GUIDE
INTRODUCTION TO SECURITY MANAGEMENT
Saito College Copyright Reserved May 2010
OVERVIEW
The aim of this program is to provide graduates with the knowledge and
skills to perform supervisory and management functions within the security
and law enforcement industry in the areas of public safety, asset
protection, security management and technology. Students will learn how
to deliver enhanced investigative services, initiate prevention programs,
and mitigate asset deterioration within their own organizations and those of
their clients. At the senior level, students will develop security solutions
designed to protect their organizations and industry over all. Graduates will
be able to pursue the growing number of supervisory and management
positions being created to focus on corporate due diligence, investigation
and operational intelligence.
Title
Objective
Learning Outcome
Course Credit Hours
Teaching/ Delivery Methodology
PART 4 - REFERENCES
PART 1 - COURSE STRUCTURE
Course Title : Introduction to Security Management
Learning Outcome : at the end of the program the students will be able to:
CONTENTS
Introduction to Security
Definition of Security
Need for security in business environment
Security Planning
- Policy & procedure guidelines
Security Implementation
For centuries, people in the community have acted as a security force within the
community. Indeed the “job” of security was not even a job. It was the duty
of all able-bodied men to protect their homes and community. There were
no police to call. Instead, the people acted in self-defence or in defence of
their community. Therefore it can be seen that, through much of history,
security was seen as the province of people.
Long ago, man came to the realization that security is one of the basic
foundations for the pursuit of happiness. Without some measure of it, we are
doomed to exist forever in what Hobbes called "a war of all against all." For
most of us, that basic security, whether it be protection from crime in the form of
the police, or from foreign threat in the form of the military, is something that
tends to be seen as a government matter. Increasingly though, private security
companies have begun to feature more prominently in the national and global
security apparatus, dealing with everything from checking IDs at office buildings
to actively participating in military operations overseas. While this seems like a
new development, the origin of security actually goes back to the beginnings of
history itself.
The state of being free from danger or injury; "we support the armed services in
the name of national security". Security is the degree of protection against
danger, loss, disruption and criminals.
Ancient Beginnings
As the Middle Ages gave way to the Renaissance and the early Enlightenment,
burgeoning trade, commerce and exploration began to radically change
European society. Among other things, the increasing levels of urbanization
meant that the traditional communitarian methods for dealing with crime were
now more difficult, leading to periods of chaos and anarchy in many cities. As a
result, magistrates operating as representatives of the king began to more
formally enforce laws and edicts. Along with increasingly public military forces
throughout Europe, the rise of modernity seemed to go hand in hand with a
lessening of private security.
By 1700 the social patterns of the Middle Ages were breaking down, particularly
in England. Increased urbanization of the population had created conditions of
considerable hardship. Poverty and crime increased rapidly. No public law
enforcement agencies existed that could restrain the mounting waves of crime
and violence, and no agencies existed that could alleviate the causes of the
problem.
By the 18th century, it is possible to discern both the shape of efforts toward
communal security and the kinds of problems that would continue to plague an
increasingly urban society for the next decades to come.
Eight years later, Parliament carried out a study on security problems and that
resulted in a program employing various existing private security forces to
extend their scope of protection. Different kinds of police agencies were
privately formed. Individual merchants hired men to guard their property.
Merchant associations also created the merchant police to guard shops and
warehouses. Night watchmen were employed to make their rounds. Agents
were engaged to recover stolen properties.
This heterogeneous group, however, was too much at odds and was not
effective in addressing crime problems. Eventually Parliament’s attention turned
to the reaffirmation of laws to protect common good through the rating of Bill of
Rights of the people by revoking the monarchical control and practices over
decisions of law. However, the results of the new development were far from
expectation. Technically there were many holes in the application of law in
combating crime. This situation persisted until the late 19th century, through
the industrial revolution; thereafter a more organized form of security management to
combat crime evolved.
Even with countries across Europe reducing their use of mercenaries to fight
wars and instituting more formal practices of policing their citizens, up until the late
19th century there was still a need for private security. This was especially true
in the American west, where the frontier settlements suffered from a lack of
established law and order. Private companies such as the Pinkerton National
Detective Agency were given certain limited powers by the government in order
to help secure towns and railroads from outlaw gangs. During this time, private
security was sometimes the only security available for citizens.
By the 20th century, many settlements in the west had become full-fledged
towns and cities with formal police departments. Across the country, this helped
create less demand for private security in terms of dealing with criminals. Private
security was still instrumental, though, in providing security for corporations,
especially in the tumultuous times of the Great Depression, when labor groups
began to challenge working conditions and wages through protests and strikes.
Modern Times
By the middle of the century, private security began to take on its modern form,
being used to deter crime and disturbances at everything from sports stadiums
to shopping malls. Today, though, as transnational threats such as drug
trafficking and terrorism increasingly tax the resources of the state, more and
more roles are being undertaken by private security. Many military bases are
now protected by private security, and private security is once again taking on
mercenary-like roles in the wars of Iraq and Afghanistan.
The Western colonialists and in particular the British brought with them the
English system of law enforcement and its reliance on collective responsibility to
Malaya then. Constables and night town watchmen were the primary means of
security in Asia until the establishment of full-time police forces in the 1800s.
Malaysia, then Malaya, started to have its own private security in 1957 after
independence, when the English established the system as a result of growing
demands and the prestige associated with the professionals. Currently the
Malaysian private security industry has about 200,000 guards.
The private Security industry in Malaysia which had a humble beginning from the
days of the colonialists, has been transformed from traditional watchman to a
competitive sector backed up by modern technology. It has become an integral
part of the business world where security aspects are necessary to ensure
protection and safety of individuals and assets. There are around 322 companies
engaged in providing different kinds of security, namely guardian services, private
investigation, in-house security, commercial/industrial integrated monitoring
systems, escort services, executive protection etc. The industry generates an
annual turnover of over RM850 million and it is growing at an annual average of
between 10-20% to meet the management needs of combating crime.
The security industry in Malaysia has come a long way from the days of the
traditional watchman, more fondly remembered as the “jaga” with the image of
“Big, Strong and Friendly” - the days of our Sikh counterparts who single-handedly
stood guard, faithfully ensuring the safekeeping of their employer’s property, to
that of a relatively more organized outfit of today. The route to this present point
has not been all that smooth. Despite the many problems and obstacles related to
this low-profile, little-understood industry, many resilient companies have
survived.
With the formation of Malaysia in 1963 the changes in the national administrative
scene became more evident. With the shift in the proprietorship and administration of
public organizations and private industries into the hands of the locals from the
British colonialists, and with the internal security threat from the communist insurgents
reduced to jungle warfare, the government had a better grip of itself
and began exploring various avenues for national development. At the onset of
the seventies many development programs embracing industrialization enabled the
shift from an agrarian based society towards an industrial based society.
This gave the impetus for the emergence of national industrialization policy
where many industries producing manufactured goods and services had their
humble beginnings. Along with these developments the private security industry
began its growth at a modest pace and the government saw the need to regulate
the industry which was about to traverse through a rapid growth process due to
industrialization. Therefore in 1971 the “Private Agencies Act 1971” was enacted
by the Parliament to regulate the industry.
In the eighties the rapid process of industrialization, with the influx of foreign
investors and its impact on the national economic fabric, paved the way for the expansion of the
private security industry. Though the private security industry expanded to cater
for the various sectors of the economy, its growth was not directed in a well
structured manner to cater for the professional demands of the industry itself and
the actual needs of the clients.
Category of Security
There is an immense literature on the analysis and categorization of security.
Part of the reason for this is that, in most security systems, the "weakest link in
the chain" is the most important. The situation is asymmetric since the defender
must cover all points of attack while the attacker need only identify a single
weak point upon which to concentrate.
Types of Security
The list below shows the range and degree of importance that security
has in human lives.
Monetary
Financial Security
WHY SECURITY PROTECTION IS ESSENTIAL
Introduction
In the past security was fairly straight-forward. Images of bank guards or fences
topped with barbed wire accurately represented the extent of security solutions
in most instances. That was yesterday. Today, the demands placed
on security professionals have moved far beyond guards and barriers.
Effective security requires a comprehensive "systems" approach that protects all
assets of a company.
Defining Organization’s Assets
In general, a company's assets may be broken into three (3) main areas. These
include:
People
It is often said that people are a company's most important asset. A
company's employees, after all, are responsible for coming up with the ideas for
goods or services which bring success to an enterprise. Employees design,
engineer and manufacture the product. They manage these operations, track
costs and revenues, and provide a sense of overall direction for the business. All
of these individuals are valuable assets to a company.
Materials
Consider all the materials typically used by a company. The raw material used in
a company's processes must be protected from theft, damage, or any other
problems which would interfere with manufacturing. Finished products are also
part of the company's material assets and should be a major security concern.
In addition, any materials which may be created as by-products of the
manufacturing process are also of concern. Some of these materials (e.g.,
chemicals, gases, lubricants and fuels) may be classified as hazardous
materials and present a special security concern.
Property
Traditional approaches to security have always focused on property, but today
property includes much more than just physical items, and this, of course,
impacts corporate security concerns. Physical property is clearly an asset;
therefore, it requires a plan to protect it. However, there is a whole range of
other types of property, generally described as intellectual property. This can
include research, computer programs created by the company, operational
procedures, marketing and sales data, and certain company policies.
The old adage is – “good fences make good neighbors.” That holds true today
for businesses, though the fences in this case are security policies. Strong
security policies coupled with the use of good procedures and practices should
minimize the danger for business risks. Organizations need to recognize the
immediate need to protect their employees, properties and information assets
from emerging security threat from the dynamic environment. This security
threat is significant and should lead businesses to consider deploying security
solutions with a proven ability to detect new and previously unknown risks
emanating
The truth is that many organizations would like to have a secure business
environment but very often this need comes into conflict with other priorities.
Firms often find the task of keeping the business functions aligned with the
security process highly challenging. When economic circumstances look dire, it
is easy to turn security into a checklist item that keeps being pushed back.
However the reality is that, in such situations, security should be a primary
issue. The likelihood of threats affecting your business will probably increase
and the impact can be more detrimental if it tarnishes your reputation.
Conversely, if security is accorded adequate priority in the organization, it will
certainly help to maintain a healthy profit margin besides safeguarding the good
reputation of the organization.
Threat Categories
Nature/Environmental
Hurricanes
Tornadoes
Wind
Earthquakes
Snow/ice
Floods
Humidity
Static Electricity
Extreme Temperatures
Dust/dirt
Lightning
Avalanches/slides
Volcanic eruptions
Fire
Supply Systems
These include the critical infrastructure and utilities that most business
organizations depend on for daily operations, including but not limited to power,
water, and communications providers.
Man-Made
Humans are the most common threat to physical security, generally because of
negligence. We spend the most money and effort in defending against these
types of physical threats. Man-made threats consist of a wide array of
possibilities; some examples include hackers/crackers, theft, fire, human error
(hitting the wrong button, unplugging the wrong cord, and so on),
mechanical/electrical malfunction, explosions, vibration, spills, malicious code,
radio frequency interference, fraud, intruders, magnetism, toxic chemicals,
pollution, overloaded electrical outlets, and many more.
Political Events
With governments, politics, and religion come power struggles that can
sometimes lead to violence. We have witnessed many of these unfortunate
struggles that continue to occur worldwide. Bombings, strikes, terrorism, riots,
espionage, wars, and so on all can have considerable effects on the security of
an organization and its capability to operate normally.
As an example, the recent civil unrest (April 2010) in Bangkok had a
devastating effect on the nation and the business community, where hundreds of
lives and millions of dollars were estimated lost due to clashes, fire and rampage.
Emerging Threats
The physical security environment is quickly becoming more complex and more
difficult to protect for several reasons:
Prioritizing Threats
Time and money are always limited resources when trying to create a solid
security posture. Being asked to prioritize security can be a daunting task.
Threats are widespread and they constantly evolve. A common approach to
gaining insight into the most important threats to your organization is to
perform a simple business impact analysis (BIA).
Note: Rank each impact based on 4 = high to 1 = low. Rank each resource
based on 4 = weak resources available to 1 = strong resources available.
Bottom Line
Threats to physical security are diverse in nature and if they occur can be
devastating to the livelihood of an organization. Technology continues to
become more integrated into everything we do, particularly within our business
community. The more dependent we become on technology, the more
important it becomes that we take the appropriate actions to make them
resistant to all threats.
A SYSTEMATIC APPROACH TO SECURITY MANAGEMENT PROGRAM
Globalization has changed the structure and pace of corporate life; the
saturation of traditional markets is taking companies to more risky places. At the
same time, security risks have become more complex, too. Many of the threats,
such as terrorism, organized crime and information security, are asymmetric and
networked, making them more difficult to manage.
Companies are looking for new ways to manage these risks and the portfolio of
the security department has widened to include shared responsibility for things
such as reputation, corporate governance and regulation, corporate social
responsibility and information assurance.
The Security Program concept in figure 2 above tends to illustrate that the
above is a relational model whose structure helps to develop a holistic security
management program for any organization be it a business organization or a
government installation.
Introduction
In order to establish a sound security management program, we need to
organize its components in a logical manner, so that the execution of the various
processes from the system components provides a seamless operational flow in
the security chain, ensuring an effective security posture for the corporate
organization. The ensuing elaborations are made based upon figure 2.
Conceptual Model of a Security Management Program
Environmental Scanning
The major potential security issues an organization may confront can be
assessed through environmental scanning.
Environmental scanning is a data collection / information gathering process and
technically it is known as intelligence gathering activity. It is aimed at collecting
information about an environment (both internal and external) such as security
threats that may pose serious consequences to business operations and
directly affect the company profit margin. Ongoing monitoring by security
managers and supervisors enables data to be collected, processed and
analyzed to be used in decision making in the development and implementation
of security programs in the organization. Generally security threats facing a
corporate organization are characterized by the crime statistics within the
particular area of business operations both within and outside.
One reason to use environmental scanning for security threats is in
preparation for a major change such as a new facility, a big shift in policy, or the
emergence of new technology. Most importantly, scanning and gathering data
before entering the planning stage is a useful tool to help identify weaknesses,
opportunities, threats, and strengths. These can be built upon in the planning
stage to create a strong and effective plan to address issues identified
during environmental scanning. Failure to collect information before starting
plans can result in costly mistakes or blunders and missed opportunities.
Disruptions can also result from major accidents, which pose significant risks to the
company. In most companies, security issues overlap with concerns addressed
by other corporate departments, Human Resources for example. Such
concerns include employee down-time due to tardiness, substance abuse,
domestic violence and psychological problems.
These issues extend beyond security, but there is no question that employees in
these situations are legitimate security concerns. Security professionals also
deal with the improper activities of employees, particularly corporate officers.
Conflict of interest is the number one concern. One example of conflict of
interest is an officer who takes sensitive information to a new job at a different
company.
This activity clearly threatens a company and is a significant challenge to a
security management program. Similarly, violations of established business
standards — in contract procurement, for example — and financial
mismanagement present additional threats, all having a potentially serious
impact on corporate stability.
As you can see, the issues confronting security professionals today are broad in
scope, and these threats have a potentially major impact on a company's
operations. Security professionals must be aware of all potential risks in order to
develop a sound security management program.
Companies that use environmental scanning can move quickly when they
identify a problem or an opportunity. This includes everything from a new
regulation issued by the government that might threaten a company's business
operations to a security issue in an office. The data gathered
in environmental scanning can be processed to develop an organized report to
provide information to management and other stakeholders of the company who
may be interested. Dispensing the information effectively is an important part of
this practice, as data is useless if it never gets into the right hands at the right
time.
Introduction
D. Responsibilities
Employees are responsible for ensuring that elements under their control
are carried out according to policy and procedures to maintain effective
control and security.
We aim for excellence in the protection of the company assets and data. We
achieve this by:
We all play our part in abiding by and supporting the Security policy. No one
must undermine any of these measures.
Definition of a Policy
The term may apply to government, private sector organizations and groups,
and individuals. Presidential executive orders, corporate privacy policies, and
parliamentary rules of order are all examples of policy. Policy differs from rules
or law. While law can compel or prohibit behaviors (e.g. a law requiring the
payment of taxes on income), policy merely guides actions toward those that are
most likely to achieve a desired outcome.
In simple terms, policy is a formal, brief, and high-level statement or plan that
embraces an organization’s general beliefs, goals, objectives, and acceptable
procedures for a specified subject area. Policies always state required actions,
and may include pointers to standards.
A Procedure
• A series of steps taken to accomplish an end goal
• Procedures define "how" to protect resources and are the mechanisms to
enforce policy.
• Procedures provide a quick reference in times of crisis.
• Procedures help eliminate the problem of a single point of failure (e.g., an
employee suddenly leaves or is unavailable in a time of crisis).
Procedures are equally important as policies. Often the policies define what is to
be protected and what are the ground rules. The procedures outline how to
protect the resources or how to carry out the policies. For example, a Password
Policy would outline password construction rules, rules on how to protect your
password and how often to change them. The Password Management
Procedure would outline the process to create new passwords, distribute them
as well as the process for ensuring the passwords have changed on critical
devices. There will not always be a one-to-one relationship between policy and
procedures.
A Standard
• A mandatory action or rule designed to support and conform to a policy.
• A standard should make a policy more meaningful and effective.
• A standard must include one or more accepted specifications for hardware,
software, or behavior.
A Guideline
• General statements, recommendations, or administrative instructions designed
to achieve the policy’s objectives by providing a framework within which to
implement procedures.
• A guideline can change frequently based on the environment and should be
reviewed more frequently than standards and policies.
• A guideline is not mandatory, rather a suggestion of a best practice. Hence
“guidelines” and “best practice” are interchangeable.
Guidelines are not a required element of a policy framework; however, they can
play an important role in conveying best practice information to the user
community. Guidelines are meant to “guide” users to adopt behaviors which
increase the security posture of a facility, but are not yet required (or in some
cases, may never be required).
Intended effects
The intended effects of a policy vary widely according to the organization and
the context in which they are made. Broadly, policies are typically instituted to
avoid some negative effect that has been noticed in the organization, or to seek
some positive benefit.
Unintended effects
Guiding Principle
Generally policy formulations are guided by principles that may help to facilitate
the security goals of the organization. It normally involves:
• Over-arching statements that convey the philosophy, direction or belief of an
organization.
• Guiding principles serve to “guide” people in making the right decisions for the
organization.
– What policies and standards are needed
– What technologies are needed
– How architecture should be accomplished
• Guiding principles are NOT policies, but serve as guidelines in the formulation
of thoughtful and comprehensive security policies and practices.
Contents of a Policy
Background, indicating any reasons, history, and intent that led to the
creation of the policy, which may be listed as motivating factors. This
information is often quite valuable when policies must be evaluated or
used in ambiguous situations, just as the intent of a law can be useful to a
court when deciding a case that involves that law.
Definitions, providing clear and unambiguous definitions for terms and
concepts found in the policy document.
The goal of TOTAL Corporate Security is to protect the company's employees, assets,
information, integrity and reputation from potential threats. This company commitment
is guided by the basic core values, code of conduct and business ethics which fashion and
influence the way we operate throughout the world. These core values include
professionalism, respect for employees and stakeholders and a permanent concern for
health, safety and the protection of the environment.
CORE PRINCIPLES
The Group recognizes that secure operations are dependent upon employee
participation, commitment and accountability. All security activities must adhere to the
general principles laid down in the Chairman's Charter. Where appropriate these are
elaborated below to provide the basis by which Corporate Security will shape the
direction and conduct of security.
1. The security and protection of employees must be the overriding priority of all
business activity.
2. Security policies and procedures must be implemented according to the Universal
Declaration of Human Rights, the international and national laws, and the Voluntary
Principles on Security and Human Rights. Respect for human dignity is paramount at
all times.
3. Line management must be continually aware of and take responsibility for the
security aspects of its business activities. Security organization and resources must
reflect this commitment.
6. Security measures and procedures must be submitted to regular inspections,
validations and verifications by security specialists so as to maintain high levels of
security standards in TOTAL operations country-wide.
7. The level of professionalism, knowledge and integrity of staff involved in security
matters on behalf of TOTAL must be tightly controlled and exemplary. Appropriate
training plans, recruitment and contracting procedures must be established and
implemented.
8. All incidents, including security breaches and irregularities, must be reported and
recorded. Corrective action should be taken and followed up through the regular
verifications to improve the overall security standard.
9. Generally security forces used by TOTAL are non-armed guards. However, if no
other alternative exists to properly manage the risk, armed guards could be
used within the scope of legally and governmentally approved practices.
Armed guards must be selected carefully, trained regularly and supervised
closely.
10. Mindful of the need to introduce security measures to protect its employees and
local personnel, TOTAL nonetheless makes every effort to minimize the impact of
these measures on local communities.
1. Materials security
Material being brought into the factory premises should be disclosed at the
security and a security gate pass to be obtained before carrying it into the
factory premises. Suspicious materials that come into the factory will be stopped
at the main gate and thoroughly investigated before being sent into the factory.
Material being taken out of the factory should be accompanied by a gate pass
signed by the appropriate authority. The same is to be produced before the
security on leaving the factory premises. Employees found taking out any
material(s) belonging to the factory without a valid gate / security pass are liable
for disciplinary action.
2. Movement Of Vehicles
All personnel bringing their own vehicles should put the security clearance
stickers in a prominent place on the vehicles that is visible to the security staff.
All non personnel vehicles that come into the factory premises will be asked to
park outside the factory premises. All vehicles are liable to be checked by
security personnel while entering and leaving the factory premises.
3. Identity Cards
All employees are provided with an identity card (ID) which contains employee
particulars. The employee shall carry his / her ID card visibly on himself / herself at all
times when inside the factory and present it while entering or leaving the factory
or on demand by the security guard, supervisor or the HR department. The ID
cards shall be the property of the factory and should be surrendered to the HR
department on cessation of employment. Loss or damage of the ID card should
be notified to the HR department immediately and a requisition for a duplicate
card will have to be applied for in the Duplicate ID Card Issue Form. If the
employee loses or damages his / her ID card for the first time the ID card will be
replaced by the management free of charge. On loss or damage of an ID card
for the second time a fee of RM50 will be charged.
5. Visitors security
Visitors entering into the factory must be first verified via the intercom to check if
the person they wish to meet is available and where they are, then the visitor
has to register at the security office and obtain a visitors pass. While leaving, the
Visitor should sign in the visitors register again at the security office mentioning
his time of exit and return the visitors pass duly signed by the person visited
before leaving the factory premises. Visitors are liable to be checked by security
personnel while entering and leaving the factory premises. The visitors are not
to be allowed on the shop floor without the permission of the Local HR head /
Factory manager.
6. Search Of Employee(s)
As deemed necessary, all employees entering or leaving the factory at any time
are liable to be searched whilst within the premises by a person authorized to do
so by the manager, to ensure that they are not in unauthorized possession of
property belonging to the company or of other employees or of any articles
prejudicial to the security of the factory or to other employees. In case of a
female employee the search shall be carried out by another female person
authorized by the management.
7. Business materials
No employee shall take any paper, book, photographs, instruments, apparatus,
documents or any other property of the factory or of the premises, nor shall he / she in
any way pass, or cause to be passed or disclose or cause to be disclosed any
information or matter concerning the operations of the factory to any
unauthorized person, company or corporation without the written permission of
the Factory Manager.
If any employee is found doing so he / she would be liable for disciplinary action
or may be suspended / terminated from service.
System Architecture
System architecture involves the construction of a structured security system which
encompasses various functional processes having a sequential functional flow
in the provision of protection for organizational assets, and which enables
resilience when the organization is faced with adversities.
System management
System Operations
System Review and Control
Future Challenges to Security Management
The first of these is the speed of innovation. Every day, new technologies are
developed that have the potential to change the way we secure physical
property. Macro-economic changes and mergers & acquisitions mean business
environments can change virtually overnight. And changes in society can
represent a major security risk. In such a world, it has become virtually
impossible to determine your future security needs. At the same time, the
lifetime of currently available security devices is becoming shorter. Every few
months, readers and CCTV cameras are replaced by newer versions. Is it really
a good idea to rely on today’s products to cope with future security
requirements?
The third trend is that security management systems are becoming integrated
into the workplace. Not only do they take care of physical access control; the
same badge can also be used by an employee to pay for a meal in the cafeteria
or gain access to the company’s computer network. So whenever a company
decides to cope with new requirements by replacing its system, this can have a
huge impact on the day-to-day running of the organization.