Re: RFC 2527 Physical Security Controls Question

[TMetzinger@xxxxxxx]

John Kennedy and Lynn Wheeler both made excellent points about the potential 
need for absolute top-grade physical security in a commercial CA operation.  
It all seems to come down (as always) to risk assessment and balancing the 
cost of security against it's benefits.

In the commercial world, especially in the financial and medical sectors, the 
potential liability for a CA operator could be enormous, easily justifying 
the cost of physical security measures rivalling that found around weapons of 
mass destruction.

This brings up an interesting question though...  For a government, it's very 
easy to designate a resourse as being sufficiently valuable to authorize the 
use of deadly force to protect it - try to get close to a stealth aircraft 
sometime. For commercial applications, however, even where billions of 
dollars may be at stake, it's harder (if not impossible) to implement that 
final line of security.  

So for you non-government types, would your CA physical security include 
lethal defenses?  Can anyone think of any application for a non-government CA 
that would require such defenses?  I'm not talking about just armed guards 
here...  I'm talking about defenses that would kill an unauthorized 
individual who entered protected space BEFORE they did any damage besides 
entering that space. 

Timothy M. Metzinger
Technical Director
Drug Enforcement Administration
Office of Information Systems
(202) 307-9884
(888) 385-0705