Physical Key Management Practices for Organizations

Physical Key Management Practices for Organizations

Physical key management is important in today’s business world, although oftentimes overlooked and approached with levity. Effective key control is key for security, managing risks, and protecting assets of your organization. Whether it’s about logging and tracking issued keys, the principle of key management will play significant role in the overall security of your organization. By practicing standardized key control businesses would prevent potential security risks associated with porous practices. Organizations must be strategic in managing their building and office keys. Being tools for security protection, any compromise has potential to put critical and confidential business assets to avoidable risks. Let’s explore, simple and easy to adapt practices to keep organization office keys protected. That is, protecting the protector. Physical Key Management Practices Have policy, standard and procedure: starting point for office key management is to have policy in place. Such will make the organization’s intent known towards this direction. Following policy should be standards and procedures that would highlight step by step method of managing these keys. Staff and stakeholders must be notified, and periodically re-iterated. Establish authorized user: office keys must not be allowed to move freely from hand to hand. There should be clarity about who is an authorized user and under what condition will such authority be exercised. For example, authorized user of a particular office should have specified days and timeframe they are authorized to access key for official purpose. Create tiered access: users must be tiered. This means that authorization to use should be relative to roles, responsibilities and function. Principle of least privilege is recommended. A user can access only the office key required to perform their duties. Automate key tracking: automation of key tracking will enable managers know exactly who has what key per time. The system should also indicate when such key is been used beyond acceptable duration relative to programming. Alternate manual key log: where automation is not applicable, manual key log should be activated as substitute. Have master or valet key: your organization should endeavor to have master or valet key in place. This will come handy in the event of misplacement or loss of primary key. Store key secured: office key should be kept securely in a fire-resistant key rack. The rack location must be visible and constantly monitor directly or remotely. That is, protecting the protector. Code keys: office key should be coded with associated manifest, not labelled. Coding will conceal identity of users and prevent target unauthorized access. Simplify issuance and tracking: efforts must be made to simplify request, authorization, issue and tracking of this asset. This would eliminate drudging frustration usually associated with this exercise. Do periodic audit: ensure periodic audit is carried out. This is necessary for check and balance and accountability. Establish protocol for lost key: a lost key is a compromised key; as such protocol for lost key will ensure timely reporting, investigation and possible recovery or overhaul replacement. Building and office keys hold access to locations where vital business assets are kept. To protect these assets well; the protector must be protected. This can be achieved through simple procedures encoded into practices driven by organization’s policy. ALSO READ: Embracing Diversity and Inclusion: The Key to a Prospering Workplace Culture  

Emerging Trends in Physical Security

Emerging Trends in Physical Security

Contemporary physical security is concerned with traditional security roles, assets protection, and loss prevention. All services are offered concurrent such that it cannot be cleared understood by a lay person. Emerging trends have kept the industry evolving rapidly. Traditional security refers to routine tasks that involve control of access to premises through checks, credentials authentication and authorization. Asset protection means that it has responsibility to ensure that organization’s physical assets (on-premise or on-transit) are not stolen, tampered with or damaged. Finally, loss prevention function of security demands that whatever should constitute risk with potential for loss must be prevented by security. Overtime physical security has been influenced by modern factors and realities of new world. Since 9/11/2001 terror attack on US, the perception and appreciation of security in general has been experiencing radical change. The service side is now a necessary evil. To some others it is a cost centre, yet to the conscious organization it is seen as business enabler that must be recognized and supported. This article highlights the developing and emerging trends that have kept security services on its toes. To remain relevant and command budget allocation, security must go with the tide of modernity. Below are the emerging trends in physical security. Sophisticated threat landscape: risk, threat and vulnerability are key components that is driving security service delivery. The goals are to ensure risks are strategically managed by proactive identification of threats and prompt resolutions for vulnerabilities. The threat model is increasingly evolving, threat actors have become sophisticated in knowledge, tools and collaboration. Automated Access Control System: many organizations are abandoning traditional manual access control for digitalized and automated type. This approach may adopt fingerprint, facial recognition, biometric, voice command, etc. Security Operations Centre: most businesses are currently either transforming their traditional CCTV control room to Security Operations Centre (SOC) or building new infrastructure. The centre serves as central hub for security operations. The core focus of SOC oftentimes includes Visual Surveillance System (VSS), Access Control System (ACS), and Intrusion Detection System (IDS). Security Operations Centre optimizes security service delivery for efficiency and agility where prompt response by a support Quick Response Force – QRF is the rule of thumb. Automation Of Operations: with dominance of artificial intelligence, some routine functions of security are being replaced with automated process. Such automation may include Visitor Management System (VMS), Electronic Patrol Management System (EPMS), Incident Management System (IMS), etc. This automation enables standardization, consistency and efficiency. Security Convergence: the gap between physical and cyber security is increasingly getting blurred. This novel approach enabled many organizations to integrate information technology solutions into physical security operations. For example, a facility may have physical deployment of guards at gate posts for physical security screening and digital boom barriers to compliment, at same time have a biometric access control at various access point in the buildings and restricted areas. All operations would be monitored real-time from a security operations centre. Data Analytics: physical security is traditionally not a data-driven filed however, current trend is favoring practitioners and service takers who are able to generate data that provide insights for informed decisions. Hybrid workforce: combining outsourced and proprietary security personnel to form a team with different background have become the norm in the industry. Hybrid work schedule: some middle level and executive security personnel have adopted a flexible work pattern of having some days at work and some days at home within the week. CPE & certifications: continuing professional education and certifications have become pillars of relevance and career growth for most security practitioners who are strategic about career success. Regulations and compliance: new regulations have been established to control and coordinate practices and actions in security industry. To avoid business disruptions and possible severe sanctions, organizations are duty bound to adhere and comply. Networking and collaboration: security practitioners, entrepreneurs, developers/technologists, etc. are appreciating the need to come together for mutual assistance and industry advancement. Networking and collaboration have form significant reference for stakeholders. Further to this, several organizations, institutes and interest groups have provided platforms for wiling players. In conclusion, physical security industry has established its value as a go-to business enabler. Several factors as highlighted above are playing key roles to keep it thriving in line with demands of modern business world. ALSO READ: 16 Trending Physical Security Threats Every Corporate Organization should Prepare to Deal with

16 Trending Physical Security Threats Every Corporate Organization should Prepare to Deal with

16 Trending Physical Security Threats

Physical security is responsible for overall protection of assets, people and information in the business place. Threat is any person, group, and/or activity that have potential to cause breach of security within a defined space. While the underlie principle of physical security has universal application; what may be defined or accepted as threat is relative to time and space. Threat is synonymous with loss as such, whatever is seen as security threat must elicit thoughtful concern from organization who might suffer its impacts. For instance, pilfering may seem inconsequential in most business setting however, if was not confronted and addressed it can run down a business. The starting point for any corporate organization is to put in place a functional security team who have capability to harness available resources to prevent or frustrate potential threats. Physical security threats are constantly evolving alongside modern society. This is largely influenced by workplace culture, technology, knowledge, socioeconomic factors, globalization, and available market. To stay abreast or ahead of this trend, an organization must build agility, resilience and dominance. What can shape the kind of physical security threats a business may face include type and size of such business, industry, location, leadership and regulation, policing and criminal justice system. Here is highlight of all-time physical security threats every corporate organization should prepare to deal with. Access breach – happens when people and/or materials enter or leave business premises without authorized approval. An organization with porous access management will struggle to exist. Any state or country characterize by border (land, water, and air) porosity will be overrun by criminality. General theft – this old stealth craft may occur in form of stealing, dupe/swindle, pilfering, shoplifting, diversion, shrinkage, padding, undersupply, cargo theft, siphon, fraud, etc. regardless of its form, it is a business killer. Vandalism – this threat is a property crime. It involves willful destruction of a company property Stowaway – this sort of security threat is applicable to aviation and maritime transport sector. It occurs when people illegally board an airplane or ship with intent to enter another country without following official protocol. Burglary – this refers to act of gaining illegal access into a locked building, room or office with intent to commit crime. Oftentimes it involves forceful breaking and entry; sometimes, it may happen with ease of access. Arson – this is act of intentionally setting fire on a property to cause loss to the owner or users. It may be influenced by a disease called pyromania or by vengeance or by criminal intent. Robbery – this old coercive craft involves act of violence through the aid of a weapon to take what belongs to others. Civil unrest – this may occur in form of riot, protest, demonstration, strike, picketing, lockout or lockdown. Regardless of how it happens, it can cause business disruption. Kidnapping – involves abduction or hostage taking of people with aim for a gain. Identity theft – this crime involves intentionally taking on identity of another person and conducting relationship in the name and profile of the person. It is very common on cyber space; however, it also exists in physical world. For instance, a non-staff thief can use identity credentials of a staff to prowl, and to access or exit company premises. Natural disaster – this is an act of nature (force majeure) which may include flood, drought, storm, hurricane, tornado, and earthquake. Convergence of threat – also known as cyber-physical threat is a peculiar kind of threat that is increasingly bridging the gap between physical and cyber security worlds. When a cyber-attack impacts physical services of an organization, a convergence of threat is playing out. For instance, a ransomware or distributed denial of service can cause panic and frustration for customers of an organization thereby creating mutual insecurity. Product adulteration – this sort of security threat is applicable to manufacturing industry. It is a practice of faking a branded product that enjoy widespread industry acceptance and sometimes dominance. Workplace violence – this applies whenever any act of violence against someone happens in a business premises. It may include robbery, assault, harassment, fight, and other types of uncontrolled aggression. Fraud/embezzlement – fraud is a dishonest act of stealing money or property by deception or trick, while embezzlement involves stealing company’s money by a person of trust and authority. Sexual harassment and/or rape – this refers to intimidating act against someone for sexual pleasure; or forcefully having sexual intercourse with a person. This threat is most common with female gender; however, a male can also become victim of it. Physical security threats are realities of modern world business. The security threats exposed above are not new, however, criminals have continued to innovate new ways of committing them such that solutions which worked a decade ago may not be effective today. Proper prior planning will prevent poor performance in responding to these threats. ALSO READ: Insider Threat Management And Guide

Security Operations Centre – SOC Essentials For Physical Security Operation

Rear view of security system operator looking at CCTV footage at desk in office

Security Operations Centre otherwise known as SOC is a central hub for security operations. The concept was originally applicable to cybersecurity operations. However, it is no more an exclusive field. Futuristic physical security is increasingly optimizing its operation through adaption of this niche functions of surveillance and response. With Artificial Intelligence dominating business world, Security Operations Centre is indeed the future of security value. The reality of future physical security is such that most organizations would go full automation. This disruption will lead to sharp drop on reliance on physical deployment of guardforce personnel. Many routine roles of guardforce that require less decision making will likely be replaced with automation. Given above scenario; most corporate security departments are currently expanding their traditional CCTV control room operation to reflect a classic Security Operations Centre settings. In this configuration, the SOC will be equipped with skilled personnel for complex tasks that would essentially include monitoring, analyzing and responding to security threats. Security Operations Centre will serve unique function, dedicated to using analysis of observed event to direct and guide field security operatives to respond to emerging security incidents within a facility or distant location being monitored remotely. In the age of Artificial Intelligence, the importance of Security Operations Centre cannot be relegated. It would play crucial roles in shaping the future of physical security operations. Field security force who are serving as quick response force – QRF would rely on SOC to activate response to security incident. See below, the summary of security routine security functions to be integrated into Security Operations Centre. Controlling access to premises and assets. Monitoring people, locations and activities. Managing security incidents. Responding to emergencies. Supporting investigations. Enforcing compliance to company rules and regulations. Reporting incidents. The two types of Security Operations Centre – SOC:  Managed SOC – this is an outsourced SOC, to a third-party service provider. It may be located onsite or offsite command centre operated by the vendor. Dedicated SOC – this is a proprietary or inhouse SOC; owned and operated by an organization. It is usually located onsite, however; it maybe tasked to manage various offsite locations that belong to same organization. It is correct to brand such, a command centre SOC. Security Operations Centre technologies and tools: Access Control System – ACS: this tool is deployed for management of access control. It makes use of pre-enrolled card, pin, code, fingerprint, facial or voice recognition, etc. SOC runs the enrollment, privileges, activations, deactivations, data analysis and archiving, etc. for efficient operation. Visual Surveillance System – VSS: this technology provides SOC with cameras, DVRs, cables, videowalls, spot monitors, dedicated software/application, etc. for real-time remote monitoring of people, assets/locations & activities. Intrusion Detection System – IDS: this comprised of alarms, alerts and prompts; it may be visual and/or audio. IDS relies on sensors to collect data, analyzers to process data, and response mechanism to initiate appropriate actions which SOC would act on. Standard Operating Procedures – SOP: this sets step by step guides on required response of SOC per event and the overall functions. It provides framework for uniformity, consistency and standardization in Security Operations Centre. Composition of SOC team: Tier 1 personnel: this is an operator and level 1 analyst. Tier 2 personnel: this is an operator with added functions and authority above tier 1. Tier 3 personnel: this person handles supervisory or coordinator roles; having authority above tier 1 & 2 personnel. SOC Manager: this person should be responsible for overall SOC resource management. Primary functions of SOC include: Monitor – this function requires active surveillance on cameras, alarms, and alerts. Analyze – requires making sense of people, location and event being monitored. Detect – identifies abnormal, odd, out of place, threats and security breach event. Respond – requires taking actions in response to events or incident. Communicate – entails reaching out to other functional personnel about the incident. Collaborate -demands working with the entire team from start to initial and final close of the incident. Record – will require documenting every piece of information about the incident. Investigate – entails fact-finding focused on what-when-where-who, how & possible why. Report – is about providing fact-based account or testimony of the incident. Archive– store and protect data, and exhibits about the incident using chain of custody guide. Security Operation Centre is the future of physical security operations. It is been driven by Artificial Intelligence. Its adoption will disrupt traditional physical security functions. It has potential for huge return on investment. Your organization’s CCTV control room operation can be expanded and transformed to SOC. ALSO READ: A Christian Journey That Started With Theft