Mike Bluestone proposes eight principles upon which to build a successful security policy.
09 October 2018 | Mike Bluestone
1. Buy-in from top down and bottom up
Having everyone on board with the security policy will make it more successful during implementation and allow security teams to set budgets, without which they won't be able to secure anything.
2. Know your neighbour (and your occupants)
Intelligence is about knowing what is around you. Who's operating next door? It could be an embassy of a country under threat, for example.
It's also about knowing who works for the organisation, and who owns the company or buildings. Are they under threat for other reasons that could affect your security?
3. Equip your people
People are the greatest asset because when technology fails they always intervene. Train staff to be vigilant and to know what to do in the wake and aftermath of an attack. When aware of threats, they're more primed to identify them. Training staff lends eyes and ears to the security team.
4. Get technical
High-tech security solutions are available, such as off-site remote monitoring centres, which can open and close car park barriers and manage fire alerts, or alarms triggered by CCTV.
Make sure surveillance equipment is set up as an integrated system. Avoid bolted-on solutions. It is relatively cheap to use third-party remote monitoring interventions.
5. Detail operational procedures
This is different from policy, which is about costs and strategy. Operational procedures refer to the daily tasks such as responsible management of passes, desk management and looking after portable devices.
6. Choose security and resilience champions
Designate an employee in the organisation to be responsible for security and resilience (see definition below). Staff need to be assigned duties in the wake and aftermath of a security breach, such as checking the building, and answering phone calls and emails from concerned relatives of colleagues, suppliers and business partners.
7. Sharpen tests and drills
Carry out regular tests and drills so you can review and improve them to guarantee best practice. If your building suffers a serious fire or is affected by an IED/bomb attack, your staff members have to know when and where to muster. There must be multiple points of safety.
8. Commission a security audit
Companies should carry out internal security audits and third-party external audits to make sure everything is working as it should be.
Security professionals will carry out a penetration test to look out for any vulnerabilities before the 'bad guys' find them.
Many professional security firms tend towards narrative-style reports, which involve:
- Study of the organisation;
- Security surveys;
- Interviews with key members of staff; and
- Output that highlights findings and recommendations by category, including guarding, CCTV, access control, fencing, lighting, procedures, contingency plans.
Organisational resilience, as outlined in ISO 22316, refers to an organisation's ability to "absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper".
Mike Bluestone CSyP is director of Corps Consult