Security practitioners often talk about their most challenging project in terms of the number of facilities and their geographical distribution. The challenges associated with a classic enterprise class design and implementation project, however, often pale in comparison to the challenges facing a university security director whose charge is to secure a small city.
The typical university campus setting includes:
• A population of tens of thousands.
• An average resident age of just slightly above that required for legal access to alcoholic beverages.
• A raft of high-profile research activities that certain segments of the population at large find offensive. These activities could range from live animal testing to bio-security research programs.
• A high-profile athletic program.
• Concentrated student housing facilities sometimes distributed within the surrounding community.
• A mandate to maintain an open and unrestrictive environment to promote independent thinking and academic creativity.
• A study-abroad program that puts students at locations around the globe.
Central to a university security program is the accountability provided by the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act. This legislation was signed into law in 1990 under the Crime Awareness and Campus Security Act of 1990. Under the provisions of this Act, universities are required to publish an annual report containing three years worth of campus crime statistics. While the Act specifically requires distribution of this report to all students and employees, organizations like Security on Campus (www.securityoncampus.org) collect and make available to the general public the data from these reports from universities and colleges across the county.
With even the public safety department subject to this final exam, campus security programs must be comprehensive and robust. While the development, dissemination and enforcement of various security-related policies are essential to a secure campus environment, technology plays a key role in not only monitoring campus activities but also aiding in the response to an incident.
Mass Notification Technology
One particular piece of technology that has received reactive interest on university campuses is mass notification. Before the Virginia Tech tragedy of April 2007, many universities had some form of mass notification system in place; however, that incident prompted a renewed interest in enhancing the coverage of such systems. What has resulted is a combination of approaches to increase the likelihood that every member of the campus community is notified by at least one method, which include:
• Broadcast loud speakers: This option is an extension of the emergency duress telephone stations that have become an industry best practice in parking lots and institutional campuses.
• Cell phones: Systems are readily available that will call any number of cell phones in a targeted group with a prepared message.
• SMS messaging: Similar to the cell phone option, systems can send SMS (text) messages to any number of cell phones in a targeted group. As above, the likely degree of success of this approach is dependent on the capacity of the local cell equipment.
• Cell broadcasting: A relatively new technology is available which uses the existing cell phone network to deliver geographically targeted messages to cell phone users while avoiding the channel clogging limitations associated with voice and SMS messages.
• Desktop pop-ups: Certain services offer content delivery to desktops in the form of pop-ups.
• E-mail/Faxes: Almost all providers of emergency communication services include e-mail and fax notification in their offerings.
Technology to Fight Crime
While communication methods in the midst of a crisis are an important tool, the university community has also focused on elements that will reduce the likelihood of the complete spectrum of criminal events. For example, lighting is widely recognized in the security industry as the one of the most cost-effective security expenditures. Organizations like the International Association of Campus Law Enforcement Administrators (IACLEA) have promulgated standards specifically addressing lighting standards for the university environment. The IACLEA guidelines generate much discussion since they call for lighting levels above those recommended by the Illumination Engineering Society of North America (IESNA); however, their error, in the view of the IACLEA, if any, is on the side of safety. In addition to these organizational standards, individual universities often publish own standards, many of which are available on the Web.
Universities have also strongly embraced implementation of campus-wide facility access control and CCTV systems. Access control systems have been common at the entrances to selected campus facilities such as dormitories for some time. It is now common for card access to be implemented at the individual dorm rooms, in part due to the reduced infrastructure implementation costs associated with wireless door control units. This trend is likely to continue especially as the IP-addressable door control units mature and are interconnected with the campus security management system through a secure wireless network.
Security Management Systems
University security management system implementation planning activities, on the other hand, have encountered some of the same challenges faced by their corporate counterparts — a large number of ubiquitous buildings with varying risk profiles and operational characteristics.
For example, contrast a student dorm with a campus research facility. The former contains the highest concentration of the highest value assets found anywhere on campus. While ingress activities are often curtailed during the early morning hours, internal activity is truly 24/7. Conversely, a campus research facility may contain research products that have taken years and untold amounts of federal grants to develop — all of which could be destroyed as a result of a security breach. These normally low-population facilities take a slightly different approach to access control and security management.
A number of universities are now offering study-abroad programs at remote campus owned by the sponsoring university. Again, like their corporate counterparts, the university public safety program now has to be designed to provide comparable secure environments to students and faculty alike across widely varying international environments.
In response to the expanding role of security management systems in the university environment, public safety programs should adopt a structured approach to system planning, implementation, and management. Such a program involves the following steps:
• Facility Categorization: The number of facilities or varying functions can be daunting when trying to compose a strategic approach to facility security. By breaking down the portfolio into functional categories, the number of facility types to be addressed can drop to a manageable number.
• Security Standards: Define the goals for security at a specific facility type. These performance requirements should be constant across any geographical variations. Once the goals are determined, develop the technology package that will accomplish those goals.
• Defined System Architecture: Define a system structure that will accommodate current facility types and locations as well as future expansion. Current IT-centric system models have made this somewhat easier.
• Pre-approved Equipment and Installers: To the extent possible, select a team for the program that will provide competitive pricing on the major equipment components. For those universities with international campuses, be sure potential suppliers can support the global enterprise.
• Standard Procurement Practices: Streamline the procurement process so that security planning decisions can be rapidly followed by implementation.
• Standard Installation Practices: Develop standard installation detail drawings so all installations follow the same practices. This will reduce both implementation and maintenance times.
• Audits/Follow Up: It is always essential to audit for results. New security management system installations should be commissioned to ensure they operate as specified and will meet the performance parameters necessary to meet program requirements. Follow-up testing and audits will be required to ensure this level of performance is maintained.
As important as a technology infrastructure is, perhaps even more important is a current and well-rehearsed crisis management plan. In spite of our best efforts to strategically apply every piece of technology available and all best practices, eventually every organization will experience a crisis of some magnitude. At that point, regardless of the initiating event, the most important goal is to return the campus to normal as quickly as possible.
We in the security industry know all about crisis avoidance and prevention. After all, the primary thrust of our jobs is to implement a program that will prevent or deter unacceptable behavior directed at our organization. And it is within this context that security and crisis management become adjacent — and in some circumstances, overlapping functions.
The two functions are adjacent in that certain classes of threats must pass through the security program to cause a crisis on campus. For example, an armed student or faculty member may have dealt with layers of technological, procedural and administrative security controls to gain access to a specific dorm room or classroom auditorium. Crisis management takes over after the threat “defeats” the security program; however, these functions overlap as well, since security would play an ongoing role in resolving the crisis.
The strategic response to a potential organization-threatening crisis is the crisis management or emergency operations plan. In broad terms, the strategy is to prevent or avoid the initiating event, mitigate the consequences of the event should it occur, and recover from the event as quickly as possible.
At its most basic level, the security industry is about protecting assets. Public safety and security programs on university campuses have rapidly expanded in scope within the last decade. A structured approach to program development is necessary in order to achieve and maintain effective protection.
Randall R. Nason, PE, CPP is a corporate vice president and manager of the Security Consulting Group at C.H. Guernsey and Co. His experience includes threat assessment, vulnerability analysis and master plan development through system design, construction management and design-led build projects. He has also designed and conducted full-scale emergency response exercises for a federal agency.