Security PACE Book 1 - Security Principles

and Operations
Course
Introduction
Security Principles and Operations is Book One in this PACE series on Security
Basics. It was designed to cover basic concepts and principles that address the
security-related and environmental issues requiring security systems.
Security
Principles and
Operations Learning Objective

After completing this PACE Book, you should be able to:

Assets Protection
compare the traditional definition of assets protection with today's definition of
security assets protection
Security describe the importance of people, material, and property as they relate to security
Resources assets protection
describe the purpose of an Assets Protection Program (APP)
identify sources of potential disruption to operations, both internal and external
Underwriters discuss the five (5) objectives of an APP
Laboratories list the three (3) essential elements of a systems approach to security
describe the three (3) variables in vulnerability analysis
Standards
explain the three (3) requirements of event profiles
list the key factors influencing event probability
Burbank list factors to consider in assessing event criticality
Cryogenics - A name and describe the four (4) categories within event criticality
describe the significance of countermeasures and management support within an APP
Case Study
list the key objectives of operational testing
explain how vulnerability analysis, countermeasures, and operational testing work
together in an APP and describe their outcomes
list the advantages of multiplexed systems for security programs
describe modern security organizations and personnel as security resources
recognize UL standards as they apply to security operations
given the three elements of an APP, identify a solution to an AP problem (case study)
http://training.simplexnet.com/SEC601/SEC601.htm (1 of 2) [10/15/01 1:46:52 PM]
Assets Protection

Assets Protection
In the past "security" was fairly straight-forward. Images of bank guards
or fences topped with barbed wire accurately represented the extent of
security solutions in most instances. That was yesterday.

Today, the demands placed on security professionals have moved far

beyond guards and barriers. Effective security requires a comprehensive
"systems" approach that protects all assets of a company. In this section,
you will learn:
what these assets include
what the security issues are regarding each asset category, and
what security solutions are available to protect them.

One note of explanation before we begin: Throughout this series we will

refer to the "company." In most instances, however, these discussions
also apply to many different types of organizations. These may include
colleges and universities, medical facilities, industrial plants, etc.
Corporate security applies to these settings as well.
Assets Protection

Defining Assets
In general, a company's assets may be broken into three (3)
main areas. These include:

People - Employees, customers, and others who may visit

a site
Materials - any materials used in a company's processes
Property - both physical and intellectual

We'll look at each of these in more depth.

Assets Protection

People
It is often said that people are a company's most important
asset. A company's employees, after all, are responsible for
coming up with the ideas for goods or services which bring
success to an enterprise. Employees design, engineer and
manufacture the product. They manage these operations,
track costs and revenues, and provide a sense of overall
direction for the business. All of these individuals are valuable
assets to a company.

In addition, customers, contractors, vendors, and other visitors

become part of a company's assets, particularly while they are
within the company's physical plant.

People can also be potential threats or liabilities to a company.

Both outside individuals and company personnel who may be
intent on injuring the company in some way — by theft of
materials, for example — present significant concerns to
security operations. Example of such "people" threats include:
Assets Protection

protesters/demonstrators
thieves
a disgruntled employee damaging property or interrupting
operations
Assets Protection

Materials
Consider all the materials typically used by a company. The
raw material used in a company's processes must be
protected from theft, damage, or any other problems which
would interfere with manufacturing. Finished products are also
part of the company's material assets and should be a major
security concern. In addition, any materials which may be
created as by-products of the manufacturing process are also
of concern. Some of these materials (e.g., chemicals, gases,
lubricants and fuels) may be classified as hazardous materials
and present a special security concern.
Assets Protection

Property
Traditional approaches to security have always focused
on property, but today property includes much more than
just physical items, and this, of course, impacts corporate
security concerns. Physical property is clearly an asset;
therefore, it requires a plan to protect it. However, there is
a whole range of other types of property, generally
described as intellectual property. This can include:

research
computer programs created by the company
operational procedures
marketing and sales data
certain company policies

All of these are valuable assets of an organization that

require prudent protection. The challenge for security
personnel is to implement effective protections for people,
materials, and property. A successful security operation
must be build on an Assets Protection Program which
addresses all of these system-wide concerns. In addition,
an effective security program must be able to address
current and emerging threats within the environment in
which a company operates. We will look at this next.
Assets Protection

Potential Disruptions
Managers of an effective Assets Protection Program
(APP) must be concerned about all potential disruptions
to a company's operations. Such disruptions can come
from either the inside or the outside. Internal sources of
disruptions include:

disgruntled employees; or
former employees

There are other less obvious possibilities as well.

Assets Protection

Consider the effects of major or unanticipated changes

within a corporation's "culture" — layoffs resulting from
downsizing or mergers, for example. Such change may
lead to high levels of anxiety within the work force.

Disruptions from outside include:

disgruntled customers
vendors
contractors; or
persons who may have no prior links to the company.

At the extreme, such disruptions become disasters

ranging from bomb threats to actual bomb detonations or
other types of terrorist deeds.

Disruptions can also result from:

major accidents
interruption of water and power services (either
accidental or intentional); or
fires.

All of these may be triggered by human activity, but

disruptions also result from natural disasters including:

floods,
tornadoes; and
earthquakes.
Assets Protection

Protecting All Property Assets

Asset protection also involves preventing or reducing theft
of materials or destruction of property or facilities. Again,
there is little difference in these concerns from traditional
security concerns; however, security operations which
limit their scope of interest — to materials pilferage, for
example — risk even greater potential losses. Consider
the loss of sensitive company-private information,
compromises to corporate information systems, and
misappropriation of funds or property. Each of these
Assets Protection

poses significant risks to the company.

In most companies, security issues overlap with concerns

addressed by other corporate departments — Human
Resources, for example. Such concerns include
employee down-time due to:

tardiness
substance abuse
domestic violence; and
psychological problems.

These issues extend beyond security, but there is no

question that employees in these situations are legitimate
security concerns.

Security professionals also deal with the improper

activities of employees, particularly corporate officers.
Conflict of interest is the number one concern. One
example of conflict of interest is an officer who takes
sensitive information to a new job at a different company.
This activity clearly threatens a company and is a
significant challenge to an APP. Similarly, violations of
established business standards — in contract
procurement, for example — and financial
mismanagement present additional threats, all having a
potentially serious impact in corporate stability.

As you can see, the issues confronting security

professionals today are broad in scope, and these threats
have a potentially major impact on a company's
operations. Security professionals must be aware of all
potential risks in order to develop an APP. Next, we will
Assets Protection

Elements of an Assets Protection Program

There are two (2) requirements for an APP. Both grow out
of the need for a comprehensive "systems approach" to
security. These requirements are:

a realistic security plan

Assets Protection

a fully committed management, including the

company's top officers

A company's security plan should be based on the

specific needs and resources of that company. A realistic
plan must reflect an understanding of both the
requirements of the company and the financial and
human resources for security operations. Such a plan has
five (5) objectives:

include methods for responding emergencies

minimize the opportunities for disruptions to company
operations
manage potential losses in all areas of the company
provide a systems approach to security (including
methods for controlling, monitoring, and recording
access, events, and incidents
implement an education program to increase employee
awareness of security issues within the company, and
clarify employee responsibilities with respect to security.
Assets Protection

Total Commitment at All Levels

Without the full support of management, the best
designed security plan may still be compromised. A
successful Assets Protection Program requires total
commitment from all level of management, starting at the
top. Only with this "top-down" commitment will such a
system-wide approach to security and Assets Protection
be as effective as possible. Management's commitment is
reflected in the resources allocated for the security plan.
Management must also clearly communicate their
Assets Protection

commitment to their employees. Delegating responsibility

to mid-level management, without demonstrated senior-
level commitment, will result in compromised
effectiveness.

The commitment of senior-level management is also seen

in its compliance with the company's established security
procedures. A CEO, for example, who casually walks
through a facility, expecting to borrow someone's badge
to enter a controlled area, sends a message that security
— for some people — isn't all that important. And like so
many other things, a corporate security plan is only as
good as its weakest link. In the example just cited, the
CEO may indeed be the weakest link.
Assets Protection

Program Implementation
By now, the value of a comprehensive systems approach
to security should be clear. Such an approach is built on
three (3) essential elements:

a vulnerability analysis
selection and implementation of countermeasures
based on the vulnerability analysis
a thorough, on-going testing program for validating the
security plan

Next, we will look at each of these elements in more

depth.

Vulnerability Analysis
A Vulnerability Analysis asses a company's risk for
various kinds of disruptions. Vulnerability is based on
three (3) variables:

event profiles (potential threats)

event probabilities (the likelihood of an event occurring)
event criticality (severity of impact on the company's
operations).
Assets Protection

Event Profiles
Event profiles list potential threats to a company. The task
of the security planners is to identify and asses the
threats to people, materials, and property. Threats must
be based on reasonable expectation of potential impact.
(While it is possible for a meteor to fail on a company's
home office, the wisdom of a security plan to respond to
such an event is questionable.) Threats, reasonably
expected to occur, must meet clear criteria. The event
must present a risk to the security of the company which
can be measured in a formal way. Finally, the
measurement of the risk must be based on valid criteria;
in other words, it cannot simply be speculation or
supposition on someone's part.
Assets Protection

Event Probability - Contributing Factors

Event probability is the second variable in determining
vulnerability. The greater the likelihood of an event
occurring, the greater the event probability. Event
probability provides a means for deciding which potential
threats will likely become actual events.
Assets Protection

Physical One factor affecting event probability

Environment is a company's physical environment
— location, geography, climate,
physical plant design and even the
number of people utilizing the facility.
A company which uses hazardous
materials in manufacturing processes
in a building on a California fault line
may determine a high level of
probability with respect the
earthquake damage and, as a result,
institute sophisticated building
modifications. On the other hand,
another company, using virtually
identical chemicals, in an identical
building located in the prairies of
South Dakota, may determine an
earthquake as a low event probability
and therefore implement very
different policies and practices.
Social and Besides an organization's physical
Political environment, security planners must
Environments also consider social and political
environments when assessing event
probability. Issues of social and
political environments can be
particularly sensitive. A security
planner, who is examining event
probabilities with respect to social
and political environment, must look
for statistically significant patterns
that suggest high levels of probability
with respect to certain threats. Again,
Assets Protection

these measures must be based on

quantifiable criteria and must not be
based on personally held attitudes or
anecdotal "evidence." Factors which
are typically associated with social
environment include the crime,
income, and age levels of
neighborhoods around a company's
location.

Political environment can include a

country's political structure, especially
in overseas locations, but political
environment also involves the
company's own "politics." This may
include internal politics and
organization, the "corporate culture,"
management style, and attitudes
toward issues which impact the
company. In addition, another factor
which impacts the political
environment is how the company's
politics are perceived by its
neighbors.
Past History Another key factor to consider in
assessing event probability is past
history. Long-term, accurate records
can provide powerful predictors of
particular events. Types of events
and the number of occurrences of
each event yield valuable data for
security planners.
Assets Protection

Tools to Aid in Assessing Event Probability

Often planners use checklists and risk matrices to help
determine event probability. A checklist is simply a form
which calls out specific pieces of information related to an
event — type, time, and locations, etc. Checklists assist
security personnel in developing a database of event
occurrences.

A risk matrix provides a comparison of two or more factors

which can be helpful in determining event probability. It is
useful in identifying trends by compiling records of several
similar events. A matrix may report all the occurrences of a
given event by location. Under each location additional data
is recorded. With the matrix completed, it is possible to
determine if any location is more likely than others to
experience the particular event and whether time or other
factors are significant.

With sufficient data, security planners confidently assign

event probability. During this final stage of the process,
planners look for a means to prioritize events; that is, which
events are more likely to occur than others.

To this end, five or six probabilities may be established.

Categories range from "low likelihood of occurrence" to "high
likelihood." Each event type is assigned to a category, based
on data previously gathered. When completed, all potential
threats will have rating that indicates which events are of
greatest concern to security personnel by virtue of their high
probability.
Assets Protection

Event Criticality
Probability is not the only factor to consider in
implementing an Asset Protection Program. Event
criticality is also important. Criticality assess the impact
an event occurrence may have on a company's
operations. An event may have a much greater impact on
operations event though its probability may be lower than
another. For example, the probability of theft of materials
may be greater than the theft of a company-private
software design, but the theft of the software design could
have a far greater impact on the company's operations.
Assets Protection

On the other hand, an event which has a high probability

of occurring may have a low level of criticality. The cost of
countermeasures required to prevent a loss may far
exceed the cost of the actual event itself. Consider
personal use of the company photocopy machine.
Systems could be put in place to control such employee
behavior, but the security costs would certainly outweigh
the actual costs associated with photocopying.

Besides direct one-to-one costs, other factors must be

considered in assessing criticality:

employee morale
community relations
potential impacts on revenues
downtime
competitive position in the marketplace

For example, suppose an employee makes a company's

cost sheets available to the competition. While the short-
term damage may be negligible, there could be a longer-
term impact on competitive position, and ultimately on
revenues.

As with probability categories, security professionals

determine the specific ratings scale for event criticality in
their own company. There are four (4) basic levels:

Fatal - discontinuance of business or operations

Very serious - major negative impact on operations
Moderately serious - noticeable negative impact
Marginally serious - full recovery from impact is possible
with resources on hand
Assets Protection

Countermeasures Design and Implementation

With the company's vulnerabilities — event profile, event
probabilities and event criticality — determined, security
planners design countermeasures which will:

reduce the probability of an event occurring; and

provide an immediate response if it does occur.

Effective countermeasures involve personnel, hardware, and

software. Personnel include company employees and those
supplied through contracted services. They are responsible for
supporting all phases and components of the security
operation; they provide all security management functions as
well as day-to-day implementation of security policy and
procedures:
Assets Protection

Hardware countermeasures create a company-wide security

"infrastructure," including all physical equipment and devices
used for access control, intrusion detection, locks, fencing,
barriers, closed circuit television, and badging systems.
Software countermeasures include security information
programs, employee training and awareness programs,
education materials, and policies and procedures.
Assets Protection

Operational Testing
The third and final element of an effective APP is a
regular, on-going testing program. This is essential
because such a testing program:
identifies any risks which may still exist within the
company's operations
isolates any deficiencies within the existing system
(changes in a company's culture and operations may
require a similar change in the company's security
system)
identifies where changes are required in order for the
security system to grow with the company; and
provide a means of ensuring that security program
policies and procedures adequately meet the company's
needs
Security Resources

Security Resources
As in other areas, security benefits from advances in
technology. Multiplexed, integrated security systems are
now universally accepted as the standard technology for
security. These multiplexed systems define a baseline for
all security programs, and offer the following advantages:

lower operating costs

broader protection capabilities
overall increase in system reliability
comprehensive coverage (including reporting) of
multiple locations from one central command and control
point
flexibility and extendibility
greater control throughout the entire system; and
fewer security personnel (because of the ability to
centralize control).

Multiplexed systems benefit companies by:

allowing them to achieve improved security with a
significantly improved economy of resources, particularly
with respect to personnel; and
providing a modular design that allows newer
technologies to be integrated into the existing system,
Security Resources

thus adding functionality, longer life, and an improved life-

cycle cost to the company's current security system.

As mentioned above, modern security organizations

function effectively with smaller staffs. Current trends
toward more sophisticated systems, however, demand
personnel with higher levels of education and training.
Increasingly, security personnel have an in-depth, broad-
based knowledge of all aspects of security, as well as
demonstrated skills in computer operations and systems
applications. Today, security management positions
typically require a college degree and professional
certification. In addition to security issues, many secure
managers have demonstrated competencies in business
disciplines.

Security is increasingly an executive staff level function

within a company and as a result, requires more skilled
personnel. This also assumes a centralized operation as
the preferred model. In keeping with this more integral
approach to security, security operations are expected to
develop business plans and goals that contribute to the
overall objectives of the company. As in other
departments or divisions of the company, the security
operation is expected to plan and implement programs
that meet business objectives. As these objectives
change, security management must revise their own plan.
In addition, security throughout the APP is standardized
and duplication is eliminated, thus maximizing efficiencies
while minimizing personnel and other resourcing costs.

This approach to corporate security limits direct, company-

hired security personnel to professional positions,
Security Resources

technical support and administrators. Guards and other

support personnel will be provided through outsourcing.

In many ways, corporate security has reached a new

level o maturity. The current environment suggests a
broader range of potential threats. These threats have
compelled security planners to design a comprehensive
top-down, systems approach to the task of assets
protection. And emerging technologies, driven by these
new models of security, are enabling security operations
to achieve levels of responsiveness never before
possible.
Underwriters Laboratories Standards

Underwriters Laboratories Standards

Underwriter Laboratories
The speed and extent of the changes in security
operations and systems could suggest a lack of
meaningful industry-wide standards. Fortunately, this is
not the case. Underwriters Laboratories have defined a
comprehensive set of standards. These UL standards
define requirements in the manufacture, construction and
installation of security products. Underwriter Laboratories
have further defined the primary objective of security
products as ensuring the protection of assets. To
accomplish this objective, devices used in security
systems must meet the defined UL standards.

Underwriter Laboratories provides standards for security

products. UL standards also apply to the suppliers of
security products and to the installation requirements for
security products. Security professionals and others
involved in the security industry should be familiar with
the applicable UL standards, in particular standard
numbers:

294 (Access Control Systems); and

1076 (Alarm Systems and Units, Proprietary Burglar)

The entire listing of relevant UL standards appears below:

Underwriters Laboratories Standards

Standard
Title
No.
294 Access Control Systems

1635 Alarm Communications

Systems, Digital, Burglar

1076 Alarm System Units, Proprietary

Burglar

904 Mann Systems and Units,

Vehicle

1037 Anti-Theft Alarms and Devices

752 Bullet Resisting Equipment

1023 Burglar Alarm System Units,

Household

681 Burglar Alarm Systems,

Commercial

611 Burglar Alarm Units and

Systems, Central Station

1034 Burglar Resistant Electric

Locking Mechanisms

608 Burglar Resistant Vault Doors

983 Cameras, Surveillance

827 Central Stations for Watchmen,

Fire Alarm and Supervisory
Service

634 Connectors and Switches for use

with Burglar Alarm Systems

539 Fire Alarm Devices, Single and

Multiple Station

985 Fire Warning Systems,

Household
Underwriters Laboratories Standards

972 Glazing Materials, Burglary

Resisting

636 Hold-up Alarm, Units and

Systems

639 Intrusion Detection Units

689 Linings and Screens

609 Local Burglar Alarm Units and

Systems

768 Locks, Combination

437 Locks, Key

365 Police Station, Connected

Burglar Alarm Systems and
Units

603 Power Supplies for use with

Burglar Alarm Systems

687 Safes, Burglary Resistant

603 Power Supplies for user

with Burglar Alarm Systems

687 Safes, Burglary Resistant

Underwriters Laboratories Standards
Burbank Cryogenics - A Case Study

Burbank Cryogenics - A Case Study

Company Profile

Burbank Cryogenics is the leading developer of cold

tissue regeneration and storage. Their genetics division is
the sole supplier of artificial skin to the US military which
uses this tissue in their burn therapies on severely burned
personnel. It ranks among the top five biotechnology
companies in the United States and has experienced a
50% growth rate annually over the past three years.

Burbank Cryogenics (BC) has recently become a

privately traded company on the New York Stock
Exchange. It was privately held from its founding in 1978
until 1996.
Burbank Cryogenics - A Case Study
Burbank Cryogenics - A Case Study

Company Operations
BC currently employs 17,000 people in four major
facilities in Massachusetts and Rhode Island. Corporate
Headquarters is located in a 10-story office building which
the company owns in the financial district in downtown
Boston. Their main manufacturing laboratory in
Providence, Rhode Island recently became a union work
force. BC's Research and Engineering Facility is located
in Roxbury, Massachusetts, which is a neighborhood of
the City of Boston. Their Production Warehouse, which
also houses the MIS Group, is located in East Boston
adjacent to Logan International Airport to take advantage
of 24-hour air freight shipping. The company has also
done research in areas requiring animal testing, which is
widely opposed in the communities where they are
located.

Security History
The biotechnology field, especially genetic research, is a
highly competitive business, where information must be
properly safeguarded to ensure success. BC has
experienced several security breaches in the past six
months, and its new management team has decided it
must implement a thorough security plan. The company
culture has been an open campus environment with most
employees working flexible schedules. Its philosophy has
been to allow employees to go anywhere in the company
unabated, with uncontrolled access permitted even in the
research laboratories.
Burbank Cryogenics - A Case Study

HQ Requirements
BC's corporate Headquarters located in the financial
district of Boston is a very safe environment, with
incidents of crime almost non-existent. However,
management wants to safeguard against workplace
violence, due to the stress of this highly competitive
business. The employees are exclusively middle and
senior managers, with appropriate
administrative/secretarial support personnel also
assigned to this location. All major corporate functions are
in this facility: Finance, Controller, Procurement, Human
Resources, Legal, Patents, Strategic Planning, Public
Relations, Customer and Community Relations, Company
Officers.

Executive Security Requirements

Several executives have achieved a highly visible profile
and are concerned about the lack of an executive
protection program for them at work, home, in-transit
between locations, on overseas travel, and for their
families. They consider this to be a part of their
compensation packages with BC.
Burbank Cryogenics - A Case Study

Providence Security Problems

The manufacturing laboratory in Providence, Rhode
Island is located in a high-technology park adjacent to an
economically challenged inner-city neighborhood. The
area has a high incident rate of drug activity and crimes
against persons (e.g., assaults, robberies, and sexual
assaults), as well as property crimes (e.g., car thefts,
breaking and entering, and vandalism).

All facilities in the high-technology park have been built in

the last three (3) years. BC's employees have a security
clause in their collective bargaining agreement, which
requires BS to provide a security program that protects
them at all times while they are on BC property. This is
due to the many crimes committed against the work force
and their perceived lack of protection in/at the workplace.
Employees assigned to this facility are either
manufacturing management, facility support or production
workers. All non-management employees recently
unionized and are members of the Internal Brotherhood
of Electrical Workers (IBEW).
Burbank Cryogenics - A Case Study

Facility and Materials Requirements

Currently anyone can enter the high-technology park and
has access to parked vehicles, loading docks, lobbies,
and outside break areas. The economic level of this area
is very poor, and most buildings are in disrepair with the
exception of those in the high-technology park which are
state-of-the-art facilities. There is also concern that
several facilities have been broken into. While BC has
been spared so far, should a break-in occur, there are
numerous sensitive laboratories, equipment,
developmental materials and processes that could be
damaged. Some of the tissue regeneration efforts are
irreplaceable and require the highest priority protection.

R&E Facility Background

The Research and Engineering Facility is located in
Roxbury, Massachusetts, which is a neighborhood of the
City of Boston. BC received incentives from the state and
city administrations to locate this facility in an inner-city
environment. Its security issues are very similar to the
Manufacturing Laboratory in Providence, RI.
Burbank Cryogenics - A Case Study

People Security Problems/Needs

The one significant difference between Roxbury and
Providence is the major gang activity that occurs almost
unabated in Roxbury, even though the Boston Police
Department's Anti-Gang Unit is a constant presence. The
Major and Governor have started to receive pressure
from BC management to eradicate this activity, because
employees have walked off their jobs on two different
occasions when exposed to gunfire as they departed the
facility. This is a major personnel issues as the
surrounding geographical area has a constant demand
for qualified engineers in suburban and rural settings and
the turnover is almost 40% for the current year. The
employees located at this facility are engineering
management, engineers and support personnel.

Facility/Materials Needs
This facility houses state-of-the-art laboratories and
equipment. It has been broken into on several occasions
with major equipment losses and destruction of research
projects that have been extremely costly to replicate. This
has caused major delays in the release of new products,
which has hurt BC's position as a market leader in
artificial tissue alternatives.
Burbank Cryogenics - A Case Study

Warehouse Background

The Production Warehouse, which also houses the MIS

Group, is located in a recently constructed facility
adjacent to Logan International Airport. The facility was
located here to take advantage of the 24-hour freight
shipping available to meet customer requests, and handle
the immediate shipment of BC's products with a limited
shelf-life.

Personnel and Materials

The employees assigned to the facility are generally
software/hardware engineers, management and
production workers who support shipping/receiving,
transportation and warehouse operations. The facility
stores raw materials, production by-products requiring
regulated disposal (hazardous materials) and finished
products.
Burbank Cryogenics - A Case Study

Security Requirements
The BC facility is located in a general
warehouse/transportation hub. While there are no
immediate neighborhoods adjacent to the facility, car
break-ins and car thefts occur daily.

Many employees require access to the airport's tarmac

areas. This requires the employer (BC) to perform an
additional background check on employees to meet the
minimum security requirements for access to the airport's
restricted areas. These results are sent to Airport Central
Security with application for access by BC's Human
Resources Department, who wants this responsibility
transferred to the new Security Department immediately.

All the major main computer systems for BC's financial

group, personnel records, order processing and tracking
systems require added protection due to the criticality of
systems being down. The order processing system was
recently sabotaged by an employee, who was fired for
cause and later rehired and returned to the facility without
any problem. This act of sabotage resulted in orders
being delayed for 10 days causing numerous
cancellations, and caused BC to operate at a loss for the
quarter for the first time in their history.
Burbank Cryogenics - A Case Study

Planned Changes for Personnel

The new BC management team has announced that
access to all company facilities will be determined by an
individual's pay status, job position and work
assignments. Different time zones must be developed to
accommodate business and non-business hour access.
Positive control and identification of employees must also
be accomplished; discharged employees must be
prevented from reentering any location at any time. The
management team also wants all visitors, vendors,
contractors, and deliveries positively controlled and
documented. The union work force will be restricted to
manufacturing areas.

Planned Changes for Facilities and Materials

All research laboratories, computer areas, executive
offices, critical storage areas and parking areas will have
strict access control with compartmentalization required.
A comprehensive protection program that protects
employees the entire time they are on BC's property must
be developed, with testing and feedback from the
employees built into the program.

Information systems, research processes, manufacturing

processes, and patent projects have been classified as
company confidential and will require a layered security
program. The new management team wants
comprehensive CCTV coverage with recording at a
quality that can be used in litigation if necessary. The
bottom line is they want a complete, in-depth, fully
Burbank Cryogenics - A Case Study

documented security program that implements the latest

technology, operated by a trained and professional
security staff.

Additional Changes
The company will hire a security director for the first time
in their history, and it will require this individual to develop
an assets protection program as his first priority.

Objective
You are the new Security Director for Burbank
Cryogenics and as your first priority, you must develop an
asset protection program that includes BC's four major
facilities and incorporates their main protection
requirements. The questions below will help you begin
formation of the APP.