| https://sm.asisonline.org/Pages/Book-Review----Healthcare-Emergency-Incident-Management.aspx | Book Review: Healthcare Emergency Incident Management | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>Published by Butterworth-Heinemann. www.Elsevier.com. 106 pages. $59.95.</p><p>An exceptional resource for professionals who manage healthcare emergencies, <em>Healthcare Emergency Incident Management Operations Guide </em>is also a great reference for security professionals in other industries. </p><p>Over the years, many healthcare organizations have used the incident management protocols of the California Emergency Medical Services Authority's Hospital Emergency Incident Command System, as well as the U.S. National Incident Management System. Both have good parts to them, so many organizations will at least use them for a baseline as they develop their own internal emergency management system.</p><p>Author Jan Glarum begins with the history of the incident command systems and goes on to explain the pros and cons of each. He also gives readers a sense of where they should go when developing their own plans and what they should look like.</p><p>The wide-ranging collection of information is easy to read and accessible, even for the novice healthcare security or emergency management professional. Examples of managing and evaluating the effectiveness of an emergency management program add value, as do the charts and illustrations throughout the guide. Almost a dozen examples of forms offer a template that readers can use to develop their own forms. </p><p>Those looking for a healthcare emergency management guide to develop—or refine—an existing program will find this book to be a good starting point.</p><p><em>Reviewer: John M. White, CPP, is president and CEO of Protection Management, LLC. An honorably retired law enforcement officer with more than 40 years of protection experience, he is a published author and serves on the ASIS Healthcare Security Council.</em></p> | | |
| https://sm.asisonline.org/Pages/Personnel Peril.aspx | Personnel Peril | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>When employees steal proprietary information, they don't just cause headaches for the organization—they erode confidence in the trustworthiness of screened employees and vetted business partners. Following the recent spate of high-profile incidents—including leaks by U.S. National Security Agency contractor Edward Snowden in 2013, violent attacks on Fort Hood by Major Nidal Hasan in 2009, and Washington Navy Yard shooter Aaron Alexis in 2013—the U.S. government determined that existing vetting processes and security standards for sensitive programs were inadequate. Key policy changes were implemented, including a new requirement for government organizations and certain government contractors to establish an insider threat program. The requirements changed the way government-affiliated organizations approached employee management and codified existing insider threat practices.</p><p>What does that mean for private sector organizations, even if they don't work with the government? Certain features of a U.S. Department of Defense (DoD)-style insider threat program may be relatively easy to implement and offer considerable security enhancements. Traditional administrative and physical security practices—locked doors, alarm systems, and inventory controls—are focused externally and are largely ineffective at preventing employees and other authorized persons from committing harmful acts.</p><p>Integrating an insider threat policy with employee and event best practices can create a well-rounded employee management program that benefits workers and the organization. Educating employees on how to recognize and report potential insider threat information can also have a positive effect on the organization's culture and emphasize everyone's role in keeping a safe, secure work environment.</p><p>Concurrent Technologies Corporation (CTC), an independent, nonprofit organization that conducts applied scientific research and development for government and industry, faced this exact challenge upon the creation of a nuclear research facility. </p><p>With industrial space and laboratories in five states, and more than 25 percent of employees telecommuting, CTC's potential insider threat profile is typical among many technology companies in the United States. Protection of sensitive government programs, client information, and intellectual property is paramount to success in a highly competitive environment. </p><p>But the August 2017 establishment of CTC's Center for Advanced Nuclear Manufacturing (CANM) in Johnstown, Pennsylvania, created new insider threat challenges that CTC had to address. The CANM is designed to bring fabrication technology and materials expertise to the emerging next generation of commercial nuclear power plants and will conduct business only with private sector organizations that are working on small nuclear reactors. While CTC works with both industry and sensitive government programs—and must abide by federal insider threat policies—it wanted CANM to have a government-grade insider threat program that would defend against all kinds of manmade threats—from petty theft to intellectual property issues to event management. </p><p>A planned ribbon cutting and open house event at the CANM would place about 75 visitors in close proximity to CTC's intellectual property and advanced technology—and would serve as the first real test of the organization's new insider threat policy. </p><h4>Tailoring a Solution</h4><p>The FBI, U.S. Department of Homeland Security (DHS), and U.S. Defense Security Service provide tools for industry organizations to develop insider threat programs, including online training courses and brochures available through public websites. The tools identify specific behaviors that may indicate the presence of an insider threat. </p><p>Simply educating employees on what to watch for may improve the chances of averting a workplace incident. Other insider threat program features, such as information sharing and incident reporting, could also prove beneficial. Initiatives can be tailored to fit the organization, and security practitioners may find that their programs already include parts of the overall insider threat framework outlined in government directives. </p><p>This was true for CTC as it began to build a more robust insider threat program. While the organization had taken an informal approach to communicating potential employee issues, it was nowhere near the formalized program needed. To make sure the program covered all threats, CTC created an insider threat working group.</p><p><strong>Comprehensive support. </strong>An insider threat program relies on buy-in throughout the organization. A single official with authority to develop policies and procedures should be appointed to manage the program. He or she should also be responsible for determining when to report substantive insider threat information to law enforcement and other entities outside the organization.</p><p>CTC appointed an insider threat program official and established a working group with membership based on relevant roles, including representatives from security, human resources, IT, executive management, and ethics and compliance. The working group conducted several program reviews and established the types of activities to watch out for or report. </p><p>The group also ensured that all employees completed awareness training in the time leading up to the CANM open house and helped foster a culture of communication so that employees would not hesitate to report concerns about visitors or fellow employees. Line employees are often the first to sense that something is off—if they notice changes in an employee's routine or behavior, they should know how to safely and effectively communicate the information to team leaders without fear of retribution. </p><p>Security staff and senior managers stood ready to work with department managers and labor representatives to reduce or eliminate social barriers to reporting. Reporting policy violations and unusual or suspicious behavior must not be viewed as tattling. Instead, it should be emphasized that timely reporting may save the company or business unit from significant financial loss, unfair competition, or even a tragic incident.</p><p><strong>Team approach. </strong>Effective information sharing and collaboration among security stakeholders in the organization are essential for a stalwart insider threat program. Functional leaders—like the ones in CTC's insider threat working group—typically monitor organizational performance in areas relevant to detecting a potential insider threat. For example, larger organizations usually rely on a CISO to detect violation or circumvention of policies regarding systems access, file transfers, software installation, and other network activities. Likewise, the human resources department should track, analyze, and share information on trends in employee misconduct, including harassment complaints and drug testing. In reviewing such information, the team must take care to protect employee privacy and focus only on security-relevant factors that might create concerns of an insider threat and identify needed adjustments in policies and training. </p><p>For special events and unusual situations, organizations should not shy away from reaching out for help. The CTC insider threat program's leader contacted the FBI private sector coordinator, Defense Security Service representatives, and local law enforcement officials several weeks before the open house to inform them about the event and to obtain updated threat information. The FBI coordinator participated in an event rehearsal and walkthrough, and provided a tailored counterintelligence briefing to CANM engineers, program managers, and support staff, offering specific recommendations to limit risk while accomplishing overall open house objectives. </p><p><strong>Training. </strong>Employees should feel that they share a common security interest—success for themselves and for the entire organization requires their commitment to protecting intellectual property, proprietary information, and other valuable resources. Leaders must emphasize these points and encourage employees to actively support security programs and procedures. Employee commitment and loyalty to a common cause cannot be assumed, particularly in industries that experience high employee turnover. </p><p>Training employees to watch for specific activities and behaviors that may indicate an insider threat is the key to viable information reporting within the organization. Employees tend to recognize differences in a coworker's attitude, work ethic, or behavior well before an incident occurs, so they must know when and how to report concerns. Employees must also know how to recognize suspicious emails, scams, phishing attempts, and social engineering tricks to avoid becoming an unwitting insider or being coerced into providing information or other assistance. Training should also emphasize the importance of following basic rules aimed at mitigating risk, such as locking or switching off computer workstations when unattended. </p><p>CANM employees were trained in traditional insider threat identification messages but were also given tips on identifying and reporting suspicious behavior at the open house event. </p><p>Because engineers, program managers, and event staff integrated security best practices into their job requirements, enhanced security was everywhere yet remained unseen at the event.</p><p><strong>Written plans. </strong>The insider threat working group at CTC identified all written guidance regarding employee behavior, from harassment policies and timekeeping systems to travel plans and procedures and integrated it into the plan. The insider threat program features a risk mitigation plan that identifies insider threat stakeholders, roles and responsibilities, resources, policies, and procedures. The team of stakeholders meet periodically to review the plan, share and assess potential insider threat information, and determine additional actions needed to protect people, operations, intellectual property, and other resources.</p><p>For example, at a stakeholder meeting, someone in charge of travel finances might point out that the rental car budget for the previous month was 20 percent larger than normal. Human resources personnel can revisit employee travel dates and potentially identify excessive use of rental vehicles for personal travel. The same insider threat reporting procedures should be followed to address the problem. </p><h4>Redefining Insider Threats</h4><p>CTC's reevaluation and preparation paid off—the open house event went smoothly for staff and visitors alike. </p><p>CTC security officials are also reaping longer-term benefits from the CANM experience. For example, the department is improving its approach to training by conducting lunchtime seminars and more personal interviews with employees to reinforce the significant role that each employee plays in countering insider threats, even if security is not their primary role.</p><p>In addition to the CANM program, other business changes prompted CTC to reassess potential threats and strengthen routine security procedures. New contracts with government clients outside the DoD brought new requirements and concerns for protecting sensitive information processed and stored on company networks. The company invested in new equipment, and other areas of business development brought increased interaction with international customers—along with added challenges for ensuring compliance with American export laws. </p><p>By thinking outside the box in regard to an insider threat, CDC was able to create a well-rounded employee management policy that is capable of addressing a variety of organizational concerns. Addressing a wide scope of potentially problematic employee-related activity—not just intellectual property or workplace violence concerns—through an insider threat lens strengthens the entire program and makes it more adaptable for addressing other business concerns.</p><p>As an example, security staff worked with shop floor staff and project managers to revise the facility's access control plan. Doors to certain industrial areas within the 250,000-square foot CANM were closed to employees who did not have a clear need for access. Facility access hours were restricted for many employees, and a proximity card in addition to a six-digit PIN is now required to use doors that are not routinely monitored. Process owners and senior managers fully grasped the need for such procedural changes and strongly supported the recommendations. </p><p>As international business contacts expanded, the security, contracts, and export compliance departments worked closely with program managers to ensure that export licenses encompass all international dealings involving protected technologies. The company's enterprise visitor system, internally developed in 2012 and upgraded in 2015, electronically routes international visit requests for coordination and approval. This ensures that the right managers and technicians are informed, projects are shrouded, or operations are suspended or rescheduled as needed. </p><p>With such low- or no-cost security enhancements in place, establishing an insider threat program required only a modest effort to formalize plans and procedures, chartering a working group, and expanding existing training. Other corporations working exclusively or extensively with government contracts can engineer similar results. </p><p>Increasing awareness of insider threats and encouraging employees to report suspicious behavior and policy violations has directly led to improved overall security. For example, information received in recent months from frontline employees has enabled managers to correct internal issues and mitigate vulnerabilities in how the company purchases, inventories, and accounts for low-cost supplies, equipment, and bench tools. Workers in the affected areas recognize how the changes reduce risk of pilferage and unauthorized use of company assets. Minimizing such losses helps the company control overhead costs, remain competitive, and protect jobs and salaries. </p><p>If an organization is unaccustomed to a regimen of safety and security rules during daily business operations, it may take months to evolve a security culture where employees are likely to bring their concerns forward and key supervisors can evaluate information and respond effectively. The advantages of starting now almost certainly outweigh the risk of what could come later. </p><h4>Sidebar: How Nuclear-Level Security Influenced Today’s
Insider Threat Programs<br></h4><p></p><p>Concerns about insider threats are not new. In the mid-1940s, during the highly secretive Manhattan Project—the United States' efforts to develop the world's first atomic weapons—leaders were most concerned that a trusted insider could be blackmailed or tempted to commit espionage for money. Losing atomic secrets to enemies could have drastic—and deadly—consequences. The art of protecting critical research, test activities, materiel and weapons production, and plans for use of nuclear weapons was woven into the Manhattan Project and remains a hallmark of security within U.S. Department of Defense (DoD) nuclear programs.</p><p>The personnel clearance process and the personnel reliability program (PRP) have been central in addressing insider threats to nuclear capabilities since the 1960s. Clearance processes are designed to screen people for trustworthiness and must be strictly followed prior to granting an individual access to classified nuclear design information, plans, capabilities, or operating procedures. A personnel clearance is based on favorable evaluation of factors such as the person's demonstrated financial responsibility, personal conduct, and allegiance to the United States. Cleared individuals are reinvestigated periodically to ensure continued access is appropriate. Those in unusually sensitive and critical positions may be subjected to polygraphs. </p><p>The PRP is an added layer of administrative security comprising procedures, automated notifications, tiered supervision, and other checks designed to ensure workers are mentally and physically fit at the time they perform critical tasks, such as nuclear command and control, maintenance, or armed security. PRP requirements and standards are risk averse—the slightest concern may result in temporary suspension from normal duties until circumstances change or a problem is resolved. A common reason for temporary suspension from duties under the PRP is use of prescription medication, which may cause drowsiness. Minor disciplinary infractions may also result in PRP suspension, triggering security measures that block access to restricted facilities and information systems.</p><p>Together, clearance processes and the PRP foster a heightened safety and security environment where workers are dutybound to report relevant information about themselves and others to appropriate authorities. Such an environment is essential based on the destructive power and political significance of the nuclear arsenal. Senior government and military personnel hold leaders within the nuclear community accountable for evaluating conditions that may detract from anyone's assigned tasks under PRP. For example, removal of the responsible unit commander is often the outcome of failure to properly adhere to PRP guidelines. </p><p>Historically, these stringent screening and reliability standards are seldom applied to government and contractor enterprises outside nuclear communities. Since 2013, however, government officials have increasingly acknowledged the threat of insiders. Personnel clearance processes are now bolstered with additional screening and random selection for background checks between the traditional timespans for periodic reinvestigation. Additionally, government clearance adjudicators may now review and consider social media information when determining overall eligibility for access to national security information.</p><p>A series of U.S. Department of Homeland Security and DoD documents and guidelines mandate insider threat programs for agencies and certain contractors but stop short of requiring self-reporting measures such as those associated with the DoD PRP due to cost, legal concerns, and other practical considerations. A PRP-like mindset, however, can be encouraged within any operation where inattention to detail, slowed reaction time, or lapse in judgment could result in injury, death, or unacceptable material or financial loss.</p><p><br> </p><p><em>Ronald R. Newsom, CPP, is a retired U.S. Air Force officer now employed with Concurrent Technologies Corporation, a recipient of the DoD 2017 Colonel James S. Cogswell Award for sustained excellence in industrial security. Newsom is a member of ASIS International. He also serves as the Chair of the National Classification Management Society's Appalachian Chapter. </em></p> | | |
| https://sm.asisonline.org/Pages/Active-Assailant,-Unarmed-Officer.aspx | Active Assailant, Unarmed Officer | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>The concept that small acts can have large ramifications is called the butterfly effect. The phrase, based on a thesis by American mathematician and meteorologist Edward Lorenz, refers to the idea that a butterfly's wings could create tiny changes in the atmosphere that may ultimately delay, accelerate, or even prevent the occurrence of a tornado in another location.</p><p>The level of awareness exhibited by security personnel can have a butterfly effect on an active assailant's perception of risk. Active shooter attacks often end when the perpetrator is apprehended or killed by law enforcement, or when the attacker commits suicide—rarely do assailants run or escape. Having security guards onsite may mitigate the chances of an attack, but this type of embedded response is no guarantee that the attacker will be deterred or stopped. </p><p>In the case of the Orlando Pulse Nightclub massacre, for example, there was a uniformed Orlando police officer onsite providing security. At Mandalay Bay where a gunman opened fire on the crowd below, killing 59 people, a security officer exchanged gunfire with the assailant during the massacre. And most recently, an armed school resource officer was on campus during the February shooting that killed 17 people at a high school in Parkland, Florida. </p><p>However, security officers can also focus on the events that occur before an attack. People who intend to commit violence often give themselves away by their physical appearance or behavior. By engaging people with simple hospitality principles, a security officer is more likely to observe warning signs. This enhanced awareness allows the guard to implement security methods that may deter the attacker. </p><p>Even when the worst-case scenario occurs, a security officer's situational awareness is critical. Early detection enables officers to respond more quickly and help others by providing instructions that can mitigate the attack. By observing physical and behavioral cues, acting upon concerns, and implementing effective response methods, unarmed guards can help prevent or mitigate active assailant attacks.</p><h4>Preattack Indicators </h4><p>Because most attacks represent the killer's first and last act of violence, the assailant often exhibits telltale signs of the incident to come. With little to no prior criminal record or experience in extreme violence, they may show behavioral and physical indicators that give their bad intentions away. Looking out for these early warning signs, or preattack indicators (PAINs), can alert the security practitioner to potential trouble and possibly thwart attacks. </p><p>PAINs are physical actions that include movement patterns, carried objects, appearance, or dress. They are also behavioral elements, such as facial expressions or demeanor. PAINs do not automatically indicate danger, because they can be consistent with perfectly innocent explanations. By carefully and prudently observing people who are determined not to be a danger, the officer can learn how to better distinguish future threats.</p><p>In the rare instances when PAINs are associated with imminent danger and immediate action is required, awareness will greatly improve response, because the element of surprise that may elicit the fight-or-flight response is removed. </p><p><strong>Normalcy bias.</strong> Trying to look for someone in a crowd who could be an attacker is like looking for a needle in a stack of needles. Since active assailant attacks are rare, there is a tendency to discredit PAINs in favor of the norm. Effective security requires a certain level of paranoia that avoids the "it can't happen here" mentality.</p><p>Establishing a thorough understanding of what is normal allows the guard to have a baseline. Then the security officer remains alert and vigilant during normal activities, and can easily transition to a heightened state of alert when a change occurs to the baseline.</p><p><strong>Customer service.</strong> Proactivity on the part of the guard is not to be confused with aggression, because customer service is still a priority. Security should view each person as a customer, not a suspect, until a significant change to the baseline occurs. Professional and nonthreatening behavior from security is more likely to elicit cooperation. </p><p>In customer service, the 10-5 Rule is a gold standard. The rule states that when the staff member is within 10 feet of guests, staff should make eye contact and smile to acknowledge them. Within five feet of a guest, a sincere greeting or friendly gesture should accompany the eye contact and smile. </p><p>The 10-5 Rule reminds others of the presence of a professional security force while keeping the security officer engaged with visitors. </p><p>Making eye contact with a person is an effective first step to determine if a basic level of mutual trust exists. At around 10 feet, make brief eye contact with a pleasant demeanor, then scan for PAINs. (See infographic, page 41.)</p><p>If PAINs are observed, engage the person in a focused conversation. In this context, professionalism is key. A focused conversation should not resemble interrogation. </p><p><strong>Active engagement.</strong> The purpose of a focused conversation is to determine if the person poses a risk. A polite "where are you heading?" to learn that person's trip story can be an effective conversation starter. </p><p>There are two types of trip stories—past and future. A past trip means the person has completed the purpose of the trip, and a future trip means the person is on their way to a specific place. This basic framework helps the officer determine whether the trip story is verifiable by providing specific details of sights seen and actions taken. A vague, unverifiable trip story does not indicate imminent violence, but it does indicate deception.</p><p>Officers should expect occasional negative reactions and be prepared to encounter individuals who refuse to cooperate. Appropriate measures should be taken to deal with such persons, including asking for another officer to help and continuing to question the individual.</p><p><strong>Low-risk groups.</strong> Just as there are universal indicators of imminent danger, there are groups of people that, absent an overt hostile act, can be statistically discounted as a threat. These low-risk groups can be removed from the 10-5 Rule, including families, children, people older than 70 years, known guests of the facility, and people known and trusted by the officer. </p><p><strong>High-risk people. </strong>After the focused conversation, those not eliminated as a possible threat must be monitored. Ideally, the person can be denied access and escorted out of the area. If not, supervisors need to be alerted and the person should be followed by an officer. Using video surveillance is also a possibility. The officer should be prepared to document their concerns and articulate—based on PAINs and the focused conversation—why the person was considered a threat.</p><p>If it becomes apparent that the person is dangerous, immediate action should be taken. The first step is to alert others and request assistance. The following actions will be based upon the perceived threat and the location. Options may range from initiating heightened security procedures and observing the subject to an immediate evacuation of the area.</p><h4>Attack Response</h4><p>Regardless of the specific factors leading up to the situation, it is imperative that security officers understand how to respond to a violent attack. </p><p>Some responses require compartmentalizing occupants away from the assailant, which is associated with the lockdown concept. However, not all situations call for these measures. Lockdown or compartmentalization is a valid tactic, but it lacks the flexibility needed to adequately mitigate all active assailant attacks. A lockdown does not help people in areas that cannot be secured or those having direct contact with the perpetrator. In an active assailant attack, these are the people at the greatest risk.</p><p>Not every human-based threat or intrusion requires Run. Hide. Fight. decisions. Under these far more common nonactive shooter events, using the word "lockdown" can cause a high percentage of occupants to falsely assume there is an active shooter, creating unnecessary panic and anxiety. Instead, these scenarios require heightened security procedures.</p><p><strong>Heightened procedures. </strong>Situations requiring heightened security can range from a threat of school or workplace violence to civil unrest. What measures are taken to increase security depend on several factors, including the nature of the threat, the mission of the facility, the architecture and layout of the facility, and law enforcement presence or response time. </p><p>Based on these factors, leaders must determine which measures are most prudent given the circumstances, and security officers should be prepared to guide facility occupants. </p><p>When necessary, guards should communicate the fact that security has been heightened in simple language, such as "Attention, guests: we have a situation that requires heightened security. Please move inside a secure location." These messages get people's attention without causing unnecessary panic. Additional information can be shared as needed. </p><p><strong>Attacks.</strong> All leading U.S. federal preparedness and response organizations, including the U.S. Department of Homeland Security, the U.S. Department of Education, and the U.S. Department of Justice, recommend the option-based Run. Hide. Fight. approach. This recommendation is not limited to U.S. government agencies—Run. Hide. Fight. can be applied to many organizations and settings.</p><p>When deciding which option is best, determining whether the guard has direct or indirect contact with the shooter is essential. Direct contact means there are no barriers between the guard's location and the attacker, and the assailant is close enough to pose immediate danger.</p><p>With indirect contact, the attacker is inside or near the facility or general area, but distance or barriers delay the attacker's ability to cause harm.</p><p>After determining the level of contact, the survival options of the protocol are applied. The guard should also be prepared to advise those around him or her on which option to choose and to assist others. </p><p>Given their large presence at events, facilities, schools, and other venues, both armed and unarmed security officers play a critical role in preventing and mitigating active assailant attacks.</p><p>Because the killer is likely to have a target location for the attack in mind—whether it be a school cafeteria, concert, or church service—the presence of trained, engaged, and aware security can disrupt the attack. </p><p>Unarmed guards have a variety of tools at their disposal to protect the public and mitigate potentially dangerous situations. With a combination of active observance, engaged conversation, and–when necessary–heightened security procedures, security personnel can serve as a major deterrent against those who intend to commit harm. </p><p><em>Brad Spicer is the founder of SafePlans, a firm specializing in all-hazards emergency preparedness technology and active shooter defense training. He is an army veteran with 20 years of state and local law enforcement service and is a member of the ASIS School Safety and Security Council. He can be reached at brad@safeplans.com.</em></p> | | |
| https://sm.asisonline.org/Pages/Take-No-Chances.aspx | Take No Chances | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>Security processes are working properly if nothing happens, as the adage goes—much to the chagrin of the security manager looking for buy-in from the C-suite. But if something does go wrong at an organization, the error lies in either the company's risk profile or its implementation of mitigation procedures. Using risk management principles to create a risk profile and implement procedures to mitigate those risks should leave no gray areas for an incident to occur, says Doug Powell, CPP, PSP, security project manager at BC Hydro. Security Management sat down with Powell, the 2017 recipient of the Roy N. Bordes Council Memb er of Excellence Award, to discuss how to create a mitigation program that only gets stronger after a security incident.</p><h4>Weigh the Risks…</h4><p>A basic tenet of risk management principles is understanding what risks an organization faces by conducting a thorough risk assessment. "For me, nothing should happen in the security program in terms of making key decisions around protection principles until you've been through your risk management exercise, which will do two things for you: tell you where you have gaps or weaknesses, and what the priority is for addressing those," Powell says. </p><p>Look for the risks that are high-probability, low-impact—such as copper theft—and low-probability, high-impact—such as a terror attack—and build a protection plan that primarily addresses those, Powell says. </p><p>"You use that prioritization to get funding," he explains. "I tell people there's a broad spectrum of risks you have to consider, but there are two that you focus on that I call the board-level risks—the ones the board would be interested in because they could bring down the company."</p><h4>…And Use Them to Build a Strategy</h4><p>Establishing those risk categories will not only help get buy-in from the C-suite but frame the company's security strategy.</p><p>"You should never say something like, 'well, the copper losses are so small that we're not going to deal with this at all,' in the same way you're not going to say that you'll never likely be attacked by terrorists so let's not worry about it," Powell says. "With that in place, you should have an effective mitigation strategy on the table."</p><h4>Flesh Out the Baseline…</h4><p>While getting buy-in may rely on emphasizing the impact a risk can have on business operations, the security team needs to have a well-rounded understanding of the risk itself. Powell illustrates the distinction by using an example of how protesters might affect critical infrastructure.</p><p>"It's one thing to say that there's risk of work being disrupted or of a pipeline being taken out of service by protesters, but it's quite another thing to say that in the context of who these protesters are," according to Powell. </p><p>"You have one level of protesters who are just people concerned about the environment, but all they really do is write letters to the government and show up and carry picket signs to let you know they are concerned. The more extreme groups are the ones that would come with explosives or physically confront your workers or who would blockade machinery," Powell explains.</p><p>While these two groups of people both fall under the protester category, the risks they present—and how to respond to them—are vastly different.</p><p>"You have to understand the characteristics of your adversaries before you can adequately plot the seriousness of the risk," Powell explains. "Would it be serious if our pipeline got blown up? You bet it would. But who has the capability to do that? Are they on our radar? And what's the probability that we would ever interact with them? There's a bit more than just saying it's a bad thing if it happens."</p><h4>…And Keep It Updated</h4><p>Don't let an incident be the impetus for conducting a new risk assessment. Creating a governance model will facilitate regular reviews of the risk assessment and how it is conducted.</p><p>"If you do it well at the head end, you should be mitigating to those standards," Powell says. "Risk doesn't happen once a year, it's an ongoing process where you establish the baseline, mitigate to the baseline, and start watching your environment to see if anything bad is coming at you that you should be taking seriously because the world is dynamic."</p><p>Consistent monitoring of threats allows the mitigation strategy to be adjusted before weaknesses are discovered and exploited.</p><p>"The monitoring aspect is critical, and after an incident you might say that the reason your mitigation plan failed is you simply didn't monitor your environment enough to realize there were new risk indicators you should have picked up," Powell says. "The risk management process is dynamic, it never stops, it's continually evolving, and whether something happens to cause you to reevaluate or whether you reevaluate because that's your normal practice, that has to happen."</p><h4>Establish a Process…</h4><p>Through risk management, a security incident occurs when the risk assessment was not accurate, or the mitigation processes were not properly carried out. After an incident, security managers should never feel blindsided—they must identify the shortcomings in their processes.</p><p>"When something critical happens, the first thing you will do is go back to your risk profile and ask yourself some key questions," Powell advises. "Did we get it right? Did we miss something? How did this incident occur if in fact we had our risk profile correct? Or did our mitigation planning not match well with the risk profile we had developed? If we had this assessed as low-risk but it happened anyway, maybe we got something wrong. If it was high-risk and it happened anyway, what was the cause?"</p><p>If the security program matches the risk profile and an incident still occurred, it's time for the organization to change the baseline.</p><p>"Did we understand our adversary?" Powell asks. "Was it someone we anticipated or someone we didn't anticipate? If it was someone we anticipated, how did they get in to do this thing without our being able to stop it or understand that they were even going to do it? Do we have the right security in place, did we do the right analysis on the adversarial groups in the first place? What did we miss? Are there new players in town? Is there something going on in another country that we weren't aware of or ignored because we didn't think it impacted us over here in our part of the world?"</p><p>And, if it turns out that the risk profile was inaccurate despite proper governance and maintenance, don't just update it—understand why it was wrong. "Look at whether your intelligence programs or social media monitoring are robust enough," Powell suggests.</p><p>"If you had 10 or 100 metal theft incidents in a month, you want to go back and ask why this is continuing to happen," Powell notes. "We've already assessed it as a risk and tried to mitigate it. For me, the two things are intrinsically connected. If you're performing risk management well, then your mitigation programs should mirror that assessment. If it doesn't, there's a problem, and that's what this review process does, it gets you into the problem."</p><h4>…And Use It Consistently</h4><p>Whether it's copper theft or a terrorist attack, the incident management process should be carried out in the same way.</p><p>"That should always be a typical incident management process for any kind of event," Powell says. "What varies is input, but the methodology has got to be identical. If it's metal theft, it's a pretty simple thing—we have some thieves, they broke into a substation, removed ground wires, and as a result this happened. What can we do to mitigate that happening at other substations in the future? </p><p>If it's a terrorist attack, of course a lot more people will be involved, and you'll be asking some very challenging questions. The process becomes a lot more complex because the potential for damage or consequence value is much higher, but the methodology has to be the same all the time."</p><p>"Overall, whether you're looking at a security breach that happened because you exposed your cables and the bad guys were able to cut them or whether it was a new, more dangerous group coming at you that you weren't aware of, or because you neglected to identify the risk appropriately—all of this has to go into that evaluative process after something happens," Powell says. "Then you have to reestablish your baseline, so you're going back into that risk analysis and move to mitigate it according to what that new baseline is. If something bad happens that's what you do—go back to the baseline and discover what went wrong, and once you know, you seek to mitigate it to the new baseline." </p> | | |
| https://sm.asisonline.org/Pages/April-2018-ASIS-News.aspx | April 2018 ASIS News | GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <h4>Introducing Global Security Exchange</h4><p>GLOBAL SECURITY EXCHANGE (GSX) is the new name for the ASIS International Annual Seminar and Exhibits, the security industry's flagship educational and networking event. The move reflects the Society's commitment to unite the full spectrum of security—cyber and operational security professionals from all verticals across the private and public sectors, allied organizations and partners, and the industry's leading service and solution providers—for the most comprehensive security event in the world. </p><p>"GSX is setting a new bar for education, networking, and security product and service excellence—addressing the issues critical to all sectors of the global marketplace," says Ron Rosenbaum, chief global marketing and business development officer at ASIS International. "The new name, branding, and messaging reflect the global nature of our event, as well as our commitment to facilitating the exchange of ideas, best practices, and product and service innovations among all industry professionals."</p><p>Registration for GSX opened in March with strong numbers, due in part to high levels of engagement on social media and positive buzz stemming from the brand reveal.</p><p>"Global Security Exchange will build upon the change and reinvention introduced at ASIS 2017," says 2018 ASIS President Richard E. Chase, CPP, PCI, PSP. "What won't change is our commitment to reinvesting, promoting, and furthering the security profession year-round. This is a source of great professional pride, and a clear brand differentiator between GSX and other industry events." </p><p>GSX will continue to offer best-in-class education, networking, and business-building opportunities that provide ongoing benefits for attendees and exhibitors alike. The education—led by ASIS, InfraGard, and ISSA subject matter experts—will deliver an immersive and interactive learning environment for security professionals at all experience levels. </p><p>"We believe learning shouldn't be reserved for the classroom," Rosenbaum says. "It's important for attendees to get hands-on access to new and emerging technologies, as well as ideas and insights that offer new perspectives on current and looming challenges. With immersive reality, robotics, and drone demos, as well as expanded Impact Learning Theater and Career Center programming, GSX will transform the traditional exhibit hall format to provide the industry's most robust and engaging technology and solutions experience."</p><p>Building on more than six decades of event excellence, GSX will take place September 23-27 in Las Vegas, Nevada, USA. For more information and to register, visit gsx.org.</p><h4>Upcoming Global Events</h4><p><strong>ASIS Europe 2018</strong></p><p>April 18-20</p><p>Rotterdam, The Netherlands</p><p>Big Data and artificial intelligence are main themes of ASIS Europe 2018—"Blurred Boundaries—Clear Risks." Opening keynote speaker Tom Raftery, global vice president, futurist, and IoT evangelist, SAP, will set the tone for the conference with his insight into the business opportunities presented by Big Data, artificial intelligence, and automation. Classroom training sessions will provide concise, practical learning.</p><p>The free Show Pass, available until April 17, includes access to education sessions in the Technology and Solutions Track, coaching and advice at the ASIS Europe Career Centre, and the networking hub of the exhibition floor. Full information and registration is on the event website asiseurope.org. </p><p><strong>11th Annual CSO Summit</strong></p><p>April 29-May 1</p><p>Minneapolis, Minnesota, USA</p><p>CSOs, policymakers, and global thought leaders will gather at the 11th Annual CSO Summit for strategic-level discussions, executive development, and exclusive networking opportunities. </p><p>Taking place at Target Plaza Commons in Minneapolis, this forum will feature futurist Scott Klososky; executive coach Angela Scalpello; a behind-the-scenes tour of the U.S. Bank Stadium, home of the Minnesota Vikings; and sessions on security risk management, leadership skills, and the changing technology landscape. </p><p>This event is open only to CSO Center members and those eligible for CSO Center membership. Learn more and register at asisonline.org/CSOSummit. </p><p><strong>28th New York City Security Conference & Expo</strong></p><p>May 16-17</p><p>New York, New York, USA</p><p>The Northeast's most anticipated security event will bring together 2,200+ security professionals for two days of valuable networking opportunities, an exhibit floor showcasing solutions from 110+ exhibitors, and expert-led education sessions examining critical issues and trends in enterprise risk and public safety.</p><p>Thought leaders will speak on drone and artificial intelligence technologies, protecting soft targets, and how enterprise security risk management can turn security into a business enabler.</p><p>Special events during the conference include an opening reception on the expo floor and a luncheon honoring the ASIS New York Chapter's Person of the Year—His Eminence, Timothy Cardinal Dolan, Archbishop of New York. For more information and to register, visit asisonline.org/nyc2018.</p><h4>Early Careerist Job Study</h4><p>ASIS International is conducting a job analysis study to determine the body of knowledge needed by those new to or transitioning into the security management field. </p><p>In January, a panel of security professionals developed a list of knowledge and skill statements and determined the overall domains of practice in which these statements belong. To ensure that the profession agrees with the panel's recommendations, a survey will be sent to all ASIS members in early April to validate the work of this panel. Based on the results of the survey, ASIS will decide if this newly developed body of knowledge can be used to create a new certification program. </p><p>This new certification is envisioned to be the first rung on a security management professional's career ladder. ASIS encourages all members—especially those new to the field and professionals who hire those new to the field—to complete this survey and help advance the creation of this important stepping stone into the profession.</p><h4>ASIS INTERNATIONAL CUP 2018 KICKS OFF</h4><p>The ASIS International Cup rewards individuals who recruit the largest number of new members to ASIS from March through June. The single highest recruiter will receive a free all-access pass to GSX, September 23-27 in Las Vegas, a three-night hotel reservation, and $500 towards GSX travel expenses.</p><p>The second-place prize is a $500 Amazon gift card, and the third-place prize is a $250 Amazon gift card. All recruiters will earn an entry into a drawing for gift cards to WorldSoccerShop.com. In 2017, the winner, Ronald Lee Martin, CPP, recruited 13 new members. </p><p>To learn more and to locate recruitment tools, visit asisonline.org/InternationalCup. Get in the game and win big!</p><h4>ASIS Life Members</h4><p>ASIS congratulates Dennis G. Byerly, CPP, and Andrew Wyczlinski, CPP, who have been granted lifetime membership to ASIS. </p><p>Byerly has been a member of ASIS for 27 years. He has been a longtime member of the Commercial Real Estate Council, and he served as a council vice chair for multiple terms. He was also a member of the Critical Infrastructure Working Group. </p><p>Wyczlinski has belonged to ASIS since 1977. He has been an active member of the National Capital Chapter; the Dayton, Ohio, Chapter; the San Antonio Chapter; and now the North Texas Chapter. In addition, he was a founding member and chapter chair for the Fredericksburg/Quantico Chapter. </p><h4>Member Book Review</h4><p><strong>Private Investigation and Homeland Security. By Daniel J. Benny. CRC Press; crcpress.com; 181 pages; $79.95.</strong></p><p>In the popular media, private investigators are frequently portrayed as shadowy and unprincipled gumshoes working cases on cheating spouses and sitting in cars on stakeouts. This may be true to a small degree, but in his book, <em>Private Investigation and Homeland Security, </em>Daniel J. Benny makes a strong case for broadening the scope of private investigator services into the homeland security arena.</p><p>A quick glance through the book's comprehensive table of contents provides the reader with a preview of all things relating to the private investigation—from establishing an investigative business to countering cyberattacks and implementing technical systems. </p><p>Much of the homeland security investigation how-to content relates to various components of physical security and background investigations. The author includes an ancillary section on security consulting, which encompasses a broad discussion of intrusion detection systems, access control, and locking devices. At times readers may struggle to connect the dots as the author introduces varied content that may not seem relevant to the subject at hand.</p><p>The author could have neatly packaged the seemingly disparate physical security and investigative components of the book together for the readers by probing into the importance of the partnership between law enforcement and the private sector. The private sector owns and protects 85 percent of the nation's infrastructure, while local law enforcement often possesses threat information regarding infrastructure. Thus, to effectively protect the homeland's infrastructure, law enforcement and the private sector must continue to work collaboratively, because neither possesses the necessary resources to do so alone. </p><p>There is plenty of knowledge that can be used by investigators and general security practitioners alike. While the book covers a multitude of security-oriented topics, readers may find themselves questioning the relevance of some content. The appendices comprise nearly 30 percent of the book and cite some narrowly focused regulatory statutes, including New York security guard and Virginia private investigator training outlines.</p><p>This book would best serve one who is contemplating a foray into the private investigative industry or a more advanced practitioner who wishes to broaden investigative service offerings. </p><p><em>Reviewer: Doug Beaver, CPP, is chair of the ASIS Cultural Properties Council and a member of the Global Terrorism and Political Instability Council. He is the director of security for the National Museum of Women in the Arts in Washington, D.C. </em></p> | | |
| https://sm.asisonline.org/Pages/The-Price-of-Destruction.aspx | The Price of Destruction | GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>"In 2017, the U.S. experienced a rare combination of high disaster frequency, disaster cost, and diversity of weather and climate extreme events," the U.S. National Oceanic and Atmospheric Administration (NOAA) says in a recent report. "Billion-dollar disasters occurred in six of the seven disaster event categories we analyze."</p><p>The final tally of destruction, calculated by NOAA's National Centers for Environmental Information, is a record breaker. Disasters caused $306 billion in total damage in 2017, making it the costliest U.S. disaster year since the agency started keeping track in 1980. The previous record was $215 billion (adjusted for inflation) in 2005, the year of Hurricanes Katrina, Rita, Dennis, and Wilma. </p><p>What made 2017 so costly? The bulk of the damage, $265 billion, came from Hurricanes Harvey, Irma, and Marie, which wreaked havoc on areas in the southern United States, the Caribbean, and Puerto Rico. The costliest was Harvey, which incurred $125 billion in damage, second only to Katrina's $160 billion in damage. </p><p>Billion-dollar disasters are nothing new; since 1980, the United States has suffered 215 disasters costing $1 billion or more, for a total of more than $1.2 trillion in damage, according to NOAA. But one of the features that distinguished 2017 was the quantity of billion-dollar disasters—16, which tied 2011 for highest number of events. </p><p>These 16 disasters varied in nature. They began with a tornado and storms in the southern states, California flooding, and a damaging freeze in the Southeast. That spring brought a drought to the Dakotas and Montana. Hailstorms and severe weather came to Colorado in May and Minnesota in June. Western wildfires occurred in the summer and fall. The big trio of hurricanes hit in August and September.</p><p>Although hurricanes were the costliest disasters, wildfires were also exceptionally damaging. The fires burned more than 9.8 million acres, with cumulative costs approaching $18 billion. This was triple the previous wildfire cost record of $6 billion in 1991, according to NOAA.</p><p>Finally, one reason behind the damage increases is that there are more homes and businesses in harm's way. </p><p>"The increase in population and material wealth over the last several decades are an important factor for the increased damage potential," the report says. "…Many population centers and infrastructure exist in vulnerable areas like coasts and river floodplains, while building codes are often insufficient in reducing damage from extreme events." </p> | | |