There are various factors that may influence the security of any industrial facility, as was discussed in detail in the previous chapters. These factors vary from system- or plant-related threats, to chemical–biological threats, which may directly affect internal security as a whole.
Security within the industrial plant or oil facility may also be affected by external threats, ranging from planned terrorist activities to sabotage and individual attempts by disgruntled staff or by opponents in the market. Terrorist activities are becoming more prevalent, and facilities sustaining sensitive and/or expensive operations may fall victim to such attempts, especially as most conflicts are becoming more asymmetric in nature (asymmetric warfare: conflicts that are nonconventional and difficult to define, where the intended hostility and the identity of the belligerent are not visible).
The existence of a terrorist threat and its ability to gain access to a given facility will be influenced by the following factors, and should be analyzed according to its perceived manifestation and the prevailing trends and tendencies as mapped within a specific country and certain political arenas.
The acquired assessed or demonstrated abilities or capabilities of the terrorist group must be analyzed in detail by utilizing security information analysis. It may also be advisable to approach existing sources of intelligence gathering on regional and national levels.
The intentions of the terrorist organization must be obtained or assessed. These may be found in recently demonstrated hostile activities or intent against the company, or in stated intent to demonstrate hostility toward the company or a country. If the company represents a symbol of the country or may be classified as a national key point (NKP), the threat potential will be far higher than expected. The following are critical considerations: What is the history of the group? Have they conducted terrorist activities in the past? What current credible information exists on activity indicating preparations for an imminent attack? The US Department of Homeland Security (DHS) uses the following color code to assist during the analysis of threat levels (Table 8.1).
Table 8.1 US Department of Homeland Security color code: security threat levels
Threat level | DHS color code | Factors present
Critical | Red | Factors 1, 2, and 5 present; 3 and 4 may also be present
High | Orange | Factors 1, 2, 3, and 4 present
Medium | Yellow | Factors 1, 2, and 4 present
Low | Green | Factors 1 and 2 present; factor 4 may be present
Negligible | | Factors 1 and/or 2 present
Terrorist or other hostile activities may aim to destroy a facility or to disrupt its output of a specific chemical or product. In most cases, these activities are conducted using some form of explosive, varying from manufactured munitions to improvised explosive devices. Vehicle bombs are the best known means for such attempts, because of their mobility and the opportunity to enter a facility through the standoff zone; they are discussed later.
Vehicle blasts can develop very high pressures, but the pressures decrease rapidly with distance. This was evident in the highly destructive explosion at the Khobar Towers in Riyadh in 1996. The terrorists were reported to have smuggled explosives into Saudi Arabia from Lebanon. In Saudi Arabia, they purchased a large gas tanker truck and converted it into a bomb. Al-Mughassil, Al-Houri, Al-Sayegh, Al-Qassab, and the unidentified Lebanese man bought a tanker truck in early June 1996.
Over a 2-week period, they converted it into a truck bomb. The group now had about 5000 lb of advanced, high-grade plastic explosives, enough to produce a shaped charge that detonated with the force of at least 20,000 lb of TNT, according to a later assessment of the Defense Special Weapons Agency. The power of the blast was magnified in several ways. The truck itself shaped the charge by directing the blast toward the building. Moreover, the relatively high clearance between the truck and the ground gave it the more lethal characteristics of an airburst. It was originally estimated by US authorities to have contained 3000–5000 lb of explosives.
Later the General Downing report on the incident suggested that the explosion contained the equivalent of 20,000–30,000 lb of TNT. The terrorists prepared for the attack by hiding large amounts of explosive materials and timing devices in paint cans and 50-kg bags, underground in Qatif near Khobar. The bomb was a mixture of gasoline and explosive powder placed in the tank of a tanker truck (Figs. 8.1 and 8.2).
In order to prevent such an attack, the barriers on the perimeters must prevent penetration of the vehicle beyond the standoff zone. There are three levels of protection based on building damage:
There are two very important measures to be instituted or improved to ensure that barriers and perimeters are impenetrable:
It is, however, important to first understand the levels of threat and the types of weapons that may be used to attack a facility before the importance of vehicle barriers and of enforcing the proclaimed standoff zone and distances can be fully appreciated.
Standoff weapons include machine guns, artillery, heavy caliber guns, and mortars. They cannot be detected in advance. The best protection is prevention of line of sight from exterior vantage points. Screen with trees, walls, or fencing. Even wooden fences can act as pre-detonation devices.
If mortars are a concern, strengthen roof surfaces to withstand blast and add a layer of protection to reduce line of sight. The facility may require added internal reinforced concrete walls to serve as sacrificial walls for blast resistance. Masonry is generally resistant to all but armor piercing rounds. For military weapons, thicknesses must be doubled to 18–20 cm of brick or 18 cm of reinforced concrete.
The minimum standoff distance is 50 ft (20 m) or more, depending on the type and amount of explosives anticipated. Use tools such as ALOHA or Archie (disaster management tools, or the formulas presented in earlier chapters) to calculate blast damage based on the size of the vehicle and the anticipated weight, and adjust accordingly. Walls may magnify the blast and can create missiles if the blast occurs next to a wall (Figs. 8.3 and 8.4).
For nonexclusive standoff zones, an additional layer of distance (protection) is required (see Fig. 8.5).
The best protection is achieved through thorough searching and by not allowing any vehicles inside the standoff zone unless cleared by security after a search.
Fencing is not a barrier. Most fencing will delay people for less than 10 seconds: about 4 seconds to climb and 10 to cut. A bomb inside a building (mail room) is much more hazardous than a bomb outside because the force is not dissipated. Keep the mail room and delivery points separate and preferably of light construction or revetment grade (revetment grade is designed to withstand and dissipate a blast). Receiving areas should be kept away from other areas and designed to prevent blast damage. Utility openings, including drainage ditches and sewer openings of greater than 20 cm diameter, should be protected against intrusion or insertion of a weapon. Seal manholes and close gaps for drainage swales. Barrier fences should be at least 2.1 m tall, with barbed wire or concertina wire on the top. Maintain a clear zone around the perimeter of the exclusion zone.
Security design is probably the most important element for the future existence and profitability of any industry or company. The security architecture is therefore dependent on detailed consideration, planning, and implementation of various facilities and infrastructure upgrades to ensure a proactive and technologically relevant security environment. Aspects to be considered, as well as discussed further in this chapter, are as follows:
Perimeter barriers are fixed around the perimeter of the standoff zone and include the following types which may vary according to the threat potential and level of fortification required:
Active vehicle barriers are much more expensive, but with proper design they can stop vehicles of 7000 kg at speeds of up to 85 km/h. Much heavier construction is required, which further ensures anchorage in the ground. Active vehicle systems include bollards, cable beams, sliding gates, drums, and so on.
Active vehicle barriers are installed and constructed at all main entry and exit points to facilitate controlled movement. Although movement control is exercised from these locations, active vehicle barriers must be able to prevent forced entry in the best possible way. This aspect is again dependent on the level of the anticipated threat and the analyzed methods of forced entry expected. In Figure 8.7, different active vehicle barriers are illustrated, varying from cable beam barriers and retractable bollards, to drum-type barriers.
Speed control is important. Establish an entrance lane that provides a serpentine path and that limits vehicle speeds to 15 km/h. Use Jersey or other types of barriers to slow vehicles. Establish barriers both inside (after) and outside (approaching) the perimeter barrier. The sides of the entry roadway should have high curbs to prevent vehicles from leaving the roadway.
Entry control stations should be located at main entry points where guards and control staff are present. A holding area should be established for unauthorized vehicles, with a turnaround for other vehicles prior to inspection. Vehicles passing through the entry control stations should display a vehicle sticker or temporary visitor card. Entry control stations should be manned 24 hours and should be equipped with quality interior and exterior lighting. Exterior motion detectors have to be installed to enable detection of threats or vehicle movement from a distance. Entry control stations should further be reinforced to be bullet- or blast-proof as the threat indicates. First-class communications systems must be installed and made available, with secure interfacing between telecom and radio facilities. Sufficient technology must be considered to assist in signaling potential threat indicators. Signs clearly signaling all control requirements and law enforcement policies, where applicable, must be displayed (preferably in as many local languages as possible) at least 30 m from control and entry stations.
It is important to consider that the master command, communications, and control center should not be located at the main entrance unless the building is blast proof. In every event, a backup location away from the front gate should be established, and all communications should be routed to this station in parallel so that it has the same information as the main station in the event that the main station is disabled by blast, attack, or incident. All sensors should be routed to this backup station as well, but not through the primary station.
Blast forces will be substantially horizontal, but will require reinforcement of floors and walls to withstand blast pressure. Most buildings nowadays are designed to withstand 2.3 kPa; explosion pressures can be significantly higher. The use of reinforced masonry or concrete is added to newer buildings to absorb or counter blast pressures.
Windows present a special problem. Flying glass accounts for 85% of injuries. The following preventative and reinforcing methods may be considered and applied according to the nature of the anticipated threat potential:
Security lighting is probably one of the most important elements of security and will enhance all other technologies and planned efforts to secure any environment. Without quality and sustainable lighting in all strategic locations, security services are rendered blind. In order to plan and install a guaranteed security lighting system, the following critical considerations are applicable:
The value of a well-planned and sustainable lighting system design is that it will assist in discouraging intrusion by making detection likely, and that it will enhance all reactive efforts by the guard force and other observers.
Boundary areas must be lit so that guard paths are darker, in order to present glare in the eyes of attackers. High brightness and contrast between intruders and the background is required. Though it may sound ridiculous, it is crucial to keep buildings brightly painted and clean to assist in providing sufficient silhouetting of the intruder. Standby or emergency lighting should duplicate existing patterns. Illuminating both dock areas and approaches is required. Docks should have at least 10.74 lx, and the water at least 5.37 lx, out to at least 30 m from the pier (port/plant security).
An Electronic Security System (ESS) is the placement and implementation of electronic systems to serve as early warning of unauthorized intrusion or other planned attacks. This may include closed-circuit television (CCTV), security lights, various forms of sensors, alarm systems, and a well-trained and adequate guard force for response. An ESS should be reliable, accurate, and updated according to the most recent technologies. The ESS must delay the intruder from achieving their objectives until the response arrives. A well-designed system minimizes the possibility of covert intrusion. All sensor systems have nuisance alarms and physical design constraints for detection. Respect those constraints! Manufacturers do not provide information on nuisance alarms: they occur from environmental conditions (wind, birds, etc.) and from electrical faults. If sensor alarms are delayed, the area to be searched increases.
The speed with which detection is achieved is important. If a fence is scaled or cut in 10 seconds and an intruder runs at 6 m/s, a 2-minute delay could result in an area search of over 80 ha (200 acres). CCTV cameras must be independently illuminated. A scanning system should be installed for more than 10 cameras. Most exterior intrusion sensors are exposed to much more rugged environmental conditions and generally do not detect movements above 2.5 m, even on fences. Buried sensors are generally not able to detect movements more than a meter above the ground surface. Interior ESS sensors are generally less costly than external sensors. For entrances, windows, and so on, there has to be an access mode where the alarms are shut off for normal access and a secure mode where they are activated. The secure mode should never be locally controlled, and access mode must not de-energize the alarm. Duress and tamper switches must never be put into access mode. Each type of sensor has its limits. Fog, rain, and dust limit infrared (IR) capabilities; it might therefore be advisable to consider thermal imaging to supplement IR. Wind may cause fence-mounted sensors to give false alarms. Vegetation can cause many false alarms and conceal intruders. Line of sight is extremely important for detection and confirmation (Fig. 8.8).
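As an added illustration of the detection-delay figure above (this is not the chapter's own calculation), the following Python snippet computes the area that must be searched for a given delay and running speed, and inverts it to give the longest delay that keeps the search inside a chosen area. It assumes the intruder crossed a straight fence line and moves inward, so the reachable region is a half-disc; that assumption reproduces the chapter's 80 ha (200 acres) figure for 6 m/s and 2 minutes.

```python
import math

# Figures taken from the chapter: fence breach time and assumed running speed.
FENCE_BREACH_S = 10.0
INTRUDER_SPEED_MPS = 6.0

# Constructed conversion constant (1 ha = 2.4710538 acres).
ACRES_PER_HA = 2.4710538


def search_radius_m(delay_s: float, speed_mps: float = INTRUDER_SPEED_MPS) -> float:
    """Furthest distance the intruder can have covered when responders start looking."""
    return speed_mps * delay_s


def search_area_ha(delay_s: float, speed_mps: float = INTRUDER_SPEED_MPS,
                   inward_only: bool = True) -> float:
    """Area in hectares that must be searched after a detection/response delay.

    Assumption (ours, not the chapter's): the intruder crossed a straight fence
    line and heads inward, so the reachable region is a half-disc of radius
    speed * delay. With inward_only=False a full disc is used instead.
    """
    r = search_radius_m(delay_s, speed_mps)
    area_m2 = math.pi * r * r
    if inward_only:
        area_m2 /= 2.0
    return area_m2 / 10_000.0


def ha_to_acres(ha: float) -> float:
    return ha * ACRES_PER_HA


def delay_budget_s(max_search_ha: float, speed_mps: float = INTRUDER_SPEED_MPS) -> float:
    """Longest total delay (breach + detection + response) that keeps the
    half-disc search area at or below max_search_ha hectares."""
    r = math.sqrt(2.0 * max_search_ha * 10_000.0 / math.pi)
    return r / speed_mps


def detection_budget_s(max_search_ha: float, breach_s: float = FENCE_BREACH_S,
                       speed_mps: float = INTRUDER_SPEED_MPS) -> float:
    """Time left for sensors, assessment and dispatch once the fence breach
    time itself has been subtracted from the total delay budget."""
    return max(0.0, delay_budget_s(max_search_ha, speed_mps) - breach_s)


if __name__ == "__main__":
    for delay in (30, 60, 120):
        ha = search_area_ha(delay)
        print(f"{delay:4d} s delay -> {ha:6.1f} ha ({ha_to_acres(ha):6.1f} acres)")
    print(f"Budget for a 10 ha search: {delay_budget_s(10):.1f} s total, "
          f"{detection_budget_s(10):.1f} s after the fence breach")
```
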
Alarm configurations for small systems may provide individual alarms for specific areas or a general alarm depending on configuration. An ideal system will provide specific area notifications to increase probability of detection and minimize false positives. Computer-assisted systems may use multiple computer processors and automatic reset as well as entry/card acceptance for certain functions. All alarm systems should be connected through redundant data transmission links to prevent local loss of signal from inactivating regional and zone alarms. Alarms should be logged, preferably by printer. There are five possible alarm levels:
Exterior sensors are quite straightforward and differ from one facility to another, again based on the threat levels and the type of intrusion/violation that could possibly be expected. All external sensors share the objectives of providing early warning and, in extreme cases, of terminating the attack or intrusion. External sensors may consist of the following:
Access control is the primary point for the enforcement of security and is probably the most vulnerable area, providing entry to the processes of the industry or complex. The main focus of effort by security staff, the guard force, and detection technology should be directed here. History has taught that most unauthorized entry, especially by vehicle-borne improvised explosive devices, proceeds through access control points. In many case studies performed, this is usually supported by staff within the complex, either being supportive of the intruder or being forced to participate. There are three main types of access control points that should be established to ensure controlled entry.
Three types of areas are as follows:
All employees must be screened to eliminate potential threats. Before hiring any personnel, the following aspects should be checked and verified:
Medical screening may be necessary to establish the mental and physical condition of the candidate. Family medical history may also be appropriate for severe medical stress or sickness.
Identification cards may be adequate for low security areas. Badges with personal details are required for areas with over 30 employees/shift personnel. Personal recognition systems (uniforms or color coding) depend on guard force protocols. Multiple badges and cards/color coding may be required for varying levels of security entry. Card or badge specifications should include the designated areas where cards/badges are required. The description of the badge in use and the authorization limits of the bearer must be indicated and verified by both the employee and the control point. The badge must be presented when entering or leaving each area, at all times. The disposition of cards upon termination of the employee, or for other causes, must also be clarified.
Visitor identification is a critical part of access control. Because any industry is dependent on contracted services, deliveries, shipment of cargo, and other consignments to and from the facility by other industries, hostile or unauthorized entry may occur through this route. Visitor identification and the control of all cargo/items entering or leaving the facility will limit the vulnerability to any form of unauthorized/hostile intrusion. The following are the most important aspects to consider and check during the authorization of visitors to the complex/facility:
A package checking system must be enforced prior to entering all restricted areas. Inspect all outgoing packages for authorization (this cuts down on pilferage). If 100% package control is not possible, use frequent random checks and inspections. Personal vehicles and packages, tool boxes, and so on, need to be inspected during entry and exit. Visitors' vehicles must be clearly marked. Truck and rail movements in and out must be inspected. Truck and rail gates must be locked. Shipments must be sealed and seals inspected upon entry. Incoming trucks and rail cars must be logged in. The following details must be logged:
Key locks are only good for low security systems and offices. Dead-bolt locks and mortise locks are only slightly better than straight key locks. Drop-bolt locks are better than dead bolts. Combination locks need to be backed up by other locking devices when the area is unoccupied. Padlocks are mostly low security devices, except high security padlocks that have hardened parts. ALL LOCKS ARE DELAYING DEVICES AND ARE NOT A POSITIVE BAR TO ENTRY OR FORCED ENTRY, BECAUSE THEY CAN BE DEFEATED!
There is a vast difference between security staff recruited from a local, home-grown origin and staff of a contracted nature. The type of security required versus the potential threat to the facility will determine the type of guard force required to protect the security interest. Factors like the origin of candidates, qualifications, and cost obviously have to be considered, but the perceived threat potential will ultimately determine the type of security forces needed. You should answer the following question: Do you want a local rent-a-cop or a professional? There is a difference in cost and level of involvement.
It is further important to determine the levels of authority and jurisdiction. What special powers or authority are required to effect arrests? What jurisdiction will the guard force have in relation to the existing policing and/or defense forces' jurisdiction? What other armed force responses are available to contribute to the capacity of a guard force? Consider liabilities for accidental deaths. Relations with local police and military are important. Consider force organization and response when coordinating roving patrols. Who responds, with what, where, and how many?
Standard operating procedures (SOPs) have to be drafted and implemented to guide and control all security force activities within the facility. They must be designed to clearly stipulate procedures, responsibilities, accountabilities, and roles, especially in the event of emergencies, attacks, and other unauthorized activities. The security forces must be controlled from a centralized command and control location, in some cases referred to as an Operations Control Center or Headquarters, and all staging and forming-up areas must be known and rehearsed as part of contingency planning.
Security personnel must have provisions for shelters, relief, and breaks (at least every 2 hours). Security personnel may only be utilized for security, not firefighting (unless in an emergency), but cross training for use when off duty is permitted. Strict instructions and posting assignments must be issued, as well as for actions required during emergencies elsewhere in the plant.
Training must be supported with regular evaluations, testing of skills, and rehearsing of drills. Security forces may require uniforms, specialized vehicles and equipment, dedicated communications infrastructure and radio equipment, traffic control equipment, sirens, flashlights, weather gear, and so on. Training should include the following:
Harbors, ports, and terminals are highly susceptible to security breaches because of high levels of foreign (non-plant) workers and movement of goods. Security needs to monitor the area and establish a perimeter and classifications for various personnel. Patrols should be combined randomly and regularly. Specialty (high-value) areas should be clearly designated and considerations include the following:
Keep cargo secured while being transferred. Establish security perimeter and access control points. Erect field expedient barriers and limit personnel access to those required. Provide a separate holding area whilst truck cargo is inspected and sampled where required. Inspect inbound and outbound containers. Verify records, seals, and documentation. Respond to various threat levels with appropriate security measures.
Continuous auditing and evaluation of security systems is critical to ensure that the most appropriate and updated systems design is maintained at all times. Due to the fact that the threat scenarios continuously change in any facility, auditing and evaluation must be formal processes allocated to an accountable team within the security environment. A risk assessment team must be appointed and should consist of the following staff:
Figure 8.9 illustrates the preferred groups and individuals that should be incorporated into the Risk Assessment Team. The figure relates to Electronic Security System Design and is a graphical representation of its design elements.
Security management is an integral part of management as a whole. The executive staff of the facility remains accountable for security, even though qualified security staff is employed and appointed to fulfill different responsibilities within the security environment. Figure 8.10 indicates the relationship and channels of liaison from a management perspective.
The blank sheet approach to auditing and evaluation is the most effective model to implement in order to maintain a secure sequence for the identification of challenges within the security environment and the continuous rectification and implementation of required upgrades.
The blank sheet approach provides a cycle of activities, which will continuously start and end, to ensure a live and frequent analysis of the security systems design, as follows:
The blank sheet approach to auditing and evaluation, as discussed earlier, is more informal and provides a logic cycle of assessment and rectification. The business approach is a more formal system related to the management activities and processes within the facility. We will examine this again later in this chapter.
The business approach to audits and assessment is a list of steps to be followed from the audit impact assessment down to the assessment report and follow-up assessment (see Fig. 8.12 for the business approach to audits and assessments).
Benchmarking is a continuous ongoing long-term process. It is a systematic, structural, formal, analytical, and organized process for evaluating, understanding, assessing, measuring, and comparing business practices, products, services, work processes, operations and functions of organizations, companies, and institutions that are recognized, acknowledged, and identified as best-in-class, world-class, and representing best practices for the purpose of organizational comparison, organizational improvement, meeting or surpassing industry best practices, developing products/process objectives, and establishing priorities, targets, and goals. (Source: Van der Zee HTM. Measuring the Value of Information Technology. Hershey (PA): IRM Press; 2002: p. 144.)
A security system is more than the sum of its parts. The components of the system are just the basics. The system must address more than just fence line intrusions. There is a strong personnel component in any security system. It must be flexible and secure at the same time. The security system must be capable of considering multiple elements, including natural disasters (typhoons, sand storms, tsunamis, earthquakes, etc.), industrial accidents, including sabotage and arson, criminal acts (arson, theft, etc.), terrorism, and other possible scenarios.
A security system must consider assets, exposure, loss, and loss prevention within the framework of limited costs and personnel interactions and liabilities. A totally secure system is an empty tank in an abandoned plant. Activity incurs risk!
A good audit is a thorough examination of all parts of a system and tests the system for response to activities. A good audit is more than a paper trail, but the paper trail is important. A good physical security system includes interviews and thorough physical examination of the mission and the system being evaluated. It is both active and passive and requires a team to evaluate.
A good security system must plan for the unthinkable and undesirable, and must be able to integrate internal and external organizations which function in its support such as the following:
Define types of risk to be assessed and types of effects from incidents. Define the probability of occurrence. Prioritize the loss potential, interview personnel, review files, collect and analyze data, and compile a detailed report.
Conduct a preliminary data gathering effort. Obtain the mission statement and directives for the security function. It should be part of the overall company mission statement. It should also have specific functions and responsibilities. Interview long-term employees regarding incidents and activities; include management personnel. Oral history and written records are of tremendous value. Include retired employees where possible. Information from interviews must be recorded and accessible as part of the database. Observe and inspect security measures. Conduct a physical inspection and finalize the security audit.
Gather assets, exposure, and loss data from the corporate risk manager and controller’s offices.
Fixed assets | $_______
Owned, leased assets | $_______
(Less) Facility losses | −$_______
= Total tangible assets | $_______
Total intangible assets | $_______
This may include various categories of exposure and collateral and contributory losses and liabilities, for example, losses from business interruption, replacements, cleanup and decontamination, disposal, and other sources.
Types of losses to be considered may also include the following:
The following aspects must be taken into consideration during the review and assessment of the security system within the facility:
Illumination
Condition | Illumination (ftcd) | Illumination (lx)
Full daylight | 1000 | 10,752.7
Overcast day | 100 | 1,075.3
Very dark day | 10 | 107.53
Twilight | 1 | 10.75
Deep twilight | 0.1 | 1.08
Full moon | 0.01 | 0.108
Quarter moon | 0.001 | 0.0108
Starlight | 0.0001 | 0.0011
Overcast night | 0.00001 | 0.0001
Activity | Illumination (lx, lumen/m2)
Warehouses, homes, theaters, archives | 150
Easy office work, classes | 250
Normal office work, PC work, study library, groceries, show rooms, laboratories | 500
Supermarkets, mechanical workshops, office landscapes | 750
Normal drawing work, detailed mechanical workshops, operating theatres | 1000
Detailed drawing work, very detailed mechanical works | 1500–2000
Are safes substantial, fireproof, rated, lighted (24 hours), and covered by motion detectors?
The Emergency and Disaster Plans are integral to the operation of the facility. The plans should be reviewed and updated periodically to ensure that the actions, contacts, and equipment required for emergency response are all in good repair and usable in an emergency. It is also necessary to drill on these plans for a number of different contingencies.
The risk assessment process flow is depicted in Figure 8.13 in three phases, as follows:
The phases of the risk assessment flow are then used to outline the timelines or sequencing of the risk assessment project, as follows (Fig. 8.14).
During the risk assessment and auditing process, the severity of the perceived or expected impact of the risk identified and the levels of intensity thereof must be compared according to the scales indicated in Table 8.2.
Table 8.2 Severity of impact and risk levels
Severity | Description
Insignificant | Will have almost no impact if the threat is realized and exploits the vulnerability.
Minor | Will have some minor effect on the system. It will require minimal effort to repair or reconfigure the system.
Significant | Will result in some tangible harm, albeit negligible and perhaps only noted by a few individuals or agencies. May cause political embarrassment. Will require some expenditure of resources to repair.
Damaging | May cause damage to the reputation of system management, and/or notable loss of confidence in the system's resources or services. It will require expenditure of significant resources to repair.
Serious | May cause considerable system outage, and/or loss of connected customers or business confidence. May result in compromise of a large amount of Government information or services.
Critical | May cause an extended system outage or the system to be permanently closed, causing operations to resume in a hot site environment. May result in complete compromise of Government agencies' information or services.
Once the security risks have been analyzed according to their severity and intensity, an initial report must be compiled per assessed risk, listing all system components and establishing the system boundaries for the purpose of the report. System policies and procedures related to the risk must also be taken into consideration when drafting the report (in order to define the risk and the required management).
The report must clearly state the list of identified threats and the related vulnerabilities, as well as the severity of the impact they may have and the likelihood of occurrence. This must go hand-in-hand with a list of suggested safeguards for controlling these threats and vulnerabilities. A list of recommended changes, with the appropriate level of effort for each recommendation, must further be included in the report. Each suggested change must state the reduction in risk that is to be achieved when it is implemented.
Finally, the report must indicate the level of residual risk that would remain once the recommended changes are implemented.
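The report structure described above, worked as a small risk register: each entry carries a threat, its vulnerability, likelihood, a Table 8.2 severity, the recommended safeguard with its level of effort, and the risk reduction and residual risk the report must state. This is an added example, not the book's own method; the numeric scores, the five-point likelihood scale, the band thresholds and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass
# Severity levels in the order Table 8.2 lists them; the 1..6 scores are assumed.
SEVERITY = {"Insignificant": 1, "Minor": 2, "Significant": 3,
            "Damaging": 4, "Serious": 5, "Critical": 6}
# Likelihood scale and scores are assumed; the page does not fix one.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
BANDS = ["Low", "Medium", "High"]  # ordered so max(..., key=BANDS.index) is the worst

@dataclass
class RiskEntry:
    threat: str
    vulnerability: str
    likelihood: str        # current likelihood of occurrence
    severity: str          # Table 8.2 level if the threat exploits the vulnerability
    safeguard: str         # recommended change
    effort: str            # level of effort to implement it
    likelihood_after: str  # likelihood once the safeguard is in place
    severity_after: str    # severity once the safeguard is in place

    def inherent_risk(self) -> int:
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]
    def residual_risk(self) -> int:
        return LIKELIHOOD[self.likelihood_after] * SEVERITY[self.severity_after]
    def reduction(self) -> int:  # risk reduction the report states for each change
        return self.inherent_risk() - self.residual_risk()

def risk_band(score: int) -> str:
    """Map a 1..30 score to a band; the thresholds are assumed."""
    return "High" if score >= 15 else "Medium" if score >= 6 else "Low"

def compile_report(entries):
    """Rank entries by inherent risk and state the residual risk that remains."""
    rows = [{"threat": e.threat, "vulnerability": e.vulnerability,
             "inherent": e.inherent_risk(), "band": risk_band(e.inherent_risk()),
             "safeguard": e.safeguard, "effort": e.effort, "reduction": e.reduction(),
             "residual": e.residual_risk(), "residual_band": risk_band(e.residual_risk())}
            for e in sorted(entries, key=RiskEntry.inherent_risk, reverse=True)]
    worst = max((r["residual_band"] for r in rows), key=BANDS.index, default="Low")
    return {"entries": rows, "residual_total": sum(r["residual"] for r in rows),
            "highest_residual_band": worst}

# Constructed sample register (not from the book).
SAMPLE_ENTRIES = [
    RiskEntry("Sabotage of the control network", "Unpatched remote-access gateway", "Likely",
              "Serious", "Patch gateway; remote access only via MFA VPN", "Medium", "Unlikely", "Damaging"),
    RiskEntry("Data theft by disgruntled employee", "Shared operator accounts", "Possible",
              "Damaging", "Individual accounts with quarterly access review", "Low", "Unlikely", "Minor"),
    RiskEntry("Vandalism at the perimeter", "Unlit section of fence", "Possible",
              "Minor", "Add lighting and CCTV coverage", "Low", "Rare", "Minor"),
]
```

The ranked rows feed the safeguard list and the residual-risk statement the report ends with, and the same ordering is what Step 8 of SQUARE (prioritization against risk assessment results) consumes.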
SQUARE is the abbreviation for Security Quality Requirements Engineering. It is an extremely valuable model that assists in eliciting and prioritizing security requirements. It starts with the technical definitions, which serve as the baseline for all future communication between the requirements engineering team and the project stakeholders.
This is followed by clear security goals, documenting the understanding of the relevant security system, and by the risk assessment, clearly defining all possible likelihoods and impacts. The most suitable methods for eliciting the initial security requirements are selected by the engineering team according to the size and complexity of the project. Finally, an initial set of security requirements is established based on the risk assessment results and artifacts. Figure 8.15 depicts this sequence.
The following steps are followed to make use of SQUARE; Table 8.3 indicates, for each step, the input and techniques required, the participants, and the desired outcome.
Table 8.3 Steps to performing SQUARE(a)
Step | Input | Techniques | Participants | Output
Step 1: Agree on definitions | Candidate definitions from IEEE and other standards agencies | Structured interviews | Stakeholders | Agreed-to definitions
Step 2: Identify security goals | Definitions, candidate goals, business drivers, policies, procedures, examples | Facilitated work session, surveys, interviews | Stakeholders, requirements engineer | Goals
Step 3: Artifacts to support security requirements | Potential artifacts (e.g., scenarios, templates, forms, etc.) | Work sessions | Requirements engineer | Needed artifacts, scenarios, models, etc.
Step 4: Perform risk assessment | Misuse cases, scenarios, security | Risk assessment method, analysis of anticipated risk against organizational risk tolerance, including threat analysis | Requirements engineer, risk expert, stakeholders | Risk assessment results
Step 5: Select elicitation techniques | Goals, definitions, candidate techniques, expertise of stakeholders, organizational style, culture, level of security needed, cost/benefit analysis, etc. | Work session | Requirements engineer | Selected elicitation techniques
Step 6: Elicit security requirements | Artifacts, risk assessment results, selected techniques | Joint application development, interviews, surveys, model-based analyses, checklists, lists of reusable requirements types, document reviews | Stakeholders facilitated by requirements engineer | Initial cut at security requirements
Step 7: Categorize requirements as to level (system, software, etc.) and whether they are requirements or types of constraints | Initial requirements, architecture | Work sessions using a standard set of categories | Requirements engineer, other specialists as needed | Categorized requirements
Step 8: Prioritize requirements | Categorized requirements and risk assessment results | Prioritization methods such as triage, win–win, etc. | Stakeholders facilitated by requirements engineer | Prioritized requirements
Step 9: Requirements inspection | Prioritized requirements, candidate formal inspection techniques | Inspection method such as Fagan, peer reviews | Inspection team | Initial selected requirements, documents of decision which record process and rationale
(a) Modelled after Mead NR, Viswanathan V, Padmanabhan D, Raveendran A. Incorporating Security Quality Requirements Engineering (SQUARE) into Standard Life-Cycle Models (CMU/SEI-2008-TN-006). Software Engineering Institute, Carnegie Mellon University, May 2008. http://www.sei.cmu.edu/publications/documents/08.reports/08tn006.html.
It is the responsibility of application coordinators to implement appropriate measures to detect attempts to compromise the security or integrity of information or information technology systems. When implementing monitoring capabilities, consideration should be given as to what situations are to be monitored based on the extent of risk, the most effective means for monitoring security activities, the resources available for monitoring, and system constraints that limit the ability to monitor security events. If appropriate measures are not available within a system environment to effectively monitor security events, additional controls should be implemented to mitigate security risks.
When activity occurs that is in conflict with security policies and standards, application coordinators should take the appropriate steps to enforce the desired security practices. The steps involved range from training users and revoking access, to altering security parameters and, possibly, disciplinary action.
The facts surrounding an intrusion or system compromise must be documented, reported to the security officer, and include the circumstances that led to the discovery of the incident, actions that were immediately taken, the names of persons involved in investigating the incident, and detailed observations about what transpired, what damage was caused, and what systems or files were compromised.
The security officer must enforce and support the security policy by responding to business ethics violations through disciplinary action, termination of services, suspension, or prosecution.
It is the responsibility of management to ensure that all employees understand how to protect company assets, including information and information resources, and that they comply with security policies, standards, and procedures. Supervisors and managers must ensure that persons working within their department understand the general security requirements and are sufficiently knowledgeable about the security policies, standards, and procedures to recognize the need for protection and the requirements for which they are specifically responsible.
The security officer with assistance from the security team is responsible for developing and implementing an information security awareness program that supports employee awareness.
Managers and supervisors need to be aware of performance in this area, encourage good security practices, and address inappropriate behavior. Application coordinators can assist in implementing specific awareness programs.
The following are critical training requirements for security staff within the company. The extent and level of training will be determined by the appointments and responsibilities of the staff:
The security manager has a different focus and responsibility than the rest of the organization. The rest of the organization is focused on providing production, research, shipping, and so on. The security manager is focused on avoiding losses from undefined internal and external sources.
The security department cuts across various disciplines. The security manager is more than a glorified guard-force manager, although that is the general perception. The security manager cannot do the entire job alone; he or she needs subordinates, and these subordinates are the first line of defense and shape the perception visitors form of the company. Sometimes, loss prevention and control is considered a part of security.
There is often a conflict between the organization and its people, arising from the differing histories, talents, and abilities of the people involved. Every organization has a formal organization chart and an informal one that is used to get things done effectively: you know what the organization chart says, but when you want to get something done, who do you really go to?
Every organization has a culture, and it is often based on who has the ear of whom in management and what special privileges that individual gets, or gets away with (for example, the company doctor’s parking space). It is important to recognize these factors and deal with them on a practical level.
The following are the different roles within the security department:
Everyone is subject to some stress, because it is a part of everyday life. Security personnel may experience somewhat higher stress than some other occupations because of the nature of their differing, and sometimes contradictory, roles in keeping the plant, its equipment, and its personnel safe from various known and unknown hazards. Often, the security force must worry about attacks from outside by persons unknown, with unknown armaments, as well as about employee theft (which is not confined to plant workers but can also involve top management). Here are some suggestions for handling job stress.
Stress is another name for fear and/or worry. When we are worried or stressed, we cannot perform at our peak. Stress has physiological effects that include the following:
The following techniques will help us to reduce or eliminate worry:
Often based on autocratic styles, this view assumes the worst about employees: the average human dislikes work and will avoid it if possible. Because of this dislike of work, most people must be coerced, controlled, directed, threatened, and so on, to get adequate performance from them. The average human prefers to be directed, wishes to avoid responsibility, has little ambition, and wants security above all else.
In the contrasting view, the average individual considers work a part of life, as natural as play or rest. External control and the threat of punishment are not the only ways of bringing about effort; people will exercise self-direction and self-control when they have committed themselves to the work. Rewards are found, in part, in the execution and satisfaction of the work. The average person seeks responsibility under the right conditions, as it gives a sense of pride. People can be imaginative and creative in the fulfillment of their work if given a chance. The intellectual potential of an individual is only partially utilized by his or her work; the challenge is to obtain the commitment to utilize that intellectual potential to its fullest.
The following maintenance factors will have an influence on the behavior of employees:
The following aspects can be regarded as motivators within the job environment and should be managed well. It must further be clearly understood that each individual has a different personality, background, upbringing, and set of skills; even levels of maturity and experience differ from person to person:
Bad management traits are serious and detrimental to any form of management. Management within the security domain is even more adversely affected by these forms of managerial conduct:
Security is everyone’s business. We need to approach it in a professional manner with intelligence and personnel training on the important things. The people in the security force are professionals and deserve respect just as much as the plant operators and engineers. In that regard, we hope this book has been informative and helpful.