Comment: Facilities managers taking on security

Facilities managers have to consider security issues such as access management.
Facilities managers have to consider security issues such as access management.
Who do you allow into your business and your data?
Who do you allow into your business and your data?
Steve Garton
Steve Garton

The roles of the facilities manager and risk manager is ever evolving into much more complex and diverse positions, with responsibilities encompassing multi-disciplinary activities across several different environments.

Particularly in the current climate as companies tighten their budgets and look to restructure their man-power, the facilities manager is increasingly pulled in to assist other offices and senior management. Together they must ensure that security measures are considered and appropriately implemented to safeguard an organisation physically and virtually.

This transition requires them to have a much greater awareness of security issues and to be more involved in the delivery of security in all of its forms across an organisation.

Historically, the facilities manager in particular has not been adequately informed for overseeing such security measures, or given the appropriate guidance to implement suitable procedures or technologies to tackle potential threats. This is now a situation that needs to change, with legislation such as the National CCTV Strategy, a report that reviews the use of CCTV and the legal requirements of CCTV footage, should it be needed as evidence in court for prosecution purposes.

With the advent of enhanced technology, businesses work in different ways and with this, it has become unclear who should be responsible and held accountable for certain roles. In the past, it has been extremely clear who is responsible for IT security and physical security across an organisation.

Now with processes being conducted differently, this is not the case and raises questions as to whether it should be the IT manager or the facilities manager that is responsible. Facilities managers and security managers now need to jointly agree the security provision, whether it is within the IT department or as part of the estates and facilities management.

In this instance, it is useful for a facilities manager to be aware of the security concept as a bare minimum along with the standards that come with physical security compliancy requirements. This reduces the blurring of territory and responsibility, which can leave employees confused, as well as encouraging a better work culture with security raised higher up the business agenda.

Security threats to an organisation can occur from both internal and external sources. The security business is constantly aware of the increased risks associated with the current economic climate and how it could (and probably is) affecting the UK workforce, especially with regards to information assurance and the general protection of assets. It is fair to say, that the threat from the insider has always posed a significant risk to businesses across the UK and indeed is now a contagious global concern with more disgruntled staff through redundancy.

By working together with IT, the facilities manager can now ensure that there are procedures in place to restrict disgruntled former employees entering buildings and knowing shortcuts or passwords.

One of the key aspects a facilities manager must recognise is that technology is an enabler of safer systems but it is not the complete solution. Facilities managers need to manage the working environment to control how technology, information and physical assets are shared and kept safe.

This entails them working closer with the IT Manager to control systems that protect Information Assurance. These same systems also need a back-up plan to ensure Business Continuity, so that if a disaster or major disruption occurs that could impact virtual and physical assets, the company will be able to recover and restore partially or completely interrupted critical (urgent) functions in a timely fashion.

Additionally, the physical security of a building is becoming an important part of both the Facilities Manager and the Risk Manager’s role with many issues that need to be taken into consideration.

The first step these workers should take when considering the physical security of a building is to conduct a Threat Assessment.

When addressing building security, Facilities Managers should consider from where the risk initiates. Is it from an outsider looking to force entry or potentially an inside worker with authorised access to the building? Has there been a thorough Threat Assessment conducted to assess ‘real’ risk to ensure the security design can be based upon analytical findings and not from perception or rumour?

This will pay dividends in the long-term and achieve significant savings during the design phase of any security plan. It is vital that every security design is overseen by an independent security consultancy and sufficient commissioning takes place for sourcing additional security components or systems (e.g. CCTV, access control, intruder detection and lighting).

There are also a number of compliance documents and guidelines issued by the UK government that today’s facilities manager should be aware of, recognise and understand. One of particular note, is the government’s ‘Security Policy Framework’ (SPF) – which contains the most recent primary internal protective security policy and guidance on security and risk management for government departments and associated bodies.

Another is ‘BS7858’; the British Standards Institute code of practice which urges employers to screen all individuals who have unescorted access. In the current economic climate, fraud and crime will undoubtedly be on the rise both from the inside and out. Consequently, it is paramount that each company safeguards themselves from a serious threat; the people. An employee screening process should be conducted for all prospective workers, regardless of their position, in an attempt to confirm legitimacy.

Those facilities managers who are lucky enough to have a source of security expertise in-house should have the capacity to address the physical security issues that affect their building. This is however, not always the case and we know from experience that many facilities managers are seeking expertise in this field on a consultancy basis.

Many security companies are keen to offer a plethora of security products including CCTV and alarms for example, where in reality, fewer products are needed. By handling a comprehensive threat and risk assessment, the type and volume of products will become instinctively clear.

Facilities managers seeking counsel should request that this security consultant mentor their interests throughout, keeping them abreast of the assessment and of any suggestions to permit a useful and feasible plan of protection. Regular independent reviews are also paramount.

At a corporate level, a well-structured physical security plan contributes to the delivery of strategic and operational objectives. Further to this, on a day-to day level, effective facilities management provides a safe and efficient working environment, which is essential to the performance of any business – whatever its size or role.

What’s Hot on Infosecurity Magazine?