ANSI PAP.1-2012 Security Management Standard Physical Asset Protection.pdf

1、Security Management Standard:Physical Asset ProtectionASIS INTERNATIONAL STANDARDAMERICAN NATIONALANSI/ASIS PAP.1-2012ANSI/ASIS PAP.1-2012 an American National Standard SECURITY MANAGEMENT STANDARD: PHYSICAL ASSET PROTECTION Approved February 24, 2012 American National Standards Institute, Inc. ASIS

2、 International Abstract This Standard presents a comprehensive management approach for the protection of assets by the application of security measures for physical asset protection. This Standard may be used in conjunction with other ASIS International documents that provide additional information

3、and details: g120g3 ASIS International Protection of Assets. g120g3 ASIS GDL FPSM-2009, Facilities Physical Security Measures Guideline. g120g3 ANSI/ASIS SPC.1-2009, Organizational Resilience: Security Preparedness, and Continuity Management Systems Requirements with Guidance for Use. ANSI/ASIS PAP.

4、1-2012 ii NOTICE AND DISCLAIMER The information in this publication was considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the part

5、icipants in the development of this document. ASIS International standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of perso

6、ns who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or complet

7、eness of any information or the soundness of any judgments contained in its standards and guideline publications. ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS does not accept or undertake a duty to any th

8、ird party because it does not have the authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public, because its works are not obligatory and because it does not monitor the use of them. ASIS disclaims liability for any personal injury, property,

9、 or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy

10、or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any persons or entitys particular purposes or needs. ASIS does not undertake to guarantee the performance of any individual manufacturer or sellers products or

11、services by virtue of this standard or guide. In publishing and making this document available, ASIS is not undertaking to render professional or other services for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else. Anyone

12、using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available

13、from other sources, which the user may wish to consult for additional views or information not covered by this publication. ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no control over which of its standards, if any, may be ado

14、pted by governmental regulatory agencies, or over any activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards t

15、o be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any information in this document shall not be attributable to ASIS and is solely the responsibility of the certifier or maker of the statement. All rig

16、hts reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner. Copyright 2012 ASIS International ISBN: 978

17、-1-934904-29-9 ANSI/ASIS PAP.1-2012 iii FOREWORD The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSIs requirements for an ANS. As such, this Foreword may contain material that has not been subjected to pub

18、lic review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard. ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the wor

19、d should. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages. About ASIS ASIS International (ASIS) is the preeminent organization for secu

20、rity professionals, with 38,000 members worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific se

21、curity topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industrys No. 1 magazin

22、e Security Management ASIS leads the way for advanced and improved security performance. The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredit

23、ed Standards Development Organization (SDO), ASIS actively participates in the International Organization for Standardization. The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a vo

24、luntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry. Suggestions for improvement of this document are welcome. They should be sent to ASIS

25、International, 1625 Prince Street, Alexandria, VA 22314-2818, USA. Commission Members Charles A. Baley, Farmers Insurance Group, Inc. Jason L. Brown, Thales Australia Steven K. Bucklin, Glenbrook Companies, Inc. John C. Cholewa III, CPP, Mentor Associates, LLC Cynthia P. Conlon, CPP, Conlon Consulti

26、ng Corporation Michael A. Crane, CPP, IPC International Corporation William J. Daly, Control Risks Security Consulting Lisa DuBrock, Radian Compliance Eugene F. Ferraro, CPP, PCI, CFE, Business Controls, Inc. F. Mark Geraci, CPP, Purdue Pharma L.P., Chair Bernard D. Greenawalt, CPP, Securitas Securi

27、ty Services USA, Inc. Robert W. Jones, Socrates Ltd Glen Kitteringham, CPP, Kitteringham Security Group, Inc. Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair Bryan Leadbetter, CPP, Bausch Corrective and Preventive Action 24 A.8.5 Internal Audit . 25 A.9 MANAGEMENT REVIEW . 25 A.10 IMPROVEME

28、NT . 26 A.10.1 Maintenance and Change Management . 26 A.10.2 Continual Improvement . 26 B INFORMATIVE GUIDANCE ON THE ELEMENTS OF PHYSICAL ASSET PROTECTION . 27 B.1 GENERAL . 27 B.1.1 Process of Physical Asset Protection Systems Risk Assessment and Application . 28 B.1.2 Security Survey . 28 B.1.3 C

29、ost Benefit Analysis 30 B.1.4 Security Convergence . 31 B.1.5 Crime Prevention Through Environmental Design (CPTED) 32 B.1.5.1 Implementation of CPTED . 33 B.1.6 Site Hardening 34 B.1.6.1 Site Access and Perimeter Delineation 34 B.1.6.2 Implementation of Site Hardening Systems 34 B.2 SECURITY LIGHTI

30、NG . 35 B.2.1 Objectives of Security Lighting . 35 B.2.2 Implementation of Security Lighting Systems 36 B.3 BARRIER SYSTEMS . 36 B.3.1 Physical Barrier Systems . 36 B.3.2 Implementation of Barrier Systems 37 B.4 INTRUSION DETECTION SYSTEMS 38 B.4.1 Objectives of Intrusion Detection Systems . 39 B.4.

31、2 Implementation of Intrusion Detection Systems 39 B.5 PHYSICAL ENTRY AND ACCESS CONTROL 40 B.5.1 Objectives of Entry and Access Control System 40 B.5.2 Implementation of Entry and Access Control Systems . 41 B.6 VIDEO SYSTEMS - VIDEO SURVEILLANCE 42 B.6.1 Defining Parameters 42 B.6.2 Systems Archit

32、ecture 43 B.6.3 Signal and Data Transmission 43 B.6.4 Recording Methods 44 B.6.5 System Ownership 44 B.6.6 Cameras . 44 B.6.7 Direct Product Comparisons . 45 B.6.8 Viewing Clients . 45 B.6.9 System Design 46 B.6.10 Estimate . 46 ANSI/ASIS PAP.1-2012 xi B.6.11 Procure and Install . 47 B.6.12 Training

33、 47 B.6.13 Policies and Procedures for System Use . 48 B.6.14 Testing 48 B.7 ALARMS, COMMUNICATIONS, AND DISPLAY . 48 B.7.1 Objectives of Alarms, Communications, and Display . 49 B.7.2 Implementation of Alarms Monitoring, Communications, and Display Systems . 49 B.7.2.1 Security 49 B.7.2.2 Technolog

34、y 49 B.7.2.3 Architectural 50 B.7.2.4 Technical Systems . 50 B.8 PERSONNEL 50 B.9 SECURITY POLICIES AND PROCEDURES . 52 C TERMS AND DEFINITIONS . 53 D BIBLIOGRAPHY 61 TABLE OF FIGURES FIGURE 1: PLAN-DO-CHECK-ACT MODEL XV FIGURE 2: ORGANIZATIONAL RESILIENCE (OR) MANAGEMENT SYSTEM FLOW DIAGRAM 9 FIGUR

35、E 3: RISK ASSESSMENT AND TREATMENT PROCESS FLOW DIAGRAM BASED ON ISO 31000:2009 . 13 ANSI/ASIS PAP.1-2012 xii This page intentionally left blank. ANSI/ASIS PAP.1-2012 xiii 0. INTRODUCTION Protecting the assets of any organization public, private or not-for-profit is a critical task for the viability

36、, profitability, reputation, and sustainability of the organization. This transcends the protection of just human and physical assets, and includes the securing of vital intellectual property and information. Protecting assets requires a combination of strategic thinking, process management, and the

37、 ability to implement programs and initiatives in increasingly shorter periods of time to match the rapid pace of todays global business environment. This Standard provides an approach to identify, apply, and manage physical security measures to safeguard an organizations assets people, property, in

38、formation, and intangibles that are based in facilities (not during transit). Physical asset protection (PAP) also known as physical security management includes the protection of both tangible (e.g., physical, human, infrastructure, and environmental assets) and intangible assets (e.g., brand, repu

39、tation, and information assets). This Standard provides a framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving physical protection systems (PPS). All organizations face a certain amount of risk. The challenge is to determine how much risk is acceptab

40、le, and how to cost-effectively manage the risk while meeting the organizations strategic and operational objectives. Thus, choices must be made regarding the trade-off between the resources necessary to generate products, profits, and market-share, and the controls required to protect them. Success

41、ful asset protection provides the appropriate balance between these competing demands. This Standard, used in conjunction with the ASIS International Protection of Assets and the ASIS GDL FPSM-2009, Facilities Physical Security Measures Guideline, will assist organizations in achieving this difficul

42、t balance in determining the appropriate level of acceptable risk for a broad variety of situations and the investment required to manage those risks. This Standard views asset protection from the larger gamut of risk and resilience management as it relates to the complete protection of assets. The

43、management system used in this Standard is the framework presented in the ANSI/ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems Requirements with Guidance for Use Standard. This Standard provides informative guidance on incorporating the elements

44、of asset protection into the Organizational Resilience Management System (ORMS). This Standard is designed so that it can be integrated with quality, safety, environmental, information security, supply chain security, organizational resilience, risk, and other management systems standards within an

45、organization. A suitably designed management system can thus satisfy the requirements of all these standards. 0.1 Asset Protection The context of asset protection when applied to a physical asset protection management system (PAPMS) considers risks associated with intentional, unintentional, and/or

46、naturally caused events. Asset protection incorporates the organizations security and related functions (e.g., risk management, safety, finance, quality assurance, compliance, etc.) into a comprehensive, proactive management system. ANSI/ASIS PAP.1-2012 xiv Asset protection is directly tied to the o

47、rganizations mission to protect its tangible and intangible assets by removing or reducing exposure to the causes and consequences of risks. The organizations management system should: a)g3 Ensure top management leadership and commitment to the PAP policy; b)g3 Establish a comprehensive risk managem

48、ent program that identifies, analyzes, and evaluates risks to tangible and intangible assets; c)g3 Characterize the assets, design, and implement a PPS that meets the objectives against the available resources; d)g3 Integrate people, procedures, technologies, and equipment to meet the objectives; an

49、d e)g3 Continuously monitor, measure, and review the performance of the management system. In order to effectively protect its assets, an organization needs to recognize the interdependencies of various business functions and processes to develop a holistic approach to PAP. Physical asset protection is intertwined with other security-related disciplines, such as information technology systems and continuity management. In order to understand the shared risk environment, the organization should consider: a)g