Building Security：Codes and Liability.pdf

CODES AND LIABILITY P A R T 6 CHAPTER 30 CODES, STANDARDS, AND GUIDELINES FOR SECURITY PLANNING AND DESIGN Walter “Skip” Adams, CPP Senior Security Consultant, Sako and design philosophy, strategies, and assumptions for military construction. Department of StateCountering Terrorism, the Bureau of Diplomatic Security guideline, contains suggestions for U.S. business representatives abroad. Suggestions are mostly operational and are applicable to many building types. Department of Health andLaboratories storing and using certain types of agents and organisms must Human Services (DHHS)adhere to guidelines promulgated by DHHS through the Centers for Disease Control and Prevention (CDC) and National Institutes of Health (NIH). These biosafety guidelines address facility design and construction, equipment needs, and facility operations. See DHHS (NIOSH) Pub. No. 2002-139. Department of Defense,The National Industrial Security Program Operating Manual (NISPOM) Department of Energy,prescribes requirements, restrictions, and safeguards to ensure that U.S. Nuclear Regulatorycontractors protect classified information. Commission, and Central Intelligence Agency Department of TreasuryU.S. Customs publishes standards serving as models for cargo security best practices. Federal Monetary andThe Bank Protection Act of 1968 includes amendments and standards Banking Agenciesaddressing intrusion and robbery alarm systems, lighting, locks, surveillance, vault, and safe requirements. National Institute of StandardsFIPS 31 is a guideline for Automatic Data Processing, Physical Security, and Technology (NIST)and Risk Management. Nuclear RegulatoryThe NRC standards and regulations describe entry and exit controls to Commission (NRC)protected areas, material access areas, locks, perimeter intrusion alarm system, security equipment, key and lock controls, and protection against vehicular ramming and explosives. Note: All regulations are subject to revisions and modifications. CHARTING A COURSE OF ACTION Building owners and managers often view security provisions as optional costs, especially since most are not required by code. However, owners will typically pay for security in order to avoid liability, to add value, or to maintain critical and necessary operations. Examples of necessary operations include maternity ward infant protection systems in hospitals, warehouses with valuable inventory, and data centers housing essential or sensitive information. Building owners, operators, and landlords understand the need for heightened security concerns among tenants stemming from terrorist threats,workplace violence,and crime. These security concerns should be shared with architects, engineers, designers, and construction professionals during the earli- est phases of the programming and planning process. Owners must decide on the level of risk that they are willing to assume and work with the project team to determine appropriate security goals. Owners must also ensure that facility operations do not conflict with the comprehensive security plan. Increased global concern about terrorist threats indicates that the trend toward enhanced security design, technology, and operations will likely remain strong. Implementing prescriptive codes could potentially reduce duplicative efforts, decrease waste associated with companies paying for useless provisions, and standardize the quality of expectations in the design and construction arena. Regardless of any potential life safety and security code provisions that address architectural and engineering design, a comprehensive security plan that integrates design, technology, and building operations is still the best protection for building owners. Until a series of prescriptive codes is developed and made available for widespread, standard application, building owners, operators, and managers seeking to enhance security measures on their properties should develop a comprehensive security plan. (Table 30.5) Other tasks may require working with in-house professionals or outside consultants: Examine corporate security standards for applicability to site planning and building design. Assess the likely threats using a template developed by the corporate security department or a qualified professional consulting firm. Ascertain the security design experience and qualifications of architectural, engineering, and secu- rity consulting firms under consideration for selection in new construction or renovation projects. The firms and proposed team members should demonstrate appropriate, relevant experience and knowledge of essential security design elements (Table 30.6). VIABLE OPTIONS FOR SECURITY CODES The primary motives for development of security codes are to: Clarify conditions prior to identifying the need for security measures Develop viable options to address an identified threat Reduce duplication of effort Decrease waste Standardize quality To further efforts in developing security standards for the commercial building sector, the fol- lowing suggestions merit consideration: Use federal mandates for security provisions critical to emergency response at applicable facilities. Limited federal funding would ideally offset implementation costs. Implement federal recommendations for more in-depth security provisions, organized according to building type, function, and likely threat, for state and local homeland security, and counter-terrorism 30.10CODES AND LIABILITY efforts. The federal government is best suited to this task, as several federal agencies have comprehensive guidelines suitable for adaptation by state and local government agencies. Encourage states to adapt federal recommendations, as applicable to local conditions, and mandate compliance. States could execute periodic inspections and compliance tracking. Provide incentives for local governments to assist in documenting compliance. For example, if state provisions have clear criteria, local governments could collect compliance statements from builders. However, if localities are responsible for approvals, they might have to train staff engi- neers; especially those already performing building code inspections, to handle security inspec- tions. As a result, localities might be forced to hire more staff, a potential financial burden. Encourage states to provide incentives to building owners who voluntarily pay to be accredited by a security professional. Increased security and emergency response preparedness benefit employees, the community, and neighbors of the facility. Accreditation criteria should stress police and fire coordination and provisions supporting emergency personnel. Encourage architects, engineers, and design and construction professionals to be familiar with fundamental security design concepts, codes, and standards, especially pertaining to specific building types they are involved with, as part of maintaining professional licensure, and as part of the licensing examinations. Educate design and construction professionals in schools, professional conferences, and continu- ing education courses, about security design and related industry codes and standards. CODES, STANDARDS, AND GUIDELINES FOR SECURITY PLANNING AND DESIGN30.11 TABLE 30.5Ten Steps to a Comprehensive Security Plan 1. Assume incidents or attacks will occur and plan accordingly. 2. Identify threats by predicting the most likely attacks or incidents. The main objectives of an effective emergency response, which is part of any security plan, should be to protect lives, protect assets, and maintain operations. 3. Identify facility vulnerabilities with respect to the likely threats. 4. Maximize design features to improve security. Examples: Minimize number of entryways Protect utility areas from tampering and explosions Harden mail and delivery facilities for blast resistance Design architectural landscaping to prevent ramming Provide adequate setback from roads, parking areas, and other facilities Build space to accommodate security functions, such as a control station, inspection area, and badging operations 5. Select appropriate technology systems to address vulnerabilities. Examples: Access control Door alarms Communications capabilities Surveillance Lighting 6. Use consistent standard operations, policies, and procedures to enhance the security plan, such as: Key control Identification card issuance and use Hiring practices Visitor policy Mailroom and delivery policies Computer security 7. Demonstrate genuine support for standard operations, policies, and procedures from the top down. 8. Develop and institute mandatory employee security training. 9. Develop an emergency response plan. Start by identifying who has the authority to initiate an emergency response and why. 10. Train, practice, evaluate, and refine the emergency response plan at least annually. Whether any future mandatory security codes exist as a stand-alone regulatory document, or are integrated into other life safety codes, components for standard documentation might include: Categorization tools, enabling building owners and operators to classify their facility based upon location, function, occupancy, risk, and public accessibility Baseline provisions required for all facilities to ensure a reasonable security level Architectural and engineering design recommendations Technology, such as security systems, communications, and data Operations, policies, and procedures CONCLUSION No one could have predicted, planned for, or counteracted the use of airplanes as missiles targeted at the World Trade Centers Twin Towers on September 11, 2001, and the resulting loss of approxi- mately 3000 lives. However, many security lessons may be learned from these attacks, especially regarding commercial buildings (Tables 30.7 and 30.8). Designing, installing, and maintaining security systems are significant expenses for commercial property owners. Without any binding codes or mandates addressing comprehensive security sys- tems in the private sector, building owners must rely on recommendations from consultants and in- house security professionals. Ultimately, however, in the public and private sectors, owners determine their security needs, select and specify technology, and justify associated costs. Industry groups, design professionals, and public officials may eventually develop mandatory security codes for commercial buildings. However, a significant body of resources, from the public and private sec- tors, is available for adaptation to commercial use. The tragic events of September 11, 2001, underscored the lack of, and the potential need for, baseline security codes and standards appropriate for private-sector commercial, institutional, and industrial buildings falling outside the mandates of government security guidelines. Design and con- struction professionals, facility managers, and building owners should remain aware of proposed changes to national, state, and local codes and standards to accommodate security provisions. Until security guidelines are formally integrated with existing codes and standards, building owners and design professionals should become familiar with and routinely implement the best security 30.12CODES AND LIABILITY TABLE 30.7Lessons Learned from 9/11: Security Planning The most urgent lessons for design and construction professionals, building owners, and facility operators as a result of the attacks on September 11, 2001, and from other terrorist attacks directed at American facilities and operations, are the need to plan and design for security and emergency response operations. Coordinate a quality security system by integrating architectural design, technological devices, and oper- ational activities. Develop a list of likely threats to be mitigated, specific to every site and function. Mitigating threats requires dedicating money to address security vulnerabilities. Hire an experienced professional to perform vulnerability assessments, whenever possible. Look for relevant certifications from industry organizations. Hire an experienced security professional to adapt best practices from regulated organizations, such as the Department of Defense, into the commercial building security design. Maintain documentation regarding which standards and best practices were implemented, should proof be required for insurance or liability purposes at a later date. Keep record copies at an off-site location from the building being covered. Understand that security emergencies cannot be predicted, nor can they all be prevented. Security plans mitigate risk and represent a tradeoff between operational freedom and restriction. Building owners must make informed decisions about the amount of risk that they are willing to accept and cover all related security costs. design and operational practices to ensure the health and life safety of their employees, tenants, and communities. INTERNET RESOURCES American Chemistry Council (ACC) www.americanchemistry.com American National Standards Institute (ANSI) www.ansi.org American Society for Industrial Security (ASIS) www.asisonline.org American Society for Testing and Materials (ASTM) www.astm.org Centers for Disease Control and Prevention (CDC) www.cdc.gov Chlorine Institute (CI) www.cl2.com Electronic Industries Alliance (Association) (EIA) www.eia.org Factory Mutual Research Corp (FM) www.fmglobal.com CODES, STANDARDS, AND GUIDELINES FOR SECURITY PLANNING AND DESIGN30.13 TABLE 30.8 Lessons Learned from 9/11: Emergency Planning The events of September 11th highlighted the need for building owners and managers to plan emergency response operations. Invest the time and effort required for planning emergency response. Plan for worst-case scenarios such as: Power outages, including emergency backups, which render alarms, communications, elevators, lights, and electronic systems useless Circumstances where key coordination people are unavailable or inaccessible A chaotic, noisy, confusing, frightening, life-threatening situation Determine how security systems will function in emergency response efforts. For example, card access systems can provide a list of who is in the building, which is critical rescue information during emergencies. Plan to use such information in emergency response plans, which may require programming remote access of the electronic information. Recognize that preparedness is paramount,time-consuming,tedious,and sometimes costly. Sound emergency plans take time and effort to develop. Government organizations, like the Federal Emergenc Agency (FEMA), publish helpful guidelines. Emergency plans are most useful if they are well designed, accurate, trained, rehearsed, and ev Regular testing is the most effective way to assess emergency plan accuracy. Document the tests and promptly remediate any identified problems. Find innovative ways to multip