|
The devastating
impact of Hurricane Katrina on the ability of commercial and
institutional facilities to function serves as a frightening
reminder that the best disaster recovery (DR) plan may fail if steps
are not taken to prevent or limit the impact of disasters before
they occur.
Disaster recovery plans are more likely to succeed if a pre-disaster
program of physical security is in place prior to the advent of
hurricanes, earthquakes, accidental and intentional explosions and
other potentially life and business threatening events. Obviously,
this is good advice, but unfortunately apparently not taken
seriously.
In the concern for better securing essential computer system
infrastructure and mission-critical
data, the need to harden facilities to adverse environmental impacts
such as flooding and windblown debris has been shortchanged.
Businesses have gotten so caught up in technological security that
they have forgotten the notion of physical security. Funds that had
once been spent on physical security have been shifted to IT
security to the extent that some observers believe many
organizations are vulnerable to both natural
disasters and physical security breaches.
A recent survey by Pinkerton Consulting and Investigations found
that only 2 percent of corporations grouped IT security and building
security in the same department and only 36 percent supported
formal communications between those responsible for building and IT
security.
In many organizations, IT security is run by one department,
personnel security by another, physical security by another and
network operations by yet another. Each department may have its own
budget, priorities and methods in whose defense and justification
cooperation and even communication among those responsible for
security may not take place. Most would agree this is not the
optimum way to prevent and mitigate a disruptive event, nor, in the
immediate aftermath of such an event, enhance the efficacy of even
the best-planned disaster recovery program.
Balance between post and pre-disaster planning needs to be
established. No matter how extensive the existing DR plan, the
corporate security department, or who ever is responsible for
physical security, needs to develop a comprehensive disaster
prevention/mitigation plan designed to protect
people, property and to reduce company liability from
business-threatening events.
Security managers need to realize that a comprehensive disaster
prevention/mitigation plan recognizes threats from both those who
intentionally would disrupt a business and possibly threaten lives
and the dangers and risks from interruptions of business caused by
natural disasters and catastrophic accidents.
In either case, the disaster prevention/mitigation plan and the DR
plan need to be mutually supportive and not establish policies and
procedures that are in conflict.
The end result needs to be an integrated security program that sets
up a course of action to prevent and mitigate disruptive events as
well as steps to be taken in the event such an incident occurs.
Obviously, those responsible for security need address such issues
as computer security, perimeter control, asset protection, business
continuity and risk management.
The following suggestions should be among those that need to be
considered in any organization’s physical security plan.
• Controlled access to all building entrances. In the rush to focus
on IT security controlling access to physical facilities has been
discounted in evaluating threat scenarios.
• Alarm systems in high value storage areas and electronic
monitoring of specific, important
pieces of equipment must act as a second line of defense to enhanced
perimeter security.
• Replacing surveillance cameras relying on videotape with digital
video will make possible more efficient archival monitoring as well
as allow the integration of video input into broader digital
security
databases.
• As demonstrated by Hurricane Katrina, electrical generators that
operate on diesel, propane or natural gas are essential as electric
power will be off line for extended periods in any major disruptive
event.
Gasoline powered generators are less valuable due to limited storage
capacity and the relatively short shelf life of gasoline.
Generators should be hard-wired to building systems utilizing
automatic transfer switches so that employees will not need to
manually operate equipment.
• Storing on-site emergency medical supplies, food, water and
communications gear should support an extended stay at the facility
by staff in a major emergency.
• Generic unisex clothing such as jumpsuit coveralls and sturdy
footwear to protect from the likelihood of leaking water and
injury-prone debris should be in place before disaster strikes.
Portable cook stoves, sealed drums of potable water and sufficient
numbers of chemical toilets should be available. Pre-disaster
training of employees in the use of this equipment is essential.
• A review of how security/safety measures can be implemented
incrementally over the coming five years during routine building
renovations/redesigns should be part of a comprehensive security
plan.
The ability to integrate security measures into facility upgrades
reduces cost and shortens pay back periods. In addition, taking such
steps will reassure staff that management is doing all that is
necessary for their protection and well being in the event that
disaster strikes.
Building-In Safety & Security
There are many examples of how safety and security can be seamlessly
built into an organization’s physical environment resulting in
significant increases in the protection of building occupants and
the ability to recover from potentially disruptive events.
Consider the following:
Security window film can strengthen windows to withstand hurricane
driven wind-blown debris that can cause glass shards to strike
building occupants. Security window film helps windows withstand
earthquake stress, accidental and intended impact and explosive
force. Tests verify that many security
window films provide equivalent, or in some cases superior,
performance compared to laminated glass.
Securing equipment and furniture to prevent injury: Facilities in
areas prone to earthquakes need to secure large file cabinets,
shelving and equipment to the walls or floors to prevent injury when
seismic
events occur. If hurricane or tornado force winds penetrate building
interiors secured objects will not become a source of injury.
Safe rooms: Rooms securely shielded from the elements offer
protection against hurricane and tornado force winds can be
constructed to secure key executives from attempted abductions. To
reduce cost, an existing interior restroom can be retrofitted as a
safe room. Provisions should be made to store emergency supplies in
that location.
In larger facilities it may be necessary to retrofit several
restrooms or other spaces to provide adequate staff protection.
Using aesthetics to enhance security and safety: Building-in
security and safety does not have to compromise a facility’s
aesthetic character. Shielding computers from electronic
eavesdropping conducted by vehicles in the street can be
accomplished with ordinary-looking electronic signal blocking window
glass.
Defending building entrances from bomb-carrying vehicles can be
accomplished with heavy flower containers, decorative fountains and
ornamental but secure fencing. For effective and aesthetically
pleasing results, engage a security firm employing both experts in
security and building
and landscape design.
From the perspective of those charged with developing and
implementing a disaster recovery program, the extent to which
building-in safety and security limits injury and property damage
and protects access to computer systems, the more quickly full data
system recovery will be possible if a
disruptive event occurs.
An appropriate disaster prevention/mitigation plan should identify
and prioritize which renovations and redesigns to the physical
facility need to be made and equipment and supplies purchased. Most
importantly, the disaster prevention/mitigation plan should assign
responsibility to specific
individuals and departments for the implementation of the steps that
need to be taken.
Needless to say, full coordination and ongoing communication between
those responsible for disaster prevention/mitigation and DR planning
is essential. So too, endorsement and support by top management of
such comprehensive organization-wide efforts are necessary to
overcome turf battles
among those departments responsible for carrying out the wide range
of security initiatives that need to be implemented.
Anything less than the enthusiastic commitment of an organization’s
leadership will increase the likelihood of failure and impede the
clear establishment of lines of accountability necessary to achieve
successful implementation of the program.
FSM Marty Watts is president & CEO, of V-Kool,
Inc., a Houston-based North American distributor of security and
energy efficient applied window film. For information contact V-Kool,
Inc., at 800 217-7046 and at www.v-kool-usa.com.
|
