How to validate your security program: Part 12

July 26, 2016
Mitigating the potential risks created by security measures themselves is essential for program effectiveness

Editor’s note: This is the twelfth of a multi-part series that provides 15 important perspectives from which to validate your security program. If this is the first article you have seen in this series, please read the introductory article before launching into the validation steps.

An attribute is a quality or feature regarded as a characteristic of something. What we are calling the "15 Validation Attributes" are 15 characteristics that you can use to validate your security program.

Validation Attribute: Effective

Definition:

1. adequate to accomplish a purpose.
2. producing the intended or expected result.

The Effective attribute has very specific meaning for this validation step. Many of the previous attributes have dealt with aspects of a security program’s effectiveness. The two definitions above can be applied from the perspective of security’s mission:

The mission of security is to reduce security risks to acceptable levels, at an acceptable cost.

The end result of introducing any new security measure or improvement should be that it reduces the security risks it is addressing to an acceptable level, at a cost that is acceptable. However, as Bruce Schneier has pointed out in his "Five Step Process for Evaluating Any Security Measure," "Security is a complex and inter-related system; change one thing and the effects ripple." That is why step three of Schneier’s five-step process is this question: "What other security problems does the measure cause?"

Rarely is this question asked, and as a result, the introduction of new security risks often occurs unseen.

In a fully effective security program, any new risks introduced would also receive some compensating controls so that the level of new risk, if it can’t be eliminated, is also reduced to an acceptable level.

ID Badge Example

The use of photo ID badges is commonplace and the related risks are generally known and addressed, so it can serve as a good example. For many organizations, an access control card doubles as a photo ID badge. However, without a corresponding policy that personnel must display the badge on their person in a prominent manner, some personnel will use their badge to get into a facility, and then leave it sitting in their purse or backpack or in a desk drawer. This encourages tailgating, where some personnel just follow someone else who has been granted access through a door—a situation that makes access control system historical records unreliable. It also introduces the risk of someone misappropriating the ID badge of another, and using it to gain access under someone else’s privileges. Thus the overall security ID card policy must include a prohibition about borrowing or other misuse of cards, about tailgating, and a provision for dealing with lost, stolen or forgotten cards. Procedures must be in place that mandate prompt reporting of lost or stolen cards, and for security to perform prompt deactivation of lost or stolen cards, and temporary deactivation for forgotten cards. Depending upon the company culture, it may require video coverage of access points to fully eliminate tailgating.

Without appropriate policy and procedure measures in place, the deployment of photo ID cards can facilitate unauthorized access. As stated earlier, this is generally well understood. However, there are some scenarios where the liabilities related to introducing a security measure require a bit more thinking to bring them to light.
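The compensating controls in the badge example (prompt reporting, prompt deactivation) are only effective if they actually operate. The following is an added audit check, not part of the article or of any product, that runs over a constructed access-control export and a constructed list of lost/stolen-card reports. The CSV layout (`timestamp,card_id,door,result`), the card identifiers, the door names and the report timestamps are all assumptions made for the example; it flags any access granted on a card after it was reported lost, and any report whose deactivation exceeded a chosen service-level window or never happened.

```python
"""Audit check for the lost/stolen badge deactivation procedure (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    card_id: str
    door: str
    granted: bool


@dataclass(frozen=True)
class LossReport:
    card_id: str
    reported_at: datetime
    deactivated_at: Optional[datetime]  # None: security never deactivated the card


# Constructed access-control export in a hypothetical CSV layout:
# timestamp,card_id,door,result
ACCESS_LOG = """\
2016-07-26T07:58:10,C1001,LOBBY-1,GRANTED
2016-07-26T08:02:41,C1002,LOBBY-1,GRANTED
2016-07-26T08:15:05,C1003,DOCK-2,GRANTED
2016-07-26T09:20:30,C1003,LOBBY-1,GRANTED
2016-07-26T09:41:12,C1002,DOCK-2,DENIED
"""

# Constructed lost/stolen reports with the time security actually deactivated each card.
LOSS_REPORTS = [
    LossReport("C1002", datetime(2016, 7, 26, 7, 30), datetime(2016, 7, 26, 8, 30)),
    LossReport("C1003", datetime(2016, 7, 26, 9, 0), None),
]


def parse_access_log(text: str) -> list:
    """Parse the constructed CSV export into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, door, result = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), card, door, result == "GRANTED"))
    return events


def grants_after_report(events, reports) -> list:
    """Access granted on a card at or after the time it was reported lost or stolen.

    Every hit is a window in which someone other than the owner could have
    entered under the owner's privileges, and the historical record for that
    person is unreliable for the period."""
    reported = {r.card_id: r.reported_at for r in reports}
    hits = []
    for e in events:
        if e.granted and e.card_id in reported and e.ts >= reported[e.card_id]:
            hits.append((e.card_id, e.ts.isoformat(), e.door))
    return hits


def deactivation_violations(reports, max_lag_minutes: int) -> dict:
    """Cards whose deactivation took longer than the allowed window (lag in seconds)
    or never happened at all (value None)."""
    out = {}
    for r in reports:
        if r.deactivated_at is None:
            out[r.card_id] = None
            continue
        lag = (r.deactivated_at - r.reported_at).total_seconds()
        if lag > max_lag_minutes * 60:
            out[r.card_id] = lag
    return out


if __name__ == "__main__":
    events = parse_access_log(ACCESS_LOG)
    print("grants after loss report:", grants_after_report(events, LOSS_REPORTS))
    print("deactivation violations:", deactivation_violations(LOSS_REPORTS, 15))
```

Run as a monthly "new risks check" against a real export, a non-empty result from either function is evidence that the compensating control is not reducing the introduced risk to the intended level, and belongs in the program documentation along with the corrective action taken.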

Video Surveillance Liabilities

A situation where security departments often have unseen liability is with regard to surveillance video. There is an increasing trend in the utilization of security video for business operations purposes, and for providing personnel outside of the security department with view-only access to video from selected cameras. Unless there is a clearly written policy governing the use of video (an acceptable video use policy), which must be read and signed by each individual who is given video access, the organization itself can be found fully liable for the consequences of any video misuse that occurs. Properly informing new employees about the use of premises surveillance video, and its scope and purpose, helps establish accurate expectations of privacy.

There are about 14 states that have regulations regarding employer use of video surveillance, most of which contain restrictions on the use of hidden cameras and establish that privacy expectations exist regarding restrooms, changing rooms, and sometimes break areas. States vary as to which specific areas of a workplace may be legitimately video recorded. It is surprisingly common for break areas to be the subject of concern, as in the case where a refrigerator is provided in which employees may store lunches and other food and beverage items. There are situations where employees have requested video surveillance of break rooms, due to lunches “going missing” from a refrigerator. While a seemingly minor issue, the point here is that there can be many ramifications to the use of video surveillance, some of which can create employee concerns and some of which can create liability for the organization—situations that can be avoided by or sufficiently mitigated by thinking through the attendant risks.

At some facilities, signage is utilized to provide notification of video surveillance, with the intention of discouraging potential wrongdoers. Such signage must not create false expectations of security response, for example, by stating “Security Video Surveillance in Use” when video is not actively monitored for the purpose of providing immediate response. Courts have held that such signage can alter an individual’s response to a threatening situation if the verbiage states or implies that there is live security monitoring of cameras. The presence of patrolling security personnel at the facility, absent any notice about the use of video, can create the impression that video cameras seen around the facility are being actively monitored. Notice of “Recorded Video Surveillance in Use” can make a difference in such cases.

Company Culture

Sometimes security measures can run contrary to company culture, and company culture can vary wildly in some aspects from facility to facility. Where security measures are necessary even though they may seem contrary to local culture, good communication with the affected parties can often point to a solution that satisfies all concerns. Where concerns can’t all be successfully satisfied, it is important to make a record of the issues and periodically review them in case they change, or in case a new solution offers itself. Sometimes a change to local culture is warranted, especially where that culture establishes security vulnerabilities. In this age of social media, negative impacts on personnel can have far greater consequences than in the past, so that is a consideration when making changes to a security program or when changing any particular security measure.

Negative impacts on personnel, business partners and contractors may very well be part of the cost of implementing a security measure. Where this is the case, the extent of those costs must be ascertained, along with their level of acceptability, with attention given to ways to minimize negative impacts.

Validation Steps

There are only two steps for this particular security program attribute.

Step 1. Incorporate the "Five Step Process for Evaluating Any Security Measure" into your security program as a formal part of change management.

Step 2. Establish a schedule to perform a "new risks check" of existing security program elements. For example, each month, take up one element of your security program and perform a risk check for unintended consequences of its security measures. Often these have already been discovered and mitigated or worked around; if so, appropriate notes should be added to your security program documentation.

Final Note

Incorporating these five evaluation steps into your security program is an important security risk mitigation element which—while simple—will further strengthen your security program.

About the Author: Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private organizations (www.go-rbcs.com). Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 28 years. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). He is also an active member of the ASIS International member councils for Physical Security and IT Security.