volcanoes.

o Major search and rescue activities involving large numbers of personnel or coordination of interagency resources.

(c) Fires.

o Take the actions necessary to mitigate the potential damages caused by fire (i.e., notifying the fire department, directing the responding units to the site of the fire, assisting in maintaining control of the perimeter).

o Security officers shall alert the Watch Office to major incidents, which cause injury, significant damage, or impact visitor use.)

B. Reporting Incidents to Law Enforcement Agencies.

(1) Security procedures require that cases of theft, unauthorized use, or vandalism of company property be reported to the Security Manager. He/She will decide whether to report the incident to local or State law enforcement authority where appropriate. Additionally, all thefts and vandalism of property must be recorded in the appropriate security logs. In cases where the value of the property stolen or missing is valued at less than $100, the report will be placed in the administrative files for analysis but normally no investigation will be conducted, except as directed by the security manager.

(2) Standard Operations Procedures (SOP) requires the prompt reporting of all crimes and suspicious circumstances occurring on controlled property to the Security Manager. An Offense/Incident Report is the standard reporting form. The security officer in reporting the incident must use this form. The form requests information such as date; time and location of incident; details regarding lost, stolen, or damaged items; nature of the incident; and any suspects involved. Supplies of the form can be obtained from the Security Manager or the Building Manager.

C. Administrative Reporting. The incident reporting requirements stated herein are not a substitute for nor do they eliminate the need for compliance with any additional reporting requirements prescribed or pertaining to motor vehicle incidents and to the loss, damage, and mishandling of company property.

11. Emergency Planning and Evacuation.

A. Occupant Emergency Plan (OEP). In accordance with “Occupant Emergency Program,” immediate, positive, and orderly action must be taken to safeguard life and property in company facilities during emergencies. Examples of emergency situations are bomb threats; civil disorders; fires; explosions; chemical, biological, or radiological events; natural disasters; direct threat to a major computer facility; and immediate threat of compromise of classified information. These situations require the development of an emergency evacuation plan for each affected facility. Each security officer should cooperate with and assist the Designated Official or safety personnel responsible for developing the OEP.

(1) Emergency procedures are normally provided by the Building Manager with input from officials of the security detail.

(2) The senior facility manager shall coordinate the development of the OEP in consultation with the servicing safety officer and building management officials.

(a) Managed Space. In space owned or managed, offices and facilities will rely on issued guidance and protective measures to implement the Homeland Security Administration (HSAS) issued guidance and protective measures. Guidance issued by Security Manager will be the minimum measures to be taken at each Threat Condition. Principal managers may develop additional measures, as they deem appropriate. Principal managers are responsible for establishing a notification system to ensure that appropriate personnel are notified of changes in protective measures and of threat information affecting the office/facility. Additionally, the principal manager is also responsible for developing means of informing employees about their responsibilities under different threat levels and protective measures.

(b) The Security Manager will notify Security Officers who are responsible for notifying the principal building manager of the owned or leased facility. Principal managers are responsible for establishing a notification system to ensure that appropriate personnel are notified of changes in protective measures and of threat information affecting the office/facility. Additionally, the principal manager is also responsible for developing means of informing employees about their responsibilities under different threat levels and protective measures.

The Security Management System operates the following key functions and processes:
Safeguards and Security Training and Qualification, Protection Program Planning, and Self-Assessment Programs.

The Training and Qualification Programs, should include individual development plans for each staff member, to ensure that staff is qualified to perform assigned duties and responsibilities in support of the applicable program requirements. The individual development plans provide a means to ensure the continued growth and development of each staff member.

The activities of the Assessment Program must include conducting scheduled reviews of all topical areas using the Inspection Standards and Criteria, and for Safeguards and Security Orders and Standards and Criteria are utilized to ensure compliance with each of the program requirements. Performance objectives and indicators may be included as areas for assessment. Assessments also identify areas for potential process improvement to ensure the continual growth resulting in improved operations and processes.