Making The Rules

Apr 1, 2004 12:00 PM, By Corrina Stellitano

The security industry provides protection, but what protects the security industry from delivering inconsistent, widely fluctuating results? Several national organizations have begun creating comprehensive security standards and guidelines, opening a discussion that has been called “the biggest issue that confronts [the security] industry today.”

Some facets of the security industry are standardized. Organizations like the Underwriters Laboratories Inc. (UL) and the American National Standards Institute (ANSI) offer more than 800 standards governing products and components, many of which emphasize fire safety and electrical system specifications. They include such arcane documents as the Standard for Surface Raceways and Fittings for Use With Data, Signal and Control Circuits, or the Standard for Smoke Detectors for Fire Alarm Signaling Systems.

The National Fire Protection Association (NFPA) offers more than 300 technical standards and codes predominantly related to life safety and fire prevention, such as the well-known National Fire Alarm Code, NFPA 72.

And the Security Industry Association (SIA) has produced more than 20 technology-specific standards, ranging from An Interface Protocol for Communications Between a CCTV Switching Sub-System and an Access Control Sub-System to The Recommended Practices for Dye Sublimation Printing on Polyvinyl Chloride (PVC) or Polyvinyl Chloride Acetate (PVCA) Cards.

The NFPA, however, is now developing more all-encompassing documents in the form of NFPA 730, Guide for Premises Security, and NFPA 731, Standard for the Installation of Electronic Premises Security Systems. As a guide, NFPA 730 offers information and recommendations for protecting various types of facilities, from one- and two-family dwellings to industrial complexes. The document covers exterior and interior security devices and systems, physical security devices, security personnel, and security planning, detailing various aspects ranging from the recommended components of an intrusion detection system to suggested duties of security personnel. NFPA 731 provides specifications for installing electronic security systems in the included types of facilities. If the development processes continue on schedule, both could hit the streets in July 2005.

ASIS International (ASIS) has also begun to develop guidelines recommending security procedures in a number of areas, some of which overlap the subject matter covered by the NFPA. The organization released its first general security guideline in January 2003, and is now set to publish three more guidelines by third quarter 2004. The General Security Risk Assessment Guideline released in January is a seven-step methodology for assessing, identifying and communicating risk in a specific facility; it then communicates appropriate solutions. The Private Security Officer Selection and Training Guideline designates minimum criteria for the selection and training of officers; The Chief Security Officer Guideline discusses the key responsibilities, skills and qualifications for a company's senior security executive; and The Threat Advisory System Response Guideline provides businesses with the appropriate precautions based on the alert levels of the Department of Homeland Security. These three are awaiting evaluation of public comments before final versions are published this year.

Other guidelines slated for future development by ASIS include business continuity, protecting information, museum security, workplace violence prevention and response, conducting investigations and security countermeasures. These guidelines will also be issued as draft guidelines and will undergo a public review and comment period of 60 days.

“This is the biggest issue confronting our industry today — who will set the goals for our industry,” says Chad Callaghan, co-chair of the ASIS Guidelines Committee. “The discussion is descending on our industry, and there are some people who are not aware of it, some who are hoping it will go away, and there are many more who are embracing it.

“And then some are confused about who is going to be setting the future direction for the security industry, whether it be ASIS or the NFPA,” he continues. “For that reason, this is a very big issue.”

Industry experts say the security industry is faced with difficult questions:

• Does the security industry need governing standards?

• Who should issue them?

• How enforceable would the standards or codes be?

• How would the standards open up industry members to liability?

The NFPA takes on security

The NFPA's path to 730 and 731 has been long and winding, not without apparent dead-ends. Allan M. Apo, senior technical manager with the Engineering and Safety Service of the Jersey City, N.J.-based Insurance Services Office (ISO), first approached the American Society for Testing and Materials in 1992 about producing security guidelines similar to NFPA 730. After four years, the project was abandoned in the face of opposition by the lodging and real estate management industries.

Apo took the idea to the NFPA. Through his work in loss control, he had often worked with the NFPA; the NFPA was, in fact, created by the National Board of Fire Underwriters, a predecessor organization to ISO, in 1896. “My original hope was to develop a security code for one- and two-family dwellings. That (would serve as a) baseline to go forward to other occupancies. Initially, there was a lot of support for the idea, but there was also opposition,” recalls Apo, who now chairs the Task Group for the 730 guideline.

In the late 1990s, the NFPA Board of Directors had already decided to develop a set of consensus codes and standards for facilities. But the project suggested by Apo, a premises security code, “was on-again, off-again for several years, because this was something different for the NFPA,” recalls Rich Bielen, P.E., NFPA chief systems and applications engineer. “We primarily created documents like the National Electrical Code and the National Fire Code.”

Not until 1999 did the NFPA Board decide to develop a full set of consensus standards on premises security. Initially a committee was formed to create one document, but discord quickly rerouted this path.

“The initial meetings were a lot of frank and direct discussion,” describes Shane Clary, chair of the task group for NFPA 731. “There were people who felt the NFPA had no business doing this, and others felt it needed to be done. There were two schools of thought on the committee. They asked, ‘Are we writing a code that tells people what to put into a building if you're trying to protect it, or are we writing a code that tells people how to put in the systems?’ Out of that, 730 and 731 were born.”

Document 730 would be a guideline, while 731 would be bestowed with more power as a standard. According to NFPA definitions, the most binding document issued is a code, suitable for adoption into law independently of other codes and standards. A standard uses the word “shall” to indicate requirements and is written in a form suitable for mandatory reference by another standard or code. A guide is advisory or informative and contains only non-mandatory provisions — the document as a whole is not suitable for adoption into law. Guides often serve as a compilation of other existing resources.

The NFPA prides itself on creating applicable documents through consensus. “We have a balanced (technical) committee: We try to take no more than one third of any group — for instance, insurance, manufacturers or users,” Bielen says. The technical committee chair then forms task groups to provide specific expertise and input; task group members are not required to be NFPA members.

As an enforceable installation standard for electronic premises security systems, 731 contains mandatory requirements for those who adopt it. The standard is organized similarly to the NFPA's National Fire Alarm Code, NFPA 72.

Because 731 is a standard, it contains more forceful language and could be adopted by a local governing body as law. Once the NFPA standards are adopted, the next question becomes, “Who will enforce them?” The NFPA describes the enforcing body in its documents as the “authority having jurisdiction.” According to Bielen, this authority can include local law enforcement, building inspectors, insurance companies or the property owner.

Eventually, the 730 guideline could become a code or standard, Bielen says. “Often, it's a compromise to get to the point where everyone agrees on what the document should look like. Once everyone becomes more comfortable, at some point it can be developed into a standard or a code.”

Feedback from opponents

Talking with proponents and opponents of security guidelines reveals that acceptance or comfort with the NFPA documents seems to be a faraway destination. Immediate opposition to NFPA 730 and 731 has not been restricted to how enforceable the documents will be. One objection expressed by many committee members, Apo says, is that the guidelines “would actually create liability for them, because if you don't meet the guidelines established by the document, you're not providing an acceptable level of security (in a manner that is easily pinpointed by the legal system.)”

“There is some basis to this argument because courts do tend to muddy the line between what is a standard, what is code and what is a recommended practice,” he continues. “Our response is to urge the companies to become involved by working with us to make sure they already meet the guidelines included in the document, so it won't create a problem.”

Shane Clary, who works as vice-president of code and standard compliance for the 11 branches of California-based Bay Alarm Co., says the legal objection has been a visible presence in NFPA committee meetings for 730. “I've been involved in committee work for 10 years now, and this is the first committee I've seen where we have so many lawyers attending,” he says.

The concern about liability is not the primary complaint by most security professionals, however, Apo says. Many security professionals say they support security codes or guidelines, but question the development of these documents by an organization primarily known for its work in fire prevention and life safety.

“Many people believe the NFPA is not the proper place for developing security documents,” Apo says. Instead these opponents say guidelines created by a security industry-based association like ASIS, with more than 33,000 members worldwide, are more applicable to the security industry.

Apo notes the NFPA's long history in the standards writing business and its preoccupation with consensus and representation from a variety of industries. “The documents that ASIS develops are developed solely by security people,” he says.

Security rules by security pros

Callaghan, who is also vice-president of loss prevention for Marriott Intl., is a vocal proponent of abandoning the NFPA security efforts. In addition to serving as co-chair of the ASIS Commission on Guidelines, he also serves on the developing committees for NFPA 730 and 731.

“I am a proponent of the NFPA abandoning the project, and using the ASIS guidelines,” Callaghan says. “I am not opposed to security guidelines. I oppose a fire protection group setting guidelines for the security industry. Given that the ASIS work is being done by security professionals, it makes more sense to me that ASIS should be the body that promulgates standards or guidelines. Secondly and very importantly, ASIS would not be in the business of profiting from standards or guidelines.”

In discussions as far back as 1975, ASIS had expressed opposition to standards or guidelines for the security industry. Then in early 2001, under the leadership of President Bonnie Michelman, the group began developing guidelines.

“As the security industry has matured, there is greater knowledge and more expertise available to get a cross-section of experiences and proven best practices,” says Don Walker, co-chair of the ASIS Guidelines Committee and CEO of Securitas Security Services. “Technological advancements have made it easier to share knowledge and develop reliable metrics to qualify and quantify the effectiveness of methods and practices. In addition, risks and threats have increased in severity, prompting an increased need to have ‘proven best practices’ and yardsticks by which an organization can judge its security effectiveness.”

In the current political and world climate, the security industry should establish practical guidelines before a legislative or regulatory body imposes unrealistic requirements, Walker says, adding: “As ASIS is the largest professional security organization, it should be the entity to establish security guidelines.”

ASIS guidelines are non-binding recommendations, though the organization is ANSI-accredited. In a unique arrangement intended to improve consistency, the ANSI-accredited Security Industry Standards Council (SISC) also reviews new standards issued by ASIS, the Central Station Alarm Association, SIA and the National Burglar and Fire Alarm Association.

Callaghan says he supports the introduction by the NFPA of the more systems-oriented 731 standard, but opposes NFPA 730, especially if it could eventually become a binding standard. “In respect to 730, I personally don't think many security pros would support NFPA doing a premises standard (730), but I do think many security pros would support ASIS doing it,” he says. Opponents like Callaghan argue that the NFPA's true experience lies in the governance of systems like fire alarms, not the overall protection of a facility.

Explains Bill Strother, a member of the 730/731 technical committee who opposed the document becoming a standard: “The original committee voted to limit the document to testing, installing and maintaining of electronic security devices. The majority felt that was more in line with the NFPA's expertise.”

Strother and Callaghan express concern that the general standards are intended to apply to too many applications. “I think the last thing that our industry needs is government regulations,” Callaghan says. “However, if we don't take action to set some (voluntary and consensus based) guidelines, someone is going to step in and regulate it for us. Because it's such a broad industry, I think it would be very difficult to have regulations which would be actionable across all lines of the industry.”

Strother, corporate director of security for Weingarten Realty, calls this the “cookie-cutter issue.” In his 30-year tenure in the security industry, he has directed security for a bank, a hospital and the Weingarten Realty corporation, with its 38 million-square-foot portfolio.

As a member of the 730 task force, he also represents the International Council of Shopping Centers which opposes the guideline — especially if it will become a standard. “As an organization, the International Council is opposed to setting an actionable code or standard for the security industry. Our argument is they're asking us to take a cookie-cutter approach to security, which is not possible with a shopping center environment.”

Though 730 first directs any property owner or security director to complete a risk assessment of his facility, Strotherworries that users may try to avoid this effort. “We feel very strongly that by publishing a standard you will actually limit some people. Some landlords would look at that standard and that's exactly where they would stop, as opposed to doing what's good on its own merit for the property,” he says.

Strother made the motion to make 730 a guideline rather than a code or standard. “Personally I feel that if any organization is developing security standards, it should be a security organization. But regardless of who is developing the standard, the shopping center council feels it's going to be difficult to develop a standard that is so general it can be of use to everyone without it becoming so general that it's useless.”

Strother supports documents tailored to specific channels, such as the guide to writing a shopping center security manual created by the International Council of Shopping Centers each year.

But varying, and sometimes conflicting, niche documents are the problem 730 and 731 are intended to fix, according to Bielen. “The combination of the two standards may level the playing field on the installation side. Since there really are no standards for installation, you have a wide range of people and companies and philosophies. And from the 731 side, there really was no document that gave you security recommendations for all the various occupancies,” he says.

“Insurance companies have certain guidelines; the International Council of Shopping Centers has certain requirements. What we did is develop a plan that will be applicable for all the different occupancies,” he continues. “For the most part, no matter what type of facility you have, you can go to this document to see what to do.”

Comment periods remain open for many of the NFPA and ASIS documents and both opponents and proponents urge security professionals to join the discussion. “These documents are only as strong as the comments we receive from the industry,” Clary says.

FOR THE RECORD

About the companies

For information, circle the Reader Service number (listed below) or visit securitysolutions.com

ASIS International	20
National Fire Protection Association	21

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue