This article offers suggestions stemming from the author's recent research indicating that CSOs are most concerned with problems relating to their employees, such as violence, fraud, theft, unethical conduct, and drugs and alcohol in the workplace. Often these problems are caused by a failure to implement clear policies and procedures, generating behavior that undermines organizational authority, jeopardizes organizational efficiency, and often results in lawsuits due to premises liability, negligence, foreseeability, etc. Organizations need a robust security program with strong policies and procedures to channel employee behavior, create an honest employee culture, and provide legal structure.
Many studies have shown that employees are a company's greatest asset while also the source of their greatest problems. One survey that pinpointed the concern was the survey report by ASIS. The top threats to companies are as follows:
Of the top eight threats to companies, more than half can be traced back to employees; however, many companies fail to recognize that employees are a major problem and fail to take a proactive approach to the problem. Most companies just live with the problem and react when an incident occurs. The reasons for this vary, but companies often feel that these are isolated incidents caused by a few problem employees or that there is no perceived benefit in pursuing the perpetrators. Most companies try to avoid hiring potential problem employees and detect and investigate employee losses on their own. As long as they catch (and fire) the thief and get some kind of restitution, such as recovering what the employee stole or having insurance cover the loss, companies feel they have done all they can. There is also a fear of negative publicity, although this aspect is changing. Employers are realizing the benefits of letting other employees know that these crimes will be detected and will not be tolerated.
To illustrate the severity of the problem, here are a few examples:
If you ignore problem employees or handle workplace problems ineffectively, you will soon have an employee turnover problem because your good employees will go elsewhere.
Negligence can apply to the hiring, supervision, and retention of an individual employee if a violent act by that person is foreseeable.
Douglas Watson (Watson, 2000) documented in his doctoral thesis that the four factors that most influence employee behaviors in the workplace are as follows:
Looking at these factors, which ones can we influence to reduce the employee problems in our company? We can easily see that an individual's culture plays an important part in forming his or her behavior in the organization, but this is not something we can control. However, the other three factors can very much be influenced by the company and are directly related to policies, standards and procedures, and training.
The objective we hope to achieve with policies and procedures is to get our employees to believe that having an ethical corporate culture is good for the company and for themselves. The company security function can best accomplish this objective in several ways:
Without proper program documentation, training, exercises, and enforcement, employees can become confused and overreact; lawsuits may result from inconsistent application, security officers may not know how to respond, valuable time may be wasted, and problems often occur. A review of lawsuits showed several cases where firms were sued for millions of dollars for a variety of issues, including failure to provide proper training for monitoring security systems, failure to have enough security officers on duty, failure to have adequate security patrols during certain hours, failure to conduct pre-employment screening to weed out employees with violent backgrounds, improperly retaining employees who have violated standards of conduct, and other issues that could be traced to the absence of policies and procedures or the failure to enforce them. Regulatory authorities have taken action against companies that violate various acts, such as the Financial Services and Markets Act of 2000. One company was fined over $10 million for not taking reasonable care to establish and maintain effective systems and controls for countering the risks of bribery and corruption associated with making payments to non-authorized, overseas third parties who assisted the company in winning business from overseas clients (Westinghouse Air Brake Technologies Corporation, 2008).
The remainder of this report will be devoted to recommendations on how to develop meaningful policies and procedures, gain buy-in from your employees to create an ethical corporate culture, and deal with employee problems legally and effectively.
Security governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. Our research has shown that through their emerging capabilities in the area of security governance and risk management, many companies are taking proactive steps to ensure that their investments in security controls directly support their objectives for the business. A consistent, company-wide view of security risks that integrates both physical security and IT security is an essential element of this strategy. By combining superior security governance and risk management with an integrated approach to logical and physical security, companies gain a distinct advantage for competing in the global economy through an optimized IT infrastructure and better protection for their digital, physical, and human assets.
A security program is a system of individuals, processes, policies, standards, and procedures developed to protect the company's assets and ensure that the company adheres to all applicable federal and state laws, industry regulations, and private contracts governing the actions of the organization. A security program is not merely a piece of paper or a binder on a shelf; it is not a quick fix to the latest hot problem; it is not a collection of hollow words. An effective security program must be a living, ongoing process that is part of the fabric of the organization. A security program must be a commitment to an ethical way of conducting business and a system for helping employees to do the right thing. On a very basic level a security program is about education, definition, prevention, detection, collaboration, and enforcement.
Physical Protection Systems
A Physical Protection System (PPS) integrates people, procedures, and equipment for the protection of assets or facilities against theft, sabotage, or other malevolent human attacks. The functions of PPS are detection, delay, and response (Garcia, 2001).
A security policy is a general statement of management's intent regarding how the organization manages and protects assets. A policy is a guiding principle or rule used to set direction and guide decisions to achieve rational outcomes in an organization. It is used as a guide to decision making within the framework of objectives, goals, and management philosophies as determined by senior management. Policies exist to make sure that decisions fall within certain boundaries, leading to a consistent and fair approach. Policies are compulsory and supported by standards and procedures.
Security policies are office rules used to support management philosophies and set the tone for a security-minded culture. Security policies are also used to set a standard for projecting your company image or to communicate regulations that apply to all personnel. Policies are most effective when they are issued and supported by top management as a result of interpreting the company mission and vision statements and regulations. Policies are used to implement laws, industry standards, and common practices.
A policy is more effective when standards are also developed. Security standards address what must be accomplished in specific terms, containing the means by which to implement one or more security policies. Standards are compulsory and supported by procedures.
A security procedure is a set sequence of mandatory activities that perform a specific security task or function. Procedures are normally designed as a series of steps to be followed as a consistent and repetitive approach to accomplish an end result. Once implemented, security procedures provide a set of established actions for conducting the security affairs of the organization, which will facilitate training, process auditing, and process improvement. Procedures implement the consistency needed to decrease variation in security processes, which increases control of security within the organization. Decreasing variation is also a good way to eliminate waste, improve quality, and increase performance within the security department.
The Difference Between Policies and Procedures
A policy is a guiding principle used to set direction in an organization. A procedure is a series of steps to be followed as a consistent and repetitive approach to accomplish an end result. Together, policies and procedures are used to empower a company with the direction and consistency necessary for successful implementation of security processes.
Importance of Security Documentation
Security policies, standards, and procedures are used to translate the company's business philosophies into action by utilizing sound security principles. Well-designed security documentation for businesses is an invaluable communication tool for efficiently running operations within the security department and bridging the gap between interrelated departments in the company. Policies, standards, and procedures improve decision making by having an authoritative source for guidance and for answering questions. Well-developed and documented security policies and procedures ensure compliance with national and local laws, regulatory agencies affecting business, government contracting authorities, independent certification organizations, and company standards of conduct. Policies, standards, and procedures serve as a quality control mechanism for the security organization. This helps ensure optimum operations and consistent delivery of the finest security services. This program documentation provides the leadership, organizational structure, and processes that ensure the following for the company:
Benefits Derived from a Strong Security Program
There are many benefits to a company when they implement an effective security program. The following benefits are some of the most important:
Many companies believe that the solution to their security problems is technology and manpower, but in reality, management should implement low cost solutions that support behavior modification, such as implementing policies and procedures, training managers and employees on security matters, and developing frequent security awareness communications programs. Higher cost solutions should be applied only after less costly solutions have been exhausted and significant risk remains. This is illustrated on the Security Source Online (SSO) website as shown in the figure on the right (Nesbitt, 2007). While it is imperative that the organization has policies and procedures, it cannot be emphasized enough that the only thing worse than not having a policy is having a policy and not enforcing it. Another axiom says, "don't enforce policies you don't have." In other words, if you don't have a policy regarding use of the company telephones, don't try to take action against an employee for improper use of the telephone.
No security documentation should be implemented until you have done a complete threat and risk assessment of your company. A qualified and objective professional should conduct security assessments. Often the use of a qualified security consultant achieves the best result because of his or her independent perspective; objectivity is one of the biggest advantages of using a consultant. If you decide to contract with a security consultant, be sure the consultant has no ties to the security product industry, including contract guard services and security equipment manufacturers.
Once you have assessed the threats and vulnerabilities your organization faces, consider what steps can be taken to improve your physical security. You then create security policies by putting these steps in writing. The resulting documentation will serve as a basis for the security program. All managers and key employees involved with security should be required to review, improve, and implement these security program documents. Security plan documentation is aimed at reducing your overall risk. It will therefore have at least four objectives, based on your risk assessment:
The standards of conduct, first and foremost, demonstrate the company's ethical attitude and its emphasis on compliance with all applicable laws and regulations. The code of conduct is meant for all employees and contractors of the company. This includes management, vendors, suppliers, and independent contractors. From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by standards of the code of conduct. The code of conduct provides a process for proper decision-making. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper conduct. Managers should be encouraged to refer to the code of conduct whenever possible, even incorporating elements into performance reviews, and compliance with standards of conduct must be enforced through appropriate discipline when necessary. Disciplinary procedures should be stated in the standards, and the penalty—up to and including dismissal—for serious violations must be mentioned to emphasize the organization's commitment. All employees must receive, read, and understand the standards and attest in writing that they have done this.
In addition to the standards of conduct, three types of security policies, standards, and procedures should be developed by every organization: framework, all employee, and security specific. All three types of policies, standards, and procedures are essential to a security program so that rules to which employees will be held accountable and the method for enforcing rules are clearly documented.
1. Framework Policies, Standards, and Procedures
The framework documentation creates the structure of how the security organization is staffed and how the security program operates. In addition, framework policies also cover other business practices such as the employee selection process, background-screening requirements for new employees, the company's workplace violence policy, and the business continuity plan.
2. All Employee Policies, Standards, and Procedures
These documents define the applicable laws, security regulations, and rules that apply to all employees and how to operate compliantly within those rules. They also indicate the applicable risk areas to an organization and describe appropriate and inappropriate behaviors with regard to those risk areas. These documents should cover such subjects as the use of company computers, telephones, and other company assets and how the company monitors employees' actions. These documents set the tone for the corporate culture and should be strict but flexible, designed to meet the employer's needs, restrict employee actions, diminish the employee's expectation of privacy, and consistently be enforced. These documents are the most important ones for building a strong corporate culture.
While most common law jurisdictions recognize the right of an individual to take legal action for an offense known generally as "invasion of privacy," such actions historically have not provided employees with additional protections. Courts have found that employers' monitoring of their employees' electronic transmissions involving e-mail, the Internet, and computer file usage on company-owned equipment is not an invasion of privacy. Invasion of privacy claims against an employer generally require employees to demonstrate, among other things, that they had a "reasonable expectation of privacy" in their communications. Courts have consistently held, however, that privacy rights in such communications do not extend to employees using company-owned computer systems, even in situations where employees have password-protected accounts.
3. Security Specific Policies, Standards, and Procedures
These documents provide detailed instructions to security employees for accomplishing specific security duties. These are extremely important as security system installation, operation, and monitoring are integral to the security program. Security systems such as electronic access control, intrusion alarm, closed circuit TV (CCTV), and monitoring systems are designed to detect events that are not expected in a facility, provide alarms to alert personnel monitoring security systems, assist them in determining the cause of the alarm, and then provide the ability to dispatch an appropriate security response. Access control systems should alarm if an unauthorized person tailgates behind an authorized person through a door or turnstile into a facility. Intrusion detection systems should alarm if an intruder opens a door or window at the wrong time or without presenting a valid ID card or code. For each alarm point, security personnel assigned to monitor alarms should have detailed operating procedures describing what actions to take to assess the alarms (David G. Patterson, 2005). Companies are expected to exercise reasonable care in training and supervising their employees in the design, installation, operation, and monitoring of security. There are numerous lawsuits concerning poor security personnel practices, negligent training, and negligent supervision.
Companies should establish a consistent structure and format for all policies, standards, and procedures. Companies should also establish a configuration management system to ensure that all documentation is in the same format, is updated annually (at least), and is located on the company intranet where all employees can find and read it. Some companies have achieved good results using social media constructs such as blogs, wikis, and Microsoft Office SharePoint Server (MOSS). A wiki is a website that allows the easy creation and editing of any number of interlinked web pages. Wikis are particularly efficient as a central repository for company policies and procedures. Everything can be kept in the wiki, making it easy for employees to revise documents and eliminating the need for emails to circulate these materials.
MOSS is also a robust collaboration tool, accessible organization-wide, that allows users to view all files and emails that pertain to specific policies and procedures.
Each document should have the following sections:
If only a page or section is changed, a new revision should be issued for the entire document reflecting the date of the change. Don't replace only changed pages. The security manager should maintain a log showing the name, number, creation date, and revision dates of all documents. In case of litigation, it is important that all versions of the documents are retained in the files and logs so the security manager can easily demonstrate what business practices were in effect at the time of any claims or incidents.
Security program documentation must be living documents, not just a binder on a shelf. They must become integral to the day-to-day operation of the organization. That is what a judge will look for in a litigation case. How are the policies and procedures applied throughout the year? Are they incorporated into employee performance reviews? Are they reviewed and updated according to a schedule and on time? Are employees trained on them?
Security Awareness Education
Security awareness education and training go hand in hand with your policies and procedures and strengthen your company's security program by demonstrating to employees that management supports the program enough to provide training. Listed below are three suggested types of training:
Your employees are an excellent source of knowledge about what is really going on in the company. Approached in the right way, they will help identify problem employees and weaknesses in controls and make suggestions for improvement. If management responds to their feedback by changing procedures and rewarding them accordingly, employees will recognize the benefit of participating in the process of improving their organization and will continue to find ways to contribute. Periodically send out questionnaires to a sampling of employees for feedback on your program and conduct focus group interviews. Ask them openly about risks they see to the company, their daily activities, the policies and procedures, and whether they observe areas for improvement. Ask employees to be truthful about whether all employees actually follow the policies and procedures or whether they find ways to ignore them. Our research concludes that the best method to catch fraud and other crimes committed by company employees is through tips received from other employees. One of the keys is to make sure that employees who support you with suggestions are rewarded.
Data collection and tracking the performance of your security program are very important because they provide you with the ability to accomplish trend analysis and measure progress of the security organization in achieving its goals. Consider the following techniques:
Employees will be much more supportive of the company terminating an employee for a violation of company policy than of letting them go for no reason. The place to start with enforcement is back at the beginning with the standards of conduct and the policies and procedures. One of the framework documents should set forth the degrees of disciplinary action that may be imposed upon corporate officers, managers, and employees for failing to comply with the organization's security program documentation and applicable statutes and regulations.
That policy should include five main points:
Failure to detect or report an offense is a serious act of noncompliance and equally as deserving of discipline as the actual misconduct. Compliance with policies, standards, and procedures is an active, ongoing process that is everyone's responsibility. Security managers should consult closely with their human resources (HR) and legal departments. There are probably existing disciplinary policies and procedures already in place that can serve as a guide in developing new ones. Your HR and legal colleagues will advise that you should not discipline employees without having properly informed them of the rules.
The first step towards enforcement is distributing the standards of conduct and other policies, standards, and procedures and educating employees about them. The training should include the consequences of noncompliance. Punishment for noncompliance can include oral warnings, written warnings, suspension, privilege revocation, financial penalties, or termination. Many organizations use this type of progressive discipline.
The first step in this process should be a supervisor's conference. The purpose of the supervisor's conference is to make sure the employee understands the problem and is committed to correcting the inappropriate behavior. Depending on the situation, the next step might be a conference with a higher level of management, or it could be a written warning. The written warning is the more severe next step, and it emphasizes the seriousness of the situation and stresses the urgency of modified behavior. It should also state that the employee will face further disciplinary action, up to and including termination, if the problem behavior continues. Subsequent steps might include suspension without pay or imposition of a probationary period in which the employee is advised to correct the behavior within a certain time period, e.g. 30 days, or face termination. The final step is termination once all other options have been exhausted. The severity of the infraction will determine the steps. Certainly, any step beyond the basic supervisor's conference should involve the HR and legal departments and the workplace violence team, including a security representative (if one has been established). Proper and thorough documentation will be essential.
The following is a typical disciplinary action chain. These steps may be repeated more than once or skipped depending on the level and severity of the offense:
Punishment should be commensurate with the offense. There are offenses, such as blatant acts of fraud, that warrant immediate termination, but most infractions will likely be relatively minor and most likely unintentional. These may best be handled with education or additional training. Education should never be labeled as punishment. When put in a positive and supportive context, it can efficiently correct noncompliant behavior. Be sure your policies and procedures include remedial steps such as additional training. Discipline is only a part of the enforcement equation. Objectives and plans for individuals and departments should include security initiatives. Achievement of those plans, especially when rewarded, is a positive reinforcement that encourages support for and enforcement of the security program. Performance appraisals should include security elements and allow supervisors to recognize favorable or improved security performance. Your security program will be better enforced if you also find ways to reinforce through positive means and not just disciplinary measures.
ASIS. (2009). Results of 2009 Survey: Impacts of Current Economic Environment on Security. Alexandria, VA: ASIS.
Coffin, B. (2003). Breaking the Silence on White Collar Crime. Risk Management Magazine.
Patterson, D. G. (2005). Implementing Physical Protection Systems: A Practice Guide. Alexandria, VA: ASIS Press.
Davis, G. (2009, September 17). Associated Content. Retrieved October 13, 2009, from Associated Content: http://www.associatedcontent.com
Garcia, M. (2001). The Design and Evaluation of Physical Protection Systems. Burlington: Butterworth-Heinemann.
Nesbitt, W. (2007, February 3). The Security Solution Hierarchy. Retrieved August 27, 2009, from Security Source: http://www.securitysourceonline.com
Watson, D. (2000). Ethics and Corporate Investigations. ACFE Fraud Symposium. Dhahran, Saudi Arabia: Saudi Aramco.
Westinghouse Air Brake Technologies Corporation, Litigation Rel No. 20457 (SEC Feb 14, 2008).
David G. Patterson, MEA, CPP, PSP, CHS-III is a Principal Partner in Patterson & Associates Global Consulting Services located in San Francisco, California, and has over 30 years of international experience as a corporate safety and security consultant for Fortune 500 companies, schools, and governments. He is a recognized author and lecturer with the ASIS International Council on Physical Security in the areas of anti-terrorism, security systems integration, safety, workplace violence, and business continuity planning. He has also served on the faculty for the Physical Security Professional (PSP) Certification program and has developed online courses for this program.