16.3 Building security

Since NSOs possess confidential and personal information, they must take building security seriously and restrict not only digital but also physical access to buildings and related infrastructure. The key to managing building security focuses on two main aspects: visitor management and access control (🔗), both of which start at the entrance to the building. Access control can be implemented using electronic devices (such as keys, electronic locks on automatically closing doors or mantraps), ideally combined with surveillance devices such as cameras. The general recommendation is to limit the number of visitor access points and enforce the rule that both visitors and staff must wear identification badges that are visible at all times and visitors escorted by staff. Electronic gates enabling access control are introduced at multiple locations are recommended if finance is available. This also allows structuring the building space into different zones with specific access control depending on the security restrictions needed. For most sensitive areas, to increase the access security, control should be organized with two- or three-factor authentication, which includes:

• something the user knows, e.g., a password, passphrase or PIN;

• something the user has, such as smart card or a key fob;

• something the user is, such as fingerprint, verified by biometric measurement.

Ensuring the safety of personnel should be a major preoccupation of any manager. Every employee should pass basic safety training (that includes handling a fire extinguisher), and at least one person in each organizational unit should be trained in providing first aid. Evacuation plans should be displayed in every room, evacuation routes should be marked, and evacuation exercises should be performed regularly (preferably at least once every two years). Secure and monitored access to buildings is also important in ensuring personnel’s safety, including protecting personal and organizational property.