Monday, June 29, 2009

SSP Submission – RBPS #4 Deter Detect and Delay

This is another in a series of blog postings on the recently released Site Security Plan Instructions Manual and Questions Manual. The other blogs in this series are:

- Preparing for SSP Submission
- SSP Submission – Facility Data
- SSP Submission – Facility Security Measures
- SSP Submission – RBPS #1 Restrict Area Perimeter
- SSP Submission – RBPS #2 Secure Site Assets
- SSP Submission – RBPS #3 Screen and Monitor

This section of the SSP looks at security measures, processes and procedures that specifically serve to deter, detect and delay potential terrorist attacks on the facility. This section only applies to facility-wide security measures. It does not include provisions for answering questions about securing individual critical site assets.

Previously Provided Information

Many of the questions will look like they have already been answered in previous sections of the submission. It is not clear from the manuals provided by DHS if the previous responses will cause the information to be ‘pre-populated’ into these new questions. If the information does not get automatically carried forward into this section, facility Submitters are going to have to carefully review duplicative questions to make sure that consistent answers are provided.

It is interesting that the questions on anti-vehicle barriers on the facility perimeter in this section were not found in support of the RBPS #1 section, but were seen earlier in the RBPS #2 section dealing with security measures for site assets. Similarly, the questions about security lighting were found in RBPS #2 but not RBPS #1. Neither set of answers will ‘carry forward’ to this RBPS since they were directed at asset security, not perimeter security. Answers from RBPS #2 questions (or any other question about asset-specific security measures) should not be ‘transferred’ to questions for this RBPS.

Anti-Vehicle Measures

Preparers can find definitions and descriptions of the vehicle barriers in Appendix C of the Guidance document. The ‘K rating’ system is also briefly explained there. K rating data should be available from the barrier installer, though facilities should probably check with manufacturers to ensure that the installer is trained and certified in the proper techniques for installing the barriers. Many manufacturers will be able to recommend independent inspectors that will verify the installation was done in a professional manner. Proper installation is critical for ensuring that the barriers meet their ‘rated’ K values.

CCTV Measures

Most of the CCTV questions found in this section were found in both RBPS #1 and #2. The answers from the RBPS #1 questions should be the same as the answers for these questions. This is where one might expect that a well-designed system would pre-populate the answers with those provided in an earlier section. There should be no intention on the part of DHS to ‘catch’ facilities in inconsistencies.

There are a couple of new questions in this RBPS section that probably should have been included in the list of questions for both RBPS #1 and #2. Two completely new questions (requiring a yes/no response) are (pg 139):

- Is the surveillance system integrated with the access control system?
- Is the surveillance system integrated with the intrusion detection system?

These are interesting and potentially important questions. I am more than a little surprised that there are no follow-up questions regarding the details of the integration.

The other ‘new’ question is more of a follow-up question to one asked in the RBPS #1 section. The earlier question (pg 74) asked about the monitoring frequency. This question asks about monitoring responsibility. The provided answers (including the obligatory ‘other’) are:

- System monitoring and control by dedicated control room operator.
- System monitoring an ancillary responsibility of control room operator.
- System monitoring and control by dedicated security force member.
- System monitoring an ancillary responsibility of security force member.

Since these questions are going to be used by DHS to evaluate the effectiveness of the CCTV system (if present, of course) in detecting an attack in progress, facilities should be careful to use the ‘other’ response on this question to address any aids that the facility might use to help those monitoring detect a penetration. Automated surveillance systems should certainly be listed here.

Security Forces

This RBPS Section of the SSP includes a mix of new and repeated questions about the security forces. The question about security patrols is a duplicate from RBPS #1 (pg 76) and RBPS #2 (pg 104). As mentioned previously, the answers from RBPS #1 should be duplicated here, while straight copying of RBPS #2 may not be appropriate.

The new questions here have to deal with the details of where the security forces are housed; what the Questions Manual calls ‘security structures’. First a question is asked about ‘stationary posts’. One has to assume that this question applies to stationary posts for security personnel from the listing of posts provided, but an unmanned personnel entrance that uses some sort of access control system could qualify for a ‘main personnel entrance’. I question the inclusion of ‘special posts’ along with the standard entry for ‘other’ since there is no requirement to explain what constitutes a ‘special post’ while a response of ‘other’ requires that the facility provides a description of that type of post.

There are three questions specifically about ‘security structures’; presumably this means buildings used to house one of the previously identified ‘stationary posts’. It seems redundant to ask if a facility has ‘security structures’ after asking about ‘security posts’.

The next question deals with physical structure and protections associated with these security structures. This question only makes sense if it were asked for each of the structures identified in the stationary posts question, since the provided answers may only pertain to one of the posts. The same could be said about the question dealing with ‘controls’ available within the security structure. While some facilities might have duplications of all security controls at all security posts, this is probably not a good idea for most facilities, particularly when control of an isolated post might allow an attacker to control cameras and intrusion detection systems to avoid detection.

There is one question that follows the security structures questions that deals with ‘process controls’ available at the facility. The question asks what ‘process controls’ are available at the facility and provides the following answers:

- Both security and operational functions
- Security functions
- Operational functions
- Neither Security nor operational functionality
- Other

There is no explanation provided in the Questions Manual or Instructions Manual about what types of ‘process controls’ are being covered in this question; not even explaining if they are asking about cyber controls or manual control systems. This is especially confusing since there are no follow-up questions about locations of the controls for those systems or protections offered to such systems.

Adversary Delay

There are a series of questions about internal access controls and barriers used to delay potential adversaries from reaching critical assets within the facility. These questions seem to duplicate those found in RBPS #2. What should be clear here is that these are still facility-wide measures and not measures dedicated to individual critical assets. Facilities that did not define critical assets in RBPS #2 should certainly include any internal controls in their response to this question.

It is harder to determine what DHS is looking for if the facility did identify and report security measures for critical assets within the facility. If there are internal security measures that were not reported for individual assets, they should certainly be reported here. If security measures reported in RBPS #2 serve other critical areas within the facility, they should probably be reported here. Finally, security measures unique to specific critical assets that have been reported for those assets in other areas of this SSP should probably not be reported here.

Key Control

There are a number of questions about the ‘key control’ procedures that the facility uses. Actually, this classic physical security process has been expanded beyond the old-style key and combination control procedures. With the expansion of the use of credentials that allow access through automated access control systems, this key control section includes control of those credentials.

All but one of the questions included in this section are straightforward and require little or no explanation. The one odd ‘question’ is the one that states:
Select "Yes" for all the key inventory/controls the facility has:
The available answers make it clear the question is actually about who administers the key control process. While there is a ‘company’ and a ‘security department’ response, there should probably have been a ‘facility’ response as well for those facilities that have a facility control procedure that is not managed by a security department.

Security Forces

The final section in this RBPS concerns the use of security forces. This is one area of the SSP that is going to be the most controversial because of the references to armed security personnel. From comments received during the draft RBPS Guidance review it is clear that many facilities are adamantly opposed to the use of armed security personnel. From the questions found in this section there is no real clue about how DHS will address this issue in their approval of the SSP.

The section starts out with the typical ‘does the facility have’ question. A no answer in this case bypasses about half of the questions in the section. What is surprising is that questions about off-site armed response (presumably including police force response) are bypassed by a no response to this question. I hope that there is a disconnect between the Questions Manual and the actual SSP in this case. The question of off-site response is especially critical for facilities that have no on-site security forces.

This is not the only organizational anomaly found in this section. In the section that all facilities are required to answer are two questions about ‘posted personnel’. The first question asks about the types of observation provided by posted personnel. Many facilities that answered no about the security force personnel are going to be confused about how they can answer this question. The next question provides some additional guidance by including non-security operations personnel in who may provide observation.

Finally, the ‘tactical positions’ question should have been included in the portion of this section by-passed by a ‘No’ response to the initial security force question. A facility that does not have a security force is unlikely to have ‘hardened/defensive positions’ or ‘hardened fighting positions’.
