Security Consulting Case Studies

Security Risk Assessment

Security Awareness TrainingBackground

Protection Management, LLC was retained by a multi-million dollar tourism destination to review their safety and security program, measures, and management. This client was experiencing internal staffing, morale, and confidence issues within the security department, as well as experiencing unexplained losses from their retail services. The confidence in security was reported to be at an all-time low following internal security management issues.

Approach

The client provided background information, policies, and security files during the site visit, and they arranged for unrestricted access to all corporate staff, management, worksites, and services. A thorough security risk assessment was conducted by Protection Management, LLC, as well as internal review of the security department. During the assessment numerous employees and managers were interviewed, and the underlying morale and confidence issues were identified. Also identified was the fact that security policies were minimal at best and the ones in place had not been updated in years. In addition to that there were findings of internal theft and diversion of company property, as well inventory control issues that compromised the stock and handling processes. Based on the assessment findings and documentation provided, Protection Management, LLC provided the client with a comprehensive report that detailed the areas of vulnerability, risks, threats, and security operation deficiencies. Also provided to the client was a comprehensive list of recommendations to resolve and/or mitigate the findings. Protection Management, LLC also presented the findings to the corporation Board of Directors, and continues to provide ongoing support services as needed while the corporation seeks to fill the security director position.

Results

The corporation instituted the recommendations provided within the assessment report, and they are in the process of hiring new security management personnel.  Protection Management, LLC continues to support the Human Resources and Board of Directors in an ongoing effort to institute positive changes throughout their operation. 

Active Shooter Incident

Active Shooter TrainingBackground

Protection Management, LLC was retained by a medical center to review their safety and security program and measures as a result of an active shooter threat. This client experienced a situation where they received multiple calls from a disgruntled person that threatened to show up at the medical center campus and murder administrators, staff and patients. The client had already conducted an internal review, but due to internal pressures they elected to retain a security expert to conduct an independent review.

Approach

The client provided background information, policies, and security files prior to the site visit, and they arranged for unrestricted access to all emergency department medical staff, hospital management, workspaces, and security personnel. A thorough security risk assessment was conducted by Protection Management, LLC of the emergency and security departments, as well as review of the actual incident findings and after-action reports. During the assessment numerous security and emergency department employees, managers, and physicians were interviewed, as well as Risk Management, Emergency Management, and Legal services. An extensive review of security policies and protocols was conducted and the security technology for alarms, cameras, and communications were reviewed. Based on the assessment findings and documentation provided, Protection Management, LLC provided the client with a comprehensive report that detailed the areas of vulnerability, risks, threats, and security operation deficiencies as they related to the incident in question, as well as pre-existing vulnerabilities and risks that were not previously identified. The medical center was also provided an extensive list of recommendations to resolve and/or mitigate the findings. Upon review of the findings this client moved forward with implementing changes which included an organization-wide culture change with regards to security services and protocols as recommended in the final report.

Results

The medical center instituted the recommendations provided within the assessment report, and they continuously work to make their campus safer for their staff and patients. They have not had a repeat incident to-date, yet they are in a much better position to handle one in the future. 

Security Expert Opinion

Background

expert-opinionProtection Management, LLC was retained by a law firm that was representing a medical center and its security department in a Use of Force civil case. The litigation revolved around a security officer allegedly using excessive force to restrain a patient who was attempting to leave the medical center and the resulting encounter resulted in injury to the patient. The plaintiff’s counsel argued that the amount of force used was excessive and that security did not properly follow established policies or protocols. Our expert was asked to review the case files and supporting documents and render an opinion on the case facts and submit a written Expert Opinion.

Approach

The medical center’s law firm provided the case files, court filings, depositions, interrogatories, and other legal documents, as well as policies, training records, and hospital forms used by the security staff. A thorough review was conducted of the files and documents and it was determined by our expert that the security officer was following established written policies, and that the injury was direct result of the patient being aggressive towards the security officer and the security officer was only defending himself. A comprehensive security expert opinion report was generated using a widely accepted Forensic Methodology best practice as well as other professional resources. The report addressed all Statement of Facts in the court filed Complaint, and offered an opinion on the testimony provided in both the Interrogatories and Depositions.

Results

After submitting our Expert Opinion report the case eventually settled prior to the deposition of our expert or appearing in court to testify.

Security Access Control

Our firm was retained to conduct a security risk assessment of the client’s properties which included numerous campuses in an urban setting, as well as satellite campuses located in smaller communities. Our client was a large employer with over 4,000 employees and had corporate influence on a regional level.Hospitality Security and Housing Security Due to internal security issues, as well as perceived security lapses and/or inefficiencies, the administration requested a comprehensive review of all aspects of the corporate security including security technology, staffing, operations, training, policies, and management. As part of the overall security risk assessment we found that the most often reoccurring issue was the fact that access control, both electronic controls and physical controls were not functioning and/or being managed properly as per industry accepted standards and best practices. Mainly it was found that the doors, both interior and exterior, were not locked, and in many cases could not be locked due to staff manipulation. Therefore their environmental security was at risk and was likely the root cause of several security related incidents in the past. Our approach was to evaluate all aspects of their present state of security and determine their risks, vulnerabilities, and where there future threats to the organization may come from.

Security Methodology

Although this organization had conducted security risk assessments in the past, from all appearances those assessments were not comprehensive enough to address all security concerns. We base that opinion on the fact that the issues identified during our assessment had been ongoing for years and there was no identified methodology used as part of the past assessments. In order to conduct a proper security risk assessment the person or security expert leading the project must have an industry accepted methodology so that the project’s scope and overall approach can be determined prior to the commencement of the project, as well as throughout the review all the way into the final report phase. Our approach was to utilize a hybrid of the Department of Homeland Security, ASIS International, IAPSC, CARVER and RAM methodologies. These are all proven methodologies utilized by numerous security experts across all disciplines. Each of the methodologies has strengths that an expert can draw from, and in many cases experts will pull from more than one resource. The best way to describe our approach is to say that depending on the project, client, and business type, we will employ the most practical methodology available, and we often find that a hybrid approach is the best option. In essence, this is not a time to utilize a cookie-cutter approach or go at a project without a proven technique, and if it requires the use of more than one method a security expert should do so. In addition to the methodology in most cases there are industry standards, best practices, and depending on the project there are often proven crime prevention strategies. In this case study all of those resources were utilized. For industry standards we pulled from resources such as ASIS International, IAPSC, and several other recognized entities. There are also numerous research papers and publications available online or for purchase. Our professional library includes publications such as the Protection of Assets manuals, which is one of the best resources for security professionals.

Case Study

As with every other physical security risk assessment we will review access control, which will include locks on doors and windows. There are numerous types of locking devices that range from latches that offer very little security, all the way up to and including electronic access control equipment. The most common type of locking device is a door lock, and this normally involves a key cylinder and a key. Even with locks and keys there are several levels of security. For example a home has a standard lock and key with the key having one cut of “teeth” along an edge of the key blade. More sophisticated keys will often have other features such as side cuts (e.g. A four-sided key [also known as a cross or cruciform key] has four sides, making it harder to duplicate and the lock harder to pick). Another often found locking system is what is referred to as a Chiper lock. Although these can be very convenient for staff to use, their price is hundreds of dollars each, and they can actually offer less security than a lock and key. When conducting the tour of the facilities for this client we found all of the above locking systems in use. Since the security director had not been in his position for a long time there was no information available as to why certain locks were used in some locations. Generally speaking the type of locking system used would have been determined during a previous security risk assessment or as part of the security master plan.Security Access Control Since the general intent of a door locking system is to secure that portal either at all times or during certain times (i.e. after-hours), and with the chipper locks costing in the $500-$900 range each, and electronic access control costs per door can be between $2,000-$5,000, as a security manager you want to insure that the equipment is placed in order of priority, and that it not only functions as designed and intended but that security officers monitor the use and functionality of the devices. However, that is not always the case. As illustrated in this picture staff had manipulated the door locking system so that it would not lock. Again, although this locking device, a Chiper lock, is a very easy lock to use by staff, and offers immediate access once the code is entered into the keypad, staff felt as if it was too much work to enter the code so they defeated the lock as shown in the picture.

Locksmith Management

In some organizations the actual servicing of the locks and keys is conducted by the Facilities staff (maintenance department). In others security may have a role in the actual locks and keys, or in some cases the entire job of changing locks and cutting keys are sub-contracted out to a certified locksmith service. In this case all locksmith services were in-house by the facilities staff and there was very little oversight by security. In fact, it was difficult to ascertain if security had any role whatsoever in the planning, installation, or management of the locksmith services. Security was by all accounts the department responsible for the security of the facilities and yet they had no direct or indirect oversight of any part of the services. In fact when the security officers were asked about the locks being manipulated to the point where they would not function and what they felt their role was in addressing that issue, they were consistent in their response that they did not know what to do. We also found that there was no inventory of master keys for the client, so in reality they had no idea how many master keys there were or who possessed them. Of course this is an issue for any business, let alone a multi-million dollar operation.

Analysis

Overall the security risks associated with the access control systems for this client were very high. At a few locations there were doors that could not be secured even after hours, and there was no way to determine how long this vulnerability had been present. Although security management was an interim position at the time of this assessment, it was clear that the most recent manager had no system in place to manage access control. There was no security management plan, security master plan, or any form of access control plan in place.

Security Culture

Overall there was a corporate culture of security, yet staff was placing blind faith in the security department and its management. The internal operations of the security department presented no evidence of ongoing security training of the officers, nor was there any indication that the former security management had sought out any continuing education or training. Security officers were never trained on how to manage access control or how to report/document adverse findings while making their rounds. Although during every shift the officers observed unsecured doors and windows, and clearly understood related risks and vulnerabilities, they were never trained on how to address the issue.

Conclusions and Recommendations

As part of our security risk assessment report we made numerous recommendations for immediate changes based on industry standards and best practices. Keep in mind that in most cases there are no requirements that security actually perform locksmith duties which could include key cutting, changing lock cores or repairing door hardware. However, security being the department that is responsible for the access control must have overall management oversight of all parts of the access control systems. In other words, maintenance may replace a door lock and cut a key, but not without the oversight and approval of security management. As for the recommendations; First and foremost we recommended that the organization seek out a security director that had experience in access control systems as well as security management. The client had certain requirements for the next security director so we built those into the recommendations to insure that they had a roadmap of sorts to find the right person for the job. While going through the advertising, interviewing and selection process we recommended that the organization conduct a complete inventory of the existing locks and keys, as well as access control devices such as key fobs, card access, and bio-metrics. We also suggested that they immediately conduct a system-wide review of all locking devices and correct any locks that have been manipulated so that the lock could not engage as designed. At the same time we recommended that all cipher lock door codes be changed and individual access codes be assigned to each person that needs access, so that there was not one code for everyone.

Other Recommendations Included:

  • A complete review of access control systems in use to determine their intent, functionality, and effectiveness.
  • Development of an Access Control Master Plan as based on known or perceived security risks, designating priority migration to an electronic access control system.
  • Training for the security staff to recognize security deficiencies and take corrective actions in a timely manner.
  • Assigning and training a designated locksmith for the organization’s properties (Note: Contracting out this service was not feasible due to security and confidentiality reasons).
  • Update the Security Master Plan to include identifying security sensitive areas, or high-risk areas, and document the types of access controls in use, as well as the management of systems.
  • A complete and comprehensive inventory of all locks and keys to determine who has what keys and to determine if they needed those keys.
  • An immediate re-key of any security sensitive areas, and to insure that those new keys were off the existing master key system and keyed to a completely new keyway.
  • Development of a Security Master Plan upon the hire of a professional security director.
In conclusion we provided the client with over 35 recommendations that not only informed them what to do, but also what the expected outcome should be of each of those recommendations. Each recommendation was aligned with an existing security standard as published through a number of professional organizations.

Law Enforcement Contracted Private Security

There are times when a law enforcement agency will need to retain the services of a private security contractor to guard or watch a patient in an inpatient setting. Law enforcement contracted private security has become more common in the last 5-8 years as a result of staffing and budget challenges with law enforcement agencies.

Guarding Forensic PatientsGuarding Forensic Patients

A forensic patient is one that is under the control, in a number of different ways, of a law enforcement agency. For example when a police officer brings a person that is in custody to a hospital to be treated for a medical issue, or requires a medical clearance prior to being booked into a correctional facility, that patient is under the control of the police officer.

Over the years there has been a trend in many states and jurisdictions where police officers would “un-arrest” a prisoner so that the person could be treated in a hospital. After receiving treatment the police officer would basically re-arrest that person and take them into custody. That may seem odd to most people, but in most cases this happens because the law enforcement agency does not want to be responsible for the medical bills of that patient.

One case that happened in California is a prime example of this practice. In that case a deputy sheriff arrived at a medical center with a prisoner in an orange jail jumpsuit, who was also handcuffed and had shackles around his ankles. After leading the prisoner into the emergency department the deputy proceeded to remove the handcuffs and shackles and advised the medical staff that he (the deputy) was leaving and he will be back later to pick up the prisoner and return him to the county jail. Shortly thereafter the deputy left the hospital without his prisoner much to the dismay of the E.D. staff. In this case not only did the deputy relinquish custody of his prisoner, he left the medical center without proper security for that prisoner.

In the above case this deputy had no security plans for the patient/prisoner and in fact he likely placed the entire facility at risk for the period of time that he was off the medical center property. Although the practice of “un-arresting” a prisoner is an ongoing concern in many states, for the most part law enforcement officers will normally remain with the prisoner for security reason.

In some cases a prisoner will need to be admitted into the hospital for treatment and their stay can be extended if their medical condition warrants it. When this happens the law enforcement agency will determine if security is needed 24/7. Although they will often ask the medical center to provide such security, in many cases the medical center will turn down those requests due to a number of reasons. If there is a need or requirement for 1 on 1 security for the patient, it is normally the responsibility of the law enforcement agency to provide such security, either with a member of their staff or they will contract with a private security contractor for such services.

Contracted Private Security

The main reason that law enforcement agencies do not place a police officer on patient security duty is the costs. First, most agencies cannot afford the costs of 24/7 security by a police officer, which will normally be done on an overtime basis.

In other cases the law enforcement agency may have minimal staffing and they cannot take someone off of their regular schedule for this special assignment.

Because of the reasons stated above, and possibly other reasons, law enforcement agencies will often seek out a private contractor to perform the security services at a fraction of the costs that they would spend on a peace officer doing the same duties.

In these cases the security contractor is being hired and managed by the law enforcement agency, not the hospital. This arrangement can and has caused problems in the past and can increase liability for all parties if this arrangement is not properly managed.

Qualified Security Contractor

So when law enforcement is looking to contract out guarding of their prisoner is there a certain level of qualification that the agency is looking for? Is there a minimal standard for guarding a prisoner/patient? The short answer is no, other than some states require security officers to possess a “Guard Card” to work as a security officer. However, that does not mean that the “guard” has received any training in forensic patients, and in fact in most cases they have likely not received anything more than minimal state mandated security training at best.

When we evaluated the contracting of private security contractors that were hired by law enforcement agencies in a few states we found that there was no required training that was mandated by the law enforcement agency. In fact, when it came time to contract the service out the deciding factor in almost all cases was the amount of the bid for providing services, in other words what agency had the lowest bid.

In one hospital system it was found that the law enforcement agency made no attempt to insure that their contractor had the proper license to perform services, and/or to carry weapons. Keep in mind that the law enforcement agency negotiated a contract, but they were not aware of the states laws that governed the security contractor. It was only when the hospital security management investigated the security contractor that it was discovered that several laws were being violated on their campus.

Management of Contract Security on Private Property

In the above case the hospital was not responsible for managing the security contractor, as their contracting agency was a sheriff’s department. In this case the only role that the hospital played in this arrangement was that the hospital security was required as part of their accreditation process to ensure that the contract security staff was oriented as to the hospital’s emergency responses for internal emergencies such as fires, cardiac arrests and so on. It was this responsibility that resulted in the security contractor being banned from the property.

During the orientation process, which occurs each time a new security officers arrives to guard the patient/prisoner, a security guard refused to cooperate with the hospital security staff. The hospital security management also received complaints that the contract security guards were not guarding their prisoners and in fact were “harassing” the nurses and playing music so loud that other patients were complaining.

As a result the hospitals security management called the manager of the contract security company and advised them that there were complaints and that their security guards were refusing to receive required training provided as part of orientation. It was at this point that the contract security manager stated that “his guards” did not have to do anything that the hospital security asked of them and that they were not to answer to the hospital regarding the training or complaints.

At about the same time the hospital security officers noticed that several of the contract security guards were armed with firearms. During one evening shift a hospital security supervisor checked the state database to see if the security officers were properly licensed through the state as required by law. It was at this point that the hospital discovered that not only did the security guards not have the state mandated permits to carry firearms as a security guard; in some cases they did not have their guard cards as also required by state law.

When the hospital security management was made aware of this they immediately contacted the sheriff’s department and asked why they have armed security guards at the medical center that were not properly licensed. At first the deputy in charge of hiring the security guards was taken aback by the revelation that the security guards were armed at all. The deputy stated that they were not aware that the security guards were possessing firearms and they had not requested the contract security company to arm their guards. The deputy stated that he would look into the problem and promised that it would be corrected. However, as far as the hospital was concerned they were not going to allow the private security contractor back on the medical center campus under any circumstances.

Keep in mind that the contract security company was retained by the sheriff’s department, and they were performing duties on their behalf and yet the sheriff was not managing their contractor. As a result there were unlicensed security guards, carrying unauthorized firearms and without the proper permits who were not even guarding their prisoner/patient.

Now there may be some people questioning the fact that the hospital security management required the security contractor to leave the campus, but in the end the hospital is private property and they have the right to decide who will be on their property at any given time. This organization agreed to allow the Sheriff’s department to bring in a new contractor on the condition that the new firm were properly licensed and agreed to receive the Forensic Orientation training and cooperate with the medical center’s staff and policies.

Contracted Security Services Issues

Having a law enforcement presence within a medical center is nothing new, and the same is true about a law enforcement agency contracting out security services for guarding patients. The issues identified with this case study was the fact that the law enforcement agency was not properly managing their contractor, in the sense that they did not ensure that the security guards were properly licensed both as a security guard and also to carry firearms.

In this type of arrangement it was the responsibility of the law enforcement agency to perform their due diligence in advance of retaining the private security contractor, as well as managing their duties and performance. Of course it is the responsibility too of the contract security company management to ensure that they too are following the laws, but in this case the law enforcement agency claimed that they were not aware of the licensing issues, and the contract security firm did not disclose it.

On the other hand, in most cases a hospital may not always conduct their own internal due diligence on a contractor hired by a law enforcement agency, but in this case it was a necessity.

Unless the medical center is a public facility, for example a county or state owned and managed facility; they are likely considered private organizations and can decide who will be allowed on their property. However, hospital security managers may believe that they have no control over security guard companies hired by law enforcement to guard prisoner/patients. Now while it is always a good practice to cooperate with law enforcement, even if your facility is private property, you still must ensure that your facility is properly managed at all times.

As a private organization it would be in your best interest to verify the credentials of any contract security service that works within your facility to guard patients for law enforcement. We are not suggesting a “Joint Employer” or "Co-Employer" relationship, more so that you are ensuring that you are not unknowingly allowing your organization’s risk and liability exposure to be increased.

In the above mentioned case not only were unlicensed security guards providing security services within the medical center, they were also carrying firearms without a state mandated permit and training and without the permission or knowledge of the law enforcement agency that retained them.

In this case the hospital had every right to conduct their due diligence of the contract security company and require them to be properly oriented to their facility’s emergency response systems and processes. Once the medical center became aware of the fact that firearms were on the campus, and they were not authorized by the law enforcement agency or properly licensed and/or permitted, the hospital security management was well within their rights to demand that the security guards leave the property. At no time was the hospital refusing a qualified security contractor from being on the campus, they were just requiring that all applicable laws, regulations, and policies were being followed at all times.

Conclusion

In closing it should be clear that a private organization can and should insist on compliance from all contractors and outside services that perform services on their campus. If your organization is not already performing their internal due diligence on similar services that might be within your facility on any given day, now is the time to consider a change.

Some questions that you should consider with security guard contractors hired by law enforcement agencies are as follows:

  • Is the security contractor properly licensed?
  • Are the security guards that will be working on your campus properly licensed?
  • If firearms are authorized by the law enforcement agency, has the security company provided the proper training to the officers?
  • Is there a requirement that firearms even be on the campus?
  • Does every security guard that is carrying a firearm have the proper permits and training?
  • Who is the point of contact for the hospital with regards to any issues with the guards or services?

In the end, if you are not verifying the above information upfront you may have increased liability for your organization. Plausible Deniability is not a good defense strategy. The medical center in this case requires numerous checks and balances now to ensure that they have properly vetted any security contractor that works on any of their campuses.

 
TOP