Printer Friendly

Integrating security and design.

CRITICAL GOVERNMENT AND INdustrial assets present particularly attractive targets for a variety of threats. These threats can range from unsophisticated activist groups to highly sophisticated, well-armed, and welltrained professional career criminals or narcoterrorists.

Security managers and executives recognize this and are becoming increasingly convinced the best defense is a fully integrated security program that carefully and effectively blends architectural, technological, and operational elements into a flexible, responsive system. Unfortunately, far too many security organizations place undue emphasis on the selection and application of security personnel or equipment alone without equal consideration of the full range of options and countermeasures that comprise a total security system.

Security managers must be alert to this tendency and ensure their security systems effectively integrate all the various subsystem elements throughout the design process. More importantly, soaring personnel and equipment costs coupled with the potential insider threat demand the effective application of security countermeasures at key locations to reduce asset vulnerablity and keep operational costs under control.

This application can be accomplished by following the security system design and integration process discussed here. if followed by the security manager as system specifier and user and the architect/engineer (A/E) as system designer, this approach will ensure the proper selection and integration of personnel, procedures, and equipment into a fully responsive and operationally effective system at reasonable cost.

Before the security manager can even begin to determine user requirements and formulate a system solution, he or she must identify the objectives of the security system. Simply stated, a security system is an integrated combination of barriers, technologies, personnel, and procedures designed to safeguard personnel, property, and operations.

System objectives generally address deterrence, denial, detection, delay, assessment, and response

user requirements. Complete systems incorporate a wide range of measures to achieve stated objectives.

In the case of a fully integrated security system, protection objectives can be achieved through the selection and integration of protective measures from the following subsystem options:

* facilities and architectural barriers designed to deter and delay an adversary

* physical security equipment designed to assist detection and assess intrusion attempts and unauthorized activities

* communications systems that collect, integrate, transmit, and display alarm and other data for operator response and control response forces

* security personnel to conduct day-to-day security program operations, management, and system support and respond to nonroutine events

a security procedures that guide security operations and provide security program direction and control.

SYSTEM INTEGRATION IS BOTH A process and a product of security systems engineering. As a process, integration is the function of completely incorporating and interfacing the various subsystems, personnel, procedures, facilities, barriers, and equipment into a facility-specific unified system that reduces and controls vulnerability based on an identified threat. The overall process of security system integration is shown in Exhibit 1.

As the exhibit indicates, system integration begins with a thorough requirements analysis and system concept definition. Protection schemes are designed beginning with countermeasures identification for each asset.

In-depth protection is the system goal and involves establishing a series of protective rings around a critical asset, starting with the asset itself and working outward. Barriers, technologies, personnel, and procedures interact at key locations in each concentric ring to form an integrated subsystem protection scheme.

The system concept is formed through the collection of integrated approaches at each asset, facility, and groups of facilities sharing a common boundary. Given the diverse missions found in organizations, the integration of protective measures and resources does not involve a static set of environments. Because the threat is normally dynamic at each asset or facility requiring protection, the fully integrated system concept must allow for diversity, redundancy, and collective security resource management to achieve protection in depth.

Based on the approved concept, system engineering and design brings the system through the various design phases, resulting in a complete system solution. The integration function is introduced when the design solution, which is prepared by the A/E, is validated by the user based on a review of requirements.

This validation phase is absolutely critical for the security manager to be assured the integrated design solution addresses all stated requirements. More importantly, design solution validation is essential before hardware is acquired and construction is begun. Once validated, the system is ready for implementation and operation by the user.

Finally, the operational system becomes the product of the security planning process. Feedback on the effectiveness of the system, which is based on the dynamics of threat and changing missions, is continuously fed into the front-end requirements and system definition phase.

Each phase of this system integration process is described in principal integration activities that must be performed by the security manager and the A/E. This is necessary to arrive at a fully integrated security program that effectively counters the threat and substantially reduces vulnerability.

EXPERIENCE HAS SHOWN THAT THE system integration process must be front-loaded to arrive at a valid security concept. The process is based on a thorough analysis of threats and the relative exposure of individual assets to these threats. Thus, the requirements analysis phase is critical to develop an optimum system configuration and determine the relative cost-effectiveness of various physical security options. This initial phase of the process is shown in Exhibit 2.

Initially, assets that need protection are identified, and their criticality to the facility and its function are determined. Next, the attractiveness of these assets to potential threats and their likely modes of attack are evaluated. Finally, areas in which existing countermeasures do not adequately address the threat are identified as facility vulnerabilities.

Based on the results of the on-site requirements analysis, asset-specific physical security countermeasures are applied to various points in and around the facility or asset to be protected. Selection of individual countermeasures is made based on an initial statement of system objectives and functional requirements, such as detecting unauthorized entry and controlling access.

Countermeasures begin at the designated outer perimeter and are applied in concentric rings in the adversary's path to each specific asset. Regardless of the facility type or configuration, countermeasures development must embrace a complete protection-in-depth concept. The security manager must consider the full range of potential countermeasures, including architectural barriers, intrusion detection, access control, and assessment subsystems, as well as procedure and personnel-intensive countermeasure combinations appropriate to each asset.

Finally, individual countermeasures are selected and integrated into a cohesive protection solution. Also, preliminary cost estimates for the initial and expected total life cycle of the complete system are conducted. Costs for those physical security countermeasures necessary to meet operational and vulnerability reduction objectives are always a prime consideration.

In this phase of system design and integration, the security manager as user plays the key role in determining initial system requirements. In the requirements phase, the security manager must do the following:

n Establish security system goals and objectives.

* List functional requirements to address.

* Identify and prioritize assets.

* Assign criticality ratings for each asset.

* Identify potential threats in terms of aggressor categories, their expected capabilities, and modes of attack.

n Assess current security force capabilities and related procedural controls.

n Assess the effectiveness of countermeasures in place.

n Identify the organization's mission requirements or functions that will be secured through protection of individual assets.

n Identify procedural, operational, and fiscal constraints.

n Validate the security system concept in relation to all of the above.

Introducing the A/E at the requirements phase depends on the security manager's decision to either formulate a concept in-house or hire an A/E firm. Factors to consider when making this important decision include the availability of relevant requirements information in the organization, the ability of the security organization's own internal planning staff, and the relative complexity of the subsystems to be included in the overall security system.

The following is a list of roles and responsibilities of the A/E in the requirements phase or the functions of the internal security personnel if an outside A/E is not used:

* Provide a detailed analysis of threats and vulnerabilities.

* Provide a detailed analysis of the capabilities and effectiveness of existing countermeasures.

* Complete a site survey and an evaluation of environmental conditions.

* Identify candidate countermeasures.

* Formulate a system concept addressing individual subsystems.

* Develop a preliminary system design and implementation plan, including an assessment of system costs and support requirements.

THE SYSTEM ENGINEERING AND DEsign phase shown in Exhibit 3 uses this concept as a basis for developing a detailed engineering design solution. This more detailed system design consists of drawings or specifications for all hardware and software, subsystem and component interface, and interoperability requirements as reflected in design drawings. It considers the interaction of personnel and procedures with equipment, logistics support requirements, system installation, and testing requirements.

Because of the diversity of threats confronting an organization, the system design process needs to be structured in a total systems orientation to ensure all reasonable protective measures will be incorporated to reduce vulnerability. The security manager should provide the designer with an established system goal, a full set of functional requirements on which the design can be based, and a complete system concept that defines how the total system and its elements will function to counter identified threats and reduce vulnerabilities.

The system designer leads a team effort that concentrates on the development of asset-, facility- and organization-specific protective measures to deter, delay, detect, assess, and respond to a variety of threats. Typical protective measures detailed in the engineering design phase include architectural barriers, interior and exterior sensors, closed-circuit television (CCTV) and associated support lighting, communication and transmission media, alarm and signal field collectors, and control and display equipment. These elements must be identified in terms of their individual characteristics and overall contribution to facility or asset protection from an integrated perspective.

For example, the delay capabilities or architectural barriers will modify the degigner's selection of sensor and access control subsystem elements. In addition, the availability and operational capabilities of the security force will dictate the optimum selection, configuration, and placement of various security technologies.

Each of the various subsystem options available to the security designer represents a complete inventory of protective elements that may be selected and combined with other elements to form a completely integrated security system. Subsystem elements are specifically selected based on their performance, reliability, maintainability, cost, and vulnerability reduction potential.

Considered individually, these elements offer little in the way of complete protection for critical assets. However, if the system engineer has correctly used the information provided in the user's security system concept, the result should be a system that effectively counters current and future threats at reasonable cost.

Throughout the system engineering and design phase, the security manager's principal role is to

n establish quality assurance requirements;

a participate in milestone design reviews;

n review preliminary and final cost estimates; and

n review engineering submittals and design documentation, such as the design specification, support plans, and test and acceptance criteria.

The A/e's principal role in the system engineering and design phase is to

n provide a complete system engineering design, including all hardware and software engineering;

n prepare a detailed system installation plan;

n prepare construction and renovation plans;

n prepare drawing submittals and supporting documentation;

a prepare detailed bills of materials and system specifications;

n implement a quality assurance and quality control program; and

n prepare detailed cost estimates and schedules.

ON COMPLETION OF THE SYSTEM engineering design, the security manager and A/E need to reflect on the designed system and ask the critical integration question: How do all of the selected protection measures and components required for their operation fit together for total system effectiveness?

While not normally recognized as a major phase, system integration is essentially a step between final design and implementation in which the security manager validates the system design in accordance with established requirements. In effect, system integration is really the final design review elevated to a major phase.

At this point, the following items should be considered:

n the adequacy of the the final security system design solution in terms of threats and vulnerabilities

a the security manager's concept of security operations

n economic and other constraints

n organizational operations

n overall system requirements Exhibit 4 shows the sequence of events for the system integration phase.

The system integration phase confirms the primary objective of the earlier design process to incorporate the various subsystem elements (architectural barriers, sensors, data transmission media, control units, CCTV, etc.) with personnel and procedures resulting in an integrated approach to asset protection. During this phase, each subsystem along with its associated components needs to be evaluated by the security manager, the A/E, and system operators in terms of its individual contribution to vulnerability reduction and contribution to the total systems effort.

Each element offers trade-offs in terms of costs and benefits. For example, a physical barrier with 10 minutes of delay has a set cost as compared to real-time intrusion notification via electronic sensor zone with CCTV assessment.

To move the process forward, the systems engineer together with the security manager chooses the best solutions during the design phase. However, their solutions need a final review and confirmation based on the availability and capability of the security force to respond within a specified time, the value of the asset, the criticality of the mission, the capabilities of the adversary, budget constraints, and other factors. Subsystem integration reflected in the final design represents the culmination of the choices appropriate to individual asset protection decisions.

True system integration will not result unless the countermeasures selected and implemented are consistent with the

* criticality of individual assets;

* dynamics of the threat;

* reduction of specific vulnerabilities;

* mix of personnel, technologies, and procedures; and

* design for cost/performance effectiveness.

During the system integration phase, the security manager validates

* the threat,

* system goals and objectives,

* the operations concept,

* economic and other constraints,

* operations requirements, and

* the system design solution.

The A/E's functions during this phase include

* justifying security system design,

* demonstrating conformance with design objectives and specifications, and

* ensuring interoperability and compatibility of components and subsystems.

Exhibit 5 shows the result of the security system design and integration process-a completely integrated security system consisting of various subsystems and their associated elements that collectively counter an adversary with a high degree of reliability and assurance.

IMPLEMENTING THE SECURITY SYStem involves preparing facilities, acquiring system hardware, installation, testing, evaluation, training, and establishing a comprehensive logistics support system. Exhibit 6 shows the major events of this most critical phase in terms of eventual system performance.

It is at this crucial phase that the designer can lose control of the desired results. Project controls need to be exercised with respect to the design specifications to ensure quality control.

While the A/E is primarily involved in getting the system installed, the security manager needs to be concerned with overall quality assurance, test, and acceptance issues.

Most security managers contract out system installation to a local, qualified firm. These firms typically supply, install, and maintain the system. If the security manager has secured the services of the A/E in either a design-and-build or turnkey role, the A/E will generally supervise system installation and conduct system test and turnover.

On-site quality control of system installation is essential to successful system performance. The designer plays a key role in this phase by carefully considering key installation activities when on-site inspection can confirm that design requirements are being met.

The designer must be completely familiar with the devices being installed and ensure all items right down to cable connectors meet the design specification and are appropriate for the conditions and environment in which they will be used. If they are not, the designer must stop the project until system redesign can be done. This is a drastic step, but unless it is done, the security system will never meet the objective established at the beginning of the process.

Field system checkout and performance tests need to be monitored closely. The test results, prepared at the end of each test phase, should be documented fully by the testing agency and verified by user security representatives. Likewise, shop drawings and other engineering submittals required by the specifications and statement of work need to be reviewed for acceptability.

Formal acceptance of the installed system should be made only after the user has confirmed that all quality control provisions have been satisfied. System level training for maintainers and supervisors is also conducted at the end of this phase.

The role of the security manager in the implementation phase involves

* schedule and cost conformance,

* quality assurance oversight,

* specification compliance oversight,

* test oversight, and

* acceptance confirmation.

The role of the A/E in the implementation phase involves

* preparing the site,

* procuring and fabricating components,

* assembling and installing the system,

* testing and evaluating the system,

* overseeing and inspecting the subcontractor's installation,

* conducting a training program,

* performing interim logistics support, and

* ensuring quality.

The system operation phase shown in Exhibit 7 involves the actual operation of the system. Key aspects of this phase include preparing and submitting of as-built drawings and the final receipt of technical manuals for system operation and maintenance. A principal element of this phase is the assumption by the user of responsibility for system support.

One price option involves forming and training a dedicated maintenance team to perform routine preventive and troubleshooting procedures on a regular basis. Another option is to contract out all maintenance to a qualified firm.

Regardless of the option chosen, all maintenance personnel need to understand system operation and be able to test, troubleshoot, and replace modular components and repair certain components. In some cases, multiplex control and display manufacturers offer diagnostic software to troubleshoot system, subsystem, and component failures.

All operational systems should be evaluated regularly-at least yearly-based on a continuing threat and vulnerability analysis and changes in organizational missions. System hardware should also be tested regularly to verify that system performance has not been degraded. Some experts recommend repeating original system-level acceptance tests semiannually. Lastly, sustained training of all system personnel, including operators and maintenance and supervisory personnel, is mandatory.

As the system user, the security manager performs virtually all functions in the system operation phase, including

* integration of personnel and procedures subsystems with installed technologies,

* system operation,

* system maintenance,

* personnel retraining,

* threat and vulnerability update, and

* system upgrade requirements.

THE A/E HAS A LIMITED ROLE IN system operation, namely

* preparing and submitting system as-built drawings,

* monitoring system turnover,

* supporting follow-on logistics through the warranty period, and

* implementing system upgrades.

Effective security system integration not only includes security hardware selection and application but also must take into consideration existing procedures, architectural measures, and security resources. This requires a thorough understanding of the roles and functions of the security manager as the user and the A/E throughout the entire integration process.

After selecting assets critical for protection, the security manager must systematically determine potential threats and their characteristics, the attractiveness of critical assets to these threats, potential attack modes, and potential attack severity. Finally, with the aid of an A/E who understands that the most effective, flexible, and economic security system is the one that has an appropriate blend of personnel, procedures, and technology, an integrated security system can be designed.
COPYRIGHT 1990 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1990 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:architecture and security
Author:Grassie, Richard P.; Johnson, Andrew J.; Sullivant, John; Hancock, John R.
Publication:Security Management
Date:Apr 1, 1990
Previous Article:Don't segregate - integrate.
Next Article:The phases of partnership.

Related Articles
Client/server allows faster addition of new members and benefits.
What does IT want from security?
Copernic Enhances B20 Info Management Product.
Global access control. (Marketplace).
Integrated access control.
Network security architectures.
Security and site design; a landscape architectural approach to analysis, assessment, and design implementation.
Information Security Architecture: An Integrated Approach to Security in the Organization, Second Edition.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters