LEA 202

INTRODUCTION
TO INDUSTRIAL SECURITY
CONCEPT

PART TWO:
CATEGORIES OF SECURITY

CHAPTER 4:
PHYSICAL SECURITY

CHAPTER 5:
PERSONNEL SECURITY

CHAPTER 6:
DOCUMENT AND INFORMATION SECURITY
 CHAPTER 4
PHYSICAL SECURITY

Learning objectives:
At the end of this chapter, the student is expected to:
• Define physical security;
• Explain the purposes and advantages of physical barriers;
• Explain the three lines of defense and enumerate examples;
• Illustrate protective alarm sensors; and
• Characterize protective lighting and enumerate examples.

Discussion:
Physical security refers to a logical set of tangible elements and measures adopted to prevent
unauthorized access to equipment, facilities materials, documents and personnel. The objective is
protect these assets from damage, compromise and loss. In short, it is system of barriers placed
between the potential intruder and the objective to be protected. For example, a fence can slow
down an intruder sensor can send alarms, and protective lighting can make the intruder visible to
patrolling security personnel.
There is a wide variety of factor to consider in ensuring physical security. Measure include
safeguards such as lightning, fences and lock key system, personal identification and visitor
control. Other factors to consider may refer to the nature of a target or the asset being protected.
It could be a physical object like a very expensive jewelry, a non-physical object like the formula
for San Miguel Beer, a human object like a chief justice or a group of high profile tourist
vacationing in Boracay, or even a structure like the Malacañang Palace.
Principles of Physical Security
In considering the appropriate security measures, the following principles should be considered.
1. The type of access necessary depends on the numbers of variable factors, thus, may be
obtained in different ways.
2. There is no such thing as an impenetrable barrier.
3. The installation of a barrier varies from another.
4. There is defense in barrier depth.
Factors in Selecting Security Safeguards
The following are factors that should be considered in determining the physical security needs of
a facility (Fay, 2006).
1. Site Characteristic
Selection of safeguard can be influenced by the nature of the site such as the size,
layout, utilities, internal activities and assets in the site. Other factors may include company
philosophy and work force culture.
2. Environment
This refers to the area surrounding the facility. A bank inside a large commercial
complex in Makati City will require safeguards different from those required for an
exclusive beach resort in an island in Cebu or a factory of fireworks in an isolated area in
Bulacan. For example, the bank may opt for electronic locks and sensors, the resort may
require a specially secured boat access, and the fireworks factory may go with a perimeter
fence.

3. Forces of Nature
Also at play in the selection of safeguards are the environment’s climate, weather, and
natural forces. Certain detection sensor devices may not work well in extreme temperatures
and are vulnerable to floods and earthquake.

4. Crime
Crime patterns must be considered in selecting the necessary countermeasures.
Decisions should be preceded by a risk assessment that includes a study on the nature,
intensity, and repetitiveness of criminal acts that have occurred in or near the facility
during the recent past.

Terrorism is also an important factor for certain facilities that may be considered targets
of terrorist groups such as airports, tourist destinations, research laboratories and
government buildings.

Physical Barriers
A barrier is a natural or manufactured obstacle to the movement of persons, animals, vehicles or
materials. It defines physical limits to and delays or prevents penetration of an area (POA
Publishing LLC, 2003).
It is impossible to build a barrier that cannot be compromised. A clever and determined intruder
with plenty of time, money and imagination can quite possibly penetrate any structural barrier.
Hence, intelligently designing layers of barriers is considered an effective measure to ensure
physical security. The idea is to cause as much delay as possible by designing a series of layers,
or concentric circles, so that highly protected assets are within a configuration of multiple
barriers.
A concentric protection of a high-security facility allows for several rings of barriers, as
explained by John J. Fay in his book Contemporary Security Management:

"...The overall security scheme features several rings of security that in the abstract look like a
shooting target. The outermost ring, which is at or on the far edge of the perimeter, might be a
clear zone in which the approach of an intruder or intruder force can be seen by human and/or
electronic means. The next ring might be a wall or fence, and then another wall or fence.
Supplementing the walls or fences might be guard posts, patrols, detection sensors, CCTV
cameras, and security lighting. The next ring might be sentry-protected and electronically
controlled doors to a building or a complex of buildings. Within the building might be another
ring of security another ring within the exclusion areas might consist consisting of access-
controlled exclusion areas, and yet another ring within the exclusion areas might consist of safes,
vaults, and similar containers, inside of which might be motion-detection devices. The theory
operates on the simple premise that an attempted intrusion will have a lesser chance of success
when multiple layers of protection stand in the way." (Fay, 2006)

Advantages of Physical Barriers

1. Physical barriers become a psychological deterrence when a potential intruder is

discouraged from accessing a facility because the barriers appear to present difficulties.

2. Actual difficulty in getting through physical barriers.

3. Reducing the cost of security staffing by substituting barriers for people, and placing
security posts in locations that complement barriers

Purpose of Physical Barriers

1. To control the movement of people and vehicles into, out of, and within the facility

2. To segregate or compartmentalize sensitive areas

3. To provide physical protection to objects, materials, and processes of critical nature

General Types of Physical Barriers

1. Natural Barriers include bodies of water, mountains, marshes, ravines, deserts or

other terrain that are difficult to cross.
 2. Structural Barriers are man-made barriers such as fences, walls, floors, roofs, grills,
bars, roadblocks or other physical means. A structural barrier physically and
psychologically deters or discourages the undetermined, delays the determined and
channels the flow of authorized traffic through entrances.

Other Types of Physical Barriers

1. Human Barriers

The guard force as a human barrier is the key element in any security system. Without it,
all other protective devices - mechanical, electrical or electronic-would be useless. The
electric device may sound the alarm, the CCTV may spot the culprit, or the micro-
computer may trigger a red button as a sign of intrusion, but it is the guard who will
respond and initiate the needed security action.

2. Animal Barriers

The most common of animal barriers are dogs known as the K-9 team. The number of
dogs to be used relies on the size and kind of installation being secured. The most popular
breed is the German shepherd. If trained correctly, the K-9 can detect even hidden drugs
and firearms, thus, their prevalent use in sensitive entrances like airports, malls and
public transport such as the MRT.

Among rural residences, another effective animal barrier is the goose barrier. It is
common knowledge that geese are not as ferocious as dogs, but they can easily call the
attention of their owners at the first sign of a would-be intruder through their loud hissing
sound.

First Line of Defense: The Perimeter Barrier

The usual starting point in assessing risk at a facility is the perimeter. The major purpose
of the use of perimeter as barrier is to deny access or exit of unauthorized persons.

Purpose of the Perimeter Barrier

• To define the boundary of the property to be secured
• To create a physical and psychological deterrent to unauthorized entry
• To delay intrusion, thus facilitating the apprehension of intruders
 • To assist in a more efficient and economical employment of guard
• To facilitate and improve the control of pedestrian and vehicular traffic

Types of Perimeter Barriers

1. Wire Fences (Solid or Full-View)

1.1 Chain Link Fence

• Must be constructed of 7-foot material excluding top guard.

• Must be of 9-gauge or heavier
• Mesh openings are not to be larger than 2 inches per side
• Should be a twisted and barbed selvage at top and bottom
• Must be securely fastened to rigid metal or reinforced concrete
• Must be reached within 2 inches of hard ground or paving
• On soft ground, must reach below surface deep enough to compensate for shifting
soil or sand

1.2 Barbed Wire Fence

• Standard barbed wire is twisted, double-strand, 12 gauge wire with 4-point barbs
spaced at an equal distance apart
• Must be less than seven feet high, excluding top guard
• Must be firmly affixed to post not more than six feet apart
• The distance between strands must not exceed 6 inches and at least one wire will
be interlaced vertically and midway between posts.

1.3 Concertina Wire Fence

• Standard concertina barbed wire is a commercially manufactured wire coil of high

strength steel barbed wire clipped together at intervals to form a cylinder.
• Opened concertina wire is 50 feet long and 3 feet in diameter
 1.4 The Top Guard

• A top guard is an overhead of barbed wire along the top of the fence, facing
outward and upward at approximately 45-degree angle.
• Top guard supporting arms will be permanently affixed to the top of the fence
posts to increase the overall height of the fence at least one foot.
• Three strands of barbed wire, spaced 6 inches apart must be installed on the
supporting arms.
1.5 Clear Zones
• A clear zone of 20 feet or more should exist between the perimeter barrier
and exterior structure, parking areas and natural or man-made features.
• A clear zone of 50 feet or more should exist between the perimeter barrier
and structures within the protected areas except when a building wall
constitutes part of the perimeter barrier.

2. Building Walls
Walls, floors roofs or their combinations serve also as barriers and must be of such construction
to provide uniform protection just like the wire fencing.
Masonry walls' height must be the same that of the chain link and surmounted by the barbed wire
top guard, if the height of the masonry is less than the prescribed, additional chain link as
"topping" is placed to attain the minimum requirements. Walls can be made of stone slabs the
post at regular intervals to prevent the wall from collapsing.

3. Bodies of Water
Bodies of water like river, lakes, marsh, ponds or other bodies of water forming part of the wall,
building or fencing should never be considered adequate natural perimeter barrier, Additional
security measure like wire fence, concrete walling, security patrolling and floodlighting at night
maybe necessary for the portion of the perimeter.

Second Line of Defense: Building Exteriors

Building surfaces such as walls, ceilings, floors and roofs are not constructed primarily as
security barriers, but they have the potential to deter penetration. The following is a list of
building exteriors and their construction and vulnerability, as discussed in the Asset Protection
and Security Management Handbook (POA Publishing LLC, 2003).
Roofs
The roof usually has sheathing placed over the rafters, often horizontal wooden boards placed
flush on the rafters. Sheathing may be covered with felt or other insulating material, and
foundation these layers covered with shingles, metal sheet, tar paper, tile or other weather-
resistant material.
Exterior Walls
Exterior walls may be similarly constructed, with sheathing placed diagonally on vertical studs
and covered with sheathing paper. This is usually topped with an exterior material such as stucco
or siding compose of overlapping horizontal boards or vinyl siding. Exterior surfaces of
buildings constructed of such materials as brick, concrete block, stone block, cinder block or
reinforced concrete offer greater resistance to penetration than those made of wood.

Concrete Structures
An ordinary concrete building wall, because of its rugged and formidable appearance, may give
the impression that it offers good protection against penetration, but may not. Standard poured
concrete or concrete block walls are utilized to support structural loads, or are used as curtain
walls to enclose spaces between load - bearing walls, but are not normally designed to prevent or
delay penetration. Concrete walls that are six inches or less in thickness are vulnerable to
penetration with hand tools and small amounts of explosives. For example , bolt cutters can be
used to cut the small - size reinforcing bars ( rebar ) usually number four or less sometimes used
in four - inch - thick concrete walls . Four - inch concrete walls are not load bearing , are used
principally to curtain spaces between columns , and offer little protection against even moderate
force .
Eight - inch - thick, reinforced concrete walls are found in all types of structures. They are load
bearing and cannot easily be penetrated with hand tools alone. However, small amounts of
explosive, supplemented by hand tools can quickly penetrate them. Walls thicker than eight
inches are usually found in vault construction.
Standard concrete block walls, without reinforcing material, are easily penetrated with hand
tools, power tools or explosives. The strength of these walls can be increased materially by
filling the hollow cores with concrete or by installing rebar.

Floors
Wooden floors normally have flush sheathing covering the joists diagonally. This surface may
then be covered with building paper and flooring such as tile, cork, rubber, linoleum or wood.
Floors may also be constructed of poured concrete, which may be reinforced with steel rods. A
concrete floor may be used without any covering or may be covered with wood, tile, linoleum or
carpet. The floor may be a concrete slab poured directly onto the ground, or it may be on a
foundation, raising it above the ground and leaving a space underneath for an intruder to
penetrate the floor surface.

Interior Walls
Interior walls and ceilings may be constructed of lath and plaster. However, prefabricated sheets
and panels of material such as plasterboard have become, in recent years, a popular method of
interior wall and ceiling construction. The joining edges of the material are sealed with paper or
fabric tape and are then sealed with a plaster covering. After installation, surfaces constructed of
such material resemble plaster. Plywood or other types of wooden paneling may also be used and
are usually attached to the studs or rafters. The vertical joining edges may be covered by narrow
wooden strips.

Ceilings
Ceilings may be covered with acoustic or decorative tile. It is a common modern building
technique to construct ceiling plenums that do not have security barriers between rooms and
areas. As a result, an intruder who can gain access to the plenum space can work from there to
achieve access to rooms or spaces below.

Doorways
Doorways, including the frame, jambs and stops, are constructed of either wood or metal.
Doorways are of two general applications: personnel and vehicular.
Personnel doorways, in both outer and inner building walls, may be single or double. They are
usually fastened by hinges to the door jamb on one side and equipped with a latch and perhaps a
lock on the other side. Sliding doors and folding doors may also be used. Folding personnel
doors are ordinarily installed in the interior of a building and are often intended to deny visual
rather than physical access.
Vehicular doorways may also serve as entrances and exits for personnel. Double doors are often
used because of the size of the openings. They may be hinged on the outside on jamb edges and
secured with a locking device where the inner edges of the doors meet in the center. Sliding or
rolling doors, single or double, may also be used. They may move horizontally or vertically on
tracks or rollers. Folding doors that fold in hinged sections are another option. Regardless of the
design or the size, doors have weaknesses.
A door is often much weaker than the surface into which it is set. Sometimes, the door is hollow
core, or constructed of comparatively thin wooden or glass panels between the rails and stiles,
and the panels may be easy to remove.
The door frame may also be a weak spot if it is not properly installed. If the frame is wood, it is
usually installed by nailing the doorjamb to the wall studs, after which the doorstop is nailed to
the jamb. If this installation is not correctly done, the piece-by-piece construction may allow thin
shims or levers to be inserted so that the lock bolt can be disengaged. In addition, most doors are
installed by a carpenter, not a locksmith. Carpenters are generally more concerned with the
swing of the door rather than the effective function of the locking mechanism. An all-metal door
does not cause such a problem if properly installed. However, the door frame must be of
sufficient strength that it will not allow the door to be pried out of the frame or allow the bolt in
the lock to be released.
If not correctly installed, hinges may contribute to the weakness of a door. For example, if hinges
are surface mounted so the mounting screws or hinge pins are exposed on the exterior surface of
the area being protected, intruders can quickly remove the screws or pins and gain entrance by
opening the door from the hinged side and replace the door as they leave. There would be no
evidence of penetration if the removal and replacement were done carefully. Hinges should be
installed so that the screws are concealed and the hinge pins are on the interior. The hinge pins
can also be welded or flanged to prevent removal. Surface-mounted hinges are sometimes
installed with bolts extending through the door. Removal of these bolts is possible even from the
bolt head side if sufficient pull is exerted. The threaded end of the bolt can be peened to
eliminate this hazard.

Windows
Windows are designed to provide ventilation, natural illumination or visual access through a
wall, or any combination of the three. Most windows are equipped with clear glass and can often
be opened to provide access. Other windows, in areas where it is necessary to deny visual access,
are glazed with frosted, pebbled or other opaque or translucent glass. Picture windows or those
installed in air conditioned buildings are permanently fixed in place. While they allow
illumination and visual access, they do not open to provide ventilation.
The weakest area in a window is usually the glass. An intruder can easily cut out a section with a
glass cutter, or the glass may be covered with tape so it can be broken without the broken pieces
falling and causing noise. Because of the innate vulnerability of glass to penetration, two
products have been developed to discourage forcible entry. One type, a polycarbonate, is
constructed of plastic material, while the other has a special plastic laminate sandwiched between
two pieces of glass. Both products are highly resistant to impact and give the appearance of
ordinary glass. However, the laminated glass is about twice the cost of tempered glass; the
plastic is a bit less costly than the laminated.
If they are not strengthened, standard windows may be the weak link in the barrier protection in a
structure. Because most standard windows can be penetrated with hand tools in less than a
minute, additional protection, such as protective coverings, grills or mesh, may be required for
proper protection.

Other Openings
In addition to doors and windows, a wide variety of other openings in the roof, walls and floor
may require consideration. These include openings for shafts, vents, ducts or fans; utility tunnels
or chases for heat, gas, water, electric power and telephone; sewers and other types of drains; and
other small service openings.
Various techniques and material can be used to give added protection to surface openings.
Expanded metal, wire fabric and fencing may be utilized. Steel bars or grills may be used to
protect glass-paneled windows or doors. Such bars should be spaced no more than five inches
apart. If they are round, their diameter should be at least 1/2 inch; if they are made of flat steel,
they should be at least 1x 1/4 inch in size. Steel grills that have 1/8 x 2-inch mesh offer good
protection. Both bars and grills must be securely fastened so they cannot be pried loose; and if
possible, they should be installed on the interior surface.
If a door needs to be strengthened, it can be covered on the inside with 16-gauge sheet steel,
attached with screws. Sound-reducing baffles can be installed in ducts to protect a room or area
from unauthorized listening. Wire mesh, expanded metal or metal grills can be used to secure
chases and tunnels, locked in place to permit removal, if necessary.

Third Line of Defense: Interior Controls

Establishing interior controls not only maximizes the efforts of security guards. Such measures
also allow or deny access to facilities or areas within the facility, as well as track the identity and
times of entry and exit.
There are a variety of techniques to control access to the interiors of a high-security facility.
These may include identification systems, call boxes, paging and recall systems, or even the
more sophisticated coded card system access. Other examples are enumerated below.
Locks
Installing locks on doors is the easiest line of defense inside a facility. It is the simplest way to
impose a physical restraint as well as grant entry. It is the most widely used physical security
device, yet it is hardly foolproof. However, locks can also be vulnerable to physical force. A key-
operated lock can be picked, or its keys can be duplicated illegitimately. Below are factors to
consider in using locks (Vellani, 2007).
1. Locks are only as good as the door, jambs, and walls around them. A lock is therefore useless
if an intruder can simply kick a weak door to access a facility.
2. Key management is important when dealing with a complete lock system. It is important to
make sure that only authorized personnel can obtain or make a key to the lock.
3. All locks can be compromised by an expert in a very short period of time. It is therefore wise
to use locks together with other security measures and as part of an overall physical protection
system.

Telephone Entry Systems

Telephone entry systems are commonly used in apartment buildings and condominiums. They
are typically located outside the building, with a panel, handset and touchpad. Each tenant has a
special entry code that a visitor dials. The tenant may then release the door lock by pressing a
designated key on the residence phone. For added security, some systems add a CCTV camera in
the entry lobby with small monitors provided to each occupant (POA Publishing LLC. 2003).

Identification Systems
Controlled entry into a business facility usually begins with identification of the person entering.
The identity of employees or visitors can be determined through the following types of
identification verification and access control.
1. Guards can personally recognize or inspect the identification of employees or visitors, and
then formulate a judgment of that person's validity.
2. Card reader systems can compare the coded identification cards with computer records for
authorized personnel verification.
3. Biometric readers can use a person's physical property (such as retinal pattern or fingerprint)
to gain entry.

Protective Alarm Sensors

Different types of protective alarms installed indoors or outdoors complement and supplement
physical barriers. These systems are designed to alert security personnel to completed or
attempted intrusion into an area, building or compound.

Types of protective alarm systems include local alarm system, auxiliary system, central station
system and proprietary system. These can serve the purpose of either substituting other security
measures for economic reasons or supplement these security measures to provide additional
controls.
Sensors can detect when an intruder penetrates the facility's boundary. It can also "sense
unexplained presence within zone or in close proximity to a protected object. When the intrusion
is detected the sensors are calibrated to activate and causes an alarm sounded or a signal to be
sent to a monitoring station of protected facility (Fay, 2006)

Sensors can perform three main functions. They can detect intruders such as when it reacts to
intruder's motion, sound or body heat. They can also open a portal, such as when it validates the
inputted card key to open a door. Finally, a sensor can turn on a device, such as when it reacts to
movement and automatically turns in security lights.
Sensors are more economical compared to the cost of labor. They are accurate and reliable when
properly installed, calibrated and serviced. However, the reliability of detection depends on
several factors such as an intruder's size, speed strength and direction of movement and distance
to the sensor. The intruder who uses very slow and stealthy movement in the right direction will
make it difficult for the sensor to detect his presence.

Protective Lighting
Protective lighting is designed to illuminate the perimeter barrier and the outside approaches of
an area. A threat cannot be detected, either by camera or in person, if there is no light. Lighting
can also serve as deterrence since a threat is more likely to attack an asset relative darkness than
in bright light.

Purpose of Protective Lighting

• To provide sufficient illumination to an area during hours of darkness
• To improve visibility in order to easily spot, identify and even apprehend intruders
• To present psychological fear
• To serve as deterrent to thieves, pilferer, trespasser and saboteurs
General Characteristics of Protective Lighting
• It is relatively inexpensive to maintain
• It may provide personal protection for security forces by reducing the elemen of surprise
by the intruder
• It may reduce the need for security forces
• It requires less intensity than working light

Types of Protective Lighting

1. The stationary luminary is the most common type consisting of a series of fixed
luminaries.
• The glare projection type produces bright white light with its intensity focused on the
intruder who is made highly visible but unable to easily see what lies ahead. Glare
lighting also adds protection to security officers posted behind the light source.
• Controlled lighting is focused on certain objects than the background.

2. The standby lighting provides continuous illumination of a protected area during the
hours of darkness, but it can be turned on manually or by special device or other
automatic means.
3. Movable lighting can be stationary or portable and consists of manually operated
searchlights. It may be lighted continuously during hours of darkness or only as needed.
It can supplement or temporarily replace other types of security lighting.
4. Emergency lighting is a standby lighting that can be utilized in the event of electric
failure, either due to local equipment or commercial power failure. The power source of
emergency lighting is usually a backup generator or an arrangement of batteries. Lamps
mounted in a stairwell that automatically light up during a fire fall into the emergency
lighting categories
 CHAPTER 5
PERSONNEL SECURITY

Learning objectives:
At the end of this chapter, the student will be able to:
• Explain personnel security;
• Enumerate the checks included in pre-employment screening;
• Enumerate pre-employment screening measures;
• Enumerate the purpose and explain the importance of ongoing personnel security;
and
• Enumerate ongoing personnel security measures;
• Explain exit procedures.

Discussion:
Among the major threats confronting an organization are employee crime and employee
misconduct. In fact, internal theft surpasses the losses that can be attributed to robberies, theft,
frauds and other criminal acts committed by outsiders. At the same time, both substandard job
performance and inappropriate behavior of employees can result in potentially devastating
lawsuits and loss of business.
It is the employer's duty to maintain a safe and secure working environment. Employers conduct
pre-employment background checks of job applicants in order to protect existing workers,
guests, and the public from the harmful acts of employees. Harmful acts committed by
prospective employees cover a wide number of criminal acts, such as the rape, assault, and drug
dealing, as well as safety violations that injure and kill. Job applicants with a potential to commit
harmful acts can be filtered out of the hiring process through pre-employment investigations.
An employee with legitimate access to corporate systems also potential to wreck the
organization's reputation by simply using a USB memory stick or a webmail account to steal
confidential information. Personal security measures can prevent such kinds of employees from
exploiting their legitimate access to company for unauthorized purposes. Those who seek to
exploit their legitimate access are termed "insiders. They can execute several forms of criminal
activity, from minor theft to terrorism. Company polices procedures should be put in place to try
to minimize the risk.
Employees who may exploit their legitimate access for unauthorized purposes may include
rebellious individuals, members of activist groups, journalists, competitors, those with links to
organized crime or even those involved in terrorism. Through effective personnel security
measures, the organization will be better able to employ reliable people, minimize the chances of
staff becoming unreliable, and detect suspicious behavior and resolve security concerns once
they emerge.
Many organizations use security measures solely in the recruitment process, but personnel
security should be maintain throughout the time of employment. Although it is the management
and the human resource personnel who are tasked to oversee the enforcement of proper
employee behavior, security personnel have an important role in developing the necessary
policies, standards guidelines and procedures. They should also assist in developing training
programs that will help the organization handle situations in case security incidents occur.
The Centre for the Protection of National Infrastructure (CPNI) is a government agency that
protects the United Kingdom's national security by providing protective security advice. It has
published guides on Pre-Employment Screening (CPNI, 2011) and Ongoing Personnel Security
(CPNI, 2010) to assist UK-based companies in personnel security management. These guides
will be used here and adopted to the Philippine setting to discuss key elements on personnel
security.

Purpose of Personnel Security:

• To identify security measures in proportion to the risk
• To reduce the risk of employing personnel likely to present a security concern
• To establish that applicants and contractors are who they claim to be
• To close down opportunities for abuse of the organization's assets

Pre-Employment Screening
Personnel security measures are usually undertaken during the recruitment process. This is
because companies believe that it is better to spot a dangerous or dishonest individuals before
they are hired. This means that the human resource department should not simply trust the
correctness of information written in a very impressive resume. Hence, proper background
employment screening on job applicants must be carried out.
Apparently, companies in financial services have long been carrying out such background checks
and only recently have other industries followed. Such an interest could be attributed to the rising
instances of applicants who lie on their job applications (Condon, 2010).Many of these lies might
be considered trivial, such as exaggerating the responsibilities of a job role, or making
educational qualifications look more impressive. Nevertheless, these small lies are suspicious
enough when evaluating the character of a prospective employee who will be handling high
security functions if hired.
Through pre-employment screening the credentials of job applicants and their preconditions for
employment are verified. These checks should establish whether the applicant has concealed
important information or otherwise misrepresented himself. The objective is to collect
information and use that information to identify individuals who present security concerns.

The pre-employment screening should include checks on the following:

• Proof of identity and address
• Details of education and employment
• Criminal records check
• Financial check
• Checking of at least two character references

Pre-employment Screening Policy Checklist (CPNI, 2011)

1. Make pre-employment screening an integral part of the recruitment process.

2. Ensure that applicants are informed in writing that any offer of employment will be subject to
the satisfactory completion of pre-employment screening checks, whether or not the individual
has already been granted access to the site recruitment process.
3. Ensure that the screening processes are legally compliant at all stages (including the wording
of application forms).
4. Involve all the relevant departments in the organization, and ensure they communicate and
share data effectively.
5. Identify the specific office responsible for the pre-employment screening process.
6. Incorporate specialist businesses into your strategy if appropriate.
7. Ensure that the application form requests all relevant information, including consent for
further checks, and outlines your screening policies.
8. Establish decision making guidelines for consistent and transparent judgments about
information.
9. Have a clear understanding of the thresholds for denying someone employment. 10. Be clear
about how fake or forged documents will be dealt with.
11. Collect data on the results of the pre-employment screening process (e.g. incidence of false
qualifications or criminal record).

Application Form
Using a standardized application form to be completed by job applicants requires them to
provide all relevant information and confirm its correctness with a signature. The form should
include 4 provision that pre-employment screening will be carried out. By signing the form, the
applicant provides consent for background checks to be undertaken. It should also include a clear
statement that lies or omissions are grounds to terminate the hiring process or employment even
if it is discovered when the applicant is already hired. Such statements in the standardized
application form not only protect the organization legally; they also serve as deterrent to the
applicant signing the document.

Interviews
The job interview portion of the application also helps in the screening process because it
provides an opportunity to discuss the candidate's suitability for employment. This interview is
important because:
• A face to face discussion encourages applicants to be honest.
• It allows the employer to clarify information in the application form, ask for other
information not covered in the application form, and probe candidates about their
responses.
• It also provides a good opportunity to add to the overall assessment of the applicant's
reliability and integrity.

Identity Verification
Verifying the applicant's identity is a critical measure in the screening process. In fact, other
measures in the screening process should only come second after the applicant's identity has
been satisfactorily proven. The key is to verify that the individual is not committing fraud by
using false identities.
There are four main reasons why individuals use false identities:
• To avoid detection - Individuals like crooks, terrorists or wanted criminals may wish to
remain anonymous or undetected.
 • For dishonest financial gain - This involves individuals who have ill intentions to commit
credit fraud or unqualified applicants who falsify educational qualifications to obtain
employment.
• To avoid financial liability - "This includes individuals who have failed to pay debts and
are avoiding financial liabilities.
• To legally obtain genuine documents such as passports by using false 'breeder' documents
(i.e. those documents required to obtain passports, such as birth certificates which can
have few or no security features).

These reasons show how some individuals will claim false qualifications in their resumes and
application forms, possibly to get unauthorized access into an organization's assets. These also
highlight the need to authenticate documents submitted by the applicant and verify the
information provided.
The purpose of verifying identity is to ascertain the correctness of the information they have
given about themselves by:
• Determining that the identity is genuine and relates to a real person.
• Establishing that the individual owns and is rightfully using that identity.

One method of verifying identity, which is called the paper-based approach, involves requesting
original documents such as those that corroborate the applicant's full name, signature, date of
birth and full permanent address. Ideally, such documents should possess the following
characteristics:
• Issued by a trustworthy and reliable source
• Difficult to forge
• Dated and current
• Contains the owner's name, photograph and signature
• Requires evidence of identity before being issued

A second method called the electronic approach involves checking the applicant's personal
details against external databases. This method requires checking and cross-referencing
information from databases such as criminal records or credit reference agencies. By searching
for records associated with the name, date of birth and address provided, it is possible to build a
picture of that individual's past and current life. Tracking such history indicates that the identity
is more likely to be genuine. On the other hand, if searches result in a history that lacks detail or
depth, it is possible that the identity is false.
When such database checks are able to confirm that the identity does exist, it would also be
necessary to test whether the individual truly owns this identity by asking questions that could
corroborate information about the identity. Testing the individual's knowledge of the identity is
as important as establishing that the identity exists to prevent the hiring of an applicant who
simply stole the identity of someone who is actually qualified to perform an important position in
the organization.

Qualification and Employment Checks

A qualification check involves the verification of information regarding educational or
professional qualifications, while an employment check involve the verification of the applicant's
employment history in terms of dates of employment and position. The purpose of such
confirmations on the applicant's qualifications and previous employment is to help the employer
in evaluating the candidate's reliability and integrity. It also helps to discover whether applicants
are hiding negative information such as a criminal record or dismissal from previous
employment for suspicious reasons.
The qualification check should confirm the following information:
• The establishment attended
• Course dates
• Title of the course
• Grades/marks awarded

The employment check should verify the following information:

• Dates of employment
• Positions held
• Duties
• Salary
• Reason for leaving
• Any employment gaps

Media Searches
Media searches involve the evaluation of an individual based on their online reputation. It
includes searching for what they say or what others say about them on the internet. This could be
a useful tool if the position to be filled up involves access to sensitive material that the applicant
might compromise. For example, if the position requires working closely with several TV and
movie personalities, it would not be ideal to hire an individual who enjoys heavy gossiping in
social media sites.
Media searches can also help verify identity, confirm or resolve concerns about suspicious
behavior, or establish how security aware the applicant is. An individual who posts photos of
drunkenness in parties and allows public viewing of such photos could indicate poor judgment,
especially if the position being applied for involves working in a religious foundation or a
prominent conservative politician. Potential conflicts of interest may also be identified, such as
being personally related to the owner of a competing business.
There are risks, however, in using media searches. Employers might obtain information about
someone with the same name as the applicant. It is also possible that the positive information
available online were staged by the applicant in order to appear qualified. Third party views or
opinions about the applicant are also not completely reliable, especially if these cannot be
verified to be true.

Ongoing Personnel Security during Employment

Personnel security is a system of policies and procedures that manages the risk of staff or
contractors exploiting legitimate access to an organization's assets or premises for unauthorized
purposes. It is important to distinguish between this and personal security, which seeks to reduce
the risks to the safety or well-being of individual employees.

Purpose of Ongoing Personnel Security (CPNI, 2010):

• To minimize the likelihood of employees becoming a security concern.
• To implement security measures in a way that is proportionate to the risk.
• To reduce the risk of insider activity, protect the organization's assets and, where
necessary, carry out investigations to resolve suspicions or provide evidence for
disciplinary procedures.

Importance of Ongoing Personnel Security

Insider activities are those that exploit an employee's legitimate access to an organization's assets
for unauthorized purposes. This potential threat for organizations that could have possibly hired
terrorists, intelligence service agents, discontented employees, or journalists and activists seeking
to damage the organization's reputation. Numerous companies already had serious losses because
of insider acts such as fraud, theft, corporate espionage and even terrorism. But the more
common insider activities include those that involve unauthorized disclosure of information and
process corruption. For example, a finance employee might be receiving money to illegitimately
alter an internal process in order to benefit certain clients.
It is difficult to clearly establish an insider's motivation. It could be a combination of factors such
as political or religious ideology, revenge, notoriety and financial gain or even fear or coercion
from an external pressure. An outsider seeking to gain access might hire insiders to get through a
company's sophisticated physical and IT security measures.
An employee might not have malicious intentions initially when hired, but attitudes change
either gradually or in response to events and circumstances. The employee who has proven to be
honest and dependable for a few years could possibly change loyalties after acquiring sensitive
information about the organization.
As with physical security, so single set of countermeasures can guarantee protection from serious
threats. Ongoing personnel security is critical to counter threats considering that the human
factor could quite possibly be the weakest link in the organization's security chain.

Security Training and Awareness

Security training and awareness programs provide an opportunity for old and new employees to
gain necessary skills to perform their responsibilities within the organization's security network.
These programs may include the orientation for new employees or other activities for existing
employees such as workshops, scenario based role-plays, briefings, intranet or magazine articles,
posters, meetings, focus groups or quizzes. The goal is to encourage them to accept personal
responsibility for security and equip them to make judgment calls that procedures cannot always
predict.
• To achieve these objectives, trainers and security personnel meetings, accept should
consider the following points (CPNI, 2010).
• Encourage staff to see those in security as friendly and approachable. Provide a contact
number or email address for reporting security concerns.
• Demonstrate unconditional support for the security policy (particularly from
management)
• Explain the organization's security policies openly. If there are some areas that are more
sensitive than others and where access is restricted this should be clearly stated.
• Give employees a realistic picture of the threats to the organization
• Encourage cultures which resolve and correct rather than focus on establishing blame.
• Avoid exaggerating the risks and threats faced by the organization to gain more
credibility. Avoid making false claims about security to frighten employees into
compliance.
• Provide regular refresher trainings to incorporate new security procedures in order to help
maintain standards and ensure that employees' understand why these are important to
follow.

Addressing Behaviors of Concern

Managers play a key role in addressing negative behavior and ensuring that security measures
are followed. Managers sometimes fail to act on poor performance and this could worsen the
problem because other employees might become dissatisfied for compensating on their co-
worker's poor performance. Another negative result is when employees assume that poor
performance is acceptable and follow that example.
If there is reason to be concerned about an employee' performance or behavior, the manager may
resort to an informal interview to clarify or address issues to prevent the problem from getting
worse. An informal interview can be initiated by asking open questions like, "How have you
been finding your job lately?" or "how is the project going so far?" If there are serious concerns,
the manager could uncover innocent explanations such as:
• Personal issues like marital problems, bereavement or illness.
• Work difficulties which may be causing tension, such as friction between colleagues,
disillusionment, boredom or dissent
• Possible conflicts of interest which may affect the employee's engagement with their
work, such as ethical concerns

If there is a clear breach of security policy or if further evidence of wrongdoings emerges, those
responsible for personnel security should be informed so that they can conduct further
investigation.

Controlling Employee Access

Organizations usually use access controls as physical security measures against outsiders.
Similar considerations should be used to prevent or minimize the risk of individuals with
legitimate access engaging in insider activities.
One measure is to require employees to wear security passes. There should be no exceptions,
even for senior management, security staff or visitors. When an individual gains access to
sensitive areas without an appropriate pass, employees are encouraged to challenge this
individual for suspicion of security breach. In addition, the security system should be
periodically tested to ensure that personnel without the appropriate pass will not easily gain
access.

Screening for the Insider Threat

Insider attacks can cause significant damage to an organization. Big organizations might rarely
encounter threats of insider activity, but they should nevertheless be prepared by establishing an
effective Screening regime. There is no clear pattern that can help detect insider threat because
the personality, motivation and behavior of insiders can be extremely varied.
The insider could be the administrative assistant who decided to exploit his access to expensive
equipment once in post, even though he had no prior intention of doing so. He could be the
public relations staff who was recruited by an investigative journalist to take advantage of his
access to sensitive information that could destroy the organization's reputation. He could even be
the elevator maintenance applied for the job with the intention to gain access to highly secured
areas in the office.
Screening employees to determine their vulnerability to, or active involvement in insider activity
involves identifying those people who give cause for concern by demonstrating suspicious
behaviors or possessing individual vulnerabilities. After identifying individuals who may give
cause for concern, it is important to find a way to resolve or manage those concerns. It is
important not to overreact but to take swift, proportionate action in order to avoid any escalation.
It is equally important not to diagnose insider activity where none exists, so organizational
procedures should always be followed, to ensure that the correct steps are taken in each instance
(CPNI, 2010).

Exit Procedures
An employee who leaves an organization could possibly have considerable knowledge about its
assets, operations and security vulnerabilities. If the reason for the employee's departure is not
amicable, he might maliciously give sensitive information to the organization's competitor. A
thorough procedure on personnel departures is therefore critical to ensure that appropriate actions
are taken to protect the organization without unnecessarily disrupting the relationship with the
departing employee. Standard procedures could include changes in the combinations for secure
cabinets, termination of IT accounts, or changes in generic passwords and remote access codes
so that an employee will no longer have access when he leaves the organization.
When an employee leaves, the organization cannot guarantee his loyalty especially if he left
feeling badly treated, ignored or unappreciated. They would possibly not feel guilty about
damaging the organization or give away sensitive company information. Exit procedures can be
the appropriate measure to limit this employee's propensity to be disloyal.

As soon as managers become aware that an employee is leaving the company, they should assess
and manage the risk that this individual may pose. The manager should consider the following:
• Is the employee leaving voluntarily or as the result of a disciplinary process or
redundancy?
• If the employee is not leaving voluntarily, what is the reason for the dismissal?
• Where are they going to work for next? Would they be working for the competitor?
• How sensitive is their role and their access to organizational assets?
After assessing the risks, the following are the manager's options depending on the employee's
contract:
• Allow the employee to carry on working during their contractual notice period and retain
their usual access to the organization's assets. This option could provide the employee
with an opportunity to abuse his access and damage the organization and should therefore
be used only if there is no risk.
• Allow the employee to work their contractual notice period but with reduced access to
assets (for example, using additional supervision or by allocating lower-level IT access).
This is generally considered the best course of action. If an employee is leaving to work
for a competitor, it may be appropriate to remove his access to commercially valuable
information.
• Ask the employee to leave immediately - possibly under supervision to prevent any
unauthorized act while still on the premises - and not to return for the duration of their
notice period. This could apply to employees who had extremely sensitive positions. This
is likely to cause ill feelings with the employee and should therefore be handled with
caution.

Exit procedures should also include the return of all access tools and identifiers that belong to the
organization. These assets may include:

• Uniforms
• Security passes and/or identification cards
• Mobile phones
• Company credit cards
• Any unused personal business cards
• Keys to secure/storage areas
• Tokens for access to electronic systems
• Any books, papers or commercially sensitive documentation Laptops and other remote
working equipment such as flash drives
• Security containers such as security briefcases

The following additional steps should also be considered to reduce the employee's access to
assets:

• Selectively or completely blocking the employee's user-IDs to prevent systems access

• Changing passwords to common systems
 • Making sure that measures are in place to protect the organization's electronic systems
from malware or hacking
• Selectively or completely blocking the employee's security pass to prevent physical
access
• Changing door codes to common areas Changing combinations to storage areas, where
the value of the assets merits it
• Cancelling the employees signature authority, credit card and expense accounts and
ensuring that all relevant parties are notified
• Where necessary, issuing instructions to security guards regarding the employee's future
access to the premises

The Exit Interview

By and large, the exit interview is done with employees about to leave the company in order to
help identify problems contributing to employee turnover. The employee's experiences and
reasons for leaving may suggest needed changes and open the eyes of the management to adopt a
course of action that will improve the morale, improve the working conditions and increase
efficiency. Expanding the questions by including security questions can be an effective source of
information about loss.

As a security measure, the exit interview is an opportunity to:

• Remind the employee of his obligations and organizational codes of conduct concerning
access to assets like intellectual property.
• Obtain all passwords or encryption keys for files the employee has been working on so
that they can be changed accordingly.
• Recover as many of the organizational assets, access tools and identifiers as is reasonable
at the time.
• Ask the employee if they have any comments/observations about the strength (or
weakness) of the security culture, measures and procedures in place within the
organization.
 CHAPTER 6
DOCUMENT AND INFORMATION SECURITY

Learning objectives:
At the end of this chapter, the student will be able to:
• Enumerate factors to consider in document and information security;
• Illustrate the information cycle;
• Enumerate the characteristics of information;
• Define and classify sensitive information;
• Define proprietary information and enumerate the types of intellectual properties;
and
• Enumerate some information security measures.

Discussion:
Protecting crucial documents has become progressively more critical in this age of fast growing
technology. The loss of document and information can cost a company huge amounts of money.
Business competitive badge and national security have been put at risk because proper security
precautions were not implemented. Oftentimes, the importance of document and information
security is not realized until after a loss has been discovered. Owing to this, a comprehensive
document and information security program is important to operating and competing in our
modern society.
Implementing an efficient and effective document and information security program requires
knowledge and skills in the field of document and information technologies as well as
management. Its management relies on a clear understanding of the types and uses of document
and information within an organization. Planned measures information throughout all phases of
its existence. To prevent loss of document and information due to employee or procedural error,
security administrators must implement an effective document and information management
plan.
In protecting vital documents and information, one must understand the capabilities and use of
document and information technologies in terms of how technology can be used in the creation
usage, storage, transmission and disposal of information. One must also understand how
technology can be used in the manipulation and abuse of documents and information.
Types of Documents
• Class I - Vital Document - an irreplaceable record, reproduction of which does not have
the same value as the original.
• Class II - Important Document - a record , reproduction of which will involve
considerable expense and labor or considerable delay
• Class III - Useful Document - a record , the loss of which may cause inconvenience but
could be readily replaced and may not present an insurmountable obstacle to the prompt
restoration of the business
• Class IV- Non - essential Document - a record that may include daily files, routine in
nature, the loss of which will not affect the organization's operation. This class represents
the bulk of the records which can be kept in ordinary files ready for reference if needed
and usually discarded after some period of time.

Factors to Consider
1. Document and information security is based on the premise that the government has the right
and duty to protect official papers from unwarranted and indiscriminate disclosure.
2. The authority and responsibility for the preparation and classification of classified matters rest
exclusively with the originating office.
3. Classified matter shall be categorized according to their content and not to the classification of
file in which they are held or another document to which they are referred.
4. Classification shall be made as soon as possible by placing appropriate marks on the matter to
be classified.
5. Each individual whose duties allow access to classified matter while it is in his possession
shall ensure the distribution of such matter on the "need to know" basis only and to properly
cleared persons only.

Stages of Information Cycle

Information occurs through various stages. Familiarization of the different stages can provide
significant analysis on how it can be protected.
1. Creation - During this stage, information is discovered and developed. Information can take
the form of handwritten notes, discussion, dictated script, or electronic data. It is commonly
concentrated in laboratories, offices, word processing units and computer centers.
2. Use - Undoubtedly, information is created for use. This stage involves a process wherein
people act on the information for the purpose of making a decision based on the information,
soliciting support or informing others. When information is use, it usually includes duplication as
well as distribution. Duplication can be in the form of photocopying, printing or sending through
electronic mail.
3. Storage and Retrieval - Use information should be put away for future use. Storage and
retrieval methods must ensure the integrity of the information, its timely accessibility to
authorized users and its protection from criminal intervention and disastrous circumstances.
The security measures that must be taken depend on the type of storage center, the storage means
and the storage technologies used. More importantly, the experience and dependability of the
personnel who will handle the storage and retrieval of information must be considered.
4. Transfer - This involves the transfer of information from active to inactive storage. Inactive
records are usually located in remote areas less accessible to users. Special security precautions
should be taken at the time of the transfer and when records are on the way from one place to
another.
5. Disposition - This is the last stage of the cycle of information. During this stage, a decision
can be made to retain the information indefinitely at either an active or in active storage center or
to dispose of it. The method of disposal should depend on the amount of information and the
type of media used.

Characteristics of Information (Fay, 2006)

Information is expansive. It is unlike other business resources because it can easily expand to
cover a wider scope. Information rage, but it tends not to diminish; today's breaking news, for
instance I will be an event in history after a few years. Information tends to accumulate; a
discovery on the healing benefits of a plant can lead to the formulation of a variety of benefits for
numerous diseases, Information is compressible and transportable at very high speeds, and can
impart advantages to the holder as demonstrated by a memory card that can save hundreds of
photos.
Information requires barriers. Just a decade ago, information assets were stored in computer
systems with electronic barriers inside centrally controlled equipment and located within the
protected confines of a computer room. Nowadays, computers have become widely dispersed
through computer networks protected through firewalls. The future trend seems to rely on cloud-
based information and data exchange (called internet area networks) protected by hosts through
passwords and other computer security measures.
Information is costly and important. Organizations should protect information assets because
it is costly to acquire and maintain, and it is important to the success of the business enterprise.
In industries like research and development, education and publishing, information fuels their
business. It has significant value in much the same sense that people, physical property and
financial assets have value.
Information is coveted. When something has value; someone will want an opportunity to take it
away. For example, a new cellular phone technology being developed by a big
telecommunications company might not be accessible to the pickpocket who preys in public
places, but it can be vulnerable to an intelligent, clever and professional spy who can steal the
information and sell it to the company's competition.
Information has a limited life. At some point in time, certain information can lose all or most
of its value. If a business owner is in possession of valuable information, he will want to extract
from it the maximum worth possible by making it available only to those whose Talent can
exploit it. When news of this information spreads to more and more people, its value can
diminish.
Information is difficult to protect. In a world of advanced information technology, several
employees may hold and share corporate information on their laptops, memory drives and
emails. Oftentimes, confidential information such as prices, designs and production schedules
need to be shared with suppliers, customers and shippers. Protecting information is difficult but it
should be a significant concern for every organization.

Information is voluminous. Another reality is that companies are dealing in larger volumes of
information than ever before. Great amounts of raw data are needed to make fully developed
analyses. From customer information to critical business strategies, financial operational data
and intellectual property, not only is there more information but it is high-impact information.
All of these have serious security vulnerabilities.

Sensitive Information
Sensitive information refers to information that has value and should be protected, including the
following:
• Proprietary business and technical information.
• Personal data concerning applicants, employees, and former employees.
• Proprietary information owned by partners and obtained through an agreement.

Classification of Sensitive Information

Sensitive information is generally classified into three (Fay, 2006):

1. Secret - This is information the unauthorized disclosure of which could cause serious damage
to the organization's business. Its use and access to it are strictly limited. Examples include:
• Trade secrets
• Plans to merge, divest, acquire, sell, or reorganize
• Information that could affect the price of shares
 • Information with high political or legal sensitivity
• Information prejudicial to the interests or reputation the organization

2. Restricted -This is information of such value or sensitivity that its unauthorized disclosure
could have a substantially detrimental effect on the organization's business. Example include:

• Marketing strategies
• Customer files
• Agreements and contracts
• Contentious or litigable matters

3. Private - This is information relating to employees. Examples include:

• Salaries, bonuses, and wages

• Health and medical matters
• Disciplinary actions
• Job performance

Proprietary Information
Information is considered proprietary when it is not readily accessible to others; it was
created by the owner through the expenditure of considerable resources; or the owner
actively protects the information from disclosure (Fay, 2006). This can include secret
formulas, processes, and methods used in production; or it could be the company's
business and marketing plans, salary structure, customer lists, contracts, and details of its
computer systems.

Proprietary information includes intellectual properties that are recognized and granted
varying degrees of protection by governments, such as the following:

1. Patents - grants issued by a national government conferring the right to exclude others
from making, using, or selling the invention within that country. Patents may be given for
new products or processes. Violations of patent rights are known as infringement or
piracy

2. Trademarks - words, names, symbols, devices, or combinations thereof used by

manufacturers or merchants to differentiate their goods and distinguish them from
products that are manufactured or sold by others. Counterfeiting and infringement
constitute violations of trademark rights.
3. Copyrights - protections given by a national government to creators of original
literary, dramatic, musical, and certain other intellectual works. The owner of a copyright
has the exclusive right to reproduce the copyrighted work, prepare derivative works
based on it, distribute copies, and perform or display it publicly. Copyright violations are
also known as infringement and piracy.

4. Trade Secrets - formulas, patterns, compilations, programs, devices, methods,

techniques, and processes that derive economic value from not being generally known
and not ascertainable except by illegal means. A trade secret violation in the vocabulary
of the law is a misappropriation resulting from improper acquisition or disclosure. The
key elements in a trade secret are the owner's maintenance of confidentiality, limited
distribution, and the absence of a patent.

Information Security Measures

It was already demonstrated in the previous chapter on personnel security that

organizations face a wide spectrum of risks to protect information assets. Sensitive
information such as those illustrated above can be vulnerable to threats not only from
individual’s external to the organization, but from so-called insiders as well. Some of the
recommended mitigation measures include screening of both applicants and existing
employees, restricting access to sensitive areas, or using IT security measures such as
firewalls, restricted site accessing policies, and virus checks. Below are examples of risk
mitigations that an organization can implement as part of their information security
measures (Blyth, 2008):

Security Screening

Job applicants, current employees, contractors and other individuals who could be
sharing sensitive information with the organization may have their backgrounds checked
for affiliation with known activist or dissident groups or for any potential for insider
activity. For individuals in posts that are considered critical or vulnerable within the
company structure, screening may involve an investigation of their criminal history or
interviews with family, friends and work colleagues in order to identify any possible
concerns. In some cases, covert methods of security clearance may be employed.

Restricted Areas and Identification

Physical barriers that control access to restricted areas can serve as a deterrent and
increase the likelihood of identifying unauthorized individuals. The organization can
employ a series of identification methods from photographic identification cards, bar
codes, voice analysis, and retinal scans to enhance entry restrictions within high security
areas inside the facility.

Technology Security Measures

The organization may use technological security measures to prevent individuals from
accessing communication or data storage media from external sources. In addition,
security personnel can enforce restrictions against electronic devices such as mobile
phones, cameras and voice recorders that could record or access sensitive information
within certain areas inside the facility. Countermeasures should also include protection
against high-tech surveillance devices that involve tapping land lines and mobile
telephone calls, remote accessing computer terminals or viruses that damage IT
equipment. Magnetic shielding, encrypted communications, virus checks, stand-alone
computers, and magnetic interference equipment as well as secondary communication
backups, alternative data storage systems, and power generators should also be in place
as part of a redundancy policy.