3.8 Apply security principles to site and facility design

When designing a secure facility, the main principle is to keep people out and data in.  We also want to make sure that the facility can operate redundantly.

The first thing we do is develop a Secure Facility Plan.  This plan uses a Critical Path Analysis to identify the interconnections between devices in our facility.  Security staff must be involved in the development of the plan.

We might have multiple devices or systems that perform the same task.  This is known as Technology Convergence.  It may be efficient, but it may also lead to a single point of failure.  For example, if we switch from an analog phone system to a SIP phone system, our phone calls will travel over the internet.  This is more efficient, but if the internet connection fails, so does our phone system.
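The single-point-of-failure risk described above can be checked mechanically once the facility's dependencies are written down. The following is an added example, not code from the original notes: it models each component as needing either all or any one of its inputs, then reports which components would take a service down if lost. The component names, the any/all rules and the sample facility (a SIP phone system on a single ISP uplink, with and without an analog fallback line) are constructed assumptions.

```python
"""Single-point-of-failure check over a facility's dependency graph.

Added example, not part of the original notes.  Each component lists the
components it depends on and whether it needs ALL of them or ANY one of
them.  A component with no inputs is a source (utility feed, ISP uplink).
The facility below is a constructed sample.
"""

CONSTRUCTED_FACILITY = {
    # name:            (rule,  inputs)
    "utility_power":   ("any", []),
    "generator":       ("any", []),
    "isp_uplink":      ("any", []),
    "analog_line":     ("any", []),
    "ups":             ("any", ["utility_power", "generator"]),  # either feed
    "data_network":    ("all", ["ups", "isp_uplink"]),           # power + uplink
    "sip_pbx":         ("all", ["ups", "data_network"]),
    "phones":          ("any", ["sip_pbx", "analog_line"]),      # two paths
}


def is_up(component, facility, failed, _seen=None):
    """True if `component` still works with the components in `failed` lost."""
    if component in failed:
        return False
    _seen = _seen or set()
    if component in _seen:            # a mis-modelled cycle counts as down
        return False
    rule, inputs = facility[component]
    if not inputs:                    # source component: up unless failed
        return True
    results = [is_up(i, facility, failed, _seen | {component}) for i in inputs]
    return all(results) if rule == "all" else any(results)


def single_points_of_failure(facility, service):
    """Components whose loss, on its own, takes `service` down."""
    assert is_up(service, facility, frozenset()), f"{service} is already down"
    return sorted(
        c for c in facility
        if c != service and not is_up(service, facility, frozenset({c}))
    )


def remove_component(facility, name):
    """Copy of the facility with `name` (and every edge to it) removed."""
    return {
        c: (rule, [i for i in inputs if i != name])
        for c, (rule, inputs) in facility.items()
        if c != name
    }


if __name__ == "__main__":
    print("with analog fallback:", single_points_of_failure(CONSTRUCTED_FACILITY, "phones"))
    converged = remove_component(CONSTRUCTED_FACILITY, "analog_line")
    print("SIP only:", single_points_of_failure(converged, "phones"))
```

With the analog line in place no single component takes the phones down; once it is dropped, the UPS, the uplink, the data network and the PBX each become a single point of failure for the phone service, which is exactly the trade the paragraph warns about.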

Site Selection – how do we choose the best site?

  • We should consider the cost, location, and size of the site.  Is the site big enough for the facility, and is there room for expansion, or will we have to move?

  • How close is the site to other businesses that we rely on?

  • Is the site in an area vulnerable to riots, looting, break-ins, natural disasters, or public attention?

  • Is the site close to emergency response services or is it in a remote area?

  • How good is the visibility – can we see people approaching the site?  Are there hazards associated with the visibility?

  • Do skilled people live nearby?  Is it easy to recruit employees, or will they have to travel long distances to get to work?

Facility Design – how will the facility be constructed?

  • We should consider the fire rating, the type of construction (steel or wood), the utility load (how much it will cost to power and heat), the HVAC requirements, and the availability of power, gas, and other utilities.

  • What kind of emergency access, entry and exit pathways, and alarm systems will the buildings have?

  • What kind of amenities will the facility have – kitchens, washrooms, living areas, shelters, storage, parking spaces, etc.?

  • Does the facility need to accommodate disabled people?

  • What building codes does the facility need to comply with?

  • Space for generators and fuel storage

  • Loading docks

  • Redundant entrances for power and data

Part of the facility design is physical security.  What kinds of controls should we implement?  Some examples of controls:

  • Administrative Physical Security

    • Is the facility difficult to access?

    • Are there well-trained, skilled security personnel?

    • Are employees trained to detect and report suspicious activity?

    • Is there a good emergency response plan in place?

  • Technical Physical Security

    • Access control systems

    • Intrusion alarms

    • CCTV

    • HVAC

  • Physical Controls for Physical Security

    • Fences and gates

    • Lights

    • Locks

    • Dogs

    • Signs

We want to make sure first to Deter access, then Deny access, then Delay access, then Detect access:

  • Deter Access.  The building should look intimidating enough so that people will be afraid to break in.  It won’t be worth their while.  Really tall fences with razor wire and guards with machine guns and dogs with sharp teeth and cameras everywhere.

    There should also be signs that say no trespassing.

    Security through obscurity is another concept.  If we have something valuable in our building (like a data center), we might try to disguise the facility like a warehouse.  Most data centers do not have anything on the outside identifying what they are.

  • Deny Access.  We deny access by installing fences, locks, security guards, and other security equipment.  If you try to breach the fence, the security guard might tackle you.

  • Delay Access.  We can’t always stop every breach.  What if we have a remote site like a cell tower where it isn’t cost effective to station a security guard?  A cell phone company may have tens of thousands of cell towers.  But if we build the tower with a fence around it, and use hardened steel locks and doors, it will take the thieves a long time to get in.  If we detect the access, and we can delay it long enough, we can send a response team to the site or notify the authorities before the thieves do any damage.

  • Detect Access.  If we can’t stop the breach, we should at least be able to detect it.  A breach that goes undetected is the worst kind.  Somebody is stealing from us and we don’t even know about it.
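The Delay and Detect points above combine into one check a practitioner actually makes for a remote site: is the delay that an intruder faces after the alarm fires longer than the time it takes a response team to arrive? Delay before detection does not help, because nobody has started responding yet. The following is an added example, not from the original notes; the layer names, the per-layer delay estimates and the response times are constructed assumptions.

```python
"""Delay-versus-response check for a layered remote site.

Added example, not part of the original notes.  Layers are crossed in the
listed order.  Only delay accumulated from the first detecting layer
onward counts, because the response clock starts at detection.  All
timings below are constructed estimates, not measured values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    delay_s: int        # estimated seconds needed to defeat this layer
    detects: bool       # does crossing it raise an alarm?


# Constructed sample: a cell-tower compound with the motion sensor placed
# inside the fence rather than on it.
CONSTRUCTED_CELL_SITE = [
    Layer("chain-link fence", 60, False),
    Layer("motion sensor", 0, True),
    Layer("hardened steel door", 900, False),
    Layer("equipment cabinet lock", 300, False),
]


def effective_delay(layers):
    """Seconds of delay counted from the first detecting layer onward.

    An undetected breach yields 0: the delay is real, but nobody is coming.
    """
    detected = False
    total = 0
    for layer in layers:
        if layer.detects:
            detected = True
        if detected:
            total += layer.delay_s
    return total if detected else 0


def wasted_delay(layers):
    """Seconds of delay spent before any layer detects the intruder."""
    total = 0
    for layer in layers:
        if layer.detects:
            return total
        total += layer.delay_s
    return total          # no detection at all: every second was wasted


def response_covers_breach(layers, response_s):
    """True if the response team can arrive before the last layer falls."""
    return effective_delay(layers) >= response_s


if __name__ == "__main__":
    site = CONSTRUCTED_CELL_SITE
    print("effective delay:", effective_delay(site), "s")
    print("wasted delay:", wasted_delay(site), "s")
    for response in (900, 1500):
        print(f"response in {response}s covered:", response_covers_breach(site, response))
```

Running it shows 1200 s of usable delay and 60 s wasted on the fence; moving detection onto the fence line recovers that minute, and removing the sensor altogether drops the usable delay to zero, which is the undetected breach the notes call the worst kind.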