A REPORT ON THE NECESSARY (PHYSICAL SECURITY) ACCESS CONTROL SYSTEM DESIGN

Whenever a company sets out to expand its territorial borders, one of the most critical questions considered is the safety impact. In most cases, where a company is intending to build its headquarters, there are certain factors that it will need to take into account. The task of this report is to analyze the physical access control system implications that may accrue from the decision by Company X to construct its new headquarters next year. This report should help the directors determine whether the construction is prone to uncontrollable risks or not. This report takes into account the physical security assessment procedures, risk assessment procedures, the challenges of performing risk management analysis, the risk assessment method, an effective physical control system, wireless sensor technology, the automated electronic access control system, security risks in physical security systems, and a few recommendations.

Executive Summary
Company X is a research and development organization that is planning for the construction of its new headquarters next year. The headquarters will consist of a two-storey building and a car park located on a parcel of land in an industrial area. The building's bottom level will house the administration and management staff, while the top level features the company's research laboratories. The company wishes to incorporate a suitable automated electronic access control system into the headquarters plan.
In this regard, this report has a number of objectives. It aims, among other things, to:
Outline a proposed design and recommendations
Design and discuss the layout of the overall property and the building interior
Identify the potential risks that can accrue
Design a suitable access control system for the facility

Introduction
Whenever a company considers expanding its territory base beyond the parent company's borders, it is always good news because it means that the company is doing very well. The plans by the company to construct a new headquarters mean that it stands to have direct physical-security-related risks. It is worth noting that this move comes at a very critical moment when terrorism and vandalism have become a serious reality. There are several factors the company will have to take into consideration in order to come up with a viable physical access control system. It will also be an opportunity for the company to improve on its traditional security systems that might have led to serious risks and damages. In the same way, the company may run into serious trouble with its security procedures for the newly proposed project if they are not carefully planned. This report considers the viable physical security control system that can be adopted by the company.

The Report Procedure
This report was prepared on the basis of a request that was made by the company for the analysis of the safety issues that will need to be considered before the implementation of the proposed construction of its new headquarters. It was further requested that the report provide a design layout of the overall property and the building interior, together with the relevant risks and considerations applicable. This report will also establish whether the proposed project would be worthwhile by considering the possibility of manageable risks in this matter, and make necessary recommendations.

Physical Security Assessment
Physical security entails measures undertaken to safeguard personnel, equipment and property against foreseeable threats. These measures are passive if they use architecture, landscaping and lighting to attain improved security by deterring, interrupting or mitigating potential hazards. Active measures, on the other hand, comprise the utilization of proven systems and technologies designed to prevent, detect, report and react against threats (Lynda, et al. 2010). It is of much value to incorporate IT security into physical security in order to strengthen the physical security risk assessments and action plans.

Adequate physical security helps to safeguard the organization's assets by making a good choice of facility location, upholding a security perimeter, executing access control and protecting equipment. It is incumbent upon the physical security management personnel to develop and enforce appropriate physical security controls. These operations should work hand in hand with the computer security management, program and functional managers and so forth accordingly. Physical security should take into account central computer installations, backup facilities and office environments. In different governments the security function is largely responsible for the processing of personnel background checks and security clearances.

A company should develop an operational security procedure which will enable it to preserve privileged information covering the company's capabilities and vulnerabilities. This can be achieved through appropriate policies and procedures. It involves pointing out, controlling and safeguarding interests linked to the integrity and the unconstrained performance of a facility. These consist of training, policies and procedures, facilities access and tenant space (Lynda, 2010). The information system should be protected from arbitrary interference and misuse by persons, whether or not they belong to the company. There should be proper measures in place to safeguard the confidentiality, integrity and availability of information.

Risk Assessment
It is always advisable to ensure that policies and procedures are in place and properly updated. An effective security program should be in place as well. Normally, risk assessment of a company aims at assessing the system's use of resources and controls (implemented and planned) to get rid of as well as manage vulnerabilities that are exploitable by threats to the organization (Lynda, 2010). The vulnerabilities consist of threats linked to the system's operational configuration, the system's remedies, threats and vulnerabilities, and potential and real existing threats which need to be looked into in the corrective action plan. The security system should be in conformity with the company's policies and procedures and the entire applicable legal and regulatory measures.

The risk assessment framework captures the significant scope of the assessment, which may include the present configuration, environment, personnel, communication facilities and administrative security services available. It should identify the company's valuable property that needs to be protected, as well as assigning a value to each property together with its business criticality. Once threats are identified they can be incorporated into a dynamic threat model or digital dashboard and eventually incorporated into other threat and vulnerability models. In the event that threats are properly identified, the means to counter them are effected with proportionality. This means that the greater the potential for a threat, the greater the need to have in place the control system to alter it. The biggest mistake most companies make is concentrating their security system programs on an electronic systems perspective and failing to consider developing a comprehensive risk and vulnerability assessment.

There are a number of reasons that will compel Company X to carry out risk assessment, and doing so has several benefits as well. Normally, a good company will make it its policy to conduct an interim or annual assessment. Other reasons arise when Company X contemplates opening a new facility, when an audit report recommends it, after experience of a breach or vulnerability, for adherence to legal and regulatory requirements, during mergers and acquisitions, and when implementing a new technology, just to mention a few. On the other hand, there are several benefits that will make Company X carry out risk assessment. For instance, it helps the management in making critical financial decisions as well as in budgeting, it supports the safety of the entire staff, and an integrated risk assessment enables the company to take note of the security program it needs. In addition, it justifies costs, resources, and schedules; it creates confidence in relation to the legal requirements; it helps identify the different levels of risk as well as implement policies and procedures; and lastly it brings to light hidden risks within the environment of the company.

Challenges of Performing Risk Management Analysis
It is worthwhile to note that threat analysis is a difficult exercise. It involves, among many other things, the identification of the threat, approximation of the potential influence of the threat if it were to take place, approximation of the potential frequency of a threat, and approximation of the possibility that the threat will actually materialize (Lech, et al., 2005).

Threats can be caused by natural phenomena such as earthquakes, floods, and fires, just to mention a few. Threats can also be man-made, as in the case of terrorist acts, hackers, and viruses (Lech et al., 2005).

As mentioned earlier, the process of threat analysis is difficult, for two reasons. The first is that the majority of events leading to grave disasters are not easily foreseen. This makes it hard to predict their occurrence together with the adverse effects they might have. Europe is an earthquake-free continent apart from some regions in Italy. Therefore, people hardly erect structures based on the possibility of an earthquake. The other is that the personnel hired to carry out risk analysis may not be well trained in this field (Lech et al. 2005).

Risk Assessment Method
As indicated earlier, risk assessment is a fundamental step in safeguarding the workers and the business as well as ensuring that all operations are in conformity with the legal requirements. It helps the company to focus on those risks that really matter. No law will require that a company eliminate all its potential risks, but it is required to ensure the safety of all its employees (HSE, c. 2010).

Risk assessment is defined as the careful evaluation of what in the workplace could be harmful to people, so that an organization can evaluate whether it has taken adequate precautions to prevent harm. If employees get hurt due to a poor security system, their input will slow down, reducing the production of the company. The output will be low, machinery will be damaged, insurance expenses will go up, and so on. The Health and Safety Executive (c. 2010) proposes five key steps that are believed to be useful to many organizations. It recommends that one ought to: identify the hazards; judge the real objects of harm and how; weigh up and decide on precautions; document and record the findings as well as implementing them; and re-evaluate the assessment and update where necessary. Hazards comprise what may cause harm, as in the case of chemicals, electricity, working from ladders, an open drawer, et cetera. A risk, on the other hand, is the high or low potential that somebody could be subject to harm by a certain hazard, and also indicates the magnitude of the harm (HSE, c. 2010).

It is recommended that the company implement a physical security model which takes into consideration environmental factors. This makes it imperative that it implement environmental security controls. According to surveys, over 70% of risk managers acknowledge that environmental risks pose the largest security threat to the earnings of the company (Pizza, 2003).

The environmental factors consist of floods, fire, moisture, electricity and temperature, and all of these have a grave negative impact on IT computer components and equipment. The most important point to consider in environmental protection is the availability and continuity of computer systems, as they require redundancy in the availability of power. There should be backup devices that are always ready to take over and keep the systems powered up. Mainly, the company can consider the use of uninterruptible power supply (UPS) devices or a power generator. This equipment will be useful in the maintenance of the general electricity supply in the company building, especially in the maintenance of computer power in the sudden occurrence of a power shortage.

The company should also come up with measures that prepare for the potential event of fire. It can consider investing in smoke alarms, heat sensors, fire extinguishers and sprinkler systems. The staff members should learn how to operate such devices. The heat sensors can be installed inside computer rooms to detect and warn of any rise in temperature. They should be such that they can emit an audible or visible alarm. Fire extinguishers should be put in every computer room, and the management should consider which fire extinguishers are best.

Effective Physical Control System
There are basic security arrangements that can be considered. If Company X is bound to have an intensive flow of visitors, it can consider the following arrangements. The building should have several elevators, a couple of stairs, washrooms, and several service rooms. The reception can be set in a way that it faces the elevator bank. At the reception area there can be a sort of free access space that can host conference rooms or similar activities. In addition, further access within the premises ought to be controlled by a separate criterion, for instance, the use of lockable doors that can only be activated by another individual and not by the receptionist's mechanism. This control measure follows the requirements of the double challenge protection principle. In this regard, making the receptionist open the door would be in contravention of the said principle. It would be much more secure if the company considered a caged solution, where the visitors, after leaving the elevator, enter a glass cage with two doors that cannot be opened at the same time. The first door should close, and only then may the other door be opened by different means. The only disadvantage arises when there are many visitors, as this will cause queuing and traffic jams.
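
The caged solution described above can be expressed as a small interlock state machine. The following Python example is added here for illustration and is not part of the original report or of any vendor's product; the door names, the authoriser labels and the event sequence are assumptions constructed for the example. It enforces the two rules from the paragraph: the two doors are never open at the same time, and the second door must be released by different means than the first.

```python
from dataclasses import dataclass, field


class InterlockError(Exception):
    """A request that would break one of the interlock rules."""


@dataclass
class Mantrap:
    # "outer" faces the elevator lobby, "inner" the controlled floor (assumed names).
    open_doors: set = field(default_factory=set)
    outer_authoriser: str = ""  # who released the outer door in this cycle

    def open_outer(self, who):
        if "inner" in self.open_doors:
            raise InterlockError("inner door is open")
        self.open_doors.add("outer")
        self.outer_authoriser = who

    def open_inner(self, who):
        if "outer" in self.open_doors:
            raise InterlockError("outer door is open")
        if not self.outer_authoriser:
            raise InterlockError("no admission through outer door")
        if who == self.outer_authoriser:
            # Double challenge: the second door needs a different control.
            raise InterlockError("same authoriser as outer door")
        self.open_doors.add("inner")

    def close(self, door):
        self.open_doors.discard(door)
        if door == "inner":
            self.outer_authoriser = ""  # next visitor starts a full cycle


def replay(events):
    """Replay (action, door, who) events; return one outcome string per event."""
    trap, outcomes = Mantrap(), []
    for action, door, who in events:
        try:
            if action == "close":
                trap.close(door)
            else:
                getattr(trap, f"open_{door}")(who)
            outcomes.append("ok")
        except InterlockError as err:
            outcomes.append(f"denied: {err}")
    return outcomes


# Constructed event sequence for illustration (not real access logs).
SAMPLE_EVENTS = [
    ("open", "outer", "receptionist"),
    ("open", "inner", "floor_host"),     # outer door still open
    ("close", "outer", ""),
    ("open", "inner", "receptionist"),   # same person would control both doors
    ("open", "inner", "floor_host"),     # different means: allowed
    ("open", "outer", "receptionist"),   # inner door still open
    ("close", "inner", ""),
    ("open", "inner", "floor_host"),     # nobody admitted since the reset
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

The denied outcomes are the events a real controller would raise as alarms or write to its audit log.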

The company can consider establishing a stairwell on the opposite side of the reception area. Again, every floor in the building should have lockable doors that can be opened freely from the inside but require a key to open from the stairwell. Besides, alarms can be fitted to detect any unauthorized exits. The washrooms should be set around the reception area and, if possible, be accessed through the stairwell. Permanent employees can be provided with personal keys to access the stairwell doors. In case the company considers providing easy entry and exit to the visitors, surveillance cameras can be installed to monitor their movements accordingly.

The company should exercise abundant caution with regard to those rooms where sensitive equipment like telephone exchanges, power boards, and servers is housed. It is important that the management identifies, designs, and introduces procedures in order to limit access to this infrastructure. Therefore, apart from the locks, motion detectors should be put in place in these rooms.

Internal video cameras should not only be put in the reception area and other perceived special rooms; they should also be installed in the hallways in a manner that creates a chain of vision. This means that each camera must be seen by another camera. Only in this way can the company record any tampering with the cameras. The building can have access control at the underground floor to inspect all incoming and outgoing traffic. This, in turn, reduces the task of keeping a minute-by-minute record of incoming or outgoing visitors.

Wireless Sensor Technology
The company can consider implementing wireless sensors at all accessible points. They are cheap, low-power, minute devices equipped with some degree of sensing, data processing and wireless communication capabilities, and power supplies (Xia, 2009). Their use will be a great improvement on the existing sensors. It is important to note that a good wireless sensor can have several components in a sensor node (Akyildiz, et al., 2002). This means that it should have a sensing unit, a processing unit, a communication unit, and a power supply. The sensing unit may comprise several sensors and Analog-to-Digital Converters (ADCs). Sensors are hardware whose function is measuring physical data of the supervised system's state, for instance, temperature, humidity, pressure, or speed. The analog signals generated by the sensors are digitized by the ADCs and transferred to the processing unit for further processing. The processing unit is responsible for performing tasks, processing data, and regulating the functionality of the rest of the components of the sensor node. In most cases, the sensor nodes may vary in capacity and features. Table 1 illustrates a list of some wireless sensor nodes available. (See appendix A). The value of wireless sensor and actuator networks is that they are an enabling technology for cyber-physical systems (Xia, 2008).

Automated Electronic Access Control System
The company may consider coming up with vehicle access control solutions based on license plates. It can consider placing a complete LPR (license plate recognition) based access control system at the entrance gate or barrier. In this regard, it would not be necessary to have keypads, code readers or manual guards. It will have other added advantages as follows: it is cost-effective and easy to install and set up. It can operate for twenty-four hours (24/7).

REG-Sentry is an automated vehicle access control system from Bosch (Bosch Security Systems, 2008). The REG-Sentry makes it possible for the user to configure physical security apparatus either to accept or bar access to any vehicle attempting to enter a protected area. The REG camera captures the license plate of any vehicle that drives in towards its access control point and transmits video information to the REG-Sentry control point, which processes the video. Eventually, it extracts the license plate characters and compares this information to the previously loaded black and white lists. The valuable thing about REG-Sentry is that it is designed to be used in a multifarious range of access control applications (Bosch Security Systems, 2008).

REG-Sentry is designed to function as a stand-alone solution. It can also be integrated with existing access control equipment to deliver a flexible, automated vehicle access control system, and this reduces the need for an existing and expensive back office system. The REG-Sentry control box is the central point of the system. The control box brings together dedicated electronics, a frame grabber, an embedded processing engine and a license plate detection library into one compact, discreet unit. Moreover, the REG-Sentry control box can be suitable for any access. For the illustration of REG-Sentry control box and order codes. The figure below is an illustration of the architecture of an automated physical access control system.

A cyber-physical system (CPS) is a composite integrated system of diverse components that is aimed at integrating computation with physical processes (Lee, 2007). Although such systems are well suited for industrialized organizations, they can be widely used in providing autonomous control systems through control loops. They can also monitor the movement process through sensors.

The company can consider the use of a Personal Identification Verification (PIV) card. This card will carry the identity of the holder. A PIV card is a physical artifact, for instance, an identity card or smart card, issued to a person, that contains recorded identity credentials, for instance, a photograph, cryptographic keys, or biometric data (Honeywell Security, 2006). The claimed identity of the cardholder is verified against the stored credentials by the company through its automated processes. These stored credentials should be computer readable and verifiable.

Security Risks in Physical Security Systems
Given that physical security devices are used within the context of a security program that in most cases has expansive needs and supports diverse business requirements, additional security objectives and areas of potential risk ought to be considered. There are fundamental factors that need to be considered in this matter, namely: privacy, confidentiality, integrity, availability, authentication, authorization, fraud prevention, investigations and forensics, and the potential for identity theft.
     
Because systems are increasingly going to be connected to the organization's networks, the security risks to systems and devices designed to supply physical security will be on the rise. The company should ensure that its special systems and devices are not deployed in a manner that subjects them to external access from the internet. This will safeguard it from perpetrators who gain unlawful entry to such systems and launch attacks on other resources within the network, some of which may be business critical.

Recommendations
On the basis of the reported findings, this report further recommends that:
The company goes ahead with the planned construction of its new headquarters. This is because, after a thorough analysis of the physical security access control system design suitable for the company, it was found favorable for the new project.

A significant amount of money is set aside for the purposes of buying the devices to be installed in the security system. This is an extremely necessary undertaking, if the company is to properly establish itself in the new proposed headquarters.

A constant observation is made with respect to the proposed Physical Access Control System (PACS). This is especially crucial considering that the premises will serve as headquarters for the company. This will also deter malicious perpetrators in the course of the construction process.

To sufficiently address the security-related risks depicted in this report, the company should look to establish a governance framework for the management of security-related risks in its physical security systems. It should also come up with policies that will specify the elements of a risk management program for unique systems and devices.

There should be a management infrastructure to provide resources, establish accountability and ensure compliance. It can consider splitting duties, data classification and data retention. In addition, in-depth measures and standards pertinent to security in special systems and devices ought to be written and continually updated.

The company should consider expanding its audit function to cover special systems and devices. In this regard, special attention can be accorded to the physical security systems and the consolidated problems that these systems and devices may introduce.

A feasibility study be conducted to further establish how the control systems can be advanced so that they capture not only the physical security, but also the risks that can proceed from the political, economic, social, as well as legal environment in the country, and their implications for the overall security system of the company.

Conclusion
The need for this report arose out of the decision by the directors of X Research Co. Ltd to construct its new headquarters. The aim was to establish the viable physical security access control system design. This report has established that the company is very well advised to consider such a move. The physical safety of the company has been pointed out as an area where a lot needs to be done if risks are to be mitigated. Indeed, possible measures have been proposed to this end. The designs as well as the devices have been properly depicted in a manner that will make the implementation of the entire control system simpler.
