National Park Service Security

 
 

The following is an outline of the topics discussed by Steve Keller of Architect's Security Group, Inc. at the Physical Security Conference Call on January 29, 2013. Steve has done security surveys at dozens of NPS sites over the past 25 years and sees the same type of problems often. He considers fixing them to be the low hanging fruit, problems that can be easily fixed.


Before Steve began his presentation of common mistakes he commented on what he considers to be systemic problems with the NPS as compared to other private sector and government cultural properties and their impact on security. There are reasons for these problems and most have to do with the way the Park Service is structured, certainly how it is inadequately funded, and other complex reasons. Over the years he has offered an opinion on the procurement system that is used and has sometimes riled some feathers in doing so. But as a management consultant who is trained to see the causes of problems, he offers his opinion even if it is not popular. Let there be no confusion: Steve feels that the people who comprise the National Park Service are wonderful people and generally far more dedicated to the mission than he sees in other institutions. He recognizes the gross underfunding and his criticisms are not intended to target the wonderful people of the park Service.


He sees a lack of real ownership in security, sometimes even by those who are actually technically responsible for it, difficulties with the procurement system, an unwillingness by the Park Service to address their security problems on a national level with big picture solutions, and other systemic issues as the problem.


Most Common Security Mistakes National Park Sites Make


1.No one really "owns" security.

a.Officially someone does, but there are no teeth in enforcement.

b.There needs to be an emphasis on good security and it needs to include employees well above your level.

i.When procurement rules negatively impact good security, it is time to re-think the procurement rules.

c.Security procedures and concepts should be simplified in a document given to everyone as part of a security orientation, because interns and volunteers are not going to read and understand more complex directives. "Tell it to them like a five year old."

d.Known security problems sometimes don't get fixed and if they do, it is usually not quickly enough. NPS sites need a process for prioritizing security maintenance requests.

e.The NPS accepts inadequate quality because they are the poor stepchildren of the government.

i.Some of this can be fixed by system wide projects such as

1.Write a model spec for a small alarm system, identifying a group of acceptable panels and detectors.

2.Convert every alarm panel in the system to a national standard. Other government agencies have done this and so can the NPS.

3.Include central station reporting requirements.

4.Develop a design criteria manual like that used by the Smithsonian to define for the non-security trained staff what they need with regard to locks, alarms and cameras.

ii.Do the same for access control systems.

iii.It can be done. Smithsonian has such a model spec.

iv.Smithsonian also has a Design Criteria that defines the exact security required for every type of situation.

1.There is a lack of guidance (until now) so that when you do get new technology, it is often not installed or used properly or poor procurement choices are made.

2.There is no real standardization due to procurement rules although other agencies are able to standardize on specific products.

2.Employees are sloppy about enforcing security practices.

a.Doors are often left unlocked for convenience.

b.I asked to see a playback of a videotape to verify recording quality and found that the tape was many years old, had never been changed, and the recording produced only snow. Why was this not discovered sooner? Because no one owns security.

3.When technology is purchased there is never consideration given to servicing it. Initial purchases should include a service agreement beyond the warranty. And every purchase should define the NPS's warranty expectations.  You ask for a one year warranty when you ask for a warranty but virtually every camera sold in the US comes with a three year warranty. so you just gave up two years of free warranty!


So what are some of the things I observe most often?


Too often motion detectors are removed due to exhibit or building changes and not replaced. Sometimes they are blocked. Staff involved with these changes need to own responsibility for security that is affected by their projects.

There is no daily walk test of the alarm system so detectors that are blocked or not working properly are not discovered or reported.

When detectors that are blocked or removed or don't work, it is unusual that service is provided promptly.

I find single cylinder dead bolt locks with thumb turns on doors with glass instead of locks with a double cylinder. Break the glass, reach through and open the door.

Where the site has purchased a CCTV system, too often, no one is assigned to monitor it. Often the monitor is high on the wall in an administrative office, where it is not visible to anyone in the office and the office is often empty. No one is assigned to monitor it. Why not put it at the main reception desk of the Visitor Center? When it is in the Visitor Center, there is no inclusion of the requirement to be responsible for watching it in the job description or employee/volunteer/intern training.

Often the wrong CCTV equipment is chosen for the task due to light levels, etc. There is a tendency to buy from the Schedule and take what you can get. Too often, security purchases are made without expert assistance.

Being in law enforcement doesn't make you qualified to make good security purchases or decisions. I was in law enforcement and I know this to be a fact. Unless you can quote UL standards and know most of the security "Best Practices" you need advice from people like Mark.

The alarm signal to the central station is often simply a Grade C phone line and does not have a cellular backup. It is easy to defeat an alarm system dialer that uses the phone line. If you are in range of cellular service, you need a back-up to your digital dialer.

Collections are often placed directly against windows where the motion detectors won't detect if the glass is broken and the object is removed. Smash and grab is a real risk. Keep collections away from windows. Provide ample interior motion detection to saturate all of the room.

At night, most sites look unguarded. Why not leave a marked ranger vehicle out front and leave some lights on?

Too many people have access to the building:  keys and PIN codes

oPIN codes are not programmed out of the system or are not programmed out quickly enough after an employee departs

oVolunteers and interns often have PIN codes for the alarm system

While virtually all alarm panels have a duress code, virtually no one at NPS knows what it is or how to use it.



These are just some of the commonly found problems but that's all we have time for. Your region has begun a process that will correct some of these issues. The Intrusion Detection Alarm Plan is a good start as it will help you address the practical issues with your systems.


I do a very low cost security survey for the NPS called a Mini-Assessment of Security. You can get information about it here: http://www.architectssecuritygroup.com/Consulting/mini_assessment.html

We have recently modified the custom checklist we use to include elements of and conform to the Intrusion Detection Plan. I urge you to support this program as it is a great first step.


The important thing for you to know is that the above problems exist. They don't have to make your efforts impossible. You just need to know they exist and work around them; compensate for them.


Steve Keller, CPP

Architect’s Security Group, Inc.

formerly Steve Keller and Associates

555 W. Granada Blvd. Suite G-4

Ormond Beach, FL 32174

(386)  673-5034

steve@stevekellr.com



   

                                                            Navigation Page

Outline of Steve Keller’s Comments on the January 29, 2013

Physical Security Coordinator’s Conference Call