Whenever you implement, or upgrade, your corporate security systems, it is imperative that you follow best practices to develop and document the policies and procedures to support this new security technology. Marrying policies and procedures with security system technology will serve to increase your protection and decrease the associated risks by documenting the way systems are deployed, utilized, and managed.
Even if you’re not adding new technology, having effective policies and procedures alone can serve to mitigate your security risk.
Best Practices for Corporate Security Policies and Procedures
We assist corporate clients with recommendations for reviewing, developing, and documenting their corporate security policies and procedures using industry best practices, past experiences, and assessments of what makes corporate environments unique. The following policies are typically implemented (and should be implemented) when security systems are deployed:
- Video Retention and Use Policy
- Access Control Management Policy
- Visitor Management Policy
- Security System Standards
- Security Systems IT Standards
- Unified Security Platform Policy
- Incident Management and Reporting Policy
- MOU with Local Law Enforcement
- Guard Services Policy
Note that some of these procedures may not apply in all situations, but it’s important to know the full universe of possible procedures. Some procedures should be implemented regardless of whether technology is used to assist with the process or not.
Video Retention and Use Policy
The Video Retention and Use Policy establishes a process for the access, control, and storage of video saved by the video surveillance system.
The key procedures that should be documented identify:
- Who is permitted to download the video
- Where the videos are stored
- How the videos are accessed
- How long the recordings are saved
- The technical parameters of how video is stored (frame rate, file type, image quality)
This policy often also includes the different types of access levels programmed into the system as well as the process for storing watermarked video that can be admissible in court.
Access Control Management Policy
The purpose of the Access Control Management Policy is to document:
- The different access group types
- Who can define or modify access group types
- How access is assigned
- Who can assign access levels
- Who can print badges
- What information should be visible or embedded in the badge
This policy should also define whether access badges are meant to be employee IDs and the process for issuing them. A strong internal control separates the duties of issuing the IDs from the responsibilities of adding access control levels to an individual. This separation minimizes the risk of someone being granted access that they should not receive.
Any integrations with HR databases should also be identified in the policy.
Visitor Management Policy
The Visitor Management Policy establishes procedures for managing guests visiting your corporate offices and their access within your offices. This is one of the policies that should be implemented regardless of whether a visitor management software system is implemented.
The policy should identify:
- What happens during the visitor check-in process
- What information needs to be gathered from the visitor
- Procedures for escorting the visitor and locations they have access to
- What happens to the visitor check-in logs
- How check-in data is stored and tracked
If your organization is going to issue visitor badges, the policy should also identify:
- What visitor badges should look like
- What information should be displayed on the badges
If visitors are also provided with an access control badge that works with card readers, the policy needs to document how that badge is programmed, issued, and retrieved or turned off when the visit ends.
A quick security tip for implementing visitor badges is to use ink and paper that fade to a different color, or display a marking, making it quickly apparent that the badge has expired.
Security System Standards
The Security Systems Standards Policy documents the standards for your company’s specific security equipment and software.
The policy will allow your organization to manage security systems on a holistic basis across your entire firm and is especially important for companies with multiple office locations. This avoids the risk of ending up with many different manufacturers for your devices, which is a maintenance and cross-system integration nightmare.
Security Systems IT Policy
The Security Systems IT Policy outlines the technical aspects of how the security systems will reside on your IT network.
This policy should be coordinated with your IT department and should define whether the security systems are part of a converged network or a separate network. It is also important to describe whether the separation is physical or virtual.
Incident Management and Reporting Policy
The Incident Management and Reporting Policy is important for all firms in that it identifies the process for how security incidents are reported, tracked, and resolved.
An efficiently designed incident management policy and system allows for the ability to identify patterns and trends that can be used to intervene before incidents escalate. The policy can also identify which departments are responsible for providing, storing, and analyzing the information. Often, we see HR departments work closely with Legal and Security departments to develop this policy.
If the office implementing security systems is part of a multi-office firm, we recommend that the organization consider creating company-wide standards for the security systems. If company-wide standards are not implemented currently, we recommend that our clients consider security systems and software platforms that can be easily expanded to be deployed company-wide in the future, should the company prefer to do so. Allowing for this flexibility will future-proof the system. We also recommend that all deployed systems are non-proprietary systems, if possible.
Another typical recommendation is to utilize a unified platform as opposed to separate software applications for the different systems. This will decrease the learning curve of the systems being utilized and leverage efficiencies for cross-referencing data between all security systems.
MOU with Local Law Enforcement
A Memorandum of Understanding (MOU) with local law enforcement is for larger companies with a higher risk profile or those looking for higher levels of protection.
The MOU identifies how your company’s systems are accessible to, or integrated with, local law enforcement. Depending on the level of integration, you may grant your local police department access to view camera feeds, or provide other forms of integration, to assist in elevating the security posture of your firm.
Guard Services Policy
The Guard Services Policy applies if you are using internal guards or an external guard service and outlines how guard services are engaged, their posts, and the prescribed activities they are to perform during their shift.
Unified Security Platform Policy
The Unified Security Platform Policy defines the requirements for a unified security platform. This is a software product that manages all your security systems (video, access, intrusion, etc.) under a single user interface or GUI. This is a recommendation for firms implementing multiple systems. It is common to find vendors selling you on their specific video or access product, which may not be the same. They may state that they integrate, but that is different from having a truly unified platform with one executable computer program. A unified platform is easier to maintain and seamlessly integrates all your devices and reporting structures under one software application. Unified platforms also leverage the most cross-system data to provide actionable information and triggers.
The implementation of any security system or policy should be a purposeful adoption that aligns with the firm’s overall security mitigation, detection, and response strategies. These best practices are typical of what we’ve seen with our corporate clients and should serve as a baseline consideration for your own situation.
We encourage firms to engage other resources they may identify as necessary, such as security consultants, local law enforcement, internal risk management staff, and others. Firms should also engage their internal legal and HR departments to identify the full scope of policies that the organization should implement given their specific position in the market, nature of the business, security posture and risk appetite.