The Gap Analysis

If you have a need to increase your school district’s electronic security program, a Gap Analysis is a great place to start. Actually, a Gap Analysis is prudent for any of your security programs, but for today we will stick with the Physical Security Gap Analysis.

As you may already be aware, there are various types of Gap Analysis practices. The one most often used and the one most universally understood is a business or finance gap analysis. The purpose of this type of analysis is essentially to determine the gap between where a company is and where they would eventually like to be.

When speaking of physical security, though, I like the DoD military planning definition of the term. Within the DoD scope of analysis, the focus is on capabilities. The context in which I use the term “capabilities” for the sake of this discussion relates to “a school district’s capabilities to deter crime through physical security measures”.

The Capabilities-based Gap Analysis, in my view, starts with a discovery phase in which the overall security policies and goals of the school district are discussed, a community risk evaluation has been determined, and a physical audit has been conducted during which vulnerabilities are unveiled and determined through accepted benchmark practices. The vulnerabilities are documented for the purpose of later reporting.

You may be thinking at this point that your physical security program is impenetrable and that you’ve covered every base. Think again. As long as there exists a human will and desire to gain access, you must remain vigilant. Beyond that point (and this is true for your IT Managed Security as well), methods for penetrating vulnerabilities in areas that were not so long ago invulnerable are always evolving and improving.

As I stated in an earlier post, there are a number of low-cost and no-cost things that you can do to help in mitigating vulnerabilities, but those measures should never be considered as an alternative to a strong physical security program or to the policies that underwrite such a program.

Remember as well that humans play a role in the implementation and management of the security system and that a hidden vulnerability may lie in a process or in the execution of a process and not just in the original schema design or installation.

I had mentioned earlier that a Capabilities-based Gap Analysis begins with a discovery stage and moves into a reporting stage. The reporting stage is critical because it puts into layman’s terms exactly where a vulnerability exists, what causes it, and what impact it may have on the safety and security of the school district, and it concludes with recommendations for next steps.

Overall, a physical security gap analysis is painless, typically low cost, and not as invasive as you may think. It is also almost always an extremely enlightening snapshot of the vulnerabilities and liabilities that currently exist and how to fortify them.



Pull the Door on the Right!

The expression “Pull the Door on the Right” is one that I typically hate to hear, at least when I’m auditing a school and have been asked absolutely no qualifying questions. I mean, what good is it to go through the expense of putting in expensive door locking hardware, an intercom system and access control if there is no enforced policy on controlling the access?

A few simple qualifying questions can indicate a great deal to the building’s designated gatekeeper, who will be responsible for entry: How can I help you? May I ask who you are here to see? Can you please state the purpose of your visit?…

In the time that it takes to ask the above questions, only thirty to sixty seconds of the gatekeeper’s time has been invested, but more often than not essential intelligence has been gained. The gatekeeper may be able to detect nervousness or mental instability or some other desperate response. The response may even be violent. In any of these cases, someone with an administrative or intervention authority may be alerted.

Now of course 9 times out of 10 the response will be what was hoped for, the individual will be permitted entry and the intended business can be transacted. It’s the event where a distraught non-custodial parent or a recently fired employee who is focused on nothing good (the reason that policy must be enforced even with people who are clearly recognized) is allowed unfettered entry that we are attempting to prevent.

The above are recommendations in mitigation. By no means should you construe from what I say here that correcting a gatekeeper’s decision process toward greater vigilance will be an end-all solution to hostile visitor entry (a cunning person may be able to mask their disturbance). The recommendations are merely policy starting points in discouraging unwanted visitors.

Front office personnel and other “gatekeepers” should be made to understand the responsibility that they have to every individual within their school community as the administrators of the first bastion of security in keeping their school building safe and secure.