Is Your Facility's Security Appropriate for the Public Trust It Carries?

All perimeter entry points are monitored: no unmanned or unmonitored access routes exist.

Note: A single unmonitored entry point is sufficient for an unauthorised person to enter.

Staff and authorised personnel use card or biometric access: not shared keys or PIN codes.

Note: Shared credentials cannot identify the individual who used them during an investigation.

Sensitive areas: server rooms, finance offices, records storage: have separate higher-tier access from general staff areas.

Note: Flat access control that opens every door to all staff is a persistent internal security gap.

Contractor and service provider access is time-limited and logged: not based on a standing pass.

Note: Contractors with indefinite access to institutional facilities create unmanaged long-term risk.

Access credentials are reviewed and updated when staff join, leave, or change roles.

Note: Inactive credentials that remain valid are a known vulnerability in access control systems.

Vehicle entry points have controlled access separate from pedestrian entry.

Note: Vehicle and pedestrian access require different control logic and different hardware.

All visitors are logged digitally with name, purpose, and the staff member or area they are visiting.

Note: Paper logs can be bypassed, cannot be searched, and do not constitute a reliable audit trail.

Visitors can only access the specific area they are visiting: not move freely through the facility.

Note: Visitor access that extends beyond the area of purpose creates internal security gaps.

Regular visitors: contractors, service providers, approved regular attendees: are pre-registered.

Note: Pre-registration reduces processing time per visitor and improves audit trail completeness.

You can produce a complete record of everyone on-site at any given time.

Note: This capability is required for emergency mustering, insurance investigations, and compliance audits.

Visitor badges or passes are time-limited and cannot be reused after the visit ends.

Note: Indefinitely valid visitor passes are a persistent access control gap in institutional settings.

Unscheduled visitors trigger a verification step before they are permitted to enter.

Note: Walk-in visitors without pre-registration should not receive the same access speed as expected visitors.

Camera coverage addresses all entry and exit points, common areas, and high-risk zones.

Note: Coverage gaps are usually discovered after an incident: a coverage audit prevents this.

Camera footage is clear enough to identify an individual's face in normal operating conditions.

Note: Footage that cannot identify individuals has limited value for safeguarding or police reports.

You can retrieve footage of a specific location and time window in under 10 minutes.

Note: Slow retrieval delays incident response, parent communications, and police investigations.

Footage retention meets your specific regulatory or policy requirements.

Note: MOE, MOH, and statutory board facilities may have different retention requirements: confirm yours.

Camera placement avoids private areas and complies with PDPA data minimisation requirements.

Note: Surveillance of private areas in institutional settings creates legal and reputational exposure.

Your facility has a documented and practised lockdown procedure.

Note: An undocumented procedure is not a procedure: it is a hope that will fail under pressure.

The lockdown procedure can secure all external access points simultaneously from a single trigger point.

Note: A lockdown that requires staff to manually secure each door sequentially is not a real lockdown.

All staff know their role in the emergency response procedure and have been trained within the last 12 months.

Note: Emergency procedures must be practised: reading a document is insufficient preparation.

The security system can generate a real-time occupancy count of everyone on-site.

Note: Emergency mustering requires knowing who should be accounted for: not guessing.

Emergency alerts can be sent to all staff devices simultaneously.

Note: Public address systems alone are insufficient for facilities where staff are distributed across multiple zones.

Your emergency response procedure has been reviewed against your current facility layout and staffing model within the last year.

Note: Procedures written for a different building layout or staffing structure may not work in practice.

Your facility has a documented communication procedure for notifying relevant authorities during an emergency.

Note: Knowing who to call and in what order is a documented requirement, not assumed knowledge.

Your security system documentation: camera placement, access policies, emergency procedures: is current and accessible.

Note: Outdated documentation is as problematic as no documentation during a regulatory inspection.

Your access control and visitor logs can be exported in a format suitable for a compliance audit.

Note: Logs that exist only in a proprietary system the vendor must retrieve are not audit-ready.

Your system generates reports that your management team actually reviews on a regular schedule.

Note: A system that produces no management reporting is not being governed: it is just running.

Security system changes: new staff credentials, access policy updates, system modifications: are documented with the date and reason.

Note: Undocumented changes create audit gaps that are difficult to explain to a regulator.

Your security infrastructure meets the procurement and technical standards applicable to your facility type.

Note: Government and statutory board facilities have specific procurement governance requirements for security systems.