
The Five Layers

There are five important layers in Security for risk mitigation (refer to the earlier blogs on Risk Chain and Finding Solution to Break the Risk Chain). These layers are generally implemented in combination with each other. Correctly balancing the implementation of the layers at the appropriate risk chain link and at the right time results in the cost-effective and optimum Security that every management is looking for. To achieve this, it is important to understand the components within these five layers. It is also important to note that changing any one layer affects the other layers. Change management is therefore not a one-time activity; the impact needs to be observed over the long term.

The five layers are ‘Infrastructure’, ‘Equipment’, ‘Application’, ‘Process’ and ‘Human Resource’. We will go into each layer in detail and understand its components and the interconnections between the layers. All the layers together should be seen as an engine in which each layer is an individual gear that must mesh perfectly with the others to run smoothly and efficiently.


Refer to the last blog, ‘Finding the solution to break the Risk chain’, which presents a template for mapping Risk Chain links to Security Layers. Understanding the template is very important for knowing the interconnections between layers during component implementation. Interconnections ensure that Security measures are enforced in totality and not in isolation. Interconnections also help in estimating the correct cost, whether one-time or recurring. Details of each layer are given below, followed by an example for one Security function:

1. Infrastructure – The right timing and correct engineering design are important for deploying the infrastructure layer (refer CPTED). Generally, Security by infrastructure design is low cost and effective. Non-Security infrastructure can sometimes also support crime prevention if due care is taken during initial implementation. This includes:

  • Perimeter barriers – wall, fence, trench, anti-climb design, water channels, plantation, natural barriers.
  • Surveillance and response infrastructure – patrol road, observation posts (elevated, floating, static), control room (with ergonomic furniture).
  • Gates – funnel area, response area, screening points, denial lanes, flow management and queue management.
  • Illumination – at perimeter, gates/screening points, security sensitive areas.
  • Stand-off, isolation, segregating and barricading.
  • Signages – informatory and mandatory.
  • Towers and poles – for cameras, wireless communication/networking.
  • Power supply (main and backup) – for electronic gates, bollards, cameras, control room etc.
  • Supporting infrastructure – provision of access control on doors, cable duct for gate automation / camera installation, OFC/Network cable laying for Security equipment, server room for security servers etc.

Infrastructure should be designed as per volume, which in turn saves time and supports security screening. This gives cost-effective, comfortable Security to users.

2. Equipment – the components include all electrical and electronic equipment, vehicles and other equipment required for Security. Equipment deployment, utilization and monitoring depend on proper infrastructure (layer-1 above) and on the next layer, i.e. application. E.g. a patrol vehicle can patrol effectively if roads are available; if no roads are available, we need to find an alternate way of surveillance and response. The Equipment layer includes the following:

  • Surveillance equipment – cameras, sensors, sonar, radar (marine/ground/aerial), drones etc. Surveillance equipment connects with each other and with other equipment (through hard cabling or through an application) for alert generation and/or logical recording. One important role of surveillance equipment (which cannot be quantified) is to add deterrence value.

“Security Deterrence Value & Importance” is a separate topic for Security Professionals to understand.

  • Access control equipment – door controllers, readers, door sensors, break glass units, anti-tailgating, electronic gates, forcible entry prevention equipment (bollards, tyre killers). Installation of the desired / right-fit access control equipment depends largely on correct infrastructure.
  • Monitoring equipment – guard tour devices, GPS devices, control room display, workstations etc.
  • Detection equipment – HHMDs, DFMDs, NLJDs, explosive detectors, x-ray scanners (baggage, vehicles), search lights, under vehicle scan equipment.
  • Communication equipment – radio communication (UHF, VHF, tetra etc.), speakers, hooters, mobile phones, sat phones, LRADs, mobile jammers, network switches etc. Communication is the backbone of coordination, hence very critical for exception and emergency management.
  • Protection equipment – arms & ammunition, taser guns, BP jackets, riot control gear etc.

A lot of innovation is happening in the Equipment layer components. New equipment is being added routinely, especially in CCTV, mobility, biometric equipment etc. E.g. developments in Security camera hardware in terms of resolution, DRI ranges, edge analytics etc. are helping to obtain more functional outputs.

3. Application – this is the most important layer; many innovations and changes are taking place, so it is the most dynamic layer at this stage. Various applications are used to support the Security function. The Application layer gives the best results when logically integrated with Business Applications and not deployed in isolation. Deployment in isolation is a very common mistake. The application layer controls and monitors equipment (layer-2 above) and also supports the generation and storage of data, which in turn helps in routine operations and in taking tactical and strategic decisions. Equipment (layer-2) and Application (layer-3) combined is Security Automation. The following are the most common applications (functions) in use:

  • Video Management system – its main role is managing CCTV feeds to provide the control room with live and recorded data and the health status of camera devices. A video management system flavored with AI has several Security and non-Security use-cases. The feed from cameras can be analysed in real time or from recordings, helping Security to generate RT exception alerts and/or supporting smart investigation. The applications are available on desktop and support mobile monitoring. The network is the backbone of a video management system, so it must be designed carefully to meet the technical/functional requirements.
  • Access control application – deals with regulating authorised access and denying/alerting on unauthorised access. An access control application has three primary roles: One: manage registration (of authorised users), Two: validate users through equipment and Three: report events. Events could be authorised movements and alarms for exception(s). There are many secondary roles an access control application can perform, such as health status of access devices, reports, and use of the generated data for attendance, footfall, resource tracking, emergency evacuation reconciliation etc.
  • Biometric system – the system enables registration, storage of biometric templates (on card, on server or on devices) and biometric validation of users at access control points. A biometric system can also be used to ensure an individual’s unique record in a large organization, mainly where outsourced staff are deployed, to prevent forgery.
  • Visitor management application – this system enables teams to place visit requests, manage requests, enable Security to validate visitors as per requests, track visitors and reconcile movements. In an organization where ‘Information’ is an important asset, the visitor management application plays a very important role.
  • Physical Security Incident Management system (PSIM) – the application can vary from a basic to an advanced role. PSIM is an application of applications, also known as C4i. If deployed at full scale, PSIM enables auto-triggering of incidents, displays guidelines to the team (also known as decision support) throughout the incident life cycle, generates notifications to those concerned and stores data for reporting and analysis. In an advanced version using data mining (or processing), the application can also predict incidents. PSIM can be used effectively when Security processes are strong and basic systems are available in an integrated way. A full-scale working PSIM model is the most difficult to achieve due to sync issues between systems, processes and Security manpower.

 

When deciding on Security applications or an Automation system, all processes should be well proven and stabilized. One of the common mistakes by Security managers is going for an application without finalizing the process layer, which results in frequent changes, user dissatisfaction and higher upgrade costs.


4. Process layer – The process layer is low cost yet most important, and needs to be matched suitably to the desired Security level. The process layer should cover all Security functions and should have a continual improvement cycle. It should document all desired actions by the Security team, especially the ground force. Broadly, the following processes are required:

  • Access control – men, material, vehicle, and information. This includes several functions around assets crossing the secured / non-secured line. Major functions are the registration process, regulation process, exception handling process, screening process, key control, lock management etc.
  • Asset protection – process of patrolling, point guarding, surveillance, response, etc. Asset protection is the core role of Security, but if access control is implemented well, asset protection is largely taken care of (separate blog on this topic).
  • Emergency management – process of handling man-made situation(s) with culpable intention, like bomb threat, labour unrest, vandalism, sabotage, kidnapping, hostage situation etc. The process should define the roles of the Security and non-Security teams.
  • Governance – audits, checks, mock-drills, change management. Change management applies to all five layers; to repeat, changes in any one layer will surely call for some changes in the other layers as well.
  • Manpower management process – recruitment, training, deployment, and upgrades.

Several frameworks are available that provide guidelines on designing the process layer. On one side, the process layer is supposed to be simple and understandable by the enforcement team; on the other side, it is expected to cover all actions. But when routine and exception actions are elaborated in detail, it becomes complex. Therefore, process visibility should be as per user, on a “need-to-know basis”. As every employee is also responsible for some part of Security, each should know only that much of the Security process, through awareness programs. Similarly, within the Security team, team members should know their part as per their job description.

 

5. Manpower – human resource is the 5th layer and is both the strongest and the weakest link in Security: strongest because we cannot imagine Security without this layer, and weakest because errors are possible. Manpower in an organization is generally seen at three different but “inter-connected” levels:

  • The first level is the purely execution-level ground force team, where physical work is involved. Operations for the team at this level should be either black or white, i.e. every action must be supported by a documented process. The execution-level team’s role is to generate information for routine and exceptions, manage routine and exceptions as guided and, if not guided or documented, report upwards*. In the majority of cases this level is outsourced to Security manpower supplying agencies.
  • The second level is the management level, responsible for sync between Business expectations and actual execution. One important role is to collect data from the ground force, validate it and process it, enabling tactical decisions at their level or strategic decisions at CSO level*.
  • The third level is the high level. At this level the CSO should be concerned with the percentage cost spent on security vs the Business financials, the strategy by which Security stays in sync with Business growth, and the estimate of how much Security is needed, and should take the decision on the organization’s risk appetite. One of the important roles is to create the right picture of Security for the management, and therefore to manage two-way communication, i.e. Business needs to the Security team* and Security needs to the Business.

* Shows the interconnections.


Absence of interconnection is the most common mistake when designing the org structure, job descriptions and R&R. Another mistake, especially in large organizations, is not syncing manpower with technology. E.g. a car driver cannot be deployed as a pilot when upgrading from a car to an airplane; we either need to train the driver to fly an aircraft or hire a new person. So upgrading systems and processes but not manpower brings imbalance. The core reason for the failure of automation projects lies in weak hands behind the technology.


Implementation:

Let’s see all five layers in toto for one Security function, say ‘Material Access Control’. The core purpose or objective of Material Access Control is to prevent unauthorised material movements. The components of each layer for the Material Access Control function are as under:

  1. Infrastructure – gate (may be a separate gate as per volume), parking area to hold vehicles for screening, illumination for night operations, isolation of material delivery zones from core operations areas.
  2. Equipment – under vehicle search, vehicle scanner for sensitive areas, workstations to log movements, camera for material movement records, biometric for driver validation, RFID for material vehicle validation.
  3. Applications – material logging application with provision to display material, vehicle and driver details, display approvals from the competent authority/authorities, provision to log movement, provision to track (especially outgoing returnable) movements.
  4. Process – authorization management for different material movements (company material, contractor material, cargo, product out), screening process, tracking & reconciliation process, exception handling process (short delivery, theft, etc.).
  5. Manpower – for screening and exception management.

The five layers stated above are the base foundation for understanding what needs to be deployed to meet the functional requirement of mitigating the risk. Once we have drafted all Security functions with the required five layers, the actual ‘Security Plan’ can be concluded.

The next blog will cover the most important function, which nearly completes Security.

Comments

  1. An insightful article for every Security Professional. Thanks to author for bringing out these fundamental concepts.

  2. Good one Smit. Fundamentals are everything. Once there is a good grasp on those one can innovate. A good security professional must know what is in the box to think outside the box.

  3. Good one smiti...very nicely drafted...unlike any other management system.. security management system is also very important for an organisation and to be integrated in overall management system...wait for your next blog..

  4. Smit sir very nicely drafted covering almost all the aspects of security management system. Thanks for sharing this

  5. Well articulated Smit! You gave us a gamut of information!

  6. Good one Sir, it's really helpful.
    Keep writing.

  7. Great. This is the first time I read your blog. Interesting and matter of fact.

  8. Only U could have written this sort of an Insightful Blog among Security Professionals. Keep it up Sir.
    Warm Regards,
    Yogesh Joshi

  9. It covers all the details, basic to advanced. Nice writing sir.
