Exclusive: The principles of designing and delivering security policy
James Thorpe
When it comes to the security of premises, large or small, the principles remain the same. The security policy is derived from the overall organisation policy and the objective is for it to assist the organisation in attaining its goals.
The Security Policy design and delivery discipline is outlined in 12 steps:
- Plan your Policy
- Write it down
- Understand what you are trying to protect
- Carry out Risk Assessment & Analysis
- Review the Threats
- Design your Policy
- Get upper management buy-in & HR support
- Write down the procedures
- Derive service rules from the policy
- Educate & Train your staff
- Create Security Culture in the organisation
- Update Policy as deemed necessary
It has been suggested that the circumstances of recent years, together with increasing professionalism and demands for cost effectiveness, have created a need to safeguard the assets, personnel and even the profitability of the organisation against theft, fraud, fire, criminal damage and terrorist acts. Achieving this requires the employer to formulate and implement clear rules and policies.
Security management is viewed differently when placed in different contexts; the general view is to take preventive measures to stop an undesired event from taking place. Others may view it as guarding assets against crime, the physical protection of premises, loss prevention or risk management.
However, in my opinion, it should be viewed as a management function and as the responsibility of all members of staff. Each of us performs security and safety functions daily as a matter of course: locking doors, clearing desks, using passwords, logging out of computers, switching off equipment, reporting incidents and so on. The culture of an organisation, including its approach to security policy, stems from a philosophy that may be attributed to the head of the organisation and/or to past events that have shaped the organisation's history, as well as to current events that define its position in the market.
As the Chief Executive of a successful large organisation stated: “The core of our organisation is ’People — Product — Profits’, if we take care of our people, products will be created and profits will follow.”
Safety and security of employees and business premises are evidently important for the efficient functioning of the organisation. However, the security function, which embodies people, structures, systems, procedures and information, should be integrated into the organisation with the minimum of obtrusiveness and interference. It is a support function, creating the secure and safe environment the organisation needs in order to function properly. The level of security measures must be judged correctly to strike the right balance, so that security does not impede the business from operating efficiently. Nevertheless, employees also need to be secure, and to feel secure, in order to support the business.
Management of security should be carried out as an on-going project of improvements of preventive measures. It should not be treated only as a priority when an undesired event occurs, with the priority then ending when the situation is rectified.
For an organisation or any enterprise serious about security, professional methods should be followed in assessing security needs. These methods are known by various titles, including security survey, protective security risk review, security audit, security review, and risk and threat assessment. It has been suggested that the security review consists of four stages: resource appreciation; threat assessment; risk analysis; and identification of weaknesses together with recommended solutions. Through this process, the assets and functions critical to the survival of the organisation are identified so that they receive the best protection.
Security Policy statements
Protection of business premises and employees
The organisation needs to employ and implement all necessary security measures geared towards the protection of premises and employees. Legitimate access to the premises is to be controlled and recorded 24 hours a day. Intruder and fire alarm systems are to be installed, and remote monitoring of them is recommended.
Access Control
This is to be considered a priority that applies to all those who require access to the premises, including local and visiting staff. The official ID badge must feature prominently as the primary means of identification. Where a badge cannot be presented, the identity of the person requiring access is to be verified by other means, such as biometrics (for example facial recognition), before access is allowed.
Security system administration
Receptionist/security personnel are to be allocated the responsibility for the day-to-day administration of the security system. This is to be supervised and managed by nominated senior personnel who take on the responsibility of the security management of the building, or by a delegated authority.
Security system fault reporting
An up-to-date log is to be kept for recording all faults found in the system.
Bomb threat
All bomb threats that are received must be taken seriously and the planned procedures and instructions are to be implemented immediately. The organisation’s security personnel, fire wardens and reception staff are to have defined responsibilities and to be fully trained in actions to be taken in the event of a bomb threat emergency.
Security officers’ instructions
There is to be a set of specific, detailed instructions covering the whole spectrum of the security system in operation.
Dissemination
Dissemination is the transmission of information internally; this information may have been obtained from internal or external sources. Communication, by contrast, is described by Carroll and Gillen (1987: 38-51) as "the exchange of messages between people for the purpose of achieving common meanings".
Communications
Communication and exchange of security information regarding incidents or potential risks between businesses in the same vicinity, such as a retail or industrial park, has proved effective in the fight against crime. It has been suggested that this is a good security management strategy for business and industrial estates because it significantly increases risk communication and develops a safety culture amongst members.
Communication of risk is crucial to the subsequent interpretation of that risk by the recipients of the communication. Feedback is critical to effective communication. Risk communication should involve a dynamic exchange of information between parties, which has the potential to resolve conflict. Communication and raising awareness of security issues and safety is to be exercised as an ongoing process of learning.
Human resources
Recruitment and Vetting
It has been suggested that the general tendency is to recruit staff on the basis of their skills to perform a particular job, with little attention paid to their personal attributes, e.g. commitment, loyalty and trustworthiness. These aspects of staff selection only come to the fore once the corporate damage has been done, as the result of recruiting staff about whom very little is actually known.
It then becomes necessary to draw up a vetting procedure to confirm job applicants' background details, credibility and references. For particular posts it may also be necessary to carry out checks against police and other official records. Educational establishments should also be contacted to verify claimed academic achievements or their equivalent.
The application of psychometric assessment can be invaluable in identifying individuals who may be well qualified in the technical requirements for the job but lacking in various aspects of personality, for example temperament, attitude, emotional stability and reliability. Such assessment can forestall many of the problems that follow from recruiting the wrong people. However, the exposure to risk created by existing employees will require even more sensitive selection techniques.
Contracts of Employment
Employees' contracts need to address the protection of confidential and sensitive information both during and after the period of employment, to minimise the potential leakage of information. During their term of employment, employees are exposed to confidential information about the organisation. This may be received legitimately in the course of their duties, or picked up from overheard conversation or commercial gossip.
Typical techniques used by competitors may include in-depth interviewing of new appointees about previous employment. It then becomes necessary for employers to be proactive and warn staff of their duties and contractual obligations.
Part of the interview and job briefing for new employees, in addition to a section in the contract of employment, should be devoted to Security and Health & Safety. This is to ensure that employees are aware that the organisation takes this matter seriously and that any damage or disruption to the business resulting from breaches of rules and procedures could prove costly, not forgetting their personal risk of criminal convictions and heavy fines.
Training
Personnel training to raise the awareness level of basic security issues is important for any security policy to be considered a success. Even more important is awareness and compliance with health and safety rules and regulations, as organisations pay heavy penalties for breaches of such laws today.
Many managers and staff are either unaware of the risks to their organisation or genuinely believe them to be minimal and therefore not worthy of management time. The existence of a security policy, and its contents, must be made common knowledge amongst employees; the document could be made part of the induction process.
The level of understanding of the criminal mind, coupled with the perception of risk, is argued to be a major factor in determining the level of preventive measures employed. The key issues in this process are defining the responsibilities of management, supervisory and specialist staff, determining how these responsibilities are to be delegated, coordinating their execution and maintaining high morale.
Business continuity planning and disaster recovery must go beyond the usual fire, flood, breakdown and acts of God. Breaches of security and loss of critical information are as much major disasters as fire or flood and consequent loss of stock.
The traditional crime prevention approach employs the mind of the burglar and opportunist felon, whereas in the information age the criminal is much more sophisticated and, consequently, harder to predict and control.
By Adil Abdel-Hadi MSc (Security Management), CSyP, FSyI