This article is the second in a series of four (4).

PART 1 in this series explained that to legally operate a cannabis business, whether medical or recreational, a license or permit to operate must be obtained. Every state has its own regulations and application process in place. They all require security measures to provide for the safety and security of the operation, its associates, and the neighborhood within which it operates. Most states call this a “Security Plan” and require its details be submitted with the application to operate, but what exactly is a “Security Plan?”

I have worked with many in the industry who think that a Security Plan is a floorplan drawing with security devices added (cameras, electronic access control, alarm, door intercoms, etc.) They have their security integrator provide this as a design-build, selling and installing the equipment as well.

Unfortunately, this is only a part of a Security Plan and leaves the organization short. A Security Plan includes a Security Management Plan, Security Operations Plan, and a Security Technology Plan.  All three must be included in a complete Security Plan. This article will dive deeper into the Security Technology Plan.

Many organizations have fallen prey to “security consultants” providing “security plans” only to find that they fall short in the security section of the permit/license application content.  Their “camera guy” or “alarm guy” or even their “IT guy” assured them they can provide the “security plan,” usually at no additional cost to the organization.  There is a cost, however:  an incomplete, and inadequate Security Plan.

Most integrators (defined as: security equipment companies, alarm companies, locksmiths, basically anyone selling and installing security equipment) hold themselves out as security consultants.  Then, if they work within the cannabis industry and install a system in a cannabis facility, they hold themselves out as experienced cannabis security consultants. The Security Technology Plan is more than a floorplan drawing with a security device overlay depicting cameras, alarm devices, and electronic door controls.  The technology plan should include elevations, riser diagrams, and schedules. Cut sheets, system capabilities and specifications including any programming and maintenance schedules should be part of the plan as well. Cyber aspects of security fall under this plan as well and should not be neglected. What is actually covered, controlled, or monitored utilizing the tools in the technology plan is defined in the Security Management Plan and should be more than simple compliance with the requirements of the security section of the application.

I have seen many installations utilizing a single type of indoor/outdoor IR capable camera for every camera. I also have seen the use of 360° cameras mounted to the ceiling in the center of rooms or even on the wall.  I have seen 360° PIR motion devices mounted in hallways and “cipher locks” utilizing a PIN entered into a keypad that are the exact same consumer-grade lock I utilize on the back door at my residence. I have seen bullet resistant glass (as opposed to bullet “proof” as it is often incorrectly called) installed in reception areas with simple gypsum walls beneath and surrounding it.  I have seen hollow wood doors as entry doors and intercoms for entry without any video coverage of who is being allowed to enter. I have seen “man traps” where both doors can be opened at the same time and “sally ports” that are nothing more than a residential garage, and I continue to see simple “prox” or low frequency proximity access credentials operating at 125KHz as opposed to smart card technology operating at the high 13.56MHz frequency or even mobile credentials utilizing near field or Bluetooth communication. I also have seen electronic access rights of “all doors,” and access rights assigned for convenience as opposed to role-based and actual need-based authorization. And finally, I have far too often found that remote access to video systems is granted to those outside of the security department and without restrictions.

These instances may satisfy compliance at first glance, but once in place and actually used as described in the Security Operations Plan, glaring holes will become apparent.  A regulatory compliance inspection of the facility may be passed initially, before actual operations begin but once it is discovered that the views provided by the 360° cameras are only an overview of the room and what is actually going on at the tables lining the perimeter of the trim room, for instance, is not able to be monitored by video surveillance, the regulators will insist upon a change (change = expenditure) and may possibly suspend operations until the changes are implemented and demonstrated to have corrected the deficiencies.

A Security Plan is what ultimately ensures compliance and is needed for a permit or license to operate.  Experiences in operations management should be taken into consideration in the development of information written into the Security Plan section of the application to operate.  Utilizing a strong security management program with state of the art security systems will help an organization be a beneficial addition to the community and its immediate neighbors.

It is best to utilize an experienced security consultant in the development of all parts of the Security Master Plan to ensure regulatory compliance, compliance with industry best practices and standards, and get it right the first time.  At the very least, a qualified security consultant with experience in the industry and knowledge of its operations and workflows should review any Security Technology Plan created by an integrator or security manager.

We will discuss the Security Management Plan, and Security Operations Plan separately in coming articles dedicated to each.

Stay tuned and stay safe, and always remember that it is everyone’s responsibility to become an active participant in the safety and security of themselves, and others.