Home Security Management The Process of Security Design – the steps to success
Security Management

The Process of Security Design – the steps to success

By Contributor CSM
By Contributor CSM Organisation CIS Security Online First Published Winter 2023

The Process of Security Design – the steps to success

The process of security design involves systematically planning, implementing, and managing security measures to protect assets, people, and information within a given environment. Understanding the environment is critical to ensuring that the security being suggested, whether physical, technical or deployment of officers, will be effective and efficient.

Overall, these options when employed, either in isolation or combined, need to make sure deterrence, detection and reporting are the main aims.

The following steps are an overview of what is involved in the security design process.

Define Security Objectives

Begin by clearly defining the security objectives and goals of the project. Understand what needs to be protected, the potential threats, and the desired level of security. This is where intimate knowledge of the environment is essential and also identifying the risk appetite from key decision makers; this can set initial thresholds and offer an understanding of costs and any restrictions. Better to understand this from the outset than later in the project or on completion. This also means that “value engineering” can be avoided in the overall design and implementation of the security being proposed.

Risk Assessment

Conduct a comprehensive risk assessment to identify potential threats, vulnerabilities, and risks associated with the environment. This step helps prioritise security measures. Although an obvious element, I am sure we can all give examples of glaring holes or issues in inherited security systems that cause issues, have obvious weakness and are generally detrimental to overall security integrity.

Regulatory Compliance

Ensure that your security design complies with relevant laws, regulations, and industry standards. Different industries and locations may have specific security requirements that must be met. It also dictates the level of security you need and can assist in realistic costs and specific needs. As an example, if HVM does not need to meet PAS 68/69 criteria, then establishing a good alternative will save considerable amounts of money. It is also important to ensure that any insurance requirements are met; the appropriate security rating (SR) levels may be dictated by insurance policies. Secured by Design (SBD) is an excellent reference point, as is the National Protective Security Authority (NPSA) to recommend appropriate assistance and standards.

Security Policies and Procedures

Develop security policies and procedures that outline the rules and guidelines for implementing proposed security measures. These policies should cover areas like access control, incident response, and employee security awareness. Where this needs to be emphasised is the application and adherence to these. There is no point in having them in line with appropriately designed security and then have them ignored through convenience, bad practice, or apathy. They also need to be drilled and tested at regular intervals.

Access Control

Determine who should have access to various areas, systems, and information. Implement access control measures, which may include key card systems, biometric authentication, or password policies, to enforce these restrictions. Too often we see blanket access to appease clients, operators and others that have no real need to be in certain areas or have that specific access. There are many instances where control of keys, passes and other elements is given through perceived entitlement. This leads to difficulties in auditing and an additional risk in terms of cost in replacing or managing lost security passes etc.

Physical Security Measures

Implement physical security measures such as locks, fences, bollards, and barriers to protect assets and facilities. Although this seems to be a very obvious thing to mention, it is often overlooked or the most basic measures are implemented. Examples I have seen range from chipboard to cover gaps in fencing that is a supposed “temporary” measure, and heavy duty padlocked gates that can be climbed over or under. I am sure we have all seen these!

Surveillance and Monitoring

Deploy surveillance systems (e.g. CCTV cameras) to monitor and record activities in critical areas, with suitable operations/control room or process to manage this. I could write forever on the issues of surveillance, poor practice, inappropriate and ineffectual examples, often led by architectural plans and the aesthetic as opposed to if it will actually work as designed. Too often, security is not consulted when these systems and operational controls are implemented or designed. I am forever reviewing systems with blind spots, poor control facilities and, quite frankly, pointless waste of money on elements of the installation.

Network and Information Security

Design and implement cybersecurity measures to protect digital assets and sensitive information. This includes firewalls, intrusion detection systems, encryption, and regular software patching. I am not an expert in this field but again, it’s important in the security design element that the integration of security technology and systems (e.g. access control, alarms, surveillance) does work cohesively and provides a comprehensive security solution. The added element is that the human aspect must be aware of the threats, social profiling and other concerns that can let the technology systems fail.

Security Training and Awareness

The last sentence in the previous paragraph is vital: train employees and users on security best practices and protocols, ensure that the security culture is enforced and supported from the highest levels down through to the frontline users. By encouraging a culture of security awareness and reporting suspicious activities, supported with training, and instilling the confidence, frontline staff are not then questioned as to why they had the audacity to verify a pass or check ID.

This is vital in ensuring effective security is part effective and part of the security culture. Especially after you have spent considerable time, money, and resources on designing and implementing a system in the first place.

Incident Response Plans and Testing

Develop a detailed incident response plan that outlines how to respond to security incidents and emergencies. These, as previously mentioned, need to be regularly tested to evaluate the effectiveness of your security measures through vulnerability assessments, penetration testing, and security audits. Make necessary adjustments based on the results. These tests also need to be applied to emergency drills and responses.

Documentation, Recording, Monitoring and Maintenance

Maintain thorough documentation of security policies, procedures, configurations, and incident reports. This documentation is essential for compliance and continuous improvement. They are also needed as potential evidence in any investigations post incident. Ensure that users have access to these processes in simple and digestible formats, especially when responding in anger, as it were. Continuously monitoring security systems, updating software, and regular scheduled maintenance ensures that security measures remain effective and up to date. These may be driven by legislation and codes of practice and conduct. They should make up a key part of any overall security strategy and operational plans. While very few people enjoy the admin side, it is a critical part to ensure the security planning and execution to remains.

Review, Adaptation, Communication and Reporting

Periodically review and adapt your security design to address changing threats, technologies, and business needs. Security is an ongoing process that requires continuous improvement. Threat landscapes change and as we have seen in recent years, risks, and their complexity, change, which may mean what was in place originally is no longer effective or sufficient. Establish clear communication channels for reporting security incidents and sharing security updates with relevant stakeholders, external partners suppliers and ultimate end users; this has to be part of the security design. In any crisis or incident the communication element is often the first to fail.

By following these steps and maintaining a proactive and adaptive approach to security design, organisations can create a robust and effective security framework that mitigates risks and protects valuable assets. As these steps are an overview it is important that the correct level of expertise is applied at a more granular level. Detailed assessments should include; Crime Prevention Through Environmental Design (CPTED), Threat and Vulnerability reviews and focused crime statistics and patterns. These add to the known and likely threats so you can design out crime from the outset and not have to retrofit post incident. Retrofit is always less effective and more expensive. As an overview, consider the following in your design process (drastically simplified for the purpose of this article):

Natural Surveillance 

Ensure that spaces are designed to maximise visibility, reducing areas where criminal or hostile activity can occur unnoticed.

Territorial Reinforcement

Clearly define and delineate property boundaries to establish a sense of ownership and territorial management. Control the movements and prevent desire lines and spontaneous pathways and traffic.

Access Control:

Implement measures such as controlled entrances, gates, and fences to regulate who can enter your controlled areas and how.

Maintenance and Management:

Keep the environment well-maintained to signal that it is actively cared for and monitored.

Environmental Design Considerations:

Lighting, landscaping, and architectural features can enhance security. Where you have seating, cycle storage etc, these can be designed to be crime deterrents.

Community Engagement:

Engage with the community and gather their input on security concerns and preferences.

A sense of ownership and involvement in the security design process can foster a safer environment.

In summary, correct planning and application to security design will make a huge difference to the integrity of the environment that is being protected. Work with planners, designers, and architects; push for what is needed at the right time to prevent value engineering and poor decision making, or at least financially driven decision making where cheap is seen as best. Successful security is a partnership approach and it is essential for open partnerships with clients, police and other service partners that planning must be seen as a vital keystone to ensure success.

Jon Felix BSc(Hons) MDIP MBCI MSyl M.ISRM

Risk and Threat Advisor

CIS Security

www.cis-security.co.uk

SHARE   0 comment
1
FacebookTwitterPinterestEmail

City Security magazine is proud to work with contributors from across the security sector and beyond, including police forces, security associations, security providers, consultants and specialists who produce a range of varied and interesting content.

Related Articles

Martyn’s Law: An update for the security industry

Security: essential asset or expensive overhead? Exploring the...

Physical Penetration Testing  – 6 Key Facts

Tackling retail crime: an intelligence-led approach

Eight hundred years of securing the Lord Mayor’s...

Ready for anything – The role of exercising in...

Safe Haven app supports Our Safer City 

Security on your side – National Protective Security...

Balancing security with community

Frontline Security Officers:  An imperative force multiplier