U.S. Geological Survey Manual
CHAPTER 5. INTERIOR PROTECTION
1. Interior Security Controls.
A. After exterior perimeter controls, the second line of defense is interior controls. When an intruder is able to penetrate the perimeter controls and the building exterior, the effectiveness of interior controls is tested. There are few facilities where every employee has access to every area in the facility. Accordingly, access to some areas is necessarily controlled. For example, interior controls are necessary to protect classified information from unauthorized disclosure, to prevent damage to the area or equipment, to prevent interference with operations, for safety purposes, or for a combination of these and other reasons.
B. Usually, interior controls are applied to specific rooms or physical spaces within a building. The senior facility or office manager is responsible for determining whether interior controls are necessary. Office area controls include key accountability systems, locking devices, and access control systems such as sign-in registers and identifying credentials.
C. Determine the extent of interior controls by considering the monetary value and mission criticality of the items or areas to be protected, the vulnerability of the facility, and the cost of the controls. Normally, the cost of security controls should not exceed the value of the item or areas to be protected.
2. Area Designations. The decision to designate areas as either a "Controlled Area" or a "Restricted Area" should be made in conjunction with a decision to close the property or a portion thereof to the public as established in Chapter 8, Paragraph 5.
A. Controlled Area. A controlled area is defined as a room, office, building or other form of facility to which access is monitored, limited, or controlled. Admittance to a controlled area is limited to persons who have official business within the area. Responsible managers are authorized to designate an area as a controlled area after adequate security measures are in place. The following areas should be designated as controlled areas:
(1) An area where classified information or highly sensitive information is handled, processed, or stored. A mailroom is considered such an area.
(2) An area that houses equipment that is significantly valuable or critical to the continued operations or provision of services.
(3) An area where uncontrolled access would interfere with or disrupt personnel assigned to the area in carrying out their official duties.
(4) An area where equipment or operations constitute a potential safety hazard.
(5) An area that is particularly sensitive as determined by the responsible manager.
B. Restricted Area. A restricted area is a room, office, building, or other form of facility to which access is strictly controlled. Admittance to a restricted area is limited to personnel assigned to the area and persons who have been specifically authorized access to the area. Visitors to a restricted area and uncleared personnel must be escorted by personnel assigned to the area and all classified information must be protected from observation, disclosure, or removal. The responsible manager is authorized to designate an area as a restricted area after adequate security measures are in place. The following areas should be designated as restricted areas:
(1) An area approved by the USGS Security Manager for the storage of Top Secret Information (see Chapter 8, National Security Information Handbook (440-3-H)).
(2) An area approved by the USGS Security Manager for the open storage of Secret or Confidential classified information. This includes areas where classified information is normally or frequently displayed, such as charts, maps, drawings, photographs, equipment, or conference rooms where classified information is being discussed. This does not include an office in which classified information is sporadically discussed or displayed and action can be taken by occupants to prevent disclosure.
(3) An area housing keyed Secure Telephone Equipment (STE) (see Chapter 12, National Security Information Handbook (440-3-H).
(4) An area where classified information is visually displayed on an approved standalone office IT system (see Chapter 11, National Security Information Handbook (440-3-H)).
(5) An area that houses mainframe computers or designated IT sensitive systems.
(6) An area that is highly critical or sensitive as determined by the responsible manager.
C. Special Access Program Areas.
(1) Sensitive Compartmented Information (SCI) Facility (SCIF). A SCIF is a room, or a group of rooms, or installations accredited by the CIA where SCI may be stored, used, discussed, and/or electronically processed. The area must meet the rigid physical security standards set forth in Director of Central Intelligence Directive 1/21, Physical Security Standards for Sensitive Compartmented Information Facilities (see Chapter 10, National Security Information Handbook (440-3-H)).
(2) Other Special Access Program Areas. Government agencies outside the intelligence community may have special access programs, which require stringent physical security standards for working and storage areas. The Federal Emergency Management Agency is an example. USGS areas where special-access program information is stored, used, discussed, or processed will be constructed in accordance with standards issued by the sponsoring agency. The USGS Security Manager shall coordinate the approval process with the other agency.
3. Security Vaults.
A. Purpose. A vault is a completely enclosed space with a high degree of protection against forced entry. Vaults are commonly used for storing Top Secret information, special access program information, and extremely valuable materials.
B. Construction. A vault is constructed to meet rigid specifications. The wall, floor, and ceiling construction shall be in accordance with nationally recognized standards of construction practice. An approved vault door and frame unit shall be used. Miscellaneous openings, where ducts, pipes, registers, sewer, and tunnels are of such size and shape as to permit unauthorized entry (normally in excess of 96 square inches in area and over six inches in its smallest dimension), shall be secured by 18-gauge expanded metal or wire mesh, or where more practical, by rigid metal bars at least 1/2-inch in diameter extending across their width, with a maximum space of 6 inches between the bars. The rigid metal bars shall be securely fastened at both ends to preclude removal and shall have crossbars to prevent spreading.
(1) Class A Vaults.
(a) Reinforced Concrete. The wall, floor, and ceiling will be a minimum thickness of eight inches of reinforced concrete. The concrete mixture will have a comprehensive strength rating of a least 3,000 psi. Reinforcement will be accomplished with steel reinforcing rods, a minimum of 5/8 inches in diameter, positioned centrally and spaced horizontally and vertically 6 inches on center; rods will be tied or welded at the intersections. The reinforcing is to be anchored into the ceiling and floor to a minimum depth of one-half the thickness of the adjoining member.
(b) Modular. Modular panel wall, floor, and ceiling components, manufactured of intrusion-resistant material, intended for assembly at the place of use, and capable of being disassembled and relocated meeting Underwriters Laboratories, Inc. (UL) standards are approved for vault construction.
(c) Steel-lined. Vaults may be constructed of steel alloy-type, such as U.S. Steel T-1, having characteristics of high-yield tensile strength or normal structural steel with a minimum thickness of 1/4 inch. The metal plates are to be continuously welded to load-bearing steel members of a thickness equal to that of the plates. If the load-bearing steel members are being placed in a continuous floor and ceiling of reinforced concrete, they must be firmly affixed to a depth of one-half the thickness of the floor and ceiling. If the floor and/or ceiling construction are less than six inches of reinforced concrete, a steel liner is to be constructed the same as the walls to form the floor and ceiling of the vault. Seams where the steel plates meet horizontally and vertically are to be continuously welded together.
(2) Class B Vaults.
(a) Monolithic Concrete. The wall, floor, and ceiling will be a minimum thickness of four inches of monolithic concrete.
(b) Masonry Units. The wall will be brick, concrete block, or other masonry units not less than eight inches thick. The wall will extend to the underside of the roof slab above (from the true floor to the true ceiling). Hollow masonry units shall be the vertical-cell type (load bearing) filled with concrete and metal reinforcement bars. The floor and ceiling must be of a thickness determined by structural requirements, but not less than four inches of monolithic concrete construction.
(3) Class C Vaults. The floor and ceiling must be of a thickness determined by structural requirements, but not less than four inches of monolithic concrete construction. Walls must be not less than eight inches thick concrete block or hollow-clay tile or other masonry units. The wall will extend to the underside of the roof slab above (from the true floor to the true ceiling).
4. Vault Doors.
A. GSA Approved. The GSA establishes and publishes uniform standards, specifications, and supply schedules for vault doors and associated security devices and equipment suitable for the storage and protection of classified information. Vault door manufacturers and prices of equipment approved by the GSA are listed in Federal Supply Schedule (FSS) catalog (FGC Group 71-Part III). A vault door approved by GSA for storing classified information will bear a black "GSA Approved" label affixed to the exterior of the door and a "Class" label affixed to the interior.
(1) Class 5. The class 5 vault door is certified for: 30 man-minutes against surreptitious entry; 20 man-hours against lock manipulation; 20 man-hours against radiological attack; and 10 man-minutes against forced entry.
(2) Class 6. The certified class 6 vault door affords the same protection as the Class 5 except there is no certified forced entry protection.
B. Combination Locks. The Federal specifications and UL ratings for combination locks for vaults are the same as those for safes and storage equipment described in Chapter 7. The procedures for changing combinations, protecting combinations, recording combinations, and repairing combination locks established in Chapter 7, Paragraphs 6 and 7, shall also be followed for vault doors.
A. Purpose. A strongroom is an enclosed space constructed of solid building materials. Strongrooms are normally used for the storage for classified material or sensitive materials, such as firearms. Protection is normally supplemented by guards or alarm systems. Rooms that have false ceilings and walls constructed of fibrous materials, and other modular or lightweight materials, cannot qualify as strongrooms.
B. Construction Standards.
(1) The perimeter walls, floors, and ceiling will be permanently constructed and attached to each other. All construction must be done in a manner as to provide visual evidence of unauthorized penetration. Heavy-duty builder's hardware shall be used in construction. All screws, nuts, bolts, hasps, clamps, bars hinges, and pins should be securely fastened to preclude surreptitious entry. Hardware accessible from outside the strongroom must be peened, brazed, or spot-welded to preclude removal.
(2) Walls and ceiling should be made of plaster, gypsum board, metal, hardboard, wood, plywood, nine-gauge or heavier two-inch wire mesh, or other material of sufficient strength or thickness to deter entry and/or give evidence of unauthorized penetration. Insert-type panels should not be used.
(3) Floors should be solidly constructed using concrete, ceramic tile, or wood.
(4) Windows, which open and are less than 18 feet from an access point (such as the ground, another window outside the area, roof, ledge, or door) should be fitted with 1/2 inch horizontal bars and cross bars (See paragraph 3.B above). In place of bars, number 9-gauge wire mesh can be fastened by bolts extending through the wall and secured on the inside of the window board. All windows, which might reasonably afford visual observation of classified activities within the facility, shall be made opaque or equipped with blinds, drapes, or other coverings.
(5) Where vents, ducts, registers, sewers, tunnels and other miscellaneous openings are of such size and shape (in excess of 96 square inches and over six inches in its smallest dimension) and enter or pass through the area as to permit unauthorized entry, they should be protected with either steel bars, expanded-metal wire mesh or grills, commercial metal sound baffles, or an intrusion detection system.
(6) Doors shall be substantially constructed of wood, metal, or other solid material. When windows, panels, louvers, or similar openings are used, they should be secured with 18-gauge expanded metal or wire mesh securely fastened on the inside.
(7) Entrance doors shall be secured by a GSA approved built-in three-position combination lock (see Chapter 7, Paragraph 7). Other (non-entry) doors shall be secured from the inside with deadbolt emergency egress hardware, a deadbolt, or a rigid wood or metal bar which extends across the width of the door.
6. Intrusion Detection Systems.
A. Purpose. Alarm systems are designed to alert security personnel of an actual or attempted intrusion into an area while also providing deterrence to intrusion. These warning systems detect intrusion or attempts, not prevent them. Any alarm system requires an assessment and a response capability to provide real protection for an area. All systems have weak points by which their functioning can be minimized or even completely interrupted or circumvented. The advantage and limitations of a variety of detection systems are described below.
B. Planning Alarm Installations. Alarms are used to detect approach or intrusion. Some are intended for exterior protection, and some are suitable only for indoor installations. The following should be addressed in determining the need for an alarm system:
(1) Sensitivity or criticality of the operation;
(2) Facility vulnerability to damage, interruption, alteration or other harm;
(3) Sensitivity or value of the information or property stored at the facility;
(4) Location of facility and accessibility to intruders;
(5) Other forms of protection in place or available; and
(6) Guard or law enforcement response capability.
C. Components of an Alarm System. An alarm system is composed of three
main parts: one or more sensors to detect the presence or actions of an intruder,
a control unit that constantly monitors the sensors and transmits an alarm signal
when a sensor detects an intruder, and the alarm annunciator.
(1) Perimeter protection alarm systems utilize point protection sensors almost exclusively, while area protection (volumetric) sensors are used primarily in interior alarm circuits to detect an individual within a building. Object protection provides direct security for individual items and is often the final stage of an in-depth protection system with perimeter and area-protection.
(2) Alarm systems can be designed so that various parts of a building have separate sensor circuits, or zones, and it is not uncommon to have a separate duress or holdup alarm circuit to enable employees to summon security personnel.
(3) The installation of alarm system components is very important. Individual sensors are designed to respond to specific stimuli that indicate the presence of an intruder or attempts to gain entry into a protected area. Similarly, switch sensors must be mounted so that they detect the actual opening of a door or window, but at the same time, the manner of installation should not make them so sensitive to movement that they actuate an alarm from vibrations caused by a truck passing on the street or the wind rattling doors and windows. Care must be exercised in adjusting the sensitivity of the more complex sensors in order to avoid false alarms. Some units can be actuated by a flickering fluorescent light or a telephone bell. Electromagnetic interference from a mobile radio or a thunderstorm can trigger some detectors.
D. Sensors. The three basic types of sensors are perimeter, volumetric, and proximity.
(1) Perimeter. Perimeter protection is the first line of defense. The most common points for sensing devices are doors, windows, vents, and skylights. These may be protected with detectors sensing their opening or breaking. The major advantage of perimeter-protection sensing devices is their simple design. The major disadvantage is that they protect only openings such as doors or windows. If intrusion occurs through a wall or ceiling, these devices are ineffective.
(a) Switches. These devices are usually magnetic operated switches affixed to a door or window in such a way that opening the door or window removes the magnetic field causing an alarm. High security switches are normally balanced or biased magnetic switches.
(b) Metallic Foil. Metallic-foil window tape is the traditional means for detecting glass breakage. Strips of thin foil are affixed to a glass surface. Breaking the glass also fractures the foil, which interrupts the circuit causing an alarm. Metallic foil deteriorates with time and may require frequent maintenance, especially on glass doors where it can be easily damaged.
(c) Screens. Openings such as vents, ducts, skylights, and similar openings can be alarmed by thin wire filaments that signal an alarm if the screen is cut or broken. Often the wire filaments are placed in a frame of wooden rods and require little maintenance.
(d) Glass Breakage (Tuned Frequency). Miniature electronic circuits are bonded to the glass surface. They detect a high-frequency sound pattern within the glass when it is broken.
(e) Glass Breakage (Inertia). A device attached to window or doorframes protects multiple-pane areas. This device detects the shock wave a substantial impact against the surface makes.
(f) Lacing. Lacing can protect walls, doors, and safes against penetration. Lacing is a closely woven pattern of metallic foil or fine brittle wire on the surface of the protected area. An intruder can enter only by breaking the foil or wire. A panel over the lacing protects it from accidental damage.
(2) Volumetric. Volumetric-protection sensors are designed to detect the presence or actions of an intruder almost anywhere within an entire room, from floor to ceiling. A variety of volumetric devices are available. Each kind of detector has some advantages and limitations. Therefore, a device must be selected for a specific environment. A major advantage of volumetric devices is that they provide a highly sensitive and invisible means of detection in high-risk areas. The major disadvantage is that an improper application can result in frequent false alarms.
(a) Infrared. Passive infrared sensors are part of the motion-detection group. They sense the body heat of an intruder as he or she passes through the protected area. Infrared detectors are relatively free of false alarms and are highly recommended.
(b) Ultrasonic. Ultrasonic motion detectors generate a high frequency of sound that is out of the normal range of human hearing. An intruder disrupting the ultrasonic wave pattern initiates the alarm. Ultrasonic devices are prone to false alarms due to excessive air currents or ultrasonic noise from mechanical equipment.
(c) Microwave. This kind of motion detector uses high-frequency radio waves, or microwaves, to detect movement. Because microwave penetrates materials such as glass, and metal objects reflect them, they can detect motion outside the protection area causing false alarm problems if not properly installed.
(d) Photoelectric. Photoelectric devices transmit a beam across a protected area. When an intruder interrupts this beam, the circuit is disrupted causing an alarm. Today's photoelectric devices use diodes that emit an invisible infrared light and usually pulses rapidly to prevent compromise by substitution. A disadvantage is that they can be defeated relatively easily, the beams are narrow and may be discovered or avoided.
(3) Proximity. Object protection provides direct security for individual items.
(a) Capacitance. A capacitance device is used to protect specific objects such as security containers and safes. The capacitance alarm uses the metal construction of the container and causes it to act as a capacitor or condenser. When a change occurs in the electromagnetic field surrounding the metal object, the balance is disturbed and the alarm is activated. The system can only be applied to ungrounded equipment and accidental alarms can occur if the container is carelessly touched when the alarm is activated.
(b) Vibration. These seismic sensing devices use a piezoelectric crystal or microphone to detect the sound pattern that a hammer-like impact on a rigid surface would generate. These devices are attached directly to safes and filing cabinets, or to the walls, ceiling, and floor of vaults. False alarms may occur with these devices by passing vehicles or falling objects.
E. Control Unit. All alarm systems incorporate a control unit, which may or may not be a separate component. The control unit is able to regulate the entire system, turn an alarm system on and off, and transmit the alarm signal to an annunciator. The method for controlling the alarm system is usually a key or a digital keypad inside the premises to avoid tampering. The alarm system is delayed briefly to allow the user to gain access to the system without initiating an alarm. With local systems, the user is responsible for turning the alarm on and off. The central station and proprietary systems shift responsibility for verifying that the system is on or off from the user to the central station or proprietary personnel. Alarm supervision falls into three categories: local, central station, and proprietary.
(1) Local Alarm System. The local alarm system has circuits within the secured areas that are directly connected to audio or visual signal-producing devices such as electronic annunciators, bells, or sirens. The signaling devices are normally mounted on the exterior of the building, or in large buildings at an interior location, where they will be audible or visible at a reasonable distance. It should be protected against weather or tampering.
(2) Central Alarm System. The central-station alarm system is connected to an alarm panel in a centrally located station such as a local police station or guard service that provides monitoring services over telephone lines. When an alarm is activated, the monitoring station initiates a response by either calling personnel designated for the area or by dispatching guards and/or police to the location.
(3) Proprietary Alarm System. The proprietary alarm system is similar to the central station type, except that the alarm panel is located in a manned guardroom on the protected premises. The guard force monitors the system and responds to all alarms. The alarms can also be wired to a central station or nearby police station via telephone wires for backup response.
F. Annunciator. An annunciator sounds an alarm by visible or audible
signals and usually indicates the location of the protected item or premises.
The alarm signal is transmitted
to an annunciator panel that is constantly monitored or to a local signaling device. Local annunciators usually employ an audible bell, siren, and/or bright beams of light to deter the intruder and to attract the attention of persons in the immediate area. Annunciators may be combined in a system that announces alarms both locally and remotely.
G. Line Supervision. The telephone or dedicated lines that transmit the alarm signals from the protected area to the monitoring station must be protected to prevent interruption of the alarm signal. To ensure such integrity, the transmission lines should be electronically supervised. Line supervision refers to the protection various signaling techniques incorporate, such as random tone patterns or data encryption.
(1) CCTV Motion Detection.
(a) CCTV can be used as a detection device to trigger alarms under certain circumstances, much like volumetric alarms, where motion detection is desirable.
(b) A signal generator attached to the monitor can be adjusted to project a pattern of light or dark rectangles, or windows, which can be adjusted in size and location on the screen. The windows can be focused on a fixed object to be protected or alarmed, such as a safe or a doorknob. When the image of an intruder or moving object enters the window, the difference in contrast is detected and triggers an alarm.
(2) CCTV Alarm Assessment/Monitoring.
(a) A CCTV system is not primarily an alarm device but rather a monitoring device. It is frequently used to assess the cause of an alarm or as an access control measure. CCTV can be used at critical locations where visual monitoring from a remote location is advantageous, such as gates, doors, corridors, elevators, and other areas where it is not practical or cost effective to post a guard.
(b) Advantages are that one individual can monitor several CCTV camera locations simultaneously; the image is visual and conveys much more information than other types of alarms; authorized individuals can be distinguished from unauthorized persons; and the signal can be recorded by a digital video recorder for playback and analysis at any later time, including a time-lapse mode for quick playback of lengthy periods of tape coverage. This system is often used in conjunction with a date-time generator, which can project a continuous image of the date and time in the corner of the monitor screen.
(c) Disadvantages are that monitors do not normally provide an alarm to alert the observer, the attention span of persons monitoring TV images is traditionally short, and there are often distractions at monitoring stations.
I. Emergency Alert Alarms. The teller's hold-up alarm in a bank is the most common illustration of an emergency alert alarm. Based on a risk analysis, emergency alert alarms should be considered at medical treatment facilities, personnel counseling or interview offices, credit unions, cash handling activities, and other high risk areas. The type and location of the device should be selected carefully to ensure the device is readily available for surreptitious activation in an emergency. If there is a building security force, a silent alarm should enunciate at the dispatch point. If not, the alarms can be monitored by a central station or direct connected to local police.
The planned response to an emergency alert alarm must be designed to prevent endangering the occupants or creating hostage situations.
(1) Hold-Up Switches. The actuating device should be designed to avoid accidental actuation. Double squeeze buttons, triggers in trigger guards, and a variety of other devices can be used.
(a) Manual Switches. A hold-up alarm system in which the signal transmission is manually initiated by the person attacked activating the device. These alarms can be wireless.
(b) Automatic Switches. A hold-up alarm system that is automatically activated by device such as a money clip in a cash drawer.
(2) Foot Rails. A foot rail is an emergency alert alarm securely mounted on the floor and designed to minimize nuisance alarms, yet permit unobtrusive operation.