Physical Security Enhancement in Higher Institution

Transcription

1 Physical Security Enhancement in Higher Institution Siti Riniy Fariza binti Mohd Borham, Hafiza Abas, Azizul Azizan and Sya Azmeela Syariff a Advanced Informatics School, University Technology Malaysia, Jalan Sultan Yahya Petra, Kuala Lumpur, Malaysia. Abstract As we know, in higher institution, the physical security is important as the physical protection of assets, to safeguard personnel, students, faculty, and staff; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, natural disasters, vandalism, and theft. The aim of this project/research is to improve the current/existing best practice and security precaution within the Menara Razak building. This paper identifies the issues and security concerns of implementing access control and perimeter protection in UTM KL building and open space areas. This paper focuses on the lobby/ground floor of Menara Razak building, the parking lot area, and the main entrance guard in UTM KL. Information was gathered through online survey forms, interview and direct observation of the location. The analysis done in the current situation of access control and perimeter protection implementation in UTM KL suggest the solutions to improve the current/existing best practice and security precautions within the location. Keywords: Access Control; Perimeter Protection; Literature Review; Physical Security. 1. Introduction University Technology of Malaysia (UTM) is a leading innovation-driven entrepreneurial research university in engineering science and technology. It is located both in Kuala Lumpur, the capital city of Malaysia and Johor Bahru, which is a vibrant economic corridor in the south of Peninsular Malaysia. UTM Kuala Lumpur (UTM KL) is a graduate campus of University Technology of Malaysia (UTM), and is under the same corporate structure as its main campus in Johor Bahru, Johor. The current UTM KL which is located at Jalan Sultan Yahya Petra, Kuala Lumpur. Currently, there are more than 900 staffs in both academic and non-academic. The administrative and academic support for UTM KL is provided by the major administrative office buildings such as the Office of the Registrar, Bursary, Library, Office of Asset and Construction Management, Centre for Information & Communication Technology and Office of Corporate Affairs, Menara Razak and MJIIT (Malaysia-Japan International Institute of Technology). There are several centers of excellence in UTM KL which carry out research activities and offer some academic programs. * Corresponding Author. Address: srfariza2@live.utm.my 1

2 Security is the quality or state of being secure which means to be free from danger. Physical security is the most important since it is the first layer of security. Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. In higher institution, the physical security is important as the physical protection around those assets, such as to safeguard personnel, students, faculty, and staff; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, natural disasters, vandalism, and theft. Safe and secure campuses lead to better learning environments. They help attract and retain top faculty and administrators. To help create a safe and secure environment, UTM KL has already taken smart steps such as planning, and implementing physical security technology, including video surveillance cameras, physical access controls, and paging systems to secure the locations and valuable assets. In this paper, a study is conducted on the current issues in the physical security technology in UTM KL to describe the problem and suggest solutions. Therefore, there is a need to analyze the security issues and problems of the current implementation as well as other types of concern before giving recommendations. The aim of this project/research is to improve the current/existing best practice and security precaution within the Menara Razak building which consists of 17 floors. However, the scope of this research is focused on the lobby/ground floor of Menara Razak, the parking area, and the main entrance guard. 2. Literature Review In the context of IT security, physical security is about controlling access to facilities and it is also known as physical asset protection. The physical access control terms refer to the practice of restricting entrance to a property, a building, or a room to authorized persons [1]. Areas and entry points of the physical facility that are identified need different rules of access, or levels of security. These areas have concentric boundaries such as site perimeter and building perimeter or side-by-side boundaries such as visitor areas, offices and utility rooms. This design concept is a layered security and it is known as concentric circles of protection or defense in depth which is also part of the concepts included in Crime Prevention Through Environmental Design (CPTED) [2]. This security measure is to design three layers of security concepts which is the outer protective layer (e.g., natural or man-made barriers at property line. Barriers include walls, fences, doors, bollards, and gates), middle protective layer (e.g., exterior of building) and inner protective layer (e.g., doors within building) [2]. 2

3 Figure 1: Defense in Depth Security Map [2]. Physical access control can be achieved by a human operator (a guard, bouncer, or receptionist), through mechanical means such as locks and keys, or through technological means such as access control systems like the mantrap. Research done at Auburn University shows that the main function of access control is to offer a secure environment for students, faculty, staff and guests of the University [3]. Keys and card access were provided to all areas of the campus. Locks on doors and cores in locks were installed, and locks were repaired. Whereas on doors and buildings, card, proximity, and biometric readers were installed. Today, the many physical access control systems in use are incompatible with each other [4]. In a large organization which deals with physical and cyber infrastructure such as a leading telecommunications company or higher institutions, physical access control systems is a difficult task [5]. There are mainly four aspects that have raised complexities of managing physical access control systems [5]: Distributed geolocations of large number of buildings/zones; Different risk levels of buildings, which also have different levels of access control requirements; Different roles of the users who have access to buildings such as permanent employees and an outsourcing workers/visitors; and Constraints of time for accessing the building/areas. For instance, certain areas can be accessed during the day but they are locked during the night. In places like libraries, large organizations and Universities where people must have controlled and authorized access, the physical access control systems are becoming popular. Access control systems that integrate the latest authentication methods like RFID (Radio Frequency Identification) and biometrics have been developed. To control access, such systems required dedicated communication infrastructure, computer systems and specialized hardware [6]. 3

4 Physical Security Threats and Risks Literature shows that there are security threats and risks that need to be concerned and not overlooked. In the context of information security, a threat is an object, person, or other entity that represents a constant danger to the assets of the organization. There are three types of physical threats such as external physical threats, internal physical threats and human physical threats [7]. The external threats whereby some unauthorized people outside the organization who do not have access to the facilities. The unauthorized access is when the personnel/employees entering facilities during unusual hours or unauthorized employees walking through an open door behind an authorized employee (known as "piggybacking"). The examples of the external threats are: Natural events (e.g., floods, earthquakes, wind, hurricane, fire, and tornados); Other environmental conditions (e.g., extreme temperatures, high humidity, heavy rains, and lightning); Intentional acts of destruction (e.g., theft, vandalism, sabotage, espionage and arson); and Unintentionally destructive acts (e.g., spilled drinks, overloaded electrical outlets, and bad plumbing. Internal threats to physical security can come from current or former employees, contractors, and trusted business partners, including custodial staff and security guards. External and internal threats to facilities (and their staff) will continuously grow and so all procedures and technology should be kept under constant review [8]. The risks from these threats include unauthorized disclosure of information, disruption of service, loss of productivity, financial loss and legal implications. In an organization, generally and in higher institutions specifically, most of the security threats and risks are the result of insufficient and inappropriate access control. Hence, physical security controls should be implemented to prevent these threats from becoming reality. Poor access control can expose the organization to unauthorized access of data and programs, fraud, or the shutdown of computer services. One of the safeguards that can be used to prevent unauthorized access to an organization s sensitive or critical information and to minimize the impact to an organization from security breaches is a logical access control. The facilities building need to ensure that the boundary between public and private areas is secure and clearly signed [4]. Therefore, the physical security measures aim by creating a secure environment of the building and rooms to either prevent a direct attack on premises or reduce the potential damage and injuries that can be perpetrated should an incident occur [8]. 3. Methodology To explore the problems and issues within the Access Control (AC) implementation, both qualitative and quantitative approaches are suitable methods for this study. Information was gathered through survey forms (questionnaire) that have been distributed electronically 4

5 using Google forms to gather data relevant to the objectives and research questions. This online survey form allows for ease of distribution, cost efficiency, and reduces the occurrence of errors. Other approaches are through interview questions and direct observation of the location. Survey questions were developed based on literature review and a semi-structured interview is used to collect data from the key users of affected business units as well as guards. Respondents have been divided into three groups such as employee, security officer and student. The exploratory method of the literature review in physical security areas has also been done to explore scientific papers and resources about issues and challenges of implementing physical security perimeter and access control technology areas specifically in higher institutions. 4. Results In this section, several vulnerabilities of Physical Parameter (PP) and AC in UTM KL are analyzed to possibly detect and prevent an intrusion in the facility, where at the end of this study we will suggest the recommendation for physical security protection in UTM KL. Based on the online survey forms that had been filled up by the three (3) groups of respondents which are total of seventeen (17) respondents who completed the survey, there are a few issues or challenges in implementing the access control and perimeter protection in UTM KL. The survey responses were focusing on answering the research questions and objectives. Hence, this analysis is summarized based on research scope and findings that are divided into five (5) sections which are the physical security of the main lobby of Menara Razak, main entrance guard, open space parking area, security policy, and training and awareness. Table 1: The Scope Analysis of Physical Security Issues in UTM KL. No. Scope Issues/Vulnerabilities in MCO 1. Main Lobby of Access Control. There is no access card being implemented at the main lobby. Personnel can just enter the main door in the Menara Razak lobby area without having to touch or show the ID card. Employee or student ID was not frequently checked and is only checked manually by the guard on duty at the reception counter. Doors and Windows. Doors are only locked during the night. Intrusion Alarms. The alarm system is not linked to an outside service / police force. Surveillance System (CCTV). CCTV is only covered at the main lobby entrance door, but not at the external area of the lobby. The CCTV used is the static camera. 2. Main Entrance Guard of Fencing/Gates. It is made from metal. Intrusion Alarms. No alarm system at the main entrance guard. People and Vehicles Movement. The physical inspection was 5

6 No. Scope Issues/Vulnerabilities in MCO UTM KL not done to all vehicles whereby the car boot inspection was only done to certain vehicles. Security Guards. The weakness of the security guard, whereby guards did not check personnel ID. Surveillance System. The surveillance camera is not a motion detection camera, instead, it is a static camera. Hence, it does not cover all areas in the main entrance and no connection to an outside service or police force. 3. Open Space Parking Area 4. Information Security Policy 5. Training and Awareness Barrier. There is no barrier gate (boom barrier) or any other access control form while entering or exit the parking area. Segregated Parking. The student parking is not segregated from employee parking as well as visitor parking. Surveillance System. There is no video surveillance camera (CCTV) installed in the parking lots. Security Guards. There is no security guard duty in the parking area. Information Security Policy Not Updated. The policy and procedures are not updated and through observation, the existing security policy and procedures need a review and updates. Not all employee / student awareness about the security policy. Not all security officers received the properly certified training related to security. 5. Suggestion and Recommendation Based on the findings and results of perimeter and access control assessment, there is a need to improve the physical and environmental security in University Technology of Malaysia especially in areas as in Table 2. The recommendations are based on the research scope and findings that are divided into five (5) sections which are the physical security of the main lobby of Menara Razak, main entrance guard, open space parking area, security policy, and training and awareness. Table 2: Recommendation of PP and AC Enhancement in UTM KL 6

7 No. Scope Recommendation 1. Main Lobby of Physical Perimeter Security. It is recommended to implement CPTED that may help to enhance the AC and PP protection Menara Razak through environmental design. It can be accomplished by safeguarding the environment through natural surveillance or natural access control implementation. Natural forms of access control that can be implemented includes fences, low walls, benches, landscaping, gates and any barrier that is natural for the environment. Doors, Windows, Keys, Locks, and Security Devices. Mechanical forms of access control can be complemented to the natural access control such as organized forms such as security patrols and/or locks and alarms surrounding the area. Smart card security as a choice for securely controlling physical access to enter the Menara Razak building. The smart card for the physical access system (doors) can be used to easily authenticate a personnel s identity, define the correct level of access, and physically admit the cardholder to the building. The physical access device can be used, for example, the Gallagher Cardax Device. These devices are often used to control access to inner security areas and at facility entry and exits entrances. Physical Intrusion Detection/Surveillance Systems. The intrusion and detection system need to be improved using the effective alarm system and visualized surveillance. The motion detection camera for CCTV can resolve the monitoring issues which is can monitor and protect specific security critical area. The alarm system has to be integrated with the CCTV. An adequate external lighting will help to improve the abilities of CCTV systems if it is carefully designed and used. Effective CCTV systems may help to prevent a terrorist attack. If there is any intrusion incident, the good quality images can provide crucial evidence in court. 7

8 No. Scope Recommendation 2. Main Entrance Guard of Access Control System. The security concern that must be improved at the main entrance is on the AC of individual and vehicles. There is no effective access control implementation on UTM KL the physical entrance. Therefore, a security badge or pass system is recommended to be implemented to ensure that only authorized personnel enter, occupy, or leave a secure area, and to indicate limitations placed on access. For an effectiveness the AC, the card reader and coded credentials may be used to complement or replace badge checks as a means of access control. Then, it will be integrated with the Visitor Management System that can enhance the visitor access to the facility. Integrated Barrier System. It is suggested to implement an integrated barrier access system with sensors for authentication mechanism such as using an access card (smart card) or plate number recognition to detect any intrusion and to prevent an authorized access to the facility. By implementing this barrier system, the AC of the vehicle and visitor can be improved. To avoid the bottleneck of access at the main gate, there is a segregated boom gate between employee/student and visitor entrance Physical Intrusion Detection/Surveillance Systems. It is recommended to put a motion detection camera to get an effective image of the vehicle or personnel. It complements with the adequate lighting to illuminate all critical areas. 3. Open Space Parking Area Barrier Gate (Boom Gate). It is recommended to implement a barrier gate such as the installation of a boom gate to control access of vehicles in the parking area. Vehicle barrier is used to prevent penetration into security areas when such access cannot otherwise be controlled. To improve security, a boom gate with a smart card access authentication can be implemented. This can act as a second layer of access control. Physical Intrusion Detection/Surveillance Systems. It is also recommended to install a surveillance camera (CCTV) at the parking lots. With CCTV, it can deter a person with the intention of intruding, other criminal activities and provide valuable evidence to a case such as a car theft. But, CCTV is not complete without adequate lighting. Lighting Systems. It needs adequate lighting to illuminate all areas in the parking lots and provide a good quality image of the CCTV (Exterior lighting suitable for night guard surveillance). Segregated Parking/Far from Emergency Exit. To improve security, by implementing another safeguard such the parking 8

9 No. Scope Recommendation lots must be segregated between employees, students and visitors. To the greatest extent possible, the parking area should be inconveniently far from building emergency exits, therefore it is discouraging employees or students from using those exits as convenience accesses to their vehicles. 4. Information Security Policy 5. Training and Awareness Information Security Policy. The policy must be communicated to all employees and students clearly. Employees and students need to be exposed to a security policy by placing on the notice board and in the classroom as well as through or portal. The university needs to regularly update the policy as the technology and employee requirements change frequently. The security officers need to attend the certified training. We should also increase the awareness of safety through the awareness programs to let the employees and students realize the importance of physical security, and how to use the AC and PP technology in a correct manner. 6. Conclusion Through assessment of the current access control and perimeter protection implementation has been done through online survey forms, interview session, and direct observation. Our research suggested a comprehensive recommendation to resolve the security issues and concerns. The gathered information enables us to find the security concern and overcome it with suggestions and recommendations. Based on the recommendations, it can conclude that in the future, UTM KL can improve the security of perimeter by implementing the use of the integrated smart card physical access system. It is believed that a successful academic program cannot be guaranteed without a safe environment and each employee and student must be assured of an environment that is free from harm and satisfactory to teaching, learning and working. This research will help other researchers to understand the best practice that could be used to identify and analyze the security issues in physical security in UTM KL. It can be very helpful when assessing the suitable solutions/method that can be used to enhance the physical security implementation which will benefit UTM KL. 9

10 References [1] W. M. Fitzgerald, F. Turkmen, S. N. Foley, and B. O Sullivan, Anomaly analysis for Physical Access Control security configuration, 7th Int. Conf. Risks Secur. Internet Syst. Cris. 2012, [2] SecurityInfoWatch, Convergence and Layers of Security. [3] Auburn University, Access Control, [4] B. Alhalabi and C. Carryl, Universal physical access control system, Proc. - IEEE 14th Int. Conf. Bioinforma. Bioeng. BIBE 2014, pp , [5] E. Geepalla, B. Bordbar, and X. Du, Spatio-temporal Role Based Access Control for Physical Access Control Systems, 2013 Fourth Int. Conf. Emerg. Secur. Technol., pp , [6] I. Daradimos, K. Papadopoulos, I. Stavrakas, M. Kaitsa, T. Kontogiannis, and D. Triantis, A Physical Access Control System that utilizes existing networking and computer infrastructure, EUROCON Int. Conf. Comput. as a Tool, pp , [7] BestInternetSecurity.Net, Physical Threats and Security Control, [8] C. for the P. of N. Infrastructure, Physical security. [9] Z. J. Alach, Mapping the elements of physical security towards the creation of a holistic physical security model Master of Science ( Security Science ) at Edith Cowan University, no. May, [10] M. P. Coole, Physical Security Professional s Body of Knowledge : a cultural domain analysis of physical security s knowledge structure, no. May, [11] Carnegie Mellon University, Insider Threats and Physical Security of Organization, [12] H. Lin, M. Ross, and T. Mack, Design of a physical security perimeter fencing system, in 44th Annual 2010 IEEE International Carnahan Conference on Security Technology, 2010, pp