ANSI/ASIS PAP.1-2012
h) Periodic testing of the PPS under normal and abnormal conditions;
i) The potential impact on the PAP system by disruption of critical infrastructure (e.g., electricity,
water, communications, transportation) and other dependencies and interdependencies (e.g.,
information technology systems); and
j) Procedures and actions required to recover the PAP system within the organization’s recovery
time objective and the resources that it requires for recovery.
The organization should continually assess, and periodically review and revise, its incident prevention,
preparedness, and response procedures – in particular, after the occurrence of accidents or incidents
that did escalate or could have escalated into an emergency or crisis situation.
The organization should document this information and update it at regular intervals or as changes
occur. Incident reports should be included in management review.
A.8 Performance Evaluation
A.8.1 Monitoring and Measurement
The PAP management performance of the organization should be monitored, measured, and analyzed
in order to evaluate the effectiveness of the PAPMS.
The organization should establish, implement, and maintain procedures to monitor, measure, and
evaluate the effectiveness of PPS and controls including:
a) Operational and performance evaluation, both on a regular basis and after a disruptive event;
b) Communications and information systems; and
c) Projected systems effectiveness to forecast organizational changes.
The procedures should include the documenting of information to monitor the calibration, efficacy,
applicable operational controls, PAP management procedures, and conformity with the organization's
objectives and goals.
The organization should define:
a) What should be monitored and measured;
b) How and when the monitoring and measuring should be performed;
c) How and when the analysis and evaluation of the results of monitoring and measurement
should be performed; and
d) Who should receive these results.
The organization should take appropriate action when necessary to address non-conformance of the
PPS.
The organization should keep records of the results of the monitoring and measurement of the PPS.
A.8.2 Evaluation of Compliance
The organization should establish, implement, and maintain procedures for periodically evaluating
compliance with legal, regulatory, and other requirements. The organization should take appropriate
action when necessary to address non-compliance. The organization should keep records of the results
of the evaluations.
A.8.3 Exercises and Testing
The organization should use exercises and other means to test the appropriateness and efficacy of its
PAPMS plans, processes, and procedures – including stakeholder relationships and infrastructure
interdependencies. Exercises should be designed and conducted in a manner that limits disruption to
operations and exposes people, assets, and information to minimum risk.
Exercises should be conducted regularly, after a significant event, following significant changes to the
organization's mission and/or structure, or following significant changes to the external environment.
A formal report should be written after each exercise. The report should document the formal review of
the appropriateness and efficacy of the organization’s PAPMS plans, processes, and procedures –
including nonconformities – and should propose corrective and preventive action.
Post-exercise reports should form part of top management reviews.
A.8.4 Nonconformities; Corrective and Preventive Action
The organization should establish, implement, and maintain procedures for dealing with
nonconformities and for taking corrective and preventive action. The procedures should define
requirements for:
a) Identifying and correcting nonconformities and taking actions to mitigate their impacts;
b) Investigating nonconformities, determining their causes, and taking actions in order to avoid
their recurrence;
c) Evaluating the need for actions to prevent nonconformities and implementing appropriate
actions designed to avoid their occurrence;
d) Assigning accountable and responsible persons to completing each action;
e) Recording the results of corrective and preventive actions taken; and
f) Reviewing the effectiveness of corrective and preventive actions taken.
The organization should ensure that proposed changes are made to the PAPMS documentation. The
organization should retain documented evidence of the nature of the nonconformities and any
subsequent actions taken to improve performance and their results.
A.8.5 Internal Audit
The organization should establish, implement, and maintain PAPMS procedures to conduct audits at
planned intervals and on a non-periodic basis as determined by top management.
Internal audits should assess whether the PAPMS:
a) Meets the requirements of this Standard;
b) Meets the jurisdictional legal and regulatory requirements;
c) Has been properly implemented and maintained; and
d) Has been effective in achieving the organization’s PAP management policy and objectives.
Internal audit procedures should:
a) Define responsibilities and requirements for planning and conducting audits, reporting results,
and retaining associated records;
b) Define audit criteria, scope, competencies, accountabilities, responsibilities, frequency, and
methods;
c) Ensure that the results of the internal audits are reported to the management responsible for the
area being audited; and
d) Retain relevant documented information as evidence of the results.
Auditors should be selected and audits should be conducted in a manner which provides objectivity
and which demonstrates impartiality of the audit process.
A.9 Management Review
Top management should formally review the organization's PAPMS at planned intervals to ensure its
suitability, adequacy, and effectiveness. The reviews should assess opportunities for improvement and
the need for changes to the PAPMS, including the policy, scope, objectives, and targets. Records of all
top management reviews should be retained.
Input to top management reviews should include:
a) Results of PAPMS audits and routine reviews;
b) Feedback from internal and external stakeholders;
c) Results from exercises and testing;
d) The extent to which objectives and targets have been met;
e) Status of corrective and preventive actions;
f) Follow-up actions from previous top management reviews;
g) Changes in the internal, external, and risk management context of the organization;
h) Changing circumstances, including developments in legal, regulatory, and other requirements;
and
i) Opportunities for improvement.
The outputs from top management reviews should include decisions and actions related to possible
changes to scope, policy, objectives, targets, and other elements of the PAPMS, with the aim of
promoting continuous improvement.
Top management should review the organization's PAPMS at planned intervals to ensure its
continuing suitability, adequacy, and effectiveness.
The organization should:
a) Communicate the outputs of management review to relevant stakeholders;
b) Take appropriate action relating to those outputs; and
c) Retain documented evidence of the results of management reviews.
A.10 Improvement
A.10.1 Maintenance and Change Management
Top management should establish a defined and documented PAPMS maintenance program to ensure
that any internal or external changes that impact the organization are reviewed in relation to the
PAPMS. The organization should ensure that any necessary changes are made to the PAPMS.
A.10.2 Continual Improvement
The organization should continually improve the effectiveness of the PAPMS through the use of the
PAP management policies, objectives, audit results, analysis of monitored events, corrective and
preventive actions, and management review.
Annex B
(informative)
B INFORMATIVE GUIDANCE ON THE ELEMENTS OF PHYSICAL
ASSET PROTECTION
B.1 General
This Annex should be used in conjunction with other ASIS International documents that address these
topics in greater detail:
- ASIS International, Protection of Assets.
- ASIS GDL FPSM-2009, Facilities Physical Security Measures Guideline.
Physical asset protection requires the organization to protect its assets and interests from malevolent
acts; undesirable events and changes; the natural, social, and economic environment; and the
community in which it and its interests operate. The PAP systems should be implemented, monitored,
operated, and tested to deter, delay, and detect with the goal to deny malevolent acts; provide a
response to malevolent acts and undesirable events; and provide the processes to recover. The physical
security protection systems performance measurements should be aligned and assessed to this.
The PAP systems, their physical applications, and operating procedures should be integrated and
aligned to an organization’s needs and converged into its overall security and protection systems (such
as people, physical, electronic systems, etc.) and the functional and operational processes that enforce
resiliency and capability to meet changes faced by the organization while protecting its assets. This
Annex provides the guidelines to implement the individual physical protective measures and PAP
applications to the organization’s facility, asset, or operation, in conformance to the requirements of the
PAPMS.
To achieve the requirements of the PAPMS, PPS should be implemented to provide:
a) Protection in depth: The protection system will be implemented to ensure adversaries have to
avoid or defeat numerous system components in sequence. This creates additional steps that the
adversary must take to defeat the system, requires extensive planning to defeat the system, and
reduces the adversary’s likelihood to defeat the system. Protection in depth also delays an
adversary, thereby providing additional opportunities to detect and respond to an event.
b) Minimum consequence of component failure: Instills contingency planning into the protection
systems that mitigates against the vulnerability of the systems to component failure and/or the
defeat of the protection system.
c) Balanced protection: The protection system’s individual applications and components will be
integrated and converged so that they provide an equal level of protection. Each protection
system application or component may be physically or structurally different, but addresses and
maintains an adequate level of protection against risks by balancing structural integrity, safety,
and costs.
Factors that will influence the adversary’s perception of the target fall into a phenomenon referred to
by the acronym CRAVED¹ whereby assets must be:
a) Concealable;
b) Removable;
c) Available;
d) Valuable;
e) Enjoyable; and
f) Disposable.
The PAP systems should be applied accordingly and conform to the required performance
specifications aligned with clearly defined operational requirements – including quantifiable functional
monitoring, testing, operating, maintenance, and replacement specifications. Compliance with the
performance specifications should be demonstrated upon completion of the installation.
B.1.1 Process of Physical Asset Protection Systems Risk Assessment and Application
The PAP systems should be applied to the organization’s facilities, assets, or operations following the
risk assessment process outlined in A.4.2, Risk Assessment and Application. This will assess and
determine the overall risk and the requirements of the PAP system that will be considered to treat the
identified risks.
The PAP risk assessment process should be aligned to the overall organizational risk considerations to
the facility, asset, or operation where the PAP system is considered for implementation. This should
identify the requirements of a single physical asset protection system application, integrated PAP
systems implementation, or a fully converged security system that provides a holistic security risk
treatment.
B.1.2 Security Survey
The security survey, as part of the risk assessment, is an examination and evaluation of a facility and its
policies, procedures, and operations to ascertain its present PAP status, identify deficiencies or
excesses, determine the level of protection needed, and make recommendations to improve the overall
security of the operation. The security survey is a fact-finding process and is the primary vehicle used
in the overall assessment program for the PAPMS. The security surveyor should be able to conduct a
comprehensive review, verification, analysis, and appraisal of the organization, its facilities, buildings,
assets, and operations by analyzing the facts, drawing conclusions, and making recommendations
based on what has been presented.
¹ Clarke & Eck. (2005)
The objectives of the security survey include:
a) Identifying the scope and assets to be protected;
b) Reviewing the PAP system functionality against its requirement;
c) Identifying critical factors, including interdependencies affecting the security of the facility,
asset, or operation;
d) Establishing the continued requirement, and identifying the resources and capabilities, to
conform with the continuation of the PAPMS;
e) Reinforcing good practices and encouraging a continuation of those practices in areas of non-
compliance;
f) Providing a well written, structured, clear, concise, accurate, and complete survey report; and
g) Providing the basis for performance evaluation.
The organization should:
a) Define the objectives, scope, and outputs of the survey requirements;
b) Employ only accredited (recognized competence) PAP professionals proven in the undertaking
and delivery of security surveys;
c) Ensure the surveyor has agreed to and completed contracts, non-disclosure agreements, and
due diligence agreements before the survey is undertaken;
d) Ensure the cooperation and availability of all involved persons within the scope of the survey;
e) Make available for review all information, data, documentation, and references as required;
f) Allow access to the organization’s facilities, buildings, assets, and areas of operations;
g) Support the security survey, the surveyor, and the requirements to undertake the survey;
h) Regularly review the survey report, monitor, and follow-up on the survey findings,
observations, and recommendations; and
i) Reference the survey findings, observations, and recommendations against the applicable risk
assessments, and update the risk assessments accordingly.
The security survey could provide the basis for:
a) Developing the security survey into a comprehensive and integrated security analysis and risk
assessment across the organization;
b) Identifying the range of potential solutions and their consequences; and
c) Assisting in the development of organization security risk management, continuity, response,
and recovery programs.
B.1.3 Cost Benefit Analysis
The organization should introduce and conduct a cost benefit analysis that identifies the costs and
benefits of the considered security risk controls and countermeasures to both the individually
considered PPS and integrated security systems. Costs and benefits should be measured in terms of
effectiveness and efficiency to the accepted levels of risk reduction, avoidance, or acceptance; the
reliability of the protection systems to the risk controls; and the time taken to implement the preferred
protection system against its alternative solutions. The goal of the cost benefit analysis is to identify the
optimal level of risk reduction at the best value available. When conducting a cost benefit analysis, the
organization should consider the following:
a) Selection of risk treatments (controls and countermeasures) should be based on the required
level of risk reduction and the benefit gained with each risk treatment.
b) Asset value should be compared to the cost of asset loss and production. When determining
asset value, it is important to consider the impact of asset loss on production of services or
products, asset capability loss, and the cost of lost productivity during the recovery or
replacement.
c) Cost benefit analysis is a function of equipment and technology costs, opportunity costs,
process impact costs, time costs, personnel costs, and the overall capability costs.
d) Cost benefit analysis is based on risk assessment, and should consider both tangible and
intangible assets.
e) When considering combining risk treatment measures, the organization should consider the trade-offs
between design, technology, implementation, maintenance, replacement, training, and
administrative solutions by evaluating the costs and benefits of each option (and the order
applied).
f) When determining costs, the entire life-cycle of the controls and countermeasures should be
considered including:
a. Design, implementation, and deployment costs.
b. Purchase price.
c. Installation and operation costs:
i. Utility.
ii. Adaptability, reliability, and scalability.
iii. Redundancy.
d. Training costs.
e. Life expectancy.
f. Life-cycle maintenance costs.
i. Preventive maintenance.
ii. Calibration.
iii. Warranty.
iv. Repair.
v. Replacement.
vi. Disposal.
g) Human resource costs for in-house and external implementation, maintenance, monitoring, and
operation.
B.1.4 Security Convergence
Security convergence is a managed process that applies the principles of security risk management to the
convergence of individual PAP systems and their integration into an organization’s enterprise security
systems and enterprise risk management processes. This creates a single managed integrated process
aligned to meet the organization’s overall security requirements that serves to provide a greater
protection against the organization’s security risks.
In many organizations, different aspects of security risk management (e.g., PAP, people, information,
communications, and continuity management) are managed as separate activities. The recognition of
the interdependence of these business functions and processes has led to the development of a more
holistic approach to PAP management.
Physical asset protection has become highly dependent on information technology networks, often
sharing a common infrastructure and technology platform. Security systems should not be integrated
into an organization’s computer network unless the organization can clearly secure the systems both
physically and technically from intentional or unintentional compromise. Such computerized systems
can become the weak point an attacker can exploit to obtain critical information about an organization
or disable security systems. Rather than having asset protection and security solutions managed by
different business functions applying subjective risk controls to their threat-specific vulnerabilities,
convergence provides a common platform where these solutions are assessed and treated from the
perspective of a shared risk environment. Information and communications technologies can provide
benefits to PPSs (e.g., in implementation, operability, replacement, communications, and overall cost
efficiency); however, they may create additional risks and vulnerabilities to the individual and collective
systems that should be considered. Security convergence applies a comprehensive and holistic view to
the converged security risks – enabling a broad strategic approach that encompasses all areas of
security risk – as well as providing for integration with technological advancements.
The ISO/IEC 27001:2005 Standard outlines strategies and controls for information security. It provides a
management systems approach and therefore can be used seamlessly with this Standard. Likewise, the
ANSI/ASIS/BSI BCM.01-2010 Standard can also be used with this Standard to manage the consequences
of a disruptive event. All of these standards can be applied simultaneously in a single converged
management system standard using the ANSI/ASIS SPC.1-2009, Organizational Resilience Standard.
The application of security convergence should establish:
a) A cost effective strategy that protects people, information, and property across functions;
b) Governance that ensures top management commitment and allocates ownership and
accountability to the converged security risk management program;
c) A cross-discipline and cross-functional risk assessment and management framework that
identifies, analyzes, evaluates, and treats all security risks within a singular managed process;
d) A risk management process that monitors all security risk controls and reports weaknesses,
vulnerabilities, attacks, and systems failures collectively;
e) A process for ongoing monitoring of changes in communications and information technology
risks;
f) Systems that measure and assess the asset protection and PPS performance individually,
collectively, and as an entirety of the organization’s risk controls;
g) A security risk management framework that functions in synergy with the organization’s
collective risk considerations;
h) Strategies that coordinate a unified response to disruptive events (attacks), mitigate their
consequences, and evaluate and report both the incident and response in order to improve
controls to further reduce the likelihood and impacts of an event; and
i) A framework that integrates people, information, technology and procedures.
B.1.5 Crime Prevention Through Environmental Design (CPTED)
Crime Prevention Through Environmental Design (CPTED) is a strategic approach to reducing the
risks of malevolent acts and other disruptive events by combining the natural features of a site, the
built environment, and the human behaviors associated with a location. This approach uses
organizational, mechanical, and natural methods to reduce the likelihood of a threat materializing
and/or mitigating its consequences. The CPTED solutions are integrated into the design and functions
of facilities.
Facilities and structures (e.g., buildings, parks, garages, and access areas) utilizing CPTED principles
can improve the quality of life for people where they live and work by decreasing the opportunity for
malevolent acts and increasing the risks to a potential perpetrator.
The CPTED approach focuses on:
a) Manipulating the physical environment to produce behavioral effects that reduce the fear and
probability of certain types of malevolent acts and disruptive events;
b) Understanding human behavior in relation to the physical environment;
c) Redesigning space or using it differently to encourage preferred behaviors and discourage
illegitimate activities; and
d) Increasing a sense of ownership and territoriality (capable guardian principle).
The level of threat will depend on the intent and capabilities of the adversary. The CPTED approach
seeks to diminish the adversary’s motivation by reducing his/her confidence of success and lessening
the desire to act maliciously. Furthermore, CPTED seeks to increase the resources and knowledge
needed by the adversary to succeed in causing a disruptive event. The CPTED approach changes the
attributes of the space, thereby altering the adversary’s perception of the assets.
There are three general categories of CPTED approaches:
a) Mechanical measures emphasize the use of hardware and technology solutions to provide
physical protection and discourage the targeting of areas where these measures are in place.
b) Organizational measures use policies and activities that encourage observation, reporting, and
intervention (where appropriate). This includes personnel training for both protection and
developing a sense of ownership and responsibility.
c) Natural and/or Architectural measures incorporate the design and use of space to ensure the
overall environment works more effectively for the intended users, while at the same time
deterring malevolent and other disruptive events.
The CPTED approach reduces threats by developing and implementing a solution compatible with the
designated use of the space while incorporating risk treatment measures intended to minimize both the
likelihood and consequences of malevolent acts or other disruptive events. This provides a sense of
safety and security for legitimate users.
Typical measures include:
a) Natural access control using physical and symbolic barriers to discourage, prevent access or
direct movement to specific access points;
b) Natural surveillance, internally and externally, to increase the capability to detect, deter, delay,
and/or respond to potential adversaries;
c) Natural territorial reinforcement/boundary definition to promote a sense of ownership and
responsibility;
d) Signage to communicate the designated use of space;
e) Management and maintenance of spaces to look cared for and protected;
f) Activity support to encourage legitimate occupants, residents, customers, or visitors in the
desired or intended uses of the space, thereby deterring illegitimate users of the space; and
g) Increasing protection in depth by designing varying layers of public/private uses with well-
defined boundaries.
B.1.5.1 Implementation of CPTED
The CPTED process includes:
a) Defining scope of project;
b) Determining the threat environment through research and available data;
c) Working with a multi-disciplinary team to identify needs and concerns;
d) Conducting a risk assessment emphasizing the relationships between the threat, the
vulnerability and criticality analysis, and the relevant environmental aspects;
e) Developing and evaluating design plans based on the risk assessment; and
f) Assessing and choosing appropriate CPTED options.
B.1.6 Site Hardening
Providing obstacles to direct, deter, delay, detect, and deny access to a facility, asset, or operation
utilizing both natural and manufactured means is referred to as site hardening. The principles of
protection in depth should be applied to site hardening and implemented to achieve the overall PAP
system objectives. Since most methods can be contravened, a layered approach should include
provisions to detect a breach or attempted breach to the protected asset. A delay in depth approach
considers the strength of each obstacle to the resources available to an adversary to overcome them.
Time afforded by obstacle delays counts toward the overall time for a response to breach.
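An added example (not part of the Standard) of the delay-in-depth reasoning above: it finds the last layer at which detection still leaves enough obstacle delay for the response to arrive, and the probability that at least one detection occurs by that layer. The layer names, delay times, detection probabilities, and the assumption that detection happens as the adversary begins each obstacle are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Layer:
    """One obstacle on the adversary's path, listed from the perimeter inward."""
    name: str
    delay_s: float   # time the obstacle costs the adversary, in seconds
    p_detect: float  # probability a breach attempt is detected at this layer

    def __post_init__(self):
        if self.delay_s < 0 or not 0.0 <= self.p_detect <= 1.0:
            raise ValueError(f"invalid values for layer {self.name!r}")


def remaining_delay(layers: Sequence[Layer], index: int) -> float:
    """Delay still ahead of the adversary if detected on reaching layers[index].

    Assumption: detection occurs as the obstacle is first engaged, so that
    layer's own delay counts toward the time available for response.
    """
    return sum(layer.delay_s for layer in layers[index:])


def critical_detection_index(layers: Sequence[Layer],
                             response_s: float) -> Optional[int]:
    """Innermost layer where detection still leaves time to respond.

    Returns None when even detection at the perimeter is too late.
    """
    cdp = None
    for i in range(len(layers)):
        if remaining_delay(layers, i) >= response_s:
            cdp = i
    return cdp


def p_timely_detection(layers: Sequence[Layer], response_s: float) -> float:
    """Probability of at least one detection at or before the critical layer."""
    cdp = critical_detection_index(layers, response_s)
    if cdp is None:
        return 0.0
    p_all_missed = 1.0
    for layer in layers[: cdp + 1]:
        p_all_missed *= 1.0 - layer.p_detect
    return 1.0 - p_all_missed


# Constructed sample site, perimeter first.
SITE = [
    Layer("perimeter fence", 10, 0.5),
    Layer("open yard", 30, 0.0),
    Layer("building door", 60, 0.8),
    Layer("asset cage", 120, 0.9),
]

# Same obstacles, but the only sensor sits on the innermost layer:
# detection there comes too late for a 150 s response.
LATE_DETECTION = [Layer(l.name, l.delay_s, 0.0) for l in SITE[:-1]] + [SITE[-1]]

# Same sensors, with 30 s more delay on the innermost obstacle: its
# detection now counts, because the response can arrive in time.
HARDENED = SITE[:-1] + [Layer("asset cage", 150, 0.9)]

RESPONSE_S = 150  # constructed response time, in seconds


if __name__ == "__main__":
    for label, layers in (("site", SITE),
                          ("late detection", LATE_DETECTION),
                          ("hardened", HARDENED)):
        cdp = critical_detection_index(layers, RESPONSE_S)
        where = layers[cdp].name if cdp is not None else "none"
        p = p_timely_detection(layers, RESPONSE_S)
        print(f"{label:15s} critical layer: {where:16s} P(timely) = {p:.2f}")
```
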
B.1.6.1 Site Access and Perimeter Delineation
Controlling site access has tangible results when determining measures that support the security in-
depth approach; therefore, the site access and perimeter requires delineation. Having a well-defined
perimeter eliminates the ambiguity caused by unauthorized access, and clearly indicates intent on the
part of the perpetrator. Some sites that are open to the public can still provide site access control by
coordinating traffic patterns and separating parking and other vehicular traffic. By limiting the number
of access and egress points, surveillance of those points is also easier to maintain. Controlling the
quantity and location of parking and deliveries can help manage the risks posed by persons or vehicles
that are not thoroughly searched. For example, having a designated parking area for pre-screened
vehicles enables resources to be allocated to other areas that pose a higher threat than those in a pre-
screened vehicle lot. Separating deliveries from other site traffic allows for easier observation of
delivery vehicles and their personnel. Ensuring that site access is controlled (or monitored, at the very
least) will increase the depth of protection formed in the PAPMS.
B.1.6.2 Implementation of Site Hardening Systems
The considerations and processes of site hardening should identify the facilities, assets, and operations
to be protected; delineate the boundaries and limitations of the protected spaces; and configure a
protection system – using the layered approach of protection in depth – surrounding the facility, asset,
or operation. The PAP application (such as barriers, entry controls, intruder detection, surveillance,
lighting, and manned guarding) required is determined by assigning criticality factors to the facility,
asset, or operation – and understanding the impact to the business if the initial PAP system and
subsequent restrictive measures are compromised. Individual physical protection applications should
be converged with other PAP application and security systems to control access to the site, deter, delay,
detect, deny, and respond to a malevolent act, minimizing the impact of a breach and enhancing the
success of the overall PAP system.
The psychological deterrence gained through proper site hardening and PAP system implementation
by reducing the target attractiveness of a site is also an important benefit to the overall PAP and
security system. The following should be considered when considering site hardening and
implementing PAP systems:
a) Assess the target attractiveness (design, occupants, local and regional recognition, essential
service providers) and threat profile (past, present, and future threats) of the facility, its assets,
operations, and the community in which it operates;
b) Assess the overall risks to the site including the vulnerability and accessibility of the site;
c) Evaluate neighboring perimeters and adjacent areas;
d) Formulate a PAP plan and evaluate effectiveness of multiple options of perimeter, outer, and
inner security structures – including potential safety issues;
e) Evaluate the cost effectiveness of various options; and
f) Establish response directives and operational procedures for routine inspections, functionality,
and breach remediation.
Establishing the overall goals of a site’s or facility’s PAP and the organization’s security
requirements, and coordinating and integrating with the other security measures throughout the site,
facility, or space, will substantially increase the measure of security provided by the overall PAP
system.
B.2 Security Lighting
Security lighting enables security personnel to maintain a visual assessment capability of assets during
the hours of darkness. Security lighting provides the elements of deterrence and detection.
B.2.1 Objectives of Security Lighting
a) There should be high brightness contrast between intruder and backgrounds;
b) Boundaries and approaches should be illuminated;
c) Areas and structures should be illuminated;
d) Lighting levels should meet statutory, regulatory, and standards requirements;
e) Lighting should be integrated with surveillance systems;
f) Color rendition should support video surveillance systems operation;
g) The wiring circuit should be arranged such that a failing lamp does not degrade the overall
security plan;
h) There should be minimal time allowance for reactivation of lighting systems after power
failures and during disruptive events;
i) There should be back-up lighting, alternative power sources, and redundancies available
during a disruption of normal operating conditions;
j) Systems lifecycle costs should be acceptable and aligned to all other security systems costs and
implementation programs. Cost considerations include: installation, operation, maintenance,
and replacement of the lighting system;
k) Circuits should ideally be protected (e.g., buried);
l) Lighting poles should be robust and have anti-tamper covers fitted at the base; and
m) Maintenance programs should ensure operability of lighting system.
B.2.2 Implementation of Security Lighting Systems
a) Lighting should not be used solely as a psychological deterrent. It should be used in conjunction
with barrier systems deployed to protect assets;
b) Lighting is relatively inexpensive to maintain and a clear maintenance program should be
developed. It should be coordinated with the deployment of technical surveillance systems to
ensure areas that need surveillance are suitably illuminated;
c) Security lighting is desirable for all sensitive areas identified through the security risk analysis
process that require observation;
d) A secure source of auxiliary power allowing for resilience and redundancy within the system
should be installed;
e) Lighting enables security personnel to observe activity around and inside the protected areas of
the facility;
f) Lighting improves the ability of security staff to assess visually and intervene on attempts of
unauthorized access;
g) Lighting should be integrated with barriers, entry/access control, and surveillance systems –
rather than used as a standalone system; and
h) Consideration should be given to the collateral impacts of the lighting systems (e.g., adjacent
property, zoning authorities).
B.3 Barrier Systems
B.3.1 Physical Barrier Systems
A barrier system is any type of obstacle that directly affects the speed, time, and
tools necessary to circumvent it. Barriers can be natural site elements, pre-fabricated
structural elements, passive, or temporary (deployable). The most cost-effective barriers are those that
already exist as part of the site, or are intended as part of a new site or facility design. Examples of these
are storm ponds, drainage ditches, and elevation changes. Utilizing a site’s natural flow of traffic
(vehicular and/or pedestrian) can locate natural areas of surveillance and allow for an increase in
security measures, should the situation warrant it. If a special event or other reason requires a
temporary increase in existing security measures, then deployable barriers can be located at pre-
determined locations. By incorporating these options into the overall security plan prior to the elevated
security need arising, efficiencies in time and effort will result. Depending on the required role of the
barrier system, the cost and reliability will need to be ascertained by the PAPMS.
Barriers can provide any or all of the following:
a) Demarcation of the legal boundary of the premises;
b) Channeled entry through a secured area by deterring entry elsewhere along the boundary;
c) A zone for installing intrusion detection, surveillance, lighting systems, and guards;
d) Deterrence of unauthorized people from penetrating a secured area;
e) Forcing an intruder to demonstrate intent to enter the property;
f) Delayed access thereby increasing the possibility of detection and response;
g) Distance (stand-off) between the barrier and the protected area and/or asset;
h) Psychological deterrence;
i) Reduction in the number of security personnel required; and
j) Demonstration of an organization’s concern for security.
A barrier’s effectiveness is dependent on how much time it can delay an adversary and its ability to
detect an unauthorized breach. Effective delay and detection can allow the response time required to
prevent an adversary from achieving their final objective. The success of the response in apprehending
the adversary is dependent upon the length of time it takes for the response force to become aware of
an alarm, assess the situation, and respond. The time of response force awareness is commonly referred
to as time of detection. After time of detection, each barrier encountered must provide a delay element
in the system to allow the response force to assess the alarm (false alarm, nuisance alarm, intrusion),
and provide a response when appropriate to the system design.
B.3.2 Implementation of Barrier Systems
Deploying a physical barrier plan should start with identifying the assets to be protected, delineating
the boundaries and limitations of the site, and configuring a barrier system using layers of protection in
depth surrounding the asset. The barrier application required is determined by assigning criticality
factors to the facility, and understanding the impact to the business if the initial barrier and subsequent
restrictive measures are compromised. Barriers should assist other aspects of the security program (such
as controlling access to the site), and converge with the overall security plan (video surveillance,
behavioral analytics, intrusion detection, physical patrols, and general employee security awareness
programs) to deter and minimize the impact of a breach and enhance the success of detection and
response to a barrier security alert.
The psychological deterrent gained through proper barrier implementation in reducing the target
attractiveness of a site is also an important benefit to the overall security scheme. The following should
be considered when implementing physical barriers and site hardening:
a) Assess the target attractiveness (design, occupants, local/national recognition, essential service
provider) and threat profile (past, present, and possible future threats) of the facility, its assets,
operations, and the community in which it operates;
b) Assess the overall risks to the site including the vulnerability and accessibility of the site;
c) Evaluate neighboring perimeters and adjacencies;
d) Formulate a barrier plan and evaluate effectiveness of multiple options of perimeter, and outer
and inner security structures – including potential safety issues;
e) Evaluate the cost effectiveness of various options; and
f) Establish response directives and operational procedures for routine inspections, functionality,
and breach remediation.
Establishing the overall goals of a site's or facility's security requirements and coordinating with the other
security measures throughout the site, facility, or space will substantially increase the measure of
security provided by the overall PAP system.
B.4 Intrusion Detection Systems
Intrusion detection is defined as the detection of a person or vehicle attempting to gain unauthorized
entry (directly or remotely) into an area that is being protected by someone who is able to authorize or
initiate an appropriate response.[2] An intrusion detection system initiates an early warning to enable a
response of an attempted or unauthorized entry into a protected space – or movement of protected
property from within a protected space – and provides the protective elements of deterrence,
detection, delay, and response.
Intrusion detection systems consist of operators, monitoring devices, sensors, and support equipment.
Intrusion detection sensors perform four functions of detection: 1) intruder penetration of a boundary;
2) intrusion motion detection within a protected space; 3) operator validation; and 4) the movement of
a protected property within a protected space. They are integrated with barriers, entry control devices,
video surveillance systems (video alarm assessment), and alarm communications systems to provide
an integrated systems alarm assessment.
Technical components of intrusion detection systems comprise three elements:
a) An alarm sensor: A device specifically designed to sense and respond to a certain change in its
environment conditions;
b) A circuit or sending device: A device that transmits the changes in the condition of the alarm
sensor to another location where it can be assessed by the specific responder forces; and
2 Based on Garcia, M. L. (2008)
c) An annunciator or sounding device: A device that alerts a change in the alarm condition.
The performance measurements of an intrusion detection system are its probability of intrusion
detection, the correct assessment of an intrusion, the sensor device nuisance alarm rate, and the
system’s vulnerability to defeat.
B.4.1 Objectives of Intrusion Detection Systems
a) Deters an intrusion into or the removal of protected assets from a protected space;
b) Detects an actual or attempted intrusion into a protected space or removal of assets from a
protected space;
c) Provides protection in depth to the facilities, buildings, assets, and operations to be protected,
enabling a corrective assessment and response; and
d) Meets the needs of the application, integrating with other PAP systems to provide protection in
depth to the protected asset and balanced protection to the protected facility, building, asset, or
operation.
B.4.2 Implementation of Intrusion Detection Systems
The organization should implement intrusion detection systems based on the application, threats,
design criteria, and applicable regulations to the facility, space, or property to be protected. Intrusion
detection systems should be designed, installed, and configured as layers of unbroken rings
concentrically surrounding the asset to be protected, in correspondence to the delay and response
elements of the PAP system. The organization should include:
a) Establishing the parameters and defining the requirements for the implementation of intrusion
detection systems to each facility, building, or property to meet its operational objectives;
b) Defining the assets to be protected, the environmental and atmospheric conditions
surrounding the asset, the PAP systems to be applied, and the correspondence of the intrusion
detection system to these;
c) Designing the intrusion detection system in concentric layers surrounding the asset to be
protected with the first layer starting from the outermost layer necessary to provide the
furthest delay;
d) Designing an intrusion detection system that ensures a consistent probability of
detection and instills confidence in its ability to detect intrusion;
e) Integrating intrusion detection sensors with physical protection barriers, entry control devices,
video surveillance, security lighting, and guard force deployments to provide the maximum
delay time to the intended target and minimal response time to apprehend the adversary;
f) Establishing operational procedures to reduce false alarms within the system, and enabling
corrective responses to activated alarm states; and
g) Deploying contingencies into the intrusion detection system to minimize vulnerabilities that
can defeat the system (directly or remotely).
A well-designed intrusion detection system – coordinated with other security measures throughout
the site, facility, or space – will enhance the depth of protection for physical assets and provide a solid
foundation for the overall PAPMS.
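The relationship between detection, delay, and response described in B.3.1 and B.4.2 can be checked numerically for a layered design. The following is an added example, not part of the standard: a simplified timely-detection calculation in which the layer names, probabilities, delays, and response times are constructed values, and detection at each layer is assumed to be independent and to occur before that layer's barrier is defeated.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Layer:
    name: str
    p_detect: float  # probability that this layer's sensors detect the intruder
    delay_s: float   # time needed to defeat this layer's barrier, in seconds

    def __post_init__(self):
        if not 0.0 <= self.p_detect <= 1.0 or self.delay_s < 0:
            raise ValueError(f"invalid layer values for {self.name}")


def remaining_delay(layers, i):
    """Delay still ahead of the adversary when first detected at layer i.

    Assumption: the sensor alarms before the barrier of the same layer is
    defeated, so that barrier's delay counts toward the time to respond.
    """
    return sum(layer.delay_s for layer in layers[i:])


def critical_detection_point(layers, response_s):
    """Index of the innermost layer where detection still leaves enough delay
    for the response force (awareness + assessment + travel), or None."""
    cdp = None
    for i in range(len(layers)):
        if remaining_delay(layers, i) >= response_s:
            cdp = i
    return cdp


def p_interruption(layers, response_s):
    """Probability the adversary is detected early enough to be interrupted.

    Only layers up to the critical detection point contribute; detection
    further in comes too late, however good the sensor is.
    """
    cdp = critical_detection_point(layers, response_s)
    if cdp is None:
        return 0.0
    return 1.0 - prod(1.0 - layer.p_detect for layer in layers[:cdp + 1])


# Constructed sample path, ordered from outermost to innermost layer.
SAMPLE_PATH = [
    Layer("perimeter fence", p_detect=0.5, delay_s=10),
    Layer("building door", p_detect=0.8, delay_s=60),
    Layer("vault room", p_detect=0.9, delay_s=120),
]

if __name__ == "__main__":
    for response_s in (100, 150, 200):
        cdp = critical_detection_point(SAMPLE_PATH, response_s)
        where = SAMPLE_PATH[cdp].name if cdp is not None else "none"
        print(f"response {response_s:>3}s: last useful detection at {where}, "
              f"P(interruption) = {p_interruption(SAMPLE_PATH, response_s):.2f}")
```

With a 200-second response the total delay of the path is too short, so even the highest-probability sensor contributes nothing; adding delay inside the detection layers or moving detection outward is what restores protection.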
B.5 Physical Entry and Access Control
Entry devices and access control procedures are implemented to monitor and control access of
authorized personnel and property into and out of controlled spaces while denying access to
unauthorized persons and property. The importance and degree to which monitoring and restriction is
needed is determined by analyzing the various requirements predetermined by the nature of the
facility, its spaces, and assets to be protected. The application of entry and access controls depends on
the level of protection afforded and the proposed need for the controls, which vary to a great degree.
Spaces open to the public but restricted by purchasing access (e.g., sporting events, concert venues,
amusement parks) have much different access control requirements than those of a non-public
secured facility (e.g., military bases, precious metal storage, prisons); however, the principles of
applying entry devices and access controls remain the same.
Entry control devices and access control procedures should interface with other PAP systems applied
to the facility or space to be protected, and should be regularly assessed and audited to meet the
requirements of the PAPMS.
B.5.1 Objectives of Entry and Access Control System
Providing an effective access control system requires that several objectives be met. The following is a
typical list of those objectives:
a) Permit authorized persons, materials, and/or vehicles access to controlled areas;
b) Detect, minimize, and prevent the access attempts or exit of unauthorized persons, vehicles, or
materials from controlled areas;
c) Provide information to the security personnel for the assessment and response to unauthorized
entry; and
d) Provide a data audit of who, what, where, and when access to controlled areas has been
granted.
These objectives are met by applying the three fundamental concepts used to identify and verify that a
person is authorized to enter a controlled area:
1. Identifying a valid key or credential – something a person has;
2. Validating an identification number or code – something a person knows; and
3. Processing the unique characteristic for biometric identification – what is inherent to a person.
B.5.2 Implementation of Entry and Access Control Systems
The application of entry control devices must be matched with effective access control procedures.
Entry control devices can be used in combinations of two or more technologies (e.g., biometrics and PIN
code, credential and lock) to enhance the system’s level of security. Layers of protection may result in
increased verification and throughput times.
The common performance measurements of entry and access control systems are:
a) Throughput: The measure of the time it takes for an authorized person or material to
successfully pass an entry or exit point; and
b) False readings and the measure of acceptance.
Entry and access control systems should be designed and installed to provide protection in depth in
accordance with the operational requirements with the following considerations:
a) The design, construction, and conditions of the premises – including the modes of operation;
b) The operations being undertaken; the nature, sensitivity, importance, or vulnerabilities of these
operations; and the threats directed at these operations and the organization;
c) The area, region, and environment of operations;
d) The value and criticality of the assets to be protected; and
e) The safety, legal, and financial restraints of the entry and access control application.
The organization should:
a) Establish the parameters and define the requirements for the implementation of entry devices
and access controls to each facility, space, property, and/or operation;
b) Define the levels of access allowed to defined areas, the entry control systems required to
control such access, the procedures required to comply with the access restrictions, and the
predetermined levels of controls;
c) Define the processes of access acceptance, access denial, and unauthorized or attempted access
responses;
d) Define the processes of material detection, asset handling and control, and adversary detection
and response;
e) Ensure entry control components are designed, installed, maintained, monitored, and managed
by competent PAP professionals;
f) Install safeguards into the entry and access control systems and devices to protect against
attempts to defeat the systems;
g) Ensure PAP personnel are fit for service and required tasks – including the provision of detailed
access control procedures implemented to coordinate with the use of entry control devices;
h) Implement a process of frequent, irregular checks or tests of the entry and access control
systems and PAP personnel assignments;
i) Establish an identification system where entry into a controlled area is based on the individual
being recognized with at least two different forms of the three basic concepts of entry and
access control systems;
j) Enforce a uniform method of wearing and displaying identification credentials for areas of
“authorized personnel only”;
k) Ensure entry and exit points are constructed to provide single-file throughput to direct
personnel through the control point and to better detect attempts to defeat the controls by
unauthorized persons or property;
l) Develop a training and education program for all personnel towards good access control
measures aligned to the organization’s security and safety policies;
m) Develop a process of issuing, auditing, and invalidating identification credentials; and
n) Clearly define a response to unauthorized access attempts or to personnel attempting to bypass
the access control devices.
The access control system will provide some of the most visible security measures which can enhance
the deterrent portion of any security scheme. Coordinated with the overall PAPMS, the access control
system will be a vital portion of an organization’s protection success.
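The identification rule in item i), the credential invalidation in item m), and the audit objective in B.5.1 d) can be combined into one entry decision. The following is an added example, not part of the standard; the names Credential, decide_entry, and needs_response, the sample holder and area values, and the threshold of three denied attempts are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# The three basic concepts: something a person has, knows, or is.
FACTOR_KINDS = {"has", "knows", "is"}


@dataclass(frozen=True)
class Credential:
    holder: str
    areas: frozenset       # controlled areas this holder is cleared for
    revoked: bool = False  # set when the credential is invalidated


def decide_entry(cred, area, verified_factors, when=None):
    """Return an audit record (who, what, where, when) for one entry attempt.

    verified_factors is a list of (kind, method) pairs that the entry devices
    verified, e.g. ("has", "badge"), ("knows", "pin"), ("is", "fingerprint").
    Two methods of the same kind count once: a badge plus a key fob is still
    only "something a person has".
    """
    kinds = {kind for kind, _method in verified_factors if kind in FACTOR_KINDS}
    if cred.revoked:
        decision, reason = "deny", "credential invalidated"
    elif area not in cred.areas:
        decision, reason = "deny", "area not authorized"
    elif len(kinds) < 2:
        decision, reason = "deny", "fewer than two distinct factor kinds"
    else:
        decision, reason = "grant", "ok"
    return {
        "who": cred.holder,
        "what": decision,
        "where": area,
        "when": (when or datetime.now(timezone.utc)).isoformat(),
        "reason": reason,
        "factors": sorted(kinds),
    }


def needs_response(audit_log, holder, threshold=3):
    """Flag a holder whose denied attempts reach the (assumed) threshold."""
    denied = [r for r in audit_log
              if r["who"] == holder and r["what"] == "deny"]
    return len(denied) >= threshold


if __name__ == "__main__":
    # Constructed sample: one employee cleared for a single controlled area.
    cred = Credential("emp-1001", frozenset({"server-room"}))
    log = [
        decide_entry(cred, "server-room", [("has", "badge"), ("knows", "pin")]),
        decide_entry(cred, "server-room", [("has", "badge"), ("has", "key fob")]),
        decide_entry(cred, "vault", [("has", "badge"), ("is", "fingerprint")]),
    ]
    for record in log:
        print(record)
    print("response needed:", needs_response(log, "emp-1001"))
```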
B.6 Video Systems - Video Surveillance
In this age of integrated security, technical and physical systems combine to enable informed
assessment of situations undertaken from remote locations. Video surveillance is an assessment tool
that can assist in the management of security functions.
Video surveillance systems are meant to be a visual assessment or visual documentation tool. Video
surveillance cameras are installed for one (or more) primary reasons:
a) Live surveillance;
b) Post event reconstruction;
c) Deterrence; and
d) Assessment of any alarm activation to determine cause and initiate appropriate response.
B.6.1 Defining Parameters
In order to effectively design and operate a video surveillance system, it is essential to clearly define the
following key parameters: