Establish Security Program Performance Requirements

2-1

DOMAIN 2 - TASK 1

 

This section teaches you how to design, specify, and measure security systems that effectively mitigate risk and align with organizational goals. You'll master the art of writing clear and actionable security requirements—from concept to performance verification—based on real-world risk analysis, compliance frameworks, and strategic metrics.

Whether you're a security consultant, systems designer, facility manager, or PSP candidate, this content bridges theory and practice with methods grounded in industry best practices and standards like NFPA 730/731, ISO 31000, and ASIS PAP.

🔧 From Risk to Requirements: Building the Foundation

Every security requirement should be traceable to a risk-based justification. This approach ensures that systems are built with a clear understanding of:

Once gathered, this data is used to define operational, functional, and performance requirements and establish a Basis of Design (BoD)

⚙️ Design Constraints

Before selecting technologies or writing RFPs, consider:

 

📜 Regulatory Requirements

  • Local codes (building, fire, zoning, ADA, etc.)
  • Industry standards (ISO 31000, NFPA 730/731, IBC, ASIS PAP)
  • Data and privacy laws (e.g., GDPR, CCPA)
  • Requirements for government or high-security sites (e.g., FISMA, DHS Risk Series)

💵 Budgetary Constraints

  • Installation vs. lifecycle cost (maintenance, updates, deprecation)
  • Trade-offs between capital expense (CapEx) and operational expense (OpEx)
  • Design-to-cost considerations for phased implementation

🧱 Material & Construction Constraints

  • Durability (vandal resistance, weatherproofing)
  • Compatibility with legacy infrastructure
  • Facility age and retrofit limitations

🔄 System Interoperability

  • Integration with legacy platforms (fire, HR, BMS, CCTV)
  • Standards: ONVIF (video), OSDP (access control), BACnet (building automation)
  • Need for vendor-neutral design to reduce lock-in

Design must be informed by constraints to ensure feasibility, maintainability, and compliance.

🧠 Key Security Design Concepts

The 4 Ds of SecurityDeter, Detect, Delay, and Deny—are fundamental principles used in the design and evaluation of physical security systems. They provide a layered defense strategy that helps security professionals protect assets by managing adversary behavior at every stage of an attack.

 

🔵 1. Deter

Objective: Discourage the attacker from attempting an intrusion in the first place.

 

How it works:

  • Visible security measures like cameras, signage, and uniformed guards increase the perceived risk of getting caught.
  • Environmental design elements (e.g., fencing, lighting) signal territorial control and vigilance.
  • Psychological barriers that make a site appear well-protected and not worth the effort.

📌 Example: Warning signs about surveillance or patrols at facility entrances.

 

🟠 2. Detect

Objective: Identify the presence of a threat or intrusion attempt early.

 

How it works:

  • Technologies like intrusion detection systems (IDS), motion sensors, and surveillance cameras alert security personnel.
  • Monitoring systems track and log unauthorized activity.
  • Detection enables timely response and escalation before an incident escalates.

📌 Example: Motion sensor triggers an alarm when someone enters a restricted zone.

 

🟡 3. Delay

Objective: Slow down the attacker’s progress to allow an effective response.

 

How it works:

  • Physical barriers such as locks, doors, fences, turnstiles, and security glazing increase the time required to access targets.
  • Delays are strategically designed to outlast the adversary’s tolerance or until response forces arrive.

📌 Example: Reinforced doors or anti-ram barriers that buy minutes during an intrusion attempt.

 

🔴 4. Deny

Objective: Prevent access to the protected asset altogether.

 

How it works:

  • Structural and electronic controls eliminate the possibility of unauthorized access.
  • Denial mechanisms include secure enclosures, biometric access control, encryption, and mantraps.
  • Ideally, this is the final layer that ensures an intruder fails even after breaching other defenses.

📌 Example: High-security vault with biometric access and 24/7 surveillance.

🧰 The 4 Ds of Security

🧱 Defense-in-Depth

🔐 Summary Table

Together, the 4 Ds form a comprehensive, layered defense strategy essential for effective physical security planning.

🧱 What Is Defense in Depth?

Definition:
Defense in Depth is a security approach that uses multiple, overlapping layers of protection to safeguard people, property, information, and operations. These layers span physical barriers, electronic systems, policies, and human interventions.

 

🎯 Purpose

  • Redundancy: No single point of failure
  • Delay: Slows adversaries to allow detection and response
  • Flexibility: Adapts to varied threat types (e.g., external intruders, insider threats)
  • Risk Reduction: Even if one control is defeated, others continue to function

🧩 Key Layers of Defense

  1. Physical Controls
    • Fences, walls, locked doors, turnstiles
    • Bollards, gates, blast-resistant barriers
  2. Technical Controls
    • CCTV, access control, intrusion detection, analytics
    • Sensors (motion, glass break, thermal, LIDAR)
  3. Administrative Controls
    • Security policies and procedures
    • Background checks, visitor management, access approvals
  4. Personnel
    • Security officers, reception staff, internal threat awareness
    • Trained responders and regular drills
  5. Environmental and Design Controls
    • CPTED strategies (lighting, sightlines, territoriality)
    • Zoning (perimeter, transition areas, secured cores)

🧭 How It Works – Example

An intruder tries to breach a high-security building:

  1. Outer Perimeter: Fence, lighting, surveillance deter and detect the intruder.
  2. Intermediate Layer: Access control gate requires valid credentials.
  3. Interior Zones: Turnstiles and mantraps slow progress; video analytics flag suspicious behavior.
  4. Final Barrier: Biometric authentication protects the secure vault.
  5. Response: Security personnel are alerted at the first layer and intercept at the third.

Even if one control fails (e.g., tailgating past a gate), other layers compensate (e.g., camera analytics and mantraps).

📘 Benefits of Defense in Depth

In summary:

 

Defense in Depth is about creating a resilient, multi-layered security architecture that anticipates failures and protects what matters most. It's the physical security equivalent of having seatbelts, airbags, and lane assist—not just one safeguard but many working together.

  • Natural surveillance: lighting, clear sightlines
  • Territorial reinforcement: fencing, signage
  • Access control: defined entries, barriers
  • Maintenance: visual order = control and ownership

🌿 CPTED (Crime Prevention Through Environmental Design)

🛡️ Writing Security Requirements: The 3 Types

1️⃣ Operational Requirement

These describe how the system will be used and maintained on a day-to-day basis. They must reflect actual organizational workflows and staffing levels.

 

📌 Examples:

  • Who monitors the system, and when?
  • How are alarms escalated and responded to?
  • What are the visitor access protocols?
  • Is the guard force integrated with the system (e.g., mobile patrol apps)?
  • How are procedures documented and reviewed?

🧠 Poorly documented operational requirements result in system misuse or underperformance.

 

2️⃣ Functional Requirements

These specify what the system must do. Think features, functions, and interoperability.

 

🔐 Access Control

  • Authenticate badge, PIN, or biometric credentials
  • Log events and generate audit trails
  • Operate offline during network failures

🎥 Surveillance

  • Continuous and motion-based recording
  • Live streaming and remote access
  • Integration with analytics for alerts (loitering, line crossing)

🔁 Integration & Redundancy

  • Link with HR, fire alarm, and ID systems
  • Support API/protocols: ONVIF, OSDP, SIA DC-09
  • Include failover servers and backup power

✅ Functional requirements guide vendor evaluation and ensure system relevance.

 

3️⃣ Performance Requirements

These define how well the system must perform, especially under load or stress.

 

📈 Sample Metrics:

  • Video: Record at 1080p, 30 FPS for 90 days
  • Access Control: Handle 10,000+ badgeholders with 1-sec read time
  • Turnstiles: Process 500+ people per hour
  • Alarm Response: Alert shown in 3 seconds max

📘 Defined In:

  • Design Basis Documentation
  • Cut Sheets and Manufacturer Specs
  • Performance Verification Plans

✅ Use real performance data from pilots or lab testing to set realistic benchmarks.

📊 Security Metrics: Measuring What Matters

🎯 Why Metrics Matter

  • Prove system effectiveness
  • Improve design iteration
  • Justify budget allocation
  • Highlight areas of risk or underperformance

🧪 SMART Metrics Framework

📐 Common KPIs

  • MTBF (Mean Time Between Failures)
  • False Alarm Rate (Nuisance vs. Legitimate)
  • Alarm Response Time
  • Training Completion Rates
  • Security Post Compliance Scores

🧰 ASIS Security MET Tool

The ASIS Security Metrics Evaluation Tool (Security MET) provides a framework to evaluate any metric's reliability, validity, and relevance. It helps ensure metrics:

  • Align with organizational strategy
  • Provide actionable insight
  • Are cost-effective to gather

📋 Lifecycle & Implementation Considerations

🛠️ Design Documentation

  • Basis of Design: Justifies system intent and requirements
  • Schematic Design: Early concepts and layout
  • System Specifications: Detailed requirements for contractors
  • Punch List: Final issues before project closeout

🔄 Ongoing Operations

  • Preventive Maintenance: Scheduled health checks and updates
  • Change Management: Documenting system modifications
  • User Training: Role-specific modules for guards, operators, and admin

✅ Metrics apply at all stages—from design through maintenance—to ensure long-term value.

🧭 Summary: What You Now Understand

You've learned how to:

✅ Translate risk into actionable security requirements

✅ Draft clear operational, functional, and performance specifications

✅ Select metrics that drive improvement and budget justification

✅ Apply compliance frameworks and use tools like ASIS Security MET

✅ Think strategically about system design from concept to lifecycle support

 

This task sets the standard for designing security systems that perform under pressure, prove their worth, and evolve with your organization.

 

Let me know if you'd like the content exported as a responsive HTML page or embedded into your training portal.

© Copyright. All rights reserved.
Legal Notice | Privacy Policy 

We need your consent to load the translations

We use a third-party service to translate the website content that may collect data about your activity. Please review the details in the privacy policy and accept the service to view the translations.

Privacy Settings

Website Translator

Privacy Settings

This tool helps you to select and deactivate various tags / trackers / analytic tools used on this website.

Select all services
Website Translator
More
Save Settings