https://sm.asisonline.org/Pages/Seminar-Sneak-Peek---It’s-in-the-Numbers.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Seminar Sneak Peek: It’s in the Numbers0

 

 

https://sm.asisonline.org/Pages/Terror-Bombings-.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Terror Bombings

 

 

https://sm.asisonline.org/Pages/How-to-Practice-Ethics.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465How to Practice Ethics

 

 

https://sm.asisonline.org/Pages/Sounding-the-Alarm-at-Lone-Star.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Sounding the Alarm at Lone Star

 

 

https://sm.asisonline.org/Pages/New-Data-Rules.aspxGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465New Data Rules

 

 

https://sm.asisonline.org/Pages/Seminar-Sneak-Peek---It’s-in-the-Numbers.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Seminar Sneak Peek: It’s in the Numbers2016-08-30T04:00:00Z
https://sm.asisonline.org/Pages/In-the-Public-Interest.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465In the Public Interest2016-05-01T04:00:00Z
https://sm.asisonline.org/Pages/Cannabis-Cash.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Q&A: Cannabis Cash2016-07-01T04:00:00Z
https://sm.asisonline.org/Pages/Wagering-on-Preparation.aspxGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Wagering on Preparation2014-09-01T04:00:00Z
https://sm.asisonline.org/Pages/A-Failure-to-Communicate.aspxGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465A Failure to Communicate2016-07-01T04:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now

 

 

https://sm.asisonline.org/Pages/Scholastic-Surveillance.aspxScholastic SurveillanceGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>There’s a growing consensus on the issue of placing security cameras in schools—a recent study found that 72 percent of adults favor the practice. That percentage of support is up 7 percent from a year ago, when 65 percent were in favor of school cameras in a similar survey. </p><p>“This number has risen in recent years, with increased attention on preparedness in handling potential threats,” wrote Dean Drako, president and CEO of Eagle Eye Networks, which commissioned the study. The report compiled surveys from 1,500 respondents from all regions of the United States taken earlier this year. The survey defined schools as preschool/daycare, K-12, and college.  </p><p>Asked to cite why respondents saw security cameras as valuable, the most popular reason (cited by 64 percent of respondents) was to “identify criminals and facts after events.” This reason was followed by “real-time insights during emergencies,” at 59 percent, and “deterring crimes,” at 57 percent.   </p><p>In addition, 78 percent of respondents said they thought it was important for first responders to be able to access school video during an emergency. “This result signals the high value the community places on ensuring immediate situational awareness during a crisis on campus,” Drako wrote.  </p><p>In the report, the top five camera location priorities were at entrances and exits (76 percent), hallways (62 percent), and lunchrooms, playgrounds, and gyms (53 percent). Only a minority of respondents wanted cameras in classrooms (36 percent) and locker rooms and bathrooms (18 percent). </p><p>However, Kenneth Trump, president of National School Safety and Security Services, who has worked and consulted on school safety projects across the country, says he now sees a few complicating factors regarding the use of surveillance cameras in schools, based on the many assessments his consulting firm has done for schools from preschool through 12th grade. </p><p>“We often see that schools put cameras in based on a one-time shot in the arm funding—often due to state grants, or a one-time allocation in a capital improvement program,” Trump says. The launch of these new cameras is often featured in press conferences or public announcements. </p><p>But then, when the cameras need to be fixed or replaced three or four years down the road, the school district has no budget allocation at either the individual building or district level for repair or replacement. The cameras can then sit dormant for months, or even longer, while “parents, students, and staff are under the impression that cameras are functioning when they are not,” he explains.  </p><p>  Trump himself believes that cameras can be a useful tool in overall school security. “Cameras deter those who can be deterred,” he says.  And their footage can serve as evidence in some cases. “They serve a role, but there are limitations,” he adds.   </p><p>  Trump also says that, in his assessments, he has found an overall trend that some schools are putting disproportionately more emphasis on hardware and products, and less “on the people side” of school security. “School leaders are well-intended, but there is a lot of political pressure to do this,” he says. “And certainly there are a lot of opportunistic vendors.” </p><p>“Many school administrators will throw up some cameras to fortify their front entrance,” he continues. “But the reality is, it is what is behind those fortified walls that really makes up the heart of your school security program—which is your people.” </p><p>Of course, investing in “the people side” of school security takes time and money, he says. It often means professional development training not just for teachers and administrators, but for support staff: the bus drivers, who are the first and last ones to see students every day. Secretaries who might take a call from someone making a bomb threat. Custodians and food service staff, who may be the first ones to notice any strangers on campus. “They are on the front lines,” he says. “They should be included in tabletop exercises, along with the first responders.”  </p><p>However, training and development for all staff takes a funding investment, and some districts find it cheaper to buy more hardware instead. In addition, Trump says that he has been seeing another trend—hardware and product vendors in some states lobbying state legislators to put school security and emergency planning into the hands of homeland security officials, and out of hands of the school administrators, which could thwart training and development. </p><p>In the Eagle Eye survey, a majority of the respondents (56 percent) said they believe that visible security cameras would reduce bullying in schools. Again, however, Trump says that while cameras can be an effective component of an antibullying program, “the first and best line of defense is a well-trained and highly alert staff and student body.” Unlike a camera, staff can “see things that are invisible,” such as dynamics between students, which indicate potential or possible bullying. Technology can be a supplement, but not a substitute, for this. </p><p>Strong security programs continue to be sorely needed, as violent fatalities continue to be a problem in schools. Another recent report, which looked at the 2012-13 school year (the latest data available), found that nearly 3 percent of violent deaths among American school age youth took place at school or school-related environments. </p><p>The report, Indicators of School Crime and Safety: 2015, is a joint effort from the National Center for Education Statistics, U.S. Department of Education, and the Bureau of Justice Statistics at the U.S. Department of Justice. It found that, in the period from July 1, 2012, through June 30, 2013, there were a total of 41 school-associated homicides in U.S. elementary and secondary schools, slightly less than 3 percent of the total number of school-age homicides in America.   </p><p>The 3 percent figure has stayed consistent since annual statistics were first compiled for the 1992-93 school year. Authors of the study indicated that the percentage, although low, was still unacceptable. “Our nation’s schools should be safe havens for teaching and learning, free of crime and violence,” the authors wrote. </p>
https://sm.asisonline.org/Pages/To-Arm-or-Not-to-Arm.aspxTo Arm or Not to Arm?GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Steve Baker, CPP, PCI, PSP, is president of VTI Associates, a security consulting firm that provides use-of-force training and litigation services. He is also a certified instructor for security officer firearms training in the states of Nevada and Arizona. Baker talks with <em>Security Management</em> about the subject of arming guards and how companies can evaluate what options are best for them. </p><p> </p><p><strong>Q. What are some of the considerations businesses should weigh when deciding whether or not to arm guards?  </strong></p><p><strong>A. </strong>Companies should first ask whether there is a business need. What is the business trying to protect? What’s the threat for the facility, the nature of the business, assets that need protecting, hours of operation? Some places at different times of day may have different issues. For example, a gas station located near a busy highway may want an armed guard at night.  </p><p>Then they have to consider, will it be 100 percent arming, or is there going to be a mix of armed and unarmed personnel? And then, to break that down even further, what level of arming are we going to do—are we going to have it restricted to supervisors and managers only, or all officers?  </p><p>We also have to talk about the financial impact of screening, hiring, and retaining the employees; also training and equipping them. There’s the factor of law enforcement response time. All of these issues should play into that initial needs assessment. </p><p><strong>Q. What types of businesses typically arm their guards?  </strong></p><p><strong>A. </strong>The gaming industry historically has a lot of armed people, but it’s not universal. Sometimes you’ll get convenience stores and other properties where there’s a lot of public traffic coming through. Some of the utilities, depending on what they are and what they are protecting, have armed guards. </p><p><strong>Q. How about hospitals?  </strong></p><p><strong>A.</strong> A lot of them don’t want to have firearms. They really don’t want to be in the shooting business, if you will. However, nobody goes to the hospital happy. There’s a lot of anxiety no matter what. So if you’re going there as a patient you have anxiety, if you’re there because a loved one or a friend is ill or injured you have some anxiety, and then you have people with various maladies and mental disorders—all of which can make any property challenging.  </p><p>On top of that, there’s also the availability of drugs. And [thieves] know that the drugs are locked and secured, but they also know if they stick a weapon in somebody’s face, that person is more likely to comply with a request to open that cabinet.  </p><p><strong>Q: Besides firearms, what are the common types of force used by security guards? What are the potential drawbacks? </strong></p><p><strong>A. </strong>One of the things we look at is what options do you have on the continuum of force? Pepper spray is pretty widely used, though there can be some insurance issues because—while the use of it isn’t as severe as a firearm—it’s used more frequently. And it’s messy. It does subject people in the area to cross contamination and overspray, so other people may get a whiff of it, and that can result in some insurance claims. So you have that frequency versus severity calculation that the insurance companies all run, and that can sometimes impact your premiums. </p><p>Batons are actually difficult. They require a higher level of training, and what happens is people tend to go “medieval” with the stick. And the minute something happens, guards can forget all of their training, and it just becomes a club. And that’s problematic—the probability of injury is great with the baton. </p><p><strong>Q. Are handcuffs considered “force”? </strong></p><p><strong>A. </strong>Handcuffs are another option. They are not truly a weapon, and there’s a large training issue with using them. The adage of “slap on the cuffs” is a really bad way to put it. If you don’t place them on properly, and you were to come from a distance and slap them on someone, it’s like taking a steel rod and hitting yourself on the bones of your wrists. Your reaction is going to be to pull away, which we generally call resisting. So just by the method that we’re using to apply the handcuffs, a compliant person can suddenly appear noncompliant.  </p><p>In my classes, I have all the students handcuff each other after lunch. I leave them all handcuffed, and then I have them sit down and I lecture for about half an hour, so that they can understand what happens as they are sitting there handcuffed.  </p><p>And what happens is that, as you move around just a little bit, sometimes the handcuffs’ oval shape and the wrist’s oval shape don’t match up anymore, and it hurts badly. They say, “it’s too tight,” and you just take <span style="line-height:1.5em;">a couple of fingers and readjust the cuffs around the wrist. So cuffs are a little bit more complicated in their minor nuisances, but training makes </span><span style="line-height:1.5em;">a huge difference.  </span></p><p><strong>Q: Tasers seem to also be a popular choice for nonlethal force, though they come with their own set of challenges as well. What are the pros and cons of these devices? </strong></p><p><strong>A. </strong>When Taser first came out it was an alternative to deadly force. If you were in a situation where you were justified in using deadly force, you could use this nondeadly device and hopefully rectify the situation with that.  </p><p>I was actually on Taser’s initial advisory board when the company started branching out more into the security industry. Tasers are a wonderful device, and again you’ve got a higher training level. It’s not the fix-all that many people would like to believe it is. In law enforcement generally you have multiple officers available when deploying the Taser, at least in a perfect world. And usually those other officers have higher levels of force, like a firearm, for backup. So if a Taser doesn’t work and they have to escalate force, they can do so.  </p><p>But what I’ve found is that the use of Tasers [with guards] were tenfold to that of firearms, because there’s the perception that it’s “okay” to tase people. So there has to be a lot of training and judgment in use of force and appropriateness so that we don’t overuse these devices just because they are nonlethal. </p><p><strong>Q. What other topics do you cover in your training?  </strong></p><p><strong>A. </strong>We have to go through the basics of criminal and civil law, as well as criminal procedure. We have to touch on some risk management concepts. Security officers need to understand certain things–they are not the police. For law enforcement, their goal is to make arrests and address crime. Security’s responsibility is to keep their property reasonably safe. If a threat actor has departed the property, unlike law enforcement, guards don’t give chase, they need to turn that over to the police. And a lot of them don’t understand that. They have that mentality of, “well something happened and I have to chase them down and get them.”  </p><p>I always ask, are there any misdemeanor crimes where you’d be justified in shooting somebody? I can spend up to an hour on that question. The answer is no. That’s the reason they are misdemeanors, they are lesser crimes. So a punch in the nose is a misdemeanor. Are you going to shoot someone because they punched you in the nose? You shouldn’t—and if you do, you’re going to have problems. Now if they are beating you to death, that changes the situation. You’re now in justified fear of your life.  </p><p>It’s a split-second decision with a firearm, and if you’re wrong, it can be catastrophic to the officer, whoever the other person is, and to the organization.   </p>
https://sm.asisonline.org/Pages/The-Usual-Suspects.aspxThe Usual SuspectsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Whether large or small, from two to 431,000 employees, companies were similarly victimized, according to data patterns revealed in a new study. </p><p>As part of a larger study that focused on the creation of typologies and criminological perspectives related to trade secret theft, the authors of this article analyzed all 102 successful U.S. trade secret theft prosecutions from 1996 to 2014 using FBI and U.S. Department of Justice press releases, indictments, docket information, and other data related to the types of organizations that were victimized. </p><p>Trade secrets discussed in these cases are not public or published like copyrighted and patented materials. Instead, they are protected by the organization through the privilege of nondisclosure. This designation leaves the trade secrets protected in perpetuity—unlike patents and copyrights, which have limitations on the number of years they are safeguarded from use by competitors. </p><p>The theft of this type of protected information is illegal under the Economic Espionage Act (EEA) of 1996. It is considered a form of economic espionage or “larcenous learning,” because secrets are targeted and stolen from the rightful owner by individuals, rival companies, and even foreign countries through economic-espionage related activities.  </p><p>And trade secret theft is not a rare occurrence. American businesses owned an estimated $5 trillion worth of trade secrets in 2014, and approximately $300 billion was stolen per year, according to a statement made by Randall C. Coleman, assistant director of the FBI’s Counterintelligence Division, in a hearing before Congress.  </p><p>The authors’ analysis of these cases provides insight into the most common types of trade secret and economic espionage activities, as well as the prevalent characteristics of offenders. ​</p><h4>Who is Vulnerable? </h4><p>All companies, regardless of size and type, are vulnerable to trade secret theft. The majority of companies that were victimized were large (employing more than 1,000 employees), and many were easily recognized Fortune 500 companies.  </p><p>Organizations in the manufacturing sector were most likely to be victimized (64.6 percent), followed by service industries (19.2 percent), when examining sectors using their Standard Industrial Classification Codes. ​</p><h4>What is Stolen and How? </h4><p>The authors’ review of EEA cases showed that anything of actual or potential value—including current, future, or intrinsic—can be stolen or compromised when it comes to trade secret theft.  </p><p>This includes source code, photographs and images of machinery, proprietary software programs, sales order forecasts, customer and client lists, billing information, subscription lists, research data, and project data, to name a few examples. </p><p>While a common assumption may be that trade secret theft involves some degree of sophistication, the study suggests otherwise.  </p><p>For instance, a bartender who worked in the corporate dining room of MasterCard’s headquarters in Purchase, New York, stole reams of confidential material from the dining room and surrounding areas—including CD-ROMS and binders—that he offered to sell to Visa.  </p><p>Visa, however, reported him to the FBI, which set up a sting operation to negotiate the purchase of the materials. </p><p>In another case, Chinese nationals simply walked into corn production fields owned by Monsanto, DuPont, Pioneer, and LG Seeds, and stole bioengineered seeds after claiming they worked for the University of Iowa. </p><p>Trade secret theft episodes are not always long-term events. In fact, some  <span style="line-height:1.5em;">are short-term, opportunistic, one-</span><span style="line-height:1.5em;">time events.  </span></p><p>One example of this is when two engineers for Wyko Tire Technology—a company that supplied Goodyear parts for its tire assembly machines—were left unescorted in a Goodyear factory. They used the opportunity to take cell phone photos of proprietary machinery at the factory, despite being told not to. A Wyko IT manager later discovered the photos on one of the engineer’s e-mails and forwarded the message to Goodyear. ​</p><h4>Who’s the Thief? </h4><p>There is no one-size-fits-all profile for those who commit trade secret theft, according to the authors’ study. Even though the majority of cases involved insider threats, advanced analysis found no discernable offender profile.  </p><p>Additionally, the authors’ review showed that offenders were not distinguished by citizenship, age, gender, or employment status.  </p><p>However, some generalizations can be made about trade secret thefts and offenders. Any type of trade secret can be stolen, most thefts are simple, males commit trade secret theft more than females, and most thefts are committed by lone offenders. Citizens—not foreigners—commit most trade secret theft. </p><p>Insider threats. The majority of suspects in EEA cases were insider threats (83.3 percent). In most cases, the insider had legitimate access to trade secrets through the course of his or her daily work.  </p><p>These insiders were often in a position of trust, such as network administrators, executive secretaries, computer programmers, engineers, computer specialists, vice presidents, former owners, and IT directors. </p><p>Among these insider threats, most were still employees of the company (71.8 percent) when they were indicted. Next most prevalent were former employees, who committed the theft while still employed but who were detected post-employment (22.4 percent).  </p><p>The least likely insider threat was an invitee of the company (5.9 percent). This group included contract employees or subcontractors who had legitimate access to the company.  </p><p>The study also found that most insider threats are citizens and lone offenders. The majority of offenders were U.S. citizens (64.6 percent) and were U.S. born (53 percent), males (56 percent), and in their 40s. The majority of the internal threats were also lone assailants (67.5 percent). </p><p>This could be because in many trade secret theft cases, the employee leaving the organization used stolen trade secret–related information for professional gain. </p><p>In 2013, Ketankumar Maniar quit his job at a company that made disposable syringes. Prior to his resignation, however, he downloaded trade secret files onto his work laptop.  </p><p>Through an internal investigation, the company discovered that Maniar had downloaded these files. It contacted the authorities, and FBI agents later caught Maniar in a hotel room as he was preparing to leave for India. While FBI agents searched the room, Maniar admitted that he planned to use the trade secrets for future employment opportunities in India. </p><p>In another case, Xiang Dong Yu—an employee of 10 years with Ford Motor Company—quit to take a new position with Beijing Automotive. He was arrested by the FBI when he flew back to the United States and agents found at least 41 Ford design specifications on his Beijing Automotive–issued laptop. </p><p>If not seeking new employment opportunities, however, internal threats often created their own consulting or start-up companies, the study found. Such was the case with Yu Qin, a vice president of engineering and research and development at Controlled Power Company (CPC) who also had his own company for five years, unbeknownst to his employer. </p><p>In this case, Qin and his wife (a former employee of CPC and General Motors) were stealing trade secrets from both CPC and General Motors. Their thefts were discovered when CPC employees found a hard drive, which contained 16,000 confidential files <span style="line-height:1.5em;">that belonged to General Motors. </span></p><p>CPC management then sent the files to General Motors, which determined that Qin’s wife had stolen the electronic documents before her voluntary resignation. CPC then realized that Qin had also used trade secrets from CPC for his own consulting company. </p><p>While trade secret theft can help individuals achieve professional gain, personal financial gain should not be discounted. Trade secret theft is also committed by current or existing employees, who in most cases are motivated by financial gain or revenge.  </p><p>For instance, Yuan Li—who was employed by Sanofi—held a 50 percent partnership in Abby Pharmaceuticals. Sanofi was unaware of this fact.  </p><p>Li accessed an internal Sanofi database and downloaded information about Sanofi chemical compounds onto her Sanofi-issued laptop computer. She then transferred the information to her personal home computer by either e-mailing it to her personal e-mail address or by using a USB thumb drive. Li later made the Sanofi trade secrets available for sale on Abby’s website. </p><p>External threats. While the majority of trade secret theft cases involved internal threats, security professionals should not discount the external threat. External threats, those individuals who have no legitimate access to the company or to secret information, accounted for 16 of the prosecutions analyzed in the study. </p><p>The review of cases showed that these external threats included persons who were classified as true spies (38.9 percent) or employees from a rival company (23.5 percent). Other external threats included friends or relatives of current or former employees (29.4 percent) who exploited their friend or relative’s status as an employee to access and steal trade secrets. </p><p>The majority of these external offenders were also U.S. citizens (52.9 percent), U.S. born (100 percent), and males who were in their 40s. In cases where the number of suspects could be determined, lone assailants were the most common (48.7 percent), followed by pairs of suspects (31.3 percent). However, a few crimes included groups of conspirators. </p><p>For example, former Business Engine Software Corporation (BES) Chief Technology Officer Robert McKimmey from Business Engine Software Corporation conspired with other executives to illegally access competitor Niku’s computer network. McKimmey gained system administrator privileges at Niku and used the passwords from 15 different employees to download more than 1,000 files over a 10-month period ending in 2002. </p><p>The FBI investigated the intrusion, and McKimmey and the other executives later pleaded guilty to conspiracy to misappropriate trade secrets and interstate transportation of stolen property. ​</p><h4>How Were They Caught? </h4><p>The actual means of detection was difficult to determine because a majority of cases did not disclose the specific measures used, the authors’ study found. The information that does exist, however, shows that many incidents were discovered by monitoring the computer use of employees. More interestingly, companies and their employees reported trade secret thefts perpetrated on rivals and competitors. </p><p>For instance, a former Lockheed Martin employee was hired by Boeing. Later, a Boeing employee discovered that the former Lockheed Martin employee had classified Lockheed Martin documents in his workstation and immediately notified his supervisor.  </p><p>This led to an internal investigation, and Lockheed Martin and the U.S. Air Force were notified. A subsequent investigation by the FBI revealed that the employee had stolen 25,000 pages of documents from Boeing. </p><p>In another case, a former DuPont employee was seeking technical assistance from current and retired company employees. Several of these solicited employees contacted DuPont’s management because the information the former employee sought was proprietary. DuPont officials then relayed their concerns to the FBI. </p><p>The authors’ study confirmed that, due to the limited number of trade secret indictments and prosecutions, many thefts go undetected by organizations and law enforcement entities. Based on this finding, organizations should develop proactive means to deter and detect such crimes.  </p><p>Security professionals must be prepared to protect their trade secrets from individuals who have no identifiable profit. They should adopt a comprehensive and strategic approach toward protecting trade secrets because all companies—large and small—are vulnerable to trade secret theft.   </p><p>-- </p><p><em>Brian R. Johnson, Ph.D., is a professor in the School of Criminal Justice at Grand Valley State University in Allendale, Michigan, and specializes in private security and law enforcement. Christopher A. Kierkus, Ph.D., is an associate professor in the School of Criminal Justice at Grand Valley State University and specializes in research methods and criminology. Patrick M. Gerkin, Ph.D., is an associate professor in the School of Criminal Justice at Grand Valley State University and specializes in criminology, ethics, and restorative justice.  </em></p>
https://sm.asisonline.org/Pages/Sounding-the-Alarm-at-Lone-Star.aspxSounding the Alarm at Lone StarGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>In our interconnected world, the vast majority of people within a college campus community think little of an emergency and how the institution will communicate with them—until it happens. Then, they want timely information on what is occurring, what to do, and where they can learn more.  </p><p>There is an assumption that if anything happens, everyone will receive a text message instantly, the faculty and staff will know what to do, and there will be an announcement over a public address system. Expectations are set. </p><p>Recent events, like the shooting at Oregon’s Umpqua Community College in October 2015, have students, faculty, parents, and guests inquiring about the notification equipment and procedures in place on their campus. They want assurances that the emergency systems will work when needed. </p><p>Many institutions have opt-in text messaging solutions and public address systems used for a broad range of services, including special events. In an emergency, speakers, sirens, and horns are often the first warnings received that danger is present or imminent.  </p><p>To meet the expectation of the campus community, schools must understand what emergency communications are necessary, what the law requires, and what the school can afford.  </p><p>This was the challenge facing Lone Star College (LSC) in 2010. The largest higher education institution in the Houston area, with six colleges, eight centers, two university centers, and LSC-Online, LSC provides high-quality academic transfer, workforce education, and career training programs to more than 83,000 credit students each semester, and a total enrollment of 95,000 students. It would need a robust emergency communication system to support its diverse campus community. ​</p><h4>Crafting a Solution </h4><p>When LSC decided to create its notification system, LoneStarAlert, in 2010, it used a team approach, crafting a selection committee and choosing a sponsor who could move the project forward. An LSC vice chancellor responsible for safety and security was chosen as the sponsor—an indicator of the project’s importance within LSC. </p><p>LSC then began selecting its committee members, including a cross section of the organization: administrative, college relations, compliance, emergency management, facilities, IT, law enforcement, procurement, student services, and tenants. </p><p>The committee also included individuals who preferred the status quo system at LSC, which had six colleges and six alert systems with their own name, workflow, vendor, and contracts. Having individuals on the committee who represented each of these systems made them realize that one solution with one name was a better overall system for LSC. Because of this, these individuals felt they had a voice and were being heard, making them great ambassadors for the new system. </p><p>Once the committee was assembled, LSC began assessing its environment. It knew it had different systems and various levels of sophistication because the campus had buildings that ranged from 40 to less than five years old. The buildings were also geographically dispersed among the city of Houston and Harris and Montgomery Counties in Texas, each of which has its own building and fire codes.  </p><p>To tackle this service area—approximately the size of Rhode Island—LSC first targeted the LSC-Greenspoint Center, a mid-rise atrium building with the most stringent fire ordinances of all the buildings on LSC campuses.  </p><p>LSC also targeted buildings within two colleges: LSC-North Harris and LSC-Kingwood. LSC-North Harris was chosen because it is close to a major airport and runway. LSC-Kingwood was chosen because it falls under three jur­isdictions—half the campus sits in Montgomery County, the remaining half is in Harris County, and the entire campus is annexed by the City of Houston.  </p><p>Then, over a five-year period, LSC created a mass notification system (MNS) with multiple levels of redundancy. ​</p><h4>the lone star system </h4><p>LSC implemented LoneStarAlert in 2011, consolidating its various emergency campus text messaging services under one solution. LoneStarAlert is a Web-based warning system that can send voice and text alerts to registered individuals when an emergency occurs. </p><p>The system works by issuing an alert over speakers, via a prerecorded or live message, and through e-mail messages in English and Spanish. For example, for a lockdown the prerecorded message says: “Attention. Lockdown now. There is an emergency on campus. Go into the nearest room or closet and lock the door.” Messages also instruct the campus community to wait for further instructions while they remain in a safe place. </p><p>LoneStarAlert also uses text messages of 90 characters or less—in English and Spanish. For an active shooter situation, messages say “Lockdown now. Emergency on campus. Go to nearest safe place, stay calm, and wait for further instructions.”  </p><p>More than 100,000 users are registered for the alert system, and it is only used for emergency messaging and testing of the system. Users are added through an automated system at the beginning of the semester, and users also have the option to self-register.  </p><p>This information is collected in compliance with the State of Texas Education Code Section 51.218 Emergency Alert System. The code requires institutions of higher education to gather a student’s personal e-mail, cell phone, or telephone number to deliver emergency communiques; using only LSC’s e-mail and voice mail system does not satisfy the requirement. </p><p>This information must be added to LSC’s LoneStarAlert system once provided, typically during registration. This process is repeated at the start of each semester.  </p><p>The system is also designed as an opt-out system, rather than an opt-in (choosing to participate) system, in compliance with the code. LSC does not allow this data to be used for any other purpose.  </p><p>Some users are still reluctant to regist­er for LoneStarAlert for fear that their information will be sold to third-party marketers. Ensuring this personal information is only used for emergency use not only keeps LSC in compliance with state regulations, it also shows that the institution is committed to protecting users’ privacy.  </p><p>LSC has made a commitment to closely manage this information and grant access to it only on a need-to-know basis and as authorized.  ​</p><h4>targeting the lsc population </h4><p>For an MNS to work, the institution has to think of the recipients it wants to target and ensure the system is capable of sending alert messages to those target groups. </p><p>LSC identified its target groups as employees, distribution lists (internal and external response teams), dynamic groups (created as needed), geographical locations, networked equipment, students, contractors, tenants, and guests. </p><p>LSC also needed to consider its unique status as a commuter college without campus housing. Some students, employees, and guests visit different campus locations more than once throughout the semester. Sending an emergency communication to just one given area would limit the reach of the MNS, and might miss some individuals who are en route and others who want to know what is occurring on any LSC campus.  </p><p>Instead, the system would need to be structured to send emergency messages to all registered users, regardless of their location. This system would be easier for LSC to administer and more desirable for the LSC community. </p><p>LSC also knew that accessibility and inclusion would be key to the success of its MNS. The system would need to be accessible to individuals with physical, sensory, mental health, and cognitive or intellectual disabilities that affect their ability to function independently. </p><p>The system would also need to be inclusive of seniors, those with limited English proficiency, and unaccompanied minors on campus. LSC has dual education programs for high-school students, Discovery College for children during the summer, full- and part-time day care centers, high schools, and public libraries that all provide opportunities for underage guests on campus.  </p><p>To reach these individuals, LSC would need to design its MNS to provide information online and to enroll them through LoneStarAlert. Because minors cannot be asked directly for personal contact information, LSC would have to work with leaders of these various groups to contact parents and guardians—who would then provide the information that then allowed their child to be enrolled in the system. </p><p>LSC also knew that its system would need to reach the public libraries, four-year educational partners, school systems, executive conference centers, and commercial tenants that are a part of its campus. To reach these stakeholders, LSC would have to provide instructions and a means for individuals to self-register in LoneStarAlert. ​</p><h4>choosing the right integrator </h4><p>LSC awarded its initial MNS contract to a local system integrator, Convergint Technologies. They worked together to create LSC’s wide-area MNS, which is used for any hazard or threat that poses an imminent or present danger and requires immediate action. This includes an evacuation, shelter-in-place, or lockdown scenario. Advisories and alerts that do not pose an imminent or present danger are sent out via LSC e-mail. </p><p>LSC’s MNS is deployed using Windows and Microsoft SQL Servers in a secured and high availability environment. The servers are clustered into a shared pool of monitored resources, so if a host fails, the system immediately responds by restarting each affected host from a different host. </p><p>The MNS encodes and decodes audible signals and live-voice messages transmitted across a TCP/IP local area network using voice over Internet protocol (VoIP). LoneStarAlert text, voice mail, and e-mail are delivered using a Web-based application hosted by the provider. </p><p>LSC’s wide-area MNS command system is located at the main administrative offices and is interconnected with each campus’ central control station, comprising the total system.  </p><p>Each campus is classified as a zone, and each building within a zone is considered a sub-zone. Most campuses have sub-zones that are interconnected. This configuration enables activation of prerecorded, live voice, or tone signals that can be sent to a sub-zone, zones, or the total system, providing redundancy throughout the system. </p><p>LSC police dispatch is responsible for immediately distributing voice messages or alert signals. It is authorized—and empowered—to send emergency messages to the affected populations using either prerecorded messages or live messaging via the wide-area MNS and LoneStarAlert.  </p><p>Dispatchers will send an alert when requested by an officer on the scene, or when requested by senior leadership. They will also issue an alert if there is credible information coming to the dispatch center that warrants sending a message. </p><p>As part of its initial installation, LSC included speakers for common areas with signals adjusted so the message could be heard through a closed door. However, the level of noise in the area impacts the level of intelligible voice or tone that can be heard.  </p><p>Additionally, LSC has video displays at all of its campuses where emergency messages are displayed using a digital management system. This ensures that individuals who cannot hear the emergency alerts do not miss them. </p><p>LSC also uses a buddy system where a buddy will help ensure a person with functional needs is supported, and first responders are aware of their last known positions and conditions. This information is then captured—when provided—in each campus fire safety plan. </p><p>As an additional measure, most LSC campus community members have cell phones. This enables those who are deaf or have other hearing impairments to receive emergency text messages and, where available, two-way communications using the Telecommunications Relay Service (TRS).  </p><p>The TRS bridges the communication gap between voice telephone users and people with hearing impairments by allowing users anywhere in the United States to dial 711 to be connected to a TRS operator. The operator then serves as a link for the call, relaying the text of the calling party in voice to the called party, and converting to text what the called party voices back to the calling party. </p><p>Following the initial setup, in-house resources assumed most of the responsibility for supporting the system over a five-year period. However, the system integrator supplements LSC resources.  </p><p>Additional system integrators are also used to provide support for the MNS. Sharing the service responsibilities among multiple vendors provides redundancy in the event a vendor is unable to provide services to one or more of LSC’s locations. ​</p><h4>testing </h4><p>Whether a fire exit drill or a lockdown drill, testing of emergency communications processes and systems is a base requirement. LSC has a rolling three-year sustainability and exercise program that’s part of the LSC Emergency Management Plan, which tests the LoneStarAlert and its MNS. </p><p>In the beginning, some questioned the approach and anticipated backlash from disrupting operations by testing the systems. However, LSC quickly learned that the process built confidence within the community that the school is doing its part to keep its campus safe. </p><p>Testing also gave users who were registered incorrectly and did not receive text message alerts a chance to inform LSC. Users who did receive texts and e-mail alerts could also report how long it took to receive them. </p><p>This helped LSC determine that, on average, more than 95 percent of regis­tered users received text and e-mail alerts within two to three minutes of activation. </p><p>On one occasion when LoneStarAlert was not tested during a larger emergency management drill, LSC received negative feedback, debunking the myth that testing the system during normal operations is viewed negatively. This approach has helped LSC align its MNS with its brand.   </p><p>-- </p><p><em>Denise Walker is chief emergency management officer at Lone Star College System, responsible for policy and direction on emergency management; safety and security audits; fire safety; environment, public health, and safety; and victim advocacy. She serves as the chair of the Greater Houston Local Emergency Planning Committee and is executive member of the Texas Emergency Management Advisory Committee. She is the author of several books, including Mass Notification and Crisis Communications: Planning, Preparedness, and Systems.   ​</em></p>
https://sm.asisonline.org/Pages/How-to-Practice-Ethics.aspxHow to Practice EthicsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>“I am incredibly nervous that we will implode in a wave of accounting scandals…the business world will consider [our] past successes as nothing but an elaborate accounting hoax,” Sherron Watkins of Enron Corporation wrote in a six-page letter dated August 15, 2001. Watkins, Enron’s vice president of corporate development, sensed that the end was near for her firm, but even she did not know the extent of it. Enron Chief Executive Kenneth Lay, and his top lieutenants, had engineered one of the world’s largest fraudulent corporate accounting schemes in history. </p><p>Enron’s ultimate collapse resulted in the loss of $61 billion in shareholder value and the elimination of more than 5,000 jobs. Sixteen employees pleaded guilty for crimes committed at the company. Several top executives, including ex-CEO Jeffrey Skilling, landed in prison for their roles in the scheme and for lying to employees and investors about Enron’s financial health. Skilling was sentenced to 24 years in prison and fined $45 million. </p><p>As detailed in his seminal book Conspiracy of Fools, author Kurt Eichenwald revealed that greed and ambition were not the only reasons for Enron’s failure. Another crucial factor was the absence of an ethical culture, which ultimately enabled the wrongdoing.  </p><p>In the 15 years since Enron’s epic failure, the importance of maintaining an ethical culture continues to grow. As the world of security changes, corporations change, management approaches change, and technologies change. To remain ethically sound, organizations need more than a fixed set of specific rules contained within their codes of conduct. Security managers should take the lead in actively managing their department’s culture so that sound ethics are firmly embedded in all operations, which are in turn aligned with the organization’s values and mission.   </p><p>Ethics is the sum of the moral principles that help govern our behavior. Ethics allow us to distinguish between good and evil, between right and wrong. Ethics allow us to recognize virtue in ourselves, and in others. </p><p>On the organizational level, the ethical guardrails designed to keep employees within the lanes of proper behavior can usually be found in the organization’s code of conduct. Moreover, properly crafted mission, vision, and values statements may also serve as ethical flashcards, reminding employees of conduct expectations and cultural goals. All told, many organizations demand rigid compliance to an array of rules, policies, and behavioral guidelines. </p><p>At the same time, modern organizations of all types and sizes, in both the private and the public sectors, are embracing diversity. Employers are increasingly relying on a management philosophy that considers no two staffers alike. Each employee possesses their own unique truth, with distinctive background experiences, motivations, and values.   </p><p>This leads to a potential paradox. Employers are welcoming the wide range of backgrounds, opinions, and perspectives that their staff members provide, but at the same time they are demanding universal ethical conformity and compliance. Can this paradox be reconciled? Does it suggest that it is time to rethink ethical expectations and how organizations pursue them? </p><p>Some forward-thinking security leaders have found the answer. They have begun to understand ethical behavior not as a commodity, nor a goal to be fulfilled at some point in the future, but as a sustainable organizational condition. As such, it is dynamic. The pursuit of ethics is never-ending, because the organization that embraces it is continually evolving. The organization may downsize, expand operations, take on new markets, or change focus, but because sound ethics are embedded in its culture, it and its employees act ethically, regardless of circumstances.  </p><p>And so, the paradox of prized individualism versus universal rules compliance can be resolved by the careful management—or nurturing—of the organizational culture. Thus, as Enron and its investors so painfully discovered, active culture management is essential for an ethical organization. As Eichenwald revealed, when an organization fails to manage its own culture and push ethical considerations to the fore, it becomes ripe for ethical lapses, sometimes catastrophically so.   </p><p>Below are two real-world examples of security managers who encountered ethically challenging situations in their organizations. These leaders were able to manage the culture of their firms by taking actions that had positive ethical ripple effects through the organization.  ​</p><h4>mission creep </h4><p>To illustrate the importance of culture management to ethics, here’s how one hospital security manager—we will call her Rachel—changed her organization’s culture. </p><p>Rachel knew she faced challenges before she accepted her position. The hospital that had hired her, which mostly served the inner-city poor, had an aging infrastructure; many of the buildings that housed the institution’s staff of more than 4,000 employees were in disrepair. The administration’s approach to selecting and using its security officer force was similarly outdated.  </p><p>As the hospital’s first new director of security services in more than 20 years, the first thing Rachel addressed was the complacency that she found in the organization’s culture. To communicate her expectations and set a new tone, she privately met with each of her 85 full-time team members. In each meeting, she asked three questions: Who is your customer? What are their needs? What have you done to meet them? </p><p>The results were startling. Many on the team did not know whom they were serving. And many of the services that team members were offering were outside the department’s stated mission. For example, on occasion “volunteer” off-duty uniformed officers were provided for security purposes at hospital fund-raisers. The officers were expected to donate their time and work such events. Officers resented such treatment and complained, but executive management responded by questioning their loyalty to the community. </p><p>Moreover, some of the services and practices that were being offered appeared potentially unethical. One such service was the screening of domestic help for hospital executives, several prominent doctors, and the doctors’ friends. Not only were such services a distraction, and potentially unlawful—possibly noncompliant with the Fair Credit Reporting Act—they were in conflict with the hospital’s code of conduct. It was also clear to Rachel that the delivery of these services squandered resources, adversely impacted morale, and set a poor example.  </p><p>She decided to address the matter in her first meeting with the board of directors. She opened by emphasizing the importance of culture and ethics. “Setting the tone at the top by demonstrating our ethical behavior ought to be a priority if we desire to derive the most value from our hospital’s security function,” she told the board.   </p><p>Rachel then provided the board with a new mission statement she had prepared for her department. The mission statement was crisp and on point. It included four fundamental expectations: </p><ul><li><span style="line-height:1.5em;"> Treating all people with respect and dignity. </span><br></li><li><span style="line-height:1.5em;"> Performing and delivering all security services ethically and lawfully. </span><br></li><li><span style="line-height:1.5em;"> Demonstrating loyalty to the hospital and its mission to serve the community.  </span><br></li><li><span style="line-height:1.5em;">Embracing flexibility, innovation, and teamwork. <br><br></span></li></ul><p>She closed by identifying her team’s current activities. When she mentioned the employment screening of nonhospital applicants, she made it clear that she intended to discontinue that practice. She then discussed more beneficial current activities that she intended to renew and focus on. These activities included training for those officers responsible for the security and safety of emergency room staff; special training relative to the handling and management of violent patients and visitors; and a review of all officer benefits and compensation plans. </p><p>Not long after the meeting, the hospital’s administrator announced her intention to undertake a top-to-bottom examination of all nonhealthcare activities at the hospital, with a focus on ethical practices and code-of-conduct compliance. Thus, without making accusations or pointing fingers, Rachel successfully altered her organization’s culture by changing its perception of ethical conduct from the top down.  ​</p><h4>vendor management </h4><p>A regional security manager—we will call him Jose—worked for a global energy company and was based in a country in which the flow of petroleum dollars provided thousands of good paying jobs and a considerable amount of political stability. Jose’s predecessor enjoyed years of cozy relationships with both local authorities and contractors, and this inherited situation often made Jose’s job difficult.  </p><p> One of the most obvious challenges involved no-bid contracts. Technically, the organization had policies against such practices, but in actuality, long- </p><p>entrenched relationships and favored vendors sometimes won out over the rules.  In addition, these cozy relationships sometimes resulted in unapproved add-on change orders to contracts, which meant cost overruns for Jose’s company. Privately, Jose sometimes wondered how high up the corruption went. </p><p>Jose decided to meet the challenge head-on. He devised a five-step approach that was simple and effective. First, he met with his internal customers, such as site managers, project managers, and those responsible for operations. Together they identified needs, pain points, and priorities. </p><p>Second, he compiled a list of action items and activities to meet those needs and priorities. He refined and affirmed the lists with his constituents. Third, he met with his suppliers and vendors, and requested information regarding their service and delivery capabilities. </p><p>Fourth, he used all this collected information to carefully craft bid packages for the projects his customers identified as priorities, and formally presented them to each qualified vendor. Each package contained not only scoping and technical information, but regulatory compliance requirements, change order policies, and a new vendor code of ethics. Fifth, when the contracts were awarded, he held vendor orientation and safety meetings, and required sign-offs on the new vendor code of ethics.  </p><p>In the end, Jose’s professional and thoughtful approach to vendor selection and management proved rewarding. Many of the entrenched, poor performing vendors were replaced or left. Those that remained gained new respect for their customer, its business practices, and its ethical expectations.  ​</p><h4>shades of gray </h4><p>From these examples, it is easy to see that an ethical culture is a values-based one that often evolves incrementally. Small steps and straightforward actions by a single individual or group can ripple through an organization and ultimately produce seismic cultural changes.  </p><p>In these cases, Rachel and Jose were in organizations in which ethically questionable practices were apparent. But sometimes, ethical issues play out in a more oblique way. Take for example, a CSO we’ll call Robert, who worked for an international logistics organization spanning three continents. As a retired law enforcement officer from a U.S. federal agency, he had many well-placed friends both in and outside government. When needed, those friends, in addition to many former colleagues around the globe, served as both a reliable source of assistance and as fertile ground for recruiting. Robert also knew that the tactics sometimes used by his external resources did not always square with organizational policies and expectations. He ignored such exceptions and rationalized that they were merely the occasional cost of success. </p><p>Nevertheless, over several years Robert recruited and groomed one of the finest teams of security managers in the industry. Like Robert, all team members had law enforcement experience. As a group, they shared the same values, level of professionalism, and sense of duty. In terms of the latter, they all agreed that they had a duty to bring criminal offenders—whether they be employees, contractors, or vendors—to justice.  </p><p>One day, the company’s CEO addressed the group while participating in a management budget meeting. The CEO began by reading aloud the organization’s mission statement. He then asked each manager to reflect and identify one activity that they were routinely engaged in that was inconsistent with the mission statement. </p><p>Some chuckled or squirmed. Robert sat silent. He knew instantly that the impulse to pursue criminal offenders served neither his organization’s needs nor its mission. Instead, it was driven by his team’s sense of duty to enforce public law. While based on a clear ethi­cal impulse, the effort was not an effective deterrent, nor did it add value to the company.   </p><p>For several days, Robert considered his dilemma. He knew his team consisted of first-rate ethical professionals. However, his leadership had created a culture that put achievement of his personal ideals ahead of the ideals of the organization. Seeking a solution, he recalled what author Jim Collins wrote in his best-selling book, Good to Great: “You can’t start off by asking which direction you’re headed.…First you figure out if you’ve got all the right people on the bus.” </p><p> Collins suggested that making a clear-eyed assessment of key staff within an organization is one of the “brutal facts” leaders need to be willing to address as they look to set their team on the right path. “Sometimes more people need to be brought on board—and sometimes a longtime traveling companion needs to step off the bus before it can move forward,” Collins wrote. Robert realized that what his team lacked wasn’t ethical character or ability, it was diversity; every member came from a law enforcement background. What was needed was team members from different professional backgrounds, with a different base of experience and ideas.</p><p><span style="line-height:1.5em;">Over the course of the next 12 months, Robert committed himself to changing his team’s culture. He embraced the idea of putting the right people on the bus; in this particular case, that meant diversifying his team and recruiting outside the law enforcement community.  </span></p><p>The outcome was remarkable. After two years, the culture had been transformed. Prosecutions were pursued only when they furthered the organization’s mission. In cases where they did not, other approaches were used. The most fruitful of these was restitution, where the investigation was tailored toward recovering loss, rather than prosecuting or simply firing the offender. This proved very successful; often, not only were losses recovered, but so were the costs of the underlying investigation. </p><p>High ethical standards were still maintained in all operations; the team clearly communicated that the reduced number of prosecutions did not mean that the violations were less serious, or somehow excusable. Instead, the new approach communicated the concept that crimes of theft and embezzlement affect all members of an organization, not just the owners and shareholders, so restitution is the best course of redress for all concerned, and a sound ethical option.  </p><p>Soon, Robert’s division became nearly self-funded. Robert inverted the mindset of his team and turned his division into a profit center instead of a cost center. The transition was not painless, but it ultimately paid great dividends. Given the success of the new and more diverse hires, Robert worked with hu­­man resources to establish a new simple and effective recruiting strategy. The new strategy included recruiting constantly and deliberately; implement­ing a preemployment screening process that is ethical and has purpose; selling the organization, not the job; involving the team’s stakeholders and process-owners in the program; and focusing on the applicant’s character and values and not just his or her skills and experience. ​</p><h4>ethical attributes </h4><p>In all three of the real-world examples above, the security manager made positive and ethical culture changes that in turn changed the organization as a whole. That process began with the belief that cultural change is achievable, and that the organization is capable of the change necessary to sustain a more ethical environment.  </p><p>Ethical security managers know that good results are in part the product of good planning. But culture management isn’t just about planning and resource deployment. Nor is it just about policies and codes of conduct. It is rooted in our individual behavior—how do we as security professionals behave and manage our responsibilities?  </p><p>-- </p><p><em><strong>Eugene F. Ferraro, CPP, PCI,</strong> is a member of ASIS International and an ASIS Standards and Guidelines Commissioner. He is the former Chief Ethics Officer of Convercent, Inc., and has been in­volved in the study of organiza­tional culture, governance, and compliance as it relates to asset protection and loss prevention for more than 30 years. His most recent book, Virtues & the Virtuous: Inspir­ing Lessons and Insights about Virtue, Virtuosity, and the Essence of the Human Spirit is available on Amazon. </em></p>
https://sm.asisonline.org/Pages/Insights-on-Asia.aspxInsights on AsiaGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">When a major casino operator in Macau was six weeks out from opening a second phase of its resort development, senior management realized that the in-house security design had not been subject to third-party review or validation. Arup’s Hong Kong–based Resilience, Security, and Risk practice was asked to carry out a sitewide assessment, identify significant vulnerabilities and resulting risk levels, and manage the implementation of the necessary solutions in the short time remaining before opening. </span></p><p>The Macau casino project burgeoned into something bigger than originally intended. Arup’s initial review identified a number of operational practices that had been acquired over time and were obstructing the effective implementation of security. The team was tasked to address these, and to review policies and procedures. The project was then phased, initially focusing on critical measures required to be put in place for the opening. A follow-up phase closed out the second-tier items. The fast-track nature of the assessment posed a major challenge to a small team. Some team members reported to the site for a single area assessment and left 48 hours later, having slept on the property.  </p><p>In the end, opening day was incident-free. This was due, in part to the successful collaboration in operational planning for crowd management and incident response at the opening day events, and the involvement of Arup’s traffic team, which modeled crowd movements. </p><p>Founded in 1946 as a civil and structural engineering firm, Arup came to international prominence with its design of the Sydney Opera House, which opened in 1973. Arup currently has more than 10,000 employees and has added some 25 more disciplines to its repertoire, including all the major engineering specializations, as well as planning, transport, environmental, security, and risk consulting </p><p>Though Arup’s Resilience, Security, and Risk practice for East Asia is headquartered in Hong Kong; team members are also located in London, Singapore, Australia, and the United States. The Hong Kong group comprises 10 staff members who specialize in risk, security planning, and design. The team tackles everything from the initial risk assessment to intelligence, threat vulnerability studies, and natural hazards risk assessments. Through integration with specialists in other disciplines, and in other regions, it is able to conduct detailed analysis and modeling for specific risks such as explosions and earthquakes. </p><p>The team’s geographical range runs from India to Japan, working primarily on complex projects for major corporations. While some projects have more of a traditional security design focus, many require innovation. Some are new builds and some are major refurbishments or retrofits, and jobs range in duration from a few weeks to many years. </p><p>Because Arup is independent—not affiliated with any products or services—its advice is free of vendor bias. This allows the company to more easily spot overarching trends. Following is a discussion of emerging markets and security trends the group has witnessed in Asia.   ​</p><h4>Airports </h4><p>Arup has consulted for more than 100 airports within the last five years—ranging from some of the world’s largest international hubs to smaller regional airports. The company has identified several aviation security trends surrounding compliance, technology, expansion, and customer service. </p><p>Compliance. In the Asia-Pacific region, aviation is a growth market. This growth is driven from a national level as governments see the value of hosting international airports. Along with the airports comes an increasing awareness of the value of international security compliance standards.  </p><p>Work with individual airports is designed to determine how many of the domestic and international standards are going to affect a particular aviation operation. In airports with large hub capacity that are focusing on hosting international flights, becoming fully compliant with international regulations is imperative. </p><p>However, compliance with security regulations can help an airport of any size become a true competitor. For example, in Hong Kong there is no requirement for screening of U.S.-bound cargo because it is coming from a known and trusted airport that meets international screening regulations. However, airports in mainland China do not meet these regulations, meaning that U.S.-bound cargo must be thoroughly screened. This gives Hong Kong an advantage. Were airports in mainland China to gain that advantage by complying with tougher standards, they would be elevated and Hong Kong would no longer have an advantage. </p><p>These regulations apply to both the passenger and cargo sides of the operation. Currently, the European Union and the U.S. Transportation Security Administration issue regulations for passenger screening, and the U.S. Department of Homeland Security issues regulations for screening of cargo. </p><p>Another challenge is to keep an eye on the future of airport security policy. This policy analysis then drives what happens on the ground in terms of recommendations to clients. This is critical to maintain flexibility for the airport’s future security needs. For example, the sheer size of security equipment, both current and future, must be factored in to design specifications. </p><p>Technology. Another development in aviation security is the increasing awareness of technology and how essential it is in meeting requirements and combating threats. In this arena, airports must predict where the industry is moving and the implications of this for their operations. </p><p>For example, security practitioners in Asia are now debating the merits of metal detectors versus full-body scanning. Arup counsels that body scanners are the future, but there is still resistance from aviation security professionals, especially in India, due to cultural concerns around privacy. </p><p>Security influences the structure of the airport itself, and assessments frequently find that changes need to be made to load-bearing capacity and ceiling heights to accommodate the newer screening equipment, which is typically heavier and taller. </p><p>One client that is developing multiple airport facilities—some international and some with ambitions of being international—had questions about capacity. They wanted to know the maximum volume of passengers and cargo that could be pushed through the new spaces. Airport operators had to be refocused on basic security needs, analyzing airport perimeter protection before turning to passengers, baggage, and cargo. These basic security assessments are a necessary precursor to design solutions, because the most technologically advanced terminals in the world are vulnerable without adequate perimeter security. </p><p>Expansion. In addition to building new airports, there is a strong trend in the Asia-Pacific region to expand, upgrade, and enhance existing facilities. The challenge for airport owners and operators is to balance space de­mands among security requirements and other uses that are seen as commercial income generators. </p><p>With expansions, most of the work is done at the design level because the physical space is already established. In these cases, research on future trends is conducted from an operational perspective, applying benchmarking and best practices. </p><p>An example of this is check-in baggage screening. A standard system can always be designed to meet current needs, but security requirements are constantly changing with a lead time of up to nine years. With this knowledge of where the industry is going, designs can reserve space for specific types of technology. </p><p>Customer service. As airlines and airports in Asia introduce changes to enhance the passenger experience, the challenge for security is to ensure effective screening while keeping intrusion and disruption to a minimum. </p><p>To do this, operators are urged to promote security as a selling point. While airports such as Amsterdam and London Gatwick have embraced this philosophy, selling that message in a positive way in the Asian market has been a challenge. The airports that have employed this approach have totally revamped the passenger security experience, making it more pleasant and less stressful. </p><p>Some airports in Asia also try to benchmark their security against insurance. If airports have a quality security plan, they can negotiate an insurance discount. This is still quite a new concept for some airports, so more education is needed to demonstrate to airports that their up-front investment in security can yield rewards through lower insurance premiums. ​</p><h4>Casinos </h4><p>Casinos in Asia are technologically advanced but challenging environments that require large surveillance operations. Examples of this can be found on the island city of Macau—a gambling attraction known as the “Las Vegas of Asia.”  </p><p>For casinos, a detailed security plan is critical. For example, one casino client provided little input, asking for a standard layout. Once the casino opened, it was obvious that the cameras were in the wrong places, and significant changes to the camera configurations were needed. Like any other complex operation, casinos are urged to make decisions early and test them thoroughly.  </p><p>This is the approach for a new building project, Wynn Palace Macau. One of the most revolutionary facilities in Asia, Wynn has more than 7,000 cameras and thousands of access-controlled doors. The casino has exacting requirements for camera coverage of gaming tables—sometimes requiring multiple angles on the same location—and this can compound the security challenge. Each gaming table requires a different configuration to accommodate the rules of the game, and Wynn has hundreds of tables. </p><p>In addition, the level of detailed design required can also be extremely challenging. Wynn has exacting design standards for architectural finishes, which must be considered in the camera layouts. These also extend to the landscaping, where integration of the cameras into the luminaires was initially considered before a bespoke camera-mounting structure was eventually devised. </p><p>Casino operations go beyond gaming, and casino security goes beyond surveillance. Such operations face the usual challenges of access control associated with the hospitality environment—some casino properties integrate up to five independent five-star hotels within the development. In addition, the security plan must account for the movement of thousands of employees with different jobs, all with different access rights. With staff drawn from all over the region and comprising dozens of nationalities, there are challenges for communication, training, and the creation of a security culture. ​</p><h4>Master Planning Districts </h4><p>With burgeoning growth in recent years, city master planning has come to the fore as a design discipline. In Malaysia, Kuala Lumpur’s International Financial District (KLIFD) is intended to create a new financial services hub, clustering private sector tenants, key regulators, and high-end residential, as well as hospitality and commercial elements. The district is built around a landscaped area that uses crime prevention through environmental design (CPTED) principles. </p><p>The focus is on framing a security master plan to be adopted by successive project teams because KLIFD is being developed over an extended period of time. Instead of a single concept design for translation into construction, the project is focused on a philosophy of security, which, with some fixed elements, could be applied and interpreted by successive design teams, possibly from different commercial entities. The layout of major spaces such as standoff from public roads, the design of the shared utility tunnels, and security command, control, and communications infrastructure was set at an early stage. Security design for individual structures has been left to various design teams working under a set of guidelines for each of the different categories of space in the project. </p><p>In China, owners of the tallest tower in Beijing, located in the central business district, wanted an evacuation plan. The building covers an entire city block and holds more than 20,000 people. As part of the plan, the building is now linked to a districtwide management system that will notify building managers of any emergency that takes place in the district, such as a bomb scare in another building. </p><p>Another large planning project is the Macau Zhuhai Bridge. When completed, the bridge will connect the island of Macau to Hong Kong at a border-crossing facility adjacent to the airport. The plan for the project, which is a major Pearl River Delta infrastructure initiative, envisages commercial development in the border-crossing area and requires detailed coordination with the CIQP (customs, immigration, health services, and police) agencies who will service this new land border to China. </p><p>Some of the same issues were also addressed in security planning for Hong Kong’s new high-speed rail connection to Guangzhou, China’s “southern capital” and third-largest city. Another major infrastructure project, this has seen close collaborative work with the same CIQP agencies and the railway operator, detailed risk assessments for individual structures, and a resilience review for the main Hong Kong terminus. </p><h4>Data Centers </h4><p>Hong Kong has positioned itself as a regional data center hub, with government support and heavy investment from financial services and telecom providers. Typical security needs for data centers include threat, vulnerability, and risk assessments; concept and detailed design for physical and electronic security equipment and systems; and construction and installation supervision.  </p><p>Data center operators focus on availability, while end users are typically more concerned with the confidentiality and integrity of data and applications. This—and the fact that operators sometimes include nondata functions, such as employee break areas, in the design—means that security must provide for multiple levels of access, auditable controls for restricted spaces, and both monitoring and confidentiality for other areas. </p><p>Minimum perimeter screening is mandated, but where the screening takes place—at the main site entrance or in the lobby—is at the discretion of the facility owner. While some degree of vehicle screening is common, screening people in commercial buildings is still relatively unusual in many parts of Asia. </p><p>Other data center clients have specific concerns, ranging from blast effects and mitigation to whole-facility risk from fire, flooding, and systems failure, as well as security risk. </p><p>One common feature of all projects is that they all start at the strategic level, and security strives to be involved early in the project. If a company plans a security screening area poorly, for example, it is difficult and expensive to redesign it later. </p><p>Putting a proper operation and maintenance plan is place is also critical. Major international clients have seen sophisticated solutions fall apart because they are not maintained. In Shanghai, for example, two new buildings were erected with state-of-the-art security systems. However, the systems were not maintained and had to be replaced five years later.  </p><p>As economies in Asia continue to grow, security will continue to be a factor in building projects. Risks will also evolve, requiring that security practitioners stay current on the latest trends and how they fit into the various cultures in the region.  </p><p>​-- </p><p><em><strong>Damian Ryan </strong>leads Arup’s security consulting practice in East Asia from the company’s Hong Kong office. A former Hong Kong police officer, Ryan has 30 years’ experience in public and private-</em><span style="line-height:1.5em;"><em>sector security planning in the region. He is a member of ASIS International. Mark Turner, with the Hong Kong office of Arup, also contributed to this article.   ​</em></span></p>

 UPCOMING EVENTS AND EDUCATION