mag

Assessing Safety

A comprehensive security assessment can give education administrators peace of mind.
June 1, 2005
7 min read

In the aftermath of Sept. 11, 2001, federal, state and local authorities turned their attention to assessing their security. Each began making the necessary adjustments to ensure proper levels of security. Education institutions soon followed in an attempt to improve campuswide security. However, unlike many others, education institutions received no funding support from the Department of Homeland Security.

Education institutions may not be on the list of critical infrastructures outlined by the federal government, but they provide a tempting target for terrorists, as was proven by the recent terrorist attack on a Russian school.

The ultimate goal of most terrorist attacks is to cause mass terror by inflicting harm on a large number of individuals. Many security professionals see America's education institutions as a “perfect” target for such mass infliction of harm.

In an effort to reduce risks, education institutions are beginning to conduct risk analysis and vulnerability assessments of their campus environments. The intent of an education institution's security assessment is to highlight general and specific findings, and briefly describe recommended security improvements required to strengthen security. A second goal of the report is to highlight ways of diminishing an institution's potential liabilities.

A starting point

A comprehensive security assessment should include identifying and evaluating the “as-is” security condition of a school's physical assets, information technology infrastructure, critical support infrastructure components, key facilities and security management system. Recommendations should be developed with an understanding of the school's capital-improvement projects. Considerations for the future should be identified as “to-be” upgrades and should be incorporated as part of the security assessment report. Recommendations and solutions for modifications and upgrades should be developed with an understanding that all processes, systems and resources must be integrated into a comprehensive, campuswide security-management plan.

Within the security assessment report, milestones should be identified for a system upgrade that is compatible with the school's capital-improvements plan and the levels of protection consistent with the protection of key assets and facilities. Vulnerability assessments should include on-site surveys, perimeter vulnerability analysis, access control, security technology evaluation, and security resources and training assessments.

The assessment should address the following task areas:

  • Task Area 1: policy analysis and development. Recommend security requirements, policies, procedures and standard operating procedures based on reviews, analysis and assessment.

    • Vulnerability assessment — Review, analyze and recommend changes.

    • Evaluation of countermeasures — Assess current procedures, techniques and technology. Develop/recommend countermeasures for campus implementation.

    • Continuity of operations, contingency and emergency response planning — Review, analyze, evaluate and recommend changes.

    • Cost analysis — Complete cost/benefit analysis of security technologies and human-resource proposed solutions.

    • Security management — Perform a professional security review and analysis, and provide recommendations regarding the institution's security force and security-management needs.

  • Task Area 2: critical infrastructure and asset identification. Provide technical support to review, identify, itemize and document components, processes and information considered critical to the organizational mission. This support may include a review of policies and procedures addressing the protection and survivability of such resources, and the documentation of identified protection mechanisms and procedures, and the effectiveness thereof.

    This support should document a school's information protection framework; address the content and effectiveness of IT security policies, standards and guidelines; and ensure a balance between security and operational requirements.

  • Task Area 3: critical infrastructure continuity and contingency planning. Addresses the procurement of services to guard against disruption of critical functions and services specific to each department. Continuity and contingency planning focuses on the critical functions and services provided by a department, and delineates recovery activities should a critical capability be lost or unacceptably degraded.

  • Task Area 4: physical infrastructure protection. Addresses physical security and control as the first line of defense for protecting components in a department's critical infrastructure. It is essential to the operation of computer and telecommunications systems, and the protection and preservation of critical data. It includes:

    • Perimeter and interior access control.

    • Mail, packages and delivery systems.

    • Traffic and barrier planning.

    • Parking.

    • CCTV surveillance.

    • Intrusion detection.

    • Response capabilities.

  • Task Area 5: technologies evaluation and analysis. Assist in identifying and recommending security products and applications to upgrade security systems and technologies. Considerations should include:

    • Security system development, which may be integrated with the existing and new infrastructure — incorporating security-system servers; security-management-system software; advanced processing alarm and card-access controllers; control panel and lock power supplies; operator, administrative and identification badging workstations; identification badge printer; report printer; CCTV matrix switcher; CCTV cameras; duress intercoms; intercoms; and digital video recorders (DVRs).

    • Integration criteria used to incorporate installed card readers, alarm sensors and security cable infrastructure to the new and existing facilities as identified and approved by the school's committee, evaluating the recommendations of the final assessment report.

    • Personal Identity Verification (PIV)/badge system to be used as part of the overall security-management system. The PIV should be able to accommodate smart-card technology.

    • Perimeter systems, barrier controls and traffic plans to support the facility development efforts.

Finding professional support

The first step in selecting a security consultant should be to verify that it is independent from manufacturers and system integrators. This ensures that the consultant is working on behalf of the school and is not intending to deliver any preconceived solution. Remember, the selected security professional could be a part of in-house staff. In-house security professionals also may provide a non-biased and independent view.

The next step is to verify a consultant's credentials with respect to the specified task areas. A qualified company or team should have both physical- and information-security professionals with associated professional certifications. The consultant also should possess senior-level engineering or project-management skills. Physical-security professionals typically will have the following certifications:

  • Certified Physical Security Professional (PSP).

  • Certified Protection Professional (CPP).

  • Certified in Homeland Security (CHS).

Information security professionals typically will have the following certifications:

  • Certified Information System Security Professional (CISSP).

  • National Security Agency's INFOSEC Assessment Methodology (NSA-IAM).

The contractor also should provide a project manager for the security assessment task. This individual should have:

  • Experience in managing security programs and conducting analysis, studies and assessments.

  • Capability to work in security management with threat analysis and vulnerability assessment experience.

  • Experience as a security consultant developing security programs, integrating security systems and products, and managing federal government security engagements.

  • Experience supporting efforts in the areas of continuity of government and continuity of operations planning.

Next steps

The security assessment report results from the site surveys and all task area performance. Following the approval of the security recommendations, a statement of work (SOW)/request for proposal (RFP) should be developed that consists of descriptive information based on all approved recommendations; requesting contractor support in the development of policies, procedures and in support of the system design process.

Along with the new policies and procedure development, an installation design plan (IDP) should be developed detailing the overall system configuration for the school's campuswide security upgrade. The typical duration for an IDP development and approval is 60 to 90 days. The development process contains, at minimum, a 60 percent, 90 percent and 100 percent design review with all stakeholders.

Gillens, PSP, CFC, CHS-III, is president, Quintech Security Consultants, Inc., Summerville, S.C.

NOTABLE

A security assessment should address the following task areas:

  • TASK AREA 1:
    Policy analysis and development.

  • TASK AREA 2:
    Critical infrastructure and asset identification.

  • TASK AREA 3:
    Critical infrastructure continuity and contingency planning.

  • TASK AREA 4:
    Physical infrastructure protection.

  • TASK AREA 5:
    Technologies evaluation and analysis.

About the Author

Harold Gillens

Sign up for American School & University Newsletters