
Schools - Specifying the right kind of security: it starts with understanding the real threats and risks.

The challenge of specifying the right kind of security in an educational environment like a school, college or university can be complex. But it becomes much clearer when based upon a thorough threat and risk assessment to ensure it is appropriate, proportionate and fit for purpose.

Mention the word security in a school context and it may conjure visions of miserable kids being shepherded about beneath watch towers and cameras: more a secure unit than a secure school. In reality there are probably very few instances where this would be a proportionate or appropriate outcome of a comprehensive, expert Threat and Risk Assessment.

As we are talking about specifying the right kind of security, the focus is on Physical Security. It is worth noting, though, that viewing security holistically (Information and Physical Security together) offers huge benefits and assurance, and this will be touched on briefly a little further on.

Looking first at Physical Security: having had a thorough Threat and Risk Assessment, a school, for instance, will be aware of intended and unintended threats in the local vicinity. This could be a potential threat that has never been considered, such as proximity to a controversial organisation that attracts negative attention, e.g. protest groups at a medical testing lab. It could be something the school may not even have known about but that could form a potential threat to pupil and staff safety. With a proper threat assessment, appropriate action can be taken or the threat can be safely ignored.

The school will also become aware, through this kind of assessment, of the crime level in the area and the types of crimes that are being reported. This could highlight more obvious threats such as vandalism, arson or metal theft, which is an increasing problem. Like each school, the threats and risks will be bespoke and so, naturally, the solution should be too.
Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

As well as staff, student and visitor security, there are assets to consider such as IT equipment, not to mention the vast amount of personal and sensitive data that educational institutions collect and store. This will need the attention of both Physical and Information Security. Steps such as making sure that key areas are accessible only by those with designated permissions, and that any pass card or password system is stringently checked and maintained as part of information security policy, should ensure that leavers are deleted and access is strictly controlled. Sensitive or personal information needs to be protected physically as well as through policy and procedure, because there is both a physical risk of loss of equipment and a technical threat of loss of data to be mitigated.

That security equipment and policy are not fit for purpose sometimes only comes to light in the wake of an incident. Equipment and policy that are working well should reduce the risk of a data breach happening in the first place, but in the event of one they can also provide important evidential information. For example, vital door entry data for the appropriate time, along with CCTV footage and the ability to match footage to the user's entry card, may immediately show a discrepancy and help establish how the breach occurred and who is responsible. The responsibility may be a staff issue and lack of policy education, such as borrowing a pass card, or, in the worst case scenario, criminal activity. Risk in this instance could be limited if, as part of the Information Security Policy, access to sensitive data is restricted to appropriate users on a need-to-know basis, combined with a policy on reporting lost cards, which are immediately disabled, or entry codes changed.

Other educational institutions also face differing challenges when designing security systems and policy.
Universities are notoriously open places, supplying public access to leisure and entertainment in addition to homes and education for their students. Security is frequently spread across several sites, often large and more akin to securing a shopping complex or NHS estate, making a joined-up approach even more vital. Again, the threats are specific to any one site, but if a university is unaware of all the threats it is facing, or is assuming or perceiving threats, things can get missed or misunderstood and risk increases. With full understanding, a school, college or university can make an informed choice when it comes to layering of security, applying extra layers where they are needed because the risk is factually based, not merely perceived.

Getting an independent view on physical security equipment is very important and clearly a part of ensuring a system is fit for purpose. Finding out what is appropriate will come from the risk assessment, and the school or institution will be far better informed about what it needs and where. This will avoid both the Secure Unit approach mentioned earlier and the missing of key threats that should have been considered. It also means that the equipment specified will be focussed correctly, e.g. a proportionate number of CCTV cameras, appropriately placed, with future issues such as their obstruction by growing trees or shrubs addressed.

On a purely aesthetic level, many institutions have a fine history and form part of an area's architectural heritage. The possibility of specifying equipment that can harmonise with its surroundings where appropriate is also an advantage of getting independent advice. By using an expert who is independent from vendors, an institution is assured that whatever is specified is simply what is required and not what the institution is willing to be sold. This independent distinction can make a massive difference to budget.

The equipment is even more powerful if used to full capacity, and a consultant can show how differing systems can be used together to make efficiencies and supply information. This integrated style of physical and information security information can be a powerful tool if used properly and can form part of a cohesive and effective security policy. But it all starts with understanding the real threats and risks.

www.advent-im.co.uk/school_security.aspx

www.advent-im.co.uk
Head Office: 0121 559 6699
London Office: 0207 100 1124
Email: bestpractice@advent-im.co.uk

Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications.
www.adventim.wordpress.com www.adventimschoolsecurity.wordpress.com

www.adventimforarchitects.wordpress.com The award winning blog www.adventimforuklegal.wordpress.com www.adventimforgambling.wordpress.com
