Physical Security Plan

prudence98
ResourcesforPhysicalSecurityPlanning.docx

Physical Security Planning

stock photo of a security officer working in control room.

Jon Feingersh Photography Inc. / DigitalVision / Getty Images

Organizations can implement the best authentication scheme in the world, develop the best access control, and install firewalls and intrusion prevention. However, their security cannot be complete without implementing physical security. 

The goal of physical security is to protect the actual hardware and networking components that store and transmit information resources. This involves taking measures to prevent unauthorized access to the organization’s assets. These measures include the following:

· Locked doors: It may seem obvious, but security is useless if an intruder can simply walk in and physically remove a device. High-value information assets should be secured in a location with limited access.

· Physical intrusion detection: High-value information assets should be monitored through security cameras and other means to detect unauthorized access to the physical locations.

· Secured equipment: Devices should be physically locked down. One employee’s hard drive could contain all your customer information.

· Environmental monitoring: An organization’s servers and other high-value equipment should always be kept in a room that is monitored for temperature, humidity, airflow, and unauthorized access. The risk of a server failure rises when these factors go out of a specified range.

· Employee awareness and training: Physical security requires educating all employees on organizational policies and best practices related to security, such as upholding visitor policies, workstation locking, device encryption, following policies related to traveling with work devices, and reporting suspicious activity (Kostadinov, 2017).

References

Kostadinov, D. (2017). Tips for managing physical security. Infosec.  https://resources.infosecinstitute.com/category/enterprise/securityawareness/managing-physical-security/#gref).

Security Considerations for Hospitals

Health care facilities such as hospitals and clinics must carefully plan to ensure the safety of patients and staff, facilities, and other assets. In addition to staff and patients, hospitals are open to access by visitors, physicians, delivery personnel, and other members of the public. Hospitals also have security sensitive areas, including the newborn nursery unit, pharmacy, and patient record storage. Patient care areas at greater risk for violence include emergency rooms, waiting rooms, mental health units, and units for cognitively impaired.

In this assignment, you will be making security recommendations for three areas of the Northwest Shelbyville Regional Hospital. As you are creating a map to ensure a safe and secure environment for staff, patients and visitors, and to mitigate the risk of loss or damage to property, equipment, or infrastructure, consider the recommendations below.

Securing the External Perimeter and Building Grounds 

The outer perimeter of a property is defined by the actual property lines. In securing the outer perimeter, the goal is to control who can walk or drive onto the property. The exterior of the hospital should use physical environmental features, walkways, lighting, and designated activity areas in ways that maximize visibility to make visitors and staff feel safe and intruders feel uncomfortable.

When designing your map, you may want to consider the following recommendations from Saxena & Kamal (2018):

· Entry points should be in highly visible areas.

· Security checkpoints should be provided at all entrances and exits. 

· Lighting should be installed near entrances/exits for safety. 

· Vehicular routes should be segregated from pedestrian routes.

· Parking spaces for staff and visitors should be differentiated and identified.

· Parking areas should have controlled entrances, and those entrances should be limited.

· Fencing, signage, and landscaping should not block sight lines. 

· Signage and landscaping should not block or obscure lighting.

· Trees should be located so they cannot be used to climb over fences or onto buildings.

· Be aware of creating spaces in which a person could hide.

Securing the Entrance and Lobby  

Securing the entrance and lobby of a hospital involves a balance between the need to keep people safe while maintaining an environment that is conducive to healing and where patients, staff, and visitors feel comfortable.

Here are recommendations from Saxena & Kamal (2018) and The State of Victoria and the Department of Health & Human Services (2017):

· Minimize the number of unmonitored entrances into the building. Design a well-defined main entry with signage and rules to direct all visitors to the administration area. 

· Use a card access system for entry.

· Locate the main point of entry at the front of the building near the administration area and visitor parking/drop-off area.

· Ensure that exits are visible and routes to reach them are clearly marked.

· Ensure that each floor has at least two exits. 

· Provide plenty of windows at main entry to enhance natural surveillance.

· Equip secondary entrances with alarms to indicate when these doors are open. 

· Ensure that entrances have adequate lighting.

· Use shatterproof glass in the lobby and lighting for safety and visibility. 

· Place a waiting area with a bathroom outside the secured area.

· Use metal detectors as part of security clearance.

· Maintain cameras in lobby areas.

Securing Patient Areas

Patient areas must ensure safety for patients, staff, and visitors while maintaining an environment that is sensitive to patient needs for comfort and social interaction and minimizes unnecessary stress for patients, according to the Joint Commission on Accreditation of Healthcare Organizations (2009).

As you design your security plan, consider the following tips from the Center for Health Care Design (2017) and ECRI Institute (2017):

· Segregate authorized and unauthorized visitors in patient areas.  

· Install intrusion detection systems in any areas not continuously staffed.

· Place staff areas to provide visibility and direct access to exits and elevators, and equip them with duress alarms.

· Control access to elevator lobbies.

· Use "wayfinding" designs that direct patients and visitors to staffed exits (wayfinding refers to the concept of patients, staff, and visitors being able to easily navigate a facility) and ensure that wayfinding and other signs do not compromise direct visibility/sightlines and electronic surveillance systems. 

· Secure doors and windows and lock staff areas such as lounges and break rooms.

· Monitor and control access to patient areas.

· Securely store equipment.

· Maintain unobstructed exists in patient rooms.  

Special Consideration for Maternity Units

The Joint Commission, a nonprofit health care accreditation organization, has established best-practice guidelines for preventing infant abduction in the hospital (2003):

· Attach identically numbered bands to the infant (wrist and ankle bands), mother, father, or significant other immediately after birth.

· Implement an infant security tag or abduction alarm system, such as a bar-coding system or umbilical clamp, which triggers an alarm, locks doors, and freezes elevators if the infant comes within four feet of an exit or elevator. 

· Transport infants in bassinets; don't allow them to be carried or left in the hallway without direct supervision.

· Establish a tracking system to document where the infant is at all times. 

· Control access to the maternity unit; for instance, keep all unit exit doors locked and make sure doors are monitored by cameras with a date/time stamp.

Geofencing

Geofencing is an application that uses the global positioning system (GPS) or radio frequency identification (RFID) to define geographical boundaries. It sends reports or triggers alarms when a predefined area, the “geofence" or virtual boundary, is crossed. Such safeguards can be used to help facilities manage equipment, workflow, monitor conditions, and track staff and visitors (“Radio-frequency identification,” n.d.).

 RFID infant protection systems are potentially lifesaving tools. The system includes a small radio transmitter attached to a tag worn on the wrist or ankle of each baby. Exit points throughout the hospital are electronically monitored with alarms to detect unauthorized removal of babies (Industrial Engineer: IE, 2005).

View of baby's feet with a RFID security tag on

Sally Anscombe / Taxi / Getty Images

References

Center for Health Design (2017). Security: Mitigating risk in healthcare facility design.  https://www.healthdesign.org › res_files › Module_SRA_Security_2017_6

ECRI Institute. (2017, May 24). Violence in healthcare facilities. Healthcare Risk Control.  https://www.ecri.org/components/HRC/Pages/SafSec3.aspx

The Joint Commission (2003, October). Root causes: Practical approaches for preventing infant abduction. Joint Commission Perspectives on Patient Safety, 3(10), 7–8. https://journals.lww.com/nursing/fulltext/2007/10000/Preventing_infant_abduction_in_the_hospital.17.aspx

Joint Commission on Accreditation of Healthcare Organizations. (2009). Planning, design, and construction of health care facilities (2nd Ed.). https://www.jcrinc.com/-/media/deprecated-unorganized/imported-assets/jcr/default-folders/items/pdc09_sample_pagespdf.pdf?db=web&hash=829F1CE9A681AFD9E1BC577867F1C2E9

Radio-frequency identification (n.d.). In Wikipedia. https://en.wikipedia.org/wiki/Radio-frequency_identification

RFID saves baby. (2005). Industrial Engineer: IE, 37(11), 12. https://search-ebscohost-com.ezproxy.umgc.edu/login.aspx?direct=true&db=mth&AN=20651879&site=eds-live&scope=site

Saxena, R.  & Kamal, M. A. (2018). The impact of built environment on crime prevention and safety in schools: An environmental-behaviour design guidelines approach. American Journal of Civil Engineering and Architecture, 6(6), 260–270. Available under the Creative Commons Attribution 4.0 International license.

The State of Victoria and the Department of Health & Human Services. (2017). Security and safety at hospital.  https://www.betterhealth.vic.gov.au/health/servicesandsupport/security-and-safety-at-hospital

Security Controls

The goal of IT security is to protect the people, property, and data assets of the organization. Organizations use security controls to minimize risks to those assets. Security controls can be classified by type: physical, technical, or administrative. All three are necessary for robust security (Walkowski, 2019).

Physical Controls

Physical controls involve security measures that safeguard and protect physical assets against unauthorized access, damage, loss, or theft from natural and man-made events. Examples of physical controls include fences, gates, security guards, lighting, closed-circuit surveillance, motion sensors, access control systems (biometrics, access cards), and locked and dead-bolted steel doors

Among physical controls, the use of personnel can be effective, but it is also the most expensive countermeasure to reduce physical security risks. Ouyang (2012) states that security guards can be used to:

· check credentials at entry points 

· ensure company property does not leave facility

· monitor intrusion detection systems

· verify doors and windows are locked

· watch for suspicious activity 

Technical Controls

Technical controls, also called logical controls, use technology to restrict the access and usage of sensitive data. Examples of some of the hardware and software used for technical controls includes include authentication solutions, firewalls, antivirus software, encryption, and intrusion detection and protection systems. 

Administrative Controls

Administrative or procedural security controls involve the procedures and policies that define and guide employees and users when dealing with the organization’s assets. This includes employee training and awareness programs, hiring and termination policies, data classification, equipment and internet usage guidelines, separation of duties, and disaster preparedness and recovery plans (Walkowski, 2019).

Compensating Controls

There is an additional category of controls called compensating or alternative controls. These are physical, technical and/or administrative controls employed by an organization in lieu of a recommended security control. These security measures are used to prevent a gap in IT compliance when the security requirements are too difficult or impractical to implement due to legitimate technological or business constraints (Bisson, 2016).

For example, organizations ideally should have two or more staff members complete separate parts of certain tasks such as developing and testing a security system. This will prevent fraud and employee error so that no single person has sole accountability for the task. 

However, if an organization has a very small staff, it might need to have one employee complete the task. To compensate, the organization may implement a compensating or alternative control such as having that one employee maintain detailed logs and give reports to an audit committee or hiring a third party to monitor the process (Reeds, 2017).

References

Bisson, D. (2016).Compensating controls: An impermanent solution to an IT compliance gap. Tripwire. https://www.tripwire.com/state-of-security/security-data-protection/compensating-controls/ 

Ouyang, A. (2012).  Physical (environmental) security domain [PowerPoint slides]. CISSP Common Body of Knowledge Review. https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=2ahUKEwi4h7mKxoXmAhUE11kKHac2AqgQFjACegQIAxAC&url=http%3A%2F%2Fopensecuritytraining.info%2FCISSP-6-PS_files%2F6-Physical_Security.pdf&usg=AOvVaw3RNR5kwdnhG-1tHRQYeH9Z

Reeds, C. (2017). Separation of duties and IT security [Blog post].  https://blogs.dnvgl.com/energy/separation-of-duties-and-it-security 

Walkowski, D. (2019). What are security controls? An overview of the types of countermeasures security practitioners use to reduce risk. F5. https://www.f5.com/labs/articles/education/what-are-security-controls