Preventing, Limiting the Impact of Disasters
- Published on January 31, 2008
- Written by MARTY WATTS
According to a recent article in the business magazine Japan Inc., “businesses have gotten so caught up in technological security that they have forgotten the more basic, yet salient, notion of physical security.” Money that had once been spent on physical security has been shifted to IT security to the extent that some observers believe many organizations are now vulnerable to physical security breaches.
To make matters worse, a recent vendor survey found that only 2 percent of corporations grouped IT security and building security in the same department, and only 36 percent organized formal communications between building and IT security managers.
More troubling, in many organizations, IT security is run by one department, personnel security by another, physical security by another and network operations by yet another. Each may have its own budget, priorities and processes in whose defense and justification cooperation and even communication among those responsible for security may not occur. Surely this is not the optimum way to prevent and mitigate a disruptive event, nor ensure in the immediate aftermath of such an event, the success of even the best-planned disaster recovery program.
No matter how extensive the existing DR plan, the corporate security department, or whomever is responsible for physical security, needs to develop a comprehensive disaster prevention/mitigation plan designed to protect people, property and to reduce company liability from business-threatening events. Note that a comprehensive disaster prevention/mitigation plan recognizes threats from both those who intentionally would disrupt a business and possibly threaten lives and the dangers and risks from interruptions of business caused by natural disasters and catastrophic accidents.
In either case, input from the IT department in the planning process is imperative so that the disaster prevention/mitigation plan and the DR plan are mutually supportive and not establishing policies and procedures that are in conflict. The end result needs to be an integrated and seamless security program that details a course of action to prevent and mitigate disruptive events as well as steps to be taken in the event, that despite all preventive efforts, such an incident occurs.
Computer security, perimeter control, asset protection, business continuity and risk management constitute general areas of concern to be addressed by those responsible for security. The following suggestions are not meant to be all-inclusive but are among those that need to be considered in any organization’s physical security plan.
- Controlled access at all entrances with particular attention to receiving areas, parking lots and outdoor smoking areas. In the rush to focus on IT security concerns controlling access to physical facilities has been overlooked and discounted in evaluating threat scenarios.
- Appropriate alarm systems in high value storage areas and electronic monitoring of specific valuable pieces of equipment must act as a second line of defense to overall perimeter security.
- Replacing video tape based surveillance cameras with digital video is imperative in increasing the efficacy of archival monitoring as well as facilitating video integration into broader digital security databases.
- Availability of backup electrical generators that operate on diesel, propane or natural gas is essential as electric power will be off line for extended periods in any major disruptive event. Gasoline powered generators may be problematic due to limited storage capacity and the relatively short shelf life of gasoline. Generators should be hard-wired to building systems utilizing automatic transfer switches so that manual operation is not necessary.
- Stocking of emergency medical supplies, food, water and communications gear should support an extended on-site stay by staff in a major emergency. Generic unisex clothing such as jumpsuit coveralls and sturdy footwear to protect from the likelihood of leaking water and injury-prone debris should be routinely stored. Portable cook stoves, sealed drums of potable water and sufficient numbers of chemical toilets should be available. Training of employees in the use of these items is essential.
- A review of how security/safety measures can be added incrementally over the coming five years during routine office renovations/redesigns should be part of a comprehensive security plan. The ability to integrate security measures into facility upgrades reduces cost and shortens pay back periods.
Examples of Built-In
Safety & Security
There are many examples of how safety and security can be seamlessly built into an organization’s physical environment resulting in dramatic increases in the protection of building occupants and the ability to recover from potentially disruptive events. They include the following:
Security window film – Security window film can strengthen windows to withstand hurricane driven wind-blown debris that can cause glass shards to strike building occupants. Security window film helps windows withstand earthquake stress, accidental and intended impact and explosive force. Tests verify that many security window films provide equivalent, or in some cases superior, performance compared to laminated glass.
Securing furniture and equipment to prevent injury – Facilities in areas prone to earthquakes need to secure large file cabinets, shelving and pieces of equipment to the walls or floors to prevent injury when seismic events occur. If hurricane or tornado force winds penetrate building interiors secured objects will not become a source of injury.
Safe rooms – Safe rooms offer protection against hurricane and
tornado force winds and can be constructed to protect key executives
from attempted kidnapping. To save space and reduce cost, an existing
interior restroom can be retrofitted as a safe room in which emergency
supplies can be stored. In larger facilities it may be necessary to
retrofit several restrooms or other spaces to provide adequate staff
Using aesthetics to enhance safety & security – Building-in safety and security does not have to compromise a facility’s aesthetic character. Protecting computers from electronic eavesdropping by vehicles in the street can be accomplished with ordinary-looking electronic signal- blocking window glass. Protecting building entrances from intrusion by bomb-carrying vehicles can be accomplished by heavy flower and shrubbery containers, decorative fountains and ornamental but secure fencing. Don’t engage a security consultant, engage a security firm employing both experts in security and building and landscape design.
Maintenance of environmental quality – a workforce suffering from indoor air compromised by the off-gassing of building components and furnishings and exposed to moisture-induced mold formation will experience increased sick time and noticeable decreases in productivity. Offices burdened by sick building syndrome are an example of a disaster occurring incrementally over an extended period that can have the same negative impacts on business performance as any more quickly-occurring disruptive event. Remedies include replacing building components and office furniture with substitutes made of non-toxic materials and providing adequate heating, ventilating and air conditioning to mitigate moisture and humidity problems.
The extent to which building-in safety and security limits injury and property damage and protects access to computer systems, the more quickly full data system recovery will be possible if a disruptive event occurs. An appropriate disaster prevention/mitigation plan should prioritize which renovations and redesigns to the physical facility need to be made and equipment and supplies purchased. Most importantly, the disaster prevention/mitigation plan should assign responsibility to specific individuals and departments for the implementation of the steps identified to be taken.
Above all, full coordination and ongoing communication between those
responsible for disaster prevention/mitigation and DR planning is imperative.
So too, endorsement and support by senior management of such joint
organization-wide efforts is necessary to overcome turf battles among
those entities tasked with carrying out the wide range of security
initiatives that need to be implemented. Anything less than the total
commitment of an organization’s top leadership will increase
the likelihood of failure and impede the clear establishment of lines
of accountability necessary to achieve successful implementation of
Marty Watts is president & CEO, of V-Kool, Inc., a Houston-based North American distributor of security and energy efficient applied window film. His articles on security and energy efficiency have appeared in Correctional News, Security Products, the Journal of Air Traffic Control and the Washington Business Journal.
"Appeared in DRJ's Summer 2006 Issue"