|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Washington Navy Yard On Lockdown After Reports of Shooter2015-07-02T04:00:00Z1’s-Guide-to-Marijuana-in-the-Workplace.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465An Employer’s Guide to Marijuana in the Workplace2015-07-01T04:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Security Market Growth Continues2015-05-15T04:00:00Z|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Five Incidents That Shaped Crisis Management2015-06-29T04:00:00Z|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a434446560 Years: July2015-07-01T04:00:00Z|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Le Toca a Usted: A New Spanish Language Column2015-06-29T04:00:00Z|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a434446560 Years: 60 Milestones2015-01-01T05:00:00Z,-Colo.-Court-Rules.aspxGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Employers Can Fire Workers Who Use Medical Marijuana, Colo. Court Rules2015-06-15T04:00:00Z|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Proving Security's Value2012-09-01T04:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Surveillance for Security and Beyond2015-06-15T04:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now New Cyber NucleusGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">When Count Floris IV of Holland purchased land alongside a pond in 1230, he had no idea that his hunting grounds would encourage the development of a small village that would one day become the International City of Peace and Justice: The Hague.</span></p><p>Home to more than 500,000 people, The Hague today is a mixture of Dutch and international power as the seat of The Netherlands’ government and parliament, the International Court of Justice, the International Criminal Court, and a United Nations site.</p><p>However, over the past decade The Hague has also created a new role for itself as it works to become the European hub for cybersecurity. This is because peace, justice, and security are closely linked, says the city’s deputy mayor, Ingrid van Engelshoven.</p><p>“What we discovered is that The Hague region already had a lot of companies, government agencies—nationally and internationally—active on cybersecurity, and we were able to bring them all together,” she explains. “And because The Hague has this good reputation as the International City of Peace and Justice, we offer good grounds to stimulate discussions and innovation around cybersecurity.”</p><p>Ahead of a global cybersecurity summit this year, Engelshoven visited Washington, D.C., and Security Management had an opportunity to sit down with her to discuss cybersecurity initiatives and how The Hague is working to connect global innovators.</p><p>One of the leading organizations for bringing together innovators from around the world is The Hague Security Delta (HSD). Engelshoven describes the Delta—launched in 2010—as a “triple-helix organization” that brings together government, nonprofit institutions, and businesses to “support and bring on the market innovations in the security field.” </p><p>Approximately 3,100 security companies—400 of which are in The Hague region—are part of the Delta, which has created 61,500 jobs internationally. Companies and government along with international, research, and educational institutions can also partner with HSD to create knowledge bridges with the main global security centers in the United States, Canada, Singapore, and South Africa.</p><p>In February 2014, HSD opened its campus in The Hague, which houses an innovation center with labs for gaming, real-time intelligence and incident experience, education and training facilities, flexible office space, and meeting rooms.</p><p>A key focus of HSD is talent development for cybersecurity jobs because The Netherlands faces a shortage of qualified workers for those positions. “What we see, and I think you see it in the States also, is there are a lot of job opportunities, but not enough people who can fill the jobs,” Engelshoven says. </p><p>To combat this shortage, The Hague has been pursuing a variety of initiatives, including creating HSD’s Security Talent Community in December 2014. The community is designed to match demand for security talent with a supply of qualified personnel. </p><p>It also uses a Web platform to list current vacancies, assignments, internships, public and private training courses, degrees, and careers in security, so students and job seekers can make informed choices and companies can reach security talent, stated Xander Beenhakkers, program manager of human capital at HSD, in an official release.</p><p> “In this way we encourage a career in security, because only with enough qualified personnel, the national security cluster of HSD can keep working on security innovations, with the goal of creating more jobs, more activity, and a more secure world,” he added.</p><p>As part of the community, HSD has also created a Cyber Security Academy, which offers an accredited master’s degree in cybersecurity through cooperation with Leiden University, Delft University of Technology, and The Hague University of Applied Sciences.</p><p>The universities “created a master's degree that combines the technical side of cybersecurity with the legal and governance side, and having that in a combined master is quite unique in the world,” Engelshoven says. More than 25 professionals have enrolled in the program, and businesses will be able to give guest lectures as part of the curriculum.</p><p>To get young people interested in the field of cybersecurity, HSD also hosted a Hacklab for primary and secondary school students during Cyber Security Week. “So they can see it’s an interesting job—it’s fun—and I’m sure they were able to hack something,” Engelshoven jokes.</p><p>Along with developing talent, HSD is focused on building ties with other nations. During a Cyber Security Week held this April, it signed a memorandum of understanding with the U.S. Department of Homeland Security (DHS) Science and Technology Directorate. The agreement provides a framework for cooperation on security innovations and knowledge, and it also leads to new trade and business opportunities between The Netherlands and the United States.</p><p>For instance, DHS will work with HSD to bring together DHS personnel, first responders, end users, and private sector personnel in an online or face-to-face environment to exchange information and facilitate technical discussions on common goals and achievable objectives, according to a press release.</p><p>“All parties involved in this initiative will benefit from cost savings, technology awareness, and enhanced relationships,” the release said. “DHS will benefit by being made aware of technology solutions and services which fit the expressed needs of homeland security end users. Furthermore, the private sector will benefit by being made aware of specific, publicly available DHS and HSD requirements and capability gaps.”</p><p> Beyond HSD, The Hague is also focused on developing an international legal framework to provide a secure, open, and safe Internet with a good government structure, Engelshoven says. To further this effort, The Hague hosted the Global Conference on Cyberspace (GCCS) 2015 in mid-April, bringing together delegations from more than 100 nations for the third conference of its kind. The number of countries participating in the conference is encouraging, as it provided an opportunity to discuss creating a legal framework for the Internet.</p><p>“If they weren’t interested, they wouldn’t come,” she adds. “Everyone sees it as a big topic, because if you look at the financial sector and our critical infrastructure, everything that’s happening around the Internet of Things, more and more we will need a safe and secure Internet to keep our society going.”</p><p>During the GCCS, attendees further expressed the need for a free, open, and secure Internet as a global resource managed in the public’s interest. </p><p>“Together, we have to build the right frameworks to promote and enable participation, privacy, innovation, trade, competition, and investments,” said Netherlands Minister of Foreign Affairs Bert Koenders in the closing ceremony of the conference. “We all have to invest to keep the Internet open, free, and secure…all of the people should have access to all of the Internet, all of the time.”</p><p>To drive home this point, Koenders also included an objective in his Chair Statement, which outlines the positions that delegates agreed on and discussed over the course of the conference.</p><p>“We need to ensure that the various stakeholders play an active role in the ongoing discussions about [the Internet’s] governance, management, and security,” the statement said. “We must also ensure that those who do not yet have a voice in this debate are empowered to participate in these discussions—discussions which will also shape their future.”</p><p>The framework will also need to address privacy, which is a major concern in The Netherlands because a Dutch court recently overturned its data collection law. “The Dutch public doesn’t accept data collection by public authorities when they don’t see the need,” Engelshoven explains. “And more data collection than what’s necessary, when done by government, is not accepted.”</p><p>Instead, the framework will need to address privacy concerns so the Internet can remain secure and governments can maintain public trust. And The Hague is the perfect place to do this because of its track record, Engelshoven says. </p><p>“We provide a kind of trusted ground, and as the International City of Peace and Justice with all the international courts doing a lot of justice around the world, I think we have the right ecosystem to work on such a legal framework,” she explains. </p><p>For instance, Engelshoven says The Hague is working to develop a smart city solution using the Internet of Things. However, it will only be effective when “people trust your solution” and don’t feel that their information is being handed over to the private sector without a “clue what will be done with their information.”</p><p>While The Hague has made progress through its initiatives, Engelshoven says it’s just the beginning, and the city hopes to see its efforts grow to spur more innovation and more dialogue about cybersecurity and the Internet, just as she does in her role as deputy mayor. </p><p>“I’m not a specialist, but what I can do is connect people and conversation, and bring them together, and that’s a lovely role to play.” </p> New TestGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">In 1987, my high school debate team spent months arguing about drug and alcohol testing. We were consumed with one question: was drug testing an unacceptable invasion of privacy or an urgent necessity? We squared off as individuals, using the Lincoln-Douglas format to hammer home both the gross injustice of and the undeniable need for drug testing. We teamed up to conduct cross-examinations of each other, demanding that the audience weigh the horrors of invasive testing run amok versus impaired workers piloting airplanes.</span></p><p>Though extreme, the discussion was far from abstract. In 1986, the Reagan administration suggested across-the-board workplace drug testing as part of its War on Drugs. In 1988, an executive order required companies with federal contracts exceeding $25,000 to implement a drug-testing program. Such mandates were expanded when, in 1991, transit workers in safety-sensitive positions were required to undergo drug testing as well. The private sector soon followed suit. Exact numbers are hard to come by, but studies indicate that by the mid-1990s between 62 and 81 percent of private employers in the United States drug tested their employees.</p><p>The rest of the world takes a different approach to drug testing. In 2013, the Supreme Court of Canada ruled that random alcohol testing of employees in safety-sensitive positions was an invasion of privacy and an overreach on the part of management. In some European Union countries, such as The Netherlands, any drug testing of employees at all is illegal. In others, such as the United Kingdom and Germany, drug testing is permitted, but must be germane to the employment position in question. In China and India, as well as in many Latin American countries, drug testing is the not the norm because fewer substances are deemed illegal than in the United States.</p><p>Where there's smoke, there's fire, and that smoke is wafting into the United States. In recent years, popular mandates legalizing medical marijuana in many states immediately ran afoul of federal laws declaring that drug illegal. Now that four states—Alaska, Colorado, Oregon, and Washington— plus the District of Columbia have decriminalized recreational marijuana use, employers will be forced to rethink drug testing programs, and the U.S. judicial system will certainly revisit the issue. This makes the inclusion of <strong>background screening</strong>, including drug and alcohol testing, a particularly relevant entry into this month's "60 Years, 60 Milestones."</p><p>Background screening is only one of the privacy-related topics addressed in this month's milestones. Other issues rounding out the list include the <strong>privacy of personal information</strong>, the rise of <strong>social media and privacy</strong> concerns, the ubiquity of <strong>surveillance in public areas</strong>, and the corporate protection of privacy in the form of <strong>trade secrets</strong>. As this list indicates, the War on Drugs may be waning—but the war on privacy is just warming up.  </p> News July 2015GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​ASIS Launches China Security Conference </h4><p>ASIS International has announced that it will organize its first international event in mainland China, which will be held at the beginning of December. The tentative dates are December 3 and 4. The ASIS China Security Conference (ASIS China 2015) will consist of one-and-a-half days of educational sessions, a networking reception, and a lunch. The event follows the establishment of the ASIS Shanghai Chapter in 2014, strong membership growth in China, and accords with the ASIS Board of Directors’ goal of increasing the Society’s global presence. </p><p> This first iteration of the event will bring together a potential 100 to 150 key decision makers in corporate security from China, Asia, and the rest of the world.​</p><h4>Security Documents and Project Management Workshop</h4><p>Fifty-two people attended the inaugural Security Documents and Project Management workshop in San Diego, California. This new two-day program offers a detailed look at how facilities and projects are documented today. Whether trying to work with a local security vendor on a specific upgrade or helping the facilities department create a new facility, the language of project documentation can be daunting to the uninitiated security professional. A fundamental knowledge of how security-related facility projects are done is key to a project’s success. Understanding the design and construction process and its related documentation enhances the value of an educated facilities security program team member.</p><p>The class was taught by leading secu­rity design architects, engineers, and secu­rity experts, who shared their experiences in completing cost-effective facility security designs and projects. They were: Rick Lavelle, PSP, principal architect and owner, Creador Architecture, LLC; Mark Schreiber, CPP, president and principal consultant, Safeguard Consulting, Inc.; and J. Kelly Stewart, managing principal and CSO, Newcastle Consulting, LLC.</p><p>The curriculum included document management, the project predesign phase, the project phase, the bidding and contract phase, security consultants, security program integration, security system documentation, managing project changes, and completing the process.</p><h4>SRVP, RVP, and Council Chair Awards Given</h4><p>Bill Bradshaw, CPP, senior regional vice president (SRVP) of ASIS International Group 6 (Canada) has been named the 2014 SRVP of the Year. Additionally, Charles Andrews, CPP, regional vice president (RVP) of Group 3-C (Texas), has been honored as 2014 RVP of the Year, and Gary S. Miville, chair of the ASIS Cultural Properties Council, has been named the 2014 Council Chair of the Year. The announcements were made, and the winners honored, during the ASIS Annual Volunteer Leadership Conference on January 22 in Arlington, Virginia.</p><p>The Annual SRVP of the Year Award recognizes the significant contributions made by an outstanding SRVP to the regions within their assigned group, to ASIS, and to the security profession during the SRVP’s term of office. The Annual RVP of the Year Award recognizes the significant contributions made by an outstanding RVP to the chapters within his or her region, to ASIS, and to the security profession during the Regional Vice President’s term of office. The ASIS Council Chair of the Year Award recognizes chairs who perform their volunteer leadership positions with exceptional dedication and excellence.</p><p>All three of the awards also highlight excellence in support of the ASIS Strategic Plan in adhering to the goals and objectives; promotion of activities within the group or region in the areas of growth, professionalism, and influence on behalf of ASIS; the degree of assistance to increase region and chapter participation in membership recruitment and retention; mentorship of potential, new and existing ASIS members; and overall leadership.</p><p>Bradshaw is director of Bill Bradshaw Consulting, which specializes in assessment, system design, and project management for electronic access control, closed circuit video surveillance, intrusion alarm, and security lighting systems for commercial, industrial, institutional, and government building applications. Bradshaw has more than 25 years of experience in the field of security systems. He also has extensive experience in electronic security hardware and software, industry installation best practices, and overall physical security.</p><p>Andrews possesses 35 years of law enforcement, corporate security, business risk, and consulting experience, as well as experience in training and education in both domestic and international venues. He is chief security officer (CSO) of Butchko, Inc., of Houston, Texas, which is a provider of innovative solutions to challenging security requirements and of professional services focused in and around CSOs and their programs.</p><p>Miville is regional vice president for USentra/RIBI Security, a full-service, New England-based, privately-owned contract security company. Miville’s 40 years of security management experience includes tenures as a security coordinator with The Travelers and as area vice president with Securitas.</p><p>Bradshaw, Andrews, and Miville have all contributed enormous time and energy to ASIS. Miville says he believes that the benefits received from supporting the Society are many and that giving back is vital. “Every member should try and give back to our profession and to help raise the bar,” he states.</p> Packs A PunchGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">The Chemical Facility Anti-Terrorism Standards (CFATS) program got off to a bit of a rough start. In its first five years, it didn’t approve a single facility site security plan and was only authorized year-to-year via fiscal year funding for the U.S. Department of Homeland Security (DHS). In its first few rounds in the ring, CFATS could barely make it to the bell.</span></p><p>Fast forward from 2010 to 2015 however, and CFATS has come out swinging, rejuvenated by efforts to streamline the program, a focus on outreach to stakeholders, and a four-year authorization by Congress—a major victory for the program now in its eighth year. Security Management sat down with David Wulf, director of DHS’s Infrastructure Security Compliance Division, which oversees CFATS, to discuss these efforts and their implications for private security. </p><p>“It puts the program on stable footing, so it enables us to plan for the future of the program to continue to recruit and retain the best and brightest,” Wulf says. “It also provided much-deserved regulatory certainty for our industry stakeholders who, as they contemplate making CFATS-related investments in security, have the assurance that the program is really and truly here to stay.”</p><p>Authorized in 2007, CFATS identifies and regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with these chemicals. Facilities are divided into tiers (1 through 4) and are required to prepare security vulnerability assessments—which identify facility security vulnerabilities—and develop and implement site security plans that include measures that satisfy 18 identified risk-based performance standards.</p><p>Approximately 3,400 facilities in the United States—ranging from chemical manufacturers to fisheries to prisons—fall under CFATS regulations. “The universe of CFATS-regulated facilities is a pretty broad and diverse one,” Wulf says. “It’s much more than what folks might normally think of as a chemical facility.”</p><p>CFATS recently received a major boost with the passage of the CFATS Act by Congress. It not only authorizes the program for an additional four years, it also introduces new aspects to the program to further streamline the compliance process—both for DHS officials and for regulated facilities.</p><p>One of the major new developments with the passage of the CFATS Act is the creation of an Expedited Approval Program for Tier 3 and Tier 4 facilities. </p><p>Traditionally, the CFATS approval program requires regulated facilities to submit a site security plan to the program. CFATS then reviews the plan—called authorization—and completes an authorization inspection, which allows CFATS inspectors to visit the facility and meet with stakeholders to discuss how the site can meet the 18 risk-based performance standards they are required to address through nonprescriptive guidance. </p><p>The facility then creates a site security plan that best addresses the unique characteristics of its facility. That plan is submitted to CFATS for approval, the facility implements its plan, and CFATS conducts compliance inspections to ensure that the plan meets regulations. </p><p>With expedited approval, however, facilities will be placed on a fast track for approval. “It was really the brainchild of now-retired Sen. Tom Coburn (R-OK), who was looking at ways in which he could provide us a means to more quickly get through the backlog of site security plans that are awaiting approval,” Wulf explains. </p><p>To qualify for the program, Tier 3 and Tier 4 facilities will submit a site security plan that shows how they will meet the risk-based standards using methods that CFATS has outlined. If these methods don’t deviate from CFATS  guidelines, the facilities will automatically be granted approval and enter into the compliance cycle, bypassing the authorization inspection process.</p><p>For instance, CFATS-regulated facilities have to address perimeter security and have measures designed to deter, detect, and delay terrorist attacks. Under the normal approval process, facilities can choose a variety of measures to address this risk. “If a facility wants to do the expedited approval, it will have to essentially say, ‘I agree. We will have at least an 8-foot fence,’” Wulf explains.</p><p>The specific options that facilities can use to address the risk-based standards will be listed in guidance that the program plans to release this summer in the Federal Register and online. They were developed using best practices learned by DHS and stakeholders over the lifetime of the program, Wulf adds.</p><p>With the passage of the CFATS Act, the program is also pursuing approval from the Office of Management and Budget (OMB) for an information collection request. If approved, it will give facilities three different ways to comply with the part of the standard that requires a check to determine whether employees have ties with terrorists. </p><p>One option is allowing facilities to submit to DHS the personal identifying information of individuals who will have unescorted access to high-risk chemical facilities and their chemical holdings. Those individuals include employees and contractors who may have access to restricted areas of the facilities. That information will then be vetted against the Terrorist Screening Database, and the facility can allow those individuals access.</p><p>A second option allows facilities to leverage existing vetting programs and submit a limited amount of information to DHS to run a check on individual Transportation Worker Identification Credential (TWIC) cards or hazardous materials endorsements on commercial driver’s licenses. This option “would essentially verify the continuing validity of those existing credentials to ensure that they’re not counterfeit or expired,” Wulf adds.</p><p>The final option CFATS hopes to make available would be an electronic vetting option. It would allow facilities to use electronic vetting technologies, like TWIC card readers, without submitting additional information to CFATS. “Essentially, if a facility so chooses, it will be able to allow folks to rely on vetting essentially through visual inspection, allowing folks to use TWIC cards or other credentials as a flash pass,” Wulf says.</p><p>Once DHS receives approval from OMB, it plans to roll out the options for compliance in a phased manner, beginning with facilities that have already received approved security plans.</p><p>CFATS is also continuing its efforts to streamline various program processes, making considerable progress over the past few years by approving more than 1,700 site security plans—the approximate mid-point for nearly all regulated facilities.</p><p>It’s specifically worked to streamline the inspection process by doing more preliminary work with facilities before inspectors show up on site. “There are phone conversations, conference calls between the facilities and inspectors where they go through many of the risk-based performance standards, and they clarify what sorts of things will be important to have taken care of before the inspection,” Wulf adds. </p><p>CFATS is also taking a more corporate-friendly approach for companies that have multiple facilities regulated under the program. “More than a third of our regulated population consists of facilities that are part of multiple-facility companies,” Wulf explains. “And so where companies have multiple CFATS facilities, we give them the option to have assigned a company point of contact within our division.”</p><p>That point of contact works with the company at the corporate level to look at inspection scheduling efficiencies and to look at security policies that apply across all the company’s facilities. This allows inspectors to be familiar with the corporate security policies that exist when they get on site, making the inspection and site security plan approval process progress more quickly.</p><p>Additionally, CFATS continues to offer compliance assistance to regulated facilities through services like its help desk so they aren’t developing their site security plans “in a vacuum,” Wulf adds. “Our inspectors, our headquarters security specialists, are available. Our inspectors will make site visits—called compliance assistance visits—to work with facilities as they consider different options for meeting those nonprescriptive risk-based performance standards.”</p><p>This type of “full service” assistance is a significant part of the CFATS program and is one of the reasons it’s been able to make so much progress over the past few years. “The buy-in we’ve had from our regulated industry stakeholder community has been a huge part of why we’ve been able to make the progress that we have,” Wulf says. “And continuing to foster and continuing to focus on that compliance assistance as a priority is going to certainly be important going forward.” </p><p>Wulf says he’s optimistic that CFATS will approve at least 2,000 site security plans by this summer and complete site-security plan approvals within the next few years. </p><p>“We’re excited within the next year-and-a-half to get through the backlog of site-security plan approvals and get the program into a regular cycle of compliance inspection activity,” Wulf explains. “Essentially, that means getting out on a regular basis to inspect facilities that have already gotten their site security plans to the point of approval.”</p> AlertGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">When a gunman opened fire at Florida State University (FSU) in November 2014, the school’s police department was able to warn the entire campus within minutes, thanks to its mass emergency notification system. “Alerts went out within two-and-a-half minutes of the first gunshot,” says David Bujak, director of emergency management at the Tallahassee-based university.    </span></p><p>A dispatcher immediately activated the preprogrammed message warning of a “dangerous situation” with the simple touch of a button. “As soon as she heard the first couple phone calls, she opened the door and hit the button,” Bujak tells Security Management. </p><p>Three people, one of whom is likely permanently disabled, were injured by the gunman. The shooter, Myron May, a former student at the university, was killed by police on the scene. Without the mass notification system, Bujak fears that the incident could have been much worse.</p><p>FSU campus police operate the safety and security program, which consists of a sworn police force. While participating in the university’s semiannual security gap analysis in 2013, security and the FSU administration defined its mass notification goals. The university wanted to reach people “inside, outside, and by your side,” says Bujak, meaning no matter where people are on campus, they would be notified of an alert. </p><p>Bujak cites human behavioral studies that show it takes people three forms of input before they react in an emergency. “Our concept with the alert system is the same thing. I’d rather bombard you with multiple delivery methods [because] if you get multiple alerts you’re going to know something is up,” he says. </p><p>The overall project, known as the FSU Alert Emergency Notification System, has been in place for several years. The system “is actually a hybrid collection of mass notification providers combined to maximize our ability to get the word out in a timely manner,” Bujak says. However, in June 2013, the university added the Alertus Desktop Alert Client and the Alertus Beacon by Alertus Technologies.</p><p>According to Bujak, the university purchased the Alertus products to enhance indoor notification. The existing mass notification system included indoor sirens that could also communicate a custom message to building occupants during an emergency. But of the campus’s 473 buildings, only 60 had modern voice-capable fire alarms. </p><p>“So our ability to do indoor notification with fire alarms was limited to only a portion of the buildings on campus, and to do the others would be cost-prohibitive because to replace an entire fire alarm system was pricey,” Bujak notes. That’s where the Alertus Desktop Alert Client and the Alertus Beacon came in, which he says were cheaper than replacing the fire alarm systems. </p><p>When the emergency notification system is activated by campus police, the wall-mounted Alertus Beacon flashes strobe lights and makes a sirenlike noise. The Alertus Beacon also has a screen that displays an LED message, which can be tailored depending on the circumstance. The messages can be read from up to 15 feet away. In addition, the Alertus Desktop client sends a pop-up message to the screen of any desktop equipped with the feature. FSU has a number of technology-enhanced classrooms where teachers use a projector, and the desktop alert client is connected to those machines. </p><p>The main challenge the university faced was integrating the new system into the existing IT network. FSU has a decentralized IT structure—different colleges own and operate their own infrastructure—so the installation process for the Alertus Desktop was a bit slower than it would have been if all of the buildings were under one department, explains Bujak. “Once we got comfortable that the desktops were working properly, we sent out memos to all the IT managers on campus and said, ‘here it is, download it, install it…’ And we’ve had really good participation in that regard,” he notes. So far, the university has pushed the client to 1,400 machines. </p><p>Either the Alertus Beacon or the fire alarm voice capability is now manda­tory for new buildings that have a capacity of 20 or more people. However, there have been challenges to deploying the mass notification system, notes Bujak. For example, each beacon requires an Ethernet connection. “Many of our technology-enhanced classrooms do not have ample Ethernet connections available for the beacons,” he points out. So rather than dedicate resources specifically to installing beacons, he says, the technology-enhanced classrooms included the beacons as part of a broader upgrade program they are rolling out to those rooms instead.</p><p>FSU originally hoped to offer the desktop alerting client to the public from its website for a free download so that neighbors and parents could also be connected to the system. </p><p>“We’ve since been told by Alertus that once you start pushing 5,000 [electronic recipients], the servers are going to start having a hard time getting it out to everyone in a timely manner,” he says. “So we backtracked on that idea of making it just completely free-for-all, but we have made it available to pretty much any university-owned or managed computer.” </p><p>During the campus shooting, Bujak says that security was pleased with the system’s deployment. “People recount seeing multiple computer screens all in rows light up with the desktop alert, and it was pretty much simultaneous with the indoor siren messages they received, and the text messages they received,” he notes.</p> ProblemsGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">In June of last year, a traveler entered a U.S. airport, got his boarding pass, and headed to the security checkpoint. A Transportation Security Administration (TSA) officer took the man’s travel and identity documents and noticed that the boarding pass said the traveler was eligible for TSA PreCheck, an expedited screening process. This is not unusual—various TSA programs allow low-risk travelers to go through the PreCheck line where they need not remove their jackets, belts, or shoes. However, in this case, the officer immediately went to his supervisor because the man who was approved for expedited screening happened to be a “notorious felon,” a former member of a domestic terrorist group who had been released from a multiple-year sentence in prison. (The identity of the felon was not publicly disclosed.)</span></p><p>According to TSA screening checkpoint operating procedures, TSA officers may increase the level of screening a passenger receives based on an articulable belief. That’s exactly what the TSA officer did when he recognized the felon. However, the officer’s supervisor told him to take no further action, and the felon was allowed to proceed through the PreCheck line, where he was able to leave on his shoes and belt and walk through a metal detector instead of a body scanner.</p><p>This vulnerability was reported by a whistleblower, and the U.S. Department of Homeland Security (DHS) Office of Inspector General (OIG) opened an investigation into the incident. The subsequent report, titled Allegation of Granting Expedited Screening through TSA PreCheck Improperly, recommended that the agency redefine how passengers are granted on-the-spot expedited screening, as well as modify its operating procedures to clarify the roles of security officers and their supervisors. The OIG also released a classified report to the TSA that further details the need to modify the PreCheck processes.</p><p>The incident is just the latest red flag for the TSA’s numerous risk-based screening programs, which are intended to strengthen security and improve the passenger experience, according to a Government Accountability Office (GAO) report on the program. </p><p>TSA’s Managed Inclusion program is also under the microscope. A December 2014 GAO report, Rapid Growth in Expedited Passenger Screening Highlights Need to Plan Effective Security Assessments, noted that Managed Inclusion has not been tested by the TSA for overall security effectiveness. The program, according to the GAO, “involves using real-time threat assessment methods, including randomization procedures and behavior detection officers, as well as either canine teams or explosives trace detection devices to screen non-TSA PreCheck Passengers in lanes that are otherwise dedicated to PreCheck passengers.”</p><p>Questions have been raised about the accuracy of behavior detection programs used in airports—government research studies have found that the ability of human observers to accurately identify deceptive behavior based on behavioral cues or indicators is the same as or slightly better than chance, at 54 percent. And in March, the American Civil Liberties Union (ACLU) filed a lawsuit demanding that the TSA hand over documents related to the behavior detection program known as Screening of Passengers by Observation Techniques (SPOT). The ACLU requested information regarding SPOT’s effectiveness, its impact on minorities, and its scientific underpinnings. </p><p>“What we know about SPOT suggests it wastes taxpayer money, leads to racial profiling, and should be scrapped,” said Hugh Handeyside, staff attorney with the ACLU National Security Project, in a press release. “The TSA has insisted on keeping documents about SPOT secret, but the agency can’t hide the fact that there’s no evidence the program works.”</p><p>On March 25, the House Homeland Security Subcommittee on Transpor-tation Security met to hear testimony from officials on the risk-assessment programs employed at the nation’s airports. TSA Chief Risk Officer Ken Fletcher explained that Managed Inclusion is just part of a “multilayered, risk-based” approach to targeted airport security that bolsters the PreCheck program.</p><p>Started in 2011, the PreCheck program “was one of the first initiatives in TSA’s shift toward a risk-based and intelligence-driven approach to security,” Fletcher told committee members. The program initially targeted certain low-risk passengers, such as active members of the military and U.S. Department of Defense employees, but was eventually opened to the public, allowing U.S. citizens to apply for PreCheck and benefit from expedited airport security procedures.</p><p>TSA uses its Secure Flight system to match every passenger’s identifying information against No Fly, terrorist, and other similar watch lists up to 72 hours before the passenger’s flight. If a PreCheck-approved passenger is cleared, the airline will mark that person’s boarding pass for expedited screening, according to the GAO report. The agency also uses the same process on low-risk populations who are not members of PreCheck to hasten passenger movement through airports—that’s how the convicted felon was able to go through expedited screening.</p><p>TSA has been vocal about aiming to provide expedited screening to the majority of the traveling public, and it is well on its way to achieving that goal: the percentage of passengers receiving some form of expedited screening increased from 9.6 percent in September 2013 to 50 percent by November 2014, Fletcher said. The GAO report notes that this was accomplished in part by expanding the Managed Inclusion program.</p><p>The on-the-spot, risk-based issuance of PreCheck status—both in the form of approving fliers by checking the watch lists and through Managed Inclusion—raises questions on what “low-risk” actually means. In response to the OIG’s report on the convicted felon incident, the TSA noted that “had the intelligence or national law enforcement communities felt that this traveler posed an elevated risk to commercial aviation, they would have…prevented the traveler from being designated as lower-risk.”</p><p>However, the OIG report went on to point out a paradox in the PreCheck system: had the felon formally applied for a PreCheck membership, he would have been denied due to his conviction. But since the felon never applied to the program and was not watchlisted, he was granted PreCheck status at the airport. “As a concept, TSA PreCheck is a positive step towards risk-based security screening,” the OIG report states. “However, TSA needs to modify TSA PreCheck vetting and screening processes.”</p><p>John Roth, the DHS Inspector General, said during the March hearing that the felon was granted PreCheck screening through risk assessment rules, not the application program. He also voiced concerns about the TSA’s response to OIG reports on the program—in one report, 17 recommendations were made, and the TSA did not accept the majority of them, he noted. </p><p>“We are disappointed that TSA did not concur with the majority of our recommendations, and we believe this represents TSA’s failure to understand the gravity of the situation,” Roth said. </p><p>Jennifer Grover, the director of the Homeland Security and Justice Division of the GAO, agreed that TSA has been “nonresponsive” to the various reports on the PreCheck program. “We recommended that the secretary of Homeland Security…limit future funding support for the agency’s behavior detection activities until TSA can provide scientifically validated evidence. The DHS did not concur with this recommendation.” </p><p>TSA’s Fletcher said that the agency is working with the DHS Office of Policy as well as the U.S. Customs and Border Patrol to establish a common definition for identifying “lower-risk” travelers. In the meantime, Fletcher said the TSA will continue to meet its goal of providing expedited screening to a majority of travelers by enrolling more low-risk populations in PreCheck. In addition, it will expand participation to other U.S. and foreign airlines.</p><p>“TSA will continue to focus on applying our risk-based security approaches to other aspects of transportation security,” Fletcher said. </p>