LPS 2082 Issue 1.0 SABRE – Security Assessment Standard For Buildings & Built Infrastructure Assets

This Standard identifies the LPCB technical requirements for rating the security risk management at a facility. The scope includes all types of built assets (buildings and built infrastructure assets) and is relevant to both new and existing (In-Use) facilities.

The Standard includes requirements at each stage in the life cycle of a built asset. It recognises that facility security is influenced by decisions made during pre-planning, planning, design, construction, operation, maintenance, refurbishment/modification and disposal/decommissioning of built assets.

The Standard has been structured and categorised into specific technical sections as illustrated in Figure 1, with each section defining a set of technical aims and associated technical requirements.

Facility Security Requirements

The goal of this section of the Standard is to assess whether management has established and maintained an understanding of their Facility Security Requirements. This understanding directs the planning and management efforts relating to facility security and is fundamental to the achievement of effective facility security.

There are two technical aims in this section:

  • FSR1: The Facility and its Context encourages the identification of all internal and external issues that will influence facility security.
  • FSR2: Facility Security Risks encourages the use of security risk assessment to identify priorities for action.

Planning for a Secure Facility

The goal of this section of the Standard is to assess whether management adopt a strategic and holistic approach to the identification and specification of appropriate and proportionate facility security controls.

There are three technical aims in this section:

  • PSF1: Facility Security Strategy encourages a strategic approach to facility security design and management planning.
  • PSF2: Facility Security Design encourages the design of environmental, physical and technological controls in accordance with the facility security strategy.
  • PSF3: Facility Security Risk Management Plan encourages the establishment of personnel and procedural controls that complement the facility security design.

Facility Security Implementation & Management

The goal of this section of the Standard is to assess whether there is strong leadership and commitment to security risk management at a facility. It describes a system for the governance of security at a facility and specific requirements relating to the management of security incidents and changes that will influence a facility and its security.

There are three technical aims in this section:

  • MAN1: Security Risk Management System encourages the development and operation of a facility level security risk management system that leads to effective security.
  • MAN2: Incident Management & Recovery encourages a proactive approach to incident management and recovery and the ongoing review of incident performance.
  • MAN3: Project Management encourages a security minded approach to project management so that change can be used as an opportunity for improvement rather than leading to potential compromises in security.

Innovation in Security Risk Management

The final technical section of the Standard encourages innovation and an aspirational approach to facility security risk management. It gives special recognition to facilities that adopt innovative technology and practices that address previously unresolved security requirements, deliver security performance efficiencies and/or support wider built environment performance objectives.

There is one technical aim in this section:

  • INN1: Innovation encourages the use of innovative solutions to improve the security performance of a facility.

This section defines terms used within this Loss Prevention Standard. Where possible, definitions of common terms were adopted from International, European and British Standards.

Please note that terms may have an alternative definition in law and in other standards, scheme documents or publications produced by BRE Global Limited.

Adaptability

Ability to change or modify the facility or its systems to maintain security in changing circumstances.

Adversary

A person or organisation that has the potential to impact the security of another person or organisation.

Asset

An item, thing or entity that has potential or actual value to an organisation. The value may be derived financially or due to the asset being critical to the organisation’s mission.

Building

A structure that has the provision of shelter for its occupants or contents as one of its main purposes; usually partially or totally enclosed and designed to stand permanently in one place.

Built Environment

Collection of man-made or induced physical objects including buildings, other structures, infrastructure and spaces, located in a particular area or region.

Command & Control

The exercise of authority and direction over assigned resources in the accomplishment of security incident management and recovery.

Consequence

The outcome of a security incident that has an effect on objectives. Consequences may be categorised as: economic, harm to life, environmental, reputation, compliance and/or mission continuity.

Construction Works

Everything that is constructed or results from construction operations.

Convergent Threat

Threat utilising both the physical and cyber domains in order to achieve an adversary’s objectives.

Corporate Security Risk Management

The application of risk management principles in the pursuit of reducing the risks to which an organisation is exposed.

Cyber Security

A system of controls used to protect an organisation, its facilities and other assets (both physical & cyber) from cyber threats.

Defence in Depth

A security principle which if adopted will require an adversary to defeat a series of protective layers in sequence to defeat the overall system.

Dependency

The facility, its security or a security sub-system or component is dependent on another asset or service.

Design Basis Threat

Derived from a threat assessment, the description of the attributes and characteristics of a credible threat against which a facility and its assets are to be protected.

Employer

Person or organisation that commissions a project i.e. the construction of a facility or alterations to an existing facility; and is responsible for providing the strategic direction to the professional advisers, contractors and supply chain involved in the planning and implementation of a project.

Employer Representative(s)

Represents the Employer’s security interests during a project at a facility. If appropriate, the role may be fulfilled by the facility Security Manager(s) in the case of in use (existing) facilities.

Facility

A site and associated assets that are used by its owner for a defined purpose.

Facility Security Design

The physical and technological controls at the facility.

Facility Security Risk Management Plan

The proposed personnel and procedural controls required to achieve facility security objectives.

Facility Security Manager(s)

A role designated by the Responsible Person(s). The role is associated with the necessary Authorities and Responsibilities to ensure facility security objectives can be met.

Insider

People (e.g. staff/contractors) that have either a working knowledge of the organisation and its security controls or who, due to their relationship with the organisation, have authorised access through one or more layers of the organisation’s cyber or physical security controls.

Integrated Design

A holistic approach to the design of a facility that, through the collaboration of many disciplines, leads to better design outcomes.

Interested Parties

Individual or group that has a vested interest in security decisions and activities at a facility.

In-Use

An existing facility incorporating one or more buildings or other structures that is used for a defined purpose.

Intervention

The act or actions of a response force undertaken with the aim of preventing an adversary successfully achieving their objectives and in doing so, preventing or mitigating the losses associated with a security incident.

Life Cycle

Consecutive and interlinked stages in the life of the facility under consideration.

Maintenance

Combination of all technical and associated administrative actions during service life, to retain a facility or asset in a state in which it can perform its required functions.

Modification

A project at an existing facility (In-Use) requiring an assessment/reassessment of facility security. Modifications include refurbishment and end of life activity such as decommissioning or demolition of an existing building or structure at a facility.

New Facility

The development of a new facility, which excludes projects where construction work is planned at an existing facility (In-Use) e.g. fit-out, refurbishment or modification. Construction works at existing facilities shall be assessed using the In-Use requirements of the Standard.

Outsider

People that do not have authorised access through one or more layers of an organisation’s cyber or physical security controls.

Performance

Ability to fulfil required functions under intended use conditions or behaviour when in use.

Personnel Security

A system of controls used to protect an organisation, its facilities and other assets against actions taken by insiders.

Policy

General commitment, direction, or intention of the Responsible Person(s) with respect to security risk management.

Procedure

An established/prescribed way of completing an action.

Process

Series of operations performed to achieve a desired result.

Product

Item or system manufactured or processed for incorporation in construction works; any goods or service.

Project

A planned activity, of defined duration, undertaken to achieve a specific goal and resulting in a change to the facility security needs or existing security function. Examples include:

  • Facility, building or asset disposal e.g. change of ownership or occupation
  • Facility modification/alteration involving construction work(s)
  • Demolition (End of Life)
  • Change of use

Project Security Manager(s)

A role within the project team designated by the Employer Representative(s), with the holder being responsible and accountable for compliance with the project security brief.

Recovery

Return to normal operations following a security incident and completion of response actions.

Resilience

Ability to maintain and adapt in response to changing circumstances, including changes in security threat, facility operations, maintenance and sub-system failures.

Response

The act or actions following the detection and confirmation of a security incident/breach.

Responsible Person

The person(s) holding ultimate responsibility for facility security. They can be identified as:

  • the person(s) in control of the facility (as occupier or otherwise) in connection with the carrying on by him of a trade, business or other undertaking (for profit or not); or
  • the owner(s), where the person(s) in control of the premises does not have control in connection with the carrying on by that person of a trade, business or other undertaking.

Physical Security

A system of controls used to protect an organisation, its facilities and other assets (physical and cyber) from physical threats.

Risk

Effect of uncertainty on objectives.

Risk Assessment

The process of identifying, analysing and evaluating security risk.

Risk Criteria

Terms of reference used to evaluate the significance or importance of an organisation’s risks. They are used to determine whether a specified level of risk is tolerable or intolerable.

Scalability

Ability to change or modify a facility, its systems or sub-systems to escalate or de-escalate security controls in response to changing security threat.

Security

State of being free from harm or fear of criminal activity.

Security Manager(s)

A security role appointed by the Responsible Person(s) or Employer Representative(s).

Security Risk

The likelihood that a threat will be realised, together with a measure of the potential consequences associated with the realisation of the threat.

Security Risk Management

Activities conducted to direct and control security risk(s).

Security Risk Management System

An organised, systematic approach to managing security risks which embeds security into the culture and day-to-day activities at a facility.

Significant Finding(s)

Risks that are important and warrant further attention as they exceed the facility risk criteria.

Site

Area of land under defined ownership on which a facility is constructed.

Threat

Statement or intention to inflict pain, injury, damage, or other hostile action to an organisation, a facility or assets.

User

Person or organisation for which a facility is designed or that makes use of a facility during its life (including the building owner, manager and occupants).

Vulnerability

A weakness to a security threat which reduces the security of a facility.

Evidence Requirements

SABRE is a third party assessment and certification scheme. The scheme is operated in a consistent and reliable manner and this provides confidence in the assessment ratings determined by the SABRE Assessors.

The SABRE Assessor determines the SABRE Rating and their assessment report is the formal record of the facility audit against the technical requirements outlined in this Standard.

The audit requires the certification applicant to share information relating to their facility and its security with the SABRE Assessor in order to facilitate assessment and certification. To maintain consistency, all certification decisions shall be based on verified and credible information that is traceable i.e. evidence based.

Evidence principles and a detailed commentary on the process of gathering evidence relating to a facility, its use in facility security assessment and for benchmarking purposes are provided in Scheme Document SD0229.

Technical Requirements

Facility Security Requirements Section

The requirements in this section encourage the Responsible Person(s) and their nominated Facility Security Manager(s) to establish and maintain an understanding of their facility security requirements and facility security risks, and in doing so allow:

  • development of appropriate security objectives;
  • informed decisions to be made in relation to facility risk(s); and
  • consideration of strategic options for mitigating these risks.

CORE TECHNICAL STANDARD REQUIREMENTS

Security Risk Assessment

  • The Security Manager(s) shall adopt security risk assessment as the basis for determining facility security function priorities.
  • Security risks shall be determined through the assessment of credible threats, facility vulnerabilities to those threats and associated consequences.
  • Risks shall be:

Threat Assessment (T)

  • The Security Manager(s) shall undertake a threat assessment, drawing on internal and external sources of information to identify credible security threats to the facility.
  • The threat assessment shall be conducted in consultation with interested parties.
  • The threat assessment shall take account of how the following factors related to the facility influence security threat:

Planning for a Secure Facility

The requirements in this section encourage:

  • adoption of a strategic approach to the planning and design of facility security controls;
  • appropriate balance between security design elements e.g. physical and technological security controls; and management e.g. personnel and procedural controls;
  • application of security risk management principles which have in mind the ultimate facility security objectives;
  • documentation and communication of management expectations at an early stage in the development of new construction projects;
  • integrated design to ensure solutions are fit for purpose.

CORE TECHNICAL STANDARD REQUIREMENTS

A Holistic Approach

  • The project Security Manager(s) shall develop a holistic security strategy for the facility.
  • The strategy shall make use of security-minded facility planning (physical environment) and the deployment of personnel, technological, physical and procedural controls to mitigate the highest priority security risks in accordance with the facility security objectives (FSR1.7).
  • The strategy shall outline the performance requirements of controls in relation to the primary security functions they perform, specifically:
      • Disrupt or Deny an attack on a facility through deployment of security controls that reduce the consequences of an adversary attack
      • Deter an attack by reducing facility target attractiveness. This will require the adversary to perceive a lower likelihood of success, higher level of effort for a similar or lesser gain and/or increased likelihood of response intervention.
      • Detect an attack should one be launched so that a timely and effective response may be initiated
      • Delay an attack for a sufficient time to allow appropriate on-site and off-site response to be initiated
      • Respond before the adversary completes an attack in order to reduce incident consequences
      • Recover from an attack/security breach at the facility and return to normal operations

Facility Security Implementation & Management

The requirements in this section encourage:

  • leadership and commitment to facility security;
  • the operation and maintenance of an effective security risk management system;
  • a proactive approach to incident management, recovery and post incident review; and
  • a security minded approach to managing change that influences security requirements, security plans and management.

The requirements relating to Security Risk Management System (MAN1) and Incident Management & Recovery (MAN2) are applicable only to existing facilities (In-Use) and do not form part of the assessment of new facilities.

The requirements relating to Project Management (MAN3) are applicable to both new facilities and existing facilities (In-Use) that have undergone change which has influenced facility security requirements, facility security planning and/or the management of security.