Outsourcing Physical Security

Marene Allison, director of global security for Avaya, answers readers' questions about outsourcing physical security.

Q: What security concerns does outsourcing present?

A: Outsourcing primarily takes away your personal span of responsibility around the activities you are outsourcing. However, you now have to rely on a third party to take the same care and due diligence that you would take. For example, if you hire a guard company, you have to ensure that the post orders are maintained to your standards; you have to ensure that they complete the background checks with the same due diligence that you would; their training program must meet your needs. The same goes for the installation of security devices: Are they wired properly? If you have an enterprise system, is your outsourcer doing the virus updates? Is there a firewall? You must consider all the security risks that you might have if you did all the activities in-house, but you have to rely on others to ensure that the work gets done.

Q: What is the number-one reason outsourced physical security fails? And what measures should you utilize for improvements?

A: I think the number-one reason is that it is not properly managed. That spans from how the contract is written to the eventual evaluation and assessment. Outsourcing does not mean that the security department's responsibility ends. Sometimes that is just the beginning. Right from the initial contract, all expectations and service levels should be agreed upon and the consequences should be clearly defined. Then the arrangement must be inspected to ensure those service levels are met. If outsourcers tell you they have worldwide installation capabilities and that capability is in your contract with them, and they then turn around and tell you that you need to pay for a technician to fly from Australia to Hong Kong for an installation, question them on it. Don't accept the cost. Hold your outsourced companies accountable.

Q: What contractual precautions can you take with your outsourcers?

A: Your legal department should be able to draft a document called a nondisclosure agreement, or an NDA. Both parties should sign it. You are entering into a contractual relationship. The NDA should have consequences that are clearly defined and agreed to.

Q: Do I still do my own background checks on the employees of an outsourced security team?

A: You could, but with the Fair Credit Reporting Act, it would be cleaner and easier for the hiring company to maintain that information. Have standards, make the requirements a part of the contract, and put in an audit provision if you have any doubts. Most of the highly regarded security companies will want to be sure that they hire only fully qualified staff that meet your contract requirements. It's their business and reputation on the line.

Q: Do you have a rule of thumb on the proper size of the physical security team versus the size of the assets and space being protected?

A: We use some basic guidelines. For most office spaces, we will install an enterprise access control system when more than 25 people use that facility. We will use keys or cipher-type locks for smaller locations. The facilities will all have burglar alarms. Cameras will be installed using the 25-employee rule of thumb. We will employ a guard service at any facility that has more than 125 people. These are very general guidelines. If the assets being protected include valuable inventory (either intellectual property or equipment), we will increase the security. We'll also increase security for data centers and anything deemed critical by our business continuity department. The number of guards used will depend not only on the size but on the location, crime index, and ebb and flow of the employees. We prefer that no guard be on a shift alone unless the building is open and functional. Using a risk assessment methodology, you can define your facilities and match them to the criticality of your business, taking into account the risks that are possible and the probability that they will occur.

Copyright © 2004 IDG Communications, Inc.