THE SECURITY MANAGEMENT PLAN

PART 1 in this series explained that to legally operate a cannabis business, whether medical or recreational, a license or permit to operate must be obtained.  Every state has its own regulations and application process in place.  They all require security measures to provide for the safety and security of the operation, its associates, and the neighborhood within which it operates. Most states call this a “Security Plan” and require its details be submitted with the application to operate, but what exactly is a “Security Plan?”

I have worked with many in the industry who think that a Security Plan is a floorplan drawing with security devices added (cameras, electronic access control, alarm, door intercoms, etc.) They have their security integrator provide this as a design-build, selling and installing the equipment as well. PART 2 discussed this in more detail.

Unfortunately, this is only a part of a Security Plan and leaves the organization short.  A Security Plan includes a Security Management Plan, Security Operations Plan, and a Security Technology Plan.  All three must be included in a complete Security Plan.  This article will dive deeper into the Security Management Plan.

The Security Management Plan describes what will be done to ensure the security of all assets.  This plan can be very detailed but does not include specific details how any security functions or tasks will be performed as that will be documented in the Security Operations Plan and its SOPs.  It will generally document items for compliance and is more of a broad-based outline of what security measures will be used.  Policies and procedures are not found in the Security Management Plan.  For instance, it may look like:

1. Access to the facility will be controlled.
   • The facility will deploy an engineered electronic access control system.
   • Limited and Restricted Access areas will be defined within the facility.
   • Access authorization will be determined by role….
2. Video surveillance will be deployed.
   • All interior areas containing cannabis will be monitored by video
   • The exterior perimeter of the building will be monitored by video
   • All entrances/exits will be monitored by video.
   • All recorded video will be stored for 60 days……
3. An intrusion detection system will be deployed.
   • All perimeter doors, windows, rooms with an exterior wall, security equipment or monitoring rooms, cannabis storage, and cannabis waste storage areas will be protected by the system.
   • The system will be monitored continuously by a licensed UL-Listed central monitoring station.
   • Panic, hold up, and duress alarms will be utilized.
   • The local law enforcement agency will be notified automatically of any security breech.

Oftentimes the specific systems that will be used are named but they do not have to be.  When an organization standardizes on security technology or levels, those standards should be included as part of this plan.  The details of the system, the actual listing of limited and restricted access areas of the facility, and the various roles that would be authorized for access to those areas, may also be listed in the Security Management Plan especially if they are to be standards for the organization to follow.  Although there is some leeway with details that may be included, procedures (SOPs) should never be included.  Procedures for the actual administration and use of the systems belong in the Security Operations Plan. Similarly, how and when the intrusion detection system is armed; how the panic, hold up, and duress alarms are used and tested; and protocols for alarm response are all to be found in the Security Operations Plan.

What is actually covered, controlled, or monitored utilizing the tools in the technology plan is defined in the Security Management Plan and may be nothing more than simple compliance with the requirements of the security section of the application.  Utilizing a strong security management program’s operational SOPs with state of the art security systems will help an organization to be a beneficial addition to the community and its immediate neighbors.

It is best to utilize an experienced security consultant in the development of all parts of the Security Master Plan to ensure regulatory compliance, compliance with industry best practices and standards, and to help get it right the first time.  At the very least, a qualified security consultant with experience in the industry and knowledge of its operations and workflows should review any Security Technology Plan or Security Management Plan created by an integrator or security manager.

We will discuss the Security Operations Plan and its SOPs in the final article in this series.

Stay tuned and stay safe, and always remember that it is everyone’s responsibility to become an active participant in the safety and security of themselves, and others.

This article is the third in a series of four (4).