
Written Physical Security Policies

  • Written Physical Security Policies

    Okay, I'm going to reopen this topic because the former thread didn't go very well.

    To the original poster: On most web forums, and in real life, for that matter, it's considered rude to rush into a room as a total stranger - without so much as a "hello, I'm Bob" - and start pumping people with questions. And, as a practical matter, people are going to be reluctant to share certain kinds of information knowing nothing about you or the venue in which you work. And on an even more practical note, we can't answer questions without more information. The Moderator was merely nudging you to observe both the proprieties and the practicalities. If you've gotten your feelings hurt and gone away, perhaps others can use the information below.

    In (partial) answer to your question, governmental entities tend, as a general matter, to prefer (or maybe a better word would be "trust") standards and policies developed by other governmental entities - the Department of Defense, the State Department and DHS, even the Department of Education. As such, I'd look for such rather than standards for private properties - although there would be a lot of overlap, of course.

    The Interagency Security Committee of DHS has released a physical standard for federal building security entitled "Physical Security Criteria for Federal Buildings". Distribution is limited to governmental entities/employees. You have to email [email protected] with your full contact information to get a copy.

    There are physical security manuals from the military and DoD available online - some free.

    When it comes to municipal facilities, however, there is no overarching single "standard" for physical security. This in part is because of the differences in both the degree and the nature of threats that exist not only among different municipalities themselves (e.g., Chicago versus Sioux City), but among the different municipal facilities themselves (e.g., the Sioux City court house versus the Sioux City water treatment plant) - as well as differences in the budgets they have available for security, and what measures they have already implemented. Even differences in their geography, climate, the distribution of their facilities, etc. would influence whether any particular "standard" was appropriate or not. Taken together, the variables mean that very different "standards" would apply to different municipalities - and even to their individual facilities.

    There's a lot of information available on the Web, but you might need to search specifically on "court house", for instance, and I'd suggest you try using different terms like "best practices", "guidelines", "requirements", "recommendations", etc. in your search in place of the term "standards". The reason being, there are very few of the latter and much more of the former.

    Also, you might use the "filetype" search modifier to limit your results to PDF and DOC (Word) documents, perhaps even PPT (PowerPoint) or RTF (rich text files). These are more likely to be the actual files that you're looking for. If you're not certain how to use this modifier, see this page:

    Here's an example of what I'm talking about:

    Finally, it's worth mentioning that you're not going to find a "prescriptive standard", by which I mean a step-by-step "buy this equipment, install it this way, etc." type of solution in your search. What you're more likely to find are performance standards, which are generally expressed as "requirements", and which can potentially be met in a variety of ways. For instance, there's no single "fencing standard", but it is possible to establish the requirements that the fence must meet. It then becomes possible to evaluate a variety of potential solutions against those requirements. The same is true of doors/windows, locks, CCTV, access control systems, lighting, etc.

    One of the benefits of starting with requirements is that stakeholders who have no particular security expertise can participate meaningfully in selecting solutions. For instance, a stakeholder can offer something as ambiguous as "Anyone can wander around in the courthouse parking lot". This leads to "The courthouse parking lot should be fenced, with controlled access", and this in turn, along with other information - some of which might be technical - can then be developed into a "courthouse fencing requirement". Or, a stakeholder might say something as vague as "The parking lot is too dark". This can then evolve into a "parking lot lighting requirement". Stakeholder involvement of this sort is CRUCIAL to the development of requirements.

    The courthouse security document linked above didn't come out of thin air. What I mean is, this wasn't the beginning of the quest; it was derived only AFTER the requirements for the courthouse were established, which is a phase all its own, must engage stakeholders, and must precede the establishment of the guidelines.

    When the Moderator said that he starts by asking what the client wants to achieve, he was talking about the security requirements, and that really is the right (or only) place to start - with what the client (municipality) wants or needs to achieve. From that standpoint, you might begin by asking what sorts of security problems they need to solve, with what priority, and also what your budget will be to achieve these things. It's pretty hard to map a course if you don't know where you're starting from, where you need to go and how much money you have available for the journey. You also need to have a very clear idea of what measures are already in place. You might be forced to adopt certain solutions simply because it's not feasible to "start from scratch" and you're constrained by what's already been implemented. Municipalities, in particular, are very resistant to "starting over", even if what they've done to this point is horribly inadequate.

    Start by ASKING THE RIGHT QUESTIONS and gathering the basic information you need (pertinent to the municipality itself). From the nature of your question, and the way you framed it, I'm pretty sure you haven't done so - and I think the Moderator saw this as well. It's kind of like those "practical math problems" we had in school. The first step is to read the question to determine what's given and what's needed to be solved - and then set up the equation that solves the problem. Do it in reverse order, and you fail.

    You came here asking for the solution, and you got your nose out of joint when people asked you for more information about the question. You said, "Quick - tell me when the trains get to their destinations!". We said "Okay, we have to know where the trains are leaving from, when they leave, how far the destinations are, how fast they travel..." and you seemed to think we were prying into your business or something.

    Well, okay, then. The answer is 12. No, it's 6. Wait - 23? No, it's 100. Wait - I think it's 39. Oh, hey, I've got it - it's infinity!

    Pick any answer you want, buddy. They're all good for imaginary trains leaving anywhere, anytime, traveling any speeds and going anywhere. Me, I like 0.000000000009638.

    You said "What's the answer?". We said "Well, what's the question?" and you didn't like it.


    Someone correct me if I'm wrong, but is this a speed fail record or what? Except for spam trolls, I can't remember anyone else failing on their first post.
    Last edited by SecTrainer; 12-14-2013, 11:48 AM.
    "Every betrayal begins with trust." - Brian Jacques

    "I can't predict the future, but I know that it'll be very weird." - Anonymous

    "There is nothing new under the sun." - Ecclesiastes 1:9

    "History, with all its volumes vast, hath but one page." - Lord Byron

  • #2
    Great post!!!


    • #3
      Outstanding post!

      I was going to offer the ASIS guideline which talks about security policies and procedures:


      • #4
        It's absurd to think there's one answer to the OP's question. Minimum protection standards, type of facility and the industry served are only a few of the many critical points to consider when writing a SOP or any type of policy for a site. Great post as always, ST.
        Sergeant Phil Esterhaus: "Hey, let's be careful out there.."