A Facility Security Plan is a critical component of an effective security program. The guidelines contained in this document are based on recognized industry best practices and provide broad recommendations for the protection of federal facilities and federal employees, contractors, and visitors within them. Facility Security Plan: An Interagency Security Committee Guide identifies and defines the basic guidelines and procedures used in establishing and implementing an FSP.
Proper building security must begin with the realization that contingent events are, by their very nature, unpredictable. Their occurrence must be met with countermeasures that target possibilities as opposed to individual occurrences. This means that security is a largely invisible undertaking with paradoxically invisible returns. Because of the abstract nature of risk mitigation, it is easily ignored until it is too late. Those with a keen eye for risk management will know that the deliverables of security primarily lie in continually managed processes, not responses to visible stimuli.
The Interagency Security Committee (ISC) is chaired by the Department of Homeland Security and consists of fifty-four federal departments and agencies. The ISC's task is the development of security standards and best practices for nonmilitary federal facilities.
Although the ISC's guidelines are addressed to federal facilities, the committee makes many of its documents available to the public. This means that even if you don't run a federal facility, you may benefit from some of the guidelines the ISC has created.
The ISC identifies a comprehensive hierarchy of personnel to be involved with security, composed of a Facility Security Committee, Designated Official, Security Organization, Chief Security Officer, Tenant Security Representative, Tenant Managers, Facility Occupants, Financial Authority and Chief Information Officer.
While this structure may be too complex for your organization, the key takeaways are that there is consensus on who is organizing the security plan, who is responsible for its management, who is attending to the processes and who is signing off on the expenses involved. For a small business, these roles could be simplified down to the owner taking responsibility for planning security and a manager taking the reins on implementation once the measures and their corresponding budget have been determined.
It is key that responsibilities for security are clearly assigned so that related tasks aren't unknowingly deferred. Many problems can be avoided by designating someone responsible for maintenance, who ensures not only that the bathroom stalls are kept graffiti-free but also that systems like security cameras, alarms and locks are in proper order. Otherwise, simple maintenance measures like these could easily be overlooked for no reason other than lack of organization.
Once it is clear who is responsible for security considerations, this person or group will have to assess the facility security level, evaluate the current level of protection, propose and implement adequate adjustments within the scope of budget, and execute security measures.
The ISC identifies five factors to quantify a facility's security level (FSL). The factors are mission criticality, symbolism, facility population, facility size and threat to tenant agencies. Once these have been considered, one should consider additional intangibles unique to an organization.
You will want to identify your own measures that fit your organization's size and purpose more adequately. While "symbolism" is a seemingly obscure factor, you may want to consider public awareness of your company. To what extent are you known by the public and how could that affect future operations?
When assessing mission criticality, take into consideration whether operations are confined to a central location or spread out. If there are multiple locations, what would happen if one went offline temporarily? Are there backup measures, or would backup measures be possible? If not, then mission criticality is a major factor.
The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard, 2nd Edition defines the criteria and processes that those responsible for the security of a facility should use to determine its facility security level (FSL) and provides an integrated, single source of physical security countermeasures for all Federal facilities. The Standard also provides guidance for customization of the countermeasures for facilities and the integration of standards and concepts contained in the Interagency Security Committee’s (ISC) Appendix A: The Design-Based Threat Report.
-ISC Risk Management Process Guide
Once a facility's security level has been determined, threat assessment, risk management and countermeasures can be implemented. Facility risk management processes are covered in the ISC standard guide.
The ISC Risk Management Guide provides low-level overviews of topics like Integration of Physical Security Criteria, Risk Informed Decision-Making, Guidance on how to establish and implement comprehensive measurement and testing programs, etc.
The risk management process seeks to categorize events that could threaten personnel, operations and information. The process encompasses threat assessment, consequence (or criticality) assessment, vulnerability assessment and risk assessment.
This is the time to weigh how essential security measures are for the potential threats that could unfold. There is always a degree of tolerance for risk. Risk management attempts to assign an appropriate level of tolerance to highly unlikely events (random attacks, terrorism, etc.) vs. relatively common ones (workplace violence, trespassing, theft and the like).
Once risks have been identified, facility occupants should be familiarized and trained according to the facility security plan. Exercises can be discussion-based (e.g., table-top scenario run-throughs), operations-based (e.g., fire drills) or a combination of the two.
Relatively common security considerations involve theft, assault, unlawful demonstrations, workplace violence and vandalism. Very rare but high-consequence threats would include terrorism or active attacks.
Prevention and response to workplace violence is covered in the ISC guide.
The Department of Homeland Security also offers a pamphlet on how to respond to active shooters. While there is little here that evades common sense (e.g., "Be out of the active shooter's view" or the bureaucratically conceived suggestion to "yell and throw things at the shooter"), it nonetheless may serve as a good refresher for those who are concerned about an occurrence.