
Here's all you need to know about coming up with a facility security plan


This site security plan acts as a template that should be customized to the specific site based on its security needs. It should also summarize the responsibilities of all personnel and the procedures involved.


The site security plan is intended to give site officers direction for making adjustments that improve the overall security of the facility. In addition to covering pre-existing security measures, this plan outlines its scope of applicability, risk assessment, determining threat levels, the lines of authority and responsibility, access control, restrictions, data management, monitoring, updating, and testing.


The site security plan applies to every individual within the site, and each of them should receive the appropriate training or briefing before entering the building. This includes all staff, security personnel, faculty, and visitors.

Risk Assessment

The Information Technology Officer and the Security Officer are responsible for assessing the level of risk. Risk assessments are made in response to the potential or actual effects of an incident. From the perspective of the facility's physical security, this is done by monitoring and testing the floor layout, the location and security of restricted and sensitive areas, emergency standby equipment, existing policies, procedures, guidelines, training, and finally the knowledge of individuals on site.

Looking at risk assessment from the perspective of data security, the site security plan should be stored in a central location for easy access to individuals within the site, but protected from any outside use. It should also be updated when necessary and examined by the designated officials (such as the Information Technology Officer and the Security Officer) daily.

By constantly monitoring for changes and testing present procedures, the level of risk to the facility can be gauged effectively and the appropriate security countermeasures put in place.

When responding to an occurrence, the response should follow a set sequence: report the event, notify the pertinent responders or officers, respond to the incident, recover, document, and brief individuals on site on the occurrence.

Determining Threat Level

Similar to risk assessment, both the Information Technology Officer and the Security Officer must look at the security levels of the facility and its contents. However, the officers should also focus on internal software security as well as the geographical context of the facility. This includes, but is not limited to, the security level of the region and country, as well as the track record of the security software used on PDAs, laptops, web-based servers, and file transfer protocol servers.

Access Control

It should be noted that access control includes both access to data, servers, and networks, as well as access to the physical site. The site security plan should include biometric or card-swipe security controls, isolation of restricted areas, password encryption, etc.

When a facility has more than one level of security (for example, it has public areas as well as several security or clearance levels), separate procedures should be dedicated to each level. Restricted or higher-security areas should be more physically isolated, have more physical and network barriers, and have a noticeably greater closed-circuit television presence. Additionally, these areas should use systems with a higher probability of detecting infiltration. More secure or restricted areas should include software that assesses or prevents unauthorized access.
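The tiered model described above, with separate rules per security level, can be expressed as a small policy evaluator. The following is an added example and is not code from the original article or from Kisi; the zone names, clearance levels, entry windows, and credentials are constructed sample data, and the "second factor" flag stands in for whatever biometric or PIN check a reader at a restricted door would perform. Each zone carries its own rule set, a stricter zone simply adds checks, and every decision is written to an audit log so denials can be reviewed by the designated officers.

```python
"""Tiered facility access-control policy evaluator (added example; all data is constructed)."""
from dataclasses import dataclass, field
from datetime import time


@dataclass(frozen=True)
class Zone:
    name: str
    level: int                       # 0 = public, 1 = staff, 2 = restricted (assumed scale)
    require_second_factor: bool = False
    hours: tuple = (time(0, 0), time(23, 59))   # permitted entry window (inclusive)


@dataclass
class Credential:
    holder: str
    clearance: int                   # highest zone level this credential may enter
    active: bool = True              # False once revoked (e.g. after off-boarding)
    second_factor_ok: bool = False   # True when the reader verified a biometric or PIN


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, holder: str, zone: str, decision: str, reason: str) -> None:
        self.entries.append(
            {"holder": holder, "zone": zone, "decision": decision, "reason": reason}
        )

    def denials(self) -> list:
        return [e for e in self.entries if e["decision"] == "DENY"]


# Constructed zones: a public lobby, a staff office, and a restricted server room.
ZONES = {
    "lobby": Zone("lobby", 0),
    "office": Zone("office", 1, hours=(time(6, 0), time(20, 0))),
    "server_room": Zone(
        "server_room", 2, require_second_factor=True, hours=(time(7, 0), time(19, 0))
    ),
}


def evaluate(cred: Credential, zone: Zone, at: time, log: AuditLog) -> bool:
    """Apply the zone's checks in order; the first failing check denies entry.

    Higher-level zones inherit the lower-level checks and add their own
    (tighter hours, a second factor), matching the plan's separate-procedures rule.
    """
    checks = [
        (cred.active, "credential revoked or inactive"),
        (cred.clearance >= zone.level,
         f"clearance {cred.clearance} below zone level {zone.level}"),
        (zone.hours[0] <= at <= zone.hours[1], "outside permitted entry window"),
        (not zone.require_second_factor or cred.second_factor_ok,
         "second factor required for restricted zone"),
    ]
    for ok, reason in checks:
        if not ok:
            log.record(cred.holder, zone.name, "DENY", reason)
            return False
    log.record(cred.holder, zone.name, "ALLOW", "all checks passed")
    return True


def run_demo() -> AuditLog:
    """Walk a few constructed badge events through the policy and return the log."""
    log = AuditLog()
    events = [
        (Credential("visitor", 0), ZONES["lobby"], time(10, 0)),
        (Credential("visitor", 0), ZONES["office"], time(10, 0)),
        (Credential("staff", 1), ZONES["office"], time(22, 0)),
        (Credential("admin", 2), ZONES["server_room"], time(10, 0)),
        (Credential("admin", 2, second_factor_ok=True), ZONES["server_room"], time(10, 0)),
        (Credential("former_admin", 2, active=False, second_factor_ok=True),
         ZONES["server_room"], time(10, 0)),
    ]
    for cred, zone, at in events:
        evaluate(cred, zone, at, log)
    return log


if __name__ == "__main__":
    for entry in run_demo().entries:
        print(f"{entry['decision']:5} {entry['holder']:13} -> {entry['zone']:12} ({entry['reason']})")
```

The order of the checks is deliberate: a revoked credential is rejected before any other rule is consulted, so an off-boarded person's clearance level never matters, and the reason string recorded for each denial is specific enough for the Security Officer to distinguish a policy gap (wrong hours, missing clearance) from a possible misuse attempt (repeated denials on a restricted door).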

Roles and Responsibility

The designated officials, primarily the Information Technology Officer and the Security Officer, are responsible for the physical security and integrity of data on site. This also includes overseeing the procedures for data disposal, account access control, password and protection policies, backup, and system storage. In addition to establishing these procedures, officers are also responsible for the training, education, and awareness of the site security plan.

Though a site security plan and the authority involved should always include the Information Technology Officer and the Security Officer, or similar equivalents, it can include other positions of authority. These roles and responsibilities are dependent on how this site security plan template is adjusted to the site. Common examples include but are not limited to a facility security committee, additional designated officers, security organizations, financial authority, and so on.


Human Resource Officers are also responsible for site security through a due-diligence hiring process. When hiring, the Human Resource Officer must apply an additional security vetting process and include non-disclosure and confidentiality agreements. This security vetting should include pre-employment background and criminal checks, as well as drug screenings administered by the appropriate agencies.

The Human Resource Officer is also responsible for communicating and handing over the employee handbook. The handbook should include the site security plan, as well as the confidentiality agreement, national and state labor laws, equal employment and non-discrimination policies, and leave or compensation policies. Finally, after initial hiring, the new employee should also attend any training conducted by the Information Technology Officer and the Security Officer.


Detection and enforcement of security measures should be continuous. Designated officers should push for up-to-date firewall protection, anti-virus management software, and intruder detection devices. Any activity or behavior that leaves individuals or systems vulnerable should be detected, reported, and remediated immediately. A line of communication should also be established to ensure that all individuals on site have the same understanding of the site security plan.

Updating and Testing

The site security plan should be updated and tested at least once a year. However, it is the responsibility of the Information Technology Officer and the Security Officer to critically evaluate and continuously improve the site security plan. With every new change, the site security plan should then be communicated accordingly.
