Access Badges: While the fact that visitors are assigned access badges that they sign out and are ‘supposed’ to return each day is useful, the technology the system utilizes, as well as the access that the visitor badge grants are not. I would recommend the use of access badges with RFID chips to allow for customization of the exact individual who is desiring access, by taking an image of the person, personal details, and requiring the individual to surrender their driver’s license at the security terminal during the duration of their visit. Also, with RFID chips, if the visitor attempted to leave without returning the access badge, the system would be alerted (losing a visitor badge is a serious matter). By utilizing the RFID-enabled identification, the visitor should only be given access to the building/floor/room they require, and nothing more. Furthermore, they should always be escorted when possible. Upon signing-in, the visitor should not only provide the name of their contact, but a call should be made to that contact to both verify the visitor and either escort them or have security do it. Audits of all security badges should be performed throughout the day, to ensure that all are accounted for. The ‘small server room’ on the third floor should not be accessible by any access cards (other than IT and security staff). The building management company should not be in charge of the keycard access server, as relying on another entity’s security protocols is not recommended; if it must be designed this way, proper communication between DW&C IT and security staff, as well as continuous audits of the building management’s server and security practices in regular intervals should be performed.
Door Alarms: The exterior and primary interior doors should have their alarms go to DW&C security staff, not just the facility and building managers. The fact that they are disabled in the event of a propped-open door should be removed, as propping a door open is a severe security risk. To minimize false alarms, sending a notification to the security staff (preferably text message) will allow for quick determinization of the threat and can disable that specific door’s alarm.
Third-Floor Server Room: Since this server room was initially a storage closet, I am assuming the security of the room is not adequate. Ideally, the room should be locked and only accessed through a specific IT or security access badge (as mentioned before), as well as monitored 24/7 through video surveillance. On no occasion should the door be propped open; as mentioned in the door alarm section, the alarm should activate if this occurs. Without knowing more about the other IT hardware used in the room, I would still ensure that a cooling system is added to the room with proper intake/outtake of cold/warm air.
HVAC: The Dual HVAC system is fine; however, having it entirely ran by building management can pose some issues. For example, constant communication must be maintained between DW&C IT staff to ensure adequate cooling for the server rooms, as well as allow for a backup system in the event of a failure. Furthermore, HVAC alerts and notifications need to be sent to DW&C IT staff.
Telecommunications Drop: Having a single drop can be risky in the event of a disaster or if an individual disables it; maintaining constant communication with the building’s security system, HVAC system, and police and fire departments is of utmost importance.
CEO/CFO Offices: Video surveillance should be used outside of the office.
Video Surveillance System: In addition to the five existing security cameras, several more interior and exterior cameras should be installed (as mentioned before), including outside both the CFO and CEO’s office, outside each server room and closet containing the breakers, several outside facing the garage or parking lot, inside each stairwell at each floor (not just the first), and one facing and inside the security office. The system should store audio and video on-premises, as well as offsite, preferably in the Cloud. These feeds should be visible utilizing multiple monitors in the security room and with the facility manager. The mailroom should have no involvement.
Security Management: While the day-to-day responsibility of security and safety may fall upon the senior director, they should remain working hand-in-hand with security staff at the main building. Periodic reviews and tests of the security and safety of each remote office should be performed, logged, and reviewed.
Video Surveillance System: In addition to the existing ‘entrance’ security cameras, several more interior and exterior cameras should be installed (as mentioned before), including outside the DW&C access area, several outside facing the garage or parking lot, and inside each stairwell at each floor. The system should store audio and video on-premises, as well as offsite, preferably in the Cloud. These feeds should be visible utilizing multiple monitors in the security room and with the facility manager and communicate between the main office’s system.
IT Infrastructure: For the satellite offices, no mention of each physical security measures were made in the report, but I would recommend following the same practices outlined for the main building, including video surveillance and access-controlled locks (RFID key cards). I would also recommend promoting the IT member who does security duties part-time to full-time.
List and explain areas the case study company does well for physical detection and response.
- The use, number, and placement of the surveillance cameras in both primary and remote buildings are sufficient for general security.
- As mentioned above, I detailed how to improve the access card system. Included in my RFID proposal, the ability to configure alarms to initiate based on the chip, as well as be able to remove its access immediately will both increase detection and alarm capabilities. The same RFID chips, or some form of them, can be added to assets as well.
- For the main buildings, the fact that the surveillance system utilizes a DVR system is excellent for recording purposes.
List and explain three areas the case study company needs improvement on its security detection, alerting, and response.
- Vulnerability: IT Infrastructure: Due to the recent theft of several PCs and office equipment, and asset management and protection system should be created and utilized. I would recommend placing RFID chips on every relatively expensive device to ensure that if the object were attempted to be removed from the building, an alarm would go sound.
- Vulnerability: The lack of security cameras placed overlooking the parking garage/lot and inside each building needs to be quickly addressed.
- Risk: Main Building: The alarms that go to the DW&C facilities manager and building manager need to also go to the security team/department; otherwise, you are relying on an additional layer of communication in front of the security team being able to respond to an event.
Provide and explain at least three (3) techniques or technologies that would improve the company’s security detection, alerting, and response.
- Remote Building: The part-time admin that sits near the front door to monitor access needs to be increased to full time or even better, replaced with security staff, to improve the detection and response of thwarting unauthorized access.
- Remote Buildings: The senior director of each building is not a proper choice for security management; instead, security personnel needs to be in charge of ensuring the daily safety and protection of personnel and assets. Relying on a response from the main office would take too long to address a security breach or incident quickly.
- The trigger that disables ‘propped door alarms’ needs to be reenabled to prevent unauthorized access due to an unlocked door (that should be locked); this will also aid detection and alerting.
Fennelly, L. J. (2017). Effective Physical Security (5th ed.). Cambridge, MA: Elsevier.
McCrie, Robert. Security Operations Management (Third Edition). Butterworth-Heinemann.