Protective Security Requirements: Physical Security
In my previous PSR post, we looked at the mandatory requirements for the Personnel Security Governance (PERSEC) domain of the Protective Security Requirements. In this post we explore the four mandatory requirements of the Physical Security (PHYSEC) domain.
As the government’s online PSR guidance states, physical security threats can come from your own people or from outside your organisation (visitors, contractors, the public, external groups), and they can also come from accidents and natural disasters. Examples include:
- crime, including personal and property crime;
- workplace violence, such as assaults, harassment, and revenge attacks;
- civil disturbances, such as protests and riots;
- natural disasters, such as floods, earthquakes, and pandemics;
- industrial disasters, such as explosions, building fires, and structural collapses;
- terrorist acts, such as bombings, extortion, and kidnappings;
- other risks, such as incidents involving people in mental health crisis, and traffic accidents.
Robust physical security can help you keep your people, customers, and the public safe, and meet your obligations under the Health and Safety at Work Act 2015.
PHYSEC1 - Understand what you need to protect
Identify the people, information, and assets that your organisation needs to protect, and where they are. Assess the security risks (threats and vulnerabilities) and the business impact of loss or harm to people, information, or assets. Use your understanding to:
- protect your people from threats of violence, and support them if they experience a harmful event;
- protect members of the public who interact with your organisation;
- put physical security measures in place to minimise or remove risks to your information assets.
An underlying theme throughout the four domains of the PSR is the idea of taking a ‘risk based approach’. It’s no surprise, therefore, that the first of the PHYSEC mandatory requirements is all about assessing what you need to protect and what you need to protect it from.
In this regard, the PSR guidance poses four questions for you to consider:
How will your facilities be used?
Knowing what your facilities are used for, who uses them, who may visit them, and what is stored in them, can assist your understanding of who might pose a threat and why they might be attracted to your facilities.
Are your people working away from the office?
Consider what your people might face when they are working away from the office, such as at home, in remote locations, in another premises, or overseas. The hazards your people face and the level of risk they are exposed to differ significantly depending on location.
Have you taken health and safety needs into account?
Under the Health and Safety at Work Act 2015, organisations must take all reasonable steps to minimise the risk of harm to employees, clients, and the public, and ensure their physical security plans address the risk of harm.
Is your organisation co-locating?
If you’re co-located, work in partnership with the other tenants to build a shared understanding of physical security issues. You should similarly engage with neighbouring organisations and consider ‘joined up’ approaches to security where appropriate.
PHYSEC2 - Design your physical security
Consider physical security early in the process of planning, selecting, designing, and modifying facilities.
Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with relevant health and safety obligations.
This is all about ‘security by design’ and baking security in from the ground up. Use site-specific risk assessments to help you prepare site-specific physical security plans, and ensure that your risk assessments feed into related documents, such as your Business Continuity Plan and/or Disaster Recovery Plan.
Your security planning will identify the types of security controls/measures most appropriate to your organisation. These may include a considered mix of security guarding, patrols, CCTV, locks and access control systems, intruder detection and alarm systems, perimeter fencing, gates and bollards, security lighting, safes and security containers.
Importantly, your security planning should include what is potentially your most important security control of all: your people. No amount of investment in physical security will be effective without the right security culture.
PHYSEC3 - Validate your security measures
Confirm that your physical security measures have been correctly implemented and are fit for purpose.
Complete the certification and accreditation process to ensure that security zones have approval to operate.
Dividing your facility into distinct security zones achieves ‘security in depth’. Zones may include ‘public areas’, ‘work areas’, ‘restricted areas’, and so on, each afforded a different level of security in accordance with your security planning.
Whatever your situation, your Chief Security Officer (or the person to whom you have delegated CSO functions) should validate whether your zoning and security measures are right for the risks your organisation faces.
Validation should be carried out by a person who is suitably qualified and experienced, and the validation should be made against any relevant policies, guidelines or standards. Depending on the nature of your organisation, facilities, or security controls, there may be a formal certification and accreditation process required.
PHYSEC4 - Keep your security up to date
Ensure that you keep up to date with evolving threats and vulnerabilities, and respond appropriately. Ensure that your physical security measures are maintained effectively so they remain fit for purpose.
This is the part of the process that tends to get overlooked. Once a plan has been devised and a set of security controls put in place, organisations often default to an approach of ‘set and forget’.
I can’t stress enough that security controls only remain fit for purpose when they are properly maintained (such as a good service and maintenance plan for electronic security assets) and when they are regularly re-evaluated in line with periodic security risk assessments.
Coming up...
My next PSR post will be the sixth and final post in the series, so stay tuned for the finale! If you’d like to have a discussion about how we might be able to assist you in your protective security planning, feel free to contact me at [email protected]