
Security Requirements – Physical Security

In document 16-00707 (pages 37-41)

5 Simplifications and Specifications

5.5 Safety and Security Requirements

5.5.2 Security Requirements – Physical Security

Built-in safety measures, such as the ones described above, are an important part of an overall protection scheme, but they are seldom sufficient alone to ensure the full protection of an object.

One also needs external security measures which regulate such parameters as access control, camera surveillance, alarm systems and sensors and the number of security guards on duty.

Together these elements make up what is termed physical security [30]. Access control includes both perimeter control which regulates access to the site or location of the facility, and protective barriers such as sluices, turnstiles, and access verification solutions for controlled areas which are meant to regulate the movement of persons once they are inside the facility.

Camera surveillance generally covers critical points around and inside the facility, such as exits and entrances, 24 hours a day, to facilitate real-time action and, if needed, later investigations.

| Safety requirements | Implementation |
| --- | --- |
| Fire protection | Flame, heat and smoke detectors present in the piqlVault. Fire suppression mechanism: an oxygen reduction suppression solution is recommended. Handheld extinguishers present in the piqlVault (Class A, B, C). |
| Water protection | Recommended location of piqlVault above basement levels in geographical areas affected by flood risk. If not, underground locations are recommended. Fire suppression mechanism: an oxygen reduction suppression solution is recommended, as unattended sprinklers could lead to flooding of the film. |
| Seismic resistance | Building structures housing the piqlVault should comply with national design and construction standards of seismic mitigation if the geographical zone is prone to earthquakes. |
| Chemical and biological compounds | A slight positive air pressure present in the piqlVault. No gaseous impurities present in the piqlVault. |
| Power redundancy | No redundancy in energy supplier, but piqlVault must be equipped with power generators to keep environmental control systems up for at least 24 hours after main power failure. |
| Other influences | The piqlVault shall be separated in a dedicated room without any other activity to keep the environment as stable and non-affected as possible. |

Table 5.5 The safety requirements of the storage facilities used in the scenario development

Alarm systems and sensors are also placed at critical points. They are in place as a deterrent to break-ins and also to alert the security personnel when set off. They also often create confusion and stress for the person or persons setting off the alarm. Security personnel also serve as a deterrent through their often highly visible presence. Their more important and prominent role, of course, is to serve as additional mobile security resources when a situation arises, who are able to adapt to situations as needed.

Piql AS has also formulated a security regime to be applied during the storage phase of the service journey, and one which applies during production and transportation. The regime is laid out in the same document as the safety requirements, and for the part which applies to security it is based on the Content Delivery & Security Association (CDSA) standard "Content Protection & Security Standard" [27, 31]. In the document, Piql AS specifies the necessary requirements of the security regime which have to be present in a storage room in order for someone to become a certified Piql partner. The specific implementation of said security regime, however, is not described: that is largely left up to the individual Piql partner so long as it is compliant with the requirement.

For the purposes of the scenario development, FFI has created a strategy for the implementation of Piql AS’ security regime. The assumptions that we have made for the requirements are not directly based on any particular set of rules and regulations, as these would oftentimes greatly differ between countries. We have instead tried to find an average describing the security regime that can be applied across sectors and across geographical zones. Naturally, if a Piql partner is subject to national legislation on protective security services, the regulations stipulated there must also be implemented. This means that the suggested strategy should serve as nothing more than guidelines and inspiration for how the production sites and piqlVaults should be protected against external threats.

The requirements stipulated by Piql AS in the document are numerous, and we include a relevant sample here:

• The piqlVault shall have an alarm system activated when operators are not on duty.
• The piqlVault shall control access to facility. It shall be segregated, secured and monitored to prevent unauthorized access.
• The piqlVault shall implement and maintain policies and procedures for visitor access. These should include details of visitor registration, search policy and escorted access to secure locations.
• The piqlVault shall employ guards, who shall be on duty whenever operators are not in the premises.
• CCTV should be installed and deployed at the warehouse access points and at the points of contact with the piqlFilm (receiving ports - automatic).
• Monitoring shall be carried out by a guard when operators are not on duty.
• Uninterrupted power supply (UPS) must extend to all security systems and sized appropriately for local conditions and business activities.

| Security requirement | Implementation during storage |
| --- | --- |
| Access control | Protective barriers in the form of doors/sluices inside the facility which open with authorised ID verification solutions. |
| Alarm systems | Alarm systems installed in connection with authorisation devices. Activated outside office hours. Summons security personnel. |
| Camera surveillance | CCTV coverage of outside entrance area, all access points and all critical points inside the facility. Recorded 24/7, and monitored outside office hours. |
| Security personnel | One (1) guard onsite outside office hours. Sound vetting procedures for all personnel (either security clearance or criminal record and credit check depending on sector). |

Table 5.6 The security regime of the storage facilities used in the scenario development

It is apparent that these requirements can be grouped together into the four main parameters included in physical security as outlined above, namely access control, alarm systems, camera surveillance and security personnel. FFI has made a strategy to implement the security regime as set forth by Piql AS, specifically for the storage facility, which includes these parameters. The strategy is presented in Table 5.6.

Piql AS has devised separate security regimes which apply during the transportation and production phases. With these additional regimes, the protection of the piqlFilms containing valuable information is accounted for from the moment the sensitive data is converted from its original form into nanofilm to the moment it is put in secured storage and onwards.

These are the requirements Piql AS has stipulated when it comes to the security regime applied during production [32]:

• The facility shall have control access [sic]. It shall be segregated, secured and monitored to prevent unauthorized access.
• The facility where rooms are located shall have an alarm system activated when operators are not on duty.
• CCTV should be installed and deployed at the facility access points and at the production rooms.
• CCTV Monitoring shall be carried out by a guard when operators are not on duty. When operators are in duty, recording mode shall be enabled.

At FFI’s suggestion, Piql AS has added the following stipulations regarding the security regime which should apply during the transportation phase [27]:

• General level of security from a professional trusted transportation security service provider is required.
• The films shall be labelled and scanned for constant tracking.
• The films shall be stored in a safe in the holding area, protected by a PIN lock.
• Personnel shall have gone through criminal background checks and driving record reviews.

Though the security requirements during transportation do not fall squarely into the parameters we have defined earlier as necessary parameters of physical security, we have decided, for the sake of continuity, to keep to the same categories as used in the strategy for storage in our implementation of the strategy for production and transportation, though the latter entails a few adjustments to fit the different settings.

Table 5.7 presents FFI’s strategy for the implementation of the security regime which applies for the production and transportation phases.

| Security requirement | During production | During transportation |
| --- | --- | --- |
| Access control | Production site only accessible with authorised ID verification solutions. | Armoured or otherwise fortified truck used by a professional and trusted transportation service provider. The doors are locked at all times. |
| Alarm systems | Alarm systems triggered by sensors installed in connection … | … stored in a safe in the holding area, protected by a PIN lock. |
| Camera surveillance | CCTV coverage of access points and all production rooms from … | … |
| Security personnel | Guards monitoring the CCTV footage outside office hours. | … |

Table 5.7 The security regime during the production and transportation phase
