PSR 20 Days of Christmas!

ICARAS are strong advocates of the NZ Government’s Protective Security Requirements (PSR). To that end, we have been working with Santa to move his North Pole gift manufacturing and rapid distribution operations into compliance with the PSR framework.

Below is a light-hearted and very tongue-in-cheek look at Santa’s protective security journey through the PSR Mandatory Requirements 20 days of Christmas, courtesy of our ever-conscientious Security Risk Elfvisor Chris (with apologies to the PSR team…).

 

🎄🎄🎄

On the first day of Christmas, the PSR gave to me…

🎁 🎁 🎁

GOV1 – Establish and maintain the right governance

Santa is a busy man. While he understands the importance of security, he has a billion toys to think about, so leaves security up to his small team of security elves within the Security Northern Operations – Workshop (SNOW) team. As his head of security is only a tier four elf manager, he doesn’t ever get time with the big man to discuss security issues.

The security manager, a very conscientious elf who formerly served in the Polar Law Enforcement And Defence Section (PLEADS), noticed discrepancies in the candy cane stock numbers that he couldn’t explain. While he wanted to undertake an investigation, Workshop policy stated that any use of security cameras to observe working elves needed to be signed off at the Executive level. Months of mistletoe memos, e-cards and carol calls failed to navigate their way through the bureaucratic North Pole management structure and the head security elf was no closer to understanding what was going on.

Unfortunately, one day it all became clear. Plastered across the front page of the Magical Times was a photo of a group of Workshop elves, high on sugar from snorting candy cane dust, writing their names in the snow with a warm liquid that wasn’t their coffee… The reputational damage to Santa’s operations across the mystical realm was immense – the Easter Bunny and Tooth Fairy stopped talking to him and Jack Frost gave him the cold shoulder.

Once the snow settled and the internal review was completed, Santa designated a Security Principal Elf – Executive Director (SPEED) that chaired the Committee for Operational Protective Security (COPS) and reported directly to him to ensure he wasn’t caught out with his (or his elf’s) pants down again.

🎄🎄🎄

On the second day of Christmas, the PSR gave to me…

🎁 🎁 🎁

GOV2 – Take a risk-based approach

Despite his traditional methods, Santa is a high-tech gadget guy. He is no Scrooge and loves the latest and greatest when it comes to technology, including advances in reindeer stealth and rapid-fire stocking stuffers. And this extends to the physical security control systems protecting ‘The Workshop’. He regularly hosts security integrators at the North Pole to demonstrate their most capable, and expensive, new tools (though this is not a widely known fact, as elf lawyers are experts at NDAs).

Unfortunately, even Santa is not immune to the economic times we find ourselves in. Despite his bulk-buying power, the cost of raw supplies and consumables for his massive toy-making enterprise has significantly increased, without a commensurate increase in cookie and milk payments.

So, Santa takes a risk-based approach to determining his protective security control measure requirements. Reluctantly, he has decided not to procure the latest air-defence system with Grinch-seeking technology but will rely on NORAD to protect the skies over the North Pole. Instead, he will replace the aging firewalls protecting his database of naughty and nice children and invest in new Yule-tide padlocks for the candy cane store. While they don’t have the same wow-factor as missile launchers on the back of the sleigh, they will mitigate the actual risks faced by ‘The Workshop’ and its jolly inhabitants.

🎄🎄🎄

On the third day of Christmas, the PSR gave to me…

🎁 🎁 🎁

GOV3 – Prepare for business continuity

Despite our modern understanding of science, some traditions are hard to let go of. In fact, back in the 16th century, Santa signed a perpetual coal supply agreement that even his elf lawyers are unable to get out of. At the time he thought the number of naughty children would only continue to increase but neglected to foresee how five hundred years of providing families free coal would change the global climate.

Unfortunately, environmental activists have scant regard for the finer details of contractual law in the face of global catastrophe and are increasingly pressuring Jolly Kris Kringle to dispense with his ‘free fossil fuel distribution service’.

This issue recently came to a head when climate activists discovered the secret location of ‘The Workshop’ from an unauthorised disclosure on the internet. Droves of protestors descended on the North Pole on Christmas Eve and staged an ‘occupation’ of Santa’s Sleigh Trajectory and Navigation Instrument Control Centre (ST NICC), gluing their hands to the reindeer. This sleigh was loaded and ready to go, but unable to take off.

Fortunately, the recently formed Committee for Operational Protective Security (COPS) had developed a robust set of business continuity plans. This included a backup sleigh, led by Rudolph’s younger cousin Randy the radar-guided reindeer, on standby should Sleigh Bell One be unavailable for use. So, millions of children around the world still received their Christmas presents, along with a few lumps of coal.

🎄🎄🎄

On the fourth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

GOV4 – Build security awareness

Elves are friendly and trusting by nature, so Santa has a regular program of security awareness education for his staff. This includes displaying posters like “Loose Lips Sink Sleighs” and “Only Reindeer Have Tails – Don’t Let Others Follow You Through the Door”.

The North Pole is a busy place and so readily available resources are used whenever possible in security awareness campaigns:

  • The Lone Worker Policy is based on the “Home Alone” movie.

  • Security elves watch the “Die Hard” series of movies as refresher training on appropriate Christmas area defence techniques.

  • The “Gremlins” movie is used to demonstrate what can go wrong when you don’t follow the rules.

  • “Secret Santa” is used as a tool to reinforce the “need-to-know” principle.

  • “Security-in-Depth” is explained using a game of pass-the-parcel, with each layer unwrapped one at a time.

  • Santa’s Personal Protection Team use “The Nightmare Before Christmas” movie as a basis for counter-kidnapping exercises.

Santa has developed a ‘Snowman’ framework, utilising both a ‘carrot’ and ‘stick’ approach to encourage security compliance. Where good security awareness and culture is observed, staff are rewarded with Bauble Bonuses. However, non-compliance with security procedures risks screenings of the movie “Love Actually”…

🎄🎄🎄

On the fifth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

GOV5 – Manage risks when working with others

The global population is ever growing, placing increasing pressure on Santa’s operations. ‘The Workshop’ has reached capacity and now relies heavily on outsourced resources. This includes the Global Integrated Future Transport Service (GIFTS) research and development contract, looking at the next generation of present delivery systems. This contract was awarded to the Delightful Institute of Research and Technology (DIRT), a little-known organisation that charged a surprisingly low fee for their work.

While Santa’s elf lawyers drafted an excellent Non-Disclosure Agreement (NDA) covering the sensitive CHRISTMAS-IN-CONFIDENCE information that was to be shared with DIRT, no one thought to undertake due diligence on the DIRT organisation itself. Unfortunately, buried under a series of shell companies and cookie cut-out corporations, DIRT is owned by none other than Krampus.

Krampus has a small share of the year-end festive market, primarily limited to early December deliveries to naughty children in central and eastern Europe. However, he had always envied Santa’s operations and decided Xmas espionage was his best chance to mistletoe in on St Nick’s territory.

Fortunately, Santa maintained his own network of dirty snowman informants, who for a few Christmas cookies and a bottle of Christmas spirits would throw their own grandma under a moving reindeer. They caught wind of the plot and rang the warning sleigh bells back at ‘The Workshop’ before any damage was done.

So, nothing was grown from the DIRT engagement and GIFTS was re-gifted to a more reputable firm.

🎄🎄🎄

On the sixth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

GOV6 – Manage security incidents

The specific location of ‘The Workshop’ and its perimeter access points is a closely guarded secret. However, after the incident with the protestors that nearly cancelled Christmas, it was clear this sensitive information had been disclosed. Not having a lot of faith in humans and fearing an external contractor had been indiscreet, the Committee for Operational Protective Security (COPS) decided to launch an investigation.

The Special Investigation Providers of the External General Governance – Northern Operations Group (SIP EGG-NOG) were engaged to undertake an independent investigation, with full access across all branches of the Christmas operations.

Alarmingly, they discovered the unauthorised access was gained through a chimney entrance known only to the Arctic Circle, a small group comprised of only the most highly decorated Workshop executives. As the investigation unfolded, it became clear the information had come from Santa himself.

Christmas Eve is a stressful time, and in a moment of weakness, Santa got caught kissing Mummy under the mistletoe. He invited her back to the North Pole for a New Year liaison but didn’t realise she was in fact an investigative journalist. And in the pop of a Christmas cracker, the information was all over the internet.

So, it goes to show, it doesn’t matter if you are the star on the top of the tree or the pine needle that has dropped to the floor, security covers all branches of the organisation.

🎄🎄🎄

On the seventh day of Christmas, the PSR gave to me…

🎁 🎁 🎁

GOV7 – Be able to respond to increased threat levels

As the incident with the environmental activist occupation continued to send ripples throughout the polar region, the Committee for Operational Protective Security (COPS) realised their security posture was as fragile as a glass bauble. To prepare for when tidings of great joy turned into an all-in snowball fight, a threat alert level system was developed.

To ensure all elf staff were comfortable with the system, regular exercises are held under various alert level conditions, including:

  • ‘Fresh Snow’ – The response to unidentified white powder arriving through the mail system.

  • ‘Green Bauble, Red Bauble’ – Friend or foe identification check exercise.

  • ‘Hedge of Holly’ – Perimeter protection exercise.

  • ‘Sleigh bells a-ringing’ – Regular audible alarm notification checks.

  • ‘Carol Singers’ – Procedure for the unexpected arrival of groups of unknown people.

Being prepared allows all of Santa’s helpers to have a happy holiday season.

🎄🎄🎄

On the eighth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

GOV8 – Assess your capability

Like many large organisations working across a global market, Santa’s Workshop is always busy, and security often takes a backseat to the manufacturing and delivery priority operations. However, after a number of recent security incidents, the Security Leadership Executive – Internal Governance and Hierarchy (SLEIGH) Steering Group of the Committee for Operational Protective Security (COPS) decided to contract in external experts to assess ‘The Workshop’s’ security capability.

Independent Christmas Advocates and Representatives Advising Santa (ICARAS) Consultants were engaged to undertake a Christmas Capability Maturity Model (CCMM) workshop with Santa’s staff. Broad representation was included, ranging from corner office executive elves, to tinsel testers and toy tradies, to elf-on-the-shelf field staff and reindeer stable hands. Even the employee union was involved – the Joint International Network of Gift Logistics Elves (JINGLE).

The key findings from the CCMM were:

  • Security governance showed significant improvements recently with the introduction of the Security Principal Elf – Executive Director (SPEED), COPS and the SLEIGH Steering Group.

  • Security culture is still relatively poor. While the commercial-based programs provide entertaining means to impart generic security information, more ‘Workshop’-focused material is required to address the specific North Pole environment and ensure security isn’t left out in the cold.

  • Policies and procedures are lacking. Rather than formal security documentation, systems are agreed with a nod and the twinkle of an eye. Processes are passed down the generations through what is known as the Elf-To-Elf Relational and Natural Active Learning (ETERNAL) concept. While appearing timeless, the lack of written policies and procedures risks an inconsistent application of security across the wider Polar region.

Santa was briefed on the results and agreed that an annual maturity review was appropriate, timed to begin after the Boxing Day sales, where he picked up much of his stock for the following Christmas.

🎄🎄🎄

On the ninth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

PERSEC1 – Recruit the right person

The Grinch has been trying to steal Christmas for longer than most people can remember. Many of his attempts have focused on disrupting Santa’s operations at the pointy end of the process, through the ‘reclamation’ of gifts post-delivery. However, this is incredibly resource intensive, with success rates lower than the temperature in his Mount Crumpit cave. He had always dreamed of infiltrating Santa’s workshop from the inside.

Then, one day, fate smiled on the Grinch. His nephew was sent to stay with him for a while. James, an out-of-work actor, was a very friendly, though slightly dim-witted, chap. But most excitingly, James was exceptionally short for a Grinch. So short, in fact, that he may well pass as an elf…

Through his front company, Magical Advancements in Design (MAD), the Grinch engaged Wētā Workshop and James was transformed into the cutest elf imaginable. A few calls later and James had an interview (or audition, as James liked to call it) with the head of Elf Resources for ‘The Workshop’. Everything went well, and soon a job offer was being prepared for a junior Resident Attendant in Training (RAT) position within Santa’s ‘Red House’ official residence. But before the offer was presented, the Head of Elf Resources (HER) insisted full reference and criminal checks be undertaken due to the close working relationship with the Big Man.

Unfortunately, the Grinch’s planning had not stretched this far, and James’ cover began to crumble to pieces around him like a ten-year-old Christmas cake. Needless to say, the offer was immediately withdrawn, and James was sent back to tinsel-town in shame. Which goes to show, that it always pays to make a pre-employment list and do the checks twice, or someone might try and pull a ‘holly-wood’ on you.

🎄🎄🎄

On the tenth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

PERSEC2 – Ensure their ongoing suitability

Back in the day, finding the way to each and every house on the planet was a difficult task. But Rudolph was a very bright reindeer who would always have his nose out in front, regularly taking pride of place at the head of the sleigh. But technology has advanced. Not only do GPS, smartphones, and elaborate driver aids enable the Christmas Eve delivery run to be plotted and flown precisely with minimal human or elf involvement, but sophisticated sensor and air defence systems are able to detect even the slightest light distortion in the night sky. Leading the sleigh is more about stealth and less about the snout…

Unfortunately, this means Rudolph is no longer suitable to be part of the forward pack and has been retired from front-line sleigh duties. Needless to say, Rudolph wasn’t happy when he was told about this, and the language he used contained more spice than a glass of mulled wine. But equally, Santa was well aware of the risks of dumping a bitter and twisted old reindeer with a head full of Christmas magic (and Workshop secrets) onto the streets.

Instead, he was redeployed into a newly created Security Lighting Engineering and Design (SLED) role where his specialist skills are in high demand. In fact, he seems to have a real nose for the job and his staff have taken quite a shine to him.

🎄🎄🎄

On the eleventh day of Christmas, the PSR gave to me…

🎁 🎁 🎁

PERSEC3 – Manage their departure

Elves work extraordinarily hard, and many play just as hard. In what has become the latest craze at the North Pole, someone discovered that an incredible sugar high can be achieved by snorting crushed candy cane dust, enabling work-weary elves to party all night long (which, at the North Pole, can be a very long time). Unfortunately, such an intense sugar hit can have severe, negative impacts on cognitive ability, in what is known as Cerebral Reduced Activity from Sugar Hypersensitivity (CRASH). As such, it has been listed as a banned substance under Disciplinary Elf Code number 25 (DEC-25). Despite this, elves will be elves, and a demand for candy cane dust remains.

Santa is responsible for maintaining the world’s strategic stock of candy canes, so ‘The Workshop’ holds the largest supply of the striped treats on the planet. A few enterprising elves realised the opportunity this presented, and a few candy canes would drop off the back of the sleigh every now and then, to be crushed and sold discreetly at the mistletoe markets.

But then a few of the pink and white powder users made it into the press and the whole operation came to a crashing end, turning to dust. Several staff lost their jobs in the crackdown, including the Deputy of Operations, Production and Engineering (DOPE), a very senior elf with wide-ranging access throughout ‘The Workshop’.

Unfortunately, against the advice of the Security Principal Elf – Executive Director (SPEED), the electronic access system was only audited every six months. DOPE’s permissions were not immediately revoked, and he returned to ‘The Workshop’ one evening a few days later filled with rage. He was found by the early shift cleaning crew the following morning in the stables, incoherent, covered in candy cane dust and reeking of Christmas spirits. Around him, smashed and unusable, was thousands of dollars of candy cane stock, along with several reindeer sporting serious sugar headaches…

So don’t be a dope and let your departure checklists gather dust, keep your security administration up to speed.

🎄🎄🎄

On the twelfth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

PERSEC4 – Manage national security clearances

Santa is very well travelled but doesn’t have time to use a passport. So, while he maintains border agreements with many of the world’s governments through the Global Reindeer and Elf Access Treaty (GREAT), at times he has found himself in some very difficult positions (and not just the small chimney kind). 

In an incident that was kept under wraps, Santa once had a run-in with the US Secret Service. It was Christmas 2015 and, as part of his regular Christmas Eve delivery run, Santa stopped off at the White House. Unfortunately, Santa’s security clearance had expired earlier in the year, and he had forgotten to submit his application to have it renewed to the Authorised Access Renewal Group Headquarters (AARGH). Upon arrival in Washington DC, he was denied entry to any of the many White House chimneys by the Secret Service sniper teams stationed on the White House roof. Not only did the Obama children go without Christmas presents that year, but the significant delay caused by the denied entry attempt also nearly derailed the entire delivery schedule.

So, what have we learnt from Santa’s Secret Service story? While your great travel history might not be cause for alarm, forgetting your paperwork will most certainly cause you to be denied.

🎄🎄🎄

On the thirteenth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

INFOSEC1 – Understand what you need to protect

When most people think of Santa’s Workshop, they think of toy production and Christmas present delivery. But what they often don’t think about is the huge amount of personal information Santa and his helpers hold.

For a start, Santa maintains a list of every child on earth in his naughty and nice list, also known as the Annual Behaviour of Children Directory (ABCD). This information, once stored on paper but now kept within a searchable electronic database, includes the name, address, behavioural history, and toy preferences of billions of people.

Along with the ABCD, Santa also receives a significant volume of personal correspondence from children the world over. While this is increasingly electronic in nature (e-mail, SMS, social media), he still receives tens of thousands of paper-based letters and cards every year. These, too, are classed as personal information and must be appropriately processed and stored.

To manage the vast quantities of information he holds, Santa has a dedicated information management team, the Christmas Collection, Receipt, Analysis and Collation of Kid’s Egregious Requests (Christmas CRACKER) division. Primarily drawn from the field of librarians, these specialist Santa’s Helpers Handling Sensitive Holdings (SHHSH) ensure only those with a valid need-to-know can access ‘The Workshop’ data centres and document vaults.

Whilst the majority of the information processed at ‘The Workshop’ is protectively marked CHRISTMAS-IN-CONFIDENCE, the aggregate of such large volumes means the SECRET SANTA protective security standard is applied to all Physical and Electronic Processing and Storage Information (PEPSI) systems. And there is one thing you can be sure of, within the Arctic Circle, ‘The Workshop’ PEPSI is always cold…

🎄🎄🎄

On the fourteenth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

INFOSEC2 – Design your information security

In a world where people are much more conscious of their personal safety and protecting their property, Santa’s operating environment outside of the North Pole has become increasingly unpredictable. From guard dogs and armed occupants to stale cookies and rancid milk, Santa faces a wide range of threats every time he slides down a chimney.

To mitigate these threats, Santa uses a distributed network of elf-on-a-shelf operatives for surveillance of high-risk gift drop-off points. Deep undercover as wooden toys, these Covert Elf Operatives (CEO) communicate covertly back to headquarters using the Strategic and Tactical Awareness Intelligence Network (STAIN) – code name SILENT NIGHT.

Some very sensitive information is passed across SILENT NIGHT, not the least of which is the location and real identity of the CEO, so this data must be protected while in transit back to ‘The Workshop’. This is achieved using a sophisticated encoding technique operating in the magical frequency band known as Wideband Advanced Security with Highly Encoded Delivery (WASHED).

Once the SILENT NIGHT information comes out of WASHED STAIN, it must still be protected. Data is compartmented and stored in Segregated Operational Data Archives (SODA) constructed and managed to SECRET SANTA protective security standards. Only strictly vetted Enhanced Security Capability Assurance Principal Elves (ESCAPE) can access the SILENT NIGHT data.

So, if you don’t want WASHED STAIN data leaking from your SODA, ensure your information is secured to SECRET SANTA standards to protect your CEO.

🎄🎄🎄

On the fifteenth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

INFOSEC3 – Validate your security measures

Santa must move with the times. While he used to run an entirely paper-based operation, the North Pole now has an extensive information and communications technology network infrastructure, which is fully integrated into the world wide web to ensure digital connectivity with both suppliers and clients. This is run by the ever-growing Network Engineering and Resource Department (NERD), supported by the Software Application Deployment, Management And Networking (SAD MAN) group. To protect his network, Santa’s helpers run the latest Border Intrusion and Gateway Rapid Enhanced Deployment Security Alert Confirmation Kit (BIG RED SACK) protocols on the polar routers.

But ‘The Workshop’ is also a very busy place. While procedures state that all network changes must be tested within an isolated sandbox environment before deployment into the live production environment, this step is often overlooked. Santa’s helpers would rather go to the beach than play in a sandbox…

On one such occasion, a NERD elf configured a BIG RED SACK firewall. He had a lot to do so dialled directly into the operational router, checking his to-do list twice rather than his code. Unfortunately, a small typo introduced a small hole in the firewall, which was a significant vulnerability.

The Grinch must also move with the times, so has developed a cyber Network Exploitation Team (NET) as part of his Seasonal Anti-Santa Strategy (SASS). Due to the hole in the BIG RED SACK, the Grinch NET was able to infiltrate Santa’s network to access the Annual Behaviour of Children Directory (ABCD) list, inverting the entries to provide toys to the naughty children and coal to the nice children. Fortunately, an eagle-eyed Handling And Management (HAM) elf detected the discrepancy in toy production numbers and was able to uncover the problem.

To avoid a hole in your SACK from the SASS-inspired NET, ensure your NERD uses a sandbox to validate your information security.

🎄🎄🎄

On the sixteenth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

INFOSEC4 – Keep your security up to date

With a toy manufacturing operation on such a massive scale, Santa’s supply chain stretches further than the fairy lights on the Times Square Christmas tree. Nothing much grows at the North Pole, so everything from Christmas mince and mistletoe to pavlova and plum pudding needs to be externally sourced. This means Santa is dealing with a wide range of suppliers, from large multi-national conglomerates providing raw materials by the metric tonne to small family-owned artisans supplying bespoke components for unique gifts.

The logistics of this is immense, so Santa insists on all his suppliers providing digital Direct Order and Supply (DOS) software to enable his Handling And Management (HAM) elves to keep track of it all. His large suppliers have teams of developers, so are able to provide a regular stream of software updates and patches. And many of his smaller suppliers use cloud-based subscription services, such as Xmas Everyday Re-Ordering (XERO) and Managing All Resupply by Keyboard Enabled Technology (MARKET).

However, Santa has one supplier that is a little different. Sparks Near And Far Unlimited (SNAFU) has cornered the fire lighting market, being the only remaining supplier of the little flammable heads on the end of matchsticks. This small business believes in keeping it in the family, so employed Uncle Nick Oar (UNO) to develop their DOS. But UNO wasn’t one to hang around, and soon set sail to brighter opportunities, so the SNAFU DOS was never patched.

This came to the attention of Santa’s Software Application Deployment, Management And Networking (SAD MAN) group, who raised the issue to the Committee for Operational Protective Security (COPS). Given the prevalence of disposable lighters over matches, it was decided to cancel the SNAFU contract rather than risk potential compromise through unpatched software.

So, don’t be a SNAFU and let your flame die, keep your information security up to date rather than using an UNO DOS.

🎄🎄🎄

On the seventeenth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

PHYSEC1 – Understand what you need to protect

The foundation of an effective risk-based approach to security is a robust Protective Security Threat Assessment. And the North Pole has a lot of potential threats, from stray cold war ballistic missiles to Grinch intrusions. Unfortunately, Santa’s threat assessment is rather dated and hasn’t accounted for an emerging threat.

With the warming climate and retreating ice shelves, polar bears are moving further north. While they have traditionally kept well clear of ‘The Workshop’ and its surroundings, they are finding themselves running out of options. Polar bears are also loners. They like nothing more than a gentle stroll around their territory and frequent naps. Most of all, they like their peace and quiet.

‘The Workshop’, on the other hand, is always a hive of activity, with a constant excited buzz about the air. Right throughout the cold, dark, northern winter, Santa’s compound is lit up like a Christmas tree, with a regular stream of delivery trucks coming and going along the Northern Operational Inter-State Expressway (NOISE).

This was all a bit too much for the polar bears, who formed the Northern Action Group (NAG) to discuss what could be done about this disruption. But committees take time, and a more radicalised splinter group formed, Santa Must Answer for his Constant Kaos (SMACK – polar bears aren’t known for their spelling). They decided enough was enough and attacked the weakest part of the perimeter.

Reindeer are generally pretty good at looking after themselves with their massive racks of antlers, and Santa’s pack are the peak of the species. So the reindeer enclosure was surrounded by a fairly flimsy fence, which was no match for a group of sleep deprived white balls of fur and fury. As the bears smashed their way through the decorated gingerbread guardhouse, Dancer and Prancer managed to grab Olive the other reindeer, pirouette around a ballistic shard of royal icing and waltz away from the danger. Fortunately, no Elves or Deer (ED) needed attention in the Emergency Department (ED) that day.

But the incident brought into sharp focus the need for regular assessments of the threat to identify what people, animals, information, and assets need protecting. Otherwise the NOISE from your operations might result in a SMACK from NAG.

🎄🎄🎄

On the eighteenth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

PHYSEC2 – Design your physical security

There are a wide range of areas within ‘The Workshop’. The mailroom processes hundreds of millions of incoming letters during the busy pre-Christmas rush and the audit office are making lists then checking them twice. There are woodworking and metalworking shops, halls of sewing machines, and warehouses full of soft toy stuffing. Along with the now notorious candy cane store…

But alongside the administration and production areas are Research And Internal Development (RAID) laboratories, where secret squirrels nut out ideas for new toys for the next generation of children. Commercial toy producers out in the ‘warm world’ to the south would give their left stocking and a hundred years of advent calendar chocolate to get hold of the prototypes being developed here, so the strictest controls are required to restrict access.

On the advice of the Committee for Operational Protective Security (COPS), Santa has adopted the PSR Security Zoning methodology to ensure consistent and appropriate security control measures are applied across the wider Polar Infrastructure and Property Estate (PIPE). An assessment of the Christmas and Holiday Impact Level Line (CHILL) shows both the RAID and candy cane store to be Extreme – Serious Impact on Manufacturing and Production Levels for Elves (SIMPLE) resulting in a Zone 5 (or Gold Ring Security) area.

As we all know, rooms should be treated as a six-sided box. In a Zone Five, all four corners of the room must be covered by alarm sensors with three redundant communications paths for monitoring. Two-factor authentication is employed to ensure no one elf can have lone worker access. This system is detailed in a 12-step checklist, turned into a song to help the security elves remember it.

Santa’s SIMPLE CHILL shows Five/Gold Rings are required to avoid his RAID being raided, giving his COPS the confidence to design an appropriate physical security solution.

🎄🎄🎄

On the nineteenth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

PHYSEC3 – Validate your security measures

When assessing your security, independence is the key to getting a Full, Unbiased and Neutral (FUN) view. Santa knew the southern hemisphere had the most FUN security consultants, so engaged a team of penguin infiltration specialists to red team ‘The Workshop’ physical security controls.

Originally from Antarctica but now based out of Madagascar, The Penguins are a crack team of former black and white beret special forces from the unit known as “Birds of a Different Feather”. Preferring a holistic approach to Penetration And Vulnerability (PAV) testing, the cream of the crop unit spent several weeks prior to the operation on Developing an Inner Reindeer and Elf (DIRE) persona.

But after all the recent security incidents and events, the Security Principal Elf – Executive Director (SPEED) and Security Northern Operations – Workshop (SNOW) team were ready. The FUN consultants gave it everything they had, from Social Engineering Elf Data (SEED) and Straight-Out Warfare (SOW) approaches to taking turns at Shielded Light Invisible Penetration (SLIP) and Slow, Low In-Direct Encroachment (SLIDE) manoeuvres, but they couldn’t breach the perimeter.

Santa initially thought they had provided a half-baked PAV, but on reading their Full Environmental Security Testing – Investigation of Vulnerabilities and Exposure (FESTIVE) report, he was satisfied they weren’t just high on candy cane dust. He was jolly pleased at the performance of his team and issued them an extra tot of Christmas spirit for their efforts.

If you don’t want a DIRE PAV to SEED, SOW, SLIP and SLIDE through your defences, commission a FUN FESTIVE report from an independent consultant to validate that your physical security measures are at the SNOW standard.

🎄🎄🎄

On the twentieth day of Christmas, the PSR gave to me…

🎁 🎁 🎁

PHYSEC4 – Keep your security up to date

Santa loves new technology and his risk-based approach to protective security enables him to focus his passion into the areas of North Pole security that really need it. One ongoing issue is access control.

Elves are a dichotomy. They are master craftsmen, able to create delicate and beautiful toys fit for royalty. But they are also clumsy and forgetful. You would be amazed at how many children have received a bonus North Pole access card for Christmas that has been accidentally wrapped up with their presents. And that’s if the elves even remember to bring their access card to work in the first place…

Integrating biometric sensors into access control systems is a current trend and would solve the access card issue. However, most systems are developed for the mainstream market and only work with humans. Given the human workforce at ‘The Workshop’ is less than 1%, these systems are simply not fit for purpose.

So, Santa has invested in a new range of biometric scanners to integrate into the Elf Access Control System (EACS). The Species Agnostic Detection (SAD) sensor can read human fingerprints, elf ear prints, and reindeer nose prints, enabling the full range of Workshop staff to be enrolled. Coupled with individual Secret Personal Identification Numbers (SPIN), full two-factor authentication access can be achieved. And, at the insistence of the Reindeer’s Union Northern (RUN), Santa also invested in a full bear-proof fence around the reindeer yard, complete with a new boiled-candy reinforced gingerbread guardhouse.

While a SPIN-enabled SAD EACS will keep RUN away, keeping your physical security up to date will keep your humans safe.

🎄🎄🎄

That marks the end of our PSR 20 days of Christmas. We hope you enjoyed Santa’s somewhat silly but hopefully jolly journey through the PSR mandated requirements! If you would like to know more about taking a PSR approach to your protective security, please get in touch with us – we promise a smoother journey than Santa’s experience!

🎁 🎁 🎁

We hope you have a fantastic Christmas and wish you all the best for 2024!
