https://sm.asisonline.org/Pages/The-Art-of-Assimilation.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465The Art of Assimilation2015-05-01T04:00:00Z0

 

 

https://sm.asisonline.org/Pages/DOJ-Releases-Best-Practices-for-Cyber-Incident-Response.aspxGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465DOJ Releases Best Practices for Cyber Incident Response2015-04-30T04:00:00Z

 

 

https://sm.asisonline.org/Pages/A-Giant-Leap-for-Arecont-Vision.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465A Giant Leap for Arecont Vision2015-02-12T05:00:00Z

 

 

https://sm.asisonline.org/Pages/Safety-First.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Safety First2015-05-01T04:00:00Z

 

 

https://sm.asisonline.org/Pages/Live-Chemical-Training-.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Live Chemical Agent training2015-05-04T04:00:00Z

 

 

https://sm.asisonline.org/Pages/Chemical-Emergency-Response-.aspxGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Video preview: Chemical Emergency Response 2015-03-03T05:00:00Z
https://sm.asisonline.org/Pages/60-Years-60-Milestones.aspxGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a434446560 Years: 60 Milestones2015-01-01T05:00:00Z
https://sm.asisonline.org/Pages/How-Security-Departments-Can-Leverage-Enterprise-Risk-Management.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465How Security Departments Can Leverage Enterprise Risk Management2015-02-27T05:00:00Z
https://sm.asisonline.org/Pages/Live-Chemical-Training-.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Live Chemical Agent training2015-05-04T04:00:00Z
https://sm.asisonline.org/Pages/house-passes-controversial-cyber-threat-info-sharing-bill-009804.aspxGP0|#db860c73-0e6f-4c13-98c4-fe5b1cf4a6b8;L0|#0db860c73-0e6f-4c13-98c4-fe5b1cf4a6b8|Cybercrime;GTSet|#8accba12-4830-47cd-9299-2b34a4344465;GPP|#91bd5d60-260d-42ec-a815-5fd358f1796dHouse Passes Controversial Cyber Threat Info Sharing Bill2012-04-27T04:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now

 

 

https://sm.asisonline.org/Pages/Safety-First.aspxSafety FirstGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​In June 2014, OSHA handed out a $135,200 fine to a Texas fruit and vegetable processor and its staffing agency for exposing temporary employees to dangerous noise levels, toxic chemicals, and other alleged hazards. The action is one of many, indicating that the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) has begun taking employers to task over safety violations involving temporary employees.​</p><p>The processor was cited for 12 serious safety and health violations, with a penalty of $76,100, for failing to prevent workers from exposure to hazardous chemicals; identify and evaluate respiratory hazards in the workplace; and ensure that a hearing conservation program was implemented for workers exposed to noise levels that would cause permanent hearing damage, according to an OSHA announcement. </p><p>Additionally, the processor was cited for a series of repeat violations, with penalties, for failing to ensure sufficient working space around electrical equipment and unobstructed access to fire extinguishers. Three other violations were given for failing to record injuries of temporary workers, review logs for accuracy, or ensure that safety instructions were clearly posted on dangerous machines.</p><p>OSHA inspectors also cited the staffing agency for one serious safety and health violation, with a penalty of $6,300, finding that temporary workers employed by the agency were exposed to chemical hazards and were not trained on chemical safety. </p><p>“Workers, whether employed directly by the company or as a temporary worker, require proper training on workplace hazards,” said Kelly C. Knighton, OSHA’s area director in San Antonio, in a press release. “Both host employers and staffing agencies have roles in complying with workplace health and safety requirements, and they share responsibility for ensuring worker safety and health.”</p><p>Along with its acti​ons in Texas, OSHA cited five companies, including four staffing agencies, for alleged violations that led to the death of a temporary employee in New Jersey. The administration also cited a waste management company for the death of a 31-year-old temporary employee tasked with loading garbage onto a disposal truck; he was killed on the third day of his new job. </p><p>These are just some of the instances where OSHA has taken action in recent months, and the agency’s interest in the safety and health of temporary employees is expected to continue.</p><p>This may not be surprising, given that the use of temporary employees has dramatically increased over the past 10 years. The U.S. Bureau of Labor Statistics (BLS) recently estimated that there were more than 2.8 million temporary employees in the United States. As temporary employee numbers have increased, so too have the numbers of injuries and deaths to those employees. These injuries and fatalities have piqued the interest of plaintiffs’ attorneys.</p><p>In April 2013, OSHA launched an initi­ative to further protect temporary employees from workplace hazards using enforcement, outreach, and training. OSHA noted that employers have the responsibility to provide the appropriate safety and health training to all employees regarding hazards in their specific workplace.</p><p>To determine whether employers are meeting this requirement, OSHA directed all of its inspectors to ascertain whether the employer had temporary employees working on the site and whether any of the identified temporary employees were exposed to noncompliant conditions at that work site. The initiative further directed the inspectors to determine, using records reviews and interviews, whether those employees had received the required training in a language and vocabulary they understood, and had recognized the hazards associated with the task they were performing.</p><p>While contingent on the specific facts of each case, staffing agencies and host employers are normally considered jointly responsible for maintaining a safe work environment for temporary employees. This means they share a duty to ensure that basic training, hazard communications, and record-keeping requirements are maintained. </p><p>Guiding employers are a variety of federal and state laws and regulations. OSHA has also identified steps employers should take to ensure safety at their facilities, including training, recordkeeping, and developing assessments.​</p><h4>Assessments</h4><p>OSHA recommends that the temporary staffing agency conduct an initial general safety and health assessment when evaluating workplaces. It also recommends that the agency periodically repeat the assessment at the host employer’s location to ensure that the temporary employees are being placed in a safe work environment and are being provided any necessary personal protective equipment.</p><p>If any unsafe areas are identified during the assessment, the temporary staffing agency should ask the host employer to correct those hazards, inform the temporary employees of the hazards identified, take reasonable alternative protective measures to protect the temporary employee, and remove its employee from the job if a significant hazard is not properly corrected. </p><p>For example, in June 2014 a temporary employee died from injuries sustained at an online retailer’s fulfillment center in Avenel, New Jersey, after he was trapped by a conveyor system and crushed while sorting packages. The contractor responsible for operating the facility was fined by OSHA, but so was the third-party logistics provider that had hired the temporary employee and three other temporary staffing agencies. The agencies were fined because they had failed to certify that a hazard assessment of the facility had been conducted before the temporary employee was assigned to work there. </p><p>“Temporary staffing agencies and host employers are jointly responsible for the safety and health of temporary employees. These employers must assess the work site to ensure that workers are adequately protected from potential haz­­ards,” said Patricia Jones, director of OSHA’s Avenel Area Office, in a press release on the incident. “It is essential that employers protect all workers from job hazards—both temporary and permanent workers.” </p><p>Similarly, the host employer should conduct an assessment to ensure it is providing a safe work environment for the temporary staffing agency’s em­ploy­ees. It should also identify and mitigate any safety and health hazards within the site where the temporary employee may be working. Additionally, the host employer should promptly mitigate any safety and health hazard identified by the temporary staffing agency’s initial and periodic health and safety assessments, as well as abate any safety, health, or environmental regulatory citation issued against the host employer’s work site.​</p><h4>Training</h4><p>OSHA recommends that the temporary staffing agency provide basic safety training to its employees. This includes an overview of topics applicable to the work site where they are being assigned. The staffing agency should maintain written training records of all its employees and ensure that the host employer’s site-specific training adequately addresses the potential hazards that its temporary employees may be exposed to while working at the host work site.</p><p>For the host employer, OSHA recommends that it provide all state and federally mandated compliance training applicable to the work environment and processes. In addition, it recommends that the host employer provide site-specific safety training to temporary employees in a language they best understand and in accordance with government regulations. These regulations may specify the minimum training requirements and the timeframe in which they must be delivered.</p><p>Some of the OSHA training applicable to temporary employees includes implementing lockout procedures along with safe handling of chemicals and understanding the host company’s hazard communication program. Additional training includes informing temporary employees of site-specific emergency procedures, proper certification training on powered industrial vehicles, and training on the proper use of personal protective equipment at the site.​</p><h4>Recordkeeping</h4><p>If the host employer directs the temporary employee’s work, the host employer will be responsible for maintaining the OSHA 300 logs, which record the work-related injuries and illnesses of temporary employees. This means that the host employer must record any temporary employee injury or illness on the OSHA 300 log, immediately notify the temporary staffing agency of any injury to a temporary employee, and offer alternative work to restricted temporary employees as part of the return-to-work program.</p><p>The temporary staffing agency is normally responsible for providing medical management of injuries suffered at the host employer’s work site. The temporary staffing agency usually provides any associated injury benefits and coordinates the administration of workers’ compensation and any other issues associated with the employee’s injury.​</p><h4>Other Considerations</h4><p>In addition to the legal liability associated with OSHA, there are other legal considerations that temporary staffing agencies and host employers should recognize, including state laws and tort liability.</p><p><strong>State laws.</strong> Workers’ rights groups, such as the National Staffing Workers Alliance and the National Council for Occupational Safety and Health, have issued a list of recommendations for improving safety for temporary agency employees. This includes recommending the passage of a Temporary Worker Right to Know law.</p><p>A similar law, enacted in Massachusetts in January 2013, requires employment agencies in the state to provide temporary employees with certain written information before the employees go to a new work site. This includes payment information, whether there is a strike or lockout at the job site, and whether the position requires special clothing, tools, licenses, or training. The law also prevents staffing agencies from providing false or misleading information to an applicant or employee, forcing temporary employees to go to an unwanted assignment, or sending temporary employees to a job assignment without a required license.</p><p><strong>Liability.</strong> As joint employers, normally the temporary staffing agency and the host employer enjoy the same workers’ compensation protection for an injury to a temporary employee. However, more states are allowing injured employees, whether full-time or temporary, to opt out of the workers’ compensation system if they can show that willful or intentional conduct or gross negligence resulted in the injury to those employees. This allows the temporary employee to potentially sue both the temporary staffing agency and the host employer for intentional tort, usually in state court.</p><p>In addition, if the injury to the temporary employee results in the death of that employee, there is a much greater chance of having criminal liability brought against both the temporary staffing agency and the host employer. While OSHA does have criminal provisions in the act, only two or three cases are referred each year to the U.S. Department of Justice for criminal prosecution.</p><p>The more likely scenario for criminal liability against the temporary staffing agency or the host employer comes at the state level. Either the county district attorney or the state attorney general could bring an action for negligent homicide or another form of criminal liability against either the temporary staffing agency or the host employer.</p><p>In such cases, both the temporary staffing agency and the host employer should retain appropriate legal counsel during both the OSHA inspection and any local or state police enforcement investigation. This will help preserve all legal rights or defenses available to either one of the entities.</p><p>It seems likely that the use of temporary employees will continue in the foreseeable future. This being the case, more employers will need to be aware of their legal rights, responsibilities, and potential liabilities when using temporary employees. Also, temporary staffing agencies should recognize that joint liability may be placed on them and that they should do everything to ensure that the temporary employees they provide to host employers are protected from any safety and health hazards.  </p><p><em><strong>Edwin G. Foulke, Jr.</strong>, is an Atlanta- based partner with Fisher & Phillips LLP, the cochair of the firm’s workplace safety and catastrophe management practice group, former assistant secretary of labor for occupational safety and health, and the former chair of the U.S. Occupational Safety and Health Review Commission.</em></p>
https://sm.asisonline.org/Pages/The-Art-of-Assimilation.aspxThe Art of AssimilationGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">It’s the first day on the job for your organization’s latest hire, and the new employee is enthusiastic, energetic, buzzing around the office with a so-great-to-be-here attitude and a handshake and easy smile for all. </span></p><p>Fast forward a few months, and the new hire now seems diminished, disengaged, schlumping around the office with a what-was-I-thinking attitude and a demeanor that resembles a half-deflated balloon. An early exit from a job once considered a great career move may be imminent. </p><p>It’s a disheartening scenario, but a company can minimize the chances that it will ever happen with a strategic onboarding program. Effective onboarding, experts say, is a critical tool in maintaining high levels of employee engagement, satisfaction, and retention, and in reducing turnover costs. Yet many senior management teams view onboarding as an afterthought, if they think about it strategically at all. Given the stakes at play, this is inadvisable, says Laura DiFlorio, an onboarding expert with the Nobscot Corporation, a human resources consultancy specializing in retention management.  </p><p>“Managers can’t spend an hour with a new hire explaining processes and be done with it,” DiFlorio says. “It’s important to remember that even if a new hire is highly skilled and experienced, they know little to nothing about your company culture, your processes and expectations.”</p><p>Losing talented new employees because they are confused, feel alienated, or lack confidence may be an indicator of inadequate onboarding. But such a situation is remediable. An organization can go on the offensive and formulate an onboarding program that will help smoothly integrate new employees, reduce the time needed for new hires to reach high productivity, minimize early turnover, and possibly gain an edge over competitors. In this article, experts discuss the key components that are necessary to build an effective onboarding program and give best practice advice for its successful implementation.</p><h4>The Fragile New</h4><p>Onboarding, sometimes called organizational socialization, may be defined as a process through which new hires learn attitudes, knowledge, skills, and behaviors required to function effectively in their organizations, according to a report from the Society for Human Resource Management (SHRM) Foundation, Onboarding New Employees: Maximizing Success.</p><p>“Research and conventional wisdom both suggest that employees get about 90 days to prove themselves in a new job,” writes report author Talya Bauer, an onboarding expert and management professor at Portland State University.   </p><p>In addition, new hires are physiologically vulnerable during this period, says DiFlorio. She explains this as follows. When undertaking familiar tasks, most workers switch to autopilot to conserve energy and save brain power for things that require more conscious thought. Thus, a worker might switch into this mode while driving to work; once he or she arrives, that person cannot actually remember the trip itself.</p><p>New hires, on the other hand, have few auto-pilot opportunities. “Every action from the moment the new hire wakes up requires conscious thought. That uses a lot of energy and creates ‘new hire fatigue.’ It also makes new hires less resilient to things that are not going according to plans or expectations,” she explains. Thus, the mindset of new hires, although outwardly enthusiastic, is typically nervous, anxious, and a bit lost and confused.</p><p>With that fragile mindset, when things don’t go according to expectations, there’s a greater chance for either a “quick quit” when an employee leaves within the first 90 days—or early turnover, when an employee leaves within the first year. Such early exits are not uncommon, statistics show. Roughly 46 percent of newly hired employees fail within 18 months, while only 19 percent achieve unequivocal success, according to a study conducted by business consulting firm Leadership IQ.​</p><h4>Before Day One</h4><p>While no company wants early turnover, onboarding best practices can be hard to come by. The comprehensiveness of onboarding programs across U.S. organizations varies widely, according to the SHRM report. On one end are “passive” onboarding programs, which often include a brief one-time explanation of procedures and a checklist of disconnected tasks. The SHRM report estimates that about a third of all organizations conduct onboarding at this basic level. On the other end are programs like “L’Oreal Fit,” the L’Oreal company’s two-year, six-part integration program that includes personalized meeting programs, training, roundtable discussions, and field experiences, such as site visits and shadowing programs.</p><p>While many organizations might not have the budget or staffing to conduct a two-year program like L’Oreal’s, an effective onboarding program can still be run with modest means if certain key concepts are followed, experts say. An effective onboarding program, according to the SHRM report, has four levels: compliance, clarification, culture, and connection.</p><p>Compliance, the lowest level, is established when employees are taught basic company rules and regulations. The next level, clarification, is achieved when new hires understand their jobs and expectations. Passive onboarding programs generally operate on these first two levels.</p><p>The next two levels, however, are where organizations can distinguish themselves and reap the benefits of onboarding. Culture means providing employees with organizational norms, both formal and informal. Connection refers to the interpersonal relationships and information networks that new employees must establish for success.  </p><p>To launch an onboarding program that reaches all four levels, it’s crucial that the program start early—even before the new hire actually arrives, says George Bradt, author of Onboarding: How to Get Your New Employees Up to Speed in Half the Time.</p><p>In a sense, onboarding actually starts with recruiting, Bradt says. During the interview process, a candidate should be given information about the culture of the organization, and allowed time to do “due diligence” on what it would be like to work there. The hiring manager should encourage this, and not act like “a used car salesman” and oversell the position.  </p><p>Bradt also advises managers to ensure that everyone in the department is aligned with the new employee before he or she comes on board. Staff should know exactly what the new hire’s role will be and how they should coordinate and work with them. This is especially important, Bradt explains, because quick quits are usually due to conflicts with peers and other stakeholders, rather than with a supervisor who was instrumental in the hiring itself. “You get a lot of ‘I thought that was my job,’” Bradt says. “They trip over each other.”</p><p>In addition, many organizations are not prepared for a new hire’s first day. “It’s surprising, the stories you hear,” Bradt says. This mistake can be avoided if managers make the effort to ensure that the new employee’s computer and other technologies are working, that key cards and security clearances are ready, and that a work station is available and prepared. ​</p><h4>Socialization and Culture</h4><p>Once the employee is in the office every day, experts advise organizations to follow several practices to enhance the onboarding program.  </p><p>One focal point of the program should be the socialization process, in which a new hire moves from feeling like an outsider to connecting with, and identifying with, the organization, DiFlorio explains. This is crucial for avoiding early turnover; once a new hire identifies himself with the organization, he or she is less likely to quit. “It can be heard in the language that new employees use when they switch from talking about the company in terms of ‘they’ and move to the more self-inclusive ‘we,’” she says. </p><p>To increase the chances of successful socialization, managers should consider a new hire mentoring or “buddy” program to connect new employees with a more senior person in a similar role who can help acclimate them, experts say. Acculturation is critical; embedded in an organization’s culture are unconscious and unspoken beliefs that determine how things are done within the company. “When this information isn’t communicated, new employees can find it difficult to be successful and may feel ostracized or get discouraged,” Bauer writes in the SHRM report. For example, a company may claim to have a relaxed attitude about communications when a more rigid reporting structure is actually the norm. Having this information could help a new employee avoid embarrassing missteps. Thus, a mentor can be a great help in getting a new hire up to speed. </p><p>In addition to transferring cultural knowledge, a manager’s duties include making an effort to carve out space in the culture for the new hire, experts say. This is especially important if the organization has many long-term employees. In addition, the new hire’s supervisor should always keep in mind that they are the role model for the new hire. </p><p>“Managers should be careful to ‘walk the talk’ of the culture that they want to reinforce,” DiFlorio says. For example, a manager who frequently bypasses security checkpoints when coming into the office is not setting the optimal example for new hires. Another sound practice is for managers to arrange for the new hire to have frequent check-ins, not only with the manager but with the manager’s supervisor or the CSO. Frequent check-ins help reduce miscommunication and anxiety and keep the new hire on track, she adds. </p><p>To facilitate connection and relationships, security managers in particular should consider structuring extensive networking opportunities internally and externally. This can be particularly important if the firm’s security employees are perceived as the “company cops” who are neither socially nor culturally well integrated. </p><p> “Departments such as security can often feel like the unloved step-child to the rest of the organization. In this kind of environment, it’s important to build bridges as early and often as possible,” according to DiFlorio. Broadening onboarding programs to include components like cross-divisional mentoring programs, intradepartment training activities, and companywide online message boards can help break down silos and bring employees from different departments of the organization together, she adds.</p><h4>Measuring Success</h4><p>How does an organization know if its onboarding program is working? The SHRM report cites four areas, or “levers,” that companies can focus on to gauge onboarding effectiveness.</p><p>The first is self-efficacy, or self-confidence, in job performance. Self-efficacy has been shown to have an impact on organizational commitment, satisfaction, and turnover; when employees feel confident that they are doing the job well, their motivation and chances for success increase. “Organizations should target specific onboarding programs to help boost employees’ confidence as they navigate new organizational waters,” Bauer writes. For example, IBM assigns an “ask coach” to new hires to facilitate the early stages of the new job learning process.   </p><p>  The second is role clarity, or how well a new employee understands his or her role and responsibilities. Performance often suffers if expectations are ambiguous. Thus, managers should focus on making a new hire’s position as well-defined as possible, and they should also make an effort to avoid role conflict between new and existing employees. </p><p>  The third is social integration. Research has long found that acceptance by coworkers is a crucial indicator of employee adjustment, and acceptance into a work group is related to employee commitment level and turnover rate, according to the report. Whenever possible, managers should facilitate the new hire’s social comfort in the organization. Meeting and working with organizational “insiders” can also enhance the adjustment process for a new hire. Such meetings can help to clarify how the workplace culture interprets issues such as dress codes.</p><p>The fourth is knowledge of and fit within the organization’s culture. Understanding the company’s politics, goals, and values, as well as learning the firm’s unique language, are key indicators of employee adjustment. It’s up to managers to make the company’s culture transparent, Bauer writes in the report, and all managers  can enhance this process by showing how the new hire fits well within the organization. So, after the new hire’s skills and interests are discussed during the interview process, the manager can facilitate introductions and connections with existing employees based on that information. For example, someone who played varsity softball in college might be introduced to the captain of the company softball team.</p><p>Another good way to measure onboarding success is for the manager and new hire to collaborate on an individual plan for growth and performance, with clearly defined deliverables, DiFlorio says. Managers should identify the skills the employee brings with them, as well as identify areas that will require training, and then encourage the employee to develop their own training plan for how they can come up to speed and develop new skills, she says. </p><p>The final aspect to a successful onboarding program may be the most critical—new employees must actively facilitate the process. This can be done in a variety of ways, from engaging in small talk with coworkers to arranging informal lunches to participating in voluntary company functions.  </p><p>In this regard, it is often helpful for a new hire to “go slow to go fast,” Bauer writes in the SHRM report. Sometimes, go-getters adopt an extreme work-work-work attitude, in part to prove themselves. “A lot of times people want to jump in right away,” Bauer writes. But they may skip important aspects of building relationships and miss learning the subtler norms of the organization. </p><p>“Actually going to lunch the first week can make a big difference,” she adds.</p>
https://sm.asisonline.org/Pages/The-Power-of-Physical-Security.aspxThe Power of Physical SecurityGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">A</span><span style="line-height:1.5em;">ny utilities security expert can effortlessly recite the details. In April 2013, someone snuck into an underground vault near a freeway in San Jose, California, and cut several telephone cables. Then, 30 minutes later, snipers shot at an electrical substation in Metcalf, California, for almost 20 minutes, knocking out 17 transformers that funnel power to Silicon Valley, before fleeing the scene and evading capture. </span></p><p>A major blackout was prevented by rerouting power around the downed station, but the attack caused more than $15 million in damage and brought physical threats to the electric grid to the forefront of discussions about the security of the United States’ critical infrastructure. It quickly became clear that cyberattacks were not the only threat to the U.S. power supply. </p><p>Two years have passed since the incident, and, while the snipers remain at large, the utility industry is taking steps to deter any future attacks.</p><p>“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry,” said acting Federal Energy Regulatory Commission (FERC) chairman Cheryl LaFleur in a statement in March 2014. (LaFleur was named permanent chairman in July 2014.) Following LaFleur’s statement, FERC directed the North American Electric Reliability Corporation (NERC) to develop new standards requiring owners and operators of the bulk-power system to address risks due to physical security threats and vulnerabilities.</p><p>The FERC order asked NERC to create a standard to identify and protect transmission stations, substations, and associated primary control centers that could cause widespread outages if compromised. </p><p>From those instructions, a 10-person drafting committee created the CIP-014 standard that focuses on transmission assessments and physical security. The standard requires transmission station and substation owners to perform a risk assessment of their systems to identify facilities that could have a critical impact on the power grid.</p><p>The order also requires owners and operators to develop and implement a security plan to address potential threats and vulnerabilities.​</p><h4>Participants</h4><p>The electric system is made up of three components: generators—coal fired, biomass, solar, and wind—that produce electricity; transmission—taking the electricity from the power source and moving it somewhere, such as a substation; and distribution—power moving from a facility to the meter in a home, business, or other building.</p><p>When electricity moves from a generation station, such as a wind farm, it goes to a substation that normally has transformers that decrease the voltage, often from 500 to 230 kilovolts (kV). From there, the substation transmits the power to another substation, which usually lowers the voltage even further to 115 kV so it can be used in residential and commercial facilities. </p><p>CIP-014 applies to transmission substations in the electric system, not the generators or the distribution stations. However, it doesn’t apply to all 55,000 transmission substations in the country, explains Allan Wick, CPP, PCI, PSP, a member of the standard drafting committee. </p><p>Instead, the standard relies on categories that determine which facilities must comply with the standard. The standard takes effect if a system that is “rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading with an interconnection,” Wick explains. </p><p>Because of these criteria, CIP-014 applies to transmission facilities that operate at 500 kV or higher, or single facilities that operate between 200 kV and 499 kV where the substation is connected at 200 kV or higher voltage to three or more other transmission stations that have an “aggregate weighted value” higher than 3,000 kV. </p><p>This means that few transmission substations will have to comply with standards. “By the time you use those criteria against what’s in the standard, [CIP-014] will only apply to 200 or fewer substations in the United States,” Wick says. The standard also applies to the control centers that operate those 200 substations—which are owned by roughly 30 different companies. </p><div><span class="Apple-tab-span" style="white-space:pre;"> </span></div><h4>Preparation</h4><p>FERC approved CIP-014 in November 2014, officially kickstarting the compliance process that owners need to complete by the first implementation date in October 2015. Their first responsibility is to perform an initial risk assessment (Requirement 1) to identify the transmission stations and substations the standard may apply to. Owners then have to identify the primary control centers that operationally control each transmission station or substation identified in the risk assessment.</p><p>Once these steps have been completed, owners will have 90 days to have an unaffiliated third party verify their assessments (R2). This third party can be a registered planning coordinator, transmission planner, reliability coordinator, or an entity that has transmission planning or analysis experience. </p><p>If the third party adds or removes a transmission station or substation from the original assessment, owners then have an additional 60 days to modify their risk assessments or document the basis for not making the appropriate changes.</p><p>Additionally, if the primary control centers identified are owned by a company other than the transmission station, that owner needs to be notified (R3) within seven days following the third-party verification that it has operational control of the primary control center.</p><p>After the initial risk assessment has been completed, transmission owners that are covered by the standard will perform subsequent assessments at least once every 30 months. Transmission owners that are not covered by the standard are also required by law to perform assessments, but only once every 60 months.​</p><h4>Physical Security</h4><p>Once the transmission analysis and identification have been completed, owners are required to conduct evaluations of the potential threats and vulnerabilities of a physical attack (R4) to each of their respective transmission stations, substations, and primary control centers.</p><p>These evaluations should include unique characteristics of the identified and verified transmission stations, substations, and control centers. For example, characteristics could include whether the substation is rural or urban, if it’s near a major highway, or if it’s in a valley. </p><p>For instance, the substation could be “set down in a small valley, so there are areas around it [from which] a shooter could either shoot the transformers or even use a rocket-propelled grenade to shoot something into it,” Wick explains.</p><p>Owners also need to detail any history of attacks on similar facilities, taking into account the “frequency, geographic proximity, and severity of past physical security related events,” according to the standard. CIP-014 asks owners to include intelligence or threat warnings they’ve received from law enforcement, the Electric Reliability Organization, the Electricity Sector Information Sharing and Analysis Center, and government agencies from either the United States or Canada.</p><p>Once these evaluations have been completed, and no more than 120 days after R2 is completed, owners are required to develop and implement a documented security plan and timeline that covers their respective transmission stations, substations, and primary control centers (R5). </p><p>Within the security plan, owners should include law enforcement contact and coordination information, provisions to evaluate evolving physical threats and their corresponding security measures, and resiliency or security measures designed “collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified” during R4.</p><p>The drafting committee chose this language specifically, Wick says, because “you can’t just do one of those—you need to put them together as a group to ‘deter, detect, delay,’ because those are the primary components…in a layered security program.”</p><p>The committee was also purposely less prescriptive about methods owners can use as part of their security measures. “We tried to build in maximum flexibility to arrive at the same end state for everybody,” Wick says. For instance, to delay someone “you can do that several different ways. You could have a 20-foot -high wall with razor tape, or you could do it with a chain link fence; there are so many options that you could use to mitigate the threats and vulnerabilities that are identified in R4.”</p><p>This nonprescriptive method has faced some criticism, but many others think it’s beneficial. The regulators “are not really telling you to go out and spend all sorts of money on increased cameras, spending a lot of money on fences,” says Rich Hyatt, PCI, manager of security services for Tucson Electric Power. “They’re kind of promoting that you should harden up your site, like vegetation removal, signage…it’s not like the government’s coming in and telling you to spend $5 million per substation.”</p><p>The committee is also allowing owners to take a twofold approach by giving them the opportunity to build in resiliency on the operational side and protect their assets with security measures.</p><p>For example, Tucson Electric Power is increasing its resiliency by hardening its substations, says Hyatt, who’s also a member of the ASIS International Utilities Council. This is important because sometimes transformers malfunction. “There’s always the likelihood of sabotage, but we also have a threat of malfunction or weather-related issues, or manmade stuff that could go into a transformer being taken out,” he explains.</p><p>Hyatt is also working with substation employees to improve emergency communication, another issue addressed in the standard. “We’re also engaging our…substation folks to beef up their emergency response and have additional spare parts in their inventory so they can respond if a transformer got shot out—we could get it back online quicker,” he explains.</p><p>However, Jake Parker—director of government relations for the Security Industry Association (SIA)—says physically protecting assets is the better way to go for utilities security. “We think that physical security measures are much more cost effective because the cost of hardening the structure can also be extremely steep,” he explains. </p><p>Once owners have drafted and implemented their physical security plans, they then need to be verified again by a third party reviewer (R6) within 90 days. This reviewer can be an entity or organization with physical security experience in the electric industry and whose review staff: has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification; is approved by the Electric Reliability Organization (ERO); is a government agency with physical security expertise; or is an entity or organization with law enforcement, government, or military physical security expertise.</p><p>The ASIS certifications requirement was included after a review of existing applicable certifications. “By holding one of those two certifications, it shows that you know what you’re talking about on physical security,” Wick explains. “We did reviews of any certification that had physical security requirements, and these were the only two that were suitable.”</p><p>If the reviewer recommends changes to the R4 evaluation or the security plan, owners then have 60 days to comply with those recommendations or document why they are not modifying their plans.</p><h4>Penalties</h4><p>CIP-014 has an aggressive implementation timetable; Parker says he expects most utilities to have their physical security plans in place by spring 2016. There are no penalties for owners who do not comply with the new standard, although owners who do comply are required to keep documentation as evidence to show compliance for three years. NERC is responsible for enforcement.</p><p>Despite the lack of penalties and the limited number of transmission stations and substations covered by the standard, many companies say the standard has inspired them. CIP-014 has given companies guidance on increasing their physical security, according to Parker.</p><p>“We’re seeing, given the current environment and response to what happened at Metcalf…that utilities are finding it easier to justify security improvements across the board via rate increases,” he explains.</p><p>The rate increases are the funding mechanism utilities can use to pay for physical security improvements. They can do this by bringing proposals to their boards and justifying small rate increases “to cover the cost of the security upgrades because of the standard, but also because of the need to improve physical security of the electric grid overall,” Parker adds. </p><p>Hyatt agrees, saying that the industry is doing a “really good job” on being proactive in “policing up” and increasing the use of best security practices. The incident at Metcalf, he adds, has “actually increased security’s perception among executives where we work that physical security is just as important as cybersecurity.”</p>
https://sm.asisonline.org/Pages/Book-Review---What-Your-CEO-Needs-to-Know-About-Reputation-Risk.aspxBook Review: Lukaszewski on Crisis CommunicationGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​​<span style="line-height:1.5em;">Public relations expert James Lukaszewski brings a new and positive spin to crisis communication in this book. He dismisses some older beliefs and teachings and replaces them with newer concepts, guidance, tools, and solutions developed over his decades of experience in the field of crisis communication. The book takes into consideration the rapid changes we are living with today and advises readers on how to cope with them. It urges readers to prepare CEOs for unexpected events long before they might happen, and arms readers with insight on how to speak to executives—including keywords that will get their attention.</span></p><p>The book provides the framework for building an effective crisis management program, beginning with identification of existing vulnerabilities and potential risks. A good crisis communication program will have crucial messages prepared ahead of time, and executives and spokespersons will have practiced the plan in advance.</p><p>Victim recognition and handling are crucial to a successful crisis response, and the book outlines strat­egies for doing so. These strategies can reduce litigation and save money in the long run. The author also offers detailed advice on important topics such as dealing with the news media, press conferences, and social media. Case studies throughout the book illustrate these concepts.</p><p>The book is written in clear and plain language, very direct and therefore easy to understand. The book is a must-read for those involved in crisis management, in addition to every serious security practitioner and human resources professional.  </p><p><em><b>Reviewer: Werner Preining, CPP</b>, works for Interpool Security Ltd. in Vienna, Austria. He serves on the ASIS Crisis Management and Business Continuity Council, the Critical Infrastructure Working Group, and the Information Technology Security Council. He is also the chair of the ASIS Austria Chapter.</em></p>
https://sm.asisonline.org/Pages/Night-Watch.aspxNight WatchGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">Car lots a</span><span style="line-height:1.5em;">re attractive to thieves. Even with a security officer on duty at night, it is virtually impossible for one person to protect hundreds of vehicles parked over several acres. And amid dense clusters of cars, it’s easy for intruders to move around unnoticed. A dealership that faced such a security challenge, Academy Ford of Laurel, Maryland, is located on a busy thoroughfare between Baltimore and Washington, D.C.</span></p><p>“I probably have close to 210 new and probably 80 used vehicles, and I have my service department that sees 80 customers a day, and I’ve got a body shop as well,” Mike Lynch, vice president of the dealership, tells Security Management. </p><p>For years, the dealership hired a security officer from a local contracting firm to watch the premises after hours, but there were still incidents. “I wouldn’t say our crime is really high here, but it’s just like any other place,” Lynch says. “If a thief wants something, they’re going to find a way of getting to it.”</p><p>A single guard on duty might spend 20 minutes on one end of the lot, Lynch says, which gives the criminals “20 minutes to do whatever they need to do—steal a tire, steal a tailgate, steal wheels. Those are the typical vandalism things we would run into when I had the guard company.”  </p><p>At the end of 2012, Academy Ford began looking for a way to not only enhance its security, but also to cut down on costs. A friend who worked at another dealership told Lynch about Eyewitness Surveillance of Hanover, Maryland, a remote surveillance company that remotely keeps an eye on assets after business hours, and he contacted the company. </p><p>Lynch saw a demo of the Eyewitness product in 2012, and purchased the surveillance system in February 2013. The company came to the dealership to set up the technology and install its proprietary HD cameras to ensure that the entire lot was covered. </p><p>The solution from Eyewitness uses software analytics and perimeter in­trusion technology to spot a person or large object when it comes into a specified field of view. The analytics are able to weed out unthreatening objects, such as debris. </p><p>When something of note comes into the camera’s field of view, a red box shows up around the object, follows it wherever it goes, and sends an alert to operators at the Eyewitness Tactical Operations Center, who monitor the camera feeds that are spread out across the dealership. The operators are also connected to the public address system at Academy Ford, so they can speak to anyone who walks onto the lot after hours. </p><p>“They can say, ‘Welcome to Academy Ford, we appreciate you visiting. We are closed, but we allow you to look at vehi­cles and shop for vehicles. If you need any assistance you’ll have to wait until 7 a.m. when the first employee arrives,’” Lynch notes.  </p><p>Operators also inform people that they are under video surveillance, and signage stating this fact is posted at the entrance to the lot. Lynch says he believes that the signs serve as a deterrent to anyone considering stealing from the dealership. </p><p>While people are allowed to browse the cars after hours, the operators at Eyewitness are trained to spot the difference between someone shopping and someone poised for theft. “They’ve been trained to know the person that’s hunched over and running between cars [is] not shopping, he’s looking to take something, and he may even have a lug wrench in his hand,” Lynch says. </p><p>If a person who fits the profile of an intruder enters the premises, Eyewitness will immediately escalate the live voice message to try to prevent the illegal or unauthorized activity from happening. If the behavior continues, operators will notify law enforcement and then inform different members of the Academy Ford leadership team by phone. </p><p>“The directives they have are to call my general manager first, then they’ll call me second,” says Lynch of the calling order. However, Lynch adds that since installing the technology, Academy Ford has had zero incidents of theft. </p><p>A password-protected Web portal is also available to authorized users, allowing Lynch and others at the dealership to view the surveillance feeds from any smart device anywhere with an Internet connection. The view is scalable and can be tailored to whatever number of cameras the user wants to look at. </p><p>Although no theft has occurred since Academy Ford chose Eyewitness, there have been cases where the solution proved useful. Because the dealership sits on a busy highway, there were traffic accidents right in front of Academy Ford, including one that damaged a few of the company’s used cars. Surveillance video captured the accident, which was crucial to the insurance investigation. And when a high-profile car chase sped past the dealership, Lynch was able to give video of the incident to law enforcement. </p><p>Lynch adds that the remote surveillance is useful for the areas at the dealership where cash is collected, both for the safety of the cashier and for monitoring employees handling the money. The cameras also provide a customer-service value, allowing Lynch to keep an eye on productivity. </p><p>“I can look at that camera toward the end of the day and make sure my service writers are actually going out and talking to our customers, and to make sure that they’re actually doing redelivery of vehicles,” notes Lynch. </p><p>The video from the cameras is kept for 30 days, then the storage cycle starts over, which Lynch says gives them plenty of time to go back and get any images they could need.  </p><p>Lynch notes the dealership has saved about 65 percent in surveillance costs since switching from guards to the remote video solution. “I’m truly happy having them, not only for the cost savings but just knowing that they’re there watching the lot while I’m sleeping” says Lynch. </p><p>While the remote surveillance option enhances security overall, Lynch emphasizes that it’s critical to be vigilant. “We observe our lot every day…all the managers are pretty habitual about driving through the lot and making sure everything looks good,” Lynch notes. “We lock our tailgates, we take our spare tires out of our vans. We don’t put candy out there just to be taken. So we do our own vigilance as well—you have to.”   </p>
https://sm.asisonline.org/Pages/ASIS-News-May-2015.aspxASIS News May 2015GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">The ASIS International 6th Middle East Security Conference & Exhibition filled the Intercontinental Dubai Festival City, Dubai, United Arab Emirates (UAE), February 15-17. More than 580 attendees from 45 countries gathered to take part in cutting-edge learning and networking opportunities, product showcases and demonstrations, discussions, and innovative educational sessions. The event was held under the patronage of His Excellency Lt. Gen. Dhahi Khalfan Tamim, deputy chairman of police and general security.</span></p><p>The conference opened with a keynote address by His Excellency Major General Khamis Mutar Al Muzainah, commander-in-chief of the Dubai Police, followed by a second keynote by Mohammed Al- Shammary, general manager of industrial security at Saudi Aramco.</p><p>During the second day, a panel discussion on how the introduction of security industry regulations has contributed to increasing industry’s performance and the effect on the customer and end user experiences was presented by leading experts and decision makers including His Excellency Dr. Khalid bin Saad Al-Ageel, general secretary of the Higher Commission for Industrial Security in the Ministry of Interior of the Kingdom of Saudi Arabia; Colonel Abdul Rahim Bin Shafi, director of the Anti-Organised Crime Department of the Dubai Police; and Dr. Marc Siegel, commissioner of the Global Standards Initiative of ASIS International. Professor Moray McLaren from the IE Business School in Madrid, Spain, was the closing keynote speaker, giving the presentation “A New Approach to Negotiation.”</p><p>During the two packed days, attendees were given access to 33 educational sessions featuring speakers from Saudi Aramco, Zurich Insurance Company, Johnson & Johnson, Securitas, G4S, Sanofi, and others. Thirty companies from around the globe showcased their products and services at the exhibition. In addition, several networking events were organized. Attendees enjoyed a welcome reception, followed by the ASIS International President’s Reception on Monday evening at Al Badia Golf Club, and a CSO Roundtable Summit designed for chief security officers was held in parallel during the conference and exhibition. </p><p>“The Middle East Security Conference was a great success, and I was very impressed with the level of expertise of the presenters. I personally gained a much better appreciation for regional security issues and the unique challenges our members face each day there. I had the opportunity to meet and network with new colleagues and feel confident I know who to call for now when navigating issues across the region,” notes ASIS President Dave N. Tyson, CPP.  “After attending some of the Middle East Advisory Council meeting and observing the energy and progress in action within that group and throughout the local chapters, there is reason for great optimism for both the growth of the Society and the increased value for members in the region.”</p><p>The ASIS 7th Middle East Security Conference & Exhibition will once again take place at the Intercontinental Dubai Festival City, February 21-23, 2016. For more information about the event please contact middleeast@asisonline.org.</p><h4>Al Ma’arefa Scholarship Launched</h4><p>The Al Ma’arefa (House of Knowledge) Scholarship was officially launched by Dubai Chapter Vice Chair Peter Page, CPP, at the February Dubai Chapter meeting held at the ASIS International 6th Middle East Security Conference and Exhibition in Dubai. The scholar­ship is believed to be a global first, wherein a chapter will partner with businesses to sponsor an ASIS member based in the Middle East to prepare for taking the Certified Protection Professional® (CPP), Physical Security Professional® (PSP), or Certified Professional Investigator® (PCI) examination.  </p><p>A scholarship committee has been established that will be led by the Dubai Chapter Foundation liaison officer. Its role is to assess potential candidates and to select the successful Al Ma’arefa scholar, as well as to manage the scholarship on an ongoing basis.</p><p>This year the scholarship will be open to Dubai Chapter members, and next year it will also be available to Abu Dhabi Chapter members. In 2017, the scholarship will be open to members throughout ASIS Region 12.</p><p>The scholarship committee will assess candidates on criteria including current membership in good standing with a chapter eligible for the scholarship, regular attendance at chapter meetings and events, ongoing professional development, the potential for volunteer leadership in the future, and financial need.</p><p>The Al Ma’arefa Scholarship sponsors are: Adenar Ltd., 360 Vision Technology, VMS, Xtralis, Canon, Maxxess, and Mitsubishi.</p>

 UPCOMING EVENTS AND EDUCATION

 

04/03/2015​
CSO Roundtable: Next Generation Security Threats​ (Webinar)

04/08/2015
The Hidden High Cost of Low-Priced Security Personnel​​ (Webinar)​

04/20/2015 - 04/21/2015
​P​SP Review Program, CPP Review Program, and PCI Review Program (Certifications)

04/22​/2015
Workplace Violence-Managing the Program​ (Webinar)

04/22/2015 - 04/23/2015
ASIS 25th New York Security Conference and Exhibition, New York City, New York, United States (Conference)

04/27/2015 - 04/28/2015
Enhanced Violence Assessment and Management (Education)

04/29/2015 - 04/30/2015
Active Shooter​ (Education)

​05/18/2015 - 05/19/2015​
8th Annual CSO Roundtable Summit​​, ​Miami, Florida, United States​​ (Conference)​​

​09/28/2015 - 10/01/2015
ASIS International 61st Annual Seminar and Exhibits​ (Conference)