The War on Human Trafficking (Strategic Security, 2015-05-18T04:00:00Z): https://sm.asisonline.org/Pages/The-War-on-Human-Trafficking.aspx
El Arte de la Asimilación (Strategic Security, 2015-05-22T04:00:00Z): https://sm.asisonline.org/Pages/El-Arte-de-la-Asimilación.aspx
Security Market Growth Continues (Physical Security, 2015-05-15T04:00:00Z): https://sm.asisonline.org/Pages/Security-Market-Growth-Continues.aspx
Insider Threats in the Private Sector (National Security, 2015-05-26T04:00:00Z): https://sm.asisonline.org/Pages/Insider-Threats-in-the-Private-Sector.aspx
Building Cyber Awareness (Cybersecurity, 2015-05-18T04:00:00Z): https://sm.asisonline.org/Pages/Building-Cyber-Awareness.aspx
Live Chemical Agent training (Physical Security, 2015-05-04T04:00:00Z): https://sm.asisonline.org/Pages/Live-Chemical-Training-.aspx
Shots Fired (Physical Security, 2015-02-01T05:00:00Z): https://sm.asisonline.org/Pages/Shots-Fired.aspx
How Security Departments Can Leverage Enterprise Risk Management (Strategic Security, 2015-02-27T05:00:00Z): https://sm.asisonline.org/Pages/How-Security-Departments-Can-Leverage-Enterprise-Risk-Management.aspx
Le Toca a Usted: A New Spanish Language Column (Security by Industry, 2015-05-04T04:00:00Z): https://sm.asisonline.org/Pages/Le-Toca-a-Usted-A-New-Spanish-Language-Column.aspx
An Insider’s Perspective (Physical Security): https://sm.asisonline.org/Pages/An-Insider’s-Perspective.aspx

Security Management

The Power of Physical Security (Physical Security): https://sm.asisonline.org/Pages/The-Power-of-Physical-Security.aspx
<p>Any utilities security expert can effortlessly recite the details. In April 2013, someone snuck into an underground vault near a freeway in San Jose, California, and cut several telephone cables. Then, 30 minutes later, snipers shot at an electrical substation in Metcalf, California, for almost 20 minutes, knocking out 17 transformers that funnel power to Silicon Valley, before fleeing the scene and evading capture.</p><p>A major blackout was prevented by rerouting power around the downed station, but the attack caused more than $15 million in damage and brought physical threats to the electric grid to the forefront of discussions about the security of the United States’ critical infrastructure. It quickly became clear that cyberattacks were not the only threat to the U.S. power supply.</p><p>Two years have passed since the incident, and, while the snipers remain at large, the utility industry is taking steps to deter any future attacks.</p><p>“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry,” said acting Federal Energy Regulatory Commission (FERC) chairman Cheryl LaFleur in a statement in March 2014. (LaFleur was named permanent chairman in July 2014.) 
Following LaFleur’s statement, FERC directed the North American Electric Reliability Corporation (NERC) to develop new standards requiring owners and operators of the bulk-power system to address risks due to physical security threats and vulnerabilities.</p><p>The FERC order asked NERC to create a standard to identify and protect transmission stations, substations, and associated primary control centers that could cause widespread outages if compromised.</p><p>From those instructions, a 10-person drafting committee created the CIP-014 standard that focuses on transmission assessments and physical security. The standard requires transmission station and substation owners to perform a risk assessment of their systems to identify facilities that could have a critical impact on the power grid.</p><p>The order also requires owners and operators to develop and implement a security plan to address potential threats and vulnerabilities.</p><h4>Participants</h4><p>The electric system is made up of three components: generators—coal-fired, biomass, solar, and wind—that produce electricity; transmission—taking the electricity from the power source and moving it somewhere, such as a substation; and distribution—power moving from a facility to the meter in a home, business, or other building.</p><p>When electricity moves from a generation station, such as a wind farm, it goes to a substation that normally has transformers that decrease the voltage, often from 500 to 230 kilovolts (kV). From there, the substation transmits the power to another substation, which usually lowers the voltage even further to 115 kV so it can be used in residential and commercial facilities.</p><p>CIP-014 applies to transmission substations in the electric system, not the generators or the distribution stations. However, it doesn’t apply to all 55,000 transmission substations in the country, explains Allan Wick, CPP, PCI, PSP, a member of the standard drafting committee. 
</p><p>Instead, the standard relies on categories that determine which facilities must comply with the standard. The standard takes effect if a system that is “rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading with an interconnection,” Wick explains.</p><p>Because of these criteria, CIP-014 applies to transmission facilities that operate at 500 kV or higher, or single facilities that operate between 200 kV and 499 kV where the substation is connected at 200 kV or higher voltage to three or more other transmission stations that have an “aggregate weighted value” higher than 3,000 kV.</p><p>This means that few transmission substations will have to comply with standards. “By the time you use those criteria against what’s in the standard, [CIP-014] will only apply to 200 or fewer substations in the United States,” Wick says. The standard also applies to the control centers that operate those 200 substations—which are owned by roughly 30 different companies.</p><h4>Preparation</h4><p>FERC approved CIP-014 in November 2014, officially kickstarting the compliance process that owners need to complete by the first implementation date in October 2015. Their first responsibility is to perform an initial risk assessment (Requirement 1) to identify the transmission stations and substations the standard may apply to. Owners then have to identify the primary control centers that operationally control each transmission station or substation identified in the risk assessment.</p><p>Once these steps have been completed, owners will have 90 days to have an unaffiliated third party verify their assessments (R2). This third party can be a registered planning coordinator, transmission planner, reliability coordinator, or an entity that has transmission planning or analysis experience. 
</p><p>If the third party adds or removes a transmission station or substation from the original assessment, owners then have an additional 60 days to modify their risk assessments or document the basis for not making the appropriate changes.</p><p>Additionally, if the primary control centers identified are owned by a company other than the transmission station owner, that owner needs to be notified (R3) within seven days following the third-party verification that it has operational control of the primary control center.</p><p>After the initial risk assessment has been completed, transmission owners that are covered by the standard will perform subsequent assessments at least once every 30 months. Transmission owners that are not covered by the standard are also required by law to perform assessments, but only once every 60 months.</p><h4>Physical Security</h4><p>Once the transmission analysis and identification have been completed, owners are required to conduct evaluations of the potential threats and vulnerabilities of a physical attack (R4) to each of their respective transmission stations, substations, and primary control centers.</p><p>These evaluations should include unique characteristics of the identified and verified transmission stations, substations, and control centers. For example, characteristics could include whether the substation is rural or urban, if it’s near a major highway, or if it’s in a valley.</p><p>For instance, the substation could be “set down in a small valley, so there are areas around it [from which] a shooter could either shoot the transformers or even use a rocket-propelled grenade to shoot something into it,” Wick explains.</p><p>Owners also need to detail any history of attacks on similar facilities, taking into account the “frequency, geographic proximity, and severity of past physical security related events,” according to the standard. 
CIP-014 asks owners to include intelligence or threat warnings they’ve received from law enforcement, the Electric Reliability Organization, the Electricity Sector Information Sharing and Analysis Center, and government agencies from either the United States or Canada.</p><p>Once these evaluations have been completed, and no more than 120 days after R2 is completed, owners are required to develop and implement a documented security plan and timeline that covers their respective transmission stations, substations, and primary control centers (R5).</p><p>Within the security plan, owners should include law enforcement contact and coordination information, provisions to evaluate evolving physical threats and their corresponding security measures, and resiliency or security measures designed “collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified” during R4.</p><p>The drafting committee chose this language specifically, Wick says, because “you can’t just do one of those—you need to put them together as a group to ‘deter, detect, delay,’ because those are the primary components…in a layered security program.”</p><p>The committee was also purposely less prescriptive about methods owners can use as part of their security measures. “We tried to build in maximum flexibility to arrive at the same end state for everybody,” Wick says. For instance, to delay someone “you can do that several different ways. You could have a 20-foot-high wall with razor tape, or you could do it with a chain link fence; there are so many options that you could use to mitigate the threats and vulnerabilities that are identified in R4.”</p><p>This nonprescriptive method has faced some criticism, but many others think it’s beneficial. 
The regulators “are not really telling you to go out and spend all sorts of money on increased cameras, spending a lot of money on fences,” says Rich Hyatt, PCI, manager of security services for Tucson Electric Power. “They’re kind of promoting that you should harden up your site, like vegetation removal, signage…it’s not like the government’s coming in and telling you to spend $5 million per substation.”</p><p>The committee is also allowing owners to take a twofold approach by giving them the opportunity to build in resiliency on the operational side and protect their assets with security measures.</p><p>For example, Tucson Electric Power is increasing its resiliency by hardening its substations, says Hyatt, who’s also a member of the ASIS International Utilities Council. This is important because sometimes transformers malfunction. “There’s always the likelihood of sabotage, but we also have a threat of malfunction or weather-related issues, or manmade stuff that could go into a transformer being taken out,” he explains.</p><p>Hyatt is also working with substation employees to improve emergency communication, another issue addressed in the standard. “We’re also engaging our…substation folks to beef up their emergency response and have additional spare parts in their inventory so they can respond if a transformer got shot out—we could get it back online quicker,” he explains.</p><p>However, Jake Parker—director of government relations for the Security Industry Association (SIA)—says physically protecting assets is the better way to go for utilities security. “We think that physical security measures are much more cost effective because the cost of hardening the structure can also be extremely steep,” he explains. </p><p>Once owners have drafted and implemented their physical security plans, they then need to be verified again by a third party reviewer (R6) within 90 days. 
This reviewer can be an entity or organization with physical security experience in the electric industry and whose review staff: has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification; is approved by the Electric Reliability Organization (ERO); is a government agency with physical security expertise; or is an entity or organization with law enforcement, government, or military physical security expertise.</p><p>The ASIS certifications requirement was included after a review of existing applicable certifications. “By holding one of those two certifications, it shows that you know what you’re talking about on physical security,” Wick explains. “We did reviews of any certification that had physical security requirements, and these were the only two that were suitable.”</p><p>If the reviewer recommends changes to the R4 evaluation or the security plan, owners then have 60 days to comply with those recommendations or document why they are not modifying their plans.</p><h4>Penalties</h4><p>CIP-014 has an aggressive implementation timetable; Parker says he expects most utilities to have their physical security plans in place by spring 2016. There are no penalties for owners who do not comply with the new standard, although owners who do comply are required to keep documentation as evidence to show compliance for three years. NERC is responsible for enforcement.</p><p>Despite the lack of penalties and the limited number of transmission stations and substations covered by the standard, many companies say the standard has inspired them. 
CIP-014 has given companies guidance on increasing their physical security, according to Parker.</p><p>“We’re seeing, given the current environment and response to what happened at Metcalf…that utilities are finding it easier to justify security improvements across the board via rate increases,” he explains.</p><p>The rate increases are the funding mechanism utilities can use to pay for physical security improvements. They can do this by bringing proposals to their boards and justifying small rate increases “to cover the cost of the security upgrades because of the standard, but also because of the need to improve physical security of the electric grid overall,” Parker adds.</p><p>Hyatt agrees, saying that the industry is doing a “really good job” on being proactive in “policing up” and increasing the use of best security practices. The incident at Metcalf, he adds, has “actually increased security’s perception among executives where we work that physical security is just as important as cybersecurity.”</p>
Insider Threats in the Private Sector (National Security): https://sm.asisonline.org/Pages/Insider-Threats-in-the-Private-Sector.aspx
<p>When the document archive WikiLeaks started posting secret and classified information about the U.S. government’s role in the Iraq and Afghanistan wars in 2010, the federal government scrambled to address the security of classified information. President Barack Obama passed an executive order that called for the establishment of minimum standards for executive branch insider threat programs in 2012. But the guidance failed to address the private sector. This was made painfully clear when defense contractor Edward Snowden leaked thousands of classified documents.</p><p>The U.S. federal government is now poised to make changes to the 2012 National Insider Threat Policy, which requires government agencies handling classified information to develop an insider threat program. And with 90 percent of the nation’s classified information originating within the industrial environment, government defense contractors by extension must adhere to the policy. That’s where the National Industrial Security Program (NISP) enters the picture, explains John Fitzpatrick, the director of the Information Security Oversight Office (ISOO).</p><p>Every defense contractor that works with classified information must adhere to the NISP Operating Manual (NISPOM), which prescribes requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information.</p><p>The idea of the NISP is to have a mechanism for safeguarding classified information that is appropriately tailored to the industry environment, because companies are different from government agencies, according to Fitzpatrick. “The level of protection, once tailored, needs to be the same. 
That’s what the NISP does,” he explains.</p><p>A mandated insider threat program for the private sector is critical, because the damages caused by fraud, theft of intellectual property, IT sabotage, and espionage are on the rise, averaging $15 million over the last 10 years, according to a white paper by the Intelligence and National Security Alliance. The 2013 survey, A Preliminary Examination of Insider Threat Programs in the U.S. Private Sector, found that just over half of the 13 organizations interviewed have a formal insider threat mitigation program, and those programs were mostly technology-focused, monitoring network traffic and people that display suspicious online behavior. </p><p>However, the study points out that the insider threat is a person, not a computer, and “organizations must identify psychosocial events—anomalous, suspicious, or concerning nontechnical behaviors.”</p><p>The paper also recommends that companies develop an insider threat mitigation program that spans the entire organization, implements technical and nontechnical employee monitoring, practices an effective training and awareness program, and conducts counterintelligence inquiries and investigations.</p><p>The NISP Policy Advisory Committee (NISPPAC) announced in March 2014 that the organization was coordinating with the U.S. Department of Defense (DoD) to release the industry interpretation of the National Insider Threat Policy, finally producing a mandated insider threat program that is similar to the national policy. This guidance, called Conforming Change Two, will be officially added to the NISPOM by the end of July, contractually requiring all defense contractors that interact with classified information to develop an insider threat policy.</p><p>Taking an executive order aimed at government agencies and turning it into a cost-effective, industry-applicable standard isn’t an easy task. 
The NISPPAC, which represents NISP in creating standards, includes 13 representatives from executive branch agencies as well as eight representatives from the private sector, and is currently led by Fitzpatrick. He explains that the group’s goal is to take the applicable parts of the National Insider Threat Policy and edit it to be more easily understood and implemented by defense contractors. </p><p>The industry-interpreted insider threat program will require contractors to gather, integrate, and report relevant information indicative of a potential or actual insider threat, according to a DoD official. All contractors will have to complete yearly training on insider threat awareness and the security risks involved in handling classified information. A senior official from each organization must personally accept responsibility for the security of classified information systems. Contractors must also report any indications of an insider threat by using counterintelligence, security, information assurance, and human resources records.</p><p>Another change is shifting the responsibility of incident management from the contractor to the government. Under the new guidance, an appointed counterintelligence representative at the organization will serve as the point of contact with federal investigators if that company’s insider threat program has created an inquiry. </p><p>The core concept of the program puts more responsibility on the contractors to collaborate and take an active role in collecting information on potential insider threats, explains Daniel McGarvey, director of security programs at Global Skills X-change and the chair of the ASIS International Defense and Intelligence Council. 
Security, legal, human resources, and IT personnel will have to collaborate to successfully implement the program.</p><p>The collaboration between IT and human resources also places a much-needed emphasis on the behavior of a potential malicious insider—or even someone prone to workplace violence, McGarvey points out.</p><p>“It is pushing us to actually relook at how we handle insider threats—not only the theft of assets, but violence,” he explains. “Traditionally we’ve separated the two, but in terms of behavioral characteristics, we’ve realized it really isn’t a separate event, it’s just how people handle issues. This is forcing us to think through it using current technologies.”</p><p>Fitzpatrick agrees. He says that being able to detect the change in a trusted person that would lead them to suddenly put classified information at risk should be built into the security environment. “What the insider threat emphasis through this national policy does is to remind organizations that they have more tools than simply locks on the doors, passwords on the computers, and periodic reinvestigations to assess that risk,” Fitzpatrick explains. “You need supervisors that notice that, ‘something’s wrong with that guy over the last couple months—what is that and why?’”</p><p>Fitzpatrick says the most important part of the NISPOM update is clarifying for contractors exactly what role they play in information-providing versus actively investigating an employee. Company liability concerns are a big issue, he says, and companies that currently investigate potential insider threats will have to give that responsibility to federal agencies instead.</p><p>“What is the line between what the government agencies will do in cooperation with the company, and what the government expects the company to do in response to a government requirement?” Fitzpatrick notes. “That’s the fine line that we have to make sure we make clear. 
We’re not asking companies to launch investigations, but we might ask them for information to support a government investigation.”</p><p>McGarvey has been working with the ASIS Defense and Intelligence Council, as well as members of the NISPPAC and the Defense Security Service, to preemptively address challenges before the conforming change is published—the DoD will require all cleared contractors to implement the changes within six months of publication.</p><p>One concern McGarvey raises involves the counterintelligence representative each organization is supposed to appoint—who should that individual be, and what training should they have? These questions aren’t outlined in the NISPOM change, McGarvey notes.</p><p>“There is no current counterintelligence training of any kind for security officers,” McGarvey says. “The only formal training is done by the government for federal counterintelligence officers. A security officer doesn’t need to know the full range of counterintelligence techniques and tradecraft, but there are selected areas they do need to know.”</p><p>To address this issue, McGarvey and the Defense and Intelligence Council have been analyzing aspects of the counterintelligence position and determining what critical skills are needed for the job. The council has put together a number of working groups—comprising both industry and government participants—to look at not only how the policy is written, but the impacts of implementation. Those groups will work to either develop an implementation approach or change the policy to make implementation feasible.</p><p>Another concern is the inevitable cost of implementation—one of NISP’s biggest roles is curbing the costs involved with implementing an executive order meant for government agencies. 
To tackle this, McGarvey says the council has created an insider threat certificate workshop that teaches cost-effective implementation tactics as well as how to use security metrics to increase the value of the conforming change.</p><p>“A lot of what we looked at was not adding anything, but repurposing some of the existing capabilities,” McGarvey explains. “We took what was mandatory and added to it to make it effective.” </p>
The War on Human Trafficking (Strategic Security): https://sm.asisonline.org/Pages/The-War-on-Human-Trafficking.aspx
<p>Truck driver Kevin Kimmel was parked at a rest stop near Richmond, Virginia, on a night in early January 2015 when he noticed a young woman repeatedly peering out through the black curtains of a nearby RV. Kimmel grew suspicious watching a man go back and forth repeatedly between the convenience store and the RV. At one point, as the young lady was looking out the window, she seemed to be yanked away by someone else in the vehicle. Kimmel decided to call the police.</p><p>When the cops arrived, the man and a woman accompanying the girl said they were taking a family trip. But once officers separated the 20-year-old girl from the couple, they learned that she had been kidnapped in Iowa on Christmas Eve. The couple had starved, threatened, and tortured her, and they had forced her into an online prostitution scheme. The girl has since been reunited with her family, and the couple are facing federal charges of sex trafficking by force.</p><p>“If it was not for that truck driver who just noticed it was really suspicious and didn’t let it go until he got law enforcement out there, who knows where she would be,” says Kendis Paris, executive director of Truckers Against Trafficking, a nonprofit dedicated to educating the trucking industry on human trafficking.</p><p>The Polaris Project, a nonprofit that works to combat modern-day slavery, defines human trafficking as the use of force, fraud, or coercion to control other people for the purpose of engaging in commercial sex or forcing them to provide labor services against their will. 
</p><p>An estimated 100,000 to 300,000 American children are at risk of becoming child sex trafficking victims every year, and the average age of children entering the sex trade in America is 12 to 14, according to the National Center for Missing and Exploited Children (NCMEC). The increasing prevalence of sites like Craigslist and Backpage has allowed the illegal sex trade to migrate from street corners to the Internet, making it harder than ever to track down potential trafficking victims.</p><p>Although the statistics are staggering, there is hope. Federal task forces and national advocacy groups are partnering with industry professionals to bring awareness and collaboration, and provide the tools needed for bystanders to take action against potential trafficking situations, like Kimmel did at the truck stop.</p><p>Last summer, the FBI’s human trafficking task force in Boston approached Michael Soper, the chairman of Boston’s Hotel Security Association, about collaborating with hotels to look for victims of trafficking. Trafficking victims frequently move in and out of hotels; they are never kept in one place for long. An information-sharing partnership among the FBI, the Boston Police Department’s human trafficking unit, and the Hotel Security Association immediately took off.</p><p>“Once the problem was brought to the industry’s attention and the magnitude of it, everyone had one of those ‘Oh wow, this is really serious’ kind of moments,” Soper says. “In the old days I just thought prostitution at hotels was one of those things that existed and was part of running a hotel. Once the hotels realized that this is becoming a major issue, of course they wanted to be a part of the solution.”</p><p>The first step was developing a training program for housekeeping staff. Soper notes that staff members are the eyes and ears of hotels and can easily notice anything out of the ordinary, including the presence of prostitutes. 
“To have any type of campaign that’s designed for hotels to identify and respond to the human trafficking problem, we need to start with the very core of where most information about things happening at hotels comes from, and that’s the housekeeping department,” he explains. </p><p>Now, the housekeepers are trained on signs of human trafficking and when to report them. For example, housekeepers are cautioned to watch out for trafficking in rooms that request new sheets several times a day and house underage patrons who avoid eye contact, appear to be in poor health, or show signs of physical abuse. </p><p>With that information, hotel security directors can further investigate by trying to get a look at the woman or even scouring Craigslist or Backpage, where prostitution services are often listed. If there are any concerns, the hotel director will contact the FBI task force or Boston police, Soper explains. </p><p>The partnership has been successful in that more calls than ever before are being made to Boston human trafficking task forces, and Soper urges industry professionals to reach out to local task forces to acquire resources and collaborate on catching traffickers. </p><p>When human trafficking victims are not in hotels, they’re on the road. That’s why Truckers Against Trafficking is working to enlist the 3 million registered truck drivers in the United States to be the eyes and ears of the nation’s highways and rest stops. The organization partners with groups both in and outside the industry—trucking schools, large carriers, truck stop managers, and local and federal law enforcement—to provide training on the signs of human trafficking and what actions to take. 
For example, truckers should be wary when underage travelers have few personal possessions, are not allowed to speak, or lack knowledge about their destination.</p><p>“Right now it’s just so easy for these guys to operate unfettered along our nation’s highways, because they count on lack of communication, awareness, or networking,” notes Paris, the program’s executive director.</p><p>Beyond the sheer number of drivers, tapping into the trucking industry for assistance is valuable because they are more likely to come across trafficking situations at truck stops or while dropping off loads at events, casinos, and businesses, Paris says. “The girls are typically more easily recovered in transit because they’re out in the open, whereas sometimes in these brothels they’re all underground,” she explains. “It’s helping the people who are in these positions to identify and recognize what they’re looking at and knowing how to report it, and in such a way that they give actionable information when they call law enforcement.”</p><p>The first step is to educate: Paris says most people don’t notice the signs of human trafficking, or believe that potential victims are involved in prostitution by choice. “Even if she looks happy, folks need to consider that if you have anybody under the age of 18, you’re looking at a victim of human trafficking if they’re involved in commercial sex,” Paris says. “So often we hear, ‘I just never thought about it.’ For most people it’s not on their radar screen.”</p><p>Truckers Against Trafficking hosts a number of meetings involving carriers, truck stop managers, and state trucking associations, as well as attorneys general, the U.S. Department of Homeland Security, the FBI, and state and local law enforcement.</p><p>These meetings—“basically, mini-conferences,” Paris says—allow for an open dialogue between industry stakeholders and law enforcement on how to combat human trafficking in their community. 
Everyone receives the same training, which allows truckers to feel more confident calling in a potential trafficking situation and helps law enforcement respond appropriately. The organization conducted four meetings across the country last year, but plans to hold eight meetings in 2015 due to high demand.</p><p>“There’s been a tremendous response from law enforcement—they get that there are more truckers out on the road than there are law enforcement at any time,” Paris explains. “They understand that truckers are a viable source of information, and they see things a lot of people don’t.”</p><p>Truckers Against Trafficking has created a replicable training model currently used in at least 15 states, and Paris hopes it will be used by other industries. “Where I would love to see the model replicated is the motorcoach industry—buses and bus terminals,” Paris explains. “Imagine if every taxi driver was trained and knew what to look for.”</p><p>Other private security sector industries can play a big role in identifying human trafficking. A new training program developed through a partnership between the NCMEC and ASIS International gives security professionals the tools they need to help combat the issue, says Kristen Anderson, the executive director of training and outreach at NCMEC.</p><p>“Right now, law enforcement can’t do this alone,” Anderson says. “We focus so much time and effort working on education for law enforcement and prevention techniques for community members, but there is this whole layer of people who work in the private sector who play a potential role by virtue of their position. 
We’re trying to harness the human resources of the private sector security force to really join with us in this effort to keep kids safe and to know what to do if something does happen.”</p><p>The online training, which is available to ASIS members on the NCMEC website, educates security professionals on what to do if they find themselves in a situation involving a vulnerable child. For example, if a mother comes up to a security officer in the mall to report her child as missing, the training details the information the officer should collect while waiting for law enforcement.</p><p>Some situations must be handled delicately—if a child makes a disclosure to someone in uniform or an authority figure, the officer should acknowledge the child, say that they believe him or her, and stay with the child until law enforcement arrives. </p><p>“They should not try to interview the child about whatever may have happened,” Anderson explains. “We want to assist law enforcement without getting involved in things that could jeopardize an investigation or traumatize the child in an unnecessary way because the officer isn’t trained in how to interview child victims.”</p><p>Anderson says the NCMEC training targeted to security professionals is just the start—the organization would like to develop more targeted training for the airline, mass transportation, and even healthcare industries.</p><p>“This isn’t something that we’ve done before in terms of engaging industry in this way,” she notes. “We have worked with a lot of private sector partners but not in this training element. We’re very excited about it.”</p>
https://sm.asisonline.org/Pages/Building-Cyber-Awareness.aspx
Building Cyber Awareness | Cybersecurity
<p><span style="line-height:1.5em;">Early in 2009, while working the night shift as a contract security guard, Jesse William McGraw infiltrated more than 14 computers at the North Central Medical Plaza in Dallas, Texas. McGraw, who is the self-proclaimed leader of the hacking group Electronik Tribulation Army, installed a program on the computers that would allow him to remotely access them to launch DDoS (distributed denial of service) attacks on rival hacking organizations’ websites.</span></p><p>Among the computers McGraw hacked into were a nurses’ station computer—which had access to patient information protected by the Health Insurance Portability and Accountability Act (HIPAA)—and a heating, ventilation, and air conditioning computer that controlled the airflow to floors used by the hospital’s surgery center. Over several months in 2009, McGraw further compromised the hospital’s network by installing malicious code and removing security features, making the network even more vulnerable to cyberattacks.</p><p>To document his work, McGraw made a video and audio recording of his “botnet infiltration.” Set to the theme of Mission Impossible, McGraw described his actions: accessing an office and a computer without authorization, inserting a CD containing the 0phcrack program into the computer to bypass security, and inserting a removable storage device, which he claimed contained a malicious code or program. McGraw then posted the video to the Internet, asking other hackers to aid him in conducting a “massive DDoS” on July 4, 2009. </p><p>His online actions attracted the attention of the FBI, which, five days before his planned attack, arrested him on two charges of transmitting malicious code. 
McGraw pled guilty to the charges and was sentenced to 110 months in federal prison in 2011.</p><p>An attack similar to McGraw’s is even more worrisome now as companies are increasingly using building systems and access control systems that are connected to computers. Between 2011 and 2014, the number of cyber incidents reported to the U.S. Department of Homeland Security (DHS) that involved industrial control systems grew from 140 to 243 incidents—an increase of 74 percent. </p><p>Yet many private and public entities aren’t addressing the cyber risks associated with these systems. In fact, according to a Government Accountability Office (GAO) report, DHS is not assessing or addressing cyber risks to building and access control systems at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) at all.</p><p>“DHS has not developed a strategy, in part, because cyber threats involving these systems are an emerging issue,” the GAO found in its recent report. “By not developing a strategy document for assessing cyber risk to facility and security systems, DHS and, in particular, [the National Protection and Programs Directorate] have not effectively articulated a vision for organizing and prioritizing efforts to address the cyber risk facing federal facilities that DHS is responsible for protecting.”</p><p>Within most federal facilities there are building control systems that monitor and control building operations such as elevators, electrical power, heating, ventilation, and air conditioning. Many of these systems are connected to each other and to the Internet, making them extremely vulnerable to cyberattacks that could compromise security measures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities or occupants, the GAO reports. 
For instance, a cyberattack could allow people to gain unauthorized access to facilities, damage temperature-sensitive equipment, and provide access to information systems.</p><p>And perpetrators aren’t just limited to outside actors; they can also come from insider threats. “Insider threats—which can include disgruntled employees, contractors, or other persons abusing their positions of trust—also represent a significant threat to building and access control systems, given their access to and knowledge of these systems,” the report explains.</p><p>Under the Homeland Security Act of 2002, DHS is required to protect federal facilities as well as people inside those facilities. As part of that responsibility, DHS’s National Protection and Programs Directorate (NPPD) is in charge of strengthening the security and resilience of U.S. physical and cyber-critical infrastructure against terrorist attacks, cyber events, natural disaster, or other catastrophic incidents.</p><p>Yet as a department, DHS lacks a strategy that defines the problem and identifies the roles and responsibilities for cyber risk to building and access control systems, according to the GAO. Also, the report notes that DHS has failed to analyze the necessary resources or identify a methodology for assessing such risk. </p><p>Additionally, the Interagency Security Committee (ISC), the body responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyberthreats to building and access control systems into its Design-Basis Threat report. The report aims to set standards based on leading security practices for all nonmilitary federal facilities to “ensure that agencies have effective physical security programs in place.”</p><p>However, cybersecurity has not been added to the report because “recent active shooter and workplace violence incidents have caused ISC to focus its efforts on policies in those areas first,” according to the GAO report. 
But the office has reported that “incorporating the cyber threat to building and access control systems in ISC’s Design-Basis Threat report will inform agencies about this threat so they can begin to assess its risk.”</p><p>Furthermore, the General Services Administration (GSA) has not “fully assessed” the risk of a cyberattack on building control systems consistent with the Federal Information Security Management Act of 2002 (FISMA) or its implementation guidelines. According to the GAO’s report, GSA has assessed security controls of building control systems, but has not fully assessed the elements of risk, such as threats, vulnerabilities, and consequences.</p><p>“For example, five of the 20 reports [GAO] reviewed showed that GSA assessed the building control device to determine if a user’s identity and password were required for login, but did not assess the system to determine if password complexity rules were enforced,” the GAO reports. “This could potentially lead to weak or insecure passwords being used to secure building control systems.”</p><p>Coleman Wolf, CPP, security lead for global engineering consulting firm ESD, said he was not surprised by the office’s overall findings. “The part that does surprise me is that some of the assessment that is supposed to go on is not going on, or the plans are not in place to conduct those assessments,” says Wolf, who is also the chair of the ASIS International IT Security Council. “I would expect that on the private sector side, but I just thought there were more stringent plans in place on the federal side.” </p><p>However, Wolf says he doesn’t think there will be a big drive for changes in assessing cyber risk of building systems until it begins to impact people at a personal level in their own homes. 
“As people start to see these kinds of potential consequences, I think people will start to demand more be done to assess and rectify these kinds of threats,” he predicts.</p><p>While the private sector begins to focus on building control systems, the public sector is complying with GAO’s recommendation that the appropriate government agencies should take steps to assess cyber risks. </p><p>“We [at DHS] are working to develop a strategy for addressing cyber risk to building and access control systems,” says S.Y. Lee, a DHS spokesman. “This strategy will utilize best practices and lessons learned from the private sector experiences of the DHS National Cybersecurity and Communications Integration Center’s Industrial Control Systems Cyber Emergency Response Team (CERT).”</p><p>The ISC is also working with DHS’s US-CERT and ICS-CERT to incorporate potential cyber risks to buildings and access control systems into the Design-Basis Threat Report and Countermeasures Appendix. As the next step of the process, ISC will meet with GSA and other agencies to plan a comprehensive review of cyber risks to building access control systems. </p><p>It will then issue additional guidance to its federal partners on appropriate countermeasures in the next annual review of its Design-Basis Threat Report, which is scheduled for release in October 2015, according to a DHS official.</p><p>GSA also agreed with the findings of the report and said it will take “appropriate action” to make sure its assessments of cyber risks to building control systems are compliant with FISMA and implementing guidelines, according to a letter included in the report by Dan Tangherlini, a GSA administrator. </p><p>However, GSA did not respond to requests for comment before press time on what specific actions it planned to take to address cyber risks.</p>
https://sm.asisonline.org/Pages/The-Art-of-Assimilation.aspx
The Art of Assimilation | Strategic Security
<p><span style="line-height:1.5em;">It’s the first day on the job for your organization’s latest hire, and the new employee is enthusiastic, energetic, buzzing around the office with a so-great-to-be-here attitude and a handshake and easy smile for all. </span></p><p>Fast forward a few months, and the new hire now seems diminished, disengaged, schlumping around the office with a what-was-I-thinking attitude and a demeanor that resembles a half-deflated balloon. An early exit from a job once considered a great career move may be imminent. </p><p>It’s a disheartening scenario, but a company can minimize the chances that it will ever happen with a strategic onboarding program. Effective onboarding, experts say, is a critical tool in maintaining high levels of employee engagement, satisfaction, and retention, and in reducing turnover costs. Yet many senior management teams view onboarding as an afterthought, if they think about it strategically at all. Given the stakes at play, this is inadvisable, says Laura DiFlorio, an onboarding expert with the Nobscot Corporation, a human resources consultancy specializing in retention management. </p><p>“Managers can’t spend an hour with a new hire explaining processes and be done with it,” DiFlorio says. “It’s important to remember that even if a new hire is highly skilled and experienced, they know little to nothing about your company culture, your processes and expectations.”</p><p>Losing talented new employees because they are confused, feel alienated, or lack confidence may be an indicator of inadequate onboarding. But such a situation is remediable. 
An organization can go on the offensive and formulate an onboarding program that will help smoothly integrate new employees, reduce the time needed for new hires to reach high productivity, minimize early turnover, and possibly gain an edge over competitors. In this article, experts discuss the key components that are necessary to build an effective onboarding program and give best practice advice for its successful implementation.</p><h4>The Fragile New</h4><p>Onboarding, sometimes called organizational socialization, may be defined as a process through which new hires learn attitudes, knowledge, skills, and behaviors required to function effectively in their organizations, according to a report from the Society for Human Resource Management (SHRM) Foundation, Onboarding New Employees: Maximizing Success.</p><p>“Research and conventional wisdom both suggest that employees get about 90 days to prove themselves in a new job,” writes report author Talya Bauer, an onboarding expert and management professor at Portland State University.   </p><p>In addition, new hires are physiologically vulnerable during this period, says DiFlorio. She explains this as follows. When undertaking familiar tasks, most workers switch to autopilot to conserve energy and save brain power for things that require more conscious thought. Thus, a worker might switch into this mode while driving to work; once he or she arrives, that person cannot actually remember the trip itself.</p><p>New hires, on the other hand, have few auto-pilot opportunities. “Every action from the moment the new hire wakes up requires conscious thought. That uses a lot of energy and creates ‘new hire fatigue.’ It also makes new hires less resilient to things that are not going according to plans or expectations,” she explains. 
Thus, the mindset of new hires, although outwardly enthusiastic, is typically nervous, anxious, and a bit lost and confused.</p><p>With that fragile mindset, when things don’t go according to expectations, there’s a greater chance for either a “quick quit”—when an employee leaves within the first 90 days—or early turnover, when an employee leaves within the first year. Such early exits are not uncommon, statistics show. Roughly 46 percent of newly hired employees fail within 18 months, while only 19 percent achieve unequivocal success, according to a study conducted by business consulting firm Leadership IQ.</p><h4>Before Day One</h4><p>While no company wants early turnover, onboarding best practices can be hard to come by. The comprehensiveness of onboarding programs across U.S. organizations varies widely, according to the SHRM report. On one end are “passive” onboarding programs, which often include a brief one-time explanation of procedures and a checklist of disconnected tasks. The SHRM report estimates that about a third of all organizations conduct onboarding at this basic level. On the other end are programs like “L’Oreal Fit,” the L’Oreal company’s two-year, six-part integration program that includes personalized meeting programs, training, roundtable discussions, and field experiences, such as site visits and shadowing programs.</p><p>While many organizations might not have the budget or staffing to conduct a two-year program like L’Oreal’s, an effective onboarding program can still be run with modest means if certain key concepts are followed, experts say. An effective onboarding program, according to the SHRM report, has four levels: compliance, clarification, culture, and connection.</p><p>Compliance, the lowest level, is established when employees are taught basic company rules and regulations. The next level, clarification, is achieved when new hires understand their jobs and expectations. 
Passive onboarding programs generally operate on these first two levels.</p><p>The next two levels, however, are where organizations can distinguish themselves and reap the benefits of onboarding. Culture means providing employees with organizational norms, both formal and informal. Connection refers to the interpersonal relationships and information networks that new employees must establish for success.  </p><p>To launch an onboarding program that reaches all four levels, it’s crucial that the program start early—even before the new hire actually arrives, says George Bradt, author of Onboarding: How to Get Your New Employees Up to Speed in Half the Time.</p><p>In a sense, onboarding actually starts with recruiting, Bradt says. During the interview process, a candidate should be given information about the culture of the organization, and allowed time to do “due diligence” on what it would be like to work there. The hiring manager should encourage this, and not act like “a used car salesman” and oversell the position.  </p><p>Bradt also advises managers to ensure that everyone in the department is aligned with the new employee before he or she comes on board. Staff should know exactly what the new hire’s role will be and how they should coordinate and work with them. This is especially important, Bradt explains, because quick quits are usually due to conflicts with peers and other stakeholders, rather than with a supervisor who was instrumental in the hiring itself. “You get a lot of ‘I thought that was my job,’” Bradt says. “They trip over each other.”</p><p>In addition, many organizations are not prepared for a new hire’s first day. “It’s surprising, the stories you hear,” Bradt says. This mistake can be avoided if managers make the effort to ensure that the new employee’s computer and other technologies are working, that key cards and security clearances are ready, and that a work station is available and prepared. 
</p><h4>Socialization and Culture</h4><p>Once the employee is in the office every day, experts advise organizations to follow several practices to enhance the onboarding program. </p><p>One focal point of the program should be the socialization process, in which a new hire moves from feeling like an outsider to connecting with, and identifying with, the organization, DiFlorio explains. This is crucial for avoiding early turnover; once a new hire identifies with the organization, he or she is less likely to quit. “It can be heard in the language that new employees use when they switch from talking about the company in terms of ‘they’ and move to the more self-inclusive ‘we,’” she says. </p><p>To increase the chances of successful socialization, managers should consider a new hire mentoring or “buddy” program to connect new employees with a more senior person in a similar role who can help acclimate them, experts say. Acculturation is critical; embedded in an organization’s culture are unconscious and unspoken beliefs that determine how things are done within the company. “When this information isn’t communicated, new employees can find it difficult to be successful and may feel ostracized or get discouraged,” Bauer writes in the SHRM report. For example, a company may claim to have a relaxed attitude about communications when a more rigid reporting structure is actually the norm. Having this information could help a new employee avoid embarrassing missteps. Thus, a mentor can be a great help in getting a new hire up to speed. </p><p>In addition to transferring cultural knowledge, a manager’s duties include making an effort to carve out space in the culture for the new hire, experts say. This is especially important if the organization has many long-term employees. In addition, the new hire’s supervisor should always keep in mind that they are the role model for the new hire. 
</p><p>“Managers should be careful to ‘walk the talk’ of the culture that they want to reinforce,” DiFlorio says. For example, a manager who frequently bypasses security checkpoints when coming into the office is not setting the optimal example for new hires. Another sound practice is for managers to arrange for the new hire to have frequent check-ins, not only with the manager but with the manager’s supervisor or the CSO. Frequent check-ins help reduce miscommunication and anxiety and keep the new hire on track, she adds. </p><p>To facilitate connection and relationships, security managers in particular should consider structuring extensive networking opportunities internally and externally. This can be particularly important if the firm’s security employees are perceived as the “company cops” who are neither socially nor culturally well integrated. </p><p> “Departments such as security can often feel like the unloved step-child to the rest of the organization. In this kind of environment, it’s important to build bridges as early and often as possible,” according to DiFlorio. Broadening onboarding programs to include components like cross-divisional mentoring programs, intradepartment training activities, and companywide online message boards can help break down silos and bring employees from different departments of the organization together, she adds.</p><h4>Measuring Success</h4><p>How does an organization know if its onboarding program is working? The SHRM report cites four areas, or “levers,” that companies can focus on to gauge onboarding effectiveness.</p><p>The first is self-efficacy, or self-confidence, in job performance. Self-efficacy has been shown to have an impact on organizational commitment, satisfaction, and turnover; when employees feel confident that they are doing the job well, their motivation and chances for success increase. 
“Organizations should target specific onboarding programs to help boost employees’ confidence as they navigate new organizational waters,” Bauer writes. For example, IBM assigns an “ask coach” to new hires to facilitate the early stages of the new job learning process.   </p><p>  The second is role clarity, or how well a new employee understands his or her role and responsibilities. Performance often suffers if expectations are ambiguous. Thus, managers should focus on making a new hire’s position as well-defined as possible, and they should also make an effort to avoid role conflict between new and existing employees. </p><p>  The third is social integration. Research has long found that acceptance by coworkers is a crucial indicator of employee adjustment, and acceptance into a work group is related to employee commitment level and turnover rate, according to the report. Whenever possible, managers should facilitate the new hire’s social comfort in the organization. Meeting and working with organizational “insiders” can also enhance the adjustment process for a new hire. Such meetings can help to clarify how the workplace culture interprets issues such as dress codes.</p><p>The fourth is knowledge of and fit within the organization’s culture. Understanding the company’s politics, goals, and values, as well as learning the firm’s unique language, are key indicators of employee adjustment. It’s up to managers to make the company’s culture transparent, Bauer writes in the report, and all managers  can enhance this process by showing how the new hire fits well within the organization. So, after the new hire’s skills and interests are discussed during the interview process, the manager can facilitate introductions and connections with existing employees based on that information. 
For example, someone who played varsity softball in college might be introduced to the captain of the company softball team.</p><p>Another good way to measure onboarding success is for the manager and new hire to collaborate on an individual plan for growth and performance, with clearly defined deliverables, DiFlorio says. Managers should identify the skills the employee brings with them, as well as identify areas that will require training, and then encourage the employee to develop their own training plan for how they can come up to speed and develop new skills, she says. </p><p>The final aspect to a successful onboarding program may be the most critical—new employees must actively facilitate the process. This can be done in a variety of ways, from engaging in small talk with coworkers to arranging informal lunches to participating in voluntary company functions. </p><p>In this regard, it is often helpful for a new hire to “go slow to go fast,” Bauer writes in the SHRM report. Sometimes, go-getters adopt an extreme work-work-work attitude, in part to prove themselves. “A lot of times people want to jump in right away,” Bauer writes. But they may skip important aspects of building relationships and miss learning the subtler norms of the organization. </p><p>“Actually going to lunch the first week can make a big difference,” she adds.</p><p><em>To read the article in Spanish, </em><a href="/Pages/El-Arte-de-la-Asimilación.aspx"><em>click here</em></a><em>.</em></p>
https://sm.asisonline.org/Pages/Safety-First.aspx
Safety First | Strategic Security
<p>In June 2014, OSHA handed out a $135,200 fine to a Texas fruit and vegetable processor and its staffing agency for exposing temporary employees to dangerous noise levels, toxic chemicals, and other alleged hazards. The action is one of many, indicating that the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) has begun taking employers to task over safety violations involving temporary employees.</p><p>The processor was cited for 12 serious safety and health violations, with a penalty of $76,100, for failing to prevent workers from exposure to hazardous chemicals; identify and evaluate respiratory hazards in the workplace; and ensure that a hearing conservation program was implemented for workers exposed to noise levels that would cause permanent hearing damage, according to an OSHA announcement. </p><p>Additionally, the processor was cited for a series of repeat violations, with penalties, for failing to ensure sufficient working space around electrical equipment and unobstructed access to fire extinguishers. Three other violations were given for failing to record injuries of temporary workers, review logs for accuracy, or ensure that safety instructions were clearly posted on dangerous machines.</p><p>OSHA inspectors also cited the staffing agency for one serious safety and health violation, with a penalty of $6,300, finding that temporary workers employed by the agency were exposed to chemical hazards and were not trained on chemical safety. </p><p>“Workers, whether employed directly by the company or as a temporary worker, require proper training on workplace hazards,” said Kelly C. Knighton, OSHA’s area director in San Antonio, in a press release. 
“Both host employers and staffing agencies have roles in complying with workplace health and safety requirements, and they share responsibility for ensuring worker safety and health.”</p><p>Along with its actions in Texas, OSHA cited five companies, including four staffing agencies, for alleged violations that led to the death of a temporary employee in New Jersey. The administration also cited a waste management company for the death of a 31-year-old temporary employee tasked with loading garbage onto a disposal truck; he was killed on the third day of his new job. </p><p>These are just some of the instances where OSHA has taken action in recent months, and the agency’s interest in the safety and health of temporary employees is expected to continue.</p><p>This may not be surprising, given that the use of temporary employees has dramatically increased over the past 10 years. The U.S. Bureau of Labor Statistics (BLS) recently estimated that there were more than 2.8 million temporary employees in the United States. As temporary employee numbers have increased, so too have the numbers of injuries and deaths to those employees. These injuries and fatalities have piqued the interest of plaintiffs’ attorneys.</p><p>In April 2013, OSHA launched an initiative to further protect temporary employees from workplace hazards using enforcement, outreach, and training. OSHA noted that employers have the responsibility to provide the appropriate safety and health training to all employees regarding hazards in their specific workplace.</p><p>To determine whether employers are meeting this requirement, OSHA directed all of its inspectors to ascertain whether the employer had temporary employees working on the site and whether any of the identified temporary employees were exposed to noncompliant conditions at that work site. 
The initiative further directed the inspectors to determine, using records reviews and interviews, whether those employees had received the required training in a language and vocabulary they understood, and had recognized the hazards associated with the task they were performing.</p><p>While contingent on the specific facts of each case, staffing agencies and host employers are normally considered jointly responsible for maintaining a safe work environment for temporary employees. This means they share a duty to ensure that basic training, hazard communications, and record-keeping requirements are maintained. </p><p>Guiding employers are a variety of federal and state laws and regulations. OSHA has also identified steps employers should take to ensure safety at their facilities, including training, recordkeeping, and developing assessments.</p><h4>Assessments</h4><p>OSHA recommends that the temporary staffing agency conduct an initial general safety and health assessment when evaluating workplaces. It also recommends that the agency periodically repeat the assessment at the host employer’s location to ensure that the temporary employees are being placed in a safe work environment and are being provided any necessary personal protective equipment.</p><p>If any unsafe areas are identified during the assessment, the temporary staffing agency should ask the host employer to correct those hazards, inform the temporary employees of the hazards identified, take reasonable alternative protective measures to protect the temporary employee, and remove its employee from the job if a significant hazard is not properly corrected. </p><p>For example, in June 2014 a temporary employee died from injuries sustained at an online retailer’s fulfillment center in Avenel, New Jersey, after he was trapped by a conveyor system and crushed while sorting packages. 
The contractor responsible for operating the facility was fined by OSHA, but so was the third-party logistics provider that had hired the temporary employee and three other temporary staffing agencies. The agencies were fined because they had failed to certify that a hazard assessment of the facility had been conducted before the temporary employee was assigned to work there. </p><p>“Temporary staffing agencies and host employers are jointly responsible for the safety and health of temporary employees. These employers must assess the work site to ensure that workers are adequately protected from potential hazards,” said Patricia Jones, director of OSHA’s Avenel Area Office, in a press release on the incident. “It is essential that employers protect all workers from job hazards—both temporary and permanent workers.” </p><p>Similarly, the host employer should conduct an assessment to ensure it is providing a safe work environment for the temporary staffing agency’s employees. It should also identify and mitigate any safety and health hazards within the site where the temporary employee may be working. Additionally, the host employer should promptly mitigate any safety and health hazard identified by the temporary staffing agency’s initial and periodic health and safety assessments, as well as abate any safety, health, or environmental regulatory citation issued against the host employer’s work site.</p><h4>Training</h4><p>OSHA recommends that the temporary staffing agency provide basic safety training to its employees. This includes an overview of topics applicable to the work site where they are being assigned.
The staffing agency should maintain written training records of all its employees and ensure that the host employer’s site-specific training adequately addresses the potential hazards that its temporary employees may be exposed to while working at the host work site.</p><p>For the host employer, OSHA recommends that it provide all state and federally mandated compliance training applicable to the work environment and processes. In addition, it recommends that the host employer provide site-specific safety training to temporary employees in a language they best understand and in accordance with government regulations. These regulations may specify the minimum training requirements and the timeframe in which they must be delivered.</p><p>Some of the OSHA training applicable to temporary employees includes implementing lockout procedures along with safe handling of chemicals and understanding the host company’s hazard communication program. Additional training includes informing temporary employees of site-specific emergency procedures, proper certification training on powered industrial vehicles, and training on the proper use of personal protective equipment at the site.​</p><h4>Recordkeeping</h4><p>If the host employer directs the temporary employee’s work, the host employer will be responsible for maintaining the OSHA 300 logs, which record the work-related injuries and illnesses of temporary employees. This means that the host employer must record any temporary employee injury or illness on the OSHA 300 log, immediately notify the temporary staffing agency of any injury to a temporary employee, and offer alternative work to restricted temporary employees as part of the return-to-work program.</p><p>The temporary staffing agency is normally responsible for providing medical management of injuries suffered at the host employer’s work site. 
The temporary staffing agency usually provides any associated injury benefits and coordinates the administration of workers’ compensation and any other issues associated with the employee’s injury.​</p><h4>Other Considerations</h4><p>In addition to the legal liability associated with OSHA, there are other legal considerations that temporary staffing agencies and host employers should recognize, including state laws and tort liability.</p><p><strong>State laws.</strong> Workers’ rights groups, such as the National Staffing Workers Alliance and the National Council for Occupational Safety and Health, have issued a list of recommendations for improving safety for temporary agency employees. This includes recommending the passage of a Temporary Worker Right to Know law.</p><p>A similar law, enacted in Massachusetts in January 2013, requires employment agencies in the state to provide temporary employees with certain written information before the employees go to a new work site. This includes payment information, whether there is a strike or lockout at the job site, and whether the position requires special clothing, tools, licenses, or training. The law also prevents staffing agencies from providing false or misleading information to an applicant or employee, forcing temporary employees to go to an unwanted assignment, or sending temporary employees to a job assignment without a required license.</p><p><strong>Liability.</strong> As joint employers, normally the temporary staffing agency and the host employer enjoy the same workers’ compensation protection for an injury to a temporary employee. However, more states are allowing injured employees, whether full-time or temporary, to opt out of the workers’ compensation system if they can show that willful or intentional conduct or gross negligence resulted in the injury to those employees. 
This allows the temporary employee to potentially sue both the temporary staffing agency and the host employer for intentional tort, usually in state court.</p><p>In addition, if the injury to the temporary employee results in the death of that employee, there is a much greater chance of having criminal liability brought against both the temporary staffing agency and the host employer. While OSHA does have criminal provisions in the act, only two or three cases are referred each year to the U.S. Department of Justice for criminal prosecution.</p><p>The more likely scenario for criminal liability against the temporary staffing agency or the host employer comes at the state level. Either the county district attorney or the state attorney general could bring an action for negligent homicide or another form of criminal liability against either the temporary staffing agency or the host employer.</p><p>In such cases, both the temporary staffing agency and the host employer should retain appropriate legal counsel during both the OSHA inspection and any local or state police enforcement investigation. This will help preserve all legal rights or defenses available to either one of the entities.</p><p>It seems likely that the use of temporary employees will continue in the foreseeable future. This being the case, more employers will need to be aware of their legal rights, responsibilities, and potential liabilities when using temporary employees. Also, temporary staffing agencies should recognize that joint liability may be placed on them and that they should do everything to ensure that the temporary employees they provide to host employers are protected from any safety and health hazards.  </p><p><em><strong>Edwin G. 
Foulke, Jr.</strong>, is an Atlanta-based partner with Fisher & Phillips LLP, the cochair of the firm’s workplace safety and catastrophe management practice group, former assistant secretary of labor for occupational safety and health, and the former chair of the U.S. Occupational Safety and Health Review Commission.</em></p>
