TEN COMMANDMENTS of security design

Aug 1, 2000 12:00 PM, William J. McKool

The best way to protect a facility is to design for security from the building's conception. Security design must be approached in three directions: architecturally, operationally and technologically.

Architectural security is, by far, the greatest factor in security design. Limiting the number of access points minimizes the problems associated with controlling access.

Technology should never be used as a substitute for good operational controls. Electronic security measures should be used to complement procedures. If everyone adheres to established, easy-to-follow procedures, abnormal activity becomes apparent.

These factors all play a role in effective security design. The following commandments will assist the security professional in integrating architectural, operational and technological security into any facility.

1 Start early. A security program should begin with the schematic phase. Many security concerns can be overcome by providing input on entry and exiting schemes, traffic patterns, logical adjacencies and departmental security concerns. Any element affecting the security of the facility must be brought to the attention of the architect prior to a final commitment on building design.

One recent client required all employees to card-read in and out of the data center - not an unusual audit request given that information is probably the most vital asset a company monitors. It is also a procedure that is easily abused by employees, unless they are "forced" to card-read out in order to exit. The most effective way to meet the client's wishes and provide the immediate egress dictated by fire code, was to provide a separate, emergency-exit-only door. Door alarms were installed, both locally and remotely, to deter unauthorized use.

Adding the exit-only door to the space required that offices be shifted, which caused the entire floor to be redesigned. Such effort and expense can be avoided if the security requirements are fully understood prior to the architect signing the contract.

Expeditious action can result in considerable savings in construction costs. Savings are not just the products of consolidating or eliminating access points. Items such as elevator controls, unique construction requirements and door hardware have cost implications. If implemented early, input in these areas can save up to of 50 percent compared to the cost of adding features later.

Card reader control of the elevators is a good example. Two separate clients were developing similar high-rise office buildings. Both agreed that card reader control of the elevators for after-hours security was a desirable feature. Unfortunately, one client had already bought the elevators package and had to purchase the controls as a change order. The price of adding the controls later was $3,000 more per elevator. With 10 passenger elevators plus a service elevator, it adds up to a $33,000 difference.

Early input also reduces duplication of effort. The roles of each contractor should be established. A single card-reader- controlled door can involve up to seven different trades including the hardware supplier, carpenter, electrician and security contractor. The exact start and stop points for each of their responsibilities requires coordination. The roles of each should be determined by the project manager with exact lines of demarcation.

2 Design the facility for the operation, not the operation into the facility Whoever said "form follows function" has not been through the design process lately. Although certainly important, aesthetics is sometimes emphasized too much at the cost of functionality. When an operation is forced into a space not complimentary to its function, compromises are introduced which can adversely affect both security and operational efficiency.

A review of the architectural drawings of a new high-rise office building recently revealed that the lobby desk, which was to be the hub of security operations, was tucked away in the corner. This was done so that tenants would not be "offended" by the security desk intruding on the design of the lobby. The problem was the desk was so inconspicuous that no one would have noticed it. In addition, the desk was not in a position to provide any control after-hours; people could enter without passing by security. A guard had to be posted in the center of the lobby as well as at the desk, greatly increasing manpower costs.

After discussion, the desk was moved to the center of the lobby, thus providing a great view of all entries. The location allowed the security guards to react before anyone entered an elevator. The architect designed the desk so that it was no longer considered "offensive," but rather the centerpiece of the grand lobby.

Operations such as warehousing, data processing, or research and development each have distinct traffic patterns associated with the workflow. Consequently, they all have unique security requirements. When a function is forced into a space, security often becomes complex in an effort to compensate for design deficiencies. Security that is cumbersome typically violates the next commandment.

3 Make security convenient. Perhaps the most important rule in security planning is to keep security convenient. The more security blends with normal day-to-day operations, the less likely employees will be to circumvent the controls. Architectural drawings should be reviewed with two factors in mind. First, the weakest link in any security program is people. Without the cooperation and commitment of the users, security measures are an exercise in futility, not to mention a wasted expense. Piggybacking and unauthorized use of exits are constant user-related violations.

The other factor draws figuratively upon the laws of physics. People will seek the path of least resistance. Employees will always attempt to find the easiest way to perform their duties. If it causes a breach in security, it's only a problem if they get caught. Should a route through an emergency exit be the quickest way to the parking lot at the end of the workday, there is great temptation to take the shortcut.

It was happening at a newly built production plant. The employee parking lot was such a distance from the employee entry that, at quitting time, nothing could stop the people from taking the closest exit to their car - a severe security breach since turnstiles were used at the employee entry to ensure individual control.

After months of security breaches, a card reader-controlled security revolving door was installed. It granted employees the convenience of quick access to their vehicles, while providing security management with the controls they desired. In addition, the security revolving door minimized manpower costs.

With these elements in mind, the security professional should study employees habits. By doing so and planning early, situations such as the one described at the production plant can be avoided. The security design for the facility should complement operations, not impede them. A "go with the flow" program is less susceptible to abuse. It is easier to decrease regulation than to increase it.

4 Seek input from the users because they have to live with it. Outside of religion or politics, few subjects have more diverse opinions than security. Everyone is an expert. There is something very personal about security, and everyone wants to be heard.

This viewpoint can be used to the advantage of the security designer.

Start by having management appoint representatives for each user group. Instead of forcing restrictions on a group, solicit employee input. Listen carefully, but guide the results into a cohesive plan. Always let the users know the effect of any decision, such as the cost in equipment or manpower.

This approach proves successful for several reasons:

n It reduces defensive reaction to restrictions;

n It makes each user group feel that it is part of the security team; and

n People accept change more easily when they feel they were part of the change process.

A good start is a departmental questionnaire. Topics can include workflow, departmental relationships, visitor access, as well as past security problems. The user group should be presented with the security program for feedback. This step demonstrates to the users that the security designer was listening.

5 Look at all the alternatives. There are always alternatives. Comparison is the only way to determine the best solution. Very few problems are new. Other security professionals with similar circumstances can be a good source of ideas.

Brainstorming is another good tool for pooling the talents of many. Old techniques could be improved or combined to provide innovative solutions to difficult problems. Alternatives should be reviewed with an eye toward necessity, cost and effectiveness.

In the case of the production plant we mentioned, prior to settling on the security revolving door as the solution to the unauthorized exiting problem, many possible approaches were reviewed. The security management considered installing time delay exiting devices in an attempt to force employees away from the doors and establishing a manned guard post similar to the main employee entry.

The security revolving door carried the highest initial expenditure, but when compared to the cost of one guard for 16 hours a day, the payback was less than a year. This solution was well received by employees because it provided the convenience they were seeking. The controls established at the main entry were maintained, since the security revolving door eliminated "piggybacking."

6 Keep it simple. Simplicity makes a security program easier to accept, implement, operate and maintain. Conversely, when a security program becomes complicated, there is more chance for resistance, errors and failures.

One recent client might be considered overly security-conscious. His vision for entering the building was so layered that the employees would spend more time trying to get in or out of the building than performing their responsibilities. According to his plan, employees would have had to use their cards at the main entry doors, the lobby turnstiles, the elevator, each floor's elevator lobby and secured areas.

The client was finally convinced that the controls were so redundant and cumbersome that little was gained and the employees would fight the inconvenience. The final plan settled on fast-processing optical turnstiles, which established controls at the main entry point, with additional card reader controls on sensitive spaces. Traffic flowed well, control was maintained, and no resistance was presented by employees.

Always design for the minimal security required to meet the goal. A card reader should not be used when a lock would suffice. A lock is useless if the door is constantly open. The "keep it simple" approach pays dividends not only in construction costs, but in long-term maintenance as well.

7 Be consistent. All access points to a secured area should be treated the same. At times, too much attention is paid to the direct entries, while indirect entries are handled casually. This is especially true for doors designed as "exit only." For example, electromagnetic locks exerting 1,500 pounds of holding force may secure the main entrance. All that may secure the exit door is a latch bolt. When reviewing the security of a space, look at it three dimensionally. Every possible approach to the secured area must be reviewed and treated to the same level. This does not necessarily mean a card reader at every door to the secured space, but every door to a secured space would require some form of control. If the security of an area is not consistent, save the money.

A consistent perimeter is the reason a security revolving door was selected in lieu of simply installing card reader controls at one of the exit points. The card reader-controlled turnstiles provided a barrier against tailgating. That level needed to be maintained. The revolving door, with its integrated protection against multiple entries, affords the same level of security without the ongoing cost of maintaining a guard post.

8 Treat security as you would any other business. The true value of security can never be determined. Typically, there isn't a direct monetary saving associated with implementing security measures. Sometimes a reduction in shortages can be directly attributed to an increase in controls. But more often, security is proactive. It is tough to go to management and claim a saving because of everything that did not happen.

To treat security like a business decision, management should be presented with all the alternatives along with the associated cost of implementing each. The cost of the various alternatives should be measured against their possible consequences if not enacted. By providing the cost/benefit analysis, security decisions are brought to a business level that management understands. Benchmarking with similar operations is another effective means of bringing the security shortcomings to the attention of management.

There are many tools available to help illustrate the needs for the additional funds. These include graphs, digital pictures of trouble points, and audits. All of these could be incorporated into a Power Point presentation that is an effective means of grabbing management's attention and securing the funds.

9 Design for today, plan for tomorrow. The budget should fit the immediate needs of the facility. Too many security designers ask for more money than required under the assumption it will be cut anyway. It is better to provide a cost which is realistic and justified in meeting the needs of the facility.

The heart of the systems -the access control computer, the CCTV switcher - should have the capacity to grow. Fifty percent spare capacity is a good rule of thumb.

Planning for tomorrow goes beyond just the systems, however. Expansion capabilities should be considered for console enlargement, riser closet space, conduit and wiring. A small amount of preplanning can lead to considerable savings as the systems grow.

Communications is a major factor in a system's ability to grow. The security designer should work hand-in-hand with the information technology group. This cooperation can open opportunities for using the company's telecommunication network, including fiber optics, LANs and WANs.

10 Specify for performance. Anyone who has been to a security exposition realizes the vast amount of equipment available. It is a buyer's market. Limits should never be placed on a design by attempting to stay with one manufacturer. Security equipment is like stereo equipment. Some companies make great speakers. Others build outst anding receivers. The same company may not manufacture the best of both.

The requirements for each component of the project should be evaluated. Develop a list of expectations and minimum standards. Base the specification on the requisite that it must perform as required to do the job, not on what may be available. The security contractor bidding the project should attempt to come as close as possible to the demands of the specifications, noting the shortcomings.

Thorough specifications are just as important after the installation is completed. They provide a means of measuring the performance of the security contractor, as well as the equipment. It may be vital in ensuring the job is completed correctly, in negotiating a service contract or for evaluating additional work.

An effective design for security relies on many factors. Security for a new facility must be developed as a program, rather than just a bunch of icons on a set of plans. The three design factors - architecture, operations and technology - all play a role. The interaction between the users and security, as well as between the spaces within the facility itself, must be evaluated prior to committing to security systems and device locations. With a new facility, much of the interaction has to be projected. An effective security program takes into account topics such as the following:

n access control for employees and visitors;

n messengers and deliveries;

n parking (if applicable);

n loading dock operations;

n secured areas;

n special security requirements;

n stairs;

n elevators;

n interaction with other systems such as fire, building management and automatic doors;

n architectural security;

n manpower requirements; and

n budgetary estimates.

Once the program is accepted, the system design can move forward. By using the security design commandments, the security of the facility will not only be operationally effective, but poised to meet the future demands of the users.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue