Conducting Security System Site Surveys



Similar documents
Insert Client Name Request for Proposal for Security Risk Assessment Services Consulting

Introduction. Industry Changes

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Comprehensive Master Plan. Strategic Security Plan East Carolina University. December 31, Prepared by:

Manage and secure your workplace by controlling who, what, when, why, where and how people are allowed in your facility. Marquee

Science/Safeguards and Security. Funding Profile by Subprogram

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

UBC Technical Guidelines Section Edition Secure Access: General Standards Page 1 of 7

SECURITY. Risk & Compliance Services

visit us on the web at:

Middleborough Police Electronic Security Narrative

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Write up on PSIM PHYSICAL SECURITY INFORMATION MANAGEMENT

TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO

How to Implement a Unified Security Management Platform:

Communication Infrastructure Convergence & The need of IS Audit Compliance. Ninad M. Desai

INFORMATION TECHNOLOGY ENGINEER V

From the Lab to the Boardroom:

IOWA LABORATORIES FACILITIES PHYSICAL SECURITY PLAN

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Integrated Physical Security and Incident Management

Security-in-Depth 4/26/2013. Physical Security Webinar. DCO Meeting Room Navigation. Host: Danny Jennings

Cisco Advanced Services for Network Security

Network Design Incorporated

TECHNICAL QUESTIONS AND ANSWERS ITN-DOT-14/ RM TAMPA OPERATIONS CENTER VIDEO SURVEILLANCE/SECURITY ACCESS SYSTEM

Chapter 1 Introduction

Supplier Security Assessment Questionnaire

IBM Connections Cloud Security

File 6: Appendix A, 36 CFR 1234 (formally numbered as 36 CFR 1228 subpart K) Federal Facility Security Standards (version 2.0 issued May 15, 2014)

OCCUPATIONAL STANDARD (For use in the development of supply chain related job descriptions, performance evaluations, career development plans, etc.

REQUEST FOR PROPOSALS FOR SECURITY MASTER PLAN CONSULTING SERVICES

Healthcare Security Solutions. Building Technologies

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

System Security Plan University of Texas Health Science Center School of Public Health

How To Ensure Security At A Site Security Site

Site Security Standards and Strategy

HIPAA Security. assistance with implementation of the. security standards. This series aims to

21 st Century Campus Network Responsibility Matrix 5/26/10

Ames Consolidated Information Technology Services (A-CITS) Statement of Work

Information Technology Branch Access Control Technical Standard

City facilities that are currently part of the System are listed below. Other City facilities may be added in the future.

INCIDENT RESPONSE CHECKLIST

Security Alarm Monitoring Protocol

Safeguards and Security

Physical Security: Introductory Applications and Technology

R345, Information Technology Resource Security 1

BANKING AND FINANCE. Advanced technology solutions to maximize the security of financial institutions and branch banks.

The Protection Mission a constant endeavor

SECURITY CONSIDERATIONS FOR LAW FIRMS

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

Building Integration System (BIS)

Supplier Information Security Addendum for GE Restricted Data

Tyco Integrated Fire & Security Advanced Integration Solutions

Data Security Concerns for the Electric Grid

Physical Security: Introductory Applications and Technology

Security Service de Services sécurité. Security Alarm Monitoring Protocol

Exhibit F. VA CAI - Staff Aug Job Titles and Descriptions Effective 2015

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Cyber Threats in Physical Security Understanding and Mitigating the Risk

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

CHIS, Inc. Privacy General Guidelines

IT Networking and Security

Music Recording Studio Security Program Security Assessment Version 1.1

FACILITY SECURITY CERTIFICATION FORM DOJ SECURITY LEVEL II

Building Integration System Selection Guide for V4.0

White paper. Axis Video Analytics. Enhancing video surveillance efficiency

School Security: What are you missing?

AV Parking System Review

Understanding Sage CRM Cloud

Make your business EXCEL with technology solutions provided by Excel Communications Worldwide, Inc.

Fire Alarm Systems Certification

White Paper. Information Security -- Network Assessment

Directory of Personal Information Banks

HIPAA Security Alert

ABSOLUTE SECURITY. IVRI Group. Corporate Profile December 2012

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

CCTV on IP Network. How Cisco IT Deploys Closed- Circuit TV Cameras over the Secure IP Network. A Cisco on Cisco Case Study: Inside Cisco IT

HIPAA Security Series

The Information Assurance Process: Charting a Path Towards Compliance

Security Policy JUNE 1, SalesNOW. Security Policy v v

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Company Management System. Business Continuity in SIA

INTEGRATED SOFTWARE SOLUTIONS

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Request for Resume (RFR) CATS+ Master Contract All Master Contract Provisions Apply. Section 1 General Information

Sample Career Ladder/Lattice for Information Technology

Transcription:

Conducting Security System Site Surveys Written By: Harold C. Gillens, PSP, CFC, CHS-III Quintech Security Consultants, Inc. 102 Sangaree Park Court Suite 4 Summerville, SC 29483

CONDUCTING SECURITY SYSTEM SITE SURVEYS I. BACKGROUND: In the aftermath of September 11, 2001, Federal, State and Local authorities all turned their attention to assessing their security posture. Each of them began making the necessary adjustments to ensure proper levels of security. However, in their attempt to do so, many organizations discovered that they possess a multitude of different systems and security technologies. At that point of discovery, it was now up to someone to determine the best security technology required to move them forward in there quest to provide optimum security for protection of personnel, facilities, and other critical assets. Security managers often find out quickly that determining their AS-IS condition is the first step in obtaining its security objectives. To do so, security managers want to know what type of systems are currently in place, their functional status and expansion capability, and their past performance and reliability. In addition, they need to obtain information on the current security infrastructure and facility resources needed to support its operations. The usability of current infrastructure plays a major role in the ultimate decision of maintaining items currently in place or migrating to a new system. The IT Network as a security infrastructure has become both a positive and negative for organizations. The ultimate objective for security managers is to develop recommended solutions for increase security posture and to define and implement a strategy to get them to their newly defined TO- BE state. II. PURPOSE: The purpose of this White Paper is to provide organizations seeking to increase their security posture with a list of task areas required to successfully accomplish an Electronic Security System (ESS) Site Survey of their campus-wide environment and to assist them with guidelines for selecting a qualified Security Consulting Firm. III. STATEMENT OF NEEDS: An ESS Site Survey should include identifying and evaluating the AS-IS condition of existing security systems used by the organization to protect against unauthorized access, provide intrusion detection, and to provide closed circuit television surveillance of critical areas. Recommendations should be developed with a strategic understanding of the on-going capital improvement projects. Considerations for the out-years should be identified as TO-BE upgrades and should be incorporated as part of the site survey report. Recommendations and solutions for modifications and upgrades should be developed with an understanding that all processes, systems, and resources must be integrated to provide a comprehensive campus-wide security management plan. Within the site survey report, milestones should be identified for the ESS upgrade that is compatible with the organization s capital improvement plan and the levels of protection consistent with the protection of key assets and facilities. Page 1

The site survey should closely follow the process as outlined in the task areas below: Task Area 1 Conduct Site Survey: Addresses physical security and access controls as the first line of defense for protecting the organization s asset. The survey should include, as a minimum, each of the following. Perimeter and interior access control Mail, Packages and Delivery systems Traffic and barrier planning Parking CCTV surveillance Intrusion detection Response capabilities Site Survey Process a) Hold an in-brief with site personnel to outline survey goals. b) Hold discussions with site personnel to discuss issues such as: Operational procedures and security requirements Organization structure, roles and responsibilities Available and planned resources On-going or planned security projects Real or perceived threats not yet guarded against Past incidents (types, impact, resolutions) c) Survey each facility to gather information that includes at a minimum, the following: 1) Access Control System Locate and document all access control systems. Determine equipment type and operating condition. Locate and document all access control system field panels. Note adherence to good installation practices and fire safety standards. Locate and document all access control card readers. Determine reader type and operating condition. 2) Communications Backbone Examine and document the type and condition of existing wiring and cabling. Determine the adequacy of existing infrastructure to handle future access control security requirements. Examine adequacy of existing telephone lines. Examine existing network Topology. Examine and document current deployed communications encryption. Note adherence to applicable ANSI, EIA and TIA commercial telecommunications standards. Page 2

3) Access Control Monitoring Control & Display Equipment (MC&DE) and Badge Station Examine the MC&DE and document the salient characteristics, i.e., Operating System Software and Version; MC&DE System Software and Version; database type, etc. Document each access control system's architecture. Examine the systems capacity, i.e., maximum number of card readers, card holders, access points, etc. Examine historical records to determine the system s activity. Examine and document the system s database structure and data distribution methodology. Examine and document the systems integration to existing intrusion detection and fire alarm systems, and Closed Circuit Television (CCTV) systems. Document the existing concept of operation for all access controls systems installed and monitored in the facility. Examine and document the badge station set up and concept of operation. Examine and document the methodology for system back-up. Examine and document the site s methodology for disaster recovery. 4) General Facilities Examine and document the adequacy of emergency back up power. Examine and document the adequacy of UPS in assuring continuity of operations in power fail situations. Survey facility to identify areas that are now vulnerable or may present a potential of becoming an at risk area. Compile building drawings and sketches, if available, to be used in generating proposed equipment layouts. d) Hold an out brief to sum up the site survey findings. Task Area 2 Technologies Evaluation & Analysis: Assist in identifying and recommending security products and applications to upgrade security systems and technologies. Considerations should include: Security system development, which may be integrated with the existing and new infrastructure incorporating security system servers, security management system software, advanced processing alarm and card access controllers, control panel and lock power supplies, operator, administrative and identification badging workstations, identification badge printer, report printer, CCTV matrix switcher, CCTV cameras, duress intercoms, intercoms, and digital video recorders (DVR). Integration criteria used to incorporate/installed card readers, alarm sensors, and security cable infrastructure to the new and existing facilities as identified and approved by the educational institution s committee, evaluating the recommendations of the final assessment report. Personal Identity Verification (PIV)/badge system to be used as part of the overall security management system. The PIV should be able to accommodate smart card technology. The contractor should also make recommendations and consider perimeter systems, barrier controls, and traffic plans to support the facility development efforts. Page 3

Task Area 3 Prepare Site Survey Report: Utilizing the information obtained during the site survey of each facility, the contractor will develop a Security Assessment Report. The report should outline all the findings of the surveys and make recommendations for upgrading existing intrusion detection, CCTV, and access control systems. These recommendations may include the integration of additional equipment, training, procedures, and safeguards required to maintain and/or increase the client s security posture and to further mitigate identified vulnerabilities and perceived threats documented during the survey phase. Recommendations may include: Installation and/or upgrading of access control and alarm monitoring equipment Installation of additional CCTV cameras and/or relocation of existing cameras Institution of physical security counter-measures (vehicle barricades, fence lines, metal detectors, etc.) Upgrade of indoor and outdoor lighting Creating or modifying existing security policies and procedures Potential reorganization of current organizational structure Recommendations for continuity of operations in a crisis situation Designing, installing and integrating the most efficient and cost effective Integrated Security Management System to meet the client s requirements. The intent of the organization s security report is to highlight the findings of the assessment and briefly describe recommended security improvements required to strengthen the security posture of the campus environment. A second goal of the report is to highlight ways of decreasing potential liability exposure. IV. SECURITY PROFESSIONAL S QUALIFICATIONS: The first step in selecting a security consultant or consulting firm should be to verify its true independence of manufacturers and system integrators. The benefit in doing so is to ensure that the consultant is working on behalf of the organization and is not there to deliver any preconceived solution. It is important to remember that the selected security professional could be a part of your in-house staff. In-house security professions may also provide a non-bias and independent view of one s security needs. The next step is to verify the company s or consultant s credentials with respect to the specified task areas. The qualified company or team should have both physical and information security professionals with associated professional certifications. The company or consultant should also possess senior level engineering and/or project management skills. Physical security professionals will typically have the following certifications: Certified Physical Security Professional (PSP) Certified Protection Professional (CPP) Certified in Homeland Security (CHS) Information security professionals will typically have the following certifications: Certified Information System Security Professional (CISSP) National Security Agency s Information Security Assessment Methodology (NSA-IAM) Page 4

It should be emphasized that professional experience may be more important than credentials and those with experience can bring to bear industry s best practices. The contractor should also provide a Project Manager for the security assessment task. This individual should have: Proven experience in managing security programs and conducting analysis, studies, and assessments. Proven capability working in security management with threat analysis and vulnerability assessment experience. Demonstrated experience as a security consultant developing security programs, integrating security systems and products and managing federal government security engagements. Experience supporting the national efforts engaged in the continuity of government and continuity of operations planning. V. NEXT STEP (FOLLOWING REPORT DELIVERY): The Security Assessment Report is the resulting document from the site surveys and all task area performance. Following the approval of the security recommendations, a Statement of Work (SOW)/Request for Proposal (RFP) should be developed that consist of descriptive information based on all approved recommendations; request for contractor support in the development of policies, procedures and support of the system design process. Along with the new policies and procedure development, an Installation Design Plan (IDP) should be developed detailing the overall system configuration for the organization s campuswide security upgrade. The typical duration for an IDP development and approval could take approximately 60 to 90 days for task completion. The development process contains, at minimum, a 30%, 60%, and 100% design review with all stakeholders. To speed up this process, the end-user may agree to have the system integrator use the approved 60% design package to conduct procurement and installation. The as-built drawings will then be completed using redlines generated during the installation period. By doing so, the end-user may be able to reduce the design time by 30 to 45 days getting to the installation phase much faster. (Stakeholders including, but not limited to, IT Department, Safety & Protective Service/Physical Security, and others to be identified by the executive staff.) Page 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information