Published by Bok Asis, 2019-12-03 09:20:40
FINANCIAL MANAGEMENT

2.6 IMPLEMENTING FINANCIAL STRATEGY AND FINANCIAL CONTROLS

To be effective, any financial strategy (cost reduction, rapid growth, or other) must be
implemented and overseen with appropriate controls. Implementation depends greatly on clear
communication of the strategy, its purposes, and its expected results. For example, if
production managers understand that the company’s financial strategy is to reduce costs,
they can organize their activities to support that goal. If they do not understand the strategy,
they may focus on the wrong goal and undermine the strategy.

Budgets, too, must be aligned with the company’s financial strategy. If a defined profit
margin is to be achieved, executive-level management must work with the sales and
production teams to determine the optimal price at which to sell the product and the cost at
which it can be produced. From that discussion, budgets can be established. If a department is
expected to grow, its budget should be flexible so the department can pursue business
opportunities as they appear. However, spending must be carefully managed so the business
can still cover expenses.

Controls need to be in place to monitor execution of a financial strategy and to prevent
fraud. Such controls are implemented through accounting processes and internal auditing.
Financial controls monitor spending in reference to budget allocations. If more or less
money than was budgeted is spent, the situation should be investigated. It is possible for
fraud to be present even when spending is on budget.

Establishing a solid financial strategy is essential to keeping an organization competitive and
able to adapt to changes in the marketplace. The strategy is derived from a thorough analysis
of the company’s current financial situation and its intended financial goal. Communicating
the strategy to employees, investors, vendors, suppliers, and other stakeholders boosts
confidence and makes it possible for all to focus on creating success from the strategic direction.

30 Protection of Assets • Copyright © 2012 by ASIS International





CHAPTER 3

STANDARDS IN SECURITY

3.1 INTRODUCTION TO STANDARDS

A standard is a set of criteria, guidelines, and best practices that can be used to enhance the
quality and reliability of products, services, or processes. Standards are part of everyday life,
and the average person gives them little thought. Many modern conveniences are made
possible by standards: light bulbs fit into lamps, files transfer over the Internet, and
automated teller machine (ATM) cards work around the world. More than 95,000 standards
are recognized in the United States alone (Siegel & Carioti, 2008). Because of the world’s
numerous national and international standards, many parts, processes, and systems work
regardless of who creates or performs them, who uses them, and where they are used.

Standards are also used in the security arena. When they are developed in accordance with
the principles of consensus, openness, due process, and transparency, they can help nations,
communities, societies, organizations, and individuals improve their resilience in the face of
security threats, both natural and man-made.

In the past, some parties expressed concern that security standards, even though voluntary,
might in practice force security professionals to conduct their work in a prescribed manner.
Others observed that security standards, when written in general terms, would allow security
professionals sufficient latitude in how they perform their jobs. Regardless of one’s view, the
trend toward international security standards is under way, and security professionals can
best influence the development of those standards by getting involved instead of leaving
standards development to nonsecurity personnel. Moreover, adopting robust security
standards may also reduce calls for intrusive government regulations—which would likely tie
security professionals’ hands more tightly than voluntary standards ever could. Thus,
standards development may not only help security professionals coordinate their efforts
around the globe but also preserve their freedom to employ their professional judgment as
they carry out their responsibilities.

In a nutshell, security standards have arrived, more are under development, and they are
likely to work best when security professionals participate in their development.

3.1.1 CHARACTERISTICS OF STANDARDS

A standard may address a product, service, or process. A standard itself is voluntary and is
hence different from a regulation. However, a regulation may require compliance with a
standard.

Over time, standards have evolved from a technical issue to a business issue of strategic
importance. When a well-developed standard is in place, it brings benefits to many parties.
Businesses can use standards to develop products and services that are widely accepted,
enabling those businesses to compete freely in markets around the world. Customers can
choose from a wide variety of products and services that are compatible with each other.
Customers can also more easily judge product quality if a product is in conformance with
certain standards.

Standards are of nine main types: basic, product, design, process, specification, code,
management systems, conformity assessment, and personnel certification. They require
periodic review to remain relevant and state-of-the-art.

3.1.2 BENEFITS OF STANDARDS

Security standards can play several roles in making a security professional’s job easier. They
may do any or all of the following:

• Codify best practices and processes and share lessons learned. The idea is not to
develop statements that are prescriptive but to share in a generic fashion what works
best, how it works, and how it can be used to help improve the services and activities
that an organization participates in. Unlike, for example, a standard addressing light
bulb dimensions, which must be highly specific to be useful, security management
standards do not dictate particular quantities (of staff or equipment) or techniques that
must be used.

• Provide tools to assess threats, risks, vulnerabilities, criticalities, and impacts. A
challenge in risk assessment is that different parts of an organization may not know
how the other parts conduct and document their risk assessments. Thus they may have
no way of measuring improvement consistently across an organization. Security
standards can add consistency in this activity.

• Define measurement methods. Standards provide guidance on benchmarks and
testing methods and protocols.

• Document equipment performance requirements to ensure effectiveness and safety.
Standards can help define how effectively and how safely different types of equipment
perform.

• Establish design requirements for devices, systems, and infrastructure to withstand
threats. These specifications make it easier to design systems and sell equipment
across borders.

• Define effective methods for identification of individuals. Again, standards can
provide a useful consistency.

• Enhance cross-jurisdictional information sharing and interoperability. Standards
help in this regard when they develop communication and interoperability protocols.
Disaster response works much better when responders can communicate with each
other and when their equipment works with the equipment used by other responders.

• Provide for consistency of services. Standards help define benchmarks for service
delivery and provide frameworks for consistent performance.

A famous illustration of the cost of nonstandard equipment is the Great Baltimore Fire (Seck
& Evans, 2004, pp. 6-7):

Fire equipment responding from different cities to the Great Baltimore Fire in 1904 were
hampered or rendered useless by the incompatibility of hose and fire hydrant connections …

When fire hoses were first manufactured, the threads used to couple them differed among all
the manufacturers. The same is true with the fire hydrant connections … Differences in hose
connections on the hydrants, both diameters and threads, were part of the design that
protected manufacturers from competition. Cities with different hydrant suppliers had fire
fighting water supply systems with connections that were incompatible with those in other,
sometimes neighboring, communities. History demonstrates that in major urban fires, the
inability of fire fighting apparatus from other areas to utilize the water supply, because of
incompatible hose connections, was a contributing factor to increased fire damage.

The lack of uniform threads is commonly cited as a factor in the massive destruction of the
Great Baltimore Fire that started on Sunday afternoon, February 7th, 1904 … Engine
companies from Washington, DC, transported by train, arrived in Baltimore to assist in fire
fighting a few hours after the fire started. Unfortunately, their hoses would not fit Baltimore
hydrants due to the difference in threads. The fire continued to claim block after block of
buildings in the Baltimore business district as more fire companies arrived from surrounding
cities and counties, Altoona, Annapolis, Chester, Harrisburg, New York, Philadelphia,
Wilmington, and York. Some of the responding fire companies’ hoses fit the Baltimore
hydrant connections; others did not.

After the fire, the National Fire Protection Association adopted a national standard for
hydrant connections. Interestingly, 100 years later, only 18 of the 48 most populous U.S.
cities had installed national standard fire hydrants (Seck & Evans, 2004, p. 6).

The issue of standards-based compatibility remains important. At the ASIS International 53rd
Annual Seminar and Exhibits in 2007, Stefan Tangen, ISO/TC 223 Secretary from the Swedish
Standards Institute, told attendees, “When standards work, you just don’t notice them. You
take them for granted. But when they are not working, then they become a problem.” He
offered the example of a bridge linking Malmo, Sweden, to Copenhagen, Denmark, which was
designed to comply with both countries’ road and rail standards. Unfortunately, planners did
not harmonize emergency standards for equipment such as fire hoses (Plentiful Preseminar
Programs, 2007, p. 44).

Likewise, F. Mark Geraci, CPP, Chairman of the ASIS Commission on Standards and
Guidelines, has observed, “Today’s security issues and challenges transcend borders and
jurisdictions. Natural disasters and intentional disruptions … do not recognize boundaries.
Therefore, ASIS is behind the effort to eliminate confusion by supporting … standards” (ASIS
Supports Global ISO Standards, 2008, p. 93).

3.1.3 STANDARDS DEVELOPMENT ISSUES

Standards are developed on several levels: national, regional, and international. The following
issues apply at all those levels.

Many Players Involved

Although ASIS is the largest membership organization of security professionals in the world,
many organizations other than ASIS have developed security standards. For example, ASTM
International (formerly the American Society for Testing and Materials) has developed
standards for high-rise evacuation equipment to be used when primary routes to a safe zone
are cut off, as well as standards related to homeland security, including one on the selection
of antiterrorism physical security measures for buildings and hospital preparedness. In fact,
ASTM has more than 100 active standards relating to a broad range of security concerns.

Similarly, the National Fire Protection Association (NFPA) has issued several standards
regarding security issues, including standards on premises security and installation of
electronic premises security systems.

Other security standards have been developed by various government agencies (including,
in the United States, the Department of Agriculture) and by such organizations as the
American Chemistry Council and the Biometric Consortium. Many countries have their own
standards organizations (such as the American National Standards Institute in the United
States, the Deutsches Institut für Normung in Germany, and the Japanese Industrial
Standards Committee). With 159 member countries, the International Organization for
Standardization, ISO, is the world’s largest standards developer. Based on international
consensus, ISO standards address the global business community.

To influence the direction of security standards worldwide, ASIS launched its Global
Standards Initiative, which is discussed in detail in Section 3.5 below.

Standards Determined by Need

Standards are generally developed to address specific needs, such as technical issues; health,
safety, or environmental concerns; or quality or compatibility requirements. It is important
to know why a standard is needed before deciding what type of standard will best suit those
needs. It is also important to assess whether the marketplace will support the standard. If
not, as in the case of fire hydrants and hose couplings discussed above, the effect of the
standard will be limited.

In addition, it is important to assess whether, instead of developing a new standard, an
existing standard could be adopted or revised.

Broad Stakeholder Participation Beneficial

A standard is more likely to be accepted when it is jointly developed by all interested parties
or stakeholders. These are groups or individuals with an interest in the content of the
standard. Producers, users, and others may be included as stakeholders, representing such
parties as manufacturers, professionals, government authorities, educators, and consumers.

Experienced standards developers note that security professionals who participate in
standards development should be sure to attend the relevant meetings. Security
professionals may serve as development committee members or leaders or as subject matter
experts. No matter the capacity in which they serve, by serving on technical committees or
attending meetings they will increase their influence, gain from valuable discussions, keep
up with all circulated documents, demonstrate their interest, and boost their credibility.

3.2 DEVELOPMENT OF INTERNATIONAL STANDARDS: ISO EXAMPLE

The International Organization for Standardization, called ISO, is the world’s largest
developer and publisher of international standards. Its name is not an acronym but comes
from the Greek word isos, meaning equal. Based in Geneva, Switzerland, ISO is a network of
the national standards institutes of 159 countries.

ISO is a nongovernmental organization bringing together stakeholders from the public,
private, and not-for-profit sectors. It serves as a central point where standards bodies from
around the world—and the organizations that participate in them—can gather to develop
standards jointly. ISO standards address products (e.g., so USB drives will work anywhere in
the world), processes (e.g., how to perform quality control or provide security services), and
other issues.

ISO does not regulate, legislate, or enforce. However, ISO standards often become recognized
as industry best practices and de facto market requirements. Therefore, what ISO does is
important to the security profession worldwide. Because ASIS has liaison status with various
ISO Technical Committees, ASIS is able to play a leading role in shaping standards that will
affect security practice.

3.2.1 CHARACTERISTICS OF ISO STANDARDS

ISO standards are built on the following pillars:

• Equal footing of members. Each participating member (country) in ISO has one vote.

• Market need. ISO develops only those standards for which there is an identified market
need or that facilitate international or domestic trade.

• Consensus. ISO standards are not decided on a majority vote. Rather, they are based
on consensus among the interested parties. All major concerns and objections raised
during the development of the standard must be addressed to the satisfaction of the
participants in the relevant committee. ISO comprises approximately 3,000 technical
groups (including technical committees, subcommittees, working groups, and other
bodies) in which more than 50,000 experts participate annually. The organization
employs a transparent process for developing standards.

• Voluntary participation and application. Participants in the ISO standards
development process are not paid to participate; rather, they work on a standard
because it is important to them. Moreover, ISO has no legal authority to enforce
implementation of its standards. Its standards are simply meant to be a benefit to the
marketplace. In ISO terminology, an organization comes into conformity with a
standard, not compliance.

• Worldwide applicability. ISO standards are designed to be globally relevant.

3.2.2 ISO STANDARDS DEVELOPMENT PROCESS

ISO standards development work is carried out by technical committees that focus on
specific areas of expertise. For example, in the security field ISO has the Societal Security
Committee (ISO/TC 223); other committees address environmental management, quality
management, and a variety of technical specifications.

These technical committees include experts from the industrial, technical, academic,
governmental, and business sectors that have asked for the standards and will put them to
use. Other members include representatives of organizations interested in or affected by the
standard’s subject matter. The committees prize balance, openness, and impartiality to
ensure that the content of a standard is relevant, credible, and broadly acceptable (How are
ISO standards developed? 2008).

ISO has a detailed, written process for moving a proposed standard through the various
stages of development and adoption. The slow, deliberative process is designed to build up
the credibility of the standard. By the time the standard is completed and sent into the
marketplace, it has a large constituency (those who participated in its development) that can
increase the standard’s acceptance. In most cases, the countries that participate in standards
development at the ISO level adopt ISO standards as their national standards.

Each national standards-developing organization that serves as a member of an ISO technical
committee is encouraged to establish a national mirror committee or technical advisory group
of subject experts and interested parties. These mirror committees are broadly inclusive and
typically comprise industry experts, government representatives, consumers, and others who
might be affected by the standards. Members of the mirror committees meet to discuss
development of the standards. Individual countries have their own processes for deciding who
may participate in their mirror committees. Mirror committees frequently charge a
participation fee for voting members. Liaisons are exempt from the participation fee and do
not vote. Observers pay the participation fee and do not vote.

Participation in a mirror committee is a convenient option for people who want to take part
in standards development but are unwilling or unable to travel internationally. A mirror
committee advises its country on what position it should take on the documents being
developed. The committee reviews the documents as they are being prepared and prepares
comments to submit to the ISO technical committee developing the standard. Then some
members attend ISO plenary meetings or technical committee meetings, present the
country’s position, and try to get their country’s views reflected in the standard. In brief, a
mirror committee’s main responsibility is to develop a national consensus to present to ISO.

In ISO, one of the committees working on security activities is ISO/TC 223: Societal Security.
The committee has a broad scope, addressing security, business continuity, crisis management,
disaster management, and emergency response. The committee examines crisis
management and organizational continuity related to all types of disasters and disruptions,
including intentional attacks, unintentional accidents, and natural disasters. The committee
focuses on what an organization should do before, during, and after an incident. The
committee also addresses interaction and interoperability between organizations.

3.3 DEVELOPMENT OF NATIONAL STANDARDS: U.S. EXAMPLE

The American National Standards Institute (ANSI) was formed in 1916 to serve as a
clearinghouse for Standards Developing Organizations (SDOs) in the United States. The Institute
oversees the creation, promulgation, and use of thousands of standards that directly impact
businesses in nearly every sector: from acoustical devices to construction equipment, from
dairy and livestock production to energy distribution, and many more. ANSI is also actively
engaged in accrediting programs that assess conformance to standards—including
globally-recognized cross-sector programs such as the ISO 9000 (quality) and ISO 14000
(environmental) management systems.

3.3.1 CHARACTERISTICS OF ANSI STANDARDS

ANSI is the administrator and coordinator of the U.S. private sector voluntary
standardization system. It is a decentralized system that is partitioned into industrial sectors
and supported by hundreds of private sector standards-developing organizations (SDOs). An
SDO is an organization, company, government agency, or group that develops standards,
including professional societies, industry and trade associations, and membership
organizations that develop standards within their areas of expertise.

ANSI is the only accreditor of U.S. voluntary consensus SDOs. Of the approximately 600
SDOs in the United States, some 200 are accredited by ANSI as developers of American
National Standards. Examples of ANSI-accredited standards developers are ASIS
International, the National Fire Protection Association, and the Security Industry Association.
ANSI also conducts programs for accrediting third-party product certification.

ANSI is the sole U.S. representative to and dues-paying member of the two major non-treaty
international standards organizations: ISO and the International Electrotechnical
Commission (IEC). The institute is designed to support a broad range of stakeholder
engagement, address emerging priorities and new technologies, and allow stakeholders to
find the solutions that best fit their needs. In addition, the ANSI system is market driven,
flexible, sector based, led by the private sector, and supported by the U.S. government.

The ANSI federation represents more than 125,000 companies and organizations and 3.5
million professionals worldwide. Members include academicians, individuals, government
agencies, manufacturers, companies, trade associations, professional societies, service
organizations, standards developers, consumer and labor interests, and more (About ANSI
Overview, 2008).

3.3.2 ANSI STANDARDS DEVELOPMENT PROCESS

The ANSI standards development process is designed so that standards users, not standards
bodies, drive standardization activities. The process places a high degree of confidence in
private-sector solutions for both regulatory and non-regulatory functions. The process is
deliberately decentralized and provides a strong voice to standards users and individual
stakeholders.

ANSI accreditation, mentioned earlier, signifies that the procedures sponsored by an SDO
satisfy ANSI’s requirements for an open, fair, consensus-based process that benefits
stakeholders and the American public. Procedures provide due process and legal safeguards.
Developers retain some flexibility in how they satisfy ANSI’s requirements. ANSI
accreditation is a precondition for submitting a standard for approval as an American
National Standard.

The emphasis on proper procedures is crucial for mitigating the risks of standards-developing
activities. The procedures require the following:

• openness, with no barriers to participation
• timely and adequate notice of the initiation of development of a standard
• a resolution process with a balance of interests
• clearly and fairly defined interest categories
• careful consideration, answering, and addressing of all views and objections
• reporting of any unresolved objections to committee members
• keeping of careful meeting records
• an appeals process

ANSI approval of a standard means the standard was developed in accordance with ANSI’s
requirements and is subject to ANSI’s procedural oversight, due process, and audit. The ANSI
designation means the standard was developed through a process that includes the following:

• consensus by a group that is open to all materially affected and interested parties
• broad-based public review and comment on draft standards
• consideration of and response to comments submitted by voting members of the
relevant consensus body, as well as by the public

• incorporation of submitted changes that meet the same consensus requirements into
a draft standard
• availability of an appeal by any participant alleging that these principles were not
respected during the standards process
• lack of requirement for compliance unless the standard is adopted into a regulation
or statute

ANSI also examines any evidence that a proposed national standard is contrary to the public
interest, contains unfair provisions, or is unsuitable for national use.

3.4 MANAGEMENT SYSTEMS STANDARDS

Of the several types of standards, one particular type will likely have a large impact on the
way security professionals work: management systems standards. The term management
system refers to the organization’s method of managing its processes, functions, or activities.
Management systems standards are designed to help organizations improve the ways in
which they provide services and perform processes.

Management systems standards are widely accepted and used in many fields and disciplines.
The most famous management systems standards are ISO 9001:2008 Quality Management
Systems—Requirements and ISO 14001:2004 Environmental Management Systems—
Requirements with guidance for use.

3.4.1 CHARACTERISTICS OF MANAGEMENT SYSTEMS STANDARDS

Management system standards are developed to be generic. They are designed to fit all sizes
and types of organizations: private, public, faith-based, not-for-profit, etc. By taking a
generic perspective, these standards avoid becoming overly prescriptive and including
approaches that will be too difficult for some organizations to conform to. They provide a
framework for what an organization should do while leaving how to do it at the discretion of
the organization based on its financial and operating environment.

A management systems standard can help an organization in several ways. For example, a
company in conformity with a management systems standard may thereby give its
customers, suppliers, and other stakeholders greater confidence in its reliability. Likewise, a
company that supplies materials to a large manufacturing corporation (that must meet
certain environmental standards) may better satisfy that company if it can show that it is in
conformity with the ISO 14001 environmental management systems standard. In the same
vein, if a company wishes to supply a critical piece in a supply chain, the customer may be
happy to know that the prospective supplier is in conformity with the ISO 28000:2007
Specification for Security Management for the Supply Chain and/or the ANSI/ASIS
Organizational Resilience Standard. The customer may feel the supplier is less likely to suffer
a disruption that would halt the customer’s production process.

Management systems standards also provide organizations with a forum and mechanism for
complying with regulations, industry requirements, and best practices. Of course, these
standards are not regulations. Instead, they are tools to help an organization meet its goals,
whether in terms of quality, environmental concerns, safety, security, preparedness, or
continuity. Most management systems standards are based on the Plan-Do-Check-Act
(PDCA or Deming Cycle) model of total quality management (TQM), which was developed
decades ago and has been proven in the field of management.

In sum, management systems standards include very generic requirements. They set a
framework for a holistic, strategic approach to management. They address what an
organization should do while leaving the details of how to achieve its objectives to the
organization. The organization then has the flexibility to define the scope of the program and
the means of implementing it.

Moreover, an organization can strive to be in conformity with a management systems
standard throughout the organization or only in a part of it. The standard’s generic quality
also means the standard can work in different business cultures and different nations.

Why Management Systems Standards Work

The process of implementing a management system—and thereby coming into conformity
with a management systems standard—is meant to address the specific needs of the
organization. The process requires examination of the organization’s assets, management’s
expectations, the organization’s objectives, communication needs, measurements of success,
and potential risks that could keep the organization from reaching its objectives. The
implementation process encourages the organization to pay attention to the needs of the
many interested parties—employees, suppliers, financers, the local community, and society
as a whole—that may be affected by the organization’s operations.

Because a management systems standard focuses on the organization’s goals, implementing
a management system requires engaging top management. Doing so is the necessary first
step in the process. By gaining the approval and insights of top management, the person
implementing the management system can identify the goals, mission, and vision of the
organization and clarify how its critical functions, activities, and services are defined. That
information helps define the path toward which the management system will lead the
organization. Among other benefits, a management system provides a factual basis for
decision making and a system for continual improvement.

The bottom line is that in working toward conformity with a management systems standard,
the implementer is changing the organization’s culture. In the case of a security management
systems standard, the implementer embeds a culture of security into the organization so all
stakeholders understand that security is an important objective of the organization and that
they are involved, will be held accountable, and should commit themselves to achieving the
goals named in the management system.

Use of Management Systems Standards in Security

As management systems standards become more common in the security field, security
professionals face a change in their vocabulary—they will have to learn “management-
speak.” This change is likely to give them a professional advantage. When organizations’
environmental officers began to implement the ISO 14000 environmental management
systems standard, they had to learn to communicate by using the same words and concepts
that their top management used. They were able to justify their effort by putting it in terms
that management used in carrying out the organization’s mission. By learning that language,
environmental officers were elevated to the status of management.

The same concept applies to security professionals. Being able to describe security goals in
terms that management uses helps both parties. Management will better understand
security issues, and security professionals will better understand management issues, which
are really the issues of making the organization successful. Security then may be viewed as a
strategic business and operational issue.

3.4.2 BENEFITS OF MANAGEMENT SYSTEMS STANDARDS

A management systems standard can benefit an organization by doing the following:

• Establishing benchmarks. These enable the organization to measure its progress and outcomes. The implementer must demonstrate that the management system is effective, and benchmarks help in doing so.

• Forcing the organization to systematically identify risks and problems as well as potential solutions. Many organizations skip this step, make false assumptions, and therefore focus on issues that do not matter and ignore important ones.

• Including more participants. A management systems standard requires the organization to include all levels of employees and stakeholders in planning. This more inclusive approach encourages normally reserved people to step forward and identify problems the organization may have overlooked. It also gives more people a sense of ownership of the process. They will then be more likely to get involved and participate in reaching the goals of whatever management system is being implemented (e.g., quality, environmental, security).

• Providing problem-solving and decision-making tools. The standard also links those tools to personnel training that will help employees do what the organization needs to reach its goal.

• Leading the organization to study how standard operating procedures and operational controls can enhance the organization’s performance. Often organizations find that implementing a management systems standard improves their production and quality of service in ways completely separate from the standard’s particular goal.

• Protecting the organization’s reputation or brand. In many cases, implementing and conforming with a management systems standard gives others greater confidence in the organization. News reports often show how a minor mistake, such as a breach of information security or a contamination problem, causes a company to lose market share or stock value. Better management systems can help prevent mishaps that lead to reputational damage.

• Providing a model for continual improvement. A management systems standard does not call for a one-time action and specific output. Rather, the management system it leads to is an ongoing system. When an organization is audited for conformity, it is checked not for specific performance but for a mechanism for improving performance.

• Helping an organization coordinate its resources and programs. These may include structure, responsibility, training, awareness, operational controls, and communication; policy and management commitment; planning and program development; review and improvement; checking and corrective action; knowledge of the organization; and planning, risk assessment, and impact analysis. These are all important, but in the absence of an effective management system, they may be like unconnected puzzle pieces and may not be usable in an effective, coordinated way.

Some specific outcomes that a management systems standard is likely to lead to include
better organizational performance through improved capabilities; strategic alignment of
improvement activities at all levels of the organization; the flexibility to react quickly to
opportunities and a changing environment; and optimization of resources.

3.4.3 PLAN-DO-CHECK-ACT CYCLE

The Plan-Do-Check-Act (PDCA) cycle is the operating principle of ISO’s management
systems standards. Also sometimes called the Assess-Protect-Confirm-Improve model, it is
an approach to structured problem solving focused on continual improvement. It works as
follows:

Plan: This most critical stage calls for identifying and analyzing the organization’s problems—events that could disrupt operations—and assets. One identifies the root causes of those problems and begins to rank them in terms of importance.

Do: Here one looks at the planning analysis, devises a solution, prioritizes next steps, and develops a detailed action plan. The key word is action. The goal is not to write a manual that sits on the shelf, gathering dust. Rather, the goal is to develop a plan that will be used actively to engage the organization and address problems and their causes—and then to implement that plan.

Check: At this step, one examines the solutions devised to address the problems. The point is to check whether the solutions are producing outcomes that are consistent with the plan. It is necessary to have a way of identifying deviations so one can analyze why some measures might not be working and how they can be improved.

Act: If the solutions are in fact addressing the organization’s problems, it is time to act to standardize those solutions throughout the organization, review the current list of problems, and start defining new problems and issues. This is where the cycle, in effect, begins again.

A good way to start this process is to focus initially on a problem that is relatively easy to
solve. Picking a solvable problem provides practice in using the management system and
demonstrates the system’s effectiveness before the organization moves on to more serious or
difficult problems.

Figure 3-1 Plan-Do-Check-Act Cycle
(Diagram; box labels: Plan: define and analyze a problem and identify the root cause. Do: devise a solution, develop a detailed action plan and implement it systematically. Check: confirm outcomes against plan, identify deviations and issues. Act: standardize solution, review and define next issues.)

3.4.4 WELL-KNOWN MANAGEMENT SYSTEMS STANDARDS

The most famous management systems standards (used by more than a million organizations
in 161 countries) are the ISO quality management systems standard and environmental man-
agement systems standard. These have been around for several decades and have proven to be
very efficient.

The ISO 9000 family of standards addresses quality management to help an organization
meet customers’ quality requirements, enhance their overall satisfaction, satisfy regulatory
requirements, and continually improve the organization’s performance in pursuit of these
objectives. The ISO 14000 family of standards addresses environmental management, which
is a way of looking at the organization’s activities, products, and services to gauge their
environmental effect, find ways to minimize any harmful effects, and improve the cost-
effectiveness of the organization’s processes.

All ISO management systems standards are implemented using the same process and have
the same structure and components. Thus, a single, well-designed management system
within an organization can be used to show conformity to several standards.

3.5 ASIS GLOBAL STANDARDS INITIATIVE

ASIS began its Global Standards Initiative (GSI) in 2007 to position itself as a world leader in
international security standards development. The move was driven by members who noted
a lack of a voice for security professionals in the standards being developed within various
countries as well as internationally. It was also driven by members involved in cross-border
activities, who faced different sets of rules and procedures every time they reached a national
or jurisdictional border. These members urged ASIS to get involved at the ISO level to
promulgate a more global perspective in security planning.

3.5.1 PROCESS

An early step taken through the GSI was to have ASIS gain approval as a liaison in the major
national and international standards bodies. Not being a country, ASIS cannot participate
directly in ISO as a national member. However, as an international organization, ASIS was
able to seek liaison status, which enables full participation except for voting. Through the
GSI, ASIS is also developing strategic partnerships with other standards-developing bodies
around the world.

ASIS encourages its members to help identify standards of high priority to security
professionals and then to participate in developing drafts for circulation at the national,
regional, or international level. The goal is to get involved in the development of standards
regarding issues where standardization will make security professionals’ jobs easier and
improve the quality of security service delivery. Specifically, ASIS encourages members to
participate in developing standards on mirror committees in their home countries.

ASIS is also an ANSI-accredited SDO (standards-developing organization). The GSI is actively developing ANSI American National Standards (ANSI-ANS) in the U.S. As an example of ASIS standards-developing activity, Figure 3-2 illustrates the ANSI-certified process ASIS follows to develop American National Standards.

This chapter focuses on standards. It is worth noting, however, that before becoming
involved in standards, ASIS promulgated several guidelines. They were meant to be less
formal than standards in the sense that an organization could use some, none, or all of a
guideline’s elements—there was no issue of being in formal conformity. ASIS began issuing
guidelines in 2001 to help the private sector secure its business assets and critical
infrastructure. Where applicable, these guidelines are being modified into different types of
documents: either actual standards or handbooks for implementing actual standards. The
latter type is appropriate when the original guideline is too detailed and prescriptive to be a
standard but contains much useful guidance that practitioners may want to know as they
apply a standard.

ASIS conducts the five-day Security Lead Auditor Course for ISO 28000:2007, which is
accredited by the Registered Accredited Body, USA and Quality Standards Australia
(RAB/QSA). Upon successful completion of the program, participants receive the
internationally recognized Lead Auditor Competency Certification.

ASIS is also providing implementation guidance for ISO standards; leading education and
training on standards and guidelines issues; and developing auditor training and
certification (for auditing conformity with standards).

Figure 3-2 ASIS Commission on Standards/American National Standards Institute Standards Development Process
(Flowchart; box labels in order: Start; ASIS and S & G Commission identifies need for standard; S & G Commission establishes standard committee and initiates project; committee chair and vice chair appointed; HQ and committee develop voting body and assign working group; committee develops draft standard; working group reviews/revises draft standard; HQ completes ANSI Project Initiation Notification (PINS) form; PINS form submitted to ANSI for 30-day comment period; comments received? (yes: committee reviews comments and makes appropriate revisions); HQ sends letter ballot to voting body; HQ submits ANSI BSR8 form for 45-day public review for draft standard approval; comments received? substantive revisions required? (yes: committee reviews comments and makes appropriate revisions); draft standard approved; HQ submits ANSI form BSR9 for approval/appeals process (see pg. 2 for appeals process); ANSI approval and publication; End.)

3.5.2 PRODUCT STATUS

This section describes the status of various security-relevant standards and guidelines.
Because ASIS is converting some of its guidelines into standards or into products that
accompany standards, both guidelines and standards are listed below.

ASIS Guidelines

The following are the ASIS guidelines that are published or under development as of March 2011. All published guidelines can be downloaded from http://www.asisonline.org/guidelines/published.htm.

• Chief Security Officer Guideline (2008). This guideline addresses the key responsibilities, skills, and qualifications needed in an organization’s senior security executive. Status: published.

• Facilities Physical Security Measures Guideline (2009). This guideline provides a methodology to select appropriate physical security measures to safeguard an organization’s assets. Status: published.

• Threat Advisory System Response Guideline (2008). This provides private industry with possible actions to implement at various U.S. Department of Homeland Security alert levels. Status: published.

• Information Asset Protection Guideline (2007). This offers general protection advice for an entity’s information assets, including proprietary, classified, and other sensitive materials. Topics include collection, storage, dissemination, and destruction. Status: published.

• Preemployment Background Screening Guideline (2009). This guideline helps employers understand and implement the fundamental concepts, methodologies, and legal issues associated with the preemployment background screening of job applicants. Status: published.

• Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery (2005). This guideline outlines various interrelated processes and activities—including readiness, prevention, response, recovery/resumption, testing and training, evaluation, and maintenance—that can be used in creating, assessing, and sustaining plans for use in a crisis that threatens an organization’s viability and continuity. Status: published.

• Workplace Violence Prevention and Response Guideline (2005). This offers useful ways to maintain a safe and secure work environment. Means include identifying, evaluating, and controlling potential hazards and conducting employee informational training. Status: published.

• Private Security Officer Selection and Training Guideline (2010). This guideline sets forth minimum criteria for the selection and training of private security officers. The criteria may also be used to provide regulating bodies with consistent minimum qualifications. Status: published but under revision.

• General Security Risk Assessment Guideline (2003). This provides a seven-step methodology for identifying and communicating security risks at a specific location. It also addresses appropriate solutions. Status: published.

ASIS Standards

The following are the ASIS American National Standards that are finished or under development as of March 2011. All published standards are available at http://www.asisonline.org/guidelines/published.htm.

Many of these standards are being worked on at the international level as well.

• Chief Security Officer (CSO) Organizational Standard (2008). The standard provides a model for organizations to use when developing a leadership position responsible for providing comprehensive, integrated risk strategies to protect an organization from security threats. The CSO’s role may be viewed as a stand-alone position or one that has been incorporated within an organization’s existing leadership team. The standard details the CSO reporting relationship, key responsibilities, core competencies, experience, education, and compensation. It also provides a model position description. Status: published as an ANSI-ANS.

• Organizational Resilience: Security, Preparedness and Continuity Management Systems—Requirements with Guidance for Use (2009). Using the Plan-Do-Check-Act approach, this standard provides the steps necessary to prevent, prepare for, and respond to a disruptive incident. It lists generic auditable criteria for establishing, checking, maintaining, and improving a management system that enhances prevention of, preparedness for, mitigation of, response to, and recovery from disruptive incidents. An annex to the standard provides guidance on system planning, implementation, testing, maintenance, and improvement. Status: published as an ANSI-ANS.

• Business Continuity Management Systems Requirements with Guidance for Use (2010). This joint ASIS/BSI ANSI standard includes auditable criteria for preparedness, crisis management, business and operational continuity, and disaster management. It uses a management systems process approach according to the Plan-Do-Check-Act model and is based on the British Standards Institution’s standard on business continuity, BS 25999. Status: published as an ANSI-ANS.

• Workplace Violence Prevention and Intervention (2011). This joint standard with the Society for Human Resource Management (SHRM) provides an overview of general security policies, processes, and protocols that organizations can adopt to help prevent threatening behavior and violence affecting the workplace and to better respond to and resolve security incidents involving threats and episodes of actual violence. Status: published as an ANSI-ANS for WVPI.

• Auditing Management Systems for Security, Preparedness and Continuity Management with Guidance for Application. Management systems standards emphasize the importance of audits as a management tool for monitoring and verifying the effective implementation of an organization’s policy. Moreover, audits are an essential part of conformity assessment. This standard addresses the systematic, objective activities involved in evaluating management system performance for security, preparedness, and continuity management. Status: under development.

• Physical Asset Protection. This standard uses the Plan-Do-Check-Act approach to identify, apply, and manage physical security measures to safeguard an organization’s assets—people, property, information, and intangibles—that are based in facilities (not in transit). It describes a process that includes setting goals; identifying, assessing, and managing risks; and selecting appropriate physical security measures. The standard describes the basic functions of physical security measures in deterrence, detection, delay, and response. Status: under development.

• Organizational Resilience Maturity Model—Phased Implementation. This standard describes a maturity model for phased implementation of the ANSI ASIS Organizational Resilience Standard as a series of steps designed to help organizations evaluate where they currently are with regard to resilience management and preparedness, set goals for where they want to go, benchmark where they are relative to those goals, and plot a business-sensible path to get there. The model outlines six phases, ranging from no process in place for resilience management to going beyond the requirements of the Standard. It can be used in conjunction with the ANSI ASIS Organizational Resilience Standard or as a tool for continually improving a generic resilience management and preparedness program. Status: under development.

• Management Systems for Quality of Private Security Company Operations—Requirements with Guidance. This standard provides requirements and guidance for a management system with auditable criteria for Quality of Private Security Company Operations (PSC), building on the Montreux Document on pertinent legal obligations and good practices for security companies operating in conditions where the rule of law has been undermined by conflict or disaster. The standard provides auditable requirements based on the Plan-Do-Check-Act model for third-party certification of Private Security Company Operations—private security providers working for any client. Status: under development.

• Conformity Assessment and Auditing Management Systems for Quality of Private Security Company Operations. This standard provides requirements and guidance for conducting conformity assessment of the Management System for Quality of Private Security Company Operations (PSC) Standard. It provides requirements for bodies providing third-party auditing and certification of Private Security Company Operations—private security providers working for any client. It also provides requirements and guidance on the management of audit programs, the conduct of internal or external audits of the management system and PSC operations, and the competence and evaluation of auditors. Status: under development.

• Resilience in the Supply Chain. This standard expands the scope of the ANSI ASIS Organizational Resilience Standard to include resilience in the supply chain. It provides a framework for evaluating the internal and external context of the organization with regard to its supply chain, enabling it to develop a comprehensive, balanced strategy for reducing both the likelihood and the consequences of a disruptive event. It is also consistent with the risk management principles and framework of ISO 31000. The standard provides auditable criteria to prevent, prepare for, respond to, and recover from a disruptive event using a comprehensive approach to managing risks, thereby eliminating the siloing of risks and their impacts. Status: under development.

• Risk Assessment. This standard provides a means of analyzing the efficacy of risk management controls designed to protect an organization’s assets. Status: under development.

Standards Activity

ASIS has become involved in numerous security-related standards development projects in
concert with other organizations. Note that security in the ISO context is a very inclusive
term, referring to the entire flow of events that can take place surrounding a disruptive
incident, such as prevention, preparedness, mitigation, response, continuity, and recovery.

ASIS also has relationships with national bodies and is participating in developing standards
with them. The subsequent goal is to take completed standards and submit them to ISO for
consideration as international standards. Doing so accelerates the process and gives a larger
voice to security professionals so standards will truly address their needs and the services
they provide. Members are encouraged to volunteer to participate in technical committees
on standards that affect their areas of practice and expertise. The following are some key
areas of ASIS involvement:

• ISO/TC 223: Societal Security. ASIS Type A liaison status with ISO allows ASIS full participation. ASIS is a member of the Chairman’s Advisory Group, the Resolutions Committee, and all work groups and task groups involved. ASIS has been actively involved in drafting the documents that have been circulated through the technical committee.

• ISO/TC 247: Fraud and Countermeasures. ASIS Type A liaison status with ISO allows ASIS full participation. ASIS has been actively involved in drafting the documents that have been circulated through the technical committee.

• ISO/TC 8: Marine and Maritime. ASIS participates as a liaison, particularly in the ISO 28000 Security in the Supply Chain series.

• ISO/PC 262: Risk Management. ASIS Type A liaison status with ISO allows ASIS full participation. ASIS has been actively involved in drafting the documents that have been circulated through the technical committee.

• ISO/IEC JTC 1/SC 27: Information Security. ASIS participates as a liaison, particularly in the ISO 27000 series.

• ISO/TMB WGRM: Working Group on Risk Management. ASIS participates as a liaison. This group recently finished a draft of a new ISO 31000 Risk Management Standard.

• JTCG Task Force Auditing for the revision of ISO 19011. ASIS represents ISO/TC 223 as a liaison to this group on auditing of security and security management systems. This task force is looking at how to expand auditing (as is done in quality and environmental management systems standards) to the realms of security, information technology, occupational health and safety, and other fields where management systems standards are being developed or have been developed.

• ISO/SAG-S: Strategic Advisory Group on Security. ASIS also participates in this group, which advises the ISO Board on strategic issues related to security. The group is open only to national bodies, not to liaisons, but ASIS sits at the table as a member of the Dutch contingent (that is, as a technical expert with the Nederlands Normalisatie-Instituut).

• Supply Chain Risk Leadership Council. ASIS participates in the Supply Chain Risk Leadership Council in strategies to address supply chain standards development both nationally and internationally.

• CEN/BT/TF 167: Security Services, CEN/BT/WG 161: Protection & Security of the Citizen, CEN/PC 384: Airport and Aviation Security Services, CEN/TC 391: Societal and Citizen Security, and CEN/TC 379: Supply Chain Security. ASIS participates in CEN, the European Committee for Standardization, which is a consortium of European standards bodies. In the first committee listed, ASIS has observer liaison status; in the second committee, ASIS maintains close relationships with active members.

• ASIS International partners with National Standards Bodies (NSB) around the globe to develop national standards, promotes collaboration between the local ASIS Chapters and the NSB, and provides joint training programs.

• ANSI’s Board of Standards Review (BSR) body. ASIS is a voting member of the ANSI BSR, which is responsible for the approval and withdrawal of American National Standards and for hearing appeals of its decisions.

• ANSI’s Executive Standards Council (ExSC) body. ASIS is a voting member of the ANSI ExSC, which is responsible for the procedures and criteria for national and international standards development activities of the Institute, and accredits national standards developers and U.S. Technical Advisory Groups (TAGs) to ISO. The ANSI ExSC hears appeals related to its areas of responsibility.

• ANSI National Policy Committee (NPC) body. ASIS is a member of the ANSI NPC, which is responsible for broad-based policy and position decisions regarding national standards issues and government relations and public policy issues.

• ANSI International Policy Committee (IPC) body. ASIS is a member of the ANSI IPC, which is responsible for development of ANSI strategic directions and policies related to international and regional standardization.

• ANSI ISO Council (AIC) body. ASIS is a member of the ANSI AIC, which is responsible for developing ANSI positions and preparing ANSI representatives to the ISO General Assembly and ISO Council and its subgroups, including ISO policy development committees.

• ANSI International Conformity Assessment Committee (ICAC) body. ASIS is a member of the ANSI ICAC, which is the U.S. interface to the ISO Council Committee on Conformity Assessment.

• ANSI Committee on Education (COE) body. ASIS is a member of the ANSI COE, which is responsible for initiatives related to standards and conformity assessment education and outreach, as well as fulfilling the objectives of the United States Standards Strategy.

• ANSI Standards Boost Business (SBB) campaign. ASIS participates in the ANSI SBB effort to increase executives’ and other private-sector leaders’ (C-level) understanding of how the U.S. voluntary standards system and its activities can boost business performance.

• ANSI Organizational Member Forum (OMF) body. ASIS is a member of the ANSI OMF, which provides a forum for U.S. professional societies, trade associations, standards developers, and academia to come together to discuss national and international standards and conformity assessment issues of interest.

• ANSI Homeland Standards Security Panel (HSSP). ASIS is a member of the ANSI HSSP, which identifies existing consensus standards, or, if none exists, assists the Department of Homeland Security (DHS) and those sectors requesting assistance to accelerate development and adoption of consensus standards critical to homeland security. Additionally, ASIS is a member of the ANSI Homeland Standards Security Panel Steering Committee, an advisory committee to the HSSP.

• Security Industry Standards Council (SISC). ASIS is a member of the SISC, which votes on proposed standards being considered from other security-related SDOs and also reviews and coordinates standards activities.

• U.S. Department of Homeland Security Title IX program (Voluntary Private Sector Accreditation and Certification Preparedness Program). The ANSI ASIS Organizational Resilience Standard has been adopted in the Title IX PS-Prep program.

• U.S. Department of Defense. The Department of Defense reached out to ASIS to develop standards for private sector security. Two standards projects are under development: Management Systems for Quality of Private Security Company Operations, and Conformity Assessment and Auditing Management Systems for Quality of Private Security Company Operations.

The position of ASIS is that these areas represent the best thinking of security professionals
around the world and also help to ensure an organized approach to the challenges facing
corporations and the public and private sectors today.

3.5.3 ORGANIZATIONAL RESILIENCE STANDARD

In March 2009, the ASIS Global Standards Initiative published the American National
Standard ANSI/ASIS.SPC.1: Organizational Resilience: Security, Preparedness and Continuity
Management Systems—Requirements with Guidance for Use. This flagship standard was
developed by technical committees in Australia, the Netherlands, and the United States. The
management system standard provides a framework for a comprehensive approach to
managing the risks of a disruptive incident by addressing reduction of both likelihood and
consequences. It continues to gain international acceptance. The Netherlands and Denmark
have adopted it as a national standard in their countries, and several other countries are in
the process of adoption, translation, and publication. It has also been submitted to ISO for
consideration as an international standard.

This is a practical management systems standard that deals with organizational resilience. It
focuses on security, preparedness, and continuity management all in one management
systems standard. It looks at how an organization can prevent, prepare for, mitigate, respond
to, and recover from a disruptive incident that could, if not controlled, turn into an
emergency, crisis, or disaster. Like ISO standards, it uses the Plan–Do–Check–Act model.

The standard was designed to be business-friendly (improving its likelihood of adoption in the
marketplace) and is completely aligned and compatible with existing management systems
standards, such as ISO 9001:2000: Quality Management, ISO 14001:2004: Environmental
Management, ISO/IEC 27001:2005: Information Technology Security, and ISO 28000:2007:
Supply Chain Security Management. An advantage of this alignment is that an organization
can meet the requirements of other standards through the process of meeting the
requirements of this organizational resilience standard. The standard is also meant to be an
auditable complement to the new ISO 31000: Risk Management standard, thereby enabling
an organization to seamlessly integrate resilience and security management into its overall
risk management strategy.

The standard’s goal may be illustrated by considering a company that, on a normal day of
operation, is working at 100 percent capacity. Suddenly a disruptive incident occurs. Without
a plan in place, the company could completely lose capacity. Once that happens,
management may have no idea how long it will take to return to full capacity, if indeed the
company ever does. This standard encourages management to preempt the problem by
looking at what could potentially disrupt the operation, how to prevent it, and how, if it takes
place, to respond quickly to mitigate the impact of the incident (reduce the drop in capacity)
and shorten the recovery period. The standard also helps management consider how to
bring the most critical processes back online as quickly and efficiently as possible. The goal,
then, is to help the organization survive and thrive.

The following is a summary of the steps contained in the standard, as directed to security
management:

1. Start: Know the Organization

Many organizations unwisely skip this most critical step and start looking for solutions to
what they think are the problems, rather than analyzing what the core issues are that they
need to address. This step includes several tasks:

• Identify the internal and external context of the organization.
• Define the scope and boundaries for the security, preparedness, and continuity
management program.
• Identify critical objectives, operations, functions, products, and services. Prioritize them
according to their importance to the organization’s survival.
• Make a preliminary determination of likely risk scenarios and consequences.

By understanding and prioritizing the issues most important to the organization, it is possible
to focus on problems that are manageable and for which one can effectively develop a
system. It is not advisable to deal with all problems of the organization at once. The process
should be approached from a business point of view with a continual improvement
perspective.

2. Security Policy

The next step is to obtain management commitment, participation, and leadership, which
are critical to the exercise. The standard is, after all, for a management system. Security
policy will be elevated to a critical interest of the organization and hence requires the
participation of the entire organization. The policy will state and constitute a commitment to
the protection of critical assets as well as commitment to continuous improvement.
Obviously, management demonstrates its commitment by providing adequate resources to
implement the management system.

3. Planning

This is the time to conduct a risk assessment and impact analysis. The standard simply states
that the organization must have a defined and documented method for doing so. The
organization may choose from the many existing risk assessment methodologies and means
of analyzing business impact, but it must choose a specific, formal methodology and not
merely rely on its general sense of the problem. It is recommended that the organization
follow the risk assessment process outlined in ISO 31000:2009: Risk Management Guidelines.
At this stage it is also necessary to determine the legal and other requirements with which the
organization must comply and then choose a method of addressing them.

With these three analyses, the organization has a basis for developing objectives and
determining its means and resources for attaining them.

Plans for security management programs emphasize incident prevention, while plans for
response management emphasize reducing an incident’s impact and quickly returning to
full operation.

4. Implementation and Operation

This is the step for developing the organization’s approach to improving resiliency. Here are
key topics to examine:

• Organizational structures and responsibilities needed to develop the strategic plan.
Organizational roles, responsibilities, and authorities are clearly defined to support the
management system and all the activities needed to address the risks of disruptive
events.

• Training, awareness, and competence. Programs must be developed that will give
employees the confidence and competence to do what they should. They should be
educated on what could happen and how they should respond.

• Communication. The standard addresses communication both within the
organization and with external parties. Key issues include how to prepare in advance to
respond to external questions and who will speak for the organization.

• Documentation. This process requires developing standard operating procedures
regarding security, preparedness, and continuity management, as well as documenting
the management system itself. If it is not documented, no one can check to see if it is
working.

• Incident preparedness and response plans. These contain the specifics of what should
be done to prevent an incident and mitigate its consequences, as well as what should
happen after an incident, covering such issues as alternative work sites, mutual aid
agreements, and meeting points.

5. Checking and Corrective Action

The standard then addresses these topics:

• Performance evaluation. The organization establishes performance metrics and
evaluates its resilience performance, including compliance with legal and other
obligations. Exercises and testing are used to evaluate performance.

• Monitoring and measurement. This step discusses how to identify nonconformity,
address it through corrective and preventive actions, and document those steps.

• Important business records. This step addresses the need to identify, store, and
protect vital documents, as well as keep them accessible to the people who need them.
Again, the standard does not specify how to perform these tasks but merely insists that
the company have a specific plan for doing so.

• Audits. These make it possible to track the performance and effectiveness of all
required tasks.

6. Management Review

Information from all the preceding steps is then fed back for management review. This is the
stage to ensure that the management system is adequate and effective and to discuss any
need for improvement.

Then, for continuous improvement, one repeats steps 1 to 6 indefinitely. Figure 3-3 shows
the process in graphic form.

The standard’s structure is simple, but each step is rather involved. If the organization
contains a person who wishes to focus on security, preparedness, and continuity management,
that person may be the best candidate to bring this management systems standard to
management. Alternatively, an organization may use an external consultant with expertise in
developing such systems. However, the management system is implemented by the
organization with the advice and guidance of the consultant. Ownership throughout the
organization is the key to success.


Standards are nothing to fear. If the security community sits back and waits for others to
develop security standards—whether people from other disciplines or standards developers
with no security expertise or practical understanding—then the standards developed could
be overly prescriptive and make it more difficult for security professionals to do their jobs.
On the other hand, if the people who will use the standards get involved in developing them,
the standards are more likely to be useful tools.

[Figure 3-3 (flow diagram not reproduced): boxes for Start: Know your Organization;
Policy; Planning; Implementation and Operation; Checking & Corrective Action; and
Management Review, arranged in a Continual Improvement cycle.]

Figure 3-3
Organizational Resilience (OR) Management System Flow Diagram




CHAPTER 4

INTRODUCTION TO ASSETS PROTECTION

Protecting an organization’s assets is a daunting task. The business world, the security arena, and
life itself are changing at lightning speed. Globalization, information technology, instant
communications, complex and asymmetric threats, public opinion, mergers and acquisitions,
conglomerates and partnerships, and regulation all have a major influence on how security
professionals must perform their mission. In addition to needing a broad array of security
expertise, today’s security professional must be an adaptable, strategic thinker, skilled in process
management and fast, accurate program implementation.

Protection of Assets is designed as a support tool for security professionals and others with similar
responsibilities. It provides information on all aspects of security and related functions and helps
readers balance costs and results in planning, developing, and implementing sound risk
management strategies.

Because of the rapid pace of change, POA is a living document. It features periodic updates and
guides readers to other sources for further information.


4.1 BASIS FOR ENTERPRISE ASSETS PROTECTION

4.1.1 DEFINING ASSETS PROTECTION

For many people, the term assets protection suggests finance. Security professionals,
however, think of assets protection in a different, broader sense. In the security arena, one
often speaks of protecting three types of assets: people, property, and information. The larger
view of assets protection, however, also considers intangible assets, such as an organization’s
reputation, relationships, and creditworthiness.

In considering all of an organization’s assets and all potential hazards, both natural and
man-made, the security function should take the lead on some matters and play a
supporting role in others. This approach helps ensure that the security function is, and is
seen to be, a value-adding element of the organization. The greatest protection of corporate
assets occurs when an appropriate mix of physical, procedural, and electronic security
measures is in place in relation to the assets being protected. This creates an effective
defense-in-depth asset protection program.

Graduate students in a security management program were recently asked to define assets
protection from their perspective. The students were all experienced, mid-career professionals
in security, law enforcement, or the military. Almost all the students mentioned elements like
asset definition, threat assessment, vulnerability and risk analysis, security methods for
reducing risk, and the need to balance security costs with the benefits of protective measures
employed. However, several additional aspects of assets protection emerged as well:

• Both tangible and intangible assets must be considered.
• A key objective is maintaining smooth business operations.
• Post-incident business or mission continuity is an important element.
• Both the current and future risk environments must be considered.
• Providing a safe and healthy environment should be factored in.
• Liability reduction/management is an important component.

As those students seemed to understand, assets protection must be a comprehensive,
proactive function that is directly tied to the organization’s mission.

In addition, it is essential to know what needs to be protected. In many cases, asset owners
(such as business owners or managers) lack a thorough understanding of what their real
assets are. Some think purely in financial terms, while others focus on tangible goods, such
as facilities, inventory, vehicles, or equipment. A wider view of assets might include those
listed in Figure 4-1.

TANGIBLE
Facilities/buildings
Equipment
Inventory
Vehicles
Raw materials
Cash/money
Accounts receivable
Supplies/consumables
Telecommunications systems
Other capital assets

INTANGIBLE
Reputation/image
Goodwill/trust
Brand recognition
Relationships
Vendor diversity
Longevity/history
Past performance
Experience
Quality assurance processes
Workforce morale/spirit/loyalty
Workforce retention
Management style
Human capital development
Liaison agreements
Market share
Continuity posture/resiliency
Safety posture

MIXED
People
Intellectual property
Knowledge
Proprietary processes
Information technology capabilities
Land/real estate
Infrastructure
Credit rating/financial stability
Customers (customer base)
Contracts in place
Financial investments
Geographic location
Staffing sources/recruiting
Certifications (e.g., ISO 9000)

NOTE: Tangible assets are generally those one can see, touch, or directly measure in physical form. Mixed assets have
both tangible and intangible characteristics.

Figure 4-1
Examples of Organizational Assets by Type

4.1.2 RELATION TO SECURITY AND OTHER DISCIPLINES

Because assets protection is a broad, complex function, many departments or elements of an
organization may be involved in it. However, a single office or person should be designated
as the assets protection focal point. Assets protection professionals should either lead or
follow, but in either case they should not allow themselves to be left out of key deliberations
and decisions. Though it is the responsibility of senior management to provide the resources
needed to enhance the protection of assets, it is the assets protection professional’s
responsibility to provide them with the best information for their decision-making process.

Assets protection incorporates all security functions as well as many related functions, such
as investigations, risk management, safety, quality/product assurance, compliance, and
emergency management. Therefore, the senior assets protection professional must have
strong collaboration and coordination skills as well as a thorough understanding of the
workings of the enterprise. In today’s asset protection program, countermeasures need to
include people, hardware, and software.

Of particular interest today is convergence, which is the “integration of traditional and
information [systems] security functions” (ASIS International, 2005). Such convergence
makes collaboration even more important.

4.1.3 HISTORICAL PERSPECTIVES

From the dawn of mankind, organizations have faced threats to their safety and security. One
of the tribe’s important functions was the protection of its assets, which might include land,
crops, water supplies, or its cultural or religious heritage.

Over the centuries, upon arriving in a new country, immigrants from particular regions have
tended to settle together in communities that became known as ghettos. These ghettos have
had a strong assets protection aspect.

Like tribes, gangs today emphasize assets protection. Their assets may include “turf,”
recognition, members, weapons, or market share of illegal activities.

Families, too, protect their assets, which include family members, the home and its contents,
vehicles, financial assets, pets, occupations, and status in the community. Families use such
methods as security equipment, insurance, education, communications procedures, and
neighborhood watch groups.

Different assets protection methods work in different situations (Webster University, 2006):
The protection of assets is not an exact science. What works in one situation may have
disastrous results in another. Asset owners and security professionals alike must analyze
specific situations or environments; recognize needs, issues and resources; and draw
conclusions regarding the most appropriate protection strategies and applications.

Assets protection can be performed by internal entities, external entities, or a combination. In
the United States, the first private security firms emerged in the mid-19th century. They began
as investigative agencies and expanded to provide other assets protection functions, such as
executive protection, intelligence collection, counterintelligence, cargo escort, and protection
of railroads, a critical infrastructure of the day (Securitas, 2006).

The concepts, techniques, tools, and philosophies of assets protection change as threats
mutate, technologies advance, management approaches develop, and business around the
world becomes transformed.


Influences in Assets Protection

Many recent developments have affected the practice of assets protection. In the early 1970s,
for example, computer security began to flourish as a separate discipline (National Institute
of Standards and Technology, 2006) because of society’s increasing reliance on information
systems.

Another influence was the recognition of the vulnerability of critical infrastructure to both
natural and intentional attacks. In the United States, critical infrastructure was initially defined as
comprising the following industry sectors: transportation, oil and gas, water, emergency services,
government services, banking and finance, electrical power, and telecommunications. More
sectors were added later. Significantly, most U.S. critical infrastructure is owned or operated by
private enterprises. In the United States, attention to the security of critical infrastructure
increased greatly after the 1993 attack on the World Trade Center in New York City and the
bombing of the Alfred P. Murrah Federal Building in Oklahoma City two years later.

Damage to the Pentagon caused by the September 11th attack.
Photograph by Kevin Peterson

To security professionals, the terrorist attacks of September 11, 2001, represented the most
significant turning point in assets protection around the world. That attack

• led to increased security budgets and reduced constraints on security policies and
procedures,
• fostered communication between security officials and front-office executives, and
• enhanced threat awareness and vigilance by business managers and employees.

In some cases, knee-jerk reactions to 9/11 wasted valuable resources. For example, one
company with facilities in several countries ordered each site to post a security officer at its
entrance. However, the new security officers had no idea of their roles and responsibilities
and had no way to communicate with other security staff at the sites. At best they were able
to provide a false sense of security. Similarly, after 9/11 many organizations spent much
more than necessary on security technology.

The shock of 9/11 also caused an overemphasis—in terms of security solutions—on terrorist
attacks instead of the broader spectrum of realistic security risks. Even now, resources that
could have been dedicated to information technology (IT) security, information asset
protection, and traditional crime or loss prevention are being diverted to antiterrorism
measures, such as blast-resistant materials, stand-off zones, bollards, chemical/biological
hazard sensors, and similar items. Even in school security, interest in traditional,
comprehensive assets protection has often given way to preparation for terrorist attacks.

Over time, the 9/11 attacks have partly redefined assets protection. The following are some of
the beneficial changes:

• a change in public expectations and an increase in the level of security measures that
the public will tolerate
• an ongoing examination of personal privacy versus public protection
• more serious study of security and protective services budgets and strategies
• better information sharing within and between the security and law enforcement
communities, leading to improved crime-fighting capabilities
• greater application of advanced technologies to threat analysis, vulnerability
assessment, information sharing, and protective measures
• more widespread discussion of strategic protection concepts incorporating risk
management and comprehensive assets protection
• more emphasis on security and assets protection research


Similarly, the 2001 anthrax scare in the United States led to much greater emphasis on the
security of mailroom operations. In addition, the Sarbanes-Oxley Act in the United States has
required publicly traded corporations to perform more extensive assessment and reporting.

Respondents to one security-related survey rated the act as the second most important
legislation having a moderate or major impact on their organization (ASIS International,
2005, p. 48).

Patterns of Change

In assets protection, the period between major paradigm shifts (including technological
developments and conceptual shifts) has been decreasing. As Figure 4-2 shows, during the
1950s and 1960s several years passed between major paradigm shifts. In more recent
decades, the interval between those shifts has decreased to the point where changes today
follow each other rapidly.

© Innovative Protection Solutions, LLC, 2006. Used by permission.

Figure 4-2
Paradigm Shift Frequency Model

These paradigm shifts include changes in surveillance technology, integrated security
systems, the scope of security professionals’ duties, legal and liability issues, the regulatory
environment, the use of computers in the security function, public/private partnerships,
antiterrorism, convergence, and global business relationships. Security professionals must
be prepared for rapid change in the workplace.

Another change is that assets protection is increasingly based on the principle of risk
management, a term rather recently applied to security management and assets protection
(Webster University, 2006). The ASIS International 2006 General Risk Security Guideline
defines “risk” as the possibility of loss resulting from a threat, security incident, or event. The
concept is a perfect fit for assets protection, the primary objective of which is to manage risks
by balancing the costs and benefits of protection measures.


4.2 CURRENT PRACTICE OF ASSETS PROTECTION

This section discusses two important issues in assets protection: the field’s underlying
principles and the practice of assets protection in various industry sectors.

4.2.1 UNDERLYING PRINCIPLES

One framework for viewing the underlying principles of assets protection states that three
concepts form a foundation for any assets protection strategy. Those concepts are known as
the five avenues to address risk, balancing security and legal considerations, and the five Ds.

Five Avenues to Address Risk

This concept contends that there are five distinct avenues for addressing identified risks to
assets: risk avoidance, risk transfer, risk spreading, risk reduction, and risk acceptance.
Carefully considering these avenues is an effective way for assets protection professionals and
management to think creatively in designing ways to protect assets.

Balancing Security and Legal Considerations

Organizations need to find the right balance between a security approach and a “legal”
approach. Some enterprises rely entirely on legal measures, such as patents, copyrights,
trademarks, and service marks, to protect their critical information. They mistakenly believe
that with these legal protections in place, they do not need stringent security programs.
Alternatively, some executives believe a strong security program eliminates the need for legal
measures. Of course, both types of measures are needed. The legal approach must also
consider when and how incidents will be litigated, what preliminary measures must be in
place for successful litigation, and how litigation costs will be managed.

The Five Ds

This security approach complements the “legal” approaches discussed above. In this concept,
the first objective in protecting assets is to deter any type of attack. The second objective is to
deny the adversary access to the asset, typically through traditional security measures. The
third objective, if the first two fail, is to detect the attack or situation, often using surveillance
and intrusion detection systems, human observation, or a management system that identifies
shortages or inconsistencies. Once an attack or attempt is in progress, the fourth objective is
to delay the perpetrator through the use of physical security and target hardening methods,
or use of force. Finally, in today’s terrorist environment with more violent criminals, it may
become necessary to destroy the aggressor if the situation warrants it.

In short, assets protection should involve a comprehensive strategy, not just piecemeal
elements (officers, closed-circuit television, access control systems, etc.).

4.2.2 ASSETS PROTECTION IN VARIOUS SETTINGS

Many security principles and procedures are common across sectors, geographic areas, and
various sizes and types of organizations. However, each particular industry has its own
culture, environment, and issues that influence assets protection.

Health Care Sector

Hospitals are open to the public 24/7 and tend to have an open environment. Patients are
vulnerable, and hospitals can be a high-stress environment for all concerned: patients,
visitors, and staff.

Hospitals also have to be concerned about information assets, especially patient privacy, the
protection of which is often governed by regulation, such as, in the United States, the Health
Insurance Portability and Accountability Act (HIPAA) and criteria set by the Joint Commission
on Accreditation of Healthcare Organizations (JCAHO). In addition, many health care
institutions, especially at universities, engage in medical research, an activity that calls for
protection of sensitive information, intellectual property, facilities, and materials. Assets
protection staff may also need to focus on maintaining the hospital’s reputation, another key
asset.

The most serious threats in health care involve workplace and domestic violence, threats,
harassment, internal theft, vandalism, extremist activity, fraud, threats to high-risk or high-
profile patients, and violence in emergency departments.

Health care security professionals can gain management support through these means
(Stewart, 2006):

• demonstrating a knowledge of hospital management issues and respecting the business
aspects of the enterprise
• maintaining a dialogue with management to ensure they understand the hospital’s risks
and vulnerabilities, as well as the assets protection program itself

Whether security officers in health care settings should be armed is the subject of ongoing
debate.


Educational Sector

Educational institutions range from preschools to universities and include both public and
private institutions. Schools at all levels have historically been viewed as somewhat insulated
from the ills of society, but in recent years more attention has been paid to school security.

At the lower academic levels, security responsibility may fall under the school board, county or
city, or local police department. Most colleges and universities maintain their own security
function, which may or may not be connected to the campus police department.

Educational institutions face a wide range of threats, such as assaults against students and
staff, facility damage, vandalism, theft of goods (computers, equipment, supplies, etc.), theft
of private information, attacks against IT, white-collar crime, liability, and natural disasters.
Universities also face the theft of research information.

At most schools, much of a security director’s time is spent on crisis management. Evacuation
planning, preparations for shelter-in-place situations, liaison with first responders, awareness,
training, and exercises are all critical in that environment. In addition, schools may be called
on to serve as community shelters or medical triage centers during disasters. Figure 4-3 lists
some of the common security issues at each educational level.

Universities include more than classrooms—they may also feature dormitories, restaurants,
stores, libraries, entertainment venues (clubs, theaters, bowling alleys, fitness centers, game
rooms, etc.), sporting facilities, worship centers, conference centers, and hospitals. Further
security issues are raised by the fact that some students may be living away from home for
the first time and may not behave as well as they should or show the right level of safety and
security consciousness. Universities also host many students from other countries, who may
violate bans on certain exports or may overstay their visas.

High crime rates, high-profile incidents, and a questionable campus safety record can harm a
university’s image and lead to a loss of students, revenue, grant money, and research projects.

Security directors in the educational environment must take a comprehensive risk
management approach to their assets protection program. In their security planning, they should
consider many factors, such as the size and demographics of the school, the characteristics
of the surrounding area, the mission and culture of the institution, the types and values of
assets, the school’s image, its management style, and any identifiable threats.


Level                        Considerations
---------------------------  ------------------------------------------------------
Preschool                    Health and safety
                             Teacher/staff backgrounds
                             Constant student oversight
                             Potential for parental/stranger abduction

Elementary (K through 8)     Student oversight
                             Teacher/staff backgrounds
                             Inappropriate discipline
                             Early gang and drug abuse prevention
                             Exposure to inappropriate issues
                             Student interrelationships

Secondary and High School    Student independence/student interrelationships
                             Teacher/staff backgrounds
                             Teacher/staff relationships with students
                             Gang and drug/alcohol abuse prevention
                             Exposure to inappropriate issues
                             Weapons and contraband exclusion
                             Facility access control
                             Protection of equipment, chemicals, other resources

College and University       Students as an asset and a threat
                             Lifestyle (student independence, drugs, alcohol, etc.)
                             Residential setting
                             Multiple facilities (retail, food service, entertainment)
                             Overall crime environment
                             Potential for hate crimes and activist groups
                             Sports and entertainment venues
                             Laboratory/research facilities and information
© Innovative Protection Solutions, LLC, 2006. Used by permission.

Figure 4-3
School Security Considerations


Fast Food Sector

This sector, also known as the quick-service restaurant (QSR) industry, features many
company-owned restaurants and franchise stores around the world. The largest companies often
have an in-country or regional assets protection director, who reports to the local business unit
head and the corporate assets protection director. The wide geographical dispersion also
makes QSRs vulnerable to varying levels of ordinary crime, activism, vandalism, and
terrorism. Companies in this industry work hard to protect the value of their brand.

The industry emphasizes cost control, margins, and profit and loss management. Thus,
assets protection professionals must focus on theft prevention, anti-fraud programs,
strategic planning, and supply chain/vendor/distribution integrity. The QSR industry employs
a range of security technology, including closed-circuit television (CCTV) tied to point-of-sale
systems (e.g., cash registers). Assets protection teams in the industry also investigate suspected
false claims of employee or customer injuries.

Because of the high employee turnover rate and the geographic dispersion of stores, security
training is both essential and difficult. Modern IT can enhance the company’s ability to
conduct safety and security training—for example, by facilitating distance learning. One
focus of employee training is simply teaching whom to call and how to report suspicious
activity. Most companies maintain toll-free hot lines. In addition, employee awareness can
be bolstered using security posters, changed regularly.

Telecommunications Sector

Assets protection in the telecommunications sector has changed in the wake of industry
deregulation; the boom in wireless, Internet, fiber optic, and other telecommunications
technologies; and, in the United States, the designation of the telecommunications system as
a national critical infrastructure. Assets protection in the telecom sector now encompasses
four major areas:

• Information security: protecting competitive and proprietary information; protecting
information about the telecommunication infrastructure; and protecting voice and
data signals

• Network and computer security: protecting networks from hacking and other forms of
cyber attacks; protecting computers and other equipment from viruses

• Fraud prevention: protecting the company from toll fraud, calling card misuse, and
other frauds

• Physical security: protecting the people, places, and things that make
telecommunications networks function

Assets protection in telecommunications is greatly affected by government regulation. Some
jurisdictions mandate specific security practices, limiting the ability of assets protection


managers to tailor programs to their particular environment. Another security challenge
arises from the wide exposure of the industry’s product (electronic signals), which is
susceptible to both physical and electronic threats. Finally, telecom companies’ fiber and
cables are often routed through or under property owned by others. Therefore, assets
protection strategies must consider property rights and access issues.

Aerospace Sector

The aerospace sector, which includes civil aircraft, military aircraft, missiles, space systems,
and aerospace services, is characterized by fierce, global competition; large, complex
contracts; international joint ventures; and a huge network of vendors, all of which
significantly complicate assets protection strategies.

(NASA Photo)

In addition to traditional corporate safeguards, firms in this sector should consider the
following:

• protection of sensitive, proprietary, and export-controlled technical information

• handling of government classified information

• regulatory and reporting compliance at the local, national, and international levels

• integration of safety and security programs

• domestic and international travel security

• test and evaluation program security

The larger aerospace firms maintain large security departments staffed with various
security specialties. By contrast, small aerospace vendors often have no security resources.
Therefore, it is best to discuss security support at the outset of a new project and agree who
will be responsible for various aspects of assets protection and what resources each player
will contribute.

Assets protection in the aerospace industry is also affected by the climate of risk taking; the
extent of high-value information that must be protected; and the industry’s high profile, which
attracts adversaries in the form of competitors, activist groups, and white-collar criminals.

These industry snapshots illustrate the wide variety of issues, concerns, and environmental
factors that affect assets protection programs. They highlight the meshing of security concerns
with business and management issues in planning for a safe and secure setting in which to
conduct the enterprise’s mission.


INTRODUCTION TO ASSETS PROTECTION
4.3 Forces Shaping Assets Protection

4.3 FORCES SHAPING ASSETS PROTECTION

This section examines five forces that are shaping the practice of assets protection:
• technology and touch
• globalization in business
• standards and regulation
• convergence of security solutions
• homeland security and the international security environment

Some of these forces are at least partially within an assets protection manager’s ability to
influence, while others are not. In either case, security professionals should study and
leverage these forces as they formulate tomorrow’s protective strategies.

4.3.1 TECHNOLOGY AND TOUCH

Assets protection has always required a balance between human and technological solutions.
Sometimes the balance swings too far toward technology. The following statements are
described as symptoms of “high-tech intoxication” (Naisbitt, 1999):

• We look for the quick fix.
• We fear and worship technology.
• We blur the distinction between real and fake.
• We accept violence as normal.
• We love technology as a toy.
• We live our lives distanced and distracted.

We Look for the Quick Fix

Security solutions are often implemented haphazardly. Decision makers may buy
surveillance cameras or install card readers without an independent assessment or clear
understanding of the real needs. That approach addresses only the symptoms, not the cause.
Through advance planning and meaningful dialogue, the security professional can guide the
corporate decision makers on the best long-term security solution for the company.

Security professionals should take the time to ask questions and determine what the actual
problem is and then create a comprehensive assets protection strategy, not a short-sighted
quick fix.


We Both Fear and Worship Technology at the Same Time

Assets protection professionals cannot afford to be technophobes. Security systems and
procedures increasingly demand an understanding of technology, and technology is becoming
a major element in most business processes.

On the other hand, some people see technology as the solution to everything. Most common
functions today consist of several layers of technology. If something does not work, the
tendency is to add another layer of technology (Naisbitt, 2006). Careful examination of the
problem might show that a solution blending technology and other solutions (training,
policies, or personnel) is best.

We Blur the Distinction Between Real and Fake

The quality and quantity of electronic images (on television and in video games) tend to
desensitize people to real situations. Frequently seeing people attacked or killed may make
those events seem commonplace. The ramifications for security include a potential
dampening of reaction by security officers and others. For example, console operators might
react less quickly to events shown on their monitors because they see such things all the time
in games or on television. The delay may be aggravated by information overload as security
staff are expected to monitor more and more images.

We Accept Violence as Normal

When violence is considered normal, employees may not bother to report incidents or
suspicions to corporate security officials. Failure to report such matters promptly can make it
more difficult to stop such situations as workplace violence, terrorism, sexual harassment,
and hate crimes.

The perception of violence as normal can also affect the reaction of security officials. If they
become desensitized to crime and violence, they may take incidents less seriously or react
more slowly than they should.

We Love Technology as a Toy

Viewing technology as a toy can lead to a neglect of sound, risk-based assets protection
strategies. For example, one company installed biometric access controls on the entrance to
each of its office suites, even though there was no obvious need for high security. When
asked why the equipment was installed, a manager replied, “We thought it was cool.”

High technology plays an important role in assets protection, but it exacts ongoing costs,
such as training and maintenance. In many situations it makes sense to step back and take a
“back to basics” approach. For example, “Given a specific security challenge, imagine how
you would develop a solution if you had no access to technology at all. You can then think
outside the box and interject some traditional creativity into the problem-solving process”
(Naisbitt, 2006).


We Live Our Lives Distanced and Distracted

Being surrounded by technology changes our relationship to other people. Assets protection
professionals must never lose sight of the people factor in identifying and protecting critical
assets (Naisbitt, 2006):

Any security issue involves human psychology—and always will. The issues of safety and
security are simply fundamental to every human being.

When planning for security, the professionals should always consider the culture of the
organization. … Does the corporate culture foster a sense of community? Do employees respect
and care for one another? Does the nature of their work allow them to develop relationships,
or do they work in a vacuum? How much human interaction is there?

In addition to the six preceding symptoms of high-tech intoxication, two other issues are
worth considering:

• whether the prevalence of security technology leads employees to shirk their
responsibility for protecting the organization’s assets because they think technology
will take care of those assets

• whether a high-tech environment depersonalizes the workplace and leads employees
to feel it is acceptable to commit pilferage, industrial espionage, fraud, embezzlement,
and other workplace crimes

The bottom line is that human factors must always be considered in the development of
security strategies. For example, the security approach called crime prevention through
environmental design (CPTED) uses psychology, architecture, and other measures to encourage
desirable behavior and discourage undesirable behavior. Some critics claim that CPTED does
not show a conclusive link between the design concept and a reduction in crime. However,
where CPTED has been used, the recording agencies claim that there are fewer reported
incidents when compared to similar structures or developments within their jurisdiction.

4.3.2 GLOBALIZATION IN BUSINESS

Globalization brings a wider range of goods, services, vendors, suppliers, capital, partners,
and customers within a company’s reach. It also brings threats closer and may increase
vulnerabilities. Risks related to business transactions, information assets, product integrity,
corporate ethics, and liability, as well as far-flung people and facilities, expand and evolve
with increasing globalization. As the director of the U.S. Defense Intelligence Agency notes
(Wilson, 2002):

Values and concepts [such as] political and economic openness, democracy and individual
rights, market economics, international trade, scientific rationalism, and the rule of law …
are being carried forward on the tide of globalization—money, people, information,
technology, ideas, goods and services moving around the globe at higher speeds and with
fewer restrictions.

Our adversaries increasingly understand this link. … They are adept at using globalization
against us—exploiting the freer flow of money, people, and technology … attacking the
vulnerabilities presented by political and economic openness … and using globalization’s
“downsides.”

Globalization makes it necessary for assets protection managers to consider a wider variety
of customs, cultures, laws, business practices, economic factors, language issues, workforce
characteristics, and travel requirements. A more radical vision of the impact on organizational
structures is described in William Davidow and Michael Malone’s The Virtual Corporation.
They argue that the centerpiece of the new economy is a new kind of product: the virtual
product, where major business functions are outsourced with hardly any internal
departmentalization. This will give the corporate security manager even more challenges in
the protection of proprietary information, product security, supply chain security, and business
continuity. As in all cases, the dissemination of sensitive or proprietary information should be
on a need-to-know basis. Security professionals should not erect barriers to international business but
instead should help their organizations overcome those challenges and comply with the many
regulations and standards that apply around the world (Heffernan, 2006).

4.3.3 STANDARDS AND REGULATION

Security standards are becoming increasingly important, and their development is the
subject of much interest. The establishment of standards and guidelines has been described
as the centerpiece of a comprehensive assets protection program, especially in today’s global
society (Dalton, 2003, p. 185). This section discusses standard-setting bodies; statutory,
voluntary, and mixed standards; the use of certification and licensing as a form of standards;
and the impact of regulation.

Voluntary Standards

Standards from the well-known International Organization for Standardization (ISO) and the
American National Standards Institute (ANSI) are voluntary but widely adopted. Some have
been integrated into various countries’ regulatory frameworks. ISO standards that are relevant
to assets protection involve such issues as safety and security lighting, identification cards,
radio frequency identification, protection of children, and IT and information security. In the
United States, voluntary standards are also set by the National Fire Protection Association
(NFPA). Many NFPA standards are incorporated into regulations, such as building codes.
