



Making the Grade
By: Robert Metscher

We typically think about security after something bad happens to us or to someone or something we care about. Sadly, it takes such an event to cause our reflection on our own state of security. In other words, we wonder how this could happen, and we begin to cast around for culprits, explanations and convenient “blameholders” that allow us to avoid the real cause. This also tends to prevent us from actually solving the problem. 

Consider this--we would never wonder why our car stopped working if we never changed the oil, or why our roof began to leak if we never bothered to inspect or repair it. But, we wonder why our security failed the moment we are directly affected by crimes or other losses. The reason may very well be our own lack of attention to our responsibility to ensure our own safety. It hurts to hear that, but it is necessary to prepare for the future.

Security, and security programs, fail because of a simple misunderstanding of the environment. The environment is constantly changing. We all know this and have sayings like “nothing stays the same” to remind us of this fact. We change individually and as a group, and our buildings, structures and the physical environment around us change constantly as well.

This is the misunderstanding that causes so much trouble with security. We take some action, like installing an alarm system, and then say we have security or are secure. We feel good about our actions and convince ourselves that we are now safe. Then, when something happens--a burglary, vandalism or other crime--we feel even more hurt because our belief in our security has been destroyed. All this because security is a process and not a destination, but it is routinely believed to be someplace that can be reached with no further action needed. 

With the environment constantly changing around us, so is the threat. The threat is dynamic and bounded only by the limits of ingenuity. The point in time at which we install security equipment or implement new procedures is an imaginary point in time, because it has already passed us by – the environment has changed.  The threat may have changed a little or a lot, but it has changed even if only to deal with your new security efforts.   

However, this is not to say that it is impossible to be “secure,” but rather to recognize that the process is ongoing. It requires vigilance and dedication, at least a little anyway, especially if the process is designed to compensate for the changing threat environment. One brief and very clear example of this is airport and airline security. To prevent hijackings, firearms were initially banned from commercial aircraft, but the threat did not remain static. It changed, and the security mechanism, for whatever reasons, did not stay oriented toward the threat; we all saw the result. This is, of course, a very grand example of this issue, but it is nonetheless a powerful illustration. It is not necessary to have a successful burglary at your church simply because the alarm system has become outdated or recent construction rendered areas unprotected.

Once we acknowledge that security is a process and that the threat environment is constantly changing, it becomes possible to create security that does not fail, at least not systemically. We can create functional structures that incorporate the process of security. This means going beyond “point” solutions. Point solutions are those that are enacted to solve one problem: a new lock on a door, a new alarm system or a new safe. However, point solutions do not always complement each other and, in some instances, may hinder one another. A truly effective security program means integrating people, technology, procedures and the environment to create protection that is as dynamic as the threat environment.

Security’s Best Beginnings
This brings us to the starting point of any well-designed protection program: the Risk Assessment. However, while this is the starting point and creates a sturdy foundation, it is not the key to preventing “failures.” It is, instead, a way of identifying what is to be protected, from what it is to be protected and, finally, how to protect it. The Risk Assessment is generally broken into these five steps:

  • Identifying Assets
  • Identifying Threats
  • Identifying Vulnerabilities
  • Determining Risk
  • Selecting Countermeasures

To keep things very simple, we can boil these down to their essence. Assets are of two types: Tangible and Intangible, or those that can be touched and those that cannot. Since tangibles are pretty clear – being people and “stuff” – it is also significant to note the intangibles. These include goodwill, trust, information and knowledge. These assets can then be further categorized by their criticality to the operation. Critical, Important, Useful and Convenient are some easy categories.

With that, it is time to develop a Threat Inventory, which can become fairly complicated very quickly. To simplify it, think in terms of “Take” and “Break.” That is generally the goal of any threat. Assets can generally be taken or broken, and that is what security is meant to prevent, or mitigate, right? Consider what is needed and how to go about “taking” and “breaking” each asset. This will assist in identifying vulnerabilities. Vulnerabilities are commonly considered to be “exploitable weaknesses,” but for simplicity’s sake, it is easy to remember this idea: If you can identify how to gain unauthorized access to an asset, then a vulnerability exists.

Now the question becomes what are the chances of something like this happening. There are complex probability formulas for this, but keep it simple and apply some common sense. Is it highly likely, possible, somewhat likely or very unlikely?

Now consider the significance of the loss if an attack were successful, which comes from your asset criticality. Would it cripple your operations, severely hamper them, create some inconvenience or cause a minimal impact? Think in multiple dimensions: financial impact, community image impact, comfort and fear of members, and the ability to continue routine operations. 

There are three general ways to manage risks: accepting them, which means not attempting to mitigate them; transferring risks through the use of vendors and insurance carriers; and reducing risks through countermeasures. For each risk, one or more methods for managing it should be considered. Put all of this in a report, submit it to management, and the Risk Assessment is complete.

It is rare to find the entire Risk Assessment process described in one paragraph, but it may not be necessary to over-explain the topic. Most importantly, the Risk Assessment does not stop any loss. It is an assessment and nothing more. It creates understanding and implies action, but confusing either for actually taking action will destine your efforts to fail. Your action must come in the form of implementing countermeasures. And, implementation is not enough. Implementation is just the start, with the real work coming in the maintenance and evaluation that follow.

So, the whole process starts with a Risk Assessment, followed by implementing countermeasures, followed by maintaining and evaluating those countermeasures, which is all followed at some point in the future with a fresh Risk Assessment. What is the timeline between assessments? It can be whatever you want it to be. Generally, the interval is somewhere between every one and five years, depending on the environment.
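
The qualitative process described above (assets, “take” and “break” threats, likelihood, impact, the three ways of managing a risk and the reassessment interval) can be kept as a small risk register. This is an added example, not part of the original article; the numeric weights, the multiplication of likelihood by impact, and the sample congregation data are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Scale labels follow the article's wording; the numeric weights, and ranking
# "somewhat likely" above "possible", are assumptions made for this example.
LIKELIHOOD = {"very unlikely": 1, "possible": 2, "somewhat likely": 3, "highly likely": 4}
IMPACT = {"minimal": 1, "inconvenience": 2, "severely hamper": 3, "cripple": 4}
TREATMENTS = {"accept", "transfer", "reduce"}   # the three ways to manage a risk
THREATS = ("take", "break")
MAX_INTERVAL_YEARS = 5   # the article gives one to five years between assessments

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str              # "take" or "break"
    scenario: str            # how unauthorized access could happen (the vulnerability)
    likelihood: str
    impact: str
    treatments: tuple = ()   # empty until a decision has been made

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def ranked(register):
    """Highest score first; ties ordered by asset name so the report is stable."""
    return sorted(register, key=lambda r: (-r.score, r.asset, r.threat))

def open_items(assets, register):
    """Work still to do: asset/threat pairs never assessed, and undecided risks."""
    assessed = {(r.asset, r.threat) for r in register}
    items = [f"{a}/{t}: never assessed" for a in assets for t in THREATS
             if (a, t) not in assessed]
    for r in register:
        if not r.treatments or set(r.treatments) - TREATMENTS:
            items.append(f"{r.asset}/{r.threat}: no valid treatment chosen")
    return items

def reassessment_due(last: date, today: date) -> bool:
    """True once MAX_INTERVAL_YEARS full years have passed since the last assessment."""
    years = today.year - last.year - ((today.month, today.day) < (last.month, last.day))
    return years >= MAX_INTERVAL_YEARS

# Constructed sample data for a small congregation (not from the article).
ASSETS = ["offering cash", "member records", "sanctuary AV gear"]
REGISTER = [
    Risk("offering cash", "take", "counted by one person, office unlocked",
         "somewhat likely", "severely hamper", ("reduce", "transfer")),
    Risk("member records", "take", "shared office PC has no login", "possible", "cripple"),
    Risk("member records", "break", "only copy is on one hard drive",
         "possible", "severely hamper", ("reduce",)),
    Risk("sanctuary AV gear", "take", "side door left propped during events",
         "highly likely", "inconvenience", ("reduce",)),
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(r.score, r.asset, r.threat, r.treatments or "UNDECIDED")
    print(*open_items(ASSETS, REGISTER), sep="\n")
```

The open-items list is the part that keeps the assessment from ending as a report: it shows which assets were never considered for one of the two threat types and which risks still have no decision attached.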

“Smart” Countermeasures
Now that you have considered what can happen to each asset, what it will take for this to happen, and how likely it might happen, it is time to consider countermeasures.

There are smart countermeasures and there are “Smart” countermeasures. The former are those selected because a salesman or a “security expert” with little or no experience with churches identifies those methods that are commonly used in the industry – everyone uses this method. The only problem is that there are very few industries that function like churches. They, no doubt, have similar threats and maybe even fewer assets to lose, but it is nonetheless a very different environment. 

“Smart” countermeasures are those that are selected because they blend with your organization’s culture, are capable of effectively countering your organization’s threats and are able to orient toward changing threats. They fit and work with your environment. Now, what is meant by this? Not all churches operate exactly the same way. Some are more open than others, particularly when it comes to administrative matters. The way everyone interacts with each other and how everyone interacts with the institution largely defines the organizational culture.

Each countermeasure must fit with the culture. It is just not possible to claim an “All Are Welcome” policy and then require ID badges to get in – it just does not fit, and it certainly will not work. So, each countermeasure must balance people, technology and procedures to achieve the greatest effect, while not only “permitting” operations to continue but actually fostering them.  The best security blends so well with the operations that it feels almost natural. This security will be used consistently, and that is a cornerstone to a successful program. 

Countermeasures that are being considered should be placed on paper during the planning process. They should be tested vigorously with scenarios. Use blueprints with technology solutions identified clearly and role-play walkthroughs to determine whether human and procedural solutions make any sense at all. This also helps to eliminate solutions that may compete or be disruptive to each other. Ask some questions:

  • Does the countermeasure make sense? 
  • Is it easily circumvented? 
  • How would those efforts be prevented or monitored? 
  • Is the countermeasure sustainable – or what resources does it need to work? 
  • What other functions might this countermeasure assist (accounting, customer service, landscaping, etc.)?

When a countermeasure does not seem to fit, then it is time to consider other similar options. Sometimes, a good solution today is better than a perfect solution never.  Implement it and listen to comments and complaints; many times these will provide what could not be thought of before. 

Knowing Which Way to Look
With all the countermeasures selected, it is time to consider how to prevent them from failing. The trick lies in the maintenance and evaluation phase, which is all too often the most overlooked part of the process. Once countermeasures are implemented, there must be a mechanism to monitor them, test them and ensure that they still make sense by addressing a threat.

This mechanism typically takes the form of just a few people – too many makes it unwieldy and too few means the monitoring is ineffective. Since these will most likely be volunteers, it is important to use those consistent in fulfilling their obligations. But to make this part work ever so smoothly, there should be enough individuals to fill three functions: 1) analyzing current events, 2) testing or auditing the effectiveness of the countermeasures, and 3) evaluating the appropriateness and efficiency of the countermeasures. The functions do not necessarily need to be separated, but no one person should be responsible for doing them all. The reason here comes from the old saying of “an extra set of eyes.” Different perspectives, different levels of creativity and differing levels of commitment to any set of rules are very helpful.

Analyzing Current Events
First, the analyst must keep an eye on local activities as well as activities around the world, especially those that involve churches. They should consider local crime and other loss events such as fires; crimes and events in communities connected to their own by major transportation arteries; and crime against churches worldwide. This provides insight into several important concerns. What is happening here and now? What may be traveling this way? And, generally speaking, what is happening everywhere? This, when done on a regular basis, will create a database of activities and trends.

This is the same sort of information used by crime analysts and is how policing activity is targeted; however, in this case, the purpose is to help identify threats that may not have been considered before and what new methods the old threats might be using. It is truly an analysis of collected data, and the best way to get the data is to use automated tools to augment any manual searches. Several search engines offer free “news alerting” services that will provide regular updates on current news stories from around the world. Get a weekly e-mail, read the articles, take some notes and the process is underway. Once this information has been distilled from raw into a more convenient format, it should be shared with the person or persons doing the testing. 

Testing or Auditing the Effectiveness
There is no way to know if security is “working” without testing it. The bad guys can do this for you, but then it becomes a pass-fail test. When you test it, it is more like a pre-test, and you can go back and study what went wrong.

This part of maintenance is just like it sounds. Someone tries to carry out a threat – steal a computer, steal money, break in, get private information, etc. The purpose of any effort should be to determine the effectiveness of an implemented countermeasure and identify the ease of completing an attack.

Remember, these threats might come from outsiders or insiders, including employees or volunteers. Good countermeasures reduce the likelihood that a loss will occur by making it more difficult to accomplish. Assuming that most people are not mean-spirited, this means that those who might go astray can be guided away from such a wrong as a result of procedures, technology and the organizational culture. With that said, any testing should be carefully planned and controlled, involving key members of organizational leadership and possibly even local law enforcement. This prevents the possibility of any misunderstanding about the tester’s actions.

In some instances, it may be worthwhile to use a third-party professional in this role so that contractual obligations on confidentiality can be enforced. In any case, this should be a relatively creative person. Their efforts should include role-playing with those responsible for specific countermeasures as well as physically testing locks, alarms, any other countermeasures, and inspecting the buildings and grounds.

Evaluating the Appropriateness and Efficiency
The final piece to maintaining the security program is a routine evaluation to ensure the countermeasures are working and fitting with the organization. If a countermeasure is not financially feasible, it should be identified here in this part of the process and as early as possible so that a replacement solution can be found. If something is clashing with the organization’s culture, then it should be noted here as well.

The primary questions at this point have to do with financial and cultural efficiency. By now, the countermeasures should have already been tested, possibly multiple times, and found to be effective, or not, but it is here where their efficiency is determined. 

The person involved in the evaluation should consider what resources are being consumed, at what rate, and when or if that might change. If this is not feasibly sustainable over the long haul, then a new method must be sought. Evaluations should be made of every aspect of the security program, from the awareness campaigns to the illumination plan and any video or alarm system design. Query, survey and interview those directly affected or involved and those that are not affected or involved. Hear all sides and thoughts, and then address them. The perception of a security program is nearly as important as its actual performance.

Ultimately, these three functions provide the opportunity to keep a security program oriented toward the right threats effectively and efficiently. That is what keeps a security program from failing – a little maintenance. How each of these is done will, and should, be allowed to alter and improve over time. There should be some rigid procedures in the analysis, testing and evaluation, but there must also be many flexible guidelines as well.  It just is not good enough to simply test what is in place for the threat that existed last week, month or year; it must be tested and evaluated for the current threats as well.

Robert Metscher, CPP, CISSP, is a security consultant with more than 15 years in the security industry.  He is the founder of Asset Protection Innovations and maintains the blog “Protecting Your House of Worship” (worshipprotection.blogspot.com) for sharing information concerning safety and security at churches and other spiritual centers.

Product Roundup

Asset Verification
Asset Verification, Inc. provides detailed inventory, appraisal, and asset management systems for houses of worship to:

  • Determine proper insurance coverage
  • Track assets
  • Deter theft
  • Facilitate real estate transactions
  • Foster responsible stewardship

Each inventory, formatted onto a CD- or DVD-ROM, includes a text printout describing all items, digital images of all items, and an aggregate valuation. AVI’s customized barcoding systems provide convenient asset tracking and theft deterrence.
www.assetverification.com

JTECH’s ParentPass
JTECH’s ParentPass nursery paging system was designed specifically for the unique needs of the church environment and was developed from actual customer feedback with input from church nursery workers and children’s ministry leaders. Key features and benefits ParentPass brings to your church include:

  • Strong pager vibration means no more missed pages
  • Robust, two-piece “cell phone style” clip is comfortable, durable and easy to use
  • New vibe/flash option gives more flexibility and further reduces missed pages
  • Out-of-range and search features reduce loss and simplify pager management
  • Long-life, rechargeable NiMH battery technology reduces maintenance costs

www.churchnurserypagers.com

ACTAtek
HECTRIX has introduced a secure, easy-to-use, easy-to-implement and easy-to-manage control unit – ACTAtek. ACTAtek is a world-class, Web-based, SSL-protected access control and time attendance system that uses biometrics, smart card and PIN technology. ACTAtek:

  • Can be used in a standalone mode without the need of costly and complex dedicated architecture
  • Is a 24/7 security management solution
  • Can be accessed and controlled via Wi-Fi/GPRS network using your PDA or smart phone

You can also send and receive SMS messages and e-mail notification via the ACTAtek.
www.hectrix.com

Video Insight
The most important aspect of a security system is its reliability. Video Insight ensures stability through an e-mail alert system and a health monitor so you’re the first to know if there is ever a problem.

  • All the features you would expect are delivered in an interface that is easy to understand and navigate because it uses the familiar Windows platform.
  • With up to 32 cameras per server, you can monitor all areas of your church and control who has access.
  • No need to hassle with tapes or change any past infrastructures.
  • It is compatible with your existing PCs, CCTV Cameras, cabling and storage.

www.video-insight.com


