The Bumpy Road To Integration
Sep 1, 2003 12:00 PM, By MICHAEL J. BONANNO
In 1999, Covington & Burling, an international law firm with more than 500 lawyers practicing in Washington, New York, San Francisco, London and Brussels, sought to upgrade its internal security by creating a professional security manager position and installing a state-of-the-art access control system in its D.C. office. Its major practice areas include mergers and acquisitions, finance and taxation, antitrust and regulatory law, technology and intellectual property law, white-collar defense, as well as virtually all types of litigation and alternative dispute resolution proceedings. Seeking improvements in the level of security for its facilities was paramount. After an extensive search, Covington & Burling hired Michael J. Bonanno, CPP, an expert in physical security whose background included eight years in the Marine Corps and several more with a contract security provider. Bonanno now has the title security director, and he is also an adjunct faculty member at George Washington University's Graduate School of Forensic Science, where he teaches security program design and management. In this article, Bonanno describes his process for arriving at an effective security system at Covington & Burling.
As a veteran in physical security, I was hired to oversee the installation of an access control system and raise the performance level of the in-house proprietary security staff, not necessarily in that order. Before my arrival, Covington & Burling had several different proposals from various vendors to install access control systems, but they were not sure which vendor to choose. The proposals were substantially different, ranging in price from $300K to $600K. After reviewing the proposals, I realized that I was comparing apples to oranges — nothing was the same in either proposal. Each vendor made suggestions as to what they thought Covington & Burling needed, but none of them qualified or quantified their recommendations.
I decided to conduct a full-blown physical security survey of the Washington, D.C., office to determine what we needed. The D.C. office access control system needed an overhaul. They had been using a high-security dimple key system that had not been managed properly for some time, in conjunction with electronic locking mechanisms (fail-secure drop bolts) that did not meet existing code. Reliability was questionable. I had to work around two building management companies, who, for the most part, were not open to changing their existing and antiquated perimeter security mechanisms to integrate with a new system. Covington & Burling's D.C. premises, at the time, made up the upper seven floors in one building, which were adjoined to the upper five floors of the adjacent building. I had little recourse but to recommend securing all emergency egress stairwell doors, as well as all “glass” door entrance points off elevator lobbies. Recommending securing the glass doors was certainly not a preferred choice, but better that than nothing. Changing the glass doors and their sidelights was not an option. Additionally, the emergency egress stairwells had to be secured due to lack of access control on lower floors in both buildings. Throughout this evolution, it was paramount that my recommendations kept with the industry standard:
Counter the threat: Any recommendation, by itself or when combined with another attribute, must counter the threat.
Cost effective: We do not want to spend $10,000 to protect an item worth $10,000.
Acceptable: The intrusiveness of the recommendation must be within the company's culture, or the culture must change.
Reliable: The recommendation must have a high “up-time” and return an acceptable level of false-positives or negatives.
After preparing a request for proposal (RFP), I distributed it to the four vendors who had already submitted proposals, as well as several others that were well known in the D.C. metro area. The RFP was specific to include the scope of work, background on the firm, project security requirements, project activity reports, specific tasks for the vendor(s), expected deliverables, proprietary furnished property, the proposal submittal process and a work option for an asset tracking proposal. The extensive RFP was generated to make an even playing field for all the vendors. Unfortunately, some vendors that had not submitted earlier proposals did not see it that way and neglected to submit a proposal for the project. In the end, five legitimate proposals were submitted and analyzed. Four out of five proposals were within $10,000 of each other, while the fifth was almost $200K higher than the average. As cost was not the only deciding factor, selecting the best company to do business with was not easy. My final recommendation came down to selecting the company that had a competitive price, coupled with the financial stability to live through a lengthy negotiation process. Remember, Covington & Burling is a law firm. Additionally, the vendor's software had to be malleable enough to allow significant changes in system configuration.
Specifically, we were looking to install a closed system that could eventually become an open one. The selected vendor had a new product in development, which could operate in either a closed or an open environment, but we did not want to be a beta site. Furthermore, at that time, there was not the highest confidence in our IT infrastructure.
Contract Provisions
The contract negotiation lasted almost a year. As with every security contractor I had experience with, the contract template the vendor asked us to sign was not acceptable. It failed to include: (1) remedy clauses; (2) a sufficient software licensing agreement; (3) appropriate specifications for a long-term maintenance contract; (4) system validation procedures; and (5) a third party escrow arrangement of their source code.
Remedy clause. This is an insurance policy within the contract. It identifies recourse for both parties should something go drastically wrong. It usually establishes financial guarantees if the vendor cannot fulfill its obligation under the contract. The clause is quite important to have included if one is in the process of retrofitting a facility or starting with new construction.
Software licensing agreement. Too often, access control system vendors do not separate hardware installations and software. Their software usually sits on an operating system (OS) platform, whose life expectancy and stability they do not control. OS platforms are continually upgraded to new versions and, it seems, there are new patches that should be loaded weekly. Nonetheless, access control system vendors do not allow a user to maintain the platform their software depends on, until they can verify that the patch/upgrade in the OS is feasible (or works in harmony with their software). It should be identified up front that their inability to adapt their software to the OS of their choice should not create security concerns for the user's network.
Maintenance contract. Ensure that the scope of the maintenance agreement is detailed before any installation contract is signed. A better deal on the initial installation can be negotiated if a long-term (three-plus years) maintenance contract is lumped in.
Validation procedures: The technical acceptance criteria for the system after installation must be detailed and accepted by both the user and the vendor.
Source code escrow: If the system installer goes out of business, does the user have any recourse? Only if the supplier provides access to its source code. The escrowing of source codes is commonplace for software manufacturers, but it has been my experience that access control system providers have been slow to adopt the practice. Users should demand that the vendor's source code be escrowed with a third party, without waiting for the vendor to file bankruptcy. Legal proceedings may take an inordinate amount of time, in which a system could suffer significant degradation. As a solution, it should be specified that the user can receive the source code if the vendor has failed in a material respect to support the applicable system as required by the license agreement, or if the vendor defaults in a material respect under the license agreement, etc.
Additionally, the proposal that was provided never addressed the specifics, which as the customer, we wanted listed: What kinds of locks were going to be used? Manufacturer? Type? Finish? Functionality? How will they be installed? Where will the readers be mounted? What color will they be? What choices do we have? What kind of motion sensors will be used? Where will they be mounted? What kind of door contacts would be used? How will they be installed? Is core drilling required?
To address these questions, we conducted no less than six walkthroughs with the vendor and his subcontractors. We wanted all the specifics annotated in the contract that we signed. We wound up using an installation contract template produced by the American Institute of Architects (AIA). I highly recommended their contract templates for many different types of jobs. The templates that the AIA produce are easily adaptable to almost any job through the addition of appendices and attachments, all of which may be listed in the template.
Finally, the deal was closed and both parties were ready to commence installation. Although we thought we had all the bases covered, there were still hurdles along the way — X-ray requirements for core drilling, piped conduit in exposed areas, fire code issues, vendor communication with sub-contractors, to name a few. The contract called for an on-site manager from the vendor to provide all this coordination, but the original manager was a technician, not a manager. Thankfully, the vendor was flexible and made a personnel change.
Other Issues
Here's how we addressed the oh-by-the-ways:
Fire code: Throughout the bidding process, we found many vendors were recommending locking devices that did not meet fire code or ADA requirements. For example, several vendors recommended electric strike installation in emergency stairwells, vice electric locks or magnetic locks. Fire code specifically states that those doors need to remain latched during an alarm activation. Obviously, electric strikes, if fail-safe, will not meet code. They also do not meet code if the code requires the doors to be accessible from inside the stairwell during the alarm, because if they were fail-secure locks, they would remain locked. Surprisingly, we found that the vendors stated in their contract templates that it was our responsibility to ensure that the system they install met all pertinent codes.
With strategic planning in mind, I recommended Covington & Burling commission Simplex to install its NT3400 system at each of its global offices. I knew they had a new head-end system coming out within the year that would have many more features and that would, most importantly, be capable of sitting on our network. In the meantime, we had independent systems installed in each of the global offices. During the installation process, Simplex merged with Grinnell to form SimplexGrinnell, now owned by Tyco Inc. The corporate changes did create a few misunderstandings between some C&B offices and the individual offices of SimplexGrinnell, but nothing that was not understandable in the end.
The installation period for all five global offices gave our new IT director time to make substantial changes to the firm's network backbone, resulting in a much more reliable network on which to reside a global access control system. Without the system going global, database synchronization was quite difficult.
Simplex's new system, iSecure Pro, was flexible and reliable. C&B was able to modify reports, assign rights to individual applications, manipulate event routing, and integrate it with our enterprise back-up system. The D.C. office testing period for this system was 12 months. At the conclusion, it was pushed forward to the implementation of a global system based out of Washington, D.C.
I decided to migrate the San Francisco site first, as it was the smallest location in the continental United States. It was also easiest, as it already had an Ethernet communications card installed. The iSecure Pro software was flexible enough to allow query generation that identified every card used over the past year. Those card numbers were cross-referenced with the cards in the global database prior to the individual office system migrations, to ensure there were no personnel that had a card but were not enrolled in the global system. This process was found to be quite successful.
New York was much more difficult, as all of its remote transmitting units were on their own network (an independent electrical loop). We had to change out the CPU and communication card in each remote transmitting unit and download a new configuration from the global server. Getting these two sites connected to the global server was important, in that we were able to confirm routing capabilities and operator privileges for various applications. Initial review revealed that only minor changes were needed to groups and routing to accommodate the separate office monitoring stations. The biggest problem was identified when a new iSecure Pro application was opened. The workstation wrote a lot of information across the WAN to the server. We did not have a similar problem with the workstations operating over the LANs. It was resolved by establishing a policy of opening the required applications and then not closing them until that system user was done for the day. We used screensaver passwords to protect the system when the operators were away from the workstations.
The next step was to add the London and Brussels offices to the global server. In dealing with these locations, we found that Tyco Inc. had closed Simplex shops in Europe and had ADT pick up the customers. Having the U.S. SimplexGrinnell offices order 220 volt powered remote transmitting units was a challenge, but nonetheless, it was resolved. As expected, we ran into the WAN time delay on applications opening, but other than that, the migration was virtually seamless.
© 2008 Penton Media Inc.