Architecture Firm: Example Executive Summary

“Dalton, Walton, & Carlton, Inc. is an architecture firm with approximately 250 employees in four cities in a regional area. The main office is in Kansas City, Mo, which houses 100 of the employees. The main office is located in a small office park in a suburban neighborhood near the University of Missouri, Kansas City, Volker Campus. The satellite offices are in downtown Des Moines, IA, Springfield, MO, and Omaha, NE.
Their physical security infrastructure for the main office is as follows:

o The main office building is three stories tall with Dalton, Walton, & Carlton, Inc. occupying the top two floors. There are two unrelated businesses on the first floor. DW&C leases the floors from a management company.
o The building has one elevator along with a front and back staircase.
o The building uses standard windows that are slightly tinted, but you can still see in from outside. The windows do not open.
o Both floors are basically laid out the same. Each floor has:
   o Drop ceilings used throughout.
   o Six offices on the exterior and two interior offices.
   o One large conference room and two smaller ones.
o The third floor has a small reception area monitored by an administrative assistant. There is a locked door leading from the reception area to the back offices that requires a key card.
o The admin has a master key card kept in a desk drawer.
o Visitors are provided with access badges that they sign out and are supposed to return each day. These allow access to the full facility except for the server room.
o When visitors sign in, they need to provide the name of their contact but don’t need to be escorted when in the facility.
o Access to the building and the floors is controlled with key card access. This access allows entry at a front and back door on each floor. It is also used to control the small server room on the third floor.
o The building management company administers the key card access server.
o The front and back doors for the building open automatically at 6am and lock at 6pm, Monday through Saturday. All other times they are locked requiring key card access.
o The door to the DW&C third floor reception is unlocked from 7am-6pm Monday through Friday.
o The exterior and primary interior doors all have alarms that go to the DW&C facilities manager and the building manager. They are deactivated during business hours, as noted above. The alarms have the capability to trigger if the door is propped open, but that is not used due to past false alarms.
o The server room on the third floor used to be a storage closet.
o When it was converted, they added a raised floor and extra air handling.
o There are also two Tripp Lite SMART1500LCDT UPS towers that are expected to provide 90 minutes of power in a blackout.
o IT also uses this facility to build and maintain servers and PCs.
o The IT staff all sit outside the server room/closet. They will occasionally prop the door open when they are frequently accessing the room.
o The building uses dual HVAC systems run by building management.
o There is one telecommunications drop for the building.
o The main power breakers for the building are on the first floor in a room locked by building management.
o Each floor has power breakers in an interior coat closet.
o That area on the second floor is a storage closet housing business supplies.
o The CEO and CFO both have corner offices on the third floor. Access is controlled with a standard key. Each of their offices contains multiple, lockable file cabinets containing company sensitive documents.
o Employees that aren’t in offices are in standard cubes with 5-foot walls.
o All employees have desks and cabinets that lock.
o The CFO’s admin assistant controls all of the keys. She also has master keys to access any room, desk, or cabinet that she keeps locked in a small safe under her desk.
o There are five security cameras spread throughout the building as follows:
   o External Front Door
   o External Back Door
   o Interior front stairwell on the first floor
   o Interior back stairwell on the first floor
   o Facing the elevator
The camera feeds go to a single DVR unit managed by building management. The CCTVs are in the building mailroom on the first floor, where they are monitored by the facilities manager and mailroom personnel.

Their physical security infrastructure for the three remote offices is as follows:
o The remote offices have approximately 50 employees and are used by sales and local design teams.
o The offices are located in the downtown areas of Des Moines, IA, Springfield, MO, and Omaha, NE. The intent is to have offices near customers.
o DW&C leases building space for these offices. Each is in a multi-story office building where DW&C uses a floor or a portion of a floor. Each facility is managed by local building management.
o Each building uses standard windows that are slightly tinted, but you can still see in from outside. The windows do not open.
o There are offices and standard cubes in each facility. The senior director at each facility is also responsible for the safety and security of that facility.
o Access to each facility is controlled using key cards administered by local building management. These systems are not tied to the main office’s key card system.
o Each facility has cameras so you can know who has entered/exited the building. Only one of the buildings has a camera on the interior door to access the DW&C offices.
o An admin sits near the front door and monitors visitor access, but this is a part-time duty.
o The doors are unlocked and unarmed based on the same schedule as the main office.
Their IT infrastructure is as follows:
o They primarily use Microsoft servers and PCs with several Mac computers used to perform design work. They use Active Directory, have a Web Server for their Internet web site, four servers used as file shares (one in each office), four servers housing their architecture applications, a training server, five MS SQL database servers, and two Microsoft Exchange servers for email.
o Each satellite office has 3-4 servers for storing files and running local applications.
o Each office has its own decentralized wireless network connected to the production network.
o Each employee has a desktop or laptop PC running Windows 7. HR personnel have laptops for conducting interviews.
o There is a Director of IT who has a full-time staff of 5 employees, one of whom does security duties part-time.
There are a few known issues with their infrastructure and organization:
o Recently, several PCs and office equipment have been stolen out of the office.
o It’s at the data owner’s discretion as to whether or not to secure their data files or folders. Many do not secure their files, while some lock them, so only they have access. There have been rumors that customer data and intellectual property have been lost.
o Two employees recently left your company and went to your biggest competitor, where they just landed a contract with your largest account.
o Vendors are allowed access to the site and computers without authorization or supervision.
o Onsite staff at each location provides IT support part-time along with their other responsibilities. Password resets are done by giving out a generic password — Chiefs2011.”

Main Office

Three stories (the upper two of which are occupied by the company). Each floor is accessible from a single elevator and a front/back staircase; this setup can be a security risk because it relies on the security of the first floor (two different companies) to ensure that unauthorized individuals cannot access the DW&C levels. Furthermore, the staircases’ protective measures are unknown; in the event of a fire or emergency, the security controls need to be quickly disabled, because the single elevator will need to be disabled.

Windows: The building’s lightly tinted windows (which offer visibility) pose a security threat; I would recommend adding a darker or 1-way tint; also, with their inability to open, there may be a fire risk.

Floor Design: Both floors are laid out in the same manner, providing a would-be intruder a general understanding of each floor’s design, thus allowing them greater knowledge of where critical systems and personnel are located. I would recommend redesigning each level in a defensive-oriented layout.

Reception Area Location:  Located on the third floor and monitored by an administrative assistant; this location is not preferred as it bypasses the second DW&C floor, thus relying on a visitor to know that he/she must go to the third floor, first. Ideally, the reception area should be on the second floor, with clear and present signage regarding the location of both DW&C floors, as well as proper sign-in processes.

Reception Area Security Protocols: While the use of the locked door leading to the back offices is effective, the location of the master key card is not acceptable; at the minimum, it should be stored in a locked security box, preferably mounted on the wall in a visible location (to make it simple for firefighters and police to find and use it if the administrative assistant is not present). The master key card’s current location and usage should be logged and signed-off by security staff.

Access Badges: While having visitors sign out access badges that they are ‘supposed’ to return each day is useful, the technology the system uses and the access the visitor badge grants are not. I would recommend access badges with RFID chips so that each badge can be tied to the exact individual requesting access, by capturing an image of the person and their personal details, and by requiring the individual to surrender their driver’s license at the security terminal for the duration of their visit. Also, with RFID chips, if the visitor attempted to leave without returning the access badge, the system would be alerted (losing a visitor badge is a serious matter). With RFID-enabled identification, the visitor should be given access only to the building/floor/room they require, and nothing more. Furthermore, they should always be escorted when possible. Upon sign-in, the visitor should not only provide the name of their contact; a call should also be made to that contact to verify the visitor, and either the contact or security should escort them. Audits of all security badges should be performed throughout the day to ensure that all are accounted for. The ‘small server room’ on the third floor should not be accessible with any access cards other than those of IT and security staff. The building management company should not be in charge of the keycard access server, as relying on another entity’s security protocols is not recommended; if it must be designed this way, there should be proper communication between DW&C IT and security staff, as well as continuous audits of the building management’s server and security practices at regular intervals.

Door Locks: While the design of the building is unknown to me (in regard to the front and back doors and what they allow access to), I believe the auto-locks are fine, as long as there is some form of reception/security area directly proceeding each door to authenticate visitors. The auto-locks on the third-floor reception area shouldn’t open automatically at a specific time; instead, they should require a keycard (or use a callbox so that the assistant and visitor can communicate and, once the assistant has verified the authenticity of the individual, the door can be unlocked for the visitor).

Door Alarms: The exterior and primary interior doors should have their alarms go to DW&C security staff, not just the facility and building managers. The practice of leaving the propped-open-door trigger unused should end, as propping a door open is a severe security risk. To minimize false alarms, a notification sent to the security staff (preferably by text message) will allow for quick determination of the threat, and staff can then disable that specific door’s alarm.

Third-Floor Server Room: Since this server room was initially a storage closet, I am assuming the security of the room is not adequate. Ideally, the room should be locked and only accessed through a specific IT or security access badge (as mentioned before), as well as monitored 24/7 through video surveillance. On no occasion should the door be propped open; as mentioned in the door alarm section, the alarm should activate if this occurs. Without knowing more about the other IT hardware used in the room, I would still ensure that a cooling system is added to the room with proper intake/outtake of cold/warm air.
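
The Door Alarms and Third-Floor Server Room recommendations can be combined into a two-stage held-open check: notify security staff first, then raise a full alarm if the door stays open. The sketch below is an added example, not part of the original assessment; the log format, door names, and thresholds are all assumptions.

```python
from datetime import datetime

# Seconds a door may stay open before (notify, alarm). Assumed values.
DEFAULT_LIMITS = (60, 300)
# Stricter limits for the server room, which should never be propped open.
DOOR_LIMITS = {"server-room-3f": (30, 120)}

# Constructed sample door-controller log: ISO timestamp, door id, event.
SAMPLE_LOG = """\
2024-03-04T09:00:05,front-2f,open
2024-03-04T09:00:12,front-2f,close
2024-03-04T09:15:00,server-room-3f,open
2024-03-04T09:15:45,server-room-3f,close
2024-03-04T10:02:00,back-3f,open
2024-03-04T10:09:30,back-3f,close
2024-03-04T11:30:00,server-room-3f,open
"""


def parse_events(log):
    """Yield (timestamp, door, event) tuples from the comma-separated log."""
    for line in log.splitlines():
        if line.strip():
            ts, door, event = line.strip().split(",")
            yield datetime.fromisoformat(ts), door, event


def classify(door, seconds_open):
    """Return 'alarm', 'notify', or None for a door held open this long."""
    notify_s, alarm_s = DOOR_LIMITS.get(door, DEFAULT_LIMITS)
    if seconds_open >= alarm_s:
        return "alarm"
    if seconds_open >= notify_s:
        return "notify"
    return None


def held_open_alerts(log, now):
    """Return (door, level, seconds_open, still_open) for each violation.

    Doors with no matching close event are measured against `now`, so a
    door that is propped open right now is reported as well.
    """
    open_since = {}
    alerts = []

    def record(door, opened, until, still_open):
        seconds_open = int((until - opened).total_seconds())
        level = classify(door, seconds_open)
        if level:
            alerts.append((door, level, seconds_open, still_open))

    for ts, door, event in parse_events(log):
        if event == "open":
            open_since.setdefault(door, ts)  # keep the earliest open time
        elif event == "close" and door in open_since:
            record(door, open_since.pop(door), ts, False)
    for door, opened in open_since.items():
        record(door, opened, now, True)
    return alerts


if __name__ == "__main__":
    for alert in held_open_alerts(SAMPLE_LOG, datetime(2024, 3, 4, 11, 31)):
        print(alert)
```

The notify stage gives staff a chance to dismiss a legitimate held-open door before it escalates, which addresses the false-alarm problem without turning the trigger off.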

HVAC: The dual HVAC system is fine; however, having it entirely run by building management can pose some issues. For example, constant communication must be maintained between DW&C IT staff and building management to ensure adequate cooling for the server rooms, as well as to allow for a backup system in the event of a failure. Furthermore, HVAC alerts and notifications need to be sent to DW&C IT staff.

Telecommunications Drop: Having a single drop can be risky in the event of a disaster or if an individual disables it; maintaining constant communication with the building’s security system, HVAC system, and police and fire departments is of utmost importance.

Main Power Breakers: Having the main breakers on the first floor is fine; however, constant communication must be maintained between DW&C IT staff and building management to ensure that if the breakers need to be shut off for some reason (fire, virus, etc.), the action can be completed in a timely fashion.

Power Breakers (Each Floor): An interior coat closet is not an ideal location for each floor’s power breakers; if this location has to be used, it should be locked and only accessible with an IT/security-enabled access badge. The second-floor power breaker (in the storage closet containing business supplies) needs to have the same security protocols as the third floor and have the business supplies removed (so nobody needs to access it besides IT/security staff).

CEO/CFO Offices: Both of these offices need to have access protected by a keycard; access to each room will only be granted to either the CEO/CFO respectively; for IT/security staff access, special privileges will have to be acquired and signed by their manager (with date and time logged). Video surveillance should also be used outside of the office. All interior file cabinets should remain locked and have the key stored in a secure, locked position (preferably with a pin code).

Employee Cubicles: Standard cubes with 5-foot walls are fine; however, proper placement of employees, as well as the spacing between them, should be carefully reviewed. For example, accounting employees shouldn’t be placed near others due to the risk of overhearing sensitive phone calls. Furthermore, all desks/cabinets should be kept locked with security staff holding a master key, instead of the CFO’s admin assistant. The small safe under the CFO’s admin assistant’s desk should be removed or at least placed in the security office/department, and all keys should be continuously inventoried and logged.

Video Surveillance System: In addition to the five existing security cameras, several more interior and exterior cameras should be installed (as mentioned before), including outside both the CFO and CEO’s office, outside each server room and closet containing the breakers, several outside facing the garage or parking lot, inside each stairwell at each floor (not just the first), and one facing and inside the security office. The system should store audio and video on-premises, as well as offsite, preferably in the Cloud. These feeds should be visible utilizing multiple monitors in the security room and with the facility manager. The mailroom should have no involvement.

Remote Offices

Windows: The buildings’ lightly tinted windows (which offer visibility) pose a security threat; I would recommend adding a darker or 1-way tint. Also, with the windows’ inability to open, there may be a fire risk.

Employee Cubicles: Standard cubes with 5-foot walls are fine; however, proper placement of employees, as well as the spacing between them, should be carefully reviewed. For example, accounting employees shouldn’t be placed near others due to the risk of overhearing sensitive phone calls. Furthermore, all desks/cabinets should be kept locked with security staff holding a master key, instead of the CFO’s admin assistant. The small safe under the CFO’s admin assistant’s desk should be removed or at least placed in the security office/department, and all keys should be continuously inventoried and logged.

Security Management: While the day-to-day responsibility of security and safety may fall upon the senior director, they should remain working hand-in-hand with security staff at the main building. Periodic reviews and tests of the security and safety of each remote office should be performed, logged, and reviewed.

Access Badges: The access badge system needs to be integrated with the main office’s card system for accountability purposes. As I mentioned for the main office, I would recommend access badges with RFID chips so that each badge can be tied to the exact individual requesting access, by capturing an image of the person and their personal details, and by requiring the individual to surrender their driver’s license at the security terminal for the duration of their visit. Also, with RFID chips, if the visitor attempted to leave without returning the access badge, the system would be alerted (losing a visitor badge is a serious matter). With RFID-enabled identification, the visitor should be given access only to the building/floor/room they require, and nothing more. Furthermore, they should always be escorted when possible. Upon sign-in, the visitor should not only provide the name of their contact; a call should also be made to that contact to verify the visitor, and either the contact or security should escort them. Audits of all security badges should be performed throughout the day to ensure that all are accounted for. The building management company should not be in charge of the keycard access server, as relying on another entity’s security protocols is not recommended; if it must be designed this way, there should be proper communication between DW&C IT and security staff, as well as continuous audits of the building management’s server and security practices at regular intervals.

Video Surveillance System: In addition to the existing ‘entrance’ security cameras, several more interior and exterior cameras should be installed (as mentioned before), including outside the DW&C access area, several outside facing the garage or parking lot, and inside each stairwell at each floor. The system should store audio and video on-premises, as well as offsite, preferably in the Cloud. These feeds should be visible on multiple monitors in the security room and with the facility manager, and the system should communicate with the main office’s system.

Door Locks: While the design of the building is unknown to me (in regards to the front and back doors and what they allow access to), I believe the auto-locks are fine, as long as there is some form of reception/security area directly proceeding each door to authenticate visitors.

IT Infrastructure: For the satellite offices, the report makes no mention of the physical security measures for the IT infrastructure, but I would recommend following the same practices outlined for the main building, including video surveillance and access-controlled locks (RFID key cards). I would also recommend promoting the IT member who does security duties part-time to full-time.

Three Areas of Excellence in Physical Protection of its Facilities and Infrastructure

  • As mentioned above, I detailed how to improve the access card system; however, the current use of access-controlled doors and locks is an excellent way to increase deterrence.
  • While having the main building’s power breakers on the first floor managed by an entity other than DW&C isn’t as effective, the fact that the room is locked and managed by building management helps prevent unauthorized access, as well as acts as a form of risk transference.
  • The CEO/CFO offices, residing on the third floor of the main building, contain adequate security regarding the lockable file cabinets; with the hope that this means that they are both locked and supervised, this is satisfactory.

Three Infrastructure Areas in Physical Protection That Need Immediate Attention

  • Vulnerability: All Buildings: IT Infrastructure: A sophisticated and regularly updated asset inventory list, proper file-sharing protocol procedures, a non-compete clause, and dramatic changes to the password management policies all need to be immediately built and implemented.
  • Vulnerability: Main Building: Access Badges: The security measures for granting, retrieving, and managing access badges are lacking and need to be quickly updated. Furthermore, the access that the badges allow needs changes as well (mentioned in the full report above).
  • Risk: Main Building: The admin has a master key card kept in a desk drawer; due to the lack of other security measures, having a master key so accessible and under the ‘responsibility’ of an assistant requires immediate resolution.

Three Techniques to Improve Physical Design Security

  • Main Building: Each floor should be designed differently to reduce the accessibility for unauthorized individuals, as well as special attention made to the proximity of cubicles due to the risk of overhearing sensitive information.
  • All Buildings: The windows should be tinted entirely or at least much darker, to prevent unauthorized individuals from seeing in.
  • The unused ‘propped door alarm’ trigger needs to be re-enabled to prevent unauthorized access through a door left open that should be locked.
