This article is the second in a series of four (4).
PART 1 in this series explained that to legally operate a cannabis business, whether medical or recreational, a license or permit to operate must be obtained. Every state has its own regulations and application process in place. They all require security measures to provide for the safety and security of the operation, its associates, and the neighborhood within which it operates. Most states call this a “Security Plan” and require its details be submitted with the application to operate, but what exactly is a “Security Plan?”
I have worked with many in the industry who think that a Security Plan is a floorplan drawing with security devices added (cameras, electronic access control, alarm, door intercoms, etc.). They have their security integrator provide this as a design-build, selling and installing the equipment as well.
Unfortunately, this is only a part of a Security Plan and leaves the organization short. A Security Plan includes a Security Management Plan, Security Operations Plan, and a Security Technology Plan. All three must be included in a complete Security Plan. This article will dive deeper into the Security Technology Plan.
Many organizations have fallen prey to “security consultants” providing “security plans” only to find that they fall short in the security section of the permit/license application content. Their “camera guy” or “alarm guy” or even their “IT guy” assured them they can provide the “security plan,” usually at no additional cost to the organization. There is a cost, however: an incomplete and inadequate Security Plan.
Most integrators (defined as: security equipment companies, alarm companies, locksmiths, basically anyone selling and installing security equipment) hold themselves out as security consultants. Then, if they work within the cannabis industry and install a system in a cannabis facility, they hold themselves out as experienced cannabis security consultants. The Security Technology Plan is more than a floorplan drawing with a security device overlay depicting cameras, alarm devices, and electronic door controls. The technology plan should include elevations, riser diagrams, and schedules. Cut sheets, system capabilities and specifications including any programming and maintenance schedules should be part of the plan as well. Cyber aspects of security fall under this plan as well and should not be neglected. What is actually covered, controlled, or monitored utilizing the tools in the technology plan is defined in the Security Management Plan and should be more than simple compliance with the requirements of the security section of the application.
I have seen many installations utilizing a single type of indoor/outdoor IR-capable camera for every camera. I also have seen the use of 360° cameras mounted to the ceiling in the center of rooms or even on the wall. I have seen 360° PIR motion devices mounted in hallways and “cipher locks” utilizing a PIN entered into a keypad that are the exact same consumer-grade lock I utilize on the back door at my residence. I have seen bullet-resistant glass (as opposed to bullet “proof” as it is often incorrectly called) installed in reception areas with simple gypsum walls beneath and surrounding it. I have seen hollow wood doors as entry doors and intercoms for entry without any video coverage of who is being allowed to enter. I have seen “man traps” where both doors can be opened at the same time and “sally ports” that are nothing more than a residential garage, and I continue to see simple “prox” or low-frequency proximity access credentials operating at 125 kHz as opposed to smart card technology operating at the high 13.56 MHz frequency or even mobile credentials utilizing near-field or Bluetooth communication. I also have seen electronic access rights of “all doors,” and access rights assigned for convenience as opposed to role-based and actual need-based authorization. And finally, I have far too often found that remote access to video systems is granted to those outside of the security department and without restrictions.
These instances may satisfy compliance at first glance, but once in place and actually used as described in the Security Operations Plan, glaring holes will become apparent. A regulatory compliance inspection of the facility may be passed initially, before actual operations begin. But once it is discovered that the 360° cameras provide only an overview of the room, and that what is actually going on at the tables lining the perimeter of the trim room, for instance, cannot be monitored by video surveillance, the regulators will insist upon a change (change = expenditure) and may possibly suspend operations until the changes are implemented and demonstrated to have corrected the deficiencies.
A Security Plan is what ultimately ensures compliance and is needed for a permit or license to operate. Experiences in operations management should be taken into consideration in the development of information written into the Security Plan section of the application to operate. Utilizing a strong security management program with state of the art security systems will help an organization be a beneficial addition to the community and its immediate neighbors.
It is best to utilize an experienced security consultant in the development of all parts of the Security Master Plan to ensure regulatory compliance, compliance with industry best practices and standards, and get it right the first time. At the very least, a qualified security consultant with experience in the industry and knowledge of its operations and workflows should review any Security Technology Plan created by an integrator or security manager.
We will discuss the Security Management Plan and Security Operations Plan separately in coming articles dedicated to each.
Stay tuned and stay safe, and always remember that it is everyone’s responsibility to become an active participant in the safety and security of themselves and others.
Tim Sutton is a Senior Security Consultant and Cannabis Security Practice Leader at Guidepost Solutions. He has more than 30 years of security experience. His expertise includes operational security management, program development, loss prevention, physical security, risk assessments, and technical security systems design and implementation. He has worked with clients in diverse sectors including medicinal and adult-use cannabis, healthcare, retail, government, manufacturing, and multi-use properties. Tim is a Director on the ASIS International Professional Standards Board, and a member of the ASTM International D37 Committee on Cannabis Standards.
Sutton has worked as director of security for Greenhouse Group and its Grassroots and Herbology banners, responsible for enterprise security risk management in all markets. Sutton has authored Master Security, Emergency Action and Fleet Safety Plans along with security training and operations manuals. He also conducted new hire background investigations and security advances at dispensaries.
Prior to Greenhouse, he worked as the director of security for Revolution Enterprises with similar security responsibilities.
Sutton has spoken at a number of cannabis industry events covering security subject matter. He first entered the cannabis industry as a security consultant when he authored security content for the extremely competitive Illinois permit application process, winning two cultivation permits and three dispensary permits. After winning five IL permits, Mr. Sutton has provided security consulting services and authored consistently winning security plans and content for applications and operations in multiple states.
In addition to operational security director roles within the cannabis industry, Mr. Sutton has worked as a hospital security director, manufacturing facility security coordinator, and retail director of loss prevention and security. He also has held several positions within a security integrator operation including account executive, senior systems engineer, and licensee in charge and today provides security technology plans for multiple industries.