Security Management Magazine Cover
​Beginning December 2016, Security Management will also be available as a PDF. View ​Issues available for Download

 August 2018 to Implement ESRM2018-08-01T04:00:00Z<p>​International Paper (IP) is one of the world's leading producers of fiber-based packaging, pulp, and paper. Headquartered in Memphis, Tennessee, IP employs approximately 52,000 people worldwide and has operations in more than 24 countries serving customers around the globe. </p><h4>The Challenge</h4><p>When IP's director of security announced his retirement, the IP team—Deon Vaughan, vice president, deputy general counsel, chief ethics and compliance officer; Casey Yanero, HR manager, corporate staff groups; and Jennifer Carsley, director, legal operations—recognized it was time to transform corporate security to an enterprise level function.  </p><p>The ever-changing threat landscape and IP's core values of "Safety, Ethics and Stewardship" underscored the need for IP to transition to a proactive security posture. To lead this transition, IP hired Art Fierro, CPP, in February 2017 to fill the newly created chief security officer (CSO) role.</p><h4>ESRM Solution</h4><p>Enterprise security risk management (ESRM) links security activities to an enterprise's mission and business goals through risk management methods. </p><p>The CSO's role in ESRM is to manage risks to enterprise people and assets in partnership with the business leaders. ESRM involves collaborating with business leaders on the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, and then implementing the strategy in line with accepted levels of business risk tolerance.</p><p>Fierro's background is rooted in ESRM in both the government (FBI) and the corporate space. To move IP from a traditional security organization to an ESRM enterprise model, Fierro conducted an extensive security analysis to identify where the organization excelled and where the data showed opportunities for improvement.  </p><p>The analysis included conversations across business groups and corporate partners. It served as the foundation for IP's ESRM strategy and helped create its vision statement: "To protect IP people, information, products, and the corporate brand in support of business objectives and enterprise success."</p><p>IP's new enterprise security strategy is grounded in the principles of security mitigation steps based on risk and using cost-benefit analysis to ensure a return on security investment. The strategy also aligned with IP business operations and is designed to help achieve business objectives—meaning security would not just be a cost center but also a business enabler.</p><h4>Partnerships</h4><p>Sharon Ryan, senior vice president, general counsel, and corporate secretary, embraced ESRM as IP's new enterprise security strategy, because the strategy was aligned with IP's core values and business strategy.  </p><p>"We recognize that by adopting the latest risk management strategies in enterprise security and bringing on experienced security professionals, not only are we helping protect our people and property, we are also reducing the risk of negative exposure related to our brand and reputation," she says. </p><p>Ryan supported the strategy by rebranding IP Corporate Security to Enterprise Security Management and creating three new positions reporting to Fierro and designed to address IP's enterprise risks: global threat manager, global physical security manager, and global investigations manager. The three functional roles cover the spectrum of enterprise risk and each has a deployment roadmap, which ties into the larger Enterprise Security Management global strategy.</p><p>Vaughan also supported the effort by endorsing a campaign for Enterprise Security Management to build partnerships across business lines, such as IP's Environmental Health and Safety (EHS) department, and to partner on initiatives to protect IP's employees—one of Enterprise Security Management's strategic objectives.</p><h4>Outcomes</h4><p> With the endorsement of ESRM at the leadership level, Fierro was able to work with partners to create a risk-based security program to focus security resources on identified risks. The program also provides the operating manual for vulnerability and risk assessments, so IP can make informed business decisions about its risk tolerance.</p><p>Enterprise Security Management created a new concept, a virtual operations center, which produces a global threat picture that helps it identify and address emerging global threats to IP employees and facilities. The virtual operations center is outsourced to leverage economies of scale, leading edge technology, and professional threat analysts and operators, while providing an excellent return on security spend.</p><p>Over the past year, Enterprise Security Management focused on a number of strategic initiatives. One is the geospatial traveler-tracking program for IP's traveling employees. </p><p>The program provides real-time mobile device GPS monitoring, on a voluntary basis, with a panic button for emergencies. The program is monitored  at all times by the virtual operations center.  </p><p>Another initiative is the corporate campus security capital improvement project. Enterprise Security Management is leading a security improvement project for IP's corporate headquarters based on ASIS International physical security standards and guidelines, as well as geographic risk demographics and the return on security spend. </p><p>Enterprise Security Management also launched its first national security guard force contract to consolidate and standardize guard force operations across certain U.S.-based facilities. The consolidated operations agreement helps ensure consistency and reduce cost.  </p><p>Enterprise Security Management is also working with EHS to add a security aspect to the current field assessment process to identify actual risk at IP's global locations. Assessment results will be used to develop security recommendations, including leveraging security technology.      </p><p>Additionally, Enterprise Security Management created a new active shooter response training program for employees. The training included Virginia Tech shooting survivor Kristina Anderson, who shared a survivor's perspective, as well as the Memphis Police Department, which provided training for employees on Run. Hide. Fight. The active shooter plan is also available on IP's internal website for employees to reference.</p><p>Working across business groups and with critical internal partners, Enterprise Security Management developed new crisis communications reporting, dissemination, and functional requirements that include mass communications features for a unified enterprise response to manmade or natural disasters.  </p><p><em><strong>Art Fierro, CPP,</strong> is CSO at International Paper. He formerly served as CEO of Ronin Option - Cyber; executive vice president at Resilient Integrated Systems; and vice president at 20th Century Fox Film Corporation. He is a member of ASIS International. ​</em></p> Goals: Past DueGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​On May 15, 2018, the U.S. Department of Homeland Security (DHS) released its cybersecurity strategy for the next five years.</p><p>"The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," said DHS Secretary Kirstjen Nielsen in a statement on the strategy's release. "Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself."</p><p>Between 2006 and 2015, the number of cyber incidents on U.S. federal government systems that were reported to DHS increased more than tenfold—including the massive Office of Personnel Management breach that compromised the records of more than 4 million U.S. federal employees and affected 22 million people.</p><p>"The growing interconnection of cyber and physical systems within critical infrastructure also creates the potential risk for malicious cyber activity to result in direct physical consequences," according to DHS. "For example, the December 2015 overriding of controls in the Ukrainian electric grid resulted in widespread loss of power."</p><p>More recent incidents, such as WannaCry and NotPetya, have also demonstrated the threat of using the Internet of Things to conduct cyberattacks with far-reaching consequences.</p><p>Because of this, Nielsen said DHS is "rethinking its approach" to cybersecurity to confront systemic risks by issuing its strategy guide. The guide was a requirement under the National Defense Authorization Act of 2017 and lays out a five-part approach to manage national cyber risk: identifying risk, reducing vulnerability, reducing threat, mitigating consequences, and enabling cybersecurity outcomes.</p><p>"Through our efforts to accomplish seven identified goals across these five pillars, we work to ensure the availability of critical national functions and to foster efficiency, innovation, trustworthy communication, and economic prosperity in ways consistent with our national values and that protect privacy and civil liberties," DHS said.</p><p>To understand the cybersecurity landscape and its risks, and address vulnerabilities, threats, and consequences of DHS's cybersecurity activities, the department must first be able to identify risks. </p><p>The department's first goal in this pillar of its strategy is to assess cybersecurity risks so it understands the "evolving national cybersecurity risk posture to inform and prioritize risk management activities," according to the strategy.</p><p>To do this, DHS said it plans to work with stakeholders—sector-specific agencies, nonfederal cybersecurity firms, and others—to understand trends in threats, vulnerabilities, interdependencies, and potential consequences so the department can prioritize its activities and budget accordingly.</p><p>"DHS must also take stock of gaps in national analytic capabilities and risk management efforts to ensure a robust understanding of the effectiveness of cybersecurity efforts," the strategy explained. "We must anticipate the changes that future technological innovation will bring, ensure long-term preparedness, and prevent a 'failure of imagination.'"</p><p>As part of this goal, DHS has set specific objectives, including identifying evolving cybersecurity risks that affect economic security, public health, and national security; identifying and creating plans to address gaps in analytic capabilities; and developing plans and scenarios for future technology deployments that could be disruptive.</p><p>Another pillar of DHS's strategy is to reduce the vulnerability of U.S. federal agencies across the board. </p><p>"DHS leads the effort to secure the federal enterprise and must use all available mechanisms to ensure that every agency maintains an adequate level of cybersecurity, commensurate with its own risks and with those of the larger enterprise," according to the strategy.</p><p>To assist the rest of the U.S. federal government, DHS will work with the Office of Management and Budget (OMB) to address systemic risks and interdependencies between agencies. </p><p>"DHS must also support agency efforts to reduce their vulnerabilities to cyber threats by providing tailored capabilities, tools, and services to protect legacy systems, as well as cloud and shared infrastructure," the strategy explained. "Within its own systems, DHS must continue to adopt new technologies and serve as a model for other agencies in the implementation of cybersecurity best practices."</p><p>As part of this pillar, DHS laid out sub-objectives to more clearly define how it will achieve this goal. These include developing and implementing a clear governance model for U.S. federal cybersecurity; issuing new or revised policies and recommendations to ensure adequate cybersecurity across the enterprise; and providing agencies with integrated and operationally relevant information necessary to understand and manage their cyber risk.</p><p>One example of this in action prior to the release of the strategy was DHS's binding operational directive 18-01, which required U.S. federal agencies to increase their email and Web security. Specifically, DHS mandated that agencies implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) for their email systems. (See "Spoofing the CEO," Security Management, October 2016.)</p><p>Another goal of this pillar of the strategy is to protect critical infrastructure by partnering with stakeholders to ensure national cybersecurity risks are managed. This partnership is key because a majority of the critical infrastructure in the United States is owned and operated by the private sector.</p><p>"DHS must partner with key stakeholders, including sector specific agencies and the private sector, to drive better cybersecurity by promoting the development and adoption of best practices and international standards, by providing services like risk assessments and other technical offerings, and by improving engagement efforts to advance cybersecurity risk management efforts," the strategy stated. </p><p>An example of this in action was DHS's response to the 2017 WannaCry ransomware attack. During the attack, DHS's National Protection and Programs Directorate partnered with other agencies and the private sector to help U.S. hospitals—a major target of WannaCry—ensure their systems were not vulnerable to the malware. It also released an unclassified technical alert to help defenders defeat the malware and prevent is spread.</p><p>In addition to reducing vulnerability, DHS's strategy also outlines a goal to reduce threats in cyberspace overall. </p><p>"In partnership with other law enforcement agencies, DHS must prevent cyber crime and disrupt criminals and criminal organizations who use cyberspace to carry out their illicit activities and leverage identified threat activity and trends to inform national risk management efforts," the strategy explained.</p><p>To do this, DHS will create investigative priorities related to illicit cyber activity, identify and conduct high-impact investigations of cybercrimes by transnational criminal organizations, disrupt online marketplaces for malicious cyber activity, and develop options to disrupt, counter, and deter transnational criminal organizations.</p><p>The final portions of the DHS strategy are to mitigate consequences and enable cybersecurity outcomes. </p><p>With the rise of cybercrime and illicit cyberactivity, DHS must have a role in limiting the impact of significant cyber incidents, the department said. </p><p>"Many cyber incidents do not require a national response," the strategy explained. "But when they do, DHS plays a unique role in responding to cyber incidents to mitigate potential consequences by providing technical assistance to affected entities and other assets that are at risk and investigating the underlying crimes."</p><p>DHS took this role, for example, in July 2017 when the U.S. Secret Service—part of DHS—worked with international law enforcement to arrest a Russian national who allegedly operated BTC-e.</p><p>"From 2011 to 2017, BTC-e is alleged with facilitating over $4 billion worth of Bitcoin transactions worldwide for cyber criminals engaging in computer hacking, identity theft, ransomware, public corruption, and narcotics distribution," DHS said. "Researchers estimate approximately 95 percent of ransomware payments were laundered through BTC-e."</p><p>While the strategy is an important framework for the U.S. federal government, it has been met with criticism. </p><p>Ray DeMeo, chief operating officer of Virsec, says the DHS strategy is high-level and is missing an implementation plan.</p><p>"One of the document's guiding principles is to foster innovation and agility—this is a big ask, where existing time horizons must be reduced from years down to months," DeMeo says. "We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happening daily, if we are going to change the asymmetric nature of today's threat landscape."</p><p>DeMeo also says he will be looking for more information from DHS—a department with a domestic mandate—about how it intends to address cybersecurity globally.</p><p>"The reality is that a large portion of Internet crime is driven from the international Wild West, from areas with lax law enforcement or actional nation-state sponsorship," he explains. "This problem is as much diplomatic as it is technological."</p><p>Two of the most vocal critics have been U.S. Representative Bennie G. Thompson (D-MS), ranking member of the House Homeland Security Committee, and U.S. Representative Cedric L. Richmond (D-LA), ranking member of the Cybersecurity and Infrastructure Protection Subcommittee and author of the legislation that originally mandated the strategy.</p><p>In a joint statement, Thompson and Richmond said the strategy is overly focused on policies and procedures that DHS needs to develop further. </p><p>"It also fails to mention—at any point—one of the most pressing cybersecurity challenges of the moment: election security," they said. "The fact is, because of the department's failure to adhere to the statutorily-mandated deadline, it lost time and missed opportunities to make progress maturing its cybersecurity posture and capabilities."</p><p>The congressmen added that they hoped to see more information about how DHS plans to implement its strategy in another report, which is due to Congress by August 15, 2018.</p><p>"In particular, we expect it will provide greater detail on the roles and responsibilities that components will undertake, a description of any new authorities it needs to fulfill its mission to secure federal networks, as well as an explanation of what resources the department will need," Thompson and Richmond said.</p><p>As of <em>Security Management</em>'s press time, DHS had not submitted an implementation plan to Congress. ​</p> in for SafetyGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A penny can go a long way. This concept that many small contributions add up to a big sum was the inspiration for a one-cent sales tax in Georgia, known as the Education Special Purpose Local Option Sales Tax (ESPLOST).</p><p>The public funding effort has helped further an environment of safety and security at local schools, says Mike Sholl, director of operations for the Catoosa County Public Schools.</p><p>Catoosa County Public Schools, made up of 17 elementary, middle, and high schools, plus a performance learning center, is currently in the fifth phase of the ESPLOST funding. Sholl explains that community members were polled on how they would like to see the public education dollars spent.</p><p>"We have townhall meetings and we do surveys, and the number one priority for parents is the safety of our schools," he tells Security Management. "So when we started ESPLOST V, that led us to implement all the safety initiatives we have." </p><p>Those initiatives include collaborating with local law enforcement to prepare for emergency response, and a variety of technological solutions to support security. "We have door buzzing systems, we've added cameras to our schools, so we've spent a lot of time and money on making our schools as safe as we possibly can," Sholl says.<img src="/ASIS%20SM%20Callout%20Images/0818%20CS%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:550px;" /></p><p>The local sheriff's office works closely with the district. There are plans to add live monitoring capabilities for police, allowing them to view events as they happen via campus cameras and provide dispatch. In addition, the district employs several school resource officers who either work full-time on a campus or divide their time among the schools. </p><p>Among Catoosa County's top concerns is the possibility of an active assailant situation at its schools. It wanted to be able to quickly notify law enforcement and provide teachers and students with the ability to quickly react, all while following policies and procedures. The district knew investing in this type of solution would aid in all types of hazardous situations, including medical emergencies, natural disasters, and other incidents. </p><p>At a regional school safety conference in 2015, Catoosa discovered SIELOX CLASS (crisis lockdown alert status system), a daily incident and crisis reporting tool. The district chose Tiger Creek Elementary, one of its 10 elementary schools, as its test case for the product, and installed it in early 2016.   </p><p>SIELOX CLASS operates via a Web or mobile interface that provides teachers or administrators with several customized options for sending different alerts, so it can be pulled up on any mobile device or computer. A dashboard with customized alerts allows teachers and administrators to perform a variety of tasks. Colored buttons make it easy to distinguish what type of incident is being reported, from a medical alert for the nurse's office to a 911 call in a life-threatening situation.  </p><p>"Our playgrounds are a good distance away from the school building. So—say a child gets injured on the playground, and could break a leg or an arm or hit his head or her head—that teacher can initiate the blue medical alert and get someone on the way out there," Sholl notes.</p><p>Teachers use CLASS daily for their morning check-in to let administrators know that they and their students are in the building. In the event of an incident, a chat box will pop up for all CLASS users where communication can take place. </p><p>"An important part of bringing in SIELOX was communication, and the ability to check-in," says David Beard, principal at Tiger Creek. "Each of the individual classrooms is represented by a different color and a different square, and we know the status of those rooms based on the color system that SIELOX uses." </p><p>CLASS also gives first responders and administrators a clear picture of where students and teachers are at any given moment. "If teachers leave the building or take students off campus, they will use SIELOX CLASS to let us know that they are no longer on the premises," says Braden Moreland, assistant principal at Ringgold Elementary, adding that it would help responders to know that they are not on campus in the event of an emergency. </p><p>The district also tied SIELOX CLASS to its cameras throughout the building, setting up an alert that would notify users of motion detection in a lockdown situation. </p><p>"We decided that we would like to use CLASS to detect motion in the building, so that if we did go into a hard lockdown there would be no traffic in the halls," Beard says. "If everybody else is locked down and out of the building, the sheriff's office has a good idea of where that perpetrator would be." </p><p>The district regularly conducts drills for all types of hazardous scenarios, including its dangerous situation protocol, known as "Run, Hide, Survive." With a panic button on the app, any teacher can initiate a lockdown at the school. </p><p>For enhanced situational awareness, the district incorporated camera views into the lockdown feature of CLASS. "The teacher gets the popup that says 'lockdown' and gets a bullet list of instructions on what to do, as well as two camera views of the hallway outside their classroom," Beard explains. "So, if he or she wants to do the run part of Run, Hide, Survive, he or she can see if there's any danger outside the doorway, and then make that decision to run with the children. So that's another layer we've added with SIELOX, and it works very well." </p><p> The district notes that, thankfully, no lockdown procedure has ever been necessary outside of a drill. However, an accidental activation of the lockdown feature by a receptionist at an elementary school proved the value of the product. </p><p>"She was trying to log out and she accidentally hit the lockdown icon, and of course I immediately received a text and I was on the phone calling the principal," Sholl says. "He went and found out that it was a false alarm, and within two minutes, the sheriff's deputy had pulled into the campus, because he had been notified and dispatched to that school." </p><p>The district plans to have SIELOX CLASS deployed at all 17 schools by the end of the 2017–2018 school year.</p><p>"CLASS provides a very quick response and gets the word out very quickly to lots of people," Sholl says. "The accidental lockdown just proved to us that it's very efficient and works how we want it to work." </p><p><em>For more information: Karen Evans, </em><a href=""><em></em></a><em>, </em><a href=""><em></em></a><em>, 856.861.4568. ​</em></p> Risk ManagementGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Private sector companies are not the only organizations that are embracing enterprise risk management. The U.S. government continues to do so too, albeit slowly. And recently, one U.S. federal agency released new draft guidelines on how risk management principles can be applied to critical infrastructure's information systems.<img src="/ASIS%20SM%20Callout%20Images/0818%20NT%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:289px;" /></p><p>The proposed guidelines come from the U.S. Department of Commerce's National Institute of Standards and Technology (NIST). For the last few years, NIST has worked on refining its Risk Management Framework (RMF), which is aimed at helping organizations integrate information security principles and practices into enterprise risk management programs. </p><p>The RMF includes, among other components, a structured process for valuing organizational assets for selecting, implementing, and assessing security controls; and for monitoring security controls. Government officials say this RMF is especially necessary because threats to U.S. critical infrastructure are outpacing efforts to reduce vulnerabilities. </p><p>"There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure," writes Ron Ross, a NIST computer scientist, in the foreword of the new guidelines.</p><p>The guidelines have seven objectives: strengthen the links between high-level risk management efforts and lower-level operational activities; institutionalize risk management preparatory activities; demonstrate how the RMF can be aligned with NIST's Cybersecurity Framework; integrate privacy concepts into the RMF; promote the development of secure software systems; integrate supply chain risk management principles into the RMF; and provide an alternative approach to selecting security controls. </p><p>In addition, the new guidelines include instructions for tasks that will help prepare organizations to use the RMF for their information systems and programs. These tasks are divided into separate categories—organization level and system level.   </p><p>On the organization level, these tasks include assigning risk management roles to employees, establishing an overall risk management strategy, assessing organization-wide risks, establishing and documenting baselines for stakeholder protection needs, categorizing the comparative impact levels of different information systems, and developing an organization-wide strategy for continuous monitoring. </p><p>On the systems level, the tasks include identifying the business mission that the system supports, identifying stakeholders that have an interest in the system, categorizing the types of information the system uses, conducting a system-level risk assessment, identifying the system's protection and privacy requirements, and registering the system for purposes of management and oversight. </p><p>"Given the significant and ever-increasing danger of the threats, it is imperative that organizations remain vigilant and that leaders and managers at all organizational levels understand their responsibilities and are accountable for protecting organizational assets and for managing security risks," NIST says in the guidelines.</p> Not-So-Easy PiecesGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Alignment is in. Many cities, municipalities, corporations, and school systems are taking steps to align their physical security systems so that security programs across locations will be fully integrated.</p><p>The benefits of such a move are numerous. Uniformity across systems makes it easier for end users, and converged systems are easier to manage from operation centers. Moreover, having only one system makes maintenance and upgrades easier, and this can help provide long-term stability. </p><p>But achieving alignment is no easy feat. Navigating a physical security installation across several facilities can be a difficult undertaking; often, such a project includes wrangling a mish-mash of individual products to get them to function under one cohesive system. Alternatively, some take the approach of completely redesigning the physical security system so that it reflects current best practice design standards. Both paths can be difficult.  </p><p>In addition, the potential pitfalls of attempting a unification project are numerous. What is the installation environment in each facility? Which key players need to be involved at each facility, and at what level of involvement? What type of network infrastructure must be in place to integrate the systems? </p><p>In hopes of avoiding pitfalls, many organizations will hire project managers and consultants to spearhead alignment projects. This type of management, however, is usually complex and unpredictable work. Thus, one of the most useful attributes a security practitioner can have is experience in project management.</p><p>Although there is no one roadmap for successful project completion, and despite all the caveats, most projects can be broken down into five stages. The main purpose of this article is to walk the reader through these stages, which experts sometimes refer to as "process groups." The five process groups are initiating, planning, executing, monitoring and controlling, and closing. For our purposes, the second process, planning, can be considered the design process, and the third process, executing, can be considered the installation process. </p><p>Although these stages will remain consistent, the role and scope of a project manager's responsibilities will change from project to project. And, there may be many project managers on a single project: one for the design team, one representing the owner, one who serves as an installation project manager in the field, and others. Each will have different responsibilities.   </p><p>Primarily, this article is written from the point of view of the project manager who is outside of the org­anization and is hired by an owner to design and manage a project that will be installed by a third-party contractor, either through a public bid or the solicitation of proposals. Typically, this type of manager would be a consultant who works on a project-by-project basis with different teams and organizations, for the procurement and installation of a multi-facility physical security system.</p><p>However, the concepts and best practice guidance offered here could be applied to almost anyone involved with the management or supervision of physical security projects, whether that person is inside or outside the organization.​</p><h4>Initiating</h4><p>As a project kicks off, the act of project management is often the act of discovery. The project may be ill-defined, just a blurry picture of the needs and goals of the project's owner. But an ill-defined project cannot be effectively managed, so it is often the project manager's task to focus the project with the owner into a clear and actionable roadmap.</p><p>For the project manager, one of the main goals of the initiating process is to get up to speed with the requirements, history, and expectations of the project. This includes understanding who the project stakeholders are and determining the project's requirements, constraints, and assumptions.  </p><p>Physical security projects can be sponsored by a range of departments in an organization, including security, facilities, IT, finance, and general management. But these departments may have different levels of familiarity with physical security systems, so the project manager must gain an understanding of how well the owner's team knows physical security. This understanding should then inform the project manager's general approach, including the process of assembling the design team. </p><p>This understanding can be gained during the meetings that take place during the initiating process. For example, the design or project management teams may be akin to experts—they will design and demonstrate how the systems work and function together and explain design best practices. In another project, the design team may merely be documenting the project for an owner who already has a strong grasp and understanding of physical security best practices and the needs of each facility. </p><p>Another key task of the initiating process is to learn the requirements and goals of the project. What is the general scope? What physical protection systems will be affected? Will this be a replacement project, or will it integrate with existing systems? Is there a deadline for installation completion? If grant money is involved, is there a deadline for spending funds? Each answer is part of the roadmap.</p><p>Once the initially hazy picture has come into focus, the project manager may take the next steps. These include developing a rough estimate of how many days will need to be spent in the field documenting existing conditions and systems, and how many designers should be hired to create design documents. Other decisions involve who will sit on the project stakeholder's team, whether the owner will require manufacturer demonstrations, and what a reasonable cost for the project looks like. </p><p>During this stage, the project manager may discover that the existing team of stakeholders is inadequate. In this case, the project manager should try to ensure that all decision makers are included, and that, if applicable, teams not directly associated with security are also represented, or at a minimum made aware of the project. Other stakeholders, for example, could include facility directors, senior management, service providers, IT teams, and grant funding representatives. If the project is for a municipal, city, or public organization, the owner may prefer to involve law enforcement in the early stages and throughout the process.</p><p>By the end of this first stage, all stakeholders should understand their roles within the project, what will be expected of them, and the type of work that will be performed on their systems or the facilities they manage. Accomplishing this early is important. It is never a good idea to inform an IT director of an IP video surveillance project a week before the network electronics are scheduled to be installed.​</p><h4>Design</h4><p>The greatest indicator of a well-executed project is a well-executed design process. The overall objective of this process is to create a complete set of project documents that a third-party contractor or integrator can then use to create a proposal or bid. </p><p>These documents, typically referred to collectively as the project manual, will typically include plan drawings, wiring diagrams, and riser and elevation drawings. They also include specifications explaining the scope, the installation standards, the configurations of various systems, and other pertinent information. Front-end documents in the manual often describe the nature of the project and any general requirements that the bidding contractor must adhere to. </p><p> To create a thorough project manual, it is important for the project manager to assemble a qualified design team. Physical security projects can be derailed by subpar designs that do not consider each facet of each system's requirements. The design team must be able to accurately document the correct configuration requirements among systems; all installation best practices and requirements; the code requirements and testing parameters; and the closeout tasks such as training.</p><p>Once the design team is assembled, the project manager begins the process of creating progressively more detailed designs and reviewing them periodically with the owner. A good guide is to review the design documents at 50 percent completion, 75 percent, 98 percent, and 100 percent. At each review, it should be conveyed to the owner what was refined, changed, omitted, or added from the last review. </p><p>The overall cost and the installation schedule should also be reviewed at those junctures. Most likely, the project will have a specific budget and installation schedule that the design team must adhere to. At each design milestone, the project manager must ensure that the owner understands the budget and schedule. Any major design change should be reviewed with the owner.</p><p>If the project does not have a predetermined budget, the project manager should have a usable estimated cost range after project initiation. At the halfway point, an estimate within a few percentage points of the actual cost should be completed and reviewed with the owner. It is also important the owner understands how any future requests will affect the budget and installation schedule. </p><p>Ideally, the project should leave 10 percent of the total budget in contingency to cover unforeseen costs. For example, for a project with a budget of $1 million, the design team should allocate up to $900,000 and leave $100,000 for contingencies. Aside from this practice, some projects also contain a management contingency designed to cover changes in project scope directed by management. However, this contingency may or may not be shared with the project manager, and it may not be included in the total project budget. </p><p>When it comes time to estimate individual costs, the environment and condition of existing facilities should be kept in mind. Areas likely to add surprise costs to the project should be reviewed. Take ceilings, for example. If the facility has open ceilings, will the low-voltage cabling need to be run in conduit? If so, how much cost will that add? Or, consider data closets. Is there adequate wall space to mount patch panels, switches, and servers? Is there wall space to mount security panels? Other areas that should be reviewed for cost impact include power requirements, configuration fees for integrating systems, and software fees for updating out-of-date systems, among other items.</p><p>Taken together, the overall goal of the planning and design process is to create a project manual that is fair to both the owner's needs for attaining the project goals, as well as the contractor's needs to correctly price the project. </p><p>Many potential headaches that could occur during the installation process can be mitigated by giving the contractor a realistic schedule for procurement and installation of the systems, and by ensuring that the project comes in at or under budget. This is done by informing the owner early and often of the realistic requirements that the scope of the project will require. All cost-saving measures should be considered during the design process when at all possible.</p><p>Throughout the design process, the project manager and design team should constantly ask themselves, "If I were a contractor, would I be able to properly price this project based on the project manual documents without adding change orders in the field?" Many projects are soured by an incomplete project manual that puts the contractor in the disadvantaged position of having to constantly submit change orders to correct their fee. ​</p><h4>Executing</h4><p>If the goals of the planning process were accomplished—including properly and completely documenting the physical security systems, their installation requirements, and all responsibilities required by the installation contractor—then the executing process should run relatively smoothly.</p><p>During the executing process, the contractor who was awarded the project proceeds with installing and testing the systems. Sometimes the project manager and design team stay on to manage the schedule and invoices, review the installation and test results, and generally ensure that that the project is being installed to the quality standards documented in the project manual on behalf of the owner. </p><p>The relationships among designers, consultants, project managers, and contractors should be built on teamwork and based on the shared goal of providing the owner with a well-executed project and physical security system. The best projects are those where a mutual respect and a spirit of genuine collaboration are exhibited by all parties and where the project manager has the best interest of all parties in mind.</p><p> Although, careful initial documentation of exactly what is expected of the installation will help avoid oversights and miscommunications, it is still prudent, and often mandatory, for the project manager to review and approve the work being completed. During this process, the manager's best strategy for ensuring that the project is executed well is to stay vigilant in correcting all possible holdups.</p><p>If the overall budget fails to capture all installation costs, change orders can occur during the installation process, after the project has been awarded to a contractor. A change order is a claim to a change in scope that usually comes with an associated cost. It is used by the contractor to seek fees for the change. Change orders can be owner directed or project directed, and they can be legitimate or illegitimate. </p><p>Here's an example of a legitimate, owner-directed change order. After a project manual went out to bid and the project was awarded to a contractor, the owner requested to add access control hardware to a door. This hardware was not included in the design, so the contractor was not allowed to give a cost associated with it. Seeking a fee to now include that door in the installation was a legitimate change order. </p><p>Here's an example of a legitimate project-directed change order. The contractor discovered that 100 feet of conduit was needed to mount a video surveillance camera in an open-ceiling mechanical space. The project manual did not clearly document that the contractor would need conduit at this location, so the contractor sought to submit a change order for the cost of procuring and installing the conduit.</p><p>Illegitimate change orders occur when a contractor seeks fees for a task or product that was clearly documented in the project manual and, therefore, should have been included in the proposal or bid. It should be noted that legitimate or illegitimate status will not determine if the change order will be accepted by the project. Change order acceptance or rejection is determined by the project manager, owner, and other applicable stakeholders.</p><p>One benchmark of success for the project is the number and scope of change orders. In other words, how close was the executed project to the agreed upon budget and original design?​</p><h4>Monitoring and Controlling</h4><p>If the project manager's responsibility is to review and sign off on the installation, it is best to do so early and often. The goal is to correct minor issues before they grow into major issues. </p><p>For example, let's assume a contractor completes a 200-door access control project across 20 different facilities, but does not properly secure the cabling above the ceiling grid as designed. The longer the project manager waits to get on site and review the work, the more difficult it will be to fix this mistake. If the cabling contractor is a subcontractor of the prime contractor and is finished with the scope of work, by the time the project manager is on site to review the work, it may be impossible to correct these mistakes.</p><p>The project manager should be on site to review, at a minimum, the first few devices that are installed to ensure that the installation is clean and to specification. Indeed, many contractors prefer this method of installation kickoff because it will ensure that the installation is on the right track. </p><p>Common installation mistakes found on physical security projects can include sloppy or exposed cabling to devices; installation of sensors, cameras, and other devices that are not plumb or properly secured; low-voltage cabling strung across the ceiling grid and not on cabling support; failure to firestop applicable penetrations; and poor cable management and cable terminations in the data closets and control panels, among other things.</p><p>All site visits, communications between owner and contractor, issuances of work that need to be fixed, and approvals of work done correctly should always be formally documented and distributed to the entire team in field reports and punch lists. In turn, the contractor must document any corrections or installation requirements that are completed. </p><p>Requests for information from the field, product submittals, invoice submittals, and general project housekeeping should be reviewed and answered by the project manager in a timely matter to ensure that the project is not delayed due to lack of direction for the contractor or owner.  </p><p>Sometimes, the biggest roadblocks to completing a project on schedule are the tasks that must be completed by the owner. It is important that the project manager also manage this side of the project. He or she should inform the owner early and often when tasks will be due and should sometimes advise them on how they can be best completed. These tasks may include providing IP addresses for cameras, printing and issuing badges for new access control systems in time for system cutovers, providing configuration on network electronics if required, and configuring and relaying information related to VLANs, among other things. </p><p>Often, contractors are only allowed to invoice for work completed or for devices that were purchased and delivered to the facility. If the project manager is tasked with reviewing invoices, it should be easy to approve or reject fees based on work completed because the project manager has periodically seen and reviewed the work in person.</p><p>Most projects will require that the project hold a retainer against the contractor's fee until the project is 100 percent complete. This retainer is held until the end of the project, after all the installation and miscellaneous responsibilities of the contractor have been met. Each project may have specific requirements in terms of payment and proof of work for payment that should be reviewed and adhered to by all parties.  ​</p><h4>Closing</h4><p>The closing process can be initiated when 10 percent of the project is left to complete. Common tasks to be completed during the closeout process include administering training, delivering operation and maintenance manuals, final testing of systems, reviewing the system test results, reviewing cabling test results, and handing over the systems to the owner. </p><p>It is a good idea to start closeout tasks when the project is around 75 percent complete. However, getting the owner and relevant stakeholders together for training and close-out meetings can be a difficult task depending on their schedules. If the project is being completed in a school district, for example, training may need to wait for a professional development day, so it is best to book training as soon as the trainer is available. </p><p>Depending on the owner's level of expertise, it may also be beneficial to include additional training in the project manual two to six months after the project is handed over to the owner. This will allow the owner to schedule refresher training if desired. </p><p>Once the project manager and design team accept the final installation; all closeout deliverables are finalized; and all final fees, contingencies, and invoices are paid; the project is handed over to the owner and the project is considered complete. </p><p>Successful project completion requires improvisation, teamwork, thoroughness, and foresight. All are skills that are developed over time and through hands-on experience on projects of different sizes and types. The best project managers are those who learn from their mistakes, document their lessons learned, and share those insights with the project management and security management communities.  </p><p><em><strong>Nicholas D'Agostino, </strong>PSP, PMP, is a senior manager of system design for D'Agostino & Associates, a technology consulting firm. He has spearheaded multiple city-wide physical security upgrade projects throughout the Northeast. He can be reached at D'Agostino is a member of ASIS International.</em></p> Online August 2018GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​EUROPEAN TERRORISM</h4><p><a href="" target="_blank">The EU Terrorism Situation and Trend Report 2018 ​</a>provides an overview of the nature and volume of terrorist attacks in the EU in 2017.</p><h4>INFORMATION SECURITY</h4><p>The U.S. Department of Commerce's National Institute of Standards and Technology<a href="" target="_blank"> issued a draft update to its Risk Management Framework​</a> to help organizations integrate information security principles and practices into enterprise risk management programs. </p><h4>SCHOOL SECURITY PLANS</h4><p>A <a href="" target="_blank">report from the U.S. Government Accountability Office​</a> evaluates the number of schools requiring hazard-specific plans, such as active shooter, suicide threat or incident, and bomb threats, among others. </p><h4>CYBER STRATEGY</h4><p>The U.S. Department of Homeland Security h<a href="" target="_blank">as released its cybersecurity strategy​</a> for the next five years.</p><h4>GLOBAL FRAUD</h4><p><a href="" target="_blank">Report to the Nations</a> from the Association of Certified Fraud Examiners looks at 2,690 cases of fraud in 125 countries. It explores the costs, schemes, victims, and perpetrators of fraud. Another report, <a href="" target="_blank">UK Business Payments Barometer 2017</a>, focuses on fraud in the United Kingdom.</p><h4>U.S. IMMIGRATION</h4><p>Two <a href="">federal reports </a>detail<a href="" target="_blank"> the challenges </a>faced by U.S. immigration services to issue and manage green cards.</p><h4>DRESS CODES</h4><p><a href="" target="_blank">New guidelines​</a> from the United Kingdom Government Equalities Office prohibit employees from singling out women in dress codes. </p><h4>RETENTION</h4><p>A former CIA contractor<a href="" target="_blank"> pleaded guilty</a> to illegally retaining classified materials during the course of his employment.</p> SmartsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>In the hit 1999 movie The Matrix, people go about their daily lives unaware they are in a simulated, alternate reality being controlled by greater powers. In one scene, the main character Neo, played by Keanu Reeves, sees a black cat walk past a doorway. A few moments later, the same cat walks by again.</p><p>"Déjà vu," he says aloud. His comrades, who know they live in the Matrix, are disturbed by the claim and press him on what he saw. When he says he observed the same black cat walk by—twice—they spring into action, explaining that a déjà vu demarcates a glitch or change in their synthetic world.  </p><p>A similar concept exists in the field of countersurveillance, referred to as the déjà vu effect. While traveling in a foreign place, if the same person or vehicle appears twice, it is likely not a coincidence. Someone could be following the traveler, scoping him or her out as a potential target for crime. I learned to rely on this principle during my time as a CIA case officer, traveling to some of the most dangerous parts of the globe to collect intelligence. </p><p>However, one does not have to be in a war zone or third-world country to encounter threats. Much like the Matrix, even a seemingly normal setting can quickly turn upside down and require quick thinking. Simple observation of one's surroundings, like being on the lookout for the déjà vu effect, will greatly help solo travelers maintain their personal security. </p><p>Similar to a corporate travel security program that tracks executives or employees while on business, individuals can protect themselves by adopting a portable set of principles and concepts that they can take them with them wherever they go. </p><p>There are three key concepts that must be in place for a personal travel security program to work. Just like a physical security or cybersecurity program at a large corporation, a personal travel security plan must first be effective to protect the individual. If a building has a fence that is not properly maintained or a camera system that is broken, the physical security program is considered ineffective. If someone relies on a personal security program that he or she cannot recall from memory and put into action, it will be unsuccessful. </p><p>The second aspect of a personal security program is the concept of risk. In enterprise security, there are assets, threats, vulnerabilities, and countermeasures. In personal security, the asset being protected is oneself. The threats are usually external to the traveler, but vulnerability—weakness—is a unique element of personal security risk. Vulnerabilities can exist both outside or within the individual. Understanding this unique aspect of personal security risk is crucial. The countermeasures to mitigate risk can be learned and taken with the traveler to stay safe.</p><p>The third element in a personal travel security program is timing. You make your own luck in personal security, and if your timing is off, it could make the difference between avoiding being kidnapped or sitting in captivity.​</p><h4>Personal Security Principles</h4><p>Understanding these three concepts—effectiveness, risk, and timing—will allow the traveler to grasp the five foundational principles to the personal security program. These principles can be easily recalled from memory and applied in even the most stressful of circumstances. </p><p><strong>Preparation. </strong>The first and most important principle behind an effective personal security program is preparation. Effective preparation diminishes doubt and mitigates the fear of the unknown. Note that eliminating fear is never the goal. When harnessed properly, healthy fear can be helpful rather than harmful. Advance preparation also gives one the confidence of knowing that unexpected circumstances can be dealt with, no matter how little one knows the local language or culture.</p><p>Travelers should research the area they are traveling to and familiarize themselves with the location geographically. Use the Internet and other means before arriving, but also conduct a mental site survey once you arrive on-site. In the Middle East, for example, few streets have names. Take note of major landmarks, roadways, and other characteristics that stand out in case you may have to remember where you were at any point in time. </p><p>Planning in advance for potential physical and mental health needs is another element of preparation. It is best to be a "walking pharmacy," and travel with several drugs for common ailments and illnesses. If the traveler or a comrade should become ill, it can be a major handicap. </p><p>Mental health is often overlooked when preparing for a trip. Attempt to have your affairs in order before leaving home. There are three elements to "engineering" peace of mind: electronic communications and backup, enlisting a point-of-contact that can make decisions on your behalf, and duress plans—a way to discreetly convey you are in trouble. Having a will, bills paid, and accounts in order are also important. When relationships with loved ones, friends, or coworkers are at loose ends, it can truly eat away at a person who finds him or herself in captivity, or an otherwise distressing travel situation. </p><p>Packing light is advisable, only bring one carry-on bag so that arms and hands are as free as possible. Documentation and money are two key areas that should be taken care of in advance. Essential documents, including passport and any travel visas, should be kept close to one's person and not put in checked luggage, as well as important credit cards. </p><p>Normally, bringing roughly $300 to $500 in U.S. currency should suffice, but be sure to work out how much cash you may need over the course of the trip. Small U.S. bills are handy, and something of value that everyone recognizes—the U.S. dollar is often an acceptable form of currency in a pinch. The traveler should break down the total amount into $20 bills and divide that roughly in half between checked luggage and the important items to be carried on.</p><p>Small bills also allow the traveler to find and pay cash for personal transportation upon arriving at the destination. When you do not have the luxury of prearranged travel by a corporate security program, choosing your own transport on-site is critical, versus having it solicited or having someone else choose it. </p><p>In some high-risk locales, drivers for hire typically wait outside airports, bus stations, and train stations, and are on call. It is advisable to be deliberate and maintain control of how you choose transportation. Look first for kiosks with taxis for hire or hotels with shuttle transport. If none are available, ask an airline representative what transport can be trusted. The last resort is to look for marked taxis outside and choose one—do not let it be chosen for you.</p><p> Keeping and maintaining the element of unpredictability is important to your security. If the driver you hire is reliable, it is worthwhile to keep the same driver to take you from place to place throughout the duration of your trip. This allows you to build a relationship with that person and have someone you trust to get you around the area. </p><p><strong>Detection.</strong> The second principle to a personal security program is detection. It's imperative for the traveler not just to see what is around him or her, but to observe it. Observing is intelligent detection and keeps you in the present moment. </p><p>Such skills can be important in preventing crimes such as pickpocketing. Travelers who are preoccupied, even mentally, make themselves a vulnerable target. Take off the ear buds or headphones, stay alert, and keep your mental focus on the here and now. </p><p>London's Piccadilly Circus, for example, is an infamous place for pickpockets. These crews target travelers who are distracted, whether it be window shopping, talking on cell phones, or sightseeing. Pickpockets work in teams, with one person designated to distract the victim, another to take the item, and a third to move it away from the crime scene. Someone on this team may have already scoped out where important effects are kept without the individual's awareness.</p><p>The déjà vu effect discussed earlier comes into play in the element of detection. If you are walking down the street toward an ATM, for example, and someone seems to be following or keeping pace with you, pay attention to that. Being aware of this allows you to assess it, and take proactive action. Most often, petty thieves move on to easier targets once they realize they have been spotted.   </p><p><strong>Deterrence.</strong> The third principle to an effective personal security program is deterrence. Deterrence is how you look and behave. Blending in with your environment helps eliminate the possibility that someone will see you as a target, but this is not just achieved by the clothes you wear. </p><p>While a subtle wardrobe is an essential element to maintaining personal security, so is a sense of confidence in the traveler's gait as he or she goes from point A to point B. </p><p>Keep smartphones and other valuable items tucked away in a bag. Be discreet when accessing them in a public place. Threat actors look for low-hanging fruit, so part of deterrence is making oneself appear less vulnerable to assault. The goal is to make it harder for the bad guys to go after the traveler in any way. </p><p>Deterrence can apply to the type of car you use when renting a vehicle. For example, while with the CIA and afterwards in the international consulting world, I took trips into Mexico, Yemen, Africa, and elsewhere in the developing world. I consistently looked for cars that were worn and unattractive. I drove through the first mud puddle I could find, and did not wash the vehicle over the course of the trip. The more dented and dirty, the better. It blends.  </p><p>The last two principles of a personal security program—delay and defense—are a last resort and should not come into play if the first three principles are aptly applied. The traveler should deploy the last two principles to survive and escape threats with as little harm as possible.</p><p><strong>Delay.</strong> The fourth element, delay, comes into play when you have been targeted, particularly on the street. Putting space between yourself and the threat buys you time—time to run, or time to prepare to defend yourself. </p><p>While traveling, I carry decoy items with me to create delay in a mugging situation. One is a throwaway wallet, stuffed with fake credit cards and petty cash sticking out of the sides. Tossing this to the threat creates enough time to get away without losing items of real value. I also wear a cheap watch that looks expensive. In Central America, I once used such a decoy watch to get away from a thief, who ended up with a cheap fake Rolex. </p><p>Carrying a whistle is also advisable, because it adds the element of surprise and draws attention to the scene—not normally an adversary's desire. With delay, one is creating distance between oneself and the threat. The greater the distance, the greater the chance of survival. </p><p><strong>Defense.</strong> The final principle is defense. What does the traveler do if his or her options are being mugged, injured, or killed—or fighting back? No matter a person's age or level of physical fitness, there are certain defensive tactics that can increase one's margin for survival and potentially limit the amount of harm done. Consulting a self-defense expert on tips and techniques, whether they are hand-to-hand combat, or firearms training, is certainly advisable. However, if the adversary has a weapon—particularly a firearm—it is wise to go along with his or her demands.</p><p><strong>Captivity.</strong> Should you be abducted, if you are able, make a scene—yell and scream as loud as possible. Doing so creates witnesses, which can help when a search is conducted. One former U.S. drug enforcement agent did just this while being kidnapped in Mexico, and witnesses helped police in the search that eventually led to his rescue. </p><p>In the rare circumstance that you are kidnapped, once you're physically controlled, stop struggling physically. The last thing you want is to go into captivity with a broken nose or broken bone. Part of a personal security program is staying alive, so be prepared for the possibility of this circumstance. Have one or two key phone numbers memorized, so that if you are unexpectedly released in an unfamiliar place you can make a call to someone who will answer. </p><p>Communicate with the captors and let them know if medication or other physical care is needed. Try to build a relationship with the people who are responsible for you so that they are inclined to hesitate before harming you. </p><p>Kidnaps for ransom have become increasingly commonplace in countries like Mexico and Colombia. Travelers should have a plan in place before leaving home for a lawyer or third party to help negotiate release. A loved one should not be responsible for negotiations, because they can bring too many emotions into the transaction.  </p><p>One area where your family or loved ones can help, is having a prepared list of "signs of life" questions for those aiding in the release or rescue; statements or facts that only you and that person know. These can be communicated by the captors to the loved one so that they know the person is, in fact, alive. Duress phrases, such as, "make sure you water the garden," (when, in fact, you might not have a garden) that signal safety or distress without the captor's knowledge can be useful.</p><p>Finally, in a rescue operation, you should know that law enforcement or the military might not immediately recognize you as the victim. Let the operation unfold, keep low, and keep your hands visible so that you're not inadvertently harmed in the cross fire.  </p><p><strong>Skills for life. </strong>While working as a CIA officer abroad, I traveled and worked for decades without a badge or weapon and learned to bring the aforementioned skills to bear to keep myself and those for whom I was responsible safe. With or without the support of an executive protection program, traveling solo requires a person to rely primarily on himself or herself for basic security. </p><p>The five elements of a personal travel security program—preparation, detection, deterrence, delay, and defense—should be thought of as mental pegs. Take the details that go under each concept and hang them on those five pegs. Then you can quickly and effectively grab the tools needed in high-risk situations and environments. Internalizing these skills will help build good instincts, increase your awareness, and ultimately provide life-saving protection.</p><p><em><strong>Charles Goslin, CPP,</strong> Principal & Owner, CG Security Associates, LLC, is a retired CIA operations officer and veteran of U.S. Army Intelligence with 35 years of experience. He is a member of the ASIS International Houston Chapter and serves on the Book of the Year Award Committee. He is the author of the book Understanding Personal Security and Risk: A Guide for Business Travelers. ​</em></p> Worlds on Delivery for Higher Standards Buzz on the High Life Returned to the Future Review: Credit Card Fraud's-Note---In-Sync.aspx2018-07-01T04:00:00ZEditor's Note: In Sync Review: Ethical Forensics Precious Property Conversations: Checking In & Coaching Up Chain Company Makes Access Control a Priority 911 the Bar: Food Defense Safety Strategy on Campus Review-Understanding Personal Security and Risk.aspx2018-06-01T04:00:00ZBook Review: Understanding Personal Security and Risk Ways to Improve Healthcare Security

- Issues

August 2018 July 2018 June 2018 May 2018 April 2018 March 2018 February 2018 January 2018 December 2017 November 2017 October 2017 September 2017 August 2017 July 2017 June 2017 May 2017 April 2017 March 2017 February 2017 January 2017 December 2016 November 2016 October 2016 September 2016 August 2016 July 2016 June 2016 May 2016 April 2016 March 2016 February 2016 January 2016 December 2015 November 2015 October 2015 September 2015 August 2015 July 2015 June 2015 May 2015 April 2015 March 2015 February 2015 January 2015 December 2014 November 2014 October 2014 September 2014 August 2014 July 2014 June 2014 May 2014 April 2014 March 2014 February 2014 January 2014 December 2013 November 2013 October 2013 September 2013 August 2013 July 2013 June 2013 May 2013 April 2013 March 2013 February 2013 January 2013 December 2012 November 2012 October 2012 September 2012 August 2012 July 2012 June 2012 May 2012 April 2012 March 2012 February 2012 January 2012 December 2011 November 2011 October 2011 September 2011 August 2011 July 2011 June 2011 May 2011 April 2011 March 2011 February 2011 January 2011 December 2010 November 2010 October 2010 September 2010 August 2010 July 2010 June 2010 May 2010 April 2010 March 2010 February 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 June 2007 May 2007 April 2007 March 2007 February 2007 January 2007 December 2006 November 2006 October 2006 September 2006 August 2006 July 2006 June 2006 May 2006 April 2006 March 2006 February 2006 January 2006 December 2005 November 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 February 2005 January 2005 December 2004 November 2004 October 2004 September 2004 August 2004 July 2004 June 2004 May 2004 April 2004 March 2004 February 2004 January 2004 December 2003 November 2003 October 2003 September 2003 August 2003 July 2003 June 2003 May 2003 April 2003 March 2003 February 2003 January 2003 December 2002 November 2002 October 2002 September 2002 August 2002 July 2002 June 2002 May 2002 April 2002 March 2002 February 2002 January 2002 December 2001 November 2001 October 2001 September 2001 August 2001 July 2001 June 2001 May 2001 April 2001 March 2001 February 2001 January 2001 December 2000 November 2000 October 2000 September 2000 August 2000 July 2000 June 2000 May 2000 April 2000 March 2000 February 2000 January 2000