S 1.78 Security concept for use of building

Initiation responsibility: Top Management, IT Security Officer

Implementation responsibility: IT Security Officer, Planner

To develop a practical and economical security concept for the use of a building, the protection requirements of the business processes concerned and the basic protection objectives, which often result from the business activity, must be identified. Such protection objectives may include, for example, protection of commodities, particular protection of some or all employees against attacks, or access protection and content protection for certain areas or individual rooms of the building.

Many different security aspects must be considered for a building, from fire protection to the electrical system to access control. Depending on the size of the institution and the building, various people may be responsible. That is why the individual roles and tasks must be clearly defined. The responsible persons should coordinate with one another in order to select appropriate security safeguards for the various areas based on the protection objectives.

When planning buildings, it is good practice to consider the security zones first (see S 1.79 Formation of security zones). Many protection objectives can be achieved by ensuring that it is neither necessary nor possible to enter a zone with a high security level directly from a zone with a low security level. The spatial segmentation should be adapted to the intended use of the building (see S 1.13 Layout of building parts requiring protection). Clearly identifiable and easy-to-secure transitions should be created between the individual security zones. Admissible transitions between the zones are then designed in accordance with the protection requirement. Inadmissible transitions are prevented or given particular safeguards. This means that escape doors leading from security zones with a higher security level to the external area should be safeguarded so that unauthorised access from the external area into the internal area is prevented. Windows and entrances must be safeguarded according to their protection requirement (see S 1.10 Safe doors and windows).

Each security zone should only include business processes whose protection requirement corresponds to the protection requirement of the security zone. Moreover, access should only be granted to persons whose tasks require such access. Entry to the security zones must be checked in accordance with their protection requirement so that unauthorised persons cannot access these areas.
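The zone rules above can be checked mechanically against a floor plan. The following is an added example, not part of the original safeguard text: it models zones and doors as a directed graph and reports unchecked or level-skipping entries, zones reachable from the external area without any check, and processes placed in a zone of a different level. The zone names, the numeric levels, the door tuple layout and the reading of "corresponding" as "equal level" are assumptions made for the example.

```python
from collections import deque

# Constructed sample plan. Zone names, numeric levels (0 = external area) and
# the door tuple layout are assumptions made for this example.
ZONES = {"external": 0, "lobby": 1, "office": 2, "server_room": 3}
# (from_zone, to_zone, checked): passage in this direction requires an authorisation check
DOORS = [
    ("external", "lobby", True), ("lobby", "external", False),
    ("lobby", "office", True), ("office", "lobby", False),
    ("office", "server_room", True), ("server_room", "office", False),
    ("server_room", "external", False),  # escape door, exit direction
    ("external", "server_room", False),  # defect: escape door also opens from outside
]
# process -> (zone it is located in, its protection requirement on the same scale)
PROCESSES = {"payroll": ("office", 2), "key_management": ("lobby", 3)}


def door_findings(zones, doors):
    """Flag upward transitions that are unchecked or that skip a zone level."""
    findings = []
    for src, dst, checked in doors:
        step = zones[dst] - zones[src]
        if step > 0 and not checked:
            findings.append(f"unchecked entry {src} -> {dst}")
        if step > 1:
            findings.append(f"direct entry {src} -> {dst} skips {step - 1} level(s)")
    return findings


def reachable_without_check(zones, doors, start="external"):
    """Zones an outsider can reach using only unchecked passages (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        here = queue.popleft()
        for src, dst, checked in doors:
            if src == here and not checked and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return sorted(z for z in seen if zones[z] > 0)


def process_findings(zones, processes):
    """Flag processes whose protection requirement differs from their zone's level."""
    return [f"{name}: requirement {need}, zone {zone} is level {zones[zone]}"
            for name, (zone, need) in processes.items() if need != zones[zone]]


if __name__ == "__main__":
    for line in door_findings(ZONES, DOORS) + process_findings(ZONES, PROCESSES):
        print(line)
    print("reachable without any check:", reachable_without_check(ZONES, DOORS))
```

In the sample plan, the single escape door that opens from outside exposes not only the server room but, through the unchecked exit doors, the office and lobby as well.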

In almost all cases, this consideration should be supplemented by further measures against unauthorised access or sneaking in. The safeguard S 1.19 Protection against entering and breaking provides a corresponding overview.

If buildings include public or semi-public areas, or if it is possible to see into the building, e.g. via a window bank, S 1.12 Avoidance of references to the location of building parts requiring protection must be considered.

If protection of the content of the building (whether goods or the technical infrastructure) is particularly required, the security concept must consider protection against water. The safeguard S 1.14 Automatic water drainage provides relevant information.

All preventive and damage-minimising safeguards must be supplemented by detection safeguards (see S 1.18 Intruder and fire detection devices). The building's protection concept will only be complete if the relevant threats are counteracted by planning and design, and if monitoring safeguards ensure that damaging events or accidental or intentional attempts to overcome protection and security measures are detected early. Only then will it be possible to initiate countermeasures.

The security concept for the building must be aligned with the overall security concept of the institution. It should be updated regularly, above all when the building's use changes, e.g. after organisational changes in the institution.

Review questions: