The security director looks at system design as a process. For the implementation to be relevant and effective, it must address the needs of the organization and be tempered with a complete understanding of constraints. The needs are identified by determining
- the assets at risk, including people, processes, property (intellectual and physical), production and infrastructure (power, environmental conditioning, voice/data communications);
- the threats to those assets (theft, vandalism, sabotage, terrorism);
- the likelihood that the threats will occur; and
- the effects on the organization if the threats do occur.
The constraints to an organization’s security program come in many flavors. They may be organizational, operational or cultural. They may have to do with equipment compatibility or commonality, public perception, codes, standards, or available funding.
Only when we understand the security needs thoroughly can we reach into the security manager’s toolbox and apply the most appropriate solutions to deter, detect, deny access to and apprehend perpetrators. Traditionally, the security director has relied on this basic model to determine the best solutions for a given site, but the model is now evolving.
The New Business View
Businesses now ask that security managers no longer consider security as the main objective, but instead design their programs with a business-centric mind-set. Today’s senior management is less interested in protecting the building, its structure and its physical and human component, than with protecting the business—the organizational entity without which the physical components have little meaning. The security department’s goals must now be aligned with the objectives and mission of the business; security’s vision must match the corporate vision. In this new world, security becomes risk management, whose reason for being is to ensure business continuity through contingency planning and crisis management.
The security practitioner’s toolbox has not changed—access control and video systems, security operations and investigations remain as valuable as they were. It is the rationale and justification for their application and implementation that is evolving. To put the change of mind-set into perspective, consider a company with corporate headquarters in an urban high-rise and a manufacturing facility in a rural campus that takes advantage of less expensive labor. Traditional security thinking regards the corporate HQ, with its mahogany-row executives, high-level support functions and corporate art as the highest-value asset. However, in true business terms, it is the manufacturing facility that creates the cash flow and corporate wealth. Many corporations now give priority to the protection of the manufacturing facility, and plans and procedures to quickly implement production at alternate facilities in the event of a disaster are at the top of the list.
One of the catalysts that has triggered this change in thinking is the globalization of corporations. However, when we start to look at one of the major security system solutions, access control, we see that many of the operational, design and implementation elements also need to be rethought.
Operational and Design Considerations
Access control systems support operations over a number of areas, including cardholder record design, photo ID badge design, data entry, database management, definition of security zones and alarm descriptions, alarm monitoring and alarm response. The development of corporate-wide standards for these areas is relatively easy for organizations spread only within the borders of a single country, but when there are multiple languages, customs, and even different legal ramifications of the manipulation of personnel data, the task becomes more complex.
Most large access control system manufacturers have addressed the language issue in their systems by creating alternate dictionaries for all of the standard words used by the system in its pull-down menus and dialog boxes. In some cases the language choice is set up to be selected automatically based on the operator’s sign-in password.
The area where language becomes more complex is in the user-definable words, phrases and sentences that are selected for the names of alarm zones, time zones, groups, and security offices’ response instructions. Even between countries with the same language, there may be inconsistencies. For instance, in the U.K., “first floor” refers to the floor above the ground floor, and in the U.S., the first floor is the ground floor.
If alarms are to be monitored locally during part of the day or week but at a central location at other times, a common vocabulary must be developed to ensure that all operators understand the meanings of commonly used terms. Again, even with a common language this can be problematic. For example, all local building users may understand that the north door is the main entrance and the south door is a restricted area of entry, but an operator who has never seen the facility may not appreciate the significance of a south door alarm. Graphic maps with well designed icons may be a better alarm display medium in such cases than simple text warnings.
Photo ID badge use is often an issue of corporate culture, but multi-nationally, the content of the badge may be more contentious. In some places, local customs do not favor the display of photographs, the selection of identification numbers or the use of signature panels.
This same concern extends to the selection of the data fields to be included in cardholder records. Many cultures and local laws restrict the use of data they may consider private. An access control system with a global cardholder database needs to use a single record format for all countries covered by the system. Carefully research all cultural customs and requirements before you finalize the format to ensure that no faux pas requires reformatting at a later date.
It should also be noted that when you combine the data from multiple stand-alone systems of the same model into a global system, you may need to use a data conversion program to ensure that all the fields in the cardholder records are in the same order and have the same character length.
The selection of a new access control system suitable for a global environment requires the consideration of some additional criteria. However reliable, all components and systems have failures, and good-quality maintenance capabilities and repair facilities are essential to minimizing down time. Each location at which the system is to be deployed should have a relationship with a factory-trained dealer with rapid access to spare parts.
It is worth considering a system whose manufacturer certifies its dealers at different levels of support. If you are implementing a network-based solution, the installer or integrator should have certified network technicians on their staff. Also determine if the system manufacturer has direct representation in each country and if component import agreements are in place and tested. You do not want your card readers to be held indefinitely in a customs shed while you are trying to secure a facility.
Installation quality and practices vary tremendously across the globe, so before you choose installers you should develop design criteria and installation standards. It may be acceptable to build a small stand-alone system by handing to a local, known contractor a single sheet with a scope of work and a second with a facility sketch showing device locations. However, where portions of the system are being installed in multiple facilities by different contractors, and those systems all need to talk to each other, quality documentation and a knowledge of the purchasing methodologies of each location are essential to a successful project.
Information Technology Involvement
One of the constants in the implementation of global security systems is that some form of data network will be required to allow the components to talk to each other and to share information. The IT department controls the network, and they jealously guard their data resources, as well they should—IT’s role is to input, manipulate, store, and transmit corporate data as accurately, quickly, securely, and cost effectively as possible. Business relies on data to make business decisions, and the larger the business, the more reliance there is on data. The heavier the reliance on data, the higher its value as an asset and the greater its importance as a business tool.
Since IT controls the data transmission medium and is responsible for its reliability, they can also dictate what equipment can be connected to the network, what volume of data needs to be transmitted, and what controls are in place to ensure the security of both that application and the rest of the data processing system. Many IT departments specify the physical and performance standards for hardware and peripherals that connect to their networks, and they may require that they test and certify any new device type, such as an IP-addressable access control field panel. This may extend to version control for standard operating system software, communications protocols and computer system security software.
In some cases, IT may have negotiated purchase agreements with hardware and software providers, and the security contractor installing an access control application may be allowed to do so only under the vigilance of IT personnel and on systems that IT has provided. Some IT departments are considering using their help desk as the first port of call for physical access control problems, such as lost credentials or inoperable readers.
Thus the developer of the global access control system should coordinate all design activity, standards development, procurement plans, and implementation strategies with the IT department. And, just as in a foreign country, it is imperative for good communication that you can speak their language.
David G. Aggleton, CPP, is president and principal consultant at Aggleton & Associates, the New York City-based security consulting firm. Mr. Aggleton has been in the security industry since 1978 and has been a security systems consultant since 1985. He has taught the principals of the security technology design process at ASIS workshops, at ASIS, IFMA, and other industry conferences, and at John Jay College of Criminal Justice. Mr. Aggleton is immediate past president of the International Association of Professional Security Consultants and a member (past Chair) of the ASIS Standing Council on Security Architecture & Engineering.