Physical Security and Facilities Management 101


Physical Security and Facilities Management 101
David M. DiQuinzio, P.E.
Strategic Facilities, Inc.
Kathleen A. Lucey, FBCI
Montague Technology Management, Inc.
1
Session Agenda
Kathleen:
• Introduction and ground rules
• Physical Access Security
• Incident Management
David:
• Introduction to SFI
• Reliability vs. Availability
• The Players
• Risk Assessment
• Case Studies
Questions & Discussion
2
GROUND RULES
Please interrupt immediately if you...
• Can’t hear
• Can’t see or read the slides
• Find the presentation confusing
…Let’s address the situation ASAP!
3
Introduction
• It’s about working together to avoid the interruption and minimize both its recurrence and its impact...
• Who are the players...and how do we work together?
• Making the right decisions for design, detection, and response
• Managing the incident to minimize impact and deter recurrence.
4
Where are MOST of the Continuity Challenges??
[Diagram: continuity issues set against BCARE solutions]
CONTINUITY ISSUES: Catastrophic Interruptions; Minor Interruptions; Everyday Blips; Process Dysfunctions
BCARE SOLUTIONS: Continuity; Availability; Reliability; Engineering
5
Physical Access Security
• Establishing Perimeters
• Implementing and Maintaining a System, Equipment, Procedures
• Defensive Depth, Universal Application
• Monitoring / Detection / Response
• Common Intrusion Techniques
6
What is a Perimeter?
• Controlled border
  • External: Public / First Level. May be outside of building.
  • Second: Building Access. May include elevators and stairways.
  • Multiple interior: authorization related to function-based “need to know”
7
Systems, Equipment, Procedures
• System components: hardware, software, devices, data, personnel (operators and staff)
• Equipment: readers, tokens, cameras and video recorders, screen monitors, barriers (turnstiles, man-traps)
• Procedures: operator, equipment maintenance, log review, token issuance, authorization maintenance. System upgrading. Guards.
8
Defensive Depth
• Multiple barriers to breach: make an intruder work harder
• Multiple levels, multiple techniques
• Multiple levels of monitoring and detection
• Introduce random supplemental checks
9
Universal Application
• Every time
• Every person
• Every control point
• Weekdays, nights and weekends
• Especially no “official piggybacking”
• Why: keeps the “bright line” between authorized and unauthorized
10
Monitoring/Detection/Response
• Monitoring: what conditions, when
• Detection: manual, automatic, alarms; who is notified?
• Response:
  √ Who, what, when
  √ How contacted
  √ Logistics and SLA
• Failure in any area “breaks the chain” of response
11
Common Intrusion Techniques
• “Piggy-backing”
• Poor housekeeping of access privileges
  • Terminated employees
  • Transferred employees
• “I have a delivery for Mr./Ms. X.”
• Concealment within interior protected areas
• Exploitation of known system flaws
12
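The two housekeeping failures on this slide (stale privileges for terminated or transferred people, and piggy-backing) are exactly what the "log review" and "authorization maintenance" procedures on slide 8 are meant to catch. The following Python is an added example, not material from the deck: it reconciles a constructed HR roster against a constructed access-control authorization table, flags badge use after a termination date, and runs an anti-passback check over constructed badge-reader lines (two consecutive INs, or an OUT with no prior IN, mean one passage happened without a badge read). Badge ids, names, door names and log format are all invented for the illustration.

```python
"""Access-privilege housekeeping and piggy-backing indicators from badge logs.
Added example, not from the deck. Every roster entry, authorization table and
log line below is constructed for illustration."""
from datetime import datetime

# Constructed HR roster: badge -> holder, employment status, date the status
# took effect, and the area the holder's role actually needs.
ROSTER = {
    "B100": {"name": "Alice", "status": "active",      "effective": "2004-01-01", "area": "DATA_CENTER"},
    "B200": {"name": "Bob",   "status": "terminated",  "effective": "2004-03-15", "area": "DATA_CENTER"},
    "B300": {"name": "Carol", "status": "transferred", "effective": "2004-02-01", "area": "OFFICE"},
    "B400": {"name": "Dan",   "status": "active",      "effective": "2004-01-01", "area": "DATA_CENTER"},
}

# Constructed access-control-system authorization table: badge -> areas it opens.
ACS_AUTH = {
    "B100": {"DATA_CENTER", "OFFICE"},
    "B200": {"DATA_CENTER", "OFFICE"},  # never revoked after termination
    "B300": {"DATA_CENTER", "OFFICE"},  # kept data-center rights after transfer
    "B400": {"DATA_CENTER", "OFFICE"},
}

# Constructed badge-reader log: timestamp, badge, door, direction, result.
BADGE_LOG = """\
2004-03-16T08:01:00 B100 DC-DOOR-1 IN  GRANTED
2004-03-16T09:15:00 B200 DC-DOOR-1 IN  GRANTED
2004-03-16T13:05:00 B100 DC-DOOR-1 IN  GRANTED
2004-03-16T17:30:00 B400 DC-DOOR-1 OUT GRANTED
2004-03-16T17:45:00 B100 DC-DOOR-1 OUT GRANTED
"""


def parse_log(text: str) -> list:
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "dir": direction, "result": result})
    return events


def stale_privileges(roster: dict, acs_auth: dict) -> list:
    """Badges the ACS still honours although HR says the holder has left or
    moved to a role that no longer needs those areas."""
    findings = []
    for badge, areas in acs_auth.items():
        person = roster.get(badge)
        if person is None:
            findings.append((badge, "badge has no roster entry"))
        elif person["status"] == "terminated" and areas:
            findings.append((badge, "terminated but still authorized"))
        elif person["status"] == "transferred" and areas - {person["area"]}:
            findings.append((badge, "authorized outside home area after transfer"))
    return findings


def use_after_termination(events: list, roster: dict) -> list:
    """Granted reads on a badge after its holder's termination date."""
    hits = []
    for ev in events:
        person = roster.get(ev["badge"])
        if person and person["status"] == "terminated" and ev["result"] == "GRANTED":
            if ev["ts"] >= datetime.fromisoformat(person["effective"]):
                hits.append((ev["badge"], ev["ts"].isoformat()))
    return hits


def passback_violations(events: list) -> list:
    """Anti-passback check: per badge and door, granted reads should alternate
    IN / OUT. Two INs in a row, or an OUT with no prior IN, means one passage
    happened without a badge read, i.e. someone was piggy-backed through."""
    last_dir = {}  # (badge, door) -> direction of the last granted read
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "GRANTED":
            continue
        key = (ev["badge"], ev["door"])
        previous = last_dir.get(key, "OUT")  # assume everyone starts outside
        if ev["dir"] == previous:
            hits.append((ev["badge"], ev["door"], ev["ts"].isoformat(),
                         f"{ev['dir']} after {previous}"))
        last_dir[key] = ev["dir"]
    return hits


if __name__ == "__main__":
    events = parse_log(BADGE_LOG)
    print("stale privileges:", stale_privileges(ROSTER, ACS_AUTH))
    print("use after termination:", use_after_termination(events, ROSTER))
    print("passback violations:", passback_violations(events))
```

On the constructed data this reports B200 (terminated, still authorized, and granted entry the day after termination), B300 (transferred, still holds data-center rights), and two passback anomalies: B100's second IN at 13:05 with no OUT in between, and B400's OUT at 17:30 with no prior IN. The anti-passback check only works if the "Universal Application" rule from slide 10 holds, since every unbadged passage, official or not, shows up as a violation.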
Incident Management: How to Get a High ROI
13
Incident Management
• Players
• Response Management
• Debriefing and Documentation
• Follow-up: Implementing Adjustments
14
Players
• BC should be taking the LEAD
• IT
• Facilities: Internal, Building Management, + vendors, contractors
• Physical Security: Internal, Building Management, + external contractors
15
Response Management (1)
• Get complete information:
  • equipment/environment state
  • relevant time/day data
  • understandable alarms
  • supporting systems
• Notify the most knowledgeable person for this case within the appropriate time interval
• Eliminate response single-points-of-failure through cross-coverage and training.
16
Response Management (2)
• Who is in charge of logistics procedure?
  • BC should design, implement, and maintain, and should be involved in every incident.
  • Should NEVER be IT, Facilities, or Physical Security alone.
• Analysis and problem resolution leads to design of the fix.
• The fix is then applied by the appropriate party, but...
THE FIX DOES NOT END HERE!
17
Debriefing and Documentation (1)
• Formal post-incident meeting
• Led by BC; includes all fix participants + others
• Cause analysis:
  • Proximate cause
  • Contributing causes
  • Underlying causes
• “Fix” design for all causes
18
Debriefing and Documentation (2)
• BC assigns responsibility for implementation of changes/adjustment to a named person.
• Date for change completion, including documentation, is agreed upon
• BC is responsible for follow-up.
• BC provides a formal, written meeting record to all participants AND their management.
• BC facilitates any budget or resource allocation necessary to design/implement change.
EFFECTIVE PERFORMANCE OF THIS STEP IS THE ONLY WAY TO MAXIMIZE ROI
19
Follow-up: Implementing Adjustments
• BC signs off on correct implementation of change.
• BC, working with other units, ensures that any necessary training is provided.
ONLY BY EXECUTION OF THIS KIND OF PROCEDURE CAN YOU PREVENT RECURRENCE OF THE SAME INCIDENT.
20
BREAK!!
21
Introduction to Strategic Facilities, Inc.: Dave and Dave
• Founded in January 1996 by David A. Sjogren; David M. DiQuinzio becomes co-owner in 1997.
• Today SFI is a multi-disciplinary, nationwide practice
22
Dave and Dave
DiQuinzio
• 6+ years at Chase Manhattan Bank. Project Manager (Mechanical/Electrical) at MetroTech Center - Brooklyn, NY
• 3 years at PRK Associates, Critical Facility Engineering Specialists. UPS System Design and Testing, Reliability/Capacity Studies.
Sjogren
• 11+ years at UPS as IT Facilities Director
• Ramapo Ridge Data Center - Mahwah, NJ
• Windward Data Center - Alpharetta, GA
23
SFI Clients and Projects
Typical Clients:
• Hughes
• State Street
• Cingular
• Safeco
• 1st National Bank of Omaha
• Salt River Project
Projects:
• Site Capacity, Reliability & Ops Analyses
• Critical Systems Testing & Commissioning
• Operating Procedures & Programs
• New Critical Systems Technology Studies
• Serve as Interim Facilities Department
24
PHYSICAL INFRASTRUCTURE SECURITY - FROM A CRITICAL FACILITIES GUY
25
PART 1
Overview & Introduction
26
GET WITH THE PROGRAM...
1. Overview & Introduction
2. Facilities, Security, Information Technology and BCP - Risk & Reliability as Common Threads
3. Case Studies - Using Risk & Reliability Language to Improve Coordination among Facilities, Security, IT & BCP
27
PART 2
Facilities, Security, IT & BCP - Risk & Reliability as Common Threads
28
WHAT YOU ALREADY KNOW
• Good Things:
  • Card readers and physical access control systems
  • Cameras
  • Locked doors
• Bad Things:
  • Piggybacking
  • Easy-to-guess passwords
  • Asleep at the console
• No need to hear that again
29
WHAT YOU MAY NOT KNOW...
• Facilities & Security co-dependencies
• How they affect the enterprise risk picture
• How formal risk assessment techniques developed for other industries are emerging as tools to reduce critical facilities risks
• How all this relates to BCP/DR
…UNTIL NOW
30
SO WHAT? WHO CARES?
Poor Facilities/Security/IT/BCP coordination =
• Wasted resources
• Risk picture not fully understood
• Risks not fully addressed
CEOS, CFOS, CIOS, CHAIRMEN AND DIRECTORS CARE ABOUT THESE THINGS...
...AND SO DO REGULATORS
31
Copyright 2004 Strategic Facilities Inc. All rights reserved
3 THINGS TO TAKE AWAY
• Coordinate Facilities and Security before investing in reliability and BCP/DR improvements - or waste your resources
• How? Get everyone on the same page with common language
• The language of formal risk assessment techniques does this very well; it’s worth taking time to learn
32
AND ANOTHER THING...
…you don’t have to become a risk assessment expert to learn and use the language and get value from risk assessment concepts
HOW DO WE KNOW?
BEEN THERE, DONE THAT
33
WHAT LIFE IS LIKE FOR OUR CLIENTS...
34
WHAT THEY DO RESTS ON SUPPORTING SYSTEMS
35
A SHORTFALL IN THE CORE BUSINESS…WE CAN’T HELP
36
WE CAN’T FIX THIS, EITHER…
37
OUR MISSION & PURPOSE: AVOID THIS
38
AERIAL VIEW
39
SOMEWHERE AT THE BASE...
40
SECURITY & FACILITIES
• SECURITY NEEDS FACILITIES
  • Surveillance & Access Control need power
  • Cameras need light
  • Guard force needs decent environment just like everyone else
• FACILITIES NEEDS SECURITY
  • Extra eyes and ears for building problems
  • Help screen visiting technicians
  • Reduce tampering with building systems
41
MANAGING CRITICAL FACILITIES: PROJECT CIRCLE
42
FILL IN THE GAPS...
43
WHAT WE’VE LEARNED FROM DOING THIS: RISK ASSESSMENT LESSONS
• RISK
  • Probability that something bad will happen? Variable #1 - FREQUENCY
  • How bad if / when it does? Variable #2 - SEVERITY
  • It’s TWO DIMENSIONAL
44
THE RISK PICTURE
45
WHAT TO ACT ON?
46
ACCEPTANCE CURVE
47
IN YOUR CASE, PERHAPS...
48
BUT FOR SOMEONE ELSE...
49
WHERE WE SEE PROBLEMS
50
WHAT SEEMS TO WORK
51
MORE LESSONS
• RELIABILITY
  • What is the probability that a system will operate correctly?
  • Over what mission time?
  • Severity of failure is part of the risk conversation, not the reliability conversation
  • Duration of failure is also a separate variable
  • Duration is also part of the risk conversation and also NOT part of the reliability conversation
52
EMPIRICAL LIFETIME
53
THE GOAL...
54
WORTHWHILE? MAYBE...
55
MAYBE NOT...
56
LESSONS III
• MORE RELIABILITY
• Can be expressed as Mean Time To Failure (MTTF)
• MTTF is OK, but lacks mission time context
• Probability of success over mission time does a better job of depicting the situation
• Probability of failure = 1 - (Probability of success)
• Duration of failure known as Mean Time To Restore, or MTTR
• Probability of success or failure of an individual system does not depend on MTTR
57
LESSONS IV
• AVAILABILITY
  • Different concept entirely
  • Comparison of MTTF & MTTR
  • Mathematically: MTTF / (MTTF + MTTR)
  • Grossly misused throughout industry in the form of “nines”; usually, MTTF >> MTTR
  • Misuse due to two-dimensional nature
  • Does not mean that MTTR and Availability do not matter
58
AVAILABILITY - IT DEPENDS
59
RELIABILITY VS. AVAILABILITY
System “A”
• 1 failure; end of year 9
• Down entire year 10
• Reliability: MTTF = 9 yrs; only 1 sample
• Availability: 90 %
• More reliable (?), less available
• Less certain
System “B”
• 4 failures, avg. 1/2.5 yrs
• Down 5 min each time
• Reliability: MTTF = 2.5 yrs, 4 samples
• Availability: 99.996 %
• More available, less reliable
• More certain
60
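Lessons III and IV and the System "A" / System "B" comparison above can be worked through in a few lines. The following Python is an added example, not something from the deck: it estimates MTTF from failure history, computes availability as MTTF / (MTTF + MTTR), converts it to "nines", and puts probability of success over a mission time beside it so the two concepts can be seen moving in opposite directions. The deck does not say how to turn MTTF into a probability over mission time; the constant-failure-rate (exponential) model R(t) = exp(-t / MTTF) is this example's assumption, as are the 365-day year and the one-year mission time. For System B the formula with a 5-minute MTTR comes out at roughly 99.9996 %.

```python
"""Reliability-vs-availability arithmetic for the deck's System "A" and
System "B". Added example, not from the original slides; the exponential
(constant failure rate) model used for mission-time probability is an
assumption the deck does not make."""
import math

MINUTES_PER_YEAR = 365 * 24 * 60  # assumption: 365-day years


def mttf_from_history(operating_time: float, failures: int) -> float:
    """Mean Time To Failure estimated from history: time in service / failures."""
    if failures <= 0:
        raise ValueError("MTTF needs at least one observed failure")
    return operating_time / failures


def availability(mttf: float, mttr: float) -> float:
    """Availability = MTTF / (MTTF + MTTR); both in the same time unit."""
    return mttf / (mttf + mttr)


def nines(avail: float) -> float:
    """Availability expressed as a count of nines: 0.999 -> 3.0, 0.9 -> 1.0."""
    return -math.log10(1.0 - avail)


def success_probability(mttf: float, mission_time: float) -> float:
    """Probability of running the whole mission with no failure, assuming a
    constant failure rate: R(t) = exp(-t / MTTF)."""
    return math.exp(-mission_time / mttf)


def failure_probability(mttf: float, mission_time: float) -> float:
    """Probability of failure = 1 - (probability of success)."""
    return 1.0 - success_probability(mttf, mission_time)


def describe(name: str, mttf: float, mttr: float, mission_time: float = 1.0) -> dict:
    """Put reliability and availability side by side for one system.
    Note that p_success depends only on MTTF and mission time, never on MTTR."""
    avail = availability(mttf, mttr)
    return {
        "name": name,
        "mttf_years": mttf,
        "mttr_years": mttr,
        "availability": avail,
        "nines": nines(avail),
        "p_success": success_probability(mttf, mission_time),
        "p_failure": failure_probability(mttf, mission_time),
    }


# System "A": one failure at the end of year 9, then down for all of year 10.
SYSTEM_A = describe("A", mttf=mttf_from_history(9.0, 1), mttr=1.0)

# System "B": four failures in ten years (one per 2.5 years), 5 minutes down each time.
SYSTEM_B = describe("B", mttf=mttf_from_history(10.0, 4), mttr=5 / MINUTES_PER_YEAR)

if __name__ == "__main__":
    for s in (SYSTEM_A, SYSTEM_B):
        print(f"System {s['name']}: availability {s['availability']:.6%} "
              f"({s['nines']:.1f} nines), one-year p_success {s['p_success']:.3f}")
```

Over a one-year mission System A has the higher probability of success (about 0.89 against about 0.67 for B) while B has the far higher availability, which is the "more reliable, less available" point of the slide; the single observed failure behind A's MTTF is also why the deck calls A "less certain".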
LESSONS V
• HOW SYSTEMS FAIL
  • Independently due to internal, local failure
  • Due to a “common cause” effect; that is, something that affects entire system at once
  • Natural or man-made disaster, for example; tend to be high severity, low frequency
  • Human error is most frequent common-cause failure mode; often less severe than disasters
• Applies to Facilities, Security, IT, BCP
61
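The distinction on this slide between independent and common-cause failure decides how much a redundant pair actually buys you. The following Python is an added example, not from the deck, and goes a step beyond it: it uses the beta-factor model from PRA practice (a fraction beta of each unit's failure rate is a common cause that takes both units down at once) to show how quickly a small common-cause share erodes the benefit of redundancy. The constant failure rate, the beta-factor split, and the sample numbers (one failure per ten years, one-year mission) are all this example's assumptions.

```python
"""How redundancy fares against independent versus common-cause failure
(Lessons V). Added example, not from the deck; the constant-failure-rate
model and the beta-factor split are standard PRA assumptions, not the
deck's own numbers."""
import math


def unit_reliability(failure_rate: float, mission_time: float) -> float:
    """Probability one unit survives the mission: exp(-lambda * t)."""
    return math.exp(-failure_rate * mission_time)


def pair_independent(failure_rate: float, mission_time: float) -> float:
    """Two units, either one can carry the load, failures independent:
    the pair fails only if both fail locally."""
    r = unit_reliability(failure_rate, mission_time)
    return 1.0 - (1.0 - r) ** 2


def pair_common_cause(failure_rate: float, mission_time: float, beta: float) -> float:
    """Beta-factor model: a fraction beta of each unit's failure rate is a
    common cause (a disaster or a human error) that takes both units down at
    once; only the remaining (1 - beta) share fails independently."""
    independent = unit_reliability((1.0 - beta) * failure_rate, mission_time)
    no_common_event = unit_reliability(beta * failure_rate, mission_time)
    return no_common_event * (1.0 - (1.0 - independent) ** 2)


if __name__ == "__main__":
    lam, t = 0.1, 1.0  # constructed: one failure per 10 years, one-year mission
    print(f"single unit        : {unit_reliability(lam, t):.4f}")
    print(f"pair, independent  : {pair_independent(lam, t):.4f}")
    for beta in (0.05, 0.10, 0.20):
        print(f"pair, beta={beta:.2f}    : {pair_common_cause(lam, t, beta):.4f}")
```

With the sample numbers the pair's one-year failure probability is about 0.9 % if failures are independent and about 1.7 % with beta = 0.1: a common-cause share of one tenth nearly doubles the chance of losing both units, which is why the slide's "human error is the most frequent common-cause failure mode" matters more than the count of redundant boxes.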
WHERE DOES ALL OF THIS COME FROM?
• Probabilistic Risk Assessment - known as PRA
• Taught at MIT, Stanford, etc.
• Initiated by German rocket scientists during WWII to explain V2 rocket failures
• Brought to USA by Wernher von Braun and his associates
• Refined by many over the years since
62
PRA ACCOMPLISHMENTS
• Aviation: Odds of you NOT getting off a commercial airliner in one piece are now less than one in one million
• Nuclear Power: USA output is up 20% and reportable incidents down despite older fleet and no new plants since early 80’s
• Slow and steady improvement, not gee-whiz breakthroughs
• Very limited application in Facilities arena
63
PART 3
Case Studies: Using Risk & Reliability Language to Improve Coordination among Facilities, Security, IT & BCP
64
CASE #1 - WHO CAN GO INTO THE DATA CENTER
• Client is a hedge fund; they develop and use proprietary applications to execute trades.
• Frequent hacker target; security is tight.
• Big battle over who has access to data center.
• Facilities team is responsible for power and cooling in there!
• Facilities team members are not employees: Should they be allowed in?
65
CASE #1 - WHO CAN GO INTO THE DATA CENTER
Result for Case #1:
Debate spurred client to grow in-house staff and reduce presence of non-employees while expanding the ability to grant and track physical access privileges.
66
CASE #2 - OPERATOR TRAINING FOR NEW SITE
• Client was considering building a new facility specifically designed as a data center.
• Limited pool of building engineers to transfer to new facility; mostly air conditioning guys.
• Client is late in recognizing problem and planning for commencing operations.
• How should the client prepare to operate and how much should they spend to do it?
67
CASE #2 - OPERATOR TRAINING FOR NEW SITE
Result for Case #2:
Client saw the folly of spending $25 million on a new site and risking outage due to human error; instead implemented a full program of procedure writing and training to reduce errors.
68
CASE #3 - WHO SEES STATUS INFO ON BUILDING SYSTEMS
• Client agreed to lease space in former co-lo site taken over by landlord.
• Landlord has never managed critical facilities before.
• Power and cooling status info goes to NOC via HP OpenView and other systems.
• NOC personnel are trained in only IT, not Facilities.
• Analysis finds AVAILABILITY too low
• What should the landlord do?
69
CASE #3 - WHO SEES STATUS INFO ON BUILDING SYSTEMS
Case #3 Results:
Landlord contracted for fast emergency response, added auto-paging capability, and trained NOC staff to relay vital information to qualified responder en route.
70
CASES #4, 5, etc.... ANY SUGGESTIONS?
71
RECOMMENDATIONS & CONCLUSIONS
1. When confronting a risk, ask yourself:
   • How often is it likely to occur?
   • How bad will its impact be if it does occur?
2. Then, compare this risk to others you face:
   • Is it likely to occur more or less frequently?
   • Is its likely impact more or less severe than others?
3. Apply this approach consistently across IT, Facilities and Security
72
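Recommendations 1 through 3 here, and the "risk is two dimensional" lesson on slide 44 (Variable #1 frequency, Variable #2 severity), describe a procedure that is easy to make concrete. The following Python is an added example, not from the deck: it holds a constructed risk register spanning IT, Facilities and Security, answers the two questions for each risk, ranks risks by frequency times severity, compares one risk against the others on each dimension separately, and totals the picture per sector. The register entries, the dollar figures, the 150,000-per-year tolerance, and the choice to draw the acceptance curve as a line of constant frequency times severity are all this example's assumptions, not the deck's.

```python
"""Two-dimensional risk (frequency x severity) ranked and compared across
IT, Facilities and Security. Added example, not from the deck; the risk
register and the acceptance threshold below are constructed, and treating the
acceptance curve as a line of constant frequency x severity is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sector: str        # "IT", "Facilities" or "Security"
    frequency: float   # Variable #1: expected occurrences per year (estimate)
    severity: float    # Variable #2: impact per occurrence, in dollars (estimate)

    @property
    def expected_annual_loss(self) -> float:
        """The two dimensions combined: frequency times severity."""
        return self.frequency * self.severity


# Constructed register; the numbers are illustrative estimates only.
RISKS = [
    Risk("UPS battery string fails under load",          "Facilities",  0.2,    500_000),
    Risk("Operator error during maintenance switching",  "Facilities",  1.0,    200_000),
    Risk("Piggy-backed entry into the data center",      "Security",   12.0,      5_000),
    Risk("Terminated contractor retains badge access",   "Security",    2.0,     60_000),
    Risk("Storage array controller failure",             "IT",          0.5,    150_000),
    Risk("Regional flood reaches the site",              "Facilities",  0.02, 20_000_000),
]


def rank_risks(risks: list) -> list:
    """Recommendation 2: order risks by expected annual loss, worst first."""
    return sorted(risks, key=lambda r: r.expected_annual_loss, reverse=True)


def compare(risk: Risk, others: list) -> dict:
    """Recommendations 1 and 2 applied to one risk: how often, how bad, and
    how it stands against the others on each dimension separately."""
    peers = [o for o in others if o is not risk]
    return {
        "name": risk.name,
        "frequency": risk.frequency,
        "severity": risk.severity,
        "more_frequent_than": sum(1 for o in peers if risk.frequency > o.frequency),
        "more_severe_than": sum(1 for o in peers if risk.severity > o.severity),
    }


def acceptable(risk: Risk, tolerance: float) -> bool:
    """Assumed acceptance curve: a risk is tolerable while frequency x severity
    stays at or below the tolerance, whichever dimension drives it."""
    return risk.expected_annual_loss <= tolerance


def loss_by_sector(risks: list) -> dict:
    """Recommendation 3: the same arithmetic applied consistently per sector."""
    totals = {}
    for r in risks:
        totals[r.sector] = totals.get(r.sector, 0.0) + r.expected_annual_loss
    return totals


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        flag = "" if acceptable(r, 150_000) else "  <-- above tolerance"
        print(f"{r.expected_annual_loss:>12,.0f}  {r.sector:<10} {r.name}{flag}")
    print(loss_by_sector(RISKS))
```

The ranking puts the low-frequency, high-severity flood first and the high-frequency, low-severity piggy-backing last, which is the point of keeping both dimensions: neither question alone would order them that way. Re-running the same arithmetic after a proposed measure changes a frequency or a severity estimate is how the "compare this risk to others" step stays honest across sectors.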
MORE RECOMMENDATIONS & CONCLUSIONS
4. When evaluating a risk reduction measure:
   • What does it require of other sectors - e.g., if it’s a Facilities measure, what do IT and Security need to do to make it work?
   • Who will do those things and how?
   • Same question for Security and IT initiatives
5. Then, look across sectors...
   • What other exposures are out there?
   • Who should address them?
73
Q+A
74
Contact us at:
• David M. DiQuinzio
• (973) 903-3699
• Kathleen A. Lucey
• (516) 676-9234
• [email protected]
• [email protected]
75
LATER, DUDES!!!
76