Although this article was written for the International Association of Healthcare Safety and Security (IAHSS), these concepts apply to almost any organization. To put it simply, if you have security technology, you should have security standards. If you’re a member of IAHSS, you can access the entire original article here.
Have you ever seen a situation where there seems no rhyme or reason for the placement of security devices? Wouldn’t it be wonderful to be able to hand your architect, engineer, or integrator a document and know that they have the specifics of what product you want and how you expect those products to be installed and function? Well, you can when you have security standards in place.
Security is all about people, processes and technology. When these three components work together, there can be a decrease in exposure to an organization. There is also an increase in the number of ways security issues can be mitigated.
Security standards discussed here should not be confused with security design specifications. (We will discuss those later.)
What are security standards?
Security standards can be defined as a set of rules for products or processes that provides consistency, accountability, and efficiency. Like policies govern the actions of people, standards are designed to provide a repeatable way of doing things. The use of written standards can be based on compliance and best practices. This enables organizations to make objective decisions concerning the implementation of security devices.
Without standards, it is difficult to consistently define the processes for where and why security devices should be installed. Consequently, many decisions to apply and implement security technology are simply based on budget and/or in response to an incident. This reactive response makes it nearly impossible to defend a negligent security tort from a “standard-of-care” perspective. There are two questions that must be satisfied. The first is “Are we consistent with the implementation of electronic security equipment?” The second is “Can we articulate our position for use?” Security standards also facilitate sharing of knowledge and best practices. They help to ensure common understanding of concepts, terms, and definitions, which prevents errors.
Often standards are developed based on “the way we’ve always done it” becoming de facto standards. Standards based on product use help to ensure that products and installations are consistent with the desires of the organization. Standards also help to ensure product functionality and compatibility.
What’s a good example?
Standards for door hardware requiring latching locks could prevent the use of a product that does not provide a desired level of security that a latching lock provides. Magnetic locks are an inexpensive lock type that can be used to secure a door. They are often chosen by those not familiar with security issues as a way to lock a perimeter door. What they do not take into consideration is that a magnetic lock requires constant power in order to stay locked. Should a building lose power, the door is unlocked and no longer secure.
They should require a battery back-up (depending on the AHJ), but who knows how long battery power will last? You can wire the lock so that it is on a generator emergency circuit. If the building does not have a generator, that will not be an option. In the period between the time the power goes out and the generator starts, the door is unlocked. Additionally, in most situations, building codes requires that magnetic locks have an emergency override which requires additional equipment. Whereas, if there is a security standard in place, an electrified panic device or hardware were to be used there would be less equipment needed, less installation time and, no concern that a power outage would leave the building unsecured.
What are levels of standards?
Once an organization can articulate why a particular device is used, it becomes easier to identify where the device should be used. Standards can be written in such a way that there are minimum standards that can be expanded as necessary to ensure quality.
By implementing minimum or baseline security standards, end users can expand the minimum standards based on size and budget. For these reasons, minimum standards should be designed in a progressive format. This format can allow for a more effective approach in addressing differences in a facility’s size or use. For example, locations with similar size and function – let’s call them Level One – may have the minimum standards. Due to an increased size or type of operation, a Level Two site will have all of the Level One standards as well as additional minimum requirements. An example of this could be exterior perimeter cameras at Level One but additional internal cameras at Level Two.
What about building codes?
Many end users believe that national standards and local building codes provide enough guidance for integrators to install systems appropriately. At a high level, this is true. The system may function as intended, but have the devices, panels, and other parts been installed in an acceptable manner? Do cables and wiring look like a bowl of spaghetti or an installation completed with good workmanship and pride? Good cable management and installation practices can lead to more effective troubleshooting and faster repair when there is a problem. Eventually there will be a problem. There may be requirements depending on the AHJ, but typically there is no code that requires an installer to remove old cable or coax. However, it is considered a best practice. If it is a standard the installer knows that it must be done.
What are some other benefits to having standards?
Developing standards that define the preferred location of where certain devices should be located can make the installation much easier. For example, card readers should typically be installed on the latch side of a door. The reader will work on the hinge side, but it makes more sense on the latch side. A person can present their credential with one hand and open the door with the other.
Standards that correspond with the security systems implemented are very important to an organization. These policies aid managers and staff in overall goals when implementing and using various types of electronic security systems. For example, an organization could institute a standard that all IT closets doors are equipped with access control which requires a valid card read to enter. This will allow the organization to track who and what time an individual entered the room. Another example would be a standard that any high security area, such as an IDF or MDF room, have a camera that provides a field of view that includes entry into the space.
Security standards enhance the physical security of an organization and contribute to the overall risk management in several ways. Security standards also allows the sharing of knowledge and best practices by helping to ensure common understanding of conditions, terms, and definitions, which can prevent costly errors. Written standards offer a way to measure installation practices and services against criteria that is objective, which can result in improvements to the quality of an installation.
In an enterprise-wide security program, one must first evaluate existing security features at the various locations. As mentioned, minimum standards can be expanded as necessary to ensure quality and efficiency. By developing progressive security standards, differences in facilities can be addressed more effectively.
What are specifications?
Security standards can work in conjunction with specifications. A specification is a type of technical standard describing precise requirements and performance expectations. Specifications are seen most often in the world of construction but are essential to the design of security device installation. Specifications can cover everything in a detailed narrative, starting with a general overview of the project, the description of the system being used and the scope of work. The specifications can provide information including the location of device installation, routes for cabling, make and model of devices, and the expected documentation or training for the integrator to provide the end user.
Starting with product specifications, the end user may find there are additional ways to take advantage of the products they choose. They may find that certain systems work better or not at all with other systems. For example, can the access control system you are considering for use be integrated with the video management system (VMS) you already use? Can the access control system provide an alarm or a notification if there is a problem with a door function? Can a video camera be associated with that card reader to provide a visual alert on a screen providing camera footage of the incident? These and many other questions can be answered in the product specifications.
If your organization needs help in developing Physical Security Standards, Protus3 is here to help. We have consultants and designers who have extensive knowledge in both the technical requirements of security devices and system installation as well as experience as end-users and security operations.