Start with risk, not technology

Access & Identity Management Handbook 2015 Access Control & Identity Management, Security Services & Risk Management

All too often we are inundated with technical specifications, background information and conflicting argument over what technology to adopt. The industry experts tender for this work and leave the responsibility back with the end-user, who effectively accepts a list of ‘kit’ and not a solution that is designed or programmed to meet the needs of the original requirement. There is a need to become more objective and performance oriented.

This article looks to avoid the usual technological rhetoric approach and provide end users with a list of performance-based requirements that will leave the responsibility of providing the correct access solution with the system provider.

Before any system-based security technology mitigation solution scope can be considered, the starting point has to be in first adopting a pure risk management principles and practices approach.

This is the biggest area of opportunity and why so many organisations fail dismally when selecting the appropriate and applicable security technology solution that is needed to mitigate micro risks; they have failed from the outset to identify and quantify each risk in terms of:

* Exposure (which includes brand trust reputational risks),

* Severity,

* Frequency, and

* Probability.

Having completed one’s risk identification, one must then perform a risk analysis in order to determine the following before commencing with the risk control step:

* Which risks can be terminated?

* Which risks can be treated?

* Which risk can be tolerated?

* Which risks will be transferred (insurance)? Remember insurance is the last leg of the process not the first.

This critical process is far too often overlooked or is over simplified, yet this is the single most critical success factor needed. In order to ensure the limited funding available is spent effectively, one’s ROI is achieved and the intervention has the desired impact in preventing, reducing and maintaining risks to an acceptable level, one needs to perform quantifiable risk analysis.

Far too often this failure on the part of organisations to first adopt effective risk management principles and practices results in many organisations having to repeatedly revisit the poorly designed master security plan resulting from ongoing incidents being experienced after installing the security technology solutions. This subsequently results in the loss of confidence in security, loss of revenue, negative brand trust reputational exposure etc., and ultimately this poorly executed approach is not only costly, but extremely ineffective due to the piecemeal reactive and corrective approach.

In closing this matter, risk management requires the analysis of risk, relative to potential benefits, consideration of alternatives, and finally, implementation of what management determines to be the best course of action. Risk management consists of two primary and one underlying activity, risk assessment and risk mitigation being the primary activities.

Risk assessment: The process of analysing and interpreting risk, is comprised of three basic activities:

* Determine the assessment’s scope and methodology.

* Collecting and analysing data involves: asset valuation, threat identification, consequence assessment, safeguard analysis, vulnerability analysis, likelihood assessment and interpreting risk assessment results.

Risk mitigation: This process involves the selection and implementation of security controls to reduce risk to a level acceptable to management.

* Select safeguards, accept residual risk, implementing controls and monitoring effectiveness.

Addressing risks via access control layout and design

In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety strategy. Defining your core business processes is the first step, which then allows one to then identify essential resources and facilities that need protection. From here, as highlighted above, you must perform a risk assessment to identify the associated risks to these resources and focus on those you consider most likely to occur. The risk assessment will determine and quantify if the chance of threat / risk is low, medium or high and what the exposure, frequency and severity of the risks are on the business.

Although the core elements of businesses may differ, however, they generally all have a number of processes capable of identifying and responding to attacks when they occur.

In saying this there is a common tendency to look at security technologies as a quick fix to security risks. Effectively addressing and preventing security risks does require much more than getting the right technology, and as highlighted above, fails by neglecting to adopt an holistic system-based approach when considering and designing access control.

There are five security principles that need to be considered when exploring the deployment of access control solution.

Security Principle 1. “Delay without detection is not delay”

Consider a door fitted with a deadbolt lock, which would take some time before an intruder could penetrate the door if the alarm system’s detection of the intruder is first activated when the door is opened. The time value of the lock as a delay barrier is several minutes, however the moment the door is opened, the time value of the lock as a physical barrier is actually zero. If a homeowner, for example, is not at home, it would make no difference if the burglar took 5 minutes or 5 hours to get through the lock because delay without detection is not delay.

Security Principle 2. “Detection without assessment is not detection”

This principle is similar to that of an alarm system. First detection takes place. However, the detection process is not complete until assessment takes place. An effective access control system requires that the components of People and Procedures must be well articulated. Depending on the design, when configuring access control layers the response times could be very short periods at the point of detection. It must be noted that in order to meet the desired access control design standards, this will only be possible with a clear systematic approach.

Security Principle 3. “People make great assessors but poor detectors”

A common mistake is to assume the security personnel will be able to detect a threat in sufficient amount of time to respond and deploy the final denial barriers. Often the required response times are too short. People do not make good assessors.

Principle 4. “Adversary Path”

There are a number of adversary paths / routes a burglar may take to gain access to a business. It is therefore important to identify and address the multiple adversary paths when designing one’s access control solutions.

Security Principle 5. “Critical Detection Point”

This is the culminating principle that borrows from the other four principles. Once one’s adversary paths have been identified, they must then be analysed by measuring the time it takes for the adversary to reach the asset / identified threat along with the probability of detection in order to determine the Critical Detection Point. If the advisory makes it past this point it’s too late.

Crime Prevention Through Environmental Design (CPTED)

This is an essential discipline that is often overlooked. This principle outlines how the proper design of a physical environment can reduce crime by directly affecting human behaviour and has three main strategies:

Natural access control: This relates to the guidance of people entering and leaving a space by the placement of doors, fences, lighting, and landscaping including bollards, use of security zones, access barriers, and use of natural access controls.

Natural surveillance: This entails the use and placement of physical environmental features, personnel walkways, and activity areas in ways that maximise visibility. The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable, through the use of observation.

Territorial reinforcement: This is achieved by creating physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership and is accomplished through the use of walls, lighting, landscaping, etc.

In conjunction with the above principles it is critical that the following zone layout and design must also be considered which can be divided into four primary zones:

* Approach zone

* Access control zone

* Response zone

* Safety zone

Generally speaking it is important that the detection elements needed must be placed either in the approach or access control zones that will ensure the guard force alarm response time needed for alarm, assessment and response.

All these components take time, and the engineering and design will be directly affected when calculating the response times directly. Also, do not forget that this will also have a direct impact on were the final barriers will be placed. Remember, if they are too close behind the access control zone, one’s guard forces will not have sufficient time to respond to the threat.

When one looks at the three primary zones in the zone corridor, one can begin to understand how critical these security principles are relative to access control point layout and design.

Lastly, based on the above application of risk process, principles and zone configuration, the effects of the different design elements to deter, deflect, delay, detect and response models will assist in determining the required subsystems – alarms, barriers, surveillance, EAS, smoke cloak, audio, lighting etc., in order to provide the most cost effective vulnerability solution.

It must be noted that in order to be successful, a systems approach will always include a combination of personnel, equipment and procedures. Herein lies an additional issue, in respect of the people element (poorly selected, poorly paid, poorly trained or poor retention), plus in many instances little or no procedures are in place.

Life cycle planning

The following are typical phases of the life cycle planning that are often poorly executed and or often not considered:

Initiation phase

* Prepare and define the master access control security plan to ensure it supports the mission of the organisation.

* Develop a visible access control programme policy that is consistently supported by management, which must address the organisation’s strategic direction, assign responsibilities, and include a compliance programme.

* Conduct a sensitivity assessment.

Development/acquisition phase

* Determine security requirements and specifications.

* What are the system and related security activities.

Implementation phase

* Install/turn-on controls.

* Security testing.

* Accreditation.

Operation/maintenance phase

* Security operations both on and off line, assurance and administration.

* Ensure SLA addresses support, turnaround times, assured supply, define response times etc.

* User training.

* Audits and monitoring.

Staffing and user administration

* Position definition, separation of duties and least privilege.

* Determining position sensitivity.

* Screening and employee training and awareness.

* User account management and audit and management reviews.

* Detecting unauthorised/illegal activities

* Termination.

Business plan priorities

Develop scenarios to identify and analyse resources needed to determine if there are any overlapping of common areas plus resources that can be used and the time frame needed. This will include recovery, resumption, implementation, test and revise plan in order to determine ability to respond quickly and effectively so as to contain, repair damage and prevent future damage

Address awareness and training strategies. Identify the programme scope, goals, and objectives. This includes:

* Identifying target audiences.

* Administer, maintain and evaluate the programme.

Evaluate physical access controls and fire safety factors, including the failure of supporting utilities and other environmental issues such as plumbing leaks and security concerns about possible interception of data, protection of security hardware, etc.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Turnstar ramps up countermeasures
Turnstar Systems Editor's Choice Access Control & Identity Management News Products
Turnstar has developed and patented an early warning and deterrent system which will alert security, and anyone nearby, of any attempt to place ramps over the raised spikes.

Suprema integrates biometric access control with Genetec
Suprema News CCTV, Surveillance & Remote Monitoring Access Control & Identity Management
Suprema has announced the successful integration of its biometric access control products with Genetec Security Center, a unified security platform that connects security systems, sensors and data in a single intuitive interface.

The state of the distribution market
ESDA (Electronic Security Distributors Association Bosch Building Technologies Dark Horse Distribution Elvey Security Technologies Regal Distributors SA G4S Secure Solutions SA Editor's Choice Security Services & Risk Management
The distribution industry has evolved over the years and its current challenges simply mean another change is in the wind, for those who can take the next step.

Training that delivers
Technews Publishing Leaderware ESDA (Electronic Security Distributors Association BTC Training Africa Editor's Choice Security Services & Risk Management Conferences & Events Training & Education
Hi-Tech Security Solutions hosted a virtual conversation to address the challenges and solutions related to effective and measurable training and education in the security industry.

IDEMIA South Africa achieves level 1 B-BBEE status
IDEMIA News Access Control & Identity Management
As part of the action plan to improve its status to Level 1, IDEMIA now works with over 40 black-owned local suppliers, representing over 30% of IDEMIA’s local suppliers.

Suprema no. 1 in the global biometric market excluding China
Suprema News Access Control & Identity Management
According to the latest report by Omdia, a global market research firm, Suprema ranks first in global market share, excluding China, in the field of biometric readers.

Dahua and Yeastar PBX-intercom integration
Dahua Technology South Africa News Access Control & Identity Management
Dahua Technology and Yeastar announced their new ECO partnership on PBX-intercom integration to provide a comprehensive and unified communication solution for small- and medium-sized enterprises.

Traka launches experience centres
News Access Control & Identity Management
Traka launches inaugural Experience Centres in Australia and South Africa; aims to drive continuous collaboration and innovation.

New platform for keyless access
Access Control & Identity Management
The new ABLOY CUMULUS platform for keyless access combines locking hardware with secure access and management applications in a single ecosystem with a risk-free, integrated cloud service.

The importance of traceable records
Technews Publishing Editor's Choice Security Services & Risk Management
Traceable records streamline performance management, training, evidence records and reduce fraud, corruption and criminal activities.