Faced with the blank canvas of a facility in need of protection, it is tempting to apply that first splash of paint by locating a bunch of cameras in problem areas and at facility access and egress points. But before you make that bold stroke, there are several questions you may wish to consider:
- What are my security needs?
- What currently available technology can help me to mitigate my problems?
- What support infrastructure (lighting, power, network, space) will I need?
- What staffing issues will be raised by this project?
Thoroughly analyzing your security needs, designing appropriate solutions, and planning for their implementation will ensure that you are addressing your current problems in a cost-effective manner with an eye toward minimizing future obsolescence.
What Are My Security Needs?
The most often overlooked concept in security system design is, perhaps, also the simplest: You cannot apply meaningful solutions to problems until you know and understand the nature of those problems. Sherlock Holmes said it best in The Adventure of the Speckled Band: "I had come to an entirely erroneous conclusion, which shows, my dear Watson, how dangerous it always is to reason from insufficient data."
The classical approach to understanding security needs is first to identify what requires protection (the assets) and then to determine from what the assets need to be protected (the threats). To put the threats in perspective, the risk of occurrence should also be assessed.
Let's look at a data center as a sample asset. This asset may be of importance to your organization on many counts; it encompasses the value of the data-processing equipment, the value of the data itself, and the value of the transmitted data as a management tool to its recipients.
Threats against the data center could come from trusted sources such as employees (whether by accident or because they are disgruntled) or equipment vendors (sabotage to the equipment or other vendors), or from outsiders such as hackers or competitors engaged in industrial espionage. Other threats could include fire or natural disasters, or, depending on the nature of your organization, terrorism due to the iconic stature of the building or the target status of neighboring buildings.
The means and methods of attack should also be considered. You may need to protect a data center from physical break-in through doors, windows, drop ceilings, or raised floors, as well as from damage to support elements such as HVAC systems, electrical power cables, and telecommunications infrastructure. These physical safeguards may need to be augmented by protections against hacking and denial-of-service attacks as well.
Risk is looked at in different ways by different organizations. One way is to prioritize threats by their likelihood or frequency of occurrence, much in the same way as is done with natural disasters. Is this an incident that could happen daily, weekly, monthly, annually, or once every 10 years, 50 years, or 100 years?
More commonly, risk is looked at as the magnitude of effect that a successfully orchestrated threat could have on the organization or on a business unit of the organization. This is generally measured in days: How many days can the organization survive if a particular asset is not available? Security is charged with mitigating only man-made threats, so it must join forces with contingency planning and disaster recovery to look at risk in this broader context.
There is another category of baseline information that should be explored before looking at possible solutions: constraints. The most obvious constraint is cost, but equally important are any negative impacts that solutions could have on normal productive operations, the availability of space for back-room equipment and real-time monitoring, and any approvals that may be required by other design professionals. For instance, an architect may need to have a say on the aesthetics of overt equipment like cameras.