ASIS International, the largest association for security industry professionals in the world, recently published the first edition of the ASIS School Security Standard. This standard is the culmination of three years of work from a team of fifty school security experts, including COSECURE’s Joe Hendry and Drew Neckar, and establishes a comprehensive framework for developing, implementing, and maintaining a school security program across K-12 educational environments. It provides structured guidance to help schools assess risks, design protective strategies, and integrate physical security, behavioral threat assessment and management, and emergency operations planning into a cohesive and sustainable program.
Author’s Note: This standard used the framework of the American National Standards Institute (ANSI) for development and is an approved ANSI Standard. This ensured fair standards development, quality conformity assessment systems, and safeguarded the integrity of the project. It provided a neutral venue for us to coordinate standards-based solutions using private- and public-sector experts and stakeholders to initiate collaborative standardization activities that responded to international school security priorities. This process took two and a half years of meetings, debates, and two public comment sessions to reach a voluntary consensus standard. As we quickly learned, getting 40+ international school security experts to agree on standards is a messy, arduous, and ultimately rewarding process. It also requires the innate ability of the experts to be able to change your mind when presented with new information and empirical data.
It is important to understand the differences between a standard, a guideline, and a recommendation. They are all defined differently, though sometimes people mistakenly refer to them as the same thing. A standard is a definitive requirement that provides a basis for comparison and evaluation. It is the highest authority on a topic and is often legally binding, especially when adopted by a state or organization. Simply calling something a “standard” does not make it one. ANSI accredits standards developing organizations (SDOs) against a set of criteria to assure openness, balance, due process, and consensus in standards development. This inserts integrity into the system to allow users to differentiate between a properly developed standard and one simply being called a standard.
A guideline provides a framework or a set of instructions for actions. It is not mandatory, it is lower in authority and more general in application. A recommendation is a suggestion or endorsement of a particular course of action. Recommendations imply a degree of choice in deciding on what action to choose.
The ASIS Standard draws on already established industry guidance, such as the PASS K-12 Security Guideline and the Department of Homeland Security’s School Security Guide, and reflects a multi-hazard and multi-disciplinary perspective from a variety of professionals who worked on it. These professionals included school administration, security, architectural design, mental health, behavioral threat assessment, facilities management, life safety, emergency management, law enforcement, crisis communication, business continuity and legal.
The standard includes one of the most often missed security steps in schools- identifying and prioritizing risks (to be completed every three years). Many times a school will purchase a product or institute a security measure that is based on a single incident without conducting a risk assessment. An example of this is the explosion of after market security devices to be used on doors after the incident at Sandy Hook based on the false assumption that the gunman had breeched doors in the school. If schools had conducted a security risk assessment, completed by a competent individual like the new standard states, it is likely that money would have been spent on a separate security measure that would be more impactful on the prevention of the incident.
The standard encourages schools to take an enterprise security risk management approach to their security programs, and states that schools “shall” ensure that those responsible for implementing and managing the school security program are competent. This competency is based on knowledge, education, training, and experience that is appropriate to the assigned role. While it is understandable that most schools do not have a certified security professional on staff, it is recommended that school security leaders have the competency necessary to execute all elements of the school security program as outlined in the standard. Long gone are days where it was considered ok to make maintenance workers, or individuals with military or law enforcement backgrounds automatically school security directors. The role is much more complex today. Knowledge of finance, physical security systems integration, strategy, security management, communications, emergency planning, behavioral threat assessment, and recovery planning are all needed to not only be competent, but effective.
In Annex A of the document, covering Physical Protection Systems and Measures, one of the most significant “shall” statements in the document is this: The school shall implement measures to harden classrooms; where the design of classrooms prevents the ability to harden, the school shall provide alternate secure spaces for students and staff.
This means that the traditional single-option choice of traditional lockdown as an active assailant response is recognized as not being sufficient. Because traditional lockdown was adopted from Drive-by-Shooting(DBS) and earthquake drills, the infrastructure of schools has never changed to match the response of an active assailant that is likely already inside a facility. Simply turning off lights, sitting in a corner on the floor, and being quiet in the middle of a school day with almost every room occupied is not a plan. Because the FBI reported data for Active Assailants since 2014 in K-12 indicate that over 70% of the incidents begin inside a school with the assailant already in contact with their victims and now two incidents in which assailants have breeched locked doors, infrastructure change for classrooms was inevitable. There are now 26 “should” physical security recommended options for consideration to making a classroom compliant with this requirement.
Extremely important in the document is standards being established for Behavioral Threat Assessment and Management (BTAM). Many schools approaches to BTAM when assessed are best described as ad-hoc. We discover that many schools have only one or two individuals making decisions and lack the characteristics of a BTAM program.
The standard sets not only the characteristics and components of a successful BTAM program, but establishes the clear policies and procedures for one. It also provides guidance on case management systems, records, casefile contents, and reporting concerning behaviors.
It also, in depth explains how a school “shall” establish, implement, and maintain a documented process for assessing threats. The standard removes many of the issues that plague school threat assessment processes by clearly defining who is on the team, what their roles are, how reporting and document sharing occurs, establishes a clear management program, and focuses the BTAM team on managing the level of risk identified over discipline. Especially when students are the subject of an assessment, the strategy management may be encouraging pro-social behaviors, coping strategies, and supportive relationships.
Annex C covers the standards for Emergency Operations. This is to identify, prepare, prevent, mitigate, respond, and recover from any incident that significantly alters or disrupts normal school operations. Once again, this is part of the initial risk assessment of school and is instrumental in identifying needed training, physical security gaps, and needed planning. This assessment should state the needs into buckets of short-,mid-, and long-term recommendations. This section places strong emphasis on areas, such as post-incident recovery, which are often glossed over in many emergency plans and never practiced.
This include things such as activating the Reunification/Notification Center and planning for recovery past just doing reunification (medical needs, mental health, community resources, police needs, security, communications, etc.).
While the School Security Standard overall is 116 pages in length its key elements can be boiled down to the basic tenets that a school should:
• Have a competent professional to lead its school safety efforts;
• Proactively assess the security risks it faces; and
• Implement security measures that are best suited to mitigate the risks that it has identified.
The Standard is now available on the ASIS International website. Any school, district, city, or state that decides to adopt and implement the standard is establishing the best means for a comprehensive, evidence-based framework for proactively improving school security while maintaining a focus on education.