Security Standards
The development of security standards has been a point of contention and confusion for some time. Only in the last four years has there been significant progress in the development of security standards.
A standard is a set of voluntary criteria developed using an unbiased and consistent methodology. The progression of a standard begins when an organization develops an internal guideline or best practice. A standard follows a specific process to facilitate additional ideas, openness and consensus.
The process involves standards organizations, which do not write standards, but administer to the organizations that do write them. In essence, a standards organization does not validate the information being proposed; it verifies that the standard was developed openly, fairly and without bias, following a consistent policy and procedure. This is an important distinction to make because a proposed standard endorsed by a recognized standards organization will have far more clout than it otherwise would.
There are numerous standards organizations. Two accreditation models that U.S. government bodies should be aware of are the American National Standards Institute (ANSI) and the broader International Standards Organization (ISO). Once an organization’s policies, procedures, openness and transparency for the development of any proposed standards have been accepted by a standards organization, the organization is accredited as a Standards Development Organization (SDO).
Why are standards important?
A code is defined as: “any set of standards set forth and enforced by a local government agency for the protection of public safety, health, etc., as in the structural safety of buildings (building code), health requirements for plumbing, ventilation, etc. (sanitary or health code), and the specifications for fire escapes or exits (fire code).” A code, in many instances, is basically the application of a standard.
Sometimes, a standard can be adopted into a code. In many instances, standards are modified by state, municipal and government organizations through the codification process. However, the process from guideline/best practice to standard and then to code is not absolute. At any point, a state, municipal or government organization can make a decision to adopt a document and make it into a code. The International Code Council (ICC) is making great strides with its open process for the development of codes. Specifically, the International Building Code (IBC) is a document that in many instances is being wholly adopted by municipal, state and some government organizations.
The applicability of standards on security
There are security standards such as those of Underwriters Laboratories (UL) and the Security Industry Association (SIA) that are product standards. Fire protection standards exist for products and methods whereas security standards currently focus primarily on products. Current security product standards depict what a product must do, but not how it is done. Whereas other organizations can prescribe standards for products and methods, security currently cannot.
To understand why, let’s look at fire protection. There are standards that prescribe specific installation criteria to detect and extinguish or manage a fire. That is possible because if, for instance, someone decided to set his or her desk on fire, generally, no matter where that desk is located, it will burn at a specific rate and will generate a certain amount of heat and smoke. These scientific variables are unchanged. No matter where the desk burns, the nature of the burn can be anticipated and controlled. A fire cannot determine not to “start” because it recognizes that you have installed a fire protection system. Fire is a chemical reaction that can be measured.
Like fire, the incidence of workplace violence can cripple an organization. Unlike fire, however, security is not a chemical reaction that can be measured. In some instances, a simple security-related dispute can erupt into very unfortunate incidents, but it doesn’t happen every time. This is why security standards have taken so long to develop. The security risk is very different and, although it cannot be measured scientifically, we can draw conclusions about security through research, statistics, probability and impact upon an organization.
Standards for security
There are two organizations that are currently active in developing security standards. The National Fire Protection Association (NFPA), in the absence of other guidelines and standards, has developed two documents. These include: “NFPA 731: Standard for the Installation of Electronic Premises Security Systems” and “NFPA 730: Guide for Premises Security.” These documents are very different in their approach, and although well meant, are too consistent. Security requirements are generally qualitative. In this way, NFPA 730 fails the broader audience because it indicates specific requirements for all facilities regardless of location or risk.
Security issues are more difficult, but not impossible, to impart into a set of standards. ASIS International, the foremost and predominant organization in advancing security, has established and endorsed the development of the ASIS Commission on Guidelines. Having the forethought to follow a consistent approach, ASIS was quickly recognized as an SDO by ANSI.
The ASIS Commission on Guidelines modified its name to the ASIS Commission on Standards and Guidelines, thus solidifying its intent to enter into the standards market. Nine days after its announcement that it had been accredited by ANSI, the organization was designated as a liaison member of the ISO technical group, ISO/TC 223: Societal Security stating: “ASIS will promote a message that there is a need for business-friendly consensus-based voluntary international standards rather than a hodgepodge of national standards.”
All security practitioners should become involved in this process and familiarize themselves with these ideas. In particular, the “Guidance Standard to Complement the ISO 9001” is probably one of the greatest opportunities for the purposes of codifying security. For more information go to: http://www.asisonline.org/guidelines/volunteer-form.xml.
Standards resources:
“NFPA 731: Standard for the Installation of Electronic Premises Security Systems” and the “1997 Uniform Building Security Code” administered by the ICC are narrow in scope. NFPA 731 applies to installation practices of security systems and does not prescribe where they are installed, only how. The 1997 Uniform Building Security Code “only establishes minimum standards to make dwelling units resistant to unlawful entry.” If it were any broader, the standard would fail to meet additional criteria that would be applicable to other users such as corporations, municipalities and government entities.
There are also numerous security guidelines. As a result of 9/11, everyone from the Federal Emergency Management Agency (FEMA) to NFPA to the General Services Administration (GSA) and unlikely sources such as the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE), promulgated security guidelines. ASIS has also been quietly developing guidelines, which, like many of the others, are free to anyone who has access to the Internet. Each of the ASIS guidelines follows an ANSI-approved process, which means they could be quickly adopted into ANSI-approved standards should ASIS choose to do so. A complete list of ASIS International’s Commission on Guidelines resources can be found at: http://www.asisonline.org/guidelines/guidelines.htm.
Another relevant development with regard to ASIS guidelines relates to the development of the Regulations Implementing the Support of Anti-terrorism by Fostering Effective Technologies Act of 2002 (the SAFETY Act). These regulations appear in the Code of Federal Regulations (CFR), specifically 6 CFR Part 25. This law, a direct result of 9/11, provides benefits for which the ASIS Standards and Guidelines Program has received a designation award. Specifically, “the SAFETY Act designation limits ASIS’ liability for acts arising out of the use of the guidelines in connection with an act of terrorism and precludes claims of third-party damages against organizations using the guidelines as a means to prevent or limit the scope of terrorist acts.” (However, there is no protection against non-terrorist-related civil adjudication.) The fact that this law exists and that the ASIS guidelines hold this designation foreshadows the future of ASIS guidelines and standards.
Where are we going?
Security standards are not a bad thing and, in actuality, will probably provide oversight and requirements for organizations that otherwise would not have undertaken them. There is great potential for linking up current guidelines and future standards with the ISO 9001 process. Obviously, the development of security standards will be far more complex than traditional standards, but that does not mean it cannot be done.
It won’t be long until we will be rattling off names that have the same significance as the NFPA 101 Life Safety Code or the International Building Code (IBC), but related specifically and strictly to security. We might even be faced with the requirement of having someone who is board certified in security management, as a Certified Protection Professional (CPP), as part of ISO 9001 certification. Security standards will be developed through the greatest body of knowledge: the international community. Although this development will be based mostly on qualitative, intangible information, security standards will still be astute and provide minimum requirements.
About the Author
Sean Ahrens, CPP, CSC is a project manager for security consulting and design services with Schirmer Engineering. He has more than 16 years of experience in the security industry.