| https://sm.asisonline.org/Pages/Preventing-Port-Problems.aspx | Preventing Port Problems | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>More than 90 percent of global trade is carried by sea, according to the International Maritime Organization, presenting a cost-effective method for goods to be shipped around the world. </p><p>One port that brings goods closer to customers, resulting in savings, is London Gateway, a deep-sea shipping port owned by DP (Dubai Ports) World. With 78 terminals in 53 countries globally, DP World is the third largest port operator in the world. </p><p>“One of our customers will save more than £1 million a month, just in transport costs, and take more than 2,500 trucks off the road,” says Colin Hitchcock, harbor master and head of International Ship and Port Facility Security (ISPS) at London Gateway, which is located on the north bank of the River Thames.</p><p>But this high transaction rate also presents an opportunity for thieves, making effective security a must to protect the goods being shipped and received. “We’ve been operating about four years now, and the first drug heist was a big deal,” says Hitchcock. “Now it’s sort of two or three times a week, to be honest.”</p><p>Drugs are just one of the many security concerns keeping DP World on the lookout. “I have threats of illegal immigrants coming in on ships, I’ve got people trying to break into the port itself to get cargo out of the containers, and then obviously we have cargos of interest that we have to monitor,” Hitchcock says. </p><p>“There’s a big problem with cars stolen-to-order, because we’re only a few miles from London. Basically, you can steal a car, put it in a box, and get it out of the country,” Hitchcock explains, adding that most of the stolen vehicles are headed for West Africa. “You can put two Range Rovers and an E-Class Mercedes dangling in a 40-foot container—so that’s quite big business going out.” </p><p>While London Gateway works closely with law enforcement and global crime agencies to counter these threats, it wanted to invest in a holistic physical security information management (PSIM) system to manage the various assets and operations around the port, which covers seven square miles. </p><p>When Hitchcock was told by the head office in Dubai that he could choose the security systems he needed, he says he was looking for a company that could customize its platform to meet London Gateway’s needs. “Anything we purchased had to be future-proofed and able to grow,” he notes.</p><p>In 2016, the port turned to the Converged Security and Information Management (CSIM) software from Vidsys, which brings together multiple sources of data and security information into one platform for situational awareness. </p><p>With CSIM, all of the port’s security and information management systems feed into one platform that provides situational awareness for all security and operations onsite, which include cameras, alarms, sensors, access control systems, and more.</p><p>Tying access control into CSIM has allowed the port to manage the various systems that grant or deny access to users throughout the port. “We have three main buildings, and each has its own access control,” Hitchcock says. “We’ve looked at each of the jobs that people do and asked, ‘Where does that person need to go, where does that person not need to go?’” </p><p>He adds that there are 55 different levels of access at the port, and that the server rooms have the most restricted access. “If anyone opens the server rooms an alarm goes off in the control room. We have cameras in there, and that’s automatically monitored from inside,” he says. </p><p>With a multitude of cameras installed on port property, having them all feed into one platform gives operators a comprehensive picture of operations, and allows them to quickly be alerted to possible trespassers. </p><p>The security cameras are set up to overlap coverage by 30 percent so that nothing is missed. “We also do a lighting diagram so there are no shadowy areas,” Hitchcock notes.</p><p>Another selling point for London Gateway was the fact that CSIM easily adapts to new systems the port incorporates. “That was one of the other main points with Vidsys—if we introduce new cameras or we introduce a new turnstile system or a new employee management system, the system is able to cope with it,” he notes. </p><p>London Gateway has several security alarms feeding into CSIM, as well as a PID (perimeter intrusion detection) system that runs for 600 meters around the port. When a sensor goes off, it is automatically pulled up in an alerts center. A list of standard operation procedures (SOPs) can be tailored to appear on screen, giving the operator a clear, step-by-step view of how to respond. </p><p>“We have about 30 SOPs that we’ve incorporated,” he says, adding that the procedures are reinforced during drills with police, fire, and emergency services. </p><p>In response to security incidents, Hitchcock says the port has developed an “onion skin” approach, with several layers to detect and mitigate any threats. “We have a perimeter fence, and an outer perimeter fence as well. So if anyone wanted to break in the port they’d have to get through both of those,” he says. </p><p>The next layer, the PID system, is covered by movement sensors and thermal imaging cameras. Should a trespasser trip any of those sensors, flashing blue lights are activated. There are also two drones that fly up and down the fence line and—if the unmanned vehicles spot someone—they begin flashing a blue light located on top. An audio alert plays over a loudspeaker that the party is trespassing. Finally, if these are ignored, a large spotlight targets the threat. </p><p>Recently, CSIM and the port’s multilayered response played a vital role in multiple arrests at London Gateway. A group of trespassers entered the property under the cover of night. “The thermal imaging cameras picked them up, there were two or three people,” Hitchcock says. The blue light and spotlight were both triggered, and the men tried to hide in some bushes. </p><p>Security immediately alerted port guards on site, as well as local law enforcement, who quickly responded. </p><p>With the Vidsys platform, video feeds can be simultaneously watched by law enforcement and the head office in Dubai when there is a security incident. “These poor chaps thought they were attempting to break in, thinking they were very covert, but actually the whole world—Dubai, Essex Police, U.K. military, and our own security—were all watching them,” Hitchock says. “The system worked very well indeed.”</p><p>With plans to expand and handle even more incoming and outgoing cargo, Hitchcock says he knows Vidsys will continue to accommodate London Gateway’s needs. “The big thing we found with Vidsys was its ability to listen, adapt, and incorporate what we wanted, as well as come up with new ideas,” he says. “And that was taken onboard.”</p><p>For More Information: Jasmeet Kapoor, kapoorj@vidsys.com, www.vidsys.com, 703.883.3730.</p> | | |
| https://sm.asisonline.org/Pages/Shaping-Sanctuary.aspx | Shaping Sanctuary | GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>As the holding and deportation of illegal immigrants from the United States took center stage over the summer, cities and states felt increasing pressure to pick a side. Should they enact so-called sanctuary city policies, limiting federal involvement in their law enforcement activities, and foster relationships with immigrant communities? Or should they work with federal officials to assist in detaining and deporting illegal immigrants, sometimes for profit?</p><p>The Trump administration's sweeping crackdown on undocumented citizens has affected a swath of people, from families crossing into the United States illegally to immigrants who have lived in the country for years. Most of U.S. President Donald Trump's message surrounding immigration enforcement has revolved around arresting and deporting criminals, making jails and prisons a target for federal authorities. And as some communities have begun making decisions about their level of support for U.S. Immigration and Customs Enforcement (ICE) within local judicial systems, it became clear just how complex the issue is.</p><p>Travis County, Texas—home to the state's capital, Austin—enacted a policy that prevents detention of individuals based solely on their immigration status in November 2016. While Austin's police department has not taken a public stance on cooperation with ICE, leaders have stated they will not focus on a person's immigration status but will still partner with federal agencies in immigration matters if the case involves criminal activity. </p><p>Travis County's proclamation sparked state legislators to pass an anti-sanctuary bill that, among other things, allows all law enforcement officials to ask detained individuals about their immigration status and requires them to honor immigration detainment requests from ICE. And while Austin has fought back against the bill, several state, county, and city law enforcement agencies operate within the city—including the police department, four county sheriff's departments, and the Texas Highway Patrol—making it more difficult to enact an across-the-board sanctuary policy.</p><p>Similar complications are playing out further east. Charlotte, North Carolina, attempted to put immigration protections in place in 2015, passing a resolution that prohibited the city's police department from inquiring about the immigration status of the people it came across, but—much like in Texas—state legislators prohibited policies that curbed the collection of immigration status information. In this case, though, the Mecklenburg County Sheriff's Office has maintained an agreement with ICE that allows them to identify and detain illegal immigrants. </p><p>And taking precedence over the policy complexities within states, counties, and cities is Trump's 2017 executive order to withhold funds and otherwise punish some 300 cities and officials that do not cooperate with ICE. The sanctuary city ban entered a legal back-and-forth, with one court blocking the order nationwide, and an appellate court later determining that Trump could not withhold funds from cities, but that the nationwide block of the order was too broad. The case will be sent back to a lower court to determine whether a wider ban is needed.</p><p>While local police departments may implement policies to build relationships with the city's immigrant community, county sheriff departments—which largely own local jails—may have more impact on a community's sanctuary policies, says Bipartisan Policy Center (BPC) political analyst Cristobal Ramon.</p><p>"I think that as this issue has really been spreading across the country and become a core part of the debate, that's where the pressure is coming from," Ramon tells Security Management. </p><p>"Independent of what states are doing with the laws and on the ground, a county sheriff's office may promote cooperation or not promote cooperation with ICE for a range of different reasons."</p><p>Ramon coauthored a February 2018 BPC report on the nexus between immigrants, the immigration enforcement system, and local law enforcement. The report focuses on immigrants who are detained in local jails, either awaiting trial or serving out terms of less than one year. There are many aspects that go into what makes a sanctuary city, but Ramon says one of the cornerstone aspects is what goes on inside city jails.</p><p>"These agencies can have a variety of policies that promote or limit the capacity of ICE to access noncitizens in their facilities…and these policies can be independent of the local police departments who do the majority of arrests and bookings," the BPC report states. </p><p>Sheriff's offices are already deeply intertwined with ICE operations—about half of ICE's total detention population is housed in state and local jails and facilities, including one of Mecklenburg County's jails. The BPC report outlines the varying levels of involvement sheriff's departments can play in federal immigration enforcement, from identifying illegal immigrants and reporting them to ICE to complying with immigration detainers—where a jail will hold an individual for up to 48 hours beyond their scheduled release date so that ICE can take them into custody. "County governments that operate jails are not required to honor detainer requests under federal regulations," the BPC report notes.</p><p>Other formal agreements include 287(g) agreements, which delegate many of ICE's powers to local law enforcement. Under the agreement, local jurisdictions receive money to pay for the training of officials that will allow them to legally inquire into a person's immigration status, detain individuals beyond the time they would be held in local custody, and issue Notice to Appear documents to begin deportation proceedings. More than 75 jurisdictions have entered into 287(g) agreements, and almost half of those joined under President Trump's revised program. In 2017, 287(g) agreements led to the deportation of some 6,000 illegal immigrants.</p><p>BPC studied five metropolitan areas—Atlanta, Austin, Charlotte, Denver, and Los Angeles—and only Charlotte's county sheriff has a 287(g) agreement. Ramon points out that the Fulton County Sheriff's Office, which oversees jails in Atlanta, had previously participated in the program but did not join Trump's revised agreement because they could not justify participation in the program. </p><p>"They did not interact with enough undocumented immigrants, and said that it was impractical," Ramon notes. However, six other counties in Georgia recently joined the 287(g) program. </p><p>At the beginning of this year, ICE announced a new program, known as a Basic Ordering Agreement (BOA), which gives sheriff's departments $50 and an arrest warrant to detain an immigrant for 48 hours after he or she should have been released. BOAs allow participants to circumvent legal issues and liabilities that have cropped up with counties involved with 287(g). The act of holding individuals past when they should be released violates the Constitution, immigrant advocates argue, so local jails that hold immigrants past a normal amount of time can be subject to litigation—which is often successful. Since a BOA is an agreement rather than a contract, it allows participating counties to detain immigrants without fear of liability. So far, 17 sheriff's offices in Florida participate in the program, and that number is expected to increase.</p><p>Ramon points out that finances can play a part in whether cities are immigrant-friendly. Incentives such as the $50 BOA fee and 287(g) grants and reimbursements for housing immigrants may entice local law enforcement, he says. And, in a broader scope, allowing privately run ICE facilities to operate in an area can bring significant financial benefits. </p><p>"As the debate about family detention and separation is ongoing and cities and counties are thinking about whether they want these facilities in their area, one of the arguments is that these facilities also bring in jobs," Ramon notes. "There is that component of additional financial revenue or jobs being created through private facilities. It's just something else people are considering at the moment."</p><p>County sheriff departments' actions go a long way in defining a city's status as immigrant-friendly. Mecklenburg County Sheriff's Office, for example, has solidified Charlotte's standing as hard on illegal immigration, despite the city's attempt to pass sanctuary city policies a few years ago. </p><p>And in Austin, the Travis County Sheriff's Office has set an example by completely cutting ties with ICE and permitting its officers to reject requests to detain individuals based on their immigration status. </p><p>Other sheriff's offices around the country fall in the middle, where some such as Denver will honor detainer requests but won't hold immigrants past their release periods. Other jurisdictions like Los Angeles allow ICE into jails despite a citywide push to end cooperation with the agency.</p><p>"The very term 'sanctuary cities' belies the fact that there are many law enforcement agencies that may operate within cities, and that the police can also operate at county or state levels," the BPC report states. "Policy makers should carefully analyze the practices of different levels of law enforcement across each state to develop policies based on a better understanding of cooperation between ICE and local law enforcement agencies."</p> | | |
| https://sm.asisonline.org/Pages/October-2018-Legal-Report-Resources.aspx | October 2018 Legal Report Resources | GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><strong>Harassment.</strong> Employees who do not report sexual harassment at work due to fear of retaliation may sue their employer later, <a href="http://www2.ca3.uscourts.gov/opinarch/172646p.pdf" target="_blank">a U.S. federal appeals court ruled.</a></p><p><strong>Hate crime. </strong>A U.S. federal jury <a href="https://www.scribd.com/document/345388586/USA-v-Marq-Vincent-Perez" target="_blank">convicted a man</a> of a hate crime for burning a mosque in Victoria, Texas, in 2017.</p><p><strong>Data transfer.</strong> Japan and the European Union <a href="http://trade.ec.europa.eu/doclib/press/index.cfm?id=1891" target="_blank">signed an agreement </a>to allow data to flow between the two entities in line with EU privacy standards.</p><p><strong>Surveillance.</strong> The U.S. House of Representatives <a href="https://www.congress.gov/bill/115th-congress/house-bill/4989?q=%7b%22search%22:%5b%22h.r.+4989%22%5d%7d&r=1" target="_blank">passed legislation </a>designed to protect diplomats from surveillance by consumer devices.</p><p><strong>Discrimination. </strong>Estee Lauder will pay $1.1 million and other relief <a href="https://www.eeoc.gov/eeoc/newsroom/release/7-17-18c.cfm">to settle charges</a> of sex discrimination against male employees. </p> | | |
| https://sm.asisonline.org/Pages/Smarter-Structures,-Safer-Spaces.aspx | Smarter Structures, Safer Spaces | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>Internet giant Google is known to build impressive campuses and office spaces for its workers. No exception is its Wharf 7 office in New South Wales, Australia, where it moved a number of employees when the company experienced a boom in growth in 2012.</p><p>The building was constructed to "encourage the interaction and collaboration that is key to the innovation Google promotes," IDEA Awards, an interior design awards program, states on its website. A gaming room, café, bridges, and walkways all contribute to the collaborative look and feel of the building. </p><p>While the interior design of Google's Wharf 7 is impressive, two security vulnerability researchers discovered that the system controlling much of the building's functionality had not received as much attention. </p><p>Billy Rios and Terry McCorkle, both of security firm Cylance, gained access to the corporation's building management system, a computer-based system that controls electrical and mechanical functions within the facility. They achieved this breach by exploiting unpatched vulnerabilities. In other words, they accessed the network that controls HVAC, lighting, fire and life safety systems, and more, because Google had not run security updates on some of those platforms.</p><p>"Among the data they accessed was a control panel showing blueprints of the floor and roof plans, as well as a clear view of water pipes snaked throughout the building and notations indicating the temperature of water in the pipes and the location of a kitchen leak," according to a May 2013 Wired article. </p><p>Upon learning of their research, Google promptly patched their systems and thanked the white-hat hackers for their warning. The lessons learned have far-reaching effects for facility and security professionals as they navigate their buildings' complex automation and control system environment.</p><h4>Intelligent Building Management Systems</h4><p>Intelligent building management systems (IBMS) are embedded in most contemporary buildings. IBMS continue to grow by anywhere from 15 to 34 percent each year, according to a report from revenue intelligence company MarketsandMarkets. Such growth is due to the demand for reduced operating costs, improved information flow, greater sustainability, and meeting increasing government regulation in building ownership and operations. </p><p>By 2022, it is estimated that the IBMS industry will be worth approximately $104 billion, according to a study by Transparency Market Research. However, this technological enhancement comes with a substantial set of security vulnerabilities that many facility and security professionals have not accounted for. As the Google example shows, if the security of IBMS is not considered, organizations will remain exposed to harm from nefarious actors.</p><p><strong>Vulnerabilities.</strong> The security vulnerabilities associated with IBMS stem from their incorporation across the built environment. IBMS integrate a building's operational management systems, such as HVAC, lighting, and life safety systems. They are also integrated into security systems, such as intruder detection, access control, and surveillance systems. </p><p>A detailed research project, funded by the ASIS International Foundation, the Building Owners and Managers Association (BOMA), and the Security Industry Association (SIA), recently investigated the security of IBMS, including vulnerabilities and mitigation strategies, as well as facility managers' understanding and practice.</p><p>The following is a discussion of the security issues associated with IBMS in the modern built environment. One of the more significant outcomes of the research project is Intelligent Building Management Systems: Guidance for Protecting Organizations. This guidance document was developed to be a consultation tool to aid the decision making of security and facility managers, as well as provide guidance to protect a building against an array of threats and risks.</p><h4>Explaining IBMS</h4><p>The scale of IBMS varies, from a small automated home heating system to a large and complex high-rise intelligent building, which centrally automates all functions including HVAC, lighting, elevators, audio-visual, security, and life safety systems, along with maintenance, administrative, and business functions. </p><p>With the advent of the Internet of Things (IoT), and its connectivity of all things electronic such as smartphones, vehicles, cashless vending, and more, IBMS will continue to expand into more diverse areas of everyday life. In other words, when you drive towards your building, the IoT will facilitate automatically opening the garage door as you arrive and allow your phone to open doors and turn on the building's lighting and heating. </p><p>The connectivity, automation, and control of the built environment with IBMS is achieved through a standardized technical architecture. This architecture is based on three defined component levels—management, automation, and field device. </p><p>The management level is the interface where a manager facilitates the day-to-day management of IBMS. The automation level is the core of IBMS and provides the primary automation and control devices, with controllers connected via a dedicated data network. The automation level implements defined rules set at the management level. The field device level includes the physical input sensors and output activators connected to the plant and equipment to monitor and control the built environment.</p><p><strong>Security risks.</strong> The fact that many IBMS devices are linked through a common communications protocol introduces security risks. These consequences can be divided into categories of loss, denial, and manipulation. All of these potential hazards threaten the organization's ability to maintain occupancy, manage operations, and protect data. Such risks can result in threats to life safety, as well as major financial loss and reputational damage.</p><p>When IBMS are compromised, consequences may range from denial of service attacks to manipulation of building systems. For example, turning HVAC off is denial of control that may be uncomfortable for the building occupants as the temperature changes, but also has the potential to shut down computer network servers when they overheat.</p><p>Vulnerabilities within IBMS vary significantly, ranging from physical access to a field-level device to a highly technical remote cyberattack. Unauthorized access to an automation level controller may allow an attacker to manipulate local control of field devices or launch a cyberattack on the automation network. This attack may allow the actor to map out how the building is used, alter the automation and control programs to unlock doors and isolate alarms, and further access the network covertly.</p><p>Though IBMS attacks are rarely publicly disclosed, there are a number of notable examples. The Target breach of 2013, for instance, compromised more than 41 million payment card users when a hacker stole an internal network access credential from a third-party HVAC maintainer. In Finland, a denial of service attack on a company's network shut down the heating in two buildings. Popular hacker search engines, such as Shodan, publish a list of IBMS vulnerabilities that can be easily accessed. </p><p>Failure to understand and properly respond to IBMS vulnerabilities will result in exposure to security risks. Because of their abstract nature and the fact that they are often presented in a highly technical manner, IBMS vulnerabilities can be difficult for practitioners to understand and mitigate.</p><h4>Project Findings</h4><p>While IBMS include security functionality, most IBMS are managed and operated by facility managers rather than security professionals. However, these facility operators tend to focus more on broad organizational functions and cost management, and less on security, making it pertinent that security professionals pay close attention to these vulnerabilities. </p><p>The project found that the body of IBMS security knowledge is spread across a diverse array of literature. To date, there is no single source document that security professionals can use to understand the significance of this security concern or guide their threat mitigation. </p><p>Furthermore, the project identified several important issues in the security of IBMS: professional responsibility and the siloed effect, awareness and understanding of vulnerabilities, who the IBMS security experts are, the integration of security systems, and the lack of a common language in the security of IBMS.</p><p><strong>Responsibility. </strong>The research found that facility professionals manage and operate IBMS, with 36 percent of participating building owners and operators indicating they have such a responsibility.</p><p>In contrast, security professionals predominately manage and operate the functional elements of the security systems, and information technology professionals manage and operate the technical elements of networked systems, including the broader IBMS architecture. Nevertheless, each profession generally focuses only on their areas of practice, resulting in silos of responsibilities.</p><p><strong>Awareness.</strong> The project also found a significant disconnect between security and facility professionals' understanding of IBMS threats and risks and their technical knowledge of vulnerability significance. Although 75 percent of the security and facility professionals responded that they had an awareness of IBMS architecture—and half of these participants featured IBMS risks in their risk management documentation—the majority displayed a limited understanding of IBMS technology and vulnerabilities.</p><p>Both security and facility professionals rated the criticality of IBMS vulnerabilities as relatively equal in criticality. Such findings support the assumption that many professionals lack technical understanding of IBMS vulnerabilities.</p><p><strong>Expertise.</strong> Within the project, an expert IBMS technical security group emerged. Integrators—vendors, installers, or maintainers—and cybersecurity professionals displayed a more accurate understanding of IBMS vulnerabilities and their organizational significance. This group rated attacks against the automation level equipment and its network at a higher criticality. Such attacks include manual override of the controller, automation network traffic monitoring, and unauthorized access to a workstation.</p><p>Unlike the security and facility professionals, who rated vulnerabilities at about the same level, the expert group identified a significant difference between the most and least critical vulnerabilities. This demonstrates that they hold a higher level of technical comprehension that can be leveraged by organizations to achieve more robust IBMS security.</p><p>However, many integrators provide service and maintenance, rather than best-practice operational and security advice. Participants noted that advice given by integrators may be viewed as an attempt to sell their products and services, and they may not be recognized as a strategic partner providing high-level IBMS security advice.</p><p>Effective management of the security of IBMS requires that integrators or cybersecurity professionals work with the facilities and security departments. These professionals could be in-house information technology or cybersecurity professionals, or third-party contractors such as integrators.</p><p>Half of the project's participants reported that IBMS integrated into their security systems, which can put these systems at increased risk. The type of security systems used varied widely among respondents. The study also showed a discrepancy between security and facility professionals' understanding of security risks and jurisdictional responsibilities. </p><p><strong>Language.</strong> The project found that the IBMS term "integration" is not widely understood and remains broad and undefined, with various interpretations of meaning depending on a person's occupational role. </p><p>Consequently, there is a lack of understanding and clarity of language with IBMS terms and practices. Differences in the security and facility professionals' idea of what integration means shows a cultural difference between the perspectives of IBMS. This discrepancy of language can result in a failure to address vulnerabilities to system integrity.</p><h4>The IBMS Guidance</h4><p>To overcome the security obstacles to IBMS, the project developed a guidance document, Intelligent Building Management Systems: Guidance for Protecting Organizations. This document provides a first-generation publication for all relevant professionals to address the many and changing IBMS threats and risks, as well as the organization's ability to maintain occupancy and operations. The guidance will not only aid decision making in IBMS protection, but will help to develop a common language between IBMS stakeholders.</p><p>The guidance directs the reader to identify the organization's criticality, or impact level, if exposed to an IBMS-related event. Criticalities are ranked, using a matrix, across one or many categories such as operations, finance, safety, regulatory, information, or occupancy. </p><p><strong>Security questions. </strong>Following are hierarchical, criticality-based IBMS security questions that are addressed. These security questions are divided into five levels of criticality that align to the criticality matrix, from low to critical. Responding to these questions facilitates either demonstrated compliance or the need to ask relevant professionals further questions.</p><p>The security questions are divided into subsections, comprising management, security risk management, personnel security, physical security, cybersecurity, incident response, continuity planning, and maintenance. A typical low level 1 security question is "Do you have a written and endorsed Security Policy?" In contrast, a critical level 5 security question asks "Do you undertake a IBMS specific threat assessment?" In all, there are 136 security questions, divided into impact levels from low to critical.</p><p><strong>Looking ahead.</strong> Intelligent building management systems are becoming embedded into new buildings for many reasons, including the drive for greater operational efficiency and the need to meet increasing regulation. All building devices and equipment are likely to be converged with IBMS at some level of automation, including security systems.</p><p>For security professionals to have an awareness and be relevant in the modern organization, they must possess a professional level of IBMS understanding. To raise awareness and provide guidance, Intelligent Building Management Systems: Guidance for Protecting Organizations provides both the security and facility professional with the aggregated information they need to address IBMS threats and risks. Familiarizing themselves with the results of the research project will help security practitioners work alongside other personnel to provide effective security to their facilities.</p><h4>SIDEBAR: ASIS INTERNATIONAL FOUNDATION IBMS REPORT RECOMMENDATIONS</h4><p> Across the security and facility professions, the ASIS International Foundation research project identified several key recommendations:</p><p><strong>Gain a better general awareness of your IBMS and its vulnerabilities.</strong> This awareness does not have to be a highly technical cybersecurity understanding; rather, a broad understanding of what your IBMS does, and its function in the business and physical locations. Many of the vulnerabilities are physical or procedural, in which general security strategies will provide a suitable level of protection.</p><p><strong>Form an IBMS security working group from across the organization's stakeholders. </strong>This group will help to break down the siloed approach of IBMS and improve cross-department cooperation with membership from security, cybersecurity, facilities, engineering, and other relevant stakeholders.</p><p><strong>Audit your building's IBMS.</strong> Know where the physical IBMS devices, such as controllers and communication networks, are located and their level of protection.</p><p><strong>Ensure that IBMS is included in your security risk management documentation.</strong> For example, are the IBMS listed as critical components in the documentation? How do they help in incident response, and what happens to your security systems when IBMS fail?</p><p><strong>Build a working partnership with IBMS experts</strong>, especially with information technology and cybersecurity professionals, as well as IBMS integrators. These professionals may be in-house or third-party contractors but should have an understanding of the security issues with IBMS.</p><p><strong>Obtain a copy of<em> Intelligent Building Management Systems: Guidance for Protecting Organizations</em>. </strong>This guidance will provide you with a tool to rate your building and a list of security questions you can use to start addressing your IBMS security. The guide provides a first-generation document for all professions to address the many and changing threats and risks to IBMS and its organization.</p><p><em><strong>Dave Brooks,</strong> PhD, MSc, BSc is the post graduate security science coordinator at Edith Cowan University in Western Australia. He is the ASIS International Western Australia Chapter 226 treasurer and member of the chapter's executive committee. <strong>Michael Coole, </strong>PhD, MSc, BSc is the security science course coordinator at Edith Cowan University in Western Australia. He is a member of the ASIS International Foundation Research Council.</em></p> | | |
| https://sm.asisonline.org/Pages/October-2018-Legal-Report.aspx | October 2018 Legal Report | GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <h4>Judicial Decisions</h4><p><strong>HARASSMENT.</strong> Employees who do not report sexual harassment at work due to fear of retaliation may still sue their employer, a U.S. federal appeals court ruled.</p><p>Sheri Minarsky was a part-time secretary at the Susquehanna County (Pennsylvania) Department of Veterans Affairs and had a daughter who had cancer. On Fridays, she worked for Director Thomas Yadlosky in an area of the office separated from other county employees.</p><p>In court documents, Minarsky said that Yadlosky began to sexually harass her shortly after the two began working together, including attempting to kiss her, approaching her from behind and embracing her, massaging her shoulders, and touching her face.</p><p>Yadlosky also allegedly questioned Minarsky about where she went during her lunch break and who she ate with, called her at home to ask her personal questions and became hostile if she did not answer the phone, and sent sexually explicit emails to her using the county's email system. </p><p> Minarsky said she told Yadlosky to stop the harassment when it first began, but he persisted. </p><p>Minarsky claimed that "Yadlosky knew that her young daughter was ill and thus knew Minarsky depended on her employment to pay medical bills," according to court documents. "She states that she feared speaking up to him in any context, let alone to protest his harassment, because he would react and sometimes become 'nasty.'"</p><p>Yadlosky's supervisor, Chief County Clerk Sylvia Beamer, became aware of his similar behavior towards two other women and verbally reprimanded him. The county commissioner also observed Yadlosky embracing a female employee and admonished him. However, there was no further action taken and neither Beamer nor the commissioner reported Yadlosky's behavior.</p><p>Minarsky later became aware of the reprimands from a fellow coworker and learned that other women had had similar encounters with Yadlosky. She did not report Yadlosky, per county policy, because he had told her not to trust the county commissioners and that they might terminate her position.</p><p>"These warnings, Minarsky contends, along with the fact that Yadlosky had been reprimanded unsuccessfully for his inappropriate advances toward others, prevented her from reporting Yadlosky," according to court documents.</p><p>Minarsky told her doctor about the harassment in April 2013. The doctor advised her to email Yadlosky about his conduct. She emailed Yadlosky on July 10, 2013, writing that his behavior made her uncomfortable and that she would like him to stop because she did not want to report him.</p><p>Yadlosky responded to the email, saying he was unaware his conduct bothered her, he would change his behavior, and that he was disturbed that she felt the need to email him instead of talking about it in person. Yadlosky also confronted Minarsky in the office about the email.</p><p>Minarsky confided in a friend and coworker about the incident. The coworker's supervisor overheard the conversation and reported Yadlosky to Beamer, who interviewed Minarsky about Yadlosky's conduct.</p><p>Beamer then interviewed Yadlosky—who admitted to the allegations and was put on paid administrative leave. He was later fired. Minarsky quit her part-time position a few years later, alleging she was uncomfortable remaining on staff because her workload increased, and her new supervisor routinely asked her who else she had caused to be fired.</p><p>Minarsky then filed suit against Susquehanna County and Yadlosky, claiming gender discrimination, sexual harassment through a hostile work environment, and quid pro quo sexual harassment—violations of Title VII of the Civil Rights Act; gender discrimination under the Pennsylvania Human Relations Act; and negligent hiring and retention under Pennsylvania state law. </p><p>A district court said the county acted reasonably, and that Minarsky's failure to report the harassment was "unreasonable" and was not "sufficient to excuse her failure to report," according to court documents. The lower court dismissed her case.</p><p>Minarsky appealed, and her case reached the U.S. Court of Appeals for the Third Circuit. It determined that there was enough dispute in material fact as to whether the county's sexual harassment policy was in place and effective that a jury should determine if the county "exercised reasonable care to prevent and correct promptly any sexually harassing behavior."</p><p>The appellate court also explained that considering the #MeToo movement, a jury could find that Minarsky did not act unreasonably in choosing not to report Yadlosky.</p><p>"…there may be a certain fallacy that underlies the notion that reporting sexual misconduct will end it," the court explained. "Victims do not always view it in this way. Instead, they anticipate negative consequences or fear that the harassers will face no reprimand; thus, more often than not, victims choose not to report the harassment." (Minarsky v. Susquehanna County, U.S. Court of Appeals for the Third Circuit, No. 17-2646, 2018) </p><p><strong>HATE CRIME.</strong> A U.S. federal jury convicted a man of a hate crime for burning a mosque in Victoria, Texas, in 2017.</p><p>Marq Vincent Perez, 26, was found guilty of a hate crime for burning the Victoria Islamic Center on January 28, 2017, and guilty of using fire to commit a felony. He was also convicted for having an unregistered destructive device used in a prior incident.</p><p>"Hate crimes are not only an attack on a specific victim, they threaten the cornerstone of diversity that America was built upon," said FBI Special Agent in Charge Perrye K. Turner in a statement on the conviction. "Perpetrators of hate crimes, like Perez, aim to chip away at our nation's foundations by instilling fear into entire communities with violence."</p><p>Court testimony revealed that Perez planned the event by doing reconnaissance of the mosque before January 28. Items from the mosque were also found at Perez's home, which were traced back to two prior burglaries.</p><p>Perez faces up to 20 years in federal prison for the hate crime conviction, up to 10 years in prison for possessing an unregistered destructive device, and a minimum of 10 years in prison for using fire to commit a felony. (U.S. v. Perez, U.S. District Court for the Southern District of Texas Corpus Christi Division, No. 4:17-165, 2018)</p><h4>Regulations</h4><p><strong>DATA TRANSFER. </strong>Japan and the European Union (EU) signed an agreement to allow data to flow between the two entities in the spirit of EU privacy standards. </p><p>As part of the agreement, Japan will implement several safeguards, including creating rules to provide EU individuals whose data is transferred to Japan with safeguards to strengthen the protection of sensitive data, conditions under which Japan can transfer that data to a third country, and individual rights to access and rectification to data. </p><p>Japan must also create a "complaint-handling mechanism to investigate and resolve complaints from Europeans" about their data, according to the European Commission.</p><p>"Data is the fuel of global economy and this agreement will allow for data to travel safely between us to the benefit of both our citizens and our economies," said Věra Jourová, EU commissioner for justice, consumers, and gender equality, in a statement. "At the same time, we reaffirm our commitment to shared values concerning the protection of personal data. This is why I am fully confident that by working together, we can shape the global standards for data protection and show common leadership in this important area."</p><h4>Legislation</h4><p><strong>SURVEILLANCE</strong></p><p>The U.S. House of Representatives passed legislation designed to protect diplomats from surveillance by consumer devices.</p><p>The bill (H.R. 4989) directs the U.S. Department of State to create a policy on the use of location-tracking devices at U.S. diplomatic and consular facilities. Government employees, staff, contractors, and members of other agencies working at those facilities would be subject to the policy.</p><p>The legislation was introduced in response to revelations that a fitness app used by U.S. military personnel revealed sensitive information about base locations and troop movements.</p><p>"Given press reporting about the risk posed by fitness location-tracking devices, we must evolve the ways in which we protect our diplomats to new and evolving technologies," said U.S. Representatives Joaquin Castro (D-TX) and Michael McCaul (R-TX), chair of the House Homeland Security Committee, and cosponsors of the bill. "As lawmakers, we must continue accounting for evolving technology that poses new threats, so we can protect those who risk their lives to serve our nation."</p><p>The bill now moves to the U.S. Senate Committee on Foreign Relations for consideration.</p><p><strong>INCARCERATION.</strong> California Governor Edmund G. Brown, Jr., signed legislation into law that abolishes the state's system of collecting bail from suspects awaiting trial.</p><p>Under the California Money Bail Reform Act (formerly S.B. 10), a new system will be created to determine whether defendants should be held in custody while awaiting trial. This decision will be made using an algorithm that assesses the defendant's risk to public safety and probability of missing his or her court date. </p><p>Defendants charged with misdemeanor crimes will be booked and released without undergoing a risk assessment, except for under certain circumstances. Victims of crimes must also be notified and given an opportunity to be heard on the defendant's custody status. "Our path to a more just criminal justice system is not complete, but today it made a transformational shift away from valuing private wealth and toward protecting public safety," said California Senator Robert Hertzberg, one of the bill's authors, in a statement on its signing.</p><h4>Elsewhere in the Courts</h4><p><strong>Hacking.</strong></p><p>The U.S. Department of Justice (DOJ) charged 12 Russian nationals for allegedly acting to interfere with the 2016 U.S. presidential election. The nationals—all members of a Russian Federation intelligence agency—were charged on 11 counts, including criminal conspiracy to commit an offense against the United States through cyber operations, aggravated identity theft to commit computer fraud, and conspiracy to attempt to hack into the computers of state boards of elections, secretaries of state, and U.S. companies that supplied technology to administer elections. (U<em>.S. v. Netyksho,</em> U.S. District Court for the District of Columbia, No. 18, 2, 371, 1030, 1028A, 1956, and 3551, 2018).</p><p><strong>Spying.</strong><strong> </strong></p><p>The U.S. Department of Justice (DOJ) unsealed allegations against Maria Butina, 29, a Russian citizen living in Washington, D.C., charging her with conspiracy to act as an agent of the Russian Federation in the United States without notifying the U.S. attorney general. The DOJ claims that Butina developed relationships with Americans and infiltrated influential organizations, such as the National Rifle Association, to advance Russian interests. (<em>U.S. v. Butina,</em> U.S. District Court for the District of Columbia, No. 18:18-cr-00218-TSC, 2018).</p><p><strong>Discrimination. </strong></p><p>Estée Lauder will pay $1.1 million and other relief to settle charges of sex discrimination against male employees. The U.S. Equal Employment Opportunity Commission (EEOC) alleged that the company provided less paid leave to male employees who were new fathers than female employees who were new mothers. "The EEOC also alleged that the company unlawfully denied new fathers return-to-work benefits provided to new mothers, such as temporary modified work schedules, to ease the transition to work after the arrival of a new child and exhaustion of paid parental leave," according to the EEOC. (<em>EEOC v. Estée Lauder,</em> U.S. District Court for the Eastern District of Pennsylvania, No. 2:17-cv-03897-JP, 2018).</p> | | |
| https://sm.asisonline.org/Pages/Cybersecurity-and-Infrastructure.aspx | Q&A: Cybersecurity and Infrastructure | GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>Jeanette Manfra serves as the U.S. Department of Homeland Security’s National Protection and Programs Directorate (NPPD) Assistant Secretary for the Office of Cybersecurity and Communications.</p><p><em>Q. What is NPPD's role in protecting the nation's cybersecurity infrastructure?</em></p><p><strong>A. </strong>We see ourselves as the national risk manager. It's not that we own all the risk or have the ability to unilaterally take actions to reduce that risk, but we are the organization that sits in the center between the intelligence community, U.S. Department of Defense, and law enforcement, and the threat side—federal networks, critical infrastructure, and all of our partners in the private sector—to understand what risk looks like for them and for the nation. We identify what risk looks like in coordination with our partners and what actions we can take, whether that's government actions or industry actions or collective actions to reduce that risk. Though NPPD's role won't change, legislation has been introduced to change our name from NPPD to the Cybersecurity Infrastructure Security Agency. This change is designed to help people understand what we do.</p><p><em>Q. How does cybersecurty affect the physical infrastructure of the country?</em></p><p><strong>A.</strong> The more dependent the delivery of those critical services becomes on technology and connectivity of networks, the more the attack surface increases. Risk can no longer be thought of as belonging to an individual organization. Previously, an organization could have a pretty full understanding of what its individual risk was and take steps to manage that risk. Now you're in a position where there's shared risk across the country. It's a different way we have to think about risk.</p><p><em><strong>Q. </strong>What are some examples of cybersecurity threats you're seeing? </em></p><p><strong>A. </strong>The things I am most concerned about revolve around critical services and functions. An adversary can disrupt those, whether by creating a situation where we're not able to trust the data, or by remotely manipulating something physical. Those are not theoretical threats. The department has spent the last several months raising awareness on what nation-states are attempting to do, but the good news is that the electric sector has a lot of resilience built into the industry to recover power quickly during an outage, and that can be applicable for a cyber situation—you don't always need a cyber solution for a cyber problem. </p><p><em><strong>Q. </strong>What's in store for NPPD in the coming months?</em></p><p><strong>A. </strong>We just announced the national risk management center, which will address all types of national risk and how we manage that risk collectively. Cybersecurity will be a big part of that. We're also very focused on workforce. By incorporating cybersecurity in curriculums and truly investing in teaching people about the security side of these technologies, we're not only raising a generation of individuals who understand how to be safer digital citizens, but we can recruit some of them to be professionals. </p> | | |