CHAPTER 7: FACILITIES MANAGEMENT AND PHYSICAL SECURITY

Organizations across all industries and types need controlled environments that have specific conditions in order to properly operate and achieve their strategic goals. Such environments are contained and provided within specific facilities that have a unique and complex integration and interaction of logical, or intangible, environments and arrangements with physical, or tangible, ones. In this chapter, we will specifically discuss the issues related to the physical and tangible parts and the aspects related to facilities.

The terms facilities, premises, locations, and buildings are used interchangeably, and all are at the heart of this subject. With regard to BCM, facilities are critical to the organization because they include, or house, the majority of the organization’s operations and assets, both physical and logical. Thus failures or incidents affecting these facilities will naturally have an effect on the operations and assets they contain. The most important of these are the critical processes and assets, with the highest importance being given to human life, safety, and well-being.

It is important here to emphasize the roles of proactive protection, risk management and treatment, and reactive responses as the main pillars of support for proper facilities management arrangements within BCM.

Facilities management

Proper facilities management provides the organization with areas and environments that are suitable, usable, maintained, controlled, and user-friendly in order to perform operations and house assets that work together to achieve operational and strategic goals and objectives. Facilities management, as a high-level integration of components, is an umbrella for physical security, environmental preparations, and evacuation planning activities.

Facilities management, on one level, focuses on the provisioning of proper preparations and arrangements for air conditioning, power, water, lighting, and groundskeeping. On another level, facilities management plays a major role in restoring buildings to a safe, usable state and carrying out effective maintenance operations for the included areas and buildings. Continuous and sufficient supplies of air conditioning, water, electricity, and telecommunications services are vital for an organization to continue its operations. Alternative locations, whether operational or idle, should meet the same requirements as primary locations, or a sufficiently significant part of them.

Role of facilities management in BCM programs

Effective facilities management is a key contributor to reducing risks and threats inherent in or related to the buildings or facilities and the surrounding environments.

When a disaster or incident occurs, facilities management plays a key role in assessing the impact of the incident on buildings or facilities. Such assessments play a vital role in determining the overall impact of the incident and the nature of the invocation of recovery processes.

After a disaster, facilities management takes care of two important recovery tasks. The first is to salvage the remaining assets from the damage and assess their usability. In many cases, there are some valuable assets that are usable or hold critical information that can be extracted. Effective recovery plans should accommodate salvage restoration and reuse as much as possible as they can save precious time, effort, and cost if done properly. The organization can seek help from specialized vendors for such assignments and tasks.

The second task that is assigned to facilities management is the proper activation and use of alternative sites to accommodate the recovery process and required assets. Such activation is driven and constrained by timeframe limits and recovery objectives. Part of this task is also the mobilization of teams and assets from alternative or recovery locations to primary, permanent locations, either old or new. Facilities management is a vital stakeholder in determining the suitability and usability of permanent locations for the organization’s operations. This task also includes the necessary activities to manage continuity of facilities management activities and make sure that resources (whether human, physical, or monetary) are being planned for and allocated as required.

Unfortunately, BCM programs sometimes overlook the importance of facilities management areas. Facilities management is an aspect of the organization that has the same features as any other department. It should be included in the BCM life cycle as an independent and dedicated, not virtual, function that is given its appropriate weight.

Main activities of facilities management

Facilities management has related activities that cover key areas. In addition to physical security and environmental setups, facilities management extends to cover building management systems and space management. These activities start as early as the conceptual design stages and continue throughout the operational lifetime of a building through a combination of administrative and technical activities. We will be covering the parts related to physical security and environmental preparation in later sections of this chapter.

Building management systems

Building management systems (BMSs) involve the technical and management activities to run and maintain a controllable environment within the facility. In modern environments or facilities, especially large ones, the management is performed through automated and smart systems that integrate with the other components and provide easy-to-use, consolidated, and accurate interfaces with the different variables and attributes related to the facility. As far as BCM is concerned, this can play a vital role in the early detection of faults and a more proactive response, resulting in a lower impact from disasters, failures, and outages. Automated and smart BMSs help the facilities manager to be more hands-on and adaptive to changes, and maintain the facility in a state that is ready for changes.

Space management

Space is one of the most precious features of a facility. It is important to allocate and utilize the space provided by the facility in the best possible way. Facilities do not only house people. They also house many of the critical assets of an organization, like data centers and important documentation. Space should be allocated to meet all requirements in relation to these. Naturally, people should be given optimal space, as crowded areas negatively affect the well-being and morale of employees, and the confidentiality of information. Such situations are red-flagged, as some people actually change their employers if they don’t feel comfortable in their workplace. It can also put the organization at legal, regulatory, and reputational risk. Proper space management should also consider expected growth and expansion of the organization and, consequently, its employees and critical assets.

Physical security preparations

Physical security, specifically, is the area concerned more with the material protection and safety of physical, or tangible, assets against improper use, utilization, or exposure, regardless of whether they are internal or external assets.

Physical security is important because it provides the visible aspect of protecting an organization and its critical assets. With regard to information and technology, physical security complements the role of technology, or logical, security. For example, computer rooms and workplaces that have improper access control or are unmonitored can undermine the whole reason and worth of having the tightest logical security measures and controls.

Physical security and BCM

Physical security plays a major role within the BCM program. Its comprehensive coverage and focus are drawn from its link with BCM. Proper physical security is very effective in minimizing man-made disasters as its relevant controls and techniques concern people-related threats. If such threats occur, physical security greatly contributes to the detection, controlling, and recovery phases. As mentioned above, physical security does not only integrate with BCM, it is also a major pillar in the information security program, covering areas where technology, or logical, security falls short.

Physical security policy and framework

Similar to other disciplines of security and BCM, physical security needs a solid and clear policy that determines the scope, activities, and controls that the organization is intending to use for physical security. The policy needs to be integrated and aligned with other programs, especially in relation to information security and BCM programs.

The policy should also define the ownership of the overall physical security discipline and the owners of substantial activities. These definitions are important for establishing accountability and practical and viable implementation plans and follow-ups. Where physical security is considered part of the BCM program, a reporting line between the BCM owner and supporting committee should be established with the physical security owner. Both the relationships with the BCM program and the reporting lines should be defined in the physical security policy.

It is important to include the scope definition of the physical security policy and subsequently the relevant physical security activities.

Another element of the policy is the review and update processes. It is very important to look at physical security as an organization-wide discipline that is not restricted to premises or security departments.

A typical physical security policy would contain the following sections:

  • policy statement
  • scope
  • objectives of policy and physical security
  • definitions of relevant aspects in relation to physical security
  • ownership
  • review and update processes
  • guiding principles
  • relationships to standards, programs, regulations, and other mandatory or discretionary policies
  • physical security activities, setups, preparations, and controls.

Physical security activities

Physical security is linked to many activities that can be seen, or even unseen, within organizations worldwide. These activities can be mapped to the following categories:

  • perimeter protection and security
  • access control
  • internal premises protection and security
  • surveillance and monitoring
  • guards
  • alarm systems
  • fire suppression systems.

These categories do not work independently. They act together in an integrated manner so that unwanted access, improper use, and realization of threats are minimized to the lowest possible levels.

Perimeter protection and security

The logical approach to physically protecting the organization is to set the physical boundaries of the organization and enhance the security measures there to prevent the unauthorized access of people and goods to the premises. Walls, fences, gates, guards, and other measures are among the usual and common implementations of this category. The main idea is to control unwanted access to and from the premises as required by the organization.

Access control

The role of access control is to allow only authorized people and other assets to move in the desired direction in an easy and secure manner.

The implementation of access control starts by identifying secure areas and assets and the names of people and assets allowed to access them, and in what manner. In order to achieve this goal, organizations utilize several measures and controls like keys, ID cards, badges, automatic access controls, locks, mantraps, and others. These controls and measures work on a very simple principle: allow the bearer of the card, key, or badge access. As the controls have evolved, so have intruders’ abilities to break them. It is now becoming more common to have dual- and triple-factor access controls that are extremely personalized and hard to fake. Biometrics, one-time password tokens, and similar controls are making their way into organizations these days.

Internal premises protection and security

It is not enough to protect the outer perimeters of an organization; the insides of premises and buildings need the same attention as well. Within the organization’s premises, there are some areas that are more confidential or private than other areas because they contain critical assets, like archiving rooms, data centers, safes, and rooms containing cash. This category can also include executives’ offices and meeting rooms, where confidential information is shared. These areas, or zones, need to be protected physically by proper walls, doors, and access controls.

The other areas, which are categorized as less confidential or public areas, are those which are accessed by the public, like entrances and public hallways. They can also be showrooms, galleries, and toilet areas. These areas, although public in nature, still need a proper level of wall enforcement and door controls. Access control may not be strict as they are public areas but comprehensive monitoring is highly recommended. Visitors’ safety is an obligation on the organization as long as they are inside its premises.

Surveillance and monitoring

It would not be an exaggeration to say that surveillance and monitoring are major features in proactive physical security programs in any organization. In modern implementations, the scope of surveillance and monitoring goes beyond the known and familiar roles of detecting breaches and getting visual coverage of the organization’s premises and sensitive locations. Surveillance and monitoring extend their usability to cover areas that are not related to human actions or visual imaging of the organization’s premises. It is now common to cover environmental parameters and variables. Automatic surveillance and monitoring with intelligent recording, notification, and resolution capabilities are also becoming increasingly common in modern security implementations.

As mentioned earlier, technology is a valuable resource here as it becomes the eyes, ears, and sometimes brains of the physical security professional. Security systems provide enormous capabilities starting from cameras and sensors, going through recording and archiving, and finally using notifications, alarms, and decision intelligence. These systems, properly integrated with a competent human element, can provide the organization with the required levels of physical security.

Guards

Along with the physical and technological setups and preparations in relation to physical security, there comes a major and vital element: guards.

There are areas where all technological and physical preparations fall short of delivering the appropriate levels of security, especially when the threat or risk is related to humans, as in the case of burglary, sabotage, etc. Guards can complement these areas as well as enhance the protection levels by including human intelligence and common sense in the process.

Guards’ activities include the usual roles of gate control, human surveillance and intervention, and sometimes of operating systems related to physical security. Guards also play an important role in suppressing human-related threats if they occur. They can substantially help in estimating the damage and situational aspects in delicate and complex situations.

Alarm systems

Alarm systems work closely with surveillance and monitoring. Alarms are there to notify and communicate an event at the time it happens in order for the necessary actions to be taken. Of course, the most common alarms are fire alarms. Physical security activities should detail the events required to be associated with alarms and notifications. Among these are fire, flood, temperature, physical break-in and perimeter breach, and alarms associated with equipment operation and breakdown. Nowadays, with the mobile computing and smart phone revolution, manufacturers are supporting notification and alarm platforms that integrate and operate on smart phones and mobile computers or laptops, tabs, and pads. This feature is extremely helpful in ensuring that the alarms and notifications do actually reach all concerned parties, if they are not physically present at a particular location.

Fire suppression systems

Fire is one of the most threatening hazards to be addressed by organizations of all sizes due to its damaging impacts and consequences on people, buildings, assets, equipment, etc.

There are now mandatory requirements for every organization to install a fire alarm and suppression system. Fire suppression systems are operated either manually or automatically and use different suppressing materials for different purposes. Fire suppression systems are supposed to suppress fire by reducing oxygen levels and/or burning temperatures. The usual and common suppression systems use water as a suppressing material. Water is the safest for people but will damage equipment and furniture. That is why it is common to have sprinklers in the work areas and spaces that are occupied by people. In areas like data centers and technical rooms, where people are unlikely to be present, more powerful and effective materials are used, like gases (FM200) and foam. While these are safe for the equipment and furniture, they pose a hazard to people. Thus they are used only in unmanned areas and, in the cases where these areas become manned, they are manually activated to ensure human safety.

Another method is to have the organization’s premises divided into zones, so that activated alarms are associated with specific zones. Fire suppression systems are activated only in the specific zones where alarms are activated and so avoid unnecessary damage to other unaffected parts of the premises.

Environmental setups and preparations

Along with physical security and facilities management, there exists another area of high importance to the facility, the people, and the assets housed and utilized by the organization. This area is called environmental setups and preparations.

The reason why this area is important is because it provides the necessary preparations for the facility to be usable, the workplace to be manned, and the equipment to operate and function. Setups and preparations deliver these goals through controlling various environmental variables and parameters for various zones and conditions to maintain the desired levels of the surrounding environment.

Being more specific, environmental preparations and setups deal with environmental variables and parameters related to:

  • electricity
  • heat, ventilation, and air conditioning (HVAC)
  • lighting
  • electromagnetic interference
  • water supplies and drainage
  • fuel supplies and storage
  • vibration control.

The list above can be longer, depending on the nature of the organization and its operations and housed assets.

Relationship with BCM

As with physical security, BCM has a two-way relationship with the above-mentioned environmental preparations and setups. Failures in this area can easily evolve into organization-wide disasters and crises. On the other hand, BCM includes some requirements and special needs from these areas that depend on analysis and approved strategies. Environmental setup works closely with facilities management and physical security to deliver such requirements and needs. For example, data centers, storage areas, and workspaces are all areas that need special settings for environmental variables and parameters.

Roles related to environmental setup and preparations

Environmental setup is commonly assigned to facilities management, building administrators, and maintenance departments. However, it is also common to have technology departments responsible for the definition and implementation of their environmental setup. In all cases, there should be a flow of requirements passed from other departments with interests in specific areas.

Environmental setup activities

Within environmental activities lie a number of areas that are interconnected and interdependent. You should remember that environmental activities do not stand alone. They are highly integrated with and dependent on physical security and facilities management. Thus they should not be considered in isolation from such disciplines.

The environmental activities that we will go through here are:

  • electricity
  • HVAC
  • lighting
  • electromagnetic interference
  • water supplies and drainage
  • fuel supplies and storage
  • vibration control.

Electricity

Electricity may be the most important member of the list above. The placement of electricity under environmental preparations is due to its close coupling with HVAC and lighting as well as its not-so-close coupling with the others. It is also common to have electricity under physical security. That is correct as well. Remember that physical security, environmental preparations, and facilities management complement each other and are closely integrated.

The electricity equipment like generators, uninterruptible power supply (UPS), distribution panels, cable trays, circuit breakers, and power precision control (PPC) should be protected and secured from tampering and unauthorized access. They should be clearly labeled and marked with clear signs indicating dangerous and hazardous equipment.

Cables should run through specific trays and should be clearly labeled. Outlets and wall sockets should also be labeled and numbered to track their relevant cables for maintenance activities. This is also helpful to prevent undesired loads being placed on the UPS.

In addition, all cable trays and electricity generating and distribution equipment should be mapped on clear diagrams and layouts to facilitate referencing for maintenance, upgrades or substitutions.

These days, UPSs and generators are all network-ready and can be connected to the organization’s local area network (LAN). This feature is very helpful in monitoring the status and performance of these pieces of equipment and detecting alarms and early signs of failure. Nevertheless, it can also be a vulnerability that can have serious impacts if exploited. The world has seen Trojans and viruses targeting industrial equipment and bringing it down. Make sure that these pieces of equipment are connected to the LAN through firewalls, intrusion detection systems and intrusion prevention systems, and proper anti-virus software or firmware.

Another important aspect in security preparations is redundancy and elimination of single points of failures in the electrical generation and distribution network. In one organization, a single battery attached to a UPS brought down the whole data center and could not be detected for failure as it was maintenance-free. It was embarrassing to know that a US$100 battery made preparations worth US$2 million completely useless. The battery set containing this battery and the UPS attached to it was simply a single point of failure being overlooked.
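The single-point-of-failure check described above can be run mechanically over a dependency model of the power chain. The following Python sketch is an added example, not part of the original chapter; the component names, both topologies, and the assumption that the UPS drops its load when its battery string opens (as in the anecdote) are constructed for illustration.

```python
"""Find single points of failure in a power dependency model (constructed example)."""

# Each component maps to (mode, dependencies):
#   "all" = series: every dependency must be up
#   "any" = redundant: at least one dependency must be up
# A component with no dependencies is up unless it has failed itself.
# ASSUMPTION: the UPS needs its battery string to carry the load.

# Constructed topology resembling the anecdote: one UPS, one series battery string.
SINGLE_UPS = {
    "utility_feed": ("all", []),
    "fuel_tank": ("all", []),
    "generator": ("all", ["fuel_tank"]),
    "transfer_switch": ("any", ["utility_feed", "generator"]),
    "battery_1": ("all", []),
    "battery_2": ("all", []),
    "battery_3": ("all", []),
    "battery_string": ("all", ["battery_1", "battery_2", "battery_3"]),
    "ups": ("all", ["transfer_switch", "battery_string"]),
    "data_center": ("all", ["ups"]),
}

# Constructed redundant topology: two independent UPS paths feed the load.
DUAL_UPS = {
    "utility_feed": ("all", []),
    "fuel_tank": ("all", []),
    "generator": ("all", ["fuel_tank"]),
    "ats_a": ("any", ["utility_feed", "generator"]),
    "ats_b": ("any", ["utility_feed", "generator"]),
    "battery_a1": ("all", []),
    "battery_a2": ("all", []),
    "string_a": ("all", ["battery_a1", "battery_a2"]),
    "battery_b1": ("all", []),
    "battery_b2": ("all", []),
    "string_b": ("all", ["battery_b1", "battery_b2"]),
    "ups_a": ("all", ["ats_a", "string_a"]),
    "ups_b": ("all", ["ats_b", "string_b"]),
    "data_center": ("any", ["ups_a", "ups_b"]),
}


def is_up(topology, component, failed):
    """Return True if `component` still works when everything in `failed` is down.

    The model is assumed to be acyclic (power flows one way towards the load).
    """
    if component in failed:
        return False
    mode, deps = topology[component]
    if not deps:
        return True
    states = [is_up(topology, dep, failed) for dep in deps]
    return all(states) if mode == "all" else any(states)


def single_points_of_failure(topology, load):
    """List every component whose failure alone takes `load` down."""
    if not is_up(topology, load, frozenset()):
        raise ValueError(f"{load} is down even with nothing failed; check the model")
    return sorted(
        name
        for name in topology
        if name != load and not is_up(topology, load, {name})
    )


if __name__ == "__main__":
    for label, topo in (("single UPS", SINGLE_UPS), ("dual UPS", DUAL_UPS)):
        spofs = single_points_of_failure(topo, "data_center")
        print(f"{label}: {len(spofs)} single point(s) of failure")
        for name in spofs:
            print(f"  - {name}")
```

In the single-UPS model every battery in the series string is reported, which is the overlooked case from the anecdote; the dual-UPS model reports none, although a double failure such as utility feed plus fuel tank still takes the load down.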

It is also important to test redundant equipment frequently and under real loads, if possible. Testing uncovers faults and detects them while it is easy to fix them. Testing reports should be circulated to relevant parties as part of their usual reporting.

Heat, ventilation, and air conditioning

HVAC systems are responsible for controlling the temperature, humidity, and air flow within the various areas of the premises. In common workspaces, HVAC aims to provide a comfortable atmosphere for the people located in that space. In specific areas like data centers, warehouses, garages, etc., HVAC plays a more critical part in providing an atmosphere for the assets and people located within them that matches their needs. Equipment often specifies a recommended operating environment in which the equipment functions properly. HVAC specifications play a big part in the recommended operating environment. These specifications are to be followed with the utmost precision. Otherwise, expensive equipment may not function properly or may not function at all. In both cases, the organization will suffer considerable impacts.

Let us consider the workspace which people actually occupy. As mentioned before, the right HVAC system should provide a comfortable environment for the people to stay there and work during their working hours. The HVAC system should cater for controlling the temperature during working hours and according to the season. Environments that are too hot can cause illness and faintness. Environments that are too cold can also cause serious illness.

Environments with high humidity can also cause people’s health to suffer and can damage office equipment, while those with low humidity can cause dryness and dehydration.

Environments with poor ventilation or air circulation can be filled with germs and odors that can be easily labeled as undesirable. Ventilation is also a key component in maintaining desirable temperature and humidity levels.

Currently, the operation of HVAC is almost completely automated and integrates seamlessly with the other BMSs.

As guidelines, the following principles should be considered when designing, deploying, and maintaining HVAC systems:

  • HVAC systems should be set up according to the local environment, weather, social customs, and seasonal requirements.
  • Check with the local health and safety office for the recommended specifications for temperature, humidity, and ventilation.
  • Design the HVAC to be adaptive to changes and future demands.
  • Preventive maintenance plays a major role in keeping the HVAC system up and running.

Lighting

Workspaces should be provided with sufficient lighting to enable staff to perform their jobs. Dim or excessive lighting can pose health threats to staff and will, at a minimum, provide an uncomfortable environment in which to work.

Lighting requirements depend on the nature of the jobs being undertaken within the space and on the age range of workers. Tasks that require visual focus, like proofreading or graphic design, require different lighting levels than common office tasks. Older people usually require more lighting than younger staff.

Other areas, like data centers and warehouses, need different lighting designs. These locations are often unmanned. Nevertheless, they also contain critical assets. Lighting may be required to conduct effective monitoring, maintenance, and troubleshooting.

In all areas across the premises, there should be emergency lighting that is fed through a UPS and batteries. Having the emergency lighting installed can significantly reduce the impacts on human life and increase the chances of effective recovery from an incident. Emergency lights should be installed on aisles, pathways, doors and exits, bathrooms, elevators, stairwells, and other critical areas.

Electromagnetic interference

Electromagnetic interference is especially harmful to equipment. The machines and equipment used in organizations today are mostly electronic and electric, and electromagnetic disturbance or interference can affect the operation of this equipment and machinery. The sources of electromagnetic interference are numerous. Cell towers, power stations and transformers, and microwaves can be sources of electromagnetic interference.

Often, the equipment that is generating or being affected by electromagnetic interference is shipped with enclosures to prevent such interference. Additionally, in areas where these machines and equipment are operated, thin metal sheets are implanted within the walls, ceiling, and roof to prevent interference from leaving or getting into the area. There are also sensors and detectors that can raise the alarm when interference levels reach unacceptable limits.

Water supplies and drainage

Water is an important resource within an organization, used for drinking and flushing toilets. In addition, some organizations use water for cooling machines and within the HVAC system. Water supplies should be stored and run through a reliable system of storage tanks, wells, pipes, drains, and pumps.

Water is also a threat. Floods from internal and external sources can harm an organization and its employees and assets. When designing or choosing a building, investigating its exposure to floods from neighboring rivers, streams, and water reservoirs and distribution facilities is highly recommended. The building should be surrounded with drains to steer water away to public sewage systems or other drainage paths. The building’s walls should be enhanced with proper insulation. There should also be sensors for water leakage within and around critical areas.

Internally, water storage tanks and reservoirs should be isolated and sufficiently remote from electrical equipment and fuel storage facilities. They should be secured against unauthorized access and clearly labeled. The pipes should run away from critical areas, like data centers and warehouses. The pipes should be checked periodically, at least every three months, for cracks, rust, and leakages. Having more than one supplier of water is also recommended since if one supplier is disrupted, other suppliers can compensate for the shortage.

Fuel supplies and storage

Fuel is critical for the organization as it enables backup generators to keep running for an extended period of time. It is also used for heating.

Due to the hazardous nature of fuel, there should be extra precautions taken for its storage and use. The fuel tanks should be isolated and remote from other areas, especially those that are manned or contain heat sources, like kitchens. Fuel tanks and the surrounding areas should be secure and clearly labeled with signs and clear text. Tanks should be checked for cracks and leakages once a week. Needless to say, detected faults should be handled with urgency and care.

As with the case of water, having more than one supplier for fuel is recommended to compensate for single failures of individual suppliers. Tanks should also be kept full all the time.

Vibration control

There are three reasons why vibration control is important. The first is that certain equipment and machinery require vibration to be below a certain level to operate properly. Exceeding these limits can make the machines malfunction or damage them. The second reason is that it can cause damage to a building’s structure and thus pose the threat of collapse, consequently damaging assets and threatening human lives. The third reason is that it is unhealthy and uncomfortable to be in a place that shakes all the time. Productivity levels decrease and health problems may occur.

To control vibration, the surroundings and interior of the building should be free from vibration sources. If internal vibration sources are inevitable, they should be located in remote areas of the building and dampers can be used around these sources to decrease vibration levels. Vibration sensors should also be installed in critical areas to trigger alarms if specified vibration levels are exceeded.

If the vibration sources are external, the organization may install dampers around critical areas to protect the enclosed assets.

Regular vibration checkups should also be included within the periodic environmental check.

It should now be clear that facilities management, physical security, and environmental setup all work together in one integrated framework to provide the organization with effective operations and reduced hazards. Indeed, many of the disasters recorded in recent history were linked to components relevant to the areas mentioned above. Thus it is very important to look after this domain and make sure that it helps the organization during normal conditions and during recovery from disasters.
