More Headlines

 

 

https://sm.asisonline.org/Pages/New-Survey-on-Crisis-Management-Opens.aspxNew Survey on Crisis Management OpensGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Crises that organizations face come in many forms, from workplace violence to weather catastrophes. <a href="https://www.surveymonkey.com/r/asiscrisismgmt" target="_blank">This survey</a>, a partnership between <em>Security Management </em>magazine and Dataminr, collects information on how organizations structure their crisis management efforts and how they incorporate social media data into the process.</p>
https://sm.asisonline.org/Pages/How-to-Foster-A-Safety-Culture.aspxHow to Foster A Safety CultureGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​While the events of September 11, 2001, are engrained in the hearts and minds of people around the world, many may not realize they were the impetus for one of the most wide-ranging security awareness programs ever to be implemented.</p><p>Coined by a Manhattan advertising executive, the phrase "See Something, Say Something" would become the tagline of a U.S. Department of Homeland Security awareness campaign. Through various program materials from the U.S. government, the campaign sought to empower everyday citizens to protect their neighbors and communities by recognizing and reporting suspicious behavior. </p><p>Today, See Something, Say Something is established throughout much of the United States and even other countries, revealing itself in virtually every public corner, from mass transit systems to sports stadiums. </p><p>Much like this campaign, corporate security officers should establish a security awareness program within their organizations as part of a holistic physical security model. These programs are designed to promote a secure work setting and protect the company's assets.</p><p>But whereas See Something, Say Something was born out of a national sense of purpose following a grave tragedy—ultimately garnering significant financial support and public enthusiasm—security executives who want to build a security awareness program must do so organically. ​</p><h4>Building Blocks<img src="/ASIS%20SM%20Callout%20Images/photo1.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:269px;" /></h4><p>The successful implementation of a security awareness program is, by nature, a complex process that encompasses many aspects of program development, collaboration, communications, and branding, all with the goal of instilling and sustaining a security consciousness within the organization.  </p><p>So how do security leaders use com­p­any culture and existing security policies and procedures to organically develop a security awareness program? Examples of program models at General Motors Financial Company (GM Financial), ESPN, and Capital One, established with the help of the author, demonstrate the success of a corporate security awareness model through effective marketing and messaging, employee recognition, leveraging of partnerships, and buy-in from company executives. </p><p><strong>Program scope.</strong> Clearly defining the scope and purpose of the security awareness program is the first step towards effectively shaping it. At GM Financial, this process began by promoting the concept that security is a shared responsibility, and that each team member, regardless of title or position, had an important role to play in keeping GM Financial facilities safe and secure. </p><p>The scope of the program—branded as "Ready.Set.Safe!"—sought to create a culture of awareness and preparedness that transcended the more common security concerns, and included several aspects of emergency preparedness—fire and life safety, active shooter awareness, severe weather response, and more—to drive both a heightened readiness for emergent events and a strong safety culture.</p><p><strong>Communications and marketing</strong>. A successful messaging strategy for a security awareness program is essential, as is providing frequent campaign reminders for employees. This requires leveraging the expertise of the corporate communications and marketing group within the organization. These departments can lend invaluable support towards messaging development and branding components, and they can employ a variety of creative messaging tools to promote security awareness programming in a strategic and effective way. </p><p>At GM Financial, a variety of messaging platforms were developed that could be embedded into the natural flow of the employees' workday. This included use of the company intranet (articles, banners, and rotating message carousels); digital message display boards throughout employee work areas; static signage at facility entrances, cafeterias and high-traffic areas; and pop-up banners. Portable signs can also be deployed at company events, town halls, and other outside events. </p><p>Branded giveaway items with useful business applications, such as mousepads or pens, ensure that the Ready.Set.Safe! messaging is within view throughout the day. These giveaways have proven popular at HR fairs and other company events where corporate security representatives want to promote security awareness.​</p><h4><img src="/ASIS%20SM%20Callout%20Images/photo2.png" class="ms-rtePosition-1" alt="" style="margin:5px;width:500px;height:240px;" />Employee Involvement</h4><p>Raising security awareness among team members often requires a cultural shift in organizational thinking and employee behavior. An effective security awareness program must be supported by an equally effective company security model that team members are confident in. </p><p>This confidence must exist within all tiers of the organization—from the executive boardroom to the individual contributor level—for a true security culture to take root. At GM Financial, it is this alignment that enabled an effective and comprehensive security awareness program to become embedded within the organizational mindset. </p><p>New hires are exposed to the company's security and safety culture on their first day during orientation, as corporate security team members present an overview of the department's responsibilities and introduce new employees to the Ready.Set.Safe! program. The issuance of the employee photo ID/access badge during the onboarding process gives the corporate security team an additional opportunity to promote a safe facility culture by interfacing directly with the new hire.</p><p><strong>A joint launch.</strong> At ESPN, a global multimedia sports entertainment programming company where the author served as director of facility security, a similar approach was used to develop and successfully launch its security awareness program, "Community Watch." This program, part of a larger enterprisewide security awareness effort by parent-organization The Walt Disney Company, is a successful example of a contemporary security awareness platform with clear value proposition throughout the organization. The company's security organization successfully partnered with its creative designers, corporate communications team, human resources, and other business units to develop a multifaceted security awareness program. </p><p>ESPN sponsored a "Security and Safety Awareness Day" at its headquarters campus, which featured public safety partners from law enforcement, fire, and paramedic agencies on hand to promote security and safety best practices. The annual event was attended by hundreds of company employees and received positive feedback. </p><p>The information promoted at this event—including fire safety, cybersecurity, severe weather safety, driving safety, and several other safety-related topics—could also be used by team members in their homes and personal environments. </p><p><strong>Ease of reporting. </strong>When security incidents occur, or suspicious activity arises, it must be reported in a timely manner. Providing an easy means by which team members can communicate and report these threats and potential threats is essential. At GM Financial, the global security operations center (GSOC) serves as the central communications hub and primary reporting point for team member security concerns on a 24/7 basis. </p><p>Working with the telecommunications group, corporate security acquired a unique, easy-to-remember telephone number for employees to use to contact the GSOC. All employees can dial 4-GSOC from their desk phones for direct connection to a GSOC specialist from any U.S.-based GM Financial location. Employees are also encouraged to program the seven-digit GSOC telephone number into their personal phones to contact the GSOC directly, should the need arise, when they are in company parking areas or on company property. </p><p><strong>Recognition programs. </strong>Acknowledging team members who help promote the security awareness program helps reinforce the importance of a security culture. At Capital One Financial Corporation (where the author served as director of regional security operations for the company's northeast U.S. and Canadian markets), the organization's "Be Safe" program formally recognized team members for their actions and reporting to help protect company assets. These team members were presented with a plaque by the regional director of security and their local business leadership team. The award presentations were published in an article on the company's intranet site, further demonstrating the value placed on workplace safety and security by the company. </p><p>One unique program component at ESPN featured an interactive sports-themed contest where employees demonstrated how well they knew their coworkers. Participation in the contest, which was possible via the company's intranet, required the employee to first review a security awareness message. Winners were selected monthly, presented with Community Watch branded giveaway items by the director of security, and featured in the following month's contest, posted as an article link on the company's intranet site.</p><p><strong>Company initiatives. </strong>The growth and sustainability of any program relies upon leveraging existing security initiatives within the organization. At GM Financial, the corporate security <img src="/ASIS%20SM%20Callout%20Images/photo3.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:213px;" />organization also oversees the company's emergency response team. Approximately 900 team members from across the enterprise are trained to serve as volunteer first responders to medical and other workplace emergencies. </p><p>These dedicated team members are natural stakeholders of the security awareness program and demonstrate the company's commitment to employee safety. Their work aligns with the "Secure Facility" initiative, the most recently launched component of the Ready.Set.Safe! program. </p><p>GM Financial has certain security policies it has chosen to highlight with colorful posters. An anti-piggybacking initiative was established to ensure that unauthorized individuals do not follow employees into the workplace after they introduce their credentials at the door. A billboard-like poster that reminds team members of this campaign marks another examp​le where effective communications strategies have been developed and employed. </p><p>Another component of GM Financial's security awareness program is the company's active shooter awareness training. Each year, all team members complete a structured learning module via the company's learning management platform. The module includes a video that presents options for consideration during an active shooter event, as well as a knowledge assessment. The learning module is supplemented by awareness messaging material, displayed in common areas such as employee break rooms, and a virtual quick reference guide. Tabletop exercises and train-the-trainer sessions for emergency preparedness coordinators have also been developed. These sessions include awareness tips on how to recognize and report potential workplace violence situations. </p><p><strong>Cultural differences. </strong>While there are best practices that should be considered when implementing a security awareness program, each company has a unique organizational culture and operating environments that play a central role in determining how the program can be effectively established. Corporations that operate internationally can be presented with additional cultural factors that should be thoughtfully considered before implementing a security awareness program in these environments. </p><p>For example, some countries may experience low crime rates within their societies and may view security awareness programming as unnecessary, while others may view the reporting of suspicious behavior to be socially improper for their culture, akin to snitching. It is important that senior security executives understand and appreciate cultural differences, and that proposed security awareness programming is discussed with business leadership in these operating environments. </p><p>When developing messaging materials and translating them, language differences should be considered. Use of phrases that are common or well understood in one language may translate awkwardly into another language, causing confusion or alarm. The company's communications group can help to ensure that messaging is culturally appropriate in its translated form.</p><p><strong>Holistic model.</strong> Creating and implementing an effective security awareness program in a large corporation requires a holistic approach that must complement the company's security model and align with the company's culture. Colorful posters and creative messaging materials will do little to engender security awareness if they are not supported by the security organization's ability to respond to and address security concerns in a professional, timely, effective manner. The security organization must enjoy the confidence of employees at all levels to ensure that the awareness program achieves credibility and its intended purpose. </p><p>Examples of how such programs at GM Financial, ESPN, and Capital One were successfully implemented show that the model works across various types of enterprises. Obtaining executive support and partnership with key business stakeholders will help achieve buy-in for the programming. Creativity should be added into awareness efforts, and the security culture must be engaging for team members, because most will want to participate in an environment that is both enjoyable and purposeful. Fostering an environment where the concept of security is viewed as a shared responsibility is central to achieving the cultural shift, one in which employees view themselves as owners and stakeholders in the security program.  </p><p><em><strong>David Aflalo, CPP</strong>, is senior vice president of corporate security for GM Financial. He is a member of the ASIS CSO Center for Leadership and Development, where he chaired the Center's mentoring committee. He also serves on the ASIS Banking and Financial Services Council, and is a member of the International Security Management Association (ISMA).​ ​</em></p>
https://sm.asisonline.org/Pages/Smarter-Structures,-Safer-Spaces.aspxSmarter Structures, Safer SpacesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Internet giant Google is known to build impressive campuses and office spaces for its workers. No exception is its Wharf 7 office in New South Wales, Australia, where it moved a number of employees when the company experienced a boom in growth in 2012.</p><p>The building was constructed to "encourage the interaction and collaboration that is key to the innovation Google promotes," IDEA Awards, an interior design awards program, states on its website. A gaming room, café, bridges, and walkways all contribute to the collaborative look and feel of the building. </p><p>While the interior design of Google's Wharf 7 is impressive, two security vulnerability re­search­ers discovered that the system controlling much of the building's functionality had not received as much attention. </p><p>Billy Rios and Terry McCorkle, both of security firm Cylance, gained access to the corporation's building management system, a computer-based system that controls electrical and mechanical functions within the facility. They achieved this breach by exploiting unpatched vulnerabilities. In other words, they accessed the network that controls HVAC, lighting, fire and life safety systems, and more, because Google had not run security updates on some of those platforms.</p><p>"Among the data they accessed was a control panel showing blueprints of the floor and roof plans, as well as a clear view of water pipes snaked throughout the building and notations indicating the temperature of water in the pipes and the location of a kitchen leak," according to a May 2013 Wired article. </p><p>Upon learning of their research, Google promptly patched their systems and thanked the white-hat hackers for their warning. The lessons learned have far-reaching effects for facility and security professionals as they navigate their buildings' complex automation and control system environment.​</p><h4>Intelligent Building Management Systems</h4><p>Intelligent building management systems (IBMS) are embedded in most contemporary buildings. IBMS continue to grow by anywhere from 15 to 34 percent each year, according to a report from revenue intelligence company MarketsandMarkets. Such growth is due to the demand for reduced operating costs, improved information flow, greater sustainability, and meeting increasing government regulation in building ownership and operations. </p><p>By 2022, it is estimated that the IBMS industry will be worth approximately $104 billion, according to a study by Transparency Market Research. However, this technological enhancement comes with a substantial set of security vulnerabilities that many facility and security professionals have not accounted for. As the Google example shows, if the security of IBMS is not considered, organizations will remain exposed to harm from nefarious actors.</p><p><strong>Vulnerabilities.</strong> The security vulnerabilities associated with IBMS stem from their incorporation across the built environment. IBMS integrate a building's operational management systems, such as HVAC, lighting, and life safety systems. They are also integrated into security systems, such as intruder detection, access control, and surveillance systems. </p><p>A detailed research project, funded by the ASIS International Foundation, the Building Owners and Managers Association (BOMA), and the Security Industry Association (SIA), recently investigated the security of IBMS, including vulnerabilities and mitigation strategies, as well as facility managers' understanding and practice.</p><p>The following is a discussion of the security issues associated with IBMS in the modern built environment. One of the more significant outcomes of the research project is Intelligent Building Management Systems: Guidance for Protecting Organizations. This guidance document was developed to be a consultation tool to aid the decision making of security and facility managers, as well as provide guidance to protect a building against an array of threats and risks.​</p><h4>Explaining IBMS</h4><p>The scale of IBMS varies, from a small automated home heating system to a large and complex high-rise intelligent building, which centrally automates all functions including HVAC, lighting, elevators, audio-visual, security, and life safety systems, along with maintenance, administrative, and business functions. </p><p>With the advent of the Internet of Things (IoT), and its connectivity of all things electronic such as smartphones, vehicles, cashless vending, and more, IBMS will continue to expand into more diverse areas of everyday life. In other words, when you drive towards your building, the IoT will facilitate automatically opening the garage door as you arrive and allow your phone to open doors and turn on the building's lighting and heating. </p><p>The connectivity, automation, and control of the built environment with IBMS is achieved through a standardized technical architecture. This architecture is based on three defined component levels—management, automation, and field device. </p><p>The management level is the interface where a manager facilitates the day-to-day management of IBMS. The automation level is the core of IBMS and provides the primary automation and control devices, with controllers connected via a dedicated data network. The automation level implements defined rules set at the management level. The field device level includes the physical input sensors and output activators connected to the plant and equipment to monitor and control the built environment.</p><p><strong>Security risks.</strong> The fact that many IBMS devices are linked through a common communications protocol introduces security risks. These consequences can be divided into categories of loss, denial, and manipulation. All of these potential hazards threaten the organization's ability to maintain occupancy, manage operations, and protect data. Such risks can result in threats to life safety, as well as major financial loss and reputational damage.</p><p>When IBMS are compromised, consequences may range from denial of service attacks to manipulation of building systems. For example, turning HVAC off is denial of control that may be uncomfortable for the building occupants as the temperature changes, but also has the potential to shut down computer network servers when they overheat.</p><p>Vulnerabilities within IBMS vary significantly, ranging from physical access to a field-level device to a highly technical remote cyberattack. Unauthorized access to an automation level controller may allow an attacker to manipulate local control of field devices or launch a cyberattack on the automation network. This attack may allow the actor to map out how the building is used, alter the automation and control programs to unlock doors and isolate alarms, and further access the network covertly.</p><p>Though IBMS attacks are rarely publicly disclosed, there are a number of notable examples. The Target breach of 2013, for instance, compromised more than 41 million payment card users when a hacker stole an internal network access credential from a third-party HVAC maintainer. In Finland, a denial of service attack on a company's network shut down the heating in two buildings. Popular hacker search engines, such as Shodan, publish a list of IBMS vulnerabilities that can be easily accessed. </p><p>Failure to understand and properly respond to IBMS vulnerabilities will result in exposure to security risks. Because of their abstract nature and the fact that they are often presented in a highly technical manner, IBMS vulnerabilities can be difficult for practitioners to understand and mitigate.</p><h4>Project Findings</h4><p>While IBMS include security functionality, most IBMS are managed and operated by facility managers rather than security professionals. However, these facility operators tend to focus more on broad organizational functions and cost management, and less on security, making it pertinent that security professionals pay close attention to these vulnerabilities. </p><p>The project found that the body of IBMS security knowledge is spread across a diverse array of literature. To date, there is no single source document that security professionals can use to understand the significance of this security concern or guide their threat mitigation. </p><p>Furthermore, the project identified several important issues in the security of IBMS: professional responsibility and the siloed effect, awareness and understanding of vulnerabilities, who the IBMS security experts are, the integration of security systems, and the lack of a common language in the security of IBMS.</p><p><strong>Responsibility. </strong>The research found that facility professionals manage and operate IBMS, with 36 percent of participating building owners and operators indicating they have such a responsibility.</p><p>In contrast, security professionals predominately manage and operate the functional elements of the security systems, and information technology professionals manage and operate the technical elements of networked systems, including the broader IBMS architecture. Nevertheless, each profession generally focuses only on their areas of practice, resulting in silos of responsibilities.</p><p><strong>Awareness.</strong> The project also found a significant disconnect between security and facility professionals' understanding of IBMS threats and risks and their technical knowledge of vulnerability significance. Although 75 percent of the security and facility professionals responded that they had an awareness of IBMS architecture—and half of these participants featured IBMS risks in their risk management documentation—the majority displayed a limited understanding of IBMS technology and vulnerabilities.</p><p>Both security and facility professionals rated the criticality of IBMS vulnerabilities as relatively equal in criticality. Such findings support the assumption that many professionals lack technical understanding of IBMS vulnerabilities.</p><p><strong>Expertise.</strong> Within the project, an expert IBMS technical security group emerged. Integrators—vendors, installers, or maintainers—and cybersecurity professionals displayed a more accurate understanding of IBMS vulnerabilities and their organizational significance. This group rated attacks against the automation level equipment and its network at a higher criticality. Such attacks include manual override of the controller, automation network traffic monitoring, and unauthorized access to a workstation.</p><p>Unlike the security and facility professionals, who rated vulnerabilities at about the same level, the expert group identified a significant difference between the most and least critical vulnerabilities. This demonstrates that they hold a higher level of technical comprehension that can be leveraged by organizations to achieve more robust IBMS security.</p><p>However, many integrators provide service and maintenance, rather than best-practice operational and security advice. Participants noted that advice given by integrators may be viewed as an attempt to sell their products and services, and they may not be recognized as a strategic partner providing high-level IBMS security advice.</p><p>Effective management of the security of IBMS requires that integrators or cybersecurity professionals work with the facilities and security departments. These professionals could be in-house information technology or cybersecurity professionals, or third-party contractors such as integrators.</p><p>Half of the project's participants reported that IBMS integrated into their security systems, which can put these systems at increased risk. The type of security systems used varied widely among respondents. The study also showed a discrepancy between security and facility professionals' understanding of security risks and jurisdictional responsibilities. </p><p><strong>Language.</strong> The project found that the IBMS term "integration" is not widely understood and remains broad and undefined, with various interpretations of meaning depending on a person's occupational role. </p><p>Consequently, there is a lack of understanding and clarity of language with IBMS terms and practices. Differences in the security and facility professionals' idea of what integration means shows a cultural difference between the perspectives of IBMS. This discrepancy of language can result in a failure to address vulnerabilities to system integrity.​</p><h4>The IBMS Guidance</h4><p>To overcome the security obstacles to IBMS, the project developed a guidance document, Intelligent Building Management Systems: Guidance for Protecting Organizations. This document provides a first-generation publication for all relevant professionals to address the many and changing IBMS threats and risks, as well as the organization's ability to maintain occupancy and operations. The guidance will not only aid decision making in IBMS protection, but will help to develop a common language between IBMS stakeholders.</p><p>The guidance directs the reader to identify the organization's criticality, or impact level, if exposed to an IBMS-related event. Criticalities are ranked, using a matrix, across one or many categories such as operations, finance, safety, regulatory, information, or occupancy. </p><p><strong>Security questions. </strong>Following are hierarchical, criticality-based IBMS security questions that are addressed. These security questions are divided into five levels of criticality that align to the criticality matrix, from low to critical. Responding to these questions facilitates either demonstrated compliance or the need to ask relevant professionals further questions.</p><p>The security questions are divided into subsections, comprising management, security risk management, personnel security, physical security, cybersecurity, incident response, continuity planning, and maintenance. A typical low level 1 security question is "Do you have a written and endorsed Security Policy?" In contrast, a critical level 5 security question asks "Do you undertake a IBMS specific threat assessment?" In all, there are 136 security questions, divided into impact levels from low to critical.</p><p><strong>Looking ahead.</strong> Intelligent building management systems are becoming embedded into new buildings for many reasons, including the drive for greater operational efficiency and the need to meet increasing regulation. All building devices and equipment are likely to be converged with IBMS at some level of automation, including security systems.</p><p>For security professionals to have an awareness and be relevant in the modern organization, they must possess a professional level of IBMS understanding. To raise awareness and provide guidance, Intelligent Building Management Systems: Guidance for Protecting Organizations provides both the security and facility professional with the aggregated information they need to address IBMS threats and risks. Familiarizing themselves with the results of the research project will help security practitioners work alongside other personnel to provide effective security to their facilities.</p><h4>SIDEBAR: ASIS INTERNATIONAL FOUNDATION IBMS REPORT RECOMMENDATIONS</h4><p> Across the security and facility professions, the ASIS International Foundation research project identified several key recommendations:</p><p><strong>Gain a better general awareness of your IBMS and its vulnerabilities.</strong> This awareness does not have to be a highly technical cybersecurity understanding; rather, a broad understanding of what your IBMS does, and its function in the business and physical locations. Many of the vulnerabilities are physical or procedural, in which general security strategies will provide a suitable level of protection.</p><p><strong>Form an IBMS security working group from across the organization's stakeholders. </strong>This group will help to break down the siloed approach of IBMS and improve cross-department cooperation with membership from security, cybersecurity, facilities, engineering, and other relevant stakeholders.</p><p><strong>Audit your building's IBMS.</strong> Know where the physical IBMS devices, such as controllers and communication networks, are located and their level of protection.</p><p><strong>Ensure that IBMS is included in your security risk management documentation.</strong> For example, are the IBMS listed as critical components in the documentation? How do they help in incident response, and what happens to your security systems when IBMS fail?</p><p><strong>Build a working partnership with IBMS experts</strong>, especially with information technology and cybersecurity professionals, as well as IBMS integrators. These professionals may be in-house or third-party contractors but should have an understanding of the security issues with IBMS.</p><p><strong>Obtain a copy of<em> Intelligent Building Management Systems: Guidance for Protecting Organizations</em>. </strong>This guidance will provide you with a tool to rate your building and a list of security questions you can use to start addressing your IBMS security. The guide provides a first-generation document for all professions to address the many and changing threats and risks to IBMS and its organization.​</p><p><em><strong>Dave Brooks,</strong> PhD, MSc, BSc is the post graduate security science coordinator at Edith Cowan University in Western Australia. He is the ASIS International Western Australia Chapter 226 treasurer and member of the chapter's executive committee. <strong>Michael Coole, </strong>PhD, MSc, BSc is the security science course coordinator at Edith Cowan University in Western Australia. He is a member of the ASIS International Foundation Research Council.</em></p>
https://sm.asisonline.org/Pages/An-Investment-in-Employees.aspxAn Investment in EmployeesGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Investing in personnel remains one of the most cost-effective business decisions in an organization's strategic planning, as well as in its formulation of short- and long-term budgetary projections.</p><p>Such investment is paramount to security programs where life safety and business risk are the focal point of operations. These programs' services are often the front lines of defense for mitigating risk and promoting safety. </p><p>Despite the business need for organizations to implement professional development programs (PDPs) in support of maintaining training standards, succession planning, and enhancing motivation within the workplace, some organizations may fall short in establishing dynamically structured programs. They can be used to nurture and develop employee talent, while generating a return on investment to further continued success within the public or private sector.​</p><h4>PDP Basics</h4><p>The framework for PDPs can be implemented with little to no cost—especially with collaboration from business partners or professional associations. Depending on the organization's budget allocations, developmental opportunities that consist of classes, seminars, mentoring, and coaching may be available to provide avenues for co-op partnerships.</p><p>Many successful PDPs rely upon pillars that focus on training courses that bolster specialized skill sets to include leadership, management, critical thinking, and soft skills. They capitalize upon mentoring and leadership coaching programs that provide training while emphasizing problem solving and the dynamics of situational and strategic leadership. </p><p>Most PDPs also include rotational assignments that provide opportunities to experience other organizational cultures. This allows employees to build an understanding of how different organizations operate and interact with stakeholders in pursuit of strategic goals.  </p><p>A PDP's development, and subsequent implementation, must have the buy-in and support from senior level management to be effective. This means management must see the program as a necessity for continued organizational efficiency, productivity, and growth to support the organization's mission, vision, and strategic goals.</p><p>A PDP must be aligned with the organization's vision statement. This vision statement, which is inherently adaptable in light of the organizational culture, environment, and business needs, should be a long-term strategically defined statement of what the organization aims to achieve as it continues to operate in the future.</p><p>The vision statement is the crux of any successful PDP that will empower employees to create a personalized career plan that enables them to align their goals with the company's vision statement.</p><p>The vision statement is fundamentally different from a mission statement. A mission statement outlines the essential purpose of the organization—how it carries out its processes while showcasing the values it holds true in support of upholding its vision. </p><p>For instance, the U.S. Department of Agriculture (USDA) Office of Inspector General's mission statement is "to promote economy, efficiency, and integrity in [USDA] programs and operations through the successful execution of audits, investigations, and reviews." The agency's vision statement is "Our work advances the value, safety, and integrity of USDA programs and operations."</p><p>Many successful employee development programs have constructed leadership tenets for their respective organizations. These tenets are directly aligned with an organization's vision and mission statements, and provide a guideline for increased team and employee performance.</p><p>One successful model of leadership tenets is the U.S. State Department's Bureau of Diplomatic Security (DS) Leadership Tenets. The foreword of these tenets concisely dovetails into DS's vision and mission statements in pursuit of codifying its leadership tenets for all employees.</p><p>"Strong, capable leadership is critical to the success of the Diplomatic Security mission of providing a safe and secure environment for the conduct of U.S. foreign policy through our protection, criminal, and overseas programs," the foreword reads. "As a law enforcement and security organization, we manage programs to protect personnel, facilities, and information, but we must lead our people. The Diplomatic Security Leadership Tenets establish our expectations for all DS employees, regardless of grade or position, in our pursuit of service to the Department and the Nation."</p><p>The DS Leadership Tenets embrace several key themes that are important to any organization, including moral courage, leadership by example, delegation, continuous learning, collaboration, and effective communication.</p><p>International organizations have taken their leadership tenets a step further by having them translated for their foreign-based offices. They have also delved deeper into the constructs of their tenets by creating talking points that address the importance and application of the tenets to provoke critical thinking within the organization. </p><p>An example of a talking point regarding the tenet of "learn constantly" focuses on the phrase that learning is a life-long endeavor.  </p><p>If we do not learn constantly, our performance will not be sustainable in light of organizational change. All personnel should actively seek opportunities to learn in furtherance of developing and enhancing their skill sets and identify learning opportunities available within the organization. </p><p>Employees should also explore their options. What internal and external training opportunities exist? Has the employee been taking advantage of these opportunities? If not, what barriers exist and how can they be remedied for them to take advantage of these training opportunities?  </p><p>This example provides an avenue to pursue constructive dialogue in a group setting. It promotes effective communication that employs a candid assessment to collaborate on a remedy—one that can be supported by the organization and its employees to cultivate new training opportunities.</p><p>Such an application is particularly important to further promote a sense of global citizenship within organizations where there are differences in cultural norms where they operate.​</p><h4>Individual Planning</h4><p>Another key component to an organization's PDP is the institution of individual development plans (IDPs) for employees. This tool provides an employee with a roadmap that identifies professional short- and long-term goals that are aligned with an organization's vision and mission statements.</p><p>IDPs can address countless objectives to concentrate on the development of specialized knowledge concerning a new process, crafting innovations that focus on enabling greater efficiency, or forging new relationships that empower the employee, as well as the organization.</p><p>IDPs also provide an avenue for management to work with the employee in solidifying career endeavors and to assist managers in better understanding an employee's ambitions. </p><p>The U.S. Office of Personnel Management (OPM) published a public resource that provides a blueprint for managers and employees to implement IDPs within the public and private sectors. OPM deliverables on this topic elaborate on IDP's phases of development that include the importance of preplanning, meetings to discuss plan formulation, drafting, implementing, and evaluating the IDP.</p><p>Managers should shepherd the employee's IDP development by ensuring that his or her career goals complement the organization's vision, mission, and strategic goals. Additionally, the selected goals should be constructed using the SMART methodology—where goals are specific, measurable, attainable, relevant, and timely.</p><p>Each goal needs to have specific characteristics embedded that directly address how the goal is important. Is the goal measurable—can an employee's progress be measured and tracked toward completion? Is the goal attainable—is it reasonable that an employee can accomplish this goal, including completing the requisite milestones needed to achieve it?  Furthermore, is the goal relevant—does it support the employee's personal vision statement? And is it timely—is the employee able to complete the goal within the timeframe identified for completion?</p><p>For example, "During the rating period, I will serve as a volunteer leader within a professional organization, council, or working group that enables the agency's mission and strategic goals to be broadcast to a greater audience while simultaneously developing partnerships that foster collaboration in support of shared organizational interests." This statement is an exemplar of a SMART goal that concisely addresses the aforementioned characteristics.</p><p>Since this is a personalized deliverable that is self-driven, the onus of responsibility for completing the IDP ultimately rests upon the employee. For instance, if a goal was to build upon one's interpersonal skills by broadcasting the company's brand to an outside organization during a meeting, seminar, or conference, the employee would need to conduct research and seek out potential speaking opportunities in support of completing this goal.​</p><h4>Executive Connection</h4><p>Many executives have taken their respective IDPs to the next level by strategically linking their goals to OPM's executive core qualifications (ECQs). These are, as defined by OPM, "the competencies needed to build a federal corporate culture that drives for results, serves customers, and builds successful teams and coalitions within and outside the organization."</p><p>These competencies transgress through the public and private sectors and focus on the concepts of Leading Change, Leading People, Results Driven, Business Acumen, and Building Coalitions.</p><p>These ECQs are grounded in OPM's outlined fundamental core competencies of Interpersonal Skills, Oral Communication, Integrity/Honesty, Written Communication, Continual Learning, and Public Service Motivation. The sustained emphasis on these foundational competencies serves as the cornerstone that empowers an employee's aptitude to develop ECQs in support of career advancement. Many government agencies align their managers' and executives' performance plans with these ECQs to further their continued professional development while concurrently advancing organizational endeavors.</p><p>When revisiting the previously provided SMART goal example that focuses on volunteer leadership, this goal is strategically linked to the ECQs of Leading People, Leading Change, and Building Coalitions. It is also inherently linked to the fundamental core competencies in terms of developing Interpersonal Skills.  </p><p>Furthermore, this particular illustration is an excellent IDP goal for an employee who currently does not have a managerial position, but wishes to actively seek out leadership opportunities to gain experience and demonstrate aptitude for career advancement.  </p><p>It is also important to note the process of how IDP goals were achieved and how they directly addressed an ECQ where such an assessment could be used in a performance evaluation that documents an employee's progression on these fronts. ​</p><h4>Training</h4><p>Another vital component of an established PDP is the ability to increase substantive knowledge through training courses and seminars. While organizational budgets vary widely in terms of the amount of funding allocated for training, there are several avenues to seek training opportunities with minimal costs—especially for security professionals.</p><p>Frequently, professional associations offer discounted group rates, as well as free webinars to members. </p><p>The U.S. Federal Emergency Management Agency's Emergency Preparedness Institute also offers a myriad of free online classes to the general public. These courses focus on specialized topics, including the Incident Command System, emergency preparedness, continuity of operations, and workplace violence.</p><p>Collaborative partnerships with other organizations can also be cultivated to support a reduction in training costs. In-house trainers can be used to share case studies, lessons learned, and best practices with local businesses and agencies to create a grassroots co-op training initiative. Such avenues provide a platform for dynamic training opportunities at reasonable costs.  </p><p>Examples of government partnerships range from the various federal executive boards to fusion centers located throughout the United States. From an international perspective, many American embassies and consulates shepherd Overseas Security Advisory Councils that provide invaluable networking and training briefings that support business growth by addressing crime and safety trends that may affect American businesses and their employees operating abroad.</p><p>One common theme when assessing developmental opportunities for employees is that organizations often provide a training course to staff where there is little to no opportunity to apply the skills they learned from the instruction. </p><p>This lack of application to the workplace environment is a fatal flaw for a PDP where the concepts are not reinforced through application. Without this application, course concepts are not personally tested and reinforced. This negates the added value of the objectives of the course.</p><p>To address this deficiency, IDPs can be drafted to not only pursue training on a particular subject matter, but to build in the application facet of the training material to support a special project based upon business needs. Organizations can facilitate working groups to support deliverables or create shadowing programs where employees nurture additional skill sets that support the organization while employees pursue the opportunity to expound upon the concepts and practices they learned in their training. </p><p>Such an example is a sponsored leadership development program that uses a curriculum that examines leadership principles and traits by assessing case studies. After the classroom portion has been completed, students are assigned an experienced mentor who guides the recently trained employees in applying the lessons learned in the coursework to their current work environment where their sponsoring organization also provides them special projects to complete that enhance the overall learning experience.</p><p>Organizations can also turn to professional associations and nonprofit organizations to empower employees through training programs, leadership symposiums, and national conferences. </p><p>One model training program of a nonprofit organization that ties in the key elements of a vision statement, training, and its successful application in support of goal setting is the Boy Scouts of America (BSA) Wood Badge Course. This six-day course, geared towards adult leaders of scouting groups, touches upon several key leadership principles that have been time tested within the military, civil service, and private business circles.</p><p>The course's five central themes of Living the Values, Bringing the Vision to Life, Models for Success, Tools of the Trade, and Leading to Make a Difference are not only applicable to professional endeavors but to personal development as well. </p><p>The curriculum is grounded from leadership training principles derived from Ken Blanchard, Max De Pree, and Stephen Covey. The same skills covered in this course can be found in many mainstream seminars, which can cost several thousands of dollars. BSA leaders can receive this same level of training at significantly reduced costs because BSA purchased royalties for some of its course material that is used by private vendors.</p><p>The course consists of classroom and practical field training outdoors that supports teamwork. After the course's completion, students have 18 months to complete five special projects, called "tickets." These tickets focus on program improvement at the local and regional levels of the BSA organization, as well as one personalized ticket for self-improvement. </p><p>Examples of such tickets could be planning and implementing targeted recruitment initiatives to generate more interest in scouting in a geographic area. They could also be streamlining social media and website platforms to convey a concise and targeted message to the general public about the benefits of scouting for today's youth. </p><p>Once all of the tickets have been completed and verified, attendees formally graduate the course. Feedback regarding the Wood Badge experience has been noteworthy through the years. </p><p>Serving as a chapter or council officer for one of these organizations can also give employees leadership, managerial, and budgetary experience. These opportunities directly support résumé building, especially if an employee has not had much involvement on these fronts or wants to build upon these attributes to further his or her career.</p><p>Mentoring programs can also prove to be a force multiplier in support of structured employee development programs. Numerous organizations possess formalized mentoring programs for employees that enable them to achieve a better sense of the organization's mission and how their duties and responsibilities impact the organization as a whole.</p><p>Another developmental opportunity that builds upon an employee being able to assess his or her standing in pursuit of his or her career goals is leadership coaching. Various U.S. federal government entities take advantage of their own in-house leadership coaching programs where certified coaches provide sessions to their employees for a duration of time.</p><p>U.S. federal agencies that do not have a leadership coaching program can partake in coaching programs offered by OPM and the U.S. Department of Treasury. Opportunities are also available for selected federal employees to receive free certification training. They then donate their time to provide leadership coaching sessions to other federal employees, as needed, to support a co-op coaching program.</p><p>Similar initiatives are also in place within the private sector where individuals who have completed their coaching coursework need a requisite number of coaching sessions to achieve a certification. </p><p>For instance, individuals who seek an International Coaching Federation (ICF) certification as an Associate Certified Coach must complete an ICF Accredited Coach Training Program, attest to 100 hours of coaching experience with at least eight clients—where 75 hours must be paid—and complete a Coach Knowledge Assessment.   </p><p>Certification opportunities such as these empower an organization to capitalize on an invaluable training opportunity for their employees, which in turn is an investment when the newly minted leadership coaches provide services to the company's personnel.​</p><h4>Solicit Feedback</h4><p>The final component of any successful PDP is the ability to receive constructive feedback to evaluate the program, as well as employees' progress. </p><p>Supervisors and employees should embrace the 360-degree evaluation process to support obtaining constructive feedback and performance assessments from their subordinates, peers, and supervisors to advance continued improvement of the program and employee target goals.</p><p>A model PDP should remain adaptable in light of the fiscal climate, while continuously striving to be resourceful in support of training and developmental opportunities for the employees. Management, in addition to curriculum and training specialists, should be cognizant of cost-effective deliverables where participation demonstrates a true return on investment. </p><p>A successful PDP will include several multifaceted concepts that rely on the organization to provide the framework of what it envisions for its future. These concepts should demonstrate a business need to develop employees and support career progression for the benefit of the organization.</p><p>This caliber of professional development planning capitalizes on promoting efficiency, while allowing the organization to bear the baseline cost for successfully implementing a model PDP that is innovative, resourceful, and forward leaning in furtherance of developing the next generation of strategic leaders.  </p><p><em>The views expressed in this article solely represent those of the author and do not necessarily represent the views of or otherwise constitute an endorsement by the U.S. Department of Agriculture, USDA's Office of Inspector General, or the United States.</em></p><p><em><strong>Robert Baggett, CPP, PCI, PSP, JD, MPA</strong>, is an assistant special agent-in-charge for the U.S. Department of Agriculture Office of Inspector General's Western Region Office in Oakland, California. He serves as the chair of the ASIS International Academic and Training Programs Council and is a member of the ASIS Leadership and Management Practices council and the Investigations Council. During 17 years of public service, Baggett worked on several performance-based initiatives focused on professional development programs, individual development plan assessments, and organizational succession planning. ​</em></p>
https://sm.asisonline.org/Pages/Preventing-Port-Problems.aspxPreventing Port ProblemsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​More than 90 percent of global trade is carried by sea, according to the International Maritime Organization, presenting a cost-effective method for goods to be shipped around the world. </p><p>One port that brings goods closer to customers, resulting in savings, is London Gateway, a deep-sea shipping port owned by DP (Dubai Ports) World. With 78 terminals in 53 countries globally, DP World is the third largest port operator in the world. </p><p>“One of our customers will save more than £1 million a month, just in transport costs, and take more than 2,500 trucks off the road,” says Colin Hitchcock, harbor master and head of International Ship and Port Facility Security (ISPS) at London Gateway, which is located on the north bank of the River Thames.</p><p>But this high transaction rate also presents an opportunity for thieves, making effective security a must to protect the goods being shipped and received. “We’ve been operating about four years now, and the first drug heist was a big deal,” says Hitchcock. “Now it’s sort of two or three times a week, to be honest.”</p><p>Drugs are just one of the many security concerns keeping DP World on the lookout. “I have threats of illegal immigrants coming in on ships, I’ve got people trying to break into the port itself to get cargo out of the containers, and then obviously we have cargos of interest that we have to monitor,” Hitchcock says. </p><p>“There’s a big problem with cars stolen-to-order, because we’re only a few miles from London. Basically, you can steal a car, put it in a box, and get it out of the country,” Hitchcock explains, adding that most of the stolen vehicles are headed for West Africa. “You can put two Range Rovers and an E-Class Mercedes dangling in a 40-foot container—so that’s quite big business going out.” </p><p>While London Gateway works closely with law enforcement and global crime agencies to counter these threats, it wanted to invest in a holistic physical security information management (PSIM) system to manage the various assets and operations around the port, which covers seven square miles.  </p><p>When Hitchcock was told by the head office in Dubai that he could choose the security systems he needed, he says he was looking for a company that could customize its platform to meet London Gateway’s needs. “Anything we purchased had to be future-proofed and able to grow,” he notes.</p><p>In 2016, the port turned to the Converged Security and Information Management (CSIM) software from Vidsys, which brings together multiple sources of data and security information into one platform for situational awareness. </p><p>With CSIM, all of the port’s security and information management systems feed into one platform that provides situational awareness for all security and operations onsite, which include cameras, alarms, sensors, access control systems, and more.</p><p>Tying access control into CSIM has allowed the port to manage the various systems that grant or deny access to users throughout the port. “We have three main buildings, and each has its own access control,” Hitchcock says. “We’ve looked at each of the jobs that people do and asked, ‘Where does that person need to go, where does that person not need to go?’”  </p><p>He adds that there are 55 different levels of access at the port, and that the server rooms have the most restricted access. “If anyone opens the server rooms an alarm goes off in the control room. We have cameras in there, and that’s automatically monitored from inside,” he says. </p><p>With a multitude of cameras installed on port property, having them all feed into one platform gives operators a comprehensive picture of operations, and allows them to quickly be alerted to possible trespassers. </p><p>The security cameras are set up to overlap coverage by 30 percent so that nothing is missed. “We also do a lighting diagram so there are no shadowy areas,” Hitchcock notes.</p><p>Another selling point for London Gateway was the fact that CSIM easily adapts to new systems the port incorporates. “That was one of the other main points with Vidsys—if we introduce new cameras or we introduce a new turnstile system or a new employee management system, the system is able to cope with it,” he notes. </p><p>London Gateway has several security alarms feeding into CSIM, as well as a PID (perimeter intrusion detection) system that runs for 600 meters around the port. When a sensor goes off, it is automatically pulled up in an alerts center. A list of standard operation procedures (SOPs) can be tailored to appear on screen, giving the operator a clear, step-by-step view of how to respond. </p><p>“We have about 30 SOPs that we’ve incorporated,” he says, adding that the procedures are reinforced during drills with police, fire, and emergency services.  </p><p>In response to security incidents, Hitchcock says the port has developed an “onion skin” approach, with several layers to detect and mitigate any threats. “We have a perimeter fence, and an outer perimeter fence as well. So if anyone wanted to break in the port they’d have to get through both of those,” he says. </p><p>The next layer, the PID system, is covered by movement sensors and thermal imaging cameras. Should a trespasser trip any of those sensors, flashing blue lights are activated. There are also two drones that fly up and down the fence line and—if the unmanned vehicles spot someone—they begin flashing a blue light located on top. An audio alert plays over a loudspeaker that the party is trespassing. Finally, if these are ignored, a large spotlight targets the threat. </p><p>Recently, CSIM and the port’s multilayered response played a vital role in multiple arrests at London Gateway. A group of trespassers entered the property under the cover of night. “The thermal imaging cameras picked them up, there were two or three people,” Hitchcock says. The blue light and spotlight were both triggered, and the men tried to hide in some bushes. </p><p>Security immediately alerted port guards on site, as well as local law enforcement, who quickly responded. </p><p>With the Vidsys platform, video feeds can be simultaneously watched by law enforcement and the head office in Dubai when there is a security incident. “These poor chaps thought they were attempting to break in, thinking they were very covert, but actually the whole world—Dubai, Essex Police, U.K. military, and our own security—were all watching them,” Hitchock says. “The system worked very well indeed.”</p><p>With plans to expand and handle even more incoming and outgoing cargo, Hitchcock says he knows Vidsys will continue to accommodate London Gateway’s needs. “The big thing we found with Vidsys was its ability to listen, adapt, and incorporate what we wanted, as well as come up with new ideas,” he says. “And that was taken onboard.”</p><p>For More Information: Jasmeet Kapoor, kapoorj@vidsys.com, www.vidsys.com, 703.883.3730.</p>
https://sm.asisonline.org/Pages/A-Stronger-Handshake.aspxA Stronger HandshakeGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The announcement came as a shock to the cybersecurity industry. In October 2017, the U.S. Computer Emergency Readiness Team (CERT) reached out to roughly 100 organizations to alert them of a new vulnerability affecting a major Wi-Fi protocol—WPA2. </p><p>“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol,” it said. “The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.”</p><p>The specific vulnerability was Key Reinstallation Attacks, otherwise know as KRACK, which allowed attackers to interrupt the authentication process to create a key for encrypted data on a secure network. </p><p>Richard Gold, lead security analyst for Digital Shadows, describes KRACK as a method of violating how cryptographic connections work. The worst-case scenario would allow this attack to disable encryption on a network—meaning an attacker would be able to see all data on the network.</p><p>“For a security protocol, that’s a pretty devastating attack,” he says.</p><p>While there have been no reports of an attacker using KRACK on an organization to compromise its security, actions have been taken to beef up Wi-Fi protocol security in general since its release. </p><p>After the October CERT announcement, patches were released to address the problem and the Wi-Fi Alliance introduced new security enhancements for WPA2 in January. </p><p>These new enhancements helped lay the groundwork for the alliance’s new protocol—WPA3—which was released in June 2018. </p><p>“WPA3 takes the lead in providing the industry’s strongest protections in the ever-changing security landscape,” said Edgar Figueroa, president and CEO of the Wi-Fi Alliance, in a statement upon its release. “WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access.”</p><p>The Wi-Fi Alliance is made up of 818 companies across the world and is designed to foster “interoperability, adoption, and evolution of Wi-Fi globally,” according to its website. As part of this effort, it releases Wi-Fi protocols, including WPA2 in 2004. </p><p>WPA2 was widely adopted by organizations for corporate use (WPA2-Enterprise) and by device manufacturers for private use (WPA2-Personal). However, it was not—as the KRACK vulnerability demonstrated—immune from attack.</p><p>Gold, who has led teams to attack WPA2-Personal and WPA2-Enterprise networks, explains how it can be done.</p><p>WPA2-Personal relies on using a password to gain access to the Wi-Fi network. Someone who wants to have access to the network must have the correct password. So, for instance, a houseguest might ask the homeowner for the password to the Wi-Fi network to connect his or her iPhone.</p><p>When the visitor enters the password to join the network, the iPhone and the Wi-Fi router will perform what’s called a handshake—a check to see that the iPhone is using the right credentials. </p><p>“What you can do as an attacker is sniff that handshake—listen to that handshake,” Gold says. “And you’ll capture in an encrypted form the hashed form of the password.”</p><p>An attacker can then take that collected hash, plug it into a machine that’s not on the Wi-Fi network, and run through a list of hashed words until the attacker finds a match—this is known as a dictionary attack.</p><p>To pull this off, the attacker is relying on the fact that most people choose poor passwords, so Gold says it’s typically an effective method of attack to gain access to the network because most people fail to create strong passwords or they reuse the same password for multiple accounts.</p><p>Attacking a WPA2-Enterprise network takes a little more effort. Instead of using a password to authenticate a user and his or her device, the network often uses a Windows authentication mechanism.</p><p>“It’s based on you as an individual, your password, the same password you type to log into Windows; that’s the same password you type to log into authenticate to the wireless network,” Gold explains. “They have merged those two authentication systems together.”</p><p>These authentication systems run through a server, called a radius server. An attacker would set up a server that impersonates the real radius server.</p><p>“What happens is then I—the attacker—wander around the office or nearby and due to the way the wireless standard works, your device will try to connect to the access points it thinks are the best, the one with the best signal strength,” Gold says. </p><p>If the impersonating server has more strength, victims’ devices would likely connect to it using their credentials. The attacker would then capture those hashed credentials, plug them into a machine that’s not on the targeted network, and use a dictionary attack to obtain the password information needed to gain access to the network.</p><p>Then, the attacker can go back, connect to the network using those stolen credentials, and use that connection to access corporate data or launch a cyberattack.</p><p>To address these vulnerabilities, the Wi-Fi Alliance began crafting a new protocol several years ago and released it in June 2018.</p><p>“Building on the widespread adoption of WPA2 over more than a decade, WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, and deliver increased cryptographic strength for highly sensitive data markets,” the alliance said in a statement on the new protocol’s release. </p><p>The major change from WPA2 to WPA3 is the handshake that devices use to authenticate with a Wi-Fi router to connect to a Wi-Fi network. This new handshake is called Dragon Fly and is designed to deliver protection even when users choose poor passwords.</p><p>This improved handshake will address two major security problems, Gold says.</p><p>“One is that it will provide protection even when users choose poor passwords because of the way it generates cryptographic parameters for the exchange, and it’s supposed to prevent you from doing offline attacks,” he explains.</p><p>The Dragon Fly handshake directly addresses those offline attacks, requiring those attempting to gain access to the network be talking to the Wi-Fi router on the network. Attackers will not be able to save hashed passwords, take them offline to conduct a dictionary attack, and then come back to infiltrate the network later.</p><p>“That’s exactly the right thing to be focusing on, because, as we can see, dictionary attacks are what we use—almost exclusively,” Gold says. “Directly addressing those concerns with the Dragon Fly handshake is a really good thing.”</p><p>Along with the improved handshake, which is required to achieve the WPA3 certification, the Wi-Fi Alliance made suggestions that organizations can implement to improve their Wi-Fi security. </p><p>Organizations have the option to use 192-bit minimum-strength security protocols and cryptographic tools, an increase from the former industry standard of 128-bites. This option is not available for WPA3-Personal because the alliance “addressed 192-bit security in scenarios where this level of support is necessary, such as highly sensitive environments like military, government, or finance,” it said.</p><p>And for open Wi-Fi networks, Wi-Fi networks that do not require a password to join, such as those often found in lobbies or cafes, the Wi-Fi Alliance released Wi-Fi Enhanced Open. </p><p>“Wi-Fi Enhanced Open addresses open or public networks by integrating cryptography mechanisms to provide each user with unique individual encryption that protects data exchange between a user device and the Wi-Fi network,” the alliance explained.</p><p>Currently when a user connects a device to an open or public network, the traffic between that device and the Wi-Fi router is visible to others on the network. With Wi-Fi Enhanced, the network would use what’s called opportunistic wireless encryption. </p><p>The router will basically ask a device that’s trying to connect if it supports encryption. If it does, such as a device that’s WPA3 certified, it sets up an encrypted channel for communications automatically.</p><p>“So that hop of sending traffic from your device to the router will be encrypted, so even other people on the network will not be able to see your traffic,” Gold says. “That’s basically encryption without you having to do anything—which is quite cool.”</p><p>The WPA3 protocol was released over the summer, and Qualcomm announced it would support it across its entire line of products and services shortly afterwards. Intel, Cisco, Broadcom, and Aruba also said in press statements that they would support implementation of the new protocol in their products.</p><p>However, Gold says he thinks broad adoption of WPA3 will be slow—especially because the Wi-Fi Alliance will continue to support WPA2 for the time being.</p><p>“Most equipment will support both for the foreseeable future, which actually raises an interesting issue,” he adds. “Whenever there are multiple versions of something running, the first thing to think about is how as an attacker do I stop people from using this new modern stuff with good security features and use the old broken stuff instead?”</p><p>For instance, an attacker would look to downgrade devices to WPA2 so they can be more easily compromised.</p><p>“If I can force you to use WPA2, and you’re using a bad password, then I’m probably going to have a good chance to get in,” Gold says. </p><p>And just because KRACK has not been used to compromise an organization’s network—that we know of—doesn’t mean that attackers will not develop even more robust methods to access Wi-Fi networks.</p><p>“These guys did a great piece of work and now other people will be building on it,” Gold says. “There will be more in the future for this avenue of attacks.”   ​</p>
https://sm.asisonline.org/Pages/October-2018-Industry-News.aspxOctober 2018 Industry NewsGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​World-Class Security</h4><p>Ion Oblemenco Stadium in the Romanian city of Craiova is home to football club CS Universitatea Craiova and has more than 30,000 seats. The futuristic stadium was built to host international and premium league matches, requiring a security solution that meets European football championship standards for safety.</p><p>Craiova officials chose Bosch to implement a complete security solution. Bosch experts installed a fire and safety solution with four fire panels and 1,500 detectors. The sound system includes Electro-Voice Pro Sound speakers for music and commentary, Dynacord Promatrix for evacuation, Bosch loudspeakers for interior sound, and a conference and interpretation system for the pressroom.</p><p>The fully integrated video security system supports 211 cameras, centrally managed via the Bosch Video Management System. Video is monitored by operator personnel and members of Romania’s police during matches and stored on two Bosch DIVAR IP 7000 network video recording units.​</p><h4>PARTNERSHIPS AND DEALS</h4><p>Panda Restaurant Group, Inc., deployed 3xLOGIC VIGIL Trends Business Intelligence software to its North American locations. Interface Security Systems is the integrator and project manager.</p><p>Acronis formed a new technology partnership with Arsenal Football Club to protect data and the club’s IT infrastructure.</p><p>Noodigs Realty Services selected Acuant AssureID for identity verification.</p><p>AEON Credit Service and Fujitsu are testing a cardless payment system using Fujitsu’s palm vein biometric authentication technology.</p><p>Altronix added Paxton Access to its portfolio of Trove Access and Power Integration Solutions.</p><p>Certiport and EC-Council will launch the EC-Council Associate Series certification exams, practice tests, and curriculum.</p><p>Chubb partnered with DynaRisk to offer a cyber loss mitigation service to its Cyber Enterprise Risk Management policyholders in the United Kingdom and Ireland.</p><p>Comodo Cybersecurity announced that Western New Mexico University has chosen Comodo Advanced Endpoint Protection to secure IT assets.</p><p>Country Kitchen selected DTT as its preferred vendor for loss prevention services. </p><p>Endace and Ixia signed a technology partnership agreement to focus on complementary and integrated network solutions.</p><p>GS1 announced a partnership with Optiseller to enable retailers to check their Global Trade Item Numbers (GTINs) across all eBay listings.</p><p>GTL and Sentinel Offender Services will collaborate on advance­ments in offender tracking and monitoring technology.</p><p>Ilitch Holdings, Inc., selected Avigilon Corporation, a Motorola Solutions company, to enhance customer experience and safety at its Detroit properties, including Little Caesars Arena, Comerica Park, offices, and retailers. Identify, Inc., installed the video solution.</p><p>Keepit A/S is collaborating with Veritas Technologies LLC to provide data protection for the Veritas SaaS Backup solution.</p><p>Legrand announced that its On-Q Digital Audio System has been integrated with Alarm.com.</p><p>N8 Identity is now a Microsoft Azure Silver Partner.</p><p>Caesars Entertainment EMEA deployed Pivot3 HCI to protect critical video surveillance data.</p><p>TITUS and Virtru will partner to deliver integrated data security and compliance offerings for enterprises of all sizes.</p><h4>GOVERNMENT CONTRACTS</h4><p>Axon announced that the Honolulu Police Department will deploy 1,200 Axon Body 2 cameras with unlimited storage on Evidence.com.</p><p>Attenti electronic monitoring solutions were selected for an additional term by the Florida Department of Corrections.</p><p>CGI will enhance the cybersecurity posture and risk awareness of federal government agencies participating in a U.S. Department of Homeland Security (DHS) program.</p><p>Dragos, Inc., was selected by the U.S. National Cybersecurity Center of Excellence as a collaborator on the Energy Sector Asset Management Project.</p><p>Edesix recently won the contract to supply body-worn cameras to Staffordshire Fire and Rescue in the United Kingdom.</p><p>Argentina selected HID Global to upgrade its ICAO electronic passport. </p><p>KT Corporation completed a new digital system for national identification in Tanzania.</p><p>Park Assist has a parking guidance system contract for San Francisco International Airport. </p><p>The Mission and Installation Contracting Command at Fort Gordon, Georgia, awarded a contract for cybersecurity training to root9B, LLC.</p><p>Salient CRGT, Inc., was awarded a task order to provide enterprise IT support to the U.S. Defense Technology Security Administration.</p><p>Trust Automation Inc. worked with DHS to obtain license to the Autonomic Intelligent Cyber Sensor technology developed by Idaho National Laboratories.</p><p>Unisys Corporation was selected by the U.S. Navy to develop, operate, and manage software used for secure messaging.</p><p>The Vermont State Department of Motor Vehicles selected Valid USA, Inc., to provide secure driver’s licenses and identification cards. </p><p>The Public Safety Information Sharing and Analysis Organization is adopting the VirnetX Gabriel Collaboration Suite to facilitate secure communications with its member network.</p><p>The Ministry of Home Affairs of the People’s Republic of Bangladesh commissioned Veridos to supply and implement electronic passports and border control systems.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>Avigilon video systems and access control software received SAFETY Act designation as approved technologies from the DHS. </p><p>Coalfire received the Employer Support of the Guard and Reserve Pro Patria Award from the U.S. Department of Defense.</p><p>Dahua Technology USA announced that its 2MP AI Network Box Camera won the 2018 ESX Innovation Award in the video analytics category.</p><p>ECI won the Best Multi-Layer SDN Controller award for its Muse software at NGON 2018.</p><p>Evive Disaster Recovery, Production Network, and User Acceptance Testing applications earned Certified status for information security by HITRUST.</p><p>Illumio Adaptive Security Platform is compliant with the Federal Information Processing Standard (FIPS) 140-2 Level 1 security certification and is in the evaluation stage for Common Criteria certification. </p><p>Italtel announced that its Brazil team won the Technical Readiness Brazil award from Cisco.</p><p>ONVIF announced the winner of its Open Source Spotlight Challenge: CAM X, submitted by Liqiao Ying, offers an object detection system that uses blockchain solutions for storing information obtained from ONVIF cameras. </p><p>Persistent Systems, LLC, announced that its MPU5 mobile ad hoc networking radio received a Level 2 FIPS 140-2 security validation. </p><p>Senstar Symphony received Lenel factory certification and joined the Lenel OpenAccess Alliance Program.​</p><h4>ANNOUNCEMENTS</h4><p>ADME, Inc., parent company of Apollo Security Access Control, created ApolloEM, a new division for sales and support for its software OEM and integration partners. </p><p>Arecont Vision was acquired by Costar Technologies, Inc.</p><p>ASSA ABLOY is acquiring Swiss company Planet GDZ and Chicago-based Door Systems.</p><p>Boon Edam Inc. launched interactive troubleshooting guides for service technicians in the Americas.</p><p>The Brand Safety Institute was launched to advance brand protection through research, education, and professional certification. </p><p>CannaGuard Security is offering franchising opportunities for providing compliant security systems to licensed cannabis growers and retailers.</p><p>CyberInt, in cooperation with Check Point Software Technologies, led Brazilian authorities to cybercriminal Douglas Arrial, who created a phishing kit to sell on the Dark Web.</p><p>Edesix opened a U.S. office in New Jer­sey that will house both U.S. and U.K. staff.</p><p>ExteNet Systems joined the Safer Buildings Coalition to help set standards for in-building public safety wireless communications. </p><p>The Nevada Institute for Autonomous Systems launched the Nevada Drone Center of Excellence for Public Safety to reduce air hazards from drone incursions as drones enter the commercial air traffic system. </p><p>Nice S.p.A. acquired FIBARO.</p><p>RealNetworks, Inc., announced the free and immediate availability of SAFR for K-12, an AI and machine learning based facial recognition solution to help enhance safety in K-12 schools in the United States and Canada. </p><p>Red Hawk Fire & Security, LLC., purchased Security and Data Technologies, Inc., to reach customers in Philadelphia, eastern Pennsylvania, parts of New Jersey, and Delaware.</p><p>Safe-T acquired the intellectual property and marks of CyKick Labs, Ltd.</p><p>Securiosity is a new weekly cyber­security podcast from Scoop News Group.</p><p>SecurityScorecard investigated the top 15 CISOs and their programs and created a downloadable report.</p><p>Sonitrol of Lexington and Bates Security joined with 3xLOGIC to upgrade security for The Nest Center for Women, Children, and Families in Lexington, Kentucky.</p><p>The Streaming Video Alliance published a document on forensic watermarking for streaming media.</p><p>Structured Innovations merged with Legacy Marketing, a manufacturers’ representative agency in the Great Lakes region.</p><p>Summit Companies purchased the Michigan branch offices of Indianapolis-based Koorsen Fire & Security, Inc.</p><p>Threat Sketch released Malicious IT Employee: A Survival Guide, a white paper addressing internal threats. </p><p>Thycotic released a free Incident Response Policy Template, which outlines proactive steps companies can take to build resilience and be prepared to respond to a cyber incident.</p>
https://sm.asisonline.org/Pages/Shaping-Sanctuary.aspxShaping SanctuaryGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​As the holding and deportation of illegal immigrants from the United States took center stage over the summer, cities and states felt increasing pressure to pick a side. Should they enact so-called sanctuary city policies, limiting federal involvement in their law enforcement activities, and foster relationships with immigrant communities? Or should they work with federal officials to assist in detaining and deporting illegal immigrants, sometimes for profit?</p><p>The Trump administration's sweeping crackdown on undocumented citizens has affected a swath of people, from families crossing into the United States illegally to immigrants who have lived in the country for years. Most of U.S. President Donald Trump's message surrounding immigration enforcement has revolved around arresting and deporting criminals, making jails and prisons a target for federal authorities. And as some communities have begun making decisions about their level of support for U.S. Immigration and Customs Enforcement (ICE) within local judicial systems, it became clear just how complex the issue is.</p><p>Travis County, Texas—home to the state's capital, Austin—enacted a policy that prevents detention of individuals based solely on their immigration status in November 2016. While Austin's police department has not taken a public stance on cooperation with ICE, leaders have stated they will not focus on a person's immigration status but will still partner with federal agencies in immigration matters if the case involves criminal activity. </p><p>Travis County's proclamation sparked state legislators to pass an anti-sanctuary bill that, among other things, allows all law enforcement officials to ask detained individuals about their immigration status and requires them to honor immigration detainment requests from ICE. And while Austin has fought back against the bill, several state, county, and city law enforcement agencies operate within the city—including the police department, four county sheriff's departments, and the Texas Highway Patrol—making it more difficult to enact an across-the-board sanctuary policy.</p><p>Similar complications are playing out further east. Charlotte, North Carolina, attempted to put immigration protections in place in 2015, passing a resolution that prohibited the city's police department from inquiring about the immigration status of the people it came across, but—much like in Texas—state legislators prohibited policies that curbed the collection of immigration status information. In this case, though, the Mecklenburg County Sheriff's Office has maintained an agreement with ICE that allows them to identify and detain illegal immigrants. </p><p>And taking precedence over the policy complexities within states, counties, and cities is Trump's 2017 executive order to withhold funds and otherwise punish some 300 cities and officials that do not cooperate with ICE. The sanctuary city ban entered a legal back-and-forth, with one court blocking the order nationwide, and an appellate court later determining that Trump could not withhold funds from cities, but that the nationwide block of the order was too broad. The case will be sent back to a lower court to determine whether a wider ban is needed.</p><p>While local police departments may implement policies to build relationships with the city's immigrant community, county sheriff departments—which largely own local jails—may have more impact on a community's sanctuary policies, says Bipartisan Policy Center (BPC) political analyst Cristobal Ramo ́n.</p><p>"I think that as this issue has really been spreading across the country and become a core part of the debate, that's where the pressure is coming from," Ramo ́n tells Security Management. </p><p>"Independent of what states are doing with the laws and on the ground, a county sheriff's office may promote cooperation or not promote cooperation with ICE for a range of different reasons."</p><p>Ramo ́n coauthored a February 2018 BPC report on the nexus between immigrants, the immigration enforcement system, and local law enforcement. The report focuses on immigrants who are detained in local jails, either awaiting trial or serving out terms of less than one year. There are many aspects that go into what makes a sanctuary city, but Ramo ́n says one of the cornerstone aspects is what goes on inside city jails.</p><p>"These agencies can have a variety of policies that promote or limit the capacity of ICE to access noncitizens in their facilities…and these policies can be independent of the local police departments who do the majority of arrests and bookings," the BPC report states. </p><p>Sheriff's offices are already deeply intertwined with ICE operations—about half of ICE's total detention population is housed in state and local jails and facilities, including one of Mecklenburg County's jails. The BPC report outlines the varying levels of involvement sheriff's departments can play in federal immigration enforcement, from identifying illegal immigrants and reporting them to ICE to complying with immigration detainers—where a jail will hold an individual for up to 48 hours beyond their scheduled release date so that ICE can take them into custody. "County governments that operate jails are not required to honor detainer requests under federal regulations," the BPC report notes.</p><p>Other formal agreements include 287(g) agreements, which delegate many of ICE's powers to local law enforcement. Under the agreement, local jurisdictions receive money to pay for the training of officials that will allow them to legally inquire into a person's immigration status, detain individuals beyond the time they would be held in local custody, and issue Notice to Appear documents to begin deportation proceedings. More than 75 jurisdictions have entered into 287(g) agreements, and almost half of those joined under President Trump's revised program. In 2017, 287(g) agreements led to the deportation of some 6,000 illegal immigrants.</p><p>BPC studied five metropolitan areas—Atlanta, Austin, Charlotte, Denver, and Los Angeles—and only Charlotte's county sheriff has a 287(g) agreement. Ramo ́n points out that the Fulton County Sheriff's Office, which oversees jails in Atlanta, had previously participated in the program but did not join Trump's revised agreement because they could not justify participation in the program. </p><p>"They did not interact with enough undocumented immigrants, and said that it was impractical," Ramo ́n notes. However, six other counties in Georgia recently joined the 287(g) program. </p><p>At the beginning of this year, ICE announced a new program, known as a Basic Ordering Agreement (BOA), which gives sheriff's departments $50 and an arrest warrant to detain an immigrant for 48 hours after he or she should have been released. BOAs allow participants to circumvent legal issues and liabilities that have cropped up with counties involved with 287(g). The act of holding individuals past when they should be released violates the Constitution, immigrant advocates argue, so local jails that hold immigrants past a normal amount of time can be subject to litigation—which is often successful. Since a BOA is an agreement rather than a contract, it allows participating counties to detain immigrants without fear of liability. So far, 17 sheriff's offices in Florida participate in the program, and that number is expected to increase.</p><p>Ramo ́n points out that finances can play a part in whether cities are immigrant-friendly. Incentives such as the $50 BOA fee and 287(g) grants and reimbursements for housing immigrants may entice local law enforcement, he says. And, in a broader scope, allowing privately run ICE facilities to operate in an area can bring significant financial benefits. </p><p>"As the debate about family detention and separation is ongoing and cities and counties are thinking about whether they want these facilities in their area, one of the arguments is that these facilities also bring in jobs," Ramo ́n notes. "There is that component of additional financial revenue or jobs being created through private facilities. It's just something else people are considering at the moment."</p><p>County sheriff departments' actions go a long way in defining a city's status as immigrant-friendly. Mecklenburg County Sheriff's Office, for example, has solidified Charlotte's standing as hard on illegal immigration, despite the city's attempt to pass sanctuary city policies a few years ago. </p><p>And in Austin, the Travis County Sheriff's Office has set an example by completely cutting ties with ICE and permitting its officers to reject requests to detain individuals based on their immigration status. </p><p>Other sheriff's offices around the country fall in the middle, where some such as Denver will honor detainer requests but won't hold immigrants past their release periods. Other jurisdictions like Los Angeles allow ICE into jails despite a citywide push to end cooperation with the agency.</p><p>"The very term 'sanctuary cities' belies the fact that there are many law enforcement agencies that may operate within cities, and that the police can also operate at county or state levels," the BPC report states. "Policy makers should carefully analyze the practices of different levels of law enforcement across each state to develop policies based on a better understanding of cooperation between ICE and local law enforcement agencies."</p>
https://sm.asisonline.org/Pages/Portrait-of-a-Shooter.aspxPortrait of a ShooterGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Do active shooters display any detectable warning behaviors at some point before an attack? The FBI has found that they do.</p><p>In the new report A Study of Pre-Attack Behaviors of Active Shooters in the U.S. between 2000 and 2013, authors and researchers from the FBI’s Behavioral Analysis Unit looked at a scientific sample of 63 active shooters who were involved in the 160 active shootings that occurred in the 2000-2013 time period. The FBI found that most of these 63 shooters exhibited four warning behaviors before they attacked. </p><p>These four warning signs, which the report calls “concerning behaviors,” were noticed around the shooter’s mental health (62 percent), interpersonal interactions (57 percent), leakage of violent intentions (56 percent), and quality of thinking or communications (54 percent).</p><p>“What emerges is a complex and troubling picture of individuals who fail to successfully navigate multiple stressors in their lives while concurrently displaying four to five observable, concerning behaviors,” is how the report describes the 63 active shooters. The FBI defines active shooter as someone actively killing (or attempting to kill) people in a populated area. Not all active shootings are classified as mass shootings, which is a broader category of shootings in which three or more people are killed. </p><p>Other shooter characteristics emerge from the FBI’s data portrait. A large majority (77 percent) spent a week or more planning the attack. Very few (8 percent) obtained their firearms illegally. And, contrary to the stereotype of a shooter as isolated and cut off from society, the study found that 68 percent of shooters lived with someone else, and 86 percent had significant in-person social interactions with at least one other person in the year of the attack.  </p><p>In addition, almost all of the shooters were under a significant amount of stress. On average, the shooters were experiencing 3.6 separate stressors in their lives in the year before they attacked, the report finds. The most common stressors were mental health (experienced by 62 percent of shooters), financial strain (49 percent), and job stress (35 percent). </p><p>However, the FBI cautions that the mental health stressor is not synonymous with a diagnosis of mental illness. “The Stressor ‘mental health’ indicates that the active shooter appeared to be struggling with (most commonly) depression, anxiety, paranoia, etc., in their daily life in the year before the attack,” the authors write. So, while 62 percent of the shooters were experiencing a mental health stressor, in only 25 percent of the cases was the FBI able to verify that the shooter received an actual mental illness diagnosis. In 37 percent of cases, the FBI could not determine if a diagnosis had been received or not.</p><p>Demographically, there are two characteristics that were common among the shooters. The overwhelming majority (94 percent) were male, and a solid majority (63 percent) were white. However, a range of different races were represented. Shooters have been Asian, black, Hispanic, Middle Eastern, and Native American. </p><p>As for the troubling behaviors, the report emphasizes that these behaviors were “objectively knowable” to others. This, then, addresses a particular issue, according to the FBI: “the possibility of identifying active shooters before they attack by being alert for observable, concerning behaviors.” However, one fact that works against this possibility is that troubling behaviors are not always reported. In fact, the study found that the most common response to an observed concerning behavior was to communicate directly to the shooter (83 percent) or do nothing (54 percent). The behavior was reported to law enforcement in 41 percent of cases. </p><p>Brad Spicer, a member of the ASIS School Safety and Security Council and president and CEO of SafePlans, says that the FBI’s study is of significant value for those looking to detect and prevent school shootings. “If an incident occurs at X time on a time line, then everything before X is an opportunity to prevent the incident,” Spicer says. The study is also a good supplement to another valuable resource for school shootings, the FBI’s four-pronged assessment model, Spicer adds. That model was released in a previous FBI report, The School Shooter: A Threat Assessment Perspective. </p><p>Under the four-pronged assessment model, a student who has made a threat is evaluated based on circumstances and behaviors in four areas: personality of the student, family dynamics, school dynamics, and social dynamics. “It continues to be refined. It’s a great resource,” Spicer says. </p><p>In the school setting, early detection of troubling behaviors is not only a good way to help prevent future violence, but it also has value as a tool for identifying students who may need support and help, Spicer says. Once identified, remedial assistance can then be given, the level of which will be appropriate to the case at hand. “This is not a situation where we are going to be engaging the SWAT team and dragging the child into the hallway,” he explains. </p><p>In the workplace, information generated by the FBI’s study can be used as part of a threat assessment program that educates employees about what to look for in terms of possible concerning behaviors, Spicer explains. A team can then review possible threats, to make sure they are legitimate. “You never want to ignore a problem,” he says. </p><p>However, Spicer also explained that he was not surprised by the FBI’s assertion that troubling behaviors often go unreported, such as the report’s finding that nothing is done in 54 percent of cases. This is especially true where the person observing the behavior has an intimate relationship with the suspect, such as a family member or spouse, Spicer explains. </p><p>“While that reluctance is understandable, no one should ignore their own built-in danger detector: their intuition,” says Spicer, who adds that intuition is helpful and correct in two ways—it is always acting in the subject’s best interest, and it is always based on something. So, a spouse or family member whose intuition is telling them that the troubling behavior they are witnessing could be signaling something serious should report this, perhaps to a threat assessment professional in the workplace, or a mental health professional. </p><p>“There’s no easy button for preparedness,” Spicer says. “People have to take some accountability and use the resources that are out there.” </p><p>Those resources now also include a new guide by the U.S. Department of Homeland Security, K-12 School Security: A Guide for Preventing and Protecting Against Gun Violence. </p><p>The guide includes information on developing a school security process called Connect, Plan, Train, Report (CPTR). It also includes sections on threat assessment teams, mental health and school climate issues, and the importance of looking for behavioral warning signs. </p><p>“The importance of detecting and addressing concerning behavior, thoughts, or statements cannot be overstated,” the guide’s authors write. “In fact, preventing violence by detecting and addressing these red flags is more effective than any physical security measure.” ​</p>
https://sm.asisonline.org/Pages/Artful-Manipulation.aspxArtful ManipulationGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p></p><p>Chief financial officer Malcolm Fisher never thought he would be victimized by cybercrime—until a social engineer successfully impersonated him and bilked his company out of more than $125,000. </p><p>It was relatively easy for the criminal to identify Fisher as a high-value target given his key position within the company—his bio was readily available on the company website. And Fisher's social media profiles on Facebook, Twitter, and LinkedIn revealed several bits of information that marked him as a dream target for a diligent social engineer.   </p><p>Fisher frequently participated in poker tournaments and was not modest in describing his success at the table. He posted about attending an upcoming tournament in Las Vegas and catalogued his travel plans across social media platforms. Shortly after his arrival to Las Vegas, Fisher received a text message from what appeared to be the tournament organizer providing a link to the updated schedule. When he clicked on the link, nothing seemed to happen—but he had just unwittingly provided the social engineer with entry into his company-issued mobile device. </p><p>Knowing that the tournament started at 11 the next morning, the fraudster hijacked Fisher's email account and sent an urgent message at 11:15 a.m. to a colleague. The email—supposedly written by Fisher—instructed the employee to immediately wire $125,000 to a vendor, noting that he would be out of touch for several hours because he was attending the tournament. </p><p>The employee, never questioning his boss's instructions, immediately processed the wire transfer. While Fisher left Las Vegas very pleased with his tournament winnings, he soon learned that he was the one who got played.   </p><p>This scenario is not unusual. With more focus than ever on enterprise cybersecurity and preventing data breaches, many executives believe that technology alone provides sufficient protection against such threats. </p><p>But sophisticated threat actors—whether they be nation states, criminals, activists, or disloyal competitors—will frequently target the most significant vulnerability found in most organizations: the human factor. The interaction between human beings and the technology meant to protect the organization is frequently referred to as the weakest link in security.</p><p>The most common method used by these threat actors to exploit the human factor vulnerability is social engineering. In fact, according to the 2018 Verizon Data Breach Investigations Report, more than 90 percent of successful security breaches start with some aspect of social engineering.  </p><p>Social engineering is the skillful manipulation of organizational insiders to undertake certain actions of interest to the social engineer. Insiders are not only employees of the organization—they include anyone who may have unescorted access into a target organization, including service providers such as the guard force, cleaning crews, catering companies, vending machine stockers, maintenance contractors, and more.</p><p>Greater awareness and insight into this process provides a better opportunity to mitigate the risk of social engineering attacks.   </p><h4> Collecting the Data</h4><p>Prior to launching any type of attack against the target, a professional social engineer will spend time collecting available open source information. While such collection may be from a variety of resources, the most frequent medium is simple online research. </p><p>Almost every organization has a website with information about the company, its products and services, executive profiles, press releases, contact information, and career opportunities. <br></p><p>While all such sections may provide useful information to a social engineer, executive profiles—which often contain full names, titles, pictures, and a brief biographic sketch—provide considerable insight into key insiders and where they fit into the organizational structure. </p><p>Career opportunities, along with company contact information, provide exploitable details and a portal through which a social engineer may seek direct or indirect contact with the organization.        </p><p><strong>Job postings and reviews. </strong>Whether posted on the organization's website or advertised on online job boards, job postings can provide a wealth of information. At a bare minimum, such postings will usually reveal the basic preferred IT qualifications sought from an applicant, providing valuable insight into the operating systems and software programs the organization uses. The job description might also provide insight concerning potential expansion of the organization, whether it be geographically or through a new product or service.  </p><p>With a job posting, an organization is inviting contact with someone from the outside. It provides social engineers an opportunity to electronically submit a cover letter or resume—either directly through human resources or to someone else within the organization chosen by the social engineer to forward the resume onward. The email, along with attachments, can be a medium to introduce malware into the target's system. </p><p>While less frequently exploited, such job postings can also create opportunities for social engineers to interview with the employer and elicit sensitive information. </p><p>Employer review sites such as Glassdoor can provide useful workplace insights posted by employees. These reviews inform the social engineer about the pulse regarding the morale within the organization. Generally, it is much easier to manipulate a disgruntled employee than someone who is happy and loyal to his or her employer.  </p><p><strong>Social media and search engines</strong>. While an organization may aggressively use social media to help promote their products and services, an unintended consequence can be the leakage of exploitable information. </p><p>Employees often upload photographs of themselves and coworkers in the workplace, revealing information about physical workspaces to include actual floor plans, office configurations, security system hardware, IT systems, employee badges, or employee dress. Much of this information can be extremely useful if planning an actual physical intrusion into the company.    </p><p>Creative Google searches will take the social engineer well beyond the most popular entries surfaced regarding the organization's name. </p><p>For example, a simple yet creative search of the company's name and the words "pdf" or "confidential" may surface documents such as employee manuals, employee benefit packages, IT user guides, or contracts. These searches can identify companies subcontracted by the target company for services such as janitorial, trash disposal, security, catering, or temporary staff. </p><p>A search for public court records will provide access to nationwide criminal and civil court documents. These documents will frequently contain operational details regarding the target company or officials that the company would have preferred to maintain confidential.  </p><p>A common misconception regarding the Internet is that once a company has deleted or modified information previously contained on its corporate website, the original information is no longer available. This is false. </p><p>The Wayback Machine is a digital archive of the World Wide Web and enables users to see archived versions of web pages as far back as 1996. Even if an organization's new security director decided to remove potentially sensitive information from the entity's website, the social engineer can attempt to use the Wayback Machine to retrieve it.  </p><p>Sites such as Google Maps help the social engineer virtually conduct reconnaissance—if the social engineer considered launching an intrusion into target offices, he or she would want to learn as much as possible about access points, access control including badge readers or other access systems, surveillance cameras, and guards. </p><p>The social engineer could also use the maps to identify businesses near the target location that employees may frequent and orchestrate a run-in, resulting in a onetime casual conversation with an employee to carefully gather information not available via open source. It could also be an opportunity to develop an employee for use as a future insider source. </p><p>A second potential objective for the reconnaissance is the identification of locations in the vicinity that make deliveries to the target's office, such as flower shops or restaurants. With this information in hand, the social engineer may decide to impersonate someone making a delivery to obtain unescorted access onto the premises. </p><p><strong>Insiders. </strong>Beyond collecting information on the organization, social engineers also target insiders in these entities. There could literally be several thousand employees in a medium to large organization, but the social engineer only needs to collect useful data on one or more well-placed individuals. </p><p>He or she will want to know as much as possible about targeted insiders' personal and professional backgrounds, as well as an indication of what their motivations may be. With this information in hand, the social engineer can better manipulate them.  </p><p>The most common starting point for data collection on insiders is through social media sites. While there are hundreds of such sites bringing together more than 3.3. billion users, social engineers will typically use sites providing the most prolific information.   </p><p>Facebook can be used to find pictures of a targeted insider and their network of contacts. Here one can learn where the targets live, their age and birthdate, where they went to school, their hobbies and interests, and past and future travel plans. When faced with a target who may enact privacy settings, the resourceful social engineer will turn to the accounts of the target's spouse or children that may lack such privacy settings.    </p><p>Twitter can provide play-by-play action of where the target is and what they are doing at that moment. And on LinkedIn, a social engineer will learn about the target's professional, academic, and work profile; professional interests; and network of contacts.​</p><h4>Manipulating Targets</h4><p>Social engineers use four types of attack vectors to scam companies out of money, intellectual property, or data.</p><p><strong>Phishing. </strong>Phishing currently represents more than 90 percent of all social engineering attacks. This includes typical spam emails requesting that the recipient click a link or open an attachment embedded in the email, which could lead to the downloading of malicious tools that could potentially compromise the recipient's computer, if not the entire IT network. </p><p>While such emails do not target specific people and are literally sent out by the thousands, even a small percentage of recipient victims who click on the link may provide the sender with a viable return on investment. </p><p>Professional social engineers will use spear phishing, which effectively tailors the email to a specific target leveraging information previously gleaned from data collection. This will greatly enhance the likelihood that the chosen target will click on the link or open the attachment. </p><p>Another variation would involve the social engineer creating a fictitious LinkedIn account and engaging the target on a specific issue. If the target has a tendency of not accepting invitations from unknown individuals, the social engineer will first invite the target's peers to connect. Then, when the target sees that several of his industry peers are already connected to this fictitious profile, he will also likely accept. </p><p>Once successfully linked, the social engineer will exchange a few emails with the target, leading to one hosting the link or attachment containing the malware. As their previous exchanges have likely resulted in the building of rapport and trust, the target will likely fall vulnerable to the attack.    </p><p><strong>Smishing. </strong>This technique is similar to phishing, but instead of using email as a medium to deliver the attack, the social engineer will send a link or attachment via text message. The result is the same. While smishing is not yet as common as its phishing cousin, it is expected to begin mirroring trends in mass marketing, which is moving more and more to SMS due to the high open rates.  </p><p><strong>Vishing.</strong> For professional social engineers, vishing can be fun and exhilarating. While requiring a little more skill, vishing is typically much more effective than the previously mentioned techniques. Here the social engineer will telephone the target using any one of several ploys or pretexts. To increase credibility, the social engineer will spoof the call and manipulate the caller ID seen on recipient's end.  </p><p>Say a social engineer wants to collect protected information regarding the status of a new product at a target company headquartered in Chicago. Posing as a new assistant to the company's vice president of operations, the social engineer will call the operations manager for one of the target firm's laboratories in Los Angeles. </p><p>To add credibility, the social engineer will spoof the call, making it appear as though the telephone number is from the vice president's Chicago office. She will state that the vice president is making final preparations for a meeting about to take place and urgently needs updates on the product's rollout date and expenditures compared to budgeted figures. As the request appears to be genuinely coming from someone in a position of authority, combined with urgency, the social engineer will likely be successful. </p><p><strong>Direct intrusion. </strong>While considered the most difficult of the four techniques to execute, this is usually the most successful. It involves face-to-face interaction with the target. </p><p>The social engineer can choose from a variety of pretexts for attempting this contact, including posing as someone with an appointment inside of the building, IT support, a fire inspector conducting a survey, or a member of contracted service providers. </p><p>The social engineer could easily pose as someone making a delivery of a package requiring the recipient's signature, even going so far as to procure a FedEx or UPS uniform online. After reviewing the identified locations near the target facility, the social engineer could also pose as someone making a delivery of flowers, office supplies, or fast food. </p><p>Once inside the facility with unescorted access, the social engineer may emplace listening devices in conference rooms or keyboard loggers to capture specific information, such as network usernames and passwords. </p><p>How difficult would it be for a social engineer to leave several thumb drives around the premises marked "Confidential Payroll?" Betting on the nature of human curiosity, the social engineer would expect that at least one of the employees would find and insert one of the drives into the computer, hoping to see what compensation others are receiving in the company. When they do, the social engineer is successful in uploading malicious files, potentially compromising the network.  </p><p>Another successful ploy involves the social engineer posing as an executive recruiter. Without a need to divulge the name of a specific client, the "recruiter" can directly contact the target insider, saying that they were impressed by the insider's professional background as seen on LinkedIn and believe that the target may be a great candidate for an attractive position they are trying to fill. </p><p>Feeling nothing to lose, the target will frequently allow the social engineer, either over the telephone or during a personal meeting, to elicit considerable information regarding the target's own background, as well as confidential information regarding current and past employers.        </p><h4>​Influence Techniques</h4><p>Perhaps the main character trait that makes humans so vulnerable to a social engineering ploy is the tendency to blindly trust everyone, even people they do not know. This blind trust can be fatal to an organization's security posture. It is this trust that makes it easy for social engineers to convince their victims that they are whoever they pretend to be.  </p><p>In addition to leveraging trust, professional social engineers will also exploit any number of influence techniques. As victims are more likely to assist someone they find to be pleasant, the social engineer will attempt to develop strong personal rapport prior to making the request. Similarly, if the social engineer conducts a significant courtesy or kind deed for the victim, the target will often feel a strong sense of obligation to reciprocate by performing a deed for the social engineer.  </p><p>Victims are more likely to comply if they believe that the request is coming from someone in authority, or if the social engineer pressures the target by implying that refusing to assist will be seen by others as socially unacceptable. Another tactic involves the social engineer asking for something that the victim initially finds implausible to comply with. The victim will subsequently agree to comply with a request from the social engineer which appears to be meeting halfway. </p><p>The social engineer may also take advantage of the perception of scarcity, putting pressure on the victim to make a quick decision as the perceived window of opportunity for the victim is about to close.  ​</p><h4>Mitigating Attacks</h4><p>There are basic measures that can significantly lower the risk that an organization will be victimized. </p><p>First, the amount of unnecessary, yet exploitable, data about organizations that can be found online needs to be minimized. In addition to establishing clear policies regarding what employees can post online regarding the organization, there must be someone responsible to periodically scan key sites to ensure compliance. The more data available to social engineers, the more likely the organization will be on a list of targets. </p><p>While unenforceable, this same practice should be encouraged among the organization's employees regarding the personal information they post on social media.      </p><p>A second measure is establishing social engineering awareness training within the organization. Such training will sensitize employees to recognize potential social engineering attacks and what specific actions they should take. </p><p>Warning signs of a potential social engineer at work may involve a caller refusing to give a callback number, making an unusual request, or showing discomfort when questioned. Employees should also take note if a caller makes claims of authority, stresses urgency, or threatens negative consequences if the employee doesn't act. And if a caller engages in name dropping, flirting, or complimenting, that could be a red flag as well.</p><p>Once alerted, employees need to know what actions to take—simply not complying with the social engineer's request is not enough. Organizations need to have a system in place where the employee can promptly bring such attacks to the attention of security, via incident reports.  </p><p>Employees need to receive this type of training on a periodic basis, ideally annually. To be truly effective, the training should be accompanied by social engineering penetration testing, which mimics potential ploys used by threat actors to breach the organization's security. </p><p>By conducting a social engineering awareness campaign, employees will remain alert to such threats and undertake appropriate actions, thereby decreasing existing vulnerabilities. </p><p>In all interactions—whether via email, text, over the phone, or in person—employees must first verify that the person is who they say they are and that they have a legitimate request. Remember this slogan: verify before trusting. n</p><p><em>Peter Warmka, CPP, is director of business intelligence for Strategic Risk Management and an adjunct professor for Webster University's cybersecurity masters program. He is a frequent speaker on social engineering threats at conferences for trade associations and wealth management advisory firms. Warmka is a member of ASIS International.</em></p>
https://sm.asisonline.org/Pages/A-Failure-to-Plan.aspxA Failure to PlanGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p></p><p>A rare meteorological event occurred in 2017 when three Category 4 hurricanes were simultaneously ongoing in the Pacific Ocean. At the same time, wildfires swept across the western United States in California, Montana, and North and South Dakota.<br></p><p>Harvard climate expert James McCarthy indicated that "economic losses from extreme weather-related events are rapidly escalating," in an article for The Universal Ecological Fund.</p><p>Supporting McCarthy's finding, Swiss Re said in a report to its shareholders that "total economic losses from natural catastrophes and man-made disasters amounted to USD $175 billion in 2016, almost twice the USD $94 billion seen in 2015."</p><p>Global insured losses from disasters also totaled $54 billion in 2016, up from $38 billion in 2015, according to Swiss Re, a leading reinsurance company.</p><p>Yet many organizations continue to struggle with their emergency and crisis management plans. This article includes some case studies that provide insights into common challenges during an emergency and recommendations on how organizations can respond and recover, quicker.​</p><h4>Lessons Learned</h4><p>Recently, one of the authors was conducting a threat, vulnerability, and risk assessment for a large corporation on the East Coast of the United States. While at the corporation, the author met with the company's business continuity and emergency management director.</p><p>When asked about the company's emergency management program and response, the director produced a four-inch binder with a cover titled Emergency Operation Plan (EOP). </p><p>The director said the plan was developed by a consultant, who assisted in creating the National Incident Management System (NIMS) and the Incident Command System (ICS) framework, an operational protocol hierarchy that integrates public, private, and government resources to address domestic incidents across all phases of an emergency.</p><p>The EOP defined the scope of preparedness and incident management activities necessary for the organization. It described its organizational structure, roles and responsibilities, policies, and protocols for providing emergency support.</p><p>The plan was robust and capable of handling any type of emergency. The robustness of the plan, however, provided unfounded trust in the efficacy of response and presented some cognitive biases that were apparent when interviewing others beyond the director.</p><p>For instance, everyone interviewed knew of the EOP, but no one knew their role or how to activate the plan should an emergency occur. They relied on the director to provide that direction. </p><p>When the plan was tested, one of the authors introduced a wildcard element by removing the director from the response process. This drastically increased the response time of the organization and taught a lesson that the plan did not account for: staff redundancy. </p><p>The organization needed a more granular version of its response so employees and key members of the crisis management team would know how to activate it should the director be unable to do so.</p><p><strong>Communication. </strong>On August 23, 2011, in New York City shortly after 1:00 p.m. the high-rise building one of the authors was in began to sway. There was no communication about what was happening from building or security personnel.</p><p> A woman yelled out "it's happening again!" in a reference to 9/11, and people began to run to the stairwells to evacuate the building.</p><p>With the evacuation in full swing, an announcement was made: "A vibration has been felt in the building. Please stay at your location. More information will be provided."</p><p>Most people, however, had already begun to evacuate. They were determined to get out of the building and disregarded the message. The author on site remained in the building until another announcement was made over the public-address system that a 5.8 earthquake had occurred in Virginia and everyone should evacuate the building.</p><p>The author evacuated the building, stepped outside, and began to look for a mustering point. But the streets were flooded with people, making emergency vehicle access impossible and presenting a dangerous situation with the thousands of pounds of glass from the building above.</p><p>This incident demonstrates that if there is not clear communication during an event, people will act—and will encourage others to do so—possibly putting themselves in an even more dangerous position.</p><p><strong>Leadership. </strong>One of the authors had the opportunity to tour a critical infrastructure situational awareness room recently. The large facility was tiered like a movie theater, supporting floor-to-ceiling monitors that were concave to allow sightlines from within the room.</p><p>During a review of emergency operations, the author was assured that the response program was sophisticated and included redundancies in staffing technology. </p><p>"Has the building ever lost power?" the author asked, after which the room went dark. Emergency lights activated and everyone in the room began to look to others to take charge of the response.</p><p>Once time had elapsed, people gathered their thoughts, regained their composure, and transferred the critical systems to an off-site backup. The incident showcased the lesson that there will be a lapse in response time while people reference their crisis manual to find out who's in charge—creating overall recovery delays.</p><p><strong>Changes.</strong> For every emergency plan the authors have tested, one of the key lessons is that an emergency action and crisis plan is a continual work in progress. As threats change, the plan must continue to adapt.</p><p>One example of this lesson in action occurred at a California hospital five years ago. The hospital decided to conduct an active shooter drill with the help of its patients. However, it announced that it was conducting the drill by issuing a "code silver" over the public-address system.</p><p>The emergency department staff began to respond, but patients and visitors were confused because they did not understand what a code silver meant. To include participation in the drill, the hospital needed to more clearly communicate what was happening so patients and visitors could effectively respond.​</p><h4>Effective Response</h4><p>Based on the lessons learned from the authors' experiences of testing emergency response plans, they recommend organizations conduct fidelity testing of their incident management planning and training. This will help organizations apply the right level of scrutiny to their plans and actions.</p><p>Applying fidelity testing to incident response training and execution can incorporate simple, but effective, gap analyses of critical program and process design qualities. This testing will help stakeholders understand their level of preparedness and response orchestration.</p><p><strong>Validity. </strong>Check the validity of the original incident management plan. A review is the first step because the plan sets the framework for incident management and articulates all actions before, during, and after an incident—including training. </p><p>The plan should be based on a proven model, such as NIMS, and incorporate actionable, strategic, and tactical direction for each designated participant.</p><p>The organization should also look for gaps and assumptions made in the plan. For example, a specific role in the plan may be assigned to a functional leader but lack substantive direction for execution. Or, the designated leader may not have the right level of composure to execute his or her tasks under pressure.</p><p>If the plan needs to be updated to address these issues, the organization should make those changes before carrying out the full fidelity test. This is because the test will only work if the plan is comprehensive and actionable in terms of preparation, execution, and training requirements.</p><p><strong>Vigilance. </strong>Check the current level of responders' vigilant behavior. A qualitative method for determining an organization's level of preparedness is to observe how quickly designated responders can switch their mental processes and physical actions from a state of normalcy to a state of active response.</p><p>A simple way to test this is through a surprise, scenario-based activation of each responder who is then timed from initiation to completion of the test. These tests should be conducted at least quarterly, and organizations should determine whether the desired outcomes were achieved based on the presented scenario.</p><p>In turn, this will help each responder retain information about the test results and make improvements in smaller, more manageable increments.</p><p>After re-testing, organizations should report on implemented improvements and their scale as part of established metrics, such as overall achievement of desired outcomes, reduction of time for task and process completion, and retention of information.</p><p><strong>Training. </strong>Organizations should assess their current training by assessing the design, frequency, and knowledge retention of that training. It's important to determine whether existing training is actionable and produces desired outcomes from each participant with a minimum number of assumption gaps. </p><p>Good training programs will include a blend of interactive and practical content designed to be emotionally compelling for participants; interactive and practical exercises with the element of surprise; well-researched, relevant, and comprehensive training scenarios; and strict time parameters for completion of individual and team tasks.</p><p>Additionally, training programs should have metrics tied to gaps between demonstrated execution and desired outcomes, such as time to complete tasks and processes, as well as quality of task completion relative to desired outcomes.</p><p>Along with these characteristics, training programs should also include immediate post-exercise documented feedback with follow-up actions, and continuous improvement demonstrated through metrics.</p><p><strong>Simplify. </strong>Each responder should have defined parameters of their responsibility during incidents. A well-designed fidelity test will identify these parameters—dubbed sandboxing—to assess how each responder executes the plan in relation to them. </p><p>To assist with this process, it's useful to create flowcharts of each responder's assigned process. This will help determine three findings: whether assigned tasks of each responder are simple enough to execute and connect well with processes of other responders; the abilities of each responder in executing certain tasks; and what skill gaps responders can close on their own with help from others.</p><p><strong>Recognition. </strong>Skill gaps are like assumptions. When unknown or ignored, they often serve as the root cause of incident management failures. This is why it's important to identify skill gaps as part of a fidelity testing exercise.</p><p>This exercise will make it easier to uncover skill gaps. It is difficult for individual incident responders to objectively identify skill gaps on their own because of inherent psychological biases, such as confirmation bias, overconfidence, or timidity.</p><p>According to multiple psychological studies, humans learn better from the mistakes of others or when their mistakes are noted by friends and colleagues.</p><p>Identifying and mitigating skill gaps helps the entire incident management program and demonstrates the organization's commitment to improvement and resilience. When expressed statistically, the mitigation of skill gaps can help demonstrate the overall program's value.</p><p><strong>Technology.</strong> Another benefit of well-designed and executed fidelity testing is the identification and mitigation of gaps in technologies used for incident management.</p><p>One of the most trivial—but often overlooked—issues is secure and interoperable radio communication. There have been numerous incidents, including 9/11, during which radio communication failed because of physical and electronic interference or other factors. Because radios were not interoperable, no one knew what others were doing.</p><p>In addition to radios, various other technological tools can be analyzed to understand their individual and collective benefits and shortcomings. It is always a good idea to demonstrate gap reductions or eliminations, both qualitatively and quantitatively, because this is most directly relatable to senior leadership.</p><p>Re-test. It is a natural process to re-test incident management programs. The key is to build habits for continual improvement because the main objective is to achieve optimal orchestration of human and technological performance during training and real incidents with minimal assumptions and skill gaps.</p><p>Real orchestration occurs when these components are present: a validated, justifiable, and actionable plan; scenario-driven, relevant, and frequently administered training that's timed and entails emotionally compelling interactive and practical content; continual program improvement; and meaningful metrics related to desired outcomes.</p><p>Incident management is best achieved through orchestration of individual components and responders and technology. Today, many organizations continue to struggle with achieving orchestration because of unaddressed skill gaps and assumptions in their planning. But this can be addressed and prevented in the future through fidelity testing. </p><p>"If you fail to plan, you are planning to fail," said Benjamin Franklin, and emergency and crisis management plans are no exception. </p><p>A well maintained and trained emergency management plan can provide significant dividends in recovery. Given the natural—and man-made—challenges ahead of us, emergency planning should be a staple in every organization.   </p><h4>​Sidebar: Reasons for Failure<br></h4><p>​There are many reasons that emergency response plans fail. Below are some examples of problem statements that can contribute to failure.</p><p><strong>It won't happen to me.</strong> People often fail to recognize that a crisis can happen to them, and organizations are no different. People and organizations tend to be concerned with large ever-changing threats, while forgetting more closely related operational issues.             </p><p>L<strong>oose plans without governance, leadership, or skills. </strong>Many emergency plans are check marks for organizational certifications or accreditations. They are handed down by the board or C-suite without a complete understanding of organizational resources and the total economic impact of creating a well-orchestrated and functional plan. ​When a formal security organization does not exist, the edict and direction of the plan will fall to an existing employee or department, who may hire a consultant or conduct an online search to cut and paste a plan that is not relevant or applicable to the organization.</p><p><strong>Too much information.</strong> Emergency plans are not simple. And for large organizations, they can be lengthy and create information overload that increases the time it takes to respond to an incident.</p><p><strong>Lack of training.</strong> Live action drills can be costly and create productivity challenges. Organizations have taken to Web-based learning, which exacerbates the problem because employees rush to get through the training, often retaining little of what they have learned. However, the organization obtains a mark for conveying the information and considers itself prepared.</p><p><br></p><p><em>Ilya Umanskiy, PSP, RAMCAP, MA, is founder and principal at Sphere State, Inc. Sean A. Ahrens, MA CPP, CSC, FSyl, is security market group leader for AEI/Affiliated Engineers, Inc., and specializes in threat assessment, crisis management, and security systems design. He can be reached at sahrens@aeieng.com.</em></p>
https://sm.asisonline.org/Pages/Stay.aspxStayGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Roughly 42 million U.S. employees, or more than one in four workers, will leave their jobs this year to go work for another company, according to the recently released 2018 Retention Report: Truth and Trends in Turnover.</p><p>It doesn't have to be this way. "More than three in four employees (77 percent) who quit could have been retained by employers," write the authors of the study, which was conducted by the Work Institute using data from more than 234,000 exit interviews.</p><p>Turnover trends such as these are compelling many companies and managers to up their games when it comes to their employee retention strategies. And through better retention, these firms are hoping to avoid the high costs of turnover. For example, the retention report finds that U.S. employers will pay $600 billion in turnover costs in 2018. Companies can expect that annual cost to increase to $680 billion by 2020, according to the study. </p><p>But achieving success in retaining talent can be challenging for another reason: the current labor market, which by historic standards is in a very tight, low unemployment phase. In early June, the U.S. Labor Department announced that, for the first time on record, jobs outnumbered job seekers. </p><p>"We now have more jobs than people to do them, which means our labor [shortages] are going to get worse," Society for Human Resource Management (SHRM) President and CEO Johnny C. Taylor said in his opening address at the SHRM 2018 annual meeting in Chicago.</p><p>That development is a "really alarming" one for organizations who are trying to retain talent, says Gabriel Stavsky, a talent management consultant with Retensa Employee Retention Strategies. "Think about the implications of that. Employees will have that upper hand," Stavsky says.  </p><p>Why do employees leave? According to the Retention Report, the three top specific reasons for employees to leave jobs in 2017 were career development (21 percent), work-life balance (13 percent), and manager behavior (11 percent). Experts say these reasons all fall under one broad umbrella reason of why employees leave companies: their employer is not meeting their expectations and needs. </p><p>Armed with this knowledge, managers can strengthen their retention strategies and efforts and retain more employees by focusing more on the needs and expectations of the workers. Some best practice guidance on how to do this follows.  ​</p><h4>Retention Starts Early</h4><p>Most experts agree that retention efforts should start on day one, and this makes the onboarding process crucial to retention success—and, sometimes, a predictor as to whether the employee will be short-term or long-term. Yet only 12 percent of U.S. employees strongly agree that their company does a good job of onboarding new employees, according to a Gallup poll released last year. </p><p>Successful onboarding should accomplish three things, according to Gallup workplace consultant Robert Gabsa: employees learn what makes the company unique, employees learn exactly how their jobs help fulfill the company's mission, and employees experience the mission and values of the company. "Employees yearn to feel connected to their roles, colleagues, managers, and companies," writes Gabsa in a recent article for Gallup.com. "By creating better experiences in the onboarding phase, companies can build these emotional connections early in the employee journey."</p><p>Given this, the onboarding process should be a two-way one, says Amy Hirsh Robinson, a principal with Interchange Consulting Group who discussed retention strategies recently in a presentation at SHRM 2018. Managers should communicate the company's story and accomplishments to new employees, but they should also focus on the new employee by communicating how his or her skill sets and work accomplishments will help the firm. </p><p>But this is where many firms fall down, says Robinson, who has worked with many large companies on onboarding issues and observed a common trend in those assignments. Companies are often good at telling their own story, but a continual focus on the company makes the employee feel left out–especially younger workers who want to be recognized. "None of the companies focused on the new employee as an individual," she says. "It was falling flat, especially on the Millennials."</p><p>So, Robinson recommends a different approach: early in the onboarding process, managers should sit down with new employees and discuss their background and previous experiences, and how those may fit in to their current job and the organization's mission. "Companies need to connect the employee to the organization's mission or purpose and demonstrate how that employee personally impacts the brand or customer experience," Gabsa writes. "Feeling like your job matters is an underrated aspect of performance."</p><p> Some firms that pride themselves on best practice onboarding will even have managers sit down with the employee and draft a sample career path, based on the employee's future goals. "The employees are so appreciative," Robinson says. And managers can supplement this career path exercise by relating examples of former employees who held the same position as the new employee and went on to have a successful career, she adds. </p><p>Robinson also advises managers to give new employees meaningful work as early as possible; this shows trust in their abilities and engages them from the start. And managers should not simply rely on organizational charts to explain work flow and reporting structures. Instead, they should try to explain the unwritten rules and process quirks regarding how things work.</p><p>On a more granular level, managers should make the effort to ensure that common onboarding pitfalls are avoided, Robinson says. Orientation sessions should not be overloaded with detailed policy information. She cited one company that held a four-hour orientation session that consisted almost exclusively of policy and benefit information discussed in excruciating detail. "It felt so penalizing to the new employees," she says. Instead, companies should try to communicate policy details through online or printed materials and focus on overviews during in-person meetings.   </p><p>Another common pitfall is not having a clean work station ready for the employee on the first day, Robinson says. "It happens all the time," she says. Finally, managers should not assume that what worked for them when they were hired will work for all new employees. Some new employees prefer a more hands-off "sink-or-swim" approach, while others like to be more actively guided, so managers should tailor their approaches to whichever style will work best for the employee.   </p><h4>Culture, Connection, Contribution</h4><p>Let's say that a new employee emerges from a successful onboarding process and continues to work for the organization. Company leaders and managers should continue to focus on the employee's needs and expectations to maximize the firm's chances of retaining the employee.  </p><p>However, these needs and expectations change across the lifecycle of the employee, Stavsky says. "At two weeks, they are different from what they will be at two years," he explains. </p><p>Workers from different generations sometimes have different needs, says Jo Danehl, a retention expert and global practice leader with Crown World Mobility, an international management consulting firm. "Elder Gen X employees are often driven by stability and financial security," Danehl says. "However, in my experience, I see Gen Y to be more interested in company qualities like its approach to corporate social responsibility (CSR) and global citizenship, while also highly focused on their growing career path. </p><p>"We're still getting to know the younger generations, but they're adding elements like purpose, communication, and overall experience," she adds. "Finding the right balance to each one of these motivations is key to a sustainable culture."</p><p>Indeed, many if not most experts cite company culture as a key factor in retaining talent by successfully meeting an employee's expectations and needs. However, exactly what constitutes a company's culture can be hard to define. "Culture is one of those catchall terms, a nebulous term for the feel and experience of working somewhere," Stavsky says.  </p><p>A company's culture is created through experiences that employees have with peers, managers, and executives. And maintaining a positive employee experience is highly effective retention strategy, says Greg Stevens, an industrial/organizational research consultant with Globoforce. "The key to that is a more human workplace," explains Stevens, who also spoke at the SHRM 2018 conference. And culture is one of the three pillars of a more human workplace, with connection and contribution being the other two, he adds. All three pillars support successful retention. </p><p>Connection, the second pillar, is supported in two ways. One is through positive and productive relationships with coworkers, Stevens says. The other involves work-life balance, so that the employee is not overwhelmed by work but stays connected with his or her life outside of work. This means that job responsibilities cannot be 24/7; there is enough flexibility to "offer chances to recharge and disconnect," he explains. </p><p>Thus, even meaningful work done in a workplace with a positive culture can become too all-consuming, and this can work against retention efforts because the employee may look for a position that offers more time for personal matters. "We all have lives outside of work," Stavsky says. "You want to have balance, and the autonomy to live it effectively."</p><p>The third pillar, contribution, can be supported by careful efforts by management to find out where an employees' abilities are especially strong, and then to make good use of them. "To retain talent, a company has to identify and capitalize on the skills of its talent," Danehl says. "It is critical to articulate skills…and show that the contribution is valued."</p><p>However, sometimes managers fail to do this because they are fixated on improving what they consider to be the weaknesses of the employee. "Let's think about how we develop talent. A lot of focus is put on areas for performance improvement, while the areas of strength remain largely untouched," Danehl explains. "How much better would it be for both employee motivation and retention to leverage employee skills—which are, after all, why they were probably hired in the first place," she says.​</p><h4>Power Should Seek Truth</h4><p>Another key factor in effective retention is opportunity, experts say. Employees need opportunities to grow as an employee and opportunities to advance their career.   </p><p>Danehl says that all thriving company cultures boast two attributes—effective leadership and opportunity. "Retention will suffer if these two qualities are not positive, present, and evident in the workplace," she explains. </p><p>In Robinson's view, once a career plan has been sketched out for an employee, managers should continually help the employee support it by assigning them to strategic projects or rotations and giving them opportunities to showcase their ideas via new platforms. "Train your managers to be good career developers," Robinson says.</p><p>Finally, the Retention Report finds that effective employee retention strategies must be built on accurate knowledge and understanding of employees needs and expectations. "Employers must not limit the extent to which employees can express their ideas, preferences, expectations, and intents," the authors write.</p><p>This means that managers and company leaders should "ask for feedback in a way that brings out the truth," according to the report. So, employees should not only be asked to rate aspects of their job and the workplace on a numerical scale of 1-10. They should also be asked why they rate as they do, what improvements they would like to see, what is important to them, and more. </p><p>"All managers and companies should know why their employees join, why their employees stay, and why their employees leave," Stavsky says.  ​ ​</p>
https://sm.asisonline.org/Pages/Lessons-in-Violence-Prevention.aspxLessons in Violence PreventionGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​It has happened at an outdoor concert in Las Vegas. A work meeting in San Bernardino, California. A nightclub in Orlando. A high school in Parkland, Florida. A church in Sutherland Springs, Texas. An elementary school in Newtown, Connecticut. A movie theater in Aurora, Colorado. An Army base in Fort Hood, Texas. A college campus in Blacksburg, Virginia. And a newsroom in Annapolis, Maryland.</p><p>We can't forget Umpqua Community College in Roseburg, Oregon; the Emanuel African Baptist Church in Charleston, South Carolina; the U.S. Navy Yard in Washington, D.C.; an adult school classroom in Binghamton, New York; a restaurant in Killeen, Texas; a McDonald's in San Ysidro, California; post offices in Dana Point, California; Edmond, Oklahoma; Escondido, California; and Royal Oak, Michigan; a law office in San Francisco; and a beauty salon in Seal Beach, California.</p><p>The first modern-day mass shooting in the United States occurred in 1966 when Charles Whitman killed 16 people and wounded 30 with a rifle from the clock tower on the University of Texas (UT) Austin campus. His murder spree remains one of the top 10 deadliest active shooter attacks in the United States. And active shooter incidents are on the rise—a new FBI report found that 2017 saw the most incidents and most people killed in any one year since 2000.</p><p>Active assailant events have killed too many people to still refer to such workplace violence, school campus violence, or mass shootings in public places as rare. But while horrific incidents in the last several years make the news and keep police, politicians, parents, business owners, and employees awake at night, recall that this has been going on since Whitman fired that first shot from the UT clock tower so long ago. What has happened then will certainly happen again, despite the best efforts of law enforcement responders and security professionals around the country and internationally. These cases deeply scar the cities, schools, campuses, and communities where they happened, forever. The anniversary dates get further and further out as the years and even the decades pass, but no one associated with these events ever forgets. </p><p>How safety and security officials plan for and respond to these incidents, though, has continuously evolved over the decades, and will continue to do so as new research, best practices, and lessons learned are adopted.</p><p>Ticking bombs. Defusing Violence in the Workplace—which the author co-wrote in 1994 with then-San Diego Police psychologist Dr. Michael Mantell—was one of the first business books on active shooters. The book set out a 21-step profile of a potential workplace shooter based on many of the cases that happened up to 1994—usually at U.S. Post Office facilities. The postmaster general at that time even wrote the foreword for our book, showing how attached experts were to the idea that workplace violence was mostly committed by white males in their 30s to 50s, with a military history and access to guns. </p><p>However, it soon became clear how wrong these profiles were. The April 1999 Columbine High School shooting changed collective thinking away from the focus on profiles toward the current emphasis on preattack behaviors and information leakage to third parties about the attackers' preferred targets and plans.</p><h4> Evolving Perceptions</h4><p>For threat assessment experts and security management professionals, the shootings that took 13 lives at Columbine High School were the equivalent to the 9/11 attacks—they completely changed the thinking about how to respond to these types of events. Much like the United States' post-9/11 terrorism fight around the world, engaging an active shooter on sight became the new normal post-Columbine.</p><p>Law enforcement had to change its tactical response to what were now being called active shooters, because at Columbine there were multiple perpetrators who were not there to take hostages and make demands, but to kill others and then themselves. Security experts will never forget hearing recordings of shots fired and the anguished cries inside those buildings as the officers on scene followed their usual protocol: set up a perimeter and wait for the SWAT team to arrive. </p><p>Columbine taught security practitioners about preattack behaviors, the leakage of information by the perpetrators, and the need for arriving police officers to respond quickly, form into tactical teams, and use whatever firearms they had to enter the building and stop the attackers. This model has become standard police procedure for active shooters and mass attackers at schools and businesses in the United States.</p><p><strong>Research and models. </strong>Two U.S. Secret Service (USSS) reports—Protective Intelligence and Threat Assessment Investigations from 2000 and the 2004 Safe School Initiative, authored by USSS Supervisory Special Agent Bryan Vossekuil and psychologists Dr. Robert Fein and Dr. Marisa Reddy—have contributed immensely to the understanding of planned attacks against protected targets, workplace violence, and school violence prevention. These two comprehensive reports should be studied by every security practitioner who faces the potential for violence at their facilities. </p><p>Protective Intelligence and Threat Assessment Investigations was also known as the Exceptional Case Study Project (ECSP) because it focused on data from assassinations of political figures as far back as Abraham Lincoln in 1865, as well as research into school and workplace violence attacks and interviews of surviving political assassins and school and workplace attackers in prison. </p><p>The ECSP laid out the concept that some people make threats and some people pose threats. There should be more focus on people who pose threats and less on those who just make verbal or written threats, because the presence of such threats is not the best indicator of a pending attack. The ECSP also discussed the idea that people who engage in lethal violence often engage in third-party leakage—they warn other people such as coworkers, family members, or students of their plans, but not the targets they intend to harm. The student that wants to shoot his teacher rarely directly threatens that teacher, because it would lead to consequences such as being arrested or suspended, thereby interrupting the opportunity to attack.  </p><p>In the early years of threat assessment and management, there was a tendency to overreact to direct verbal or posted threats and underreact to third-party threats. While all threats need to be investigated, the new emphasis is on listening more closely for these leakage events, and training employees and students to have the courage to report them to the safety and security stakeholders for the business or school.</p><p>The Safe School Initiative, also coauthored by Dr. Randy Borum from the University of South Florida and Bill Modzeleski from the U.S. Department of Education, offered the conclusion that there is no known or useful profile of a school shooter. This research also showed that most perpetrators are on a path from ideas to actions, meaning they follow a distinct process that starts with a grievance, followed by a violent ideation that may last for weeks, months, or even years. They begin to make a plan, acquire or practice with a weapon, stalk their targets, make a series of dry runs, and then attack.</p><p>Two recent reports by the FBI's Behavioral Analysis Unit expand on this concept, detailing preattack behaviors of active shooters based on a study of incidents from 2000 to 2013. The active shooters examined in the study could not be identified prior to attacking based on demographics alone, but concrete patterns emerged in their preattack behaviors. A majority of attackers acquired their firearms legally, and more than three-quarters of attackers spent a week or more preparing. The average attacker had experienced multiple stressors in the year before they lashed out, but only 25 percent had ever been diagnosed with a mental illness. And in the majority of attacks, at least one of the victims was specifically targeted—the most common grievance reported was adverse interpersonal or employment action taken against the shooter. </p><p>A key to identification and resolution of threat cases is early identification of such attack-related behaviors. Perpetrators of targeted acts of violence engage in covert and overt behaviors prior to their attacks: they consider, plan, prepare, and share—and not with their target, but usually with third parties. One challenge security faces is educating scared, concerned, or anxious employees or students on how to disclose what they have heard and to whom, so security stakeholders can assess the information in context, formulate a deterrence plan, and take proactive steps.​</p><h4>Defining Threat Assessments</h4><p>In the post-Columbine world, we began to define a series of investigative processes as a threat assessment—a way to interpret data gathered from a wide variety of sources such as direct observation, records reviews, witness reports, past behaviors, and potential current targets, to form an opinion about the seriousness of a situation. </p><p>Conducting threat assessments became both a science and an intuitive art, and moved away from the limits of profiles, demographic characteristics, or historical statistics. Threat assessment activities underwent a shift from predicting violence—which is not possible—to identifying the behaviors of potential attackers, their targets, and the means and methods for harming those targets as a "window in time." The concept of threat assessments began to take on a new professionalism, moving beyond the realm of just mental health clinicians or law enforcement and into areas crossing over into the fields of security, human resources, prosecution, corrections, educational facilities, and research.   </p><p>Efforts in preventing mass shootings, stopping active shooters, and workplace and school violence prevention continue today, especially in light of recent attacks. We stand on the shoulders of researchers and threat assessment practitioners who were doing this work long before Columbine. Their work supports today's active assailant best practices and is based on extensive research.</p><p>Early researchers—including Dr. Fred Calhoun's work on threats against federal judges and Steve Weston's research on threat assessment—teach the theory that Howlers howl and Hunters hunt, meaning that there is more to worry about from the potential perpetrator who works in stealth than the person who "howls" and wants to be seen as intentionally provocative, disruptive, or sinister. The Hunter wants to be successful and not be stopped by security or the police, so this attacker does not warn. In the past, a lot of investigative energy, security assets, and resources were put towards threats made by Howlers who would say, "I've put a bomb near the loading dock!" or "I'm gonna come there and shoot up the whole school!"</p><p>Security and human resource-related associations are taking the lead in providing research, analysis of incidents, training, and the creation of national standards related to workplace violence and school violence prevention. Such organizations include ASIS International, the Association of Threat Assessment Professionals, and the Society for Human Resource Management. Other groups with input into the prevention of workplace and school violence include the International Association of Chiefs of Police, the National Sheriffs Association, and the National Association of School Resource Officers.​</p><h4>Threat Assessment Teams</h4><p> The biggest shift in the movement towards making the threat assessment process more professional and structured was the emergence of Threat Assessment Teams (TATs). These groups are also called threat management teams, crisis response teams, or critical incident response teams, and they now populate private-sector businesses, school districts, college and university campuses, and public-sector entities ranging from utilities to cities and counties.</p><p>TATs don't need to be formally appointed, but they must be staffed by the organization's safety and security stakeholders. This often includes representatives from executive management, human resources, security, legal counsel, facilities, IT, communications, safety, and risk management. The team can also benefit from support by local law enforcement commanders, mental health clinicians or Employee Assistance Program (EAP) providers, or labor relations or union representatives.</p><p>The function of the TAT is to discuss its coordinated, measured—but urgent— responses to potential crisis situations, including threats or violence towards the organization or its employees, employee-to-employee bullying, high-risk employee discipline or terminations, domestic violence crossovers with employees, threats to the organization's facilities, cyberthreats, and vexatious litigants.</p><p>The value of TATs—which are often run by human resources or security representatives, because of their familiarity with employee-related issues—is to take the best advice from the group and not get manipulated into "seeing the ocean through one drinking straw." In other words, the police may have strong feelings about making an arrest; the threatening employee's manager may want to terminate; and the facilities representative may want to lock the building down. These are all potential solutions and should be put up for group discussion before a final decision is made.</p><h4>Run. Hide. Fight. </h4><p>The Run. Hide. Fight. video created in 2012 by the U.S. Department of Homeland Security (DHS) and the City of Houston is short and to the point. If you are ever confronted by an active shooter, run out of the building, taking as many people as safely as you can with you; hide out in the best room you can barricade; and be ready to fight back if the shooter breaches your room. This active shooter protocol is designed to get employees out of the way of the attacker and the responding police by leaving the facility or locking the room down. In most cases, attackers have a short window of time to carry out their plan—usually five to 10 minutes—before police arrive.</p><p>All of the videos and training programs that have emerged as a response to workplace or campus shooters have the same goals: don't wait for the police to rescue you, get out of their way while they confront the attacker, and be prepared to fight back or provide first aid to save your life and help save the lives of your coworkers, customers, or students.</p><h4>​Domestic Violence in the Workplace </h4><p><strong></strong>One exception to Calhoun and Weston's Howlers vs. Hunters model is called the Intimacy Effect. In cases where there has been previous sexual intimacy between the suspect and the victim, the chances for fatal violence go up dramatically. These perpetrators are Howlers who become Hunters because they are obsessed with hurting or killing their former partner. </p><p>Murder is still the leading cause of death for women in the workplace, and has been for decades, according to the U.S. Occupational Safety and Health Administration. Most women who are killed on the job are shot during robberies at retail facilities or attacked by their former partners while working. As a workplace issue—one that many managers, supervisors, and human resources professionals are still reluctant to address—domestic violence crossover from home to work continues to take the lives of many female employees, especially in states where there are no laws preventing employees from being fired for revealing their victim status to their employer. </p><p>In California, legislation was passed in 2013 that gives domestic violence victim-employees protected class status—like age, race, or gender—and dictates that employers not only cannot fire an employee who brings a domestic violence issue to their attention but must also help create a workplace safety plan to provide protection and support. Fewer than 10 states in the United States offer similar supportive legislation, which is something domestic violence advocacy groups are trying to change.</p><h4>Continued Evolution </h4><p><strong></strong>Progress is being made to thwart potential workplace, school, and mass attackers, but there is still a long way to go to stop future perpetrators. These attackers learn from the methods and mistakes of their predecessors—but so do threat assessment experts and security practitioners. Threat assessment experts need to continue to develop new strategies for schools and businesses.</p><p>Scheduling yearly Run. Hide. Fight. drills that focus on the value of the first two steps is becoming more common, as is training employees and students to listen for—and properly report—preattack leakage threats from potential perpetrators. More organizations and school districts are establishing TATs to address crises, and there has been a bigger emphasis on getting funding for more well-trained school resource officers. </p><p>When it comes to addressing a potential active shooter who is moving on the path from ideas to action, proactive interventional responses by mental health clinicians and law enforcement officers alike is becoming an established best practice. Open dialogue about teaching all parents who own guns to practice safe storage in their homes is more common as well. And if a mass shooting is successfully carried out, there has been a greater emphasis on encouraging national media to not cover the attackers by name and face.</p><p>While facility security has evolved from the model of relying on gates, guards, and guns, it is still important to install appropriate security devices and update procedures periodically.</p><p>How security practitioners handle the threat of mass attackers on campuses and active shooters in workplaces, churches, and malls has changed over the past 25 years. There are many committed people who have made it their life's work to help stop these attacks, and the fight for peace at businesses and schools will continue.  ​</p><p>​ <em>Dr. Steve Albrecht, CPP, is a 22-year member of ASIS. As a keynote speaker, author, and trainer, he specializes in violence prevention. He has written 18 books on business, security, and criminal justice subjects. he can be reached at DrSteve@DrSteveAlbrecht.com.</em></p><h4>Resources Mentioned in this Article</h4><p></p><p>Dr. John Monahan, from the University of Virginia Law School is regarded as the "the leading thinker on the issue of violence risk assessment." </p><p>Hollywood security expert and threat assessment pioneer Gavin de Becker is best known for his groundbreaking work in protective intelligence gathering and his best-selling 1997 book, <em>The Gift of Fear.</em></p><p>Dr. Reid Meloy and Dr. Kris Mohandie are known for their research and speaking work on stalking perpetrators, "predatory versus affective violence," and their widely-used violence risk assessment models, methods, and practices.</p><p>The FBI's Behavioral Analysis Unit has often provided critical research, including two highly-detailed recent reports edited by Supervisory Special Agent Andre Simons: "<a href="https://www.fbi.gov/file-repository/active-shooter-study-2000-2013-1.pdf" target="_blank">A Study of Active Shooter Incidents in the US Between 2000 and 2013</a>" and "<a href="https://www.fbi.gov/file-repository/pre-attack-behaviors-of-active-shooters-in-us-2000-2013.pdf/view" target="_blank">A Study of the Pre-Attack Behaviors of Active Shooter Incidents in the US Between 2000 and 2013.</a>" Supervisory Special Agent Eugene Rugala edited the FBI's 2004 report, "<a href="https://www.fbi.gov/file-repository/stats-services-publications-workplace-violence-workplace-violence" target="_blank">Workplace Violence: Issues in Response</a>."</p><p>Dr. Ted Calhoun and Steve Weston's threat assessment books, presentations, and research and development of the concept known as "Hunters versus Howlers." Calhoun's seminal 1998 book, written for the US Marshals, <em>Hunters and Howlers: Threats and Violence Against Federal Judicial Officials in the United States, 1789 to 1993</em>, taught us to pay more attention to people who don't just draw attention to themselves by making verba​l or written threats.</p>
https://sm.asisonline.org/Pages/A-World-of-Risk.aspxA World of RiskGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>Protecting People with Big Intel<br></h4><p>Nick Lovrien, CPP, chief global security officer at Facebook and member of the CSO Center for Leadership and Development at ASIS International, talks about the worldwide reach and team effort behind its intelligence operations. </p><p><strong><em>Q: What's a day like in the life of Facebook's chief global security officer? If Security Management followed you around, what might we see and whom might we speak to?</em></strong></p><p><strong><img src="/ASIS%20SM%20Callout%20Images/Lovrien%20headshot%201%20(C)MargaretAustinPhotography-045.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:200px;" />A:</strong> I have the fortunate opportunity to lead a remarkable group of security professionals who collectively are some of the most specialized, talented, and passionate leaders in the industry. Each day is met with collaboration to ensure we strategically align with Facebook's values of being bold, focusing on impact, moving fast, being open, and building social value throughout the communities that Facebook serves.  </p><p>My division's daily focus is delivering a safe and secure environment for the company, teams, and individuals who deliver on Facebook's mission to give people the power to build community and bring the world closer together.</p><p>In support of the Facebook mission, our global security team is responsible for ensuring that we keep the things that our Facebook teams value safe and secure. This means that we protect the people of Facebook by creating a safe environment for our culture to flourish. We ensure Facebook's physical and intellectual assets are safe and secure, from buildings and servers to prototypes and ideas. Additionally, we set out to help make smart, informed decisions to protect Facebook's reputation.</p><p><strong><em>Q: When it comes to having physical locations and employees all over the world, what are the biggest security challenges that Facebook faces, and what are some of the future threats that you see as relevant?</em> </strong></p><p><strong>A: </strong>One of the biggest challenges we face is ensuring that we deliver and implement a consistent approach to our holistic global security program. We strive to do this while balancing the ever-evolving global risk landscape that we face—not only where our current offices and data centers are located, but also the locations that Facebook personnel may travel to throughout the world.</p><p>The global security program is designed and focused to proactively identify potential impacts to our people, assets, or reputation. To do this, we rely heavily on intelligence to identify and mitigate risk before it is ever realized. This enables our business partners to make informed decisions on any situation that may have a potential impact to our business, ranging from severe weather to civil unrest.</p><p><strong><em> Q: </em></strong><strong><em>As physical and logical systems become increasingly merged, many security professionals are finding themselves focused on cybersecurity as much as physical security. What would be your advice for these professionals as they try to balance the two areas?</em></strong></p><p><strong>A:</strong> Both are equally relevant, considering the critical dynamic and the global operating environment. Our industry has to be nimble enough to counteract any and all measures, regardless of what aspect of security they are trying to breach. A collaborative approach leveraging specialized cross-functional teams to assess and mitigate physical, cyber, and information risks is essential in delivering a sound holistic security program. Emerging technologies promise great benefits, but also bring new risks that must be addressed jointly. </p><p><br></p><h4>​Target Talks Teamwork</h4><p>Mark Krause, CPP, senior director, corporate security at the Target Corporation, discusses implementing ESRM and building partnerships across the enterprise. Krause is a member of the CSO Center for Leadership and Development.​</p><p><strong><em>Q: The enterprise risk management landscape has also evolved tremendously over the past decade or so. As threats to organizations become increasingly sophisticated, what are some of the things Target is doing as a global retailer to keep up with these evolving times?​<img src="/ASIS%20SM%20Callout%20Images/MK%20Headshot-4x5.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:240px;" /></em></strong></p><p><strong>A:</strong> With the retail landscape evolving as quickly as it is, Target has been aggressively investing in our stores, the digital and physical shopping experience, and exclusive brands. That investment is exciting for our guests, but also comes with additional risk that pushes our security teams to operate differently. </p><p>Our teams are primarily focused on enabling our business partners to deliver on our company priorities. We have made adjustments to implement enterprise security risk management (ESRM) at Target, including the use of a common framework and a common platform to manage risk. Additionally, we've driven deeper internal collaboration among stakeholders and built strong awareness campaigns to ensure our team members understand the sophisticated threats we face today.</p><p><strong><em> Q:</em></strong><em> </em><strong><em>​In what ways do legal, security, and assets protection partner at Target? Do security and assets protection functions report up to legal?</em></strong></p><p><strong>A: </strong>Our organization has evolved over time to meet the needs of the business. Our security team includes an assets protection group that secures our stores and distribution locations, an information security team to manage cyber threats, and a corporate security team that takes the lead on enterprise security. While each team reports to different leaders, the strong partnerships and processes that we have in place enable the model to work. Each group builds deep subject matter expertise in their primary discipline, which strengthens our overall security approach. Our work is driven by a shared vision of a safe place for our guests to shop, team members to work, and communities to thrive.​</p><p><strong><em>Q: When it comes to investigations related to safety and security, what are some best practices that Target implements to make sure it's working side by side with the security team?</em></strong></p><p><strong>A: </strong>As you would imagine, being a large retailer with a global footprint means we will always have security incidents to manage. But we work hard to minimize the risk, including having a few best practices that guide our security response. </p><p>First, we make a significant investment in our teams and partnerships to make sure we have responders who are prepared and effective. Target has a long history of engaging with public partners, like federal and local law enforcement agencies, and we feel this builds stronger communities. Second, our teams use a shared escalation model, which ensures we're using the appropriate resources and having consistent oversight with each situation we face. </p><p>We also use a full suite of technology tools, like enterprise video and a mass notification system, along with specialized capabilities, like forensic services and threat assessment professionals, through the lifecycle of an incident. All of these efforts drive a consistent and collaborative response to the full range of incidents we encounter. </p><p><br></p><h4>​Sidebar: <strong></strong>Microsoft Takes the Risk Out of Business<br></h4><p>​In the unpredictable global climate of fake news, unstable politics, and information overload, how does a Fortune 100 company with more than 100,000 employees globally know when and where a threat may happen? How does it prepare for and mitigate those risks in a timely, effective manner?</p><p>Recently rebranded as the Microsoft Global Security Center of Intelligence, this business unit at Microsoft is responsible for taking incoming information from various open-source data streams and putting it into actionable intelligence.</p><p>"Assessing impact to the company is our biggest value proposition to Microsoft," says Liz Maloney, global intelligence manager. Forecasting what the cost of a risk may be to the brand, company reputation, and bottom line enables Microsoft to make smarter security and business decisions. </p><p>As part of its rebranding, the Center wanted to create a think-tank feel around its operations, says Charles Randolph, senior director at the Center of Intelligence/Center of Protection, so that it could better interpret geopolitical events and other nuanced situations that could impact the company. "Politics are going to affect corporations for the foreseeable future, therefore we needed to fill a gap," Randolph notes, "and get somebody who can translate that into, 'how does this affect a corporation, what might the geopolitical implications be—to not just travelers, but also decisionmakers?'" </p><p>To achieve that, the Center hired a Ph.D. in public policy and a journalist to add to the diversity of opinion within the Center, and further dissect current events that might affect risk. "Yes, we do need to cover traditional threats, such as terrorism and assisting with intelligence support to cyber," Randolph says, "but maybe there are other things like economic sanctions that could affect a corporation."</p><p>While the human element of intelligence is valued at Microsoft, the Center must grapple with huge amounts of data being fed into its operations every day. Randolph explains how Microsoft translates that information is into useful, meaningful intelligence for the organization.</p><p>"You start out with a data 'bog.' I've got all this data—its good, it's bad, it's indifferent—and it's kind of stinky, and we have to clear it out," he explains.  </p><p>That data is then filtered into a data lake, "and we feed those lakes into data warehouses," he says. </p><p>Once the information is organized, it is assessed by company analysts who work by region to determine whether a threat, risk, vulnerability, or situation may impact Microsoft.</p><p>Oftentimes, that risk information is presented to the affected business unit in the form of a scenario. "Our bread-and-butter is developing scenarios," Maloney says, "scenarios that will tell you the various courses of action that might occur and identify some triggers and indicators along the way that might show you, 'okay this where the scenario is going, and this is the decision that you're likely going to have to make.'"</p><p>Organizing data into lakes is still just a small part of what the Center does, Maloney says. "We don't want to mistake big data for valuable data," she notes. "We're trying to get the right data sets—not necessarily the most information—and make those really accessible and customized." </p><p>The Center continues to use artificial intelligence and other emergent technologies to make the best decisions, enabling its analysts to spend their time looking only at quality information. "Philosophically that's what we want to do," Randolph explains. "We want big data, machine learning, AI, and algorithms to help find the bronze needle in the stack of gold needles, so the analyst can say 'here's the bronze needle I need to look at.'"</p>
https://sm.asisonline.org/Pages/Election-Hardening.aspxElection HardeningGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Cybersecurity and the importance of cyber hygiene took front and center stage during the 2016 U.S. Presidential Election campaign season. Voter database systems were compromised, national political parties were breached, and the Democratic candidate's campaign was hacked via a phishing email.​</p><p>​To address the problem and increase election security before the 2018 midterm elections, Congress authorized $380 million for the U.S. Election Assistance Commission (EAC) to issue to U.S. states and territories.</p><p>"This much-needed funding will provide states with essential resources to secure and improve election systems," said EAC Chairman Thomas Hicks in a statement. "The EAC is committed to making these funds available as soon as feasibly possible, and we fully expect this money will be deployed in meaningful ways to support the 2018 elections."</p><p>The funds were made available via grants and could be used to improve the administration of U.S. federal elections, including for enhancing election technology and improving election security. </p><p>Specifically, recipients could use the funds to replace voting equipment with technology that creates a ​verified paper record; implement a post-election audit system; upgrade election-related computer systems to address cyber vulnerabilities; put election officials through cybersecurity training; implement cybersecurity best practices for election systems; or fund other activities to improve the security of elections.<img src="/ASIS%20SM%20Callout%20Images/0918%20Cyber%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></p><p>The EAC used a voting age population formula to determine how much of the $380 million each state and territory was eligible for, with the smallest receiving $3 million. New York, for instance, requested and received $19.5 million in May 2018 to make improvements to its election systems. </p><p>However, some are skeptical about the amount of money made available to the states and territories and the impact—if any—it will have on election security overall.</p><p>John Dickson, principal at the cyber firm Denim Group, says there are two risks that election officials are attempting to address with the funds: technical risk and political risk.</p><p>"Because they have a limited amount of time to put these resources to work, it's almost obvious that you would focus on the crown jewels—you'd spend at the state level protecting the infrastructure at the state level," Dickson explains. "The problem is, the voting machines out there are crazy—there are thousands of them—so if you were to just disburse the money to all the counties, it would have no meaningful impact. But, politically, the secretaries of state can't hoard the money."</p><p>Dickson, a former U.S. Navy intelligence officer who lives in San Antonio, has met with election officials from Texas, Missouri, and Kansas, and had conversations with officials from an additional 12 U.S. states. </p><p>Most of these conversations have focused on how to beef up election security in the limited time leading up to the November midterm elections.</p><p>"A common theme I've heard was that they are going to try to spend it in a wise way but recognize that this might be as much about the 2020 election as it is the 2018 midterm elections," Dickson says. "Right now, there are 50 different states that are looking to do this 50 different ways. It's an exercise in democracy watching how this plays out."</p><p>While each state and territory will take its own approach to spending the funds, Dickson cautions against spending all of the money on hardware—such as upgraded voting machines that create paper trails of votes.</p><p>"A major mistake would be to spend it all on hardware," Dickson says. "The amount of money they would have to spend, there's no way they would make a dent in that."</p><p>For instance, in Dickson's own county there are 2,842 voting machines. Each new machine would cost at least $300, and to replace all of them at that price point would be almost $900,000. And that's just a single county in Texas, which received $24.4 million for the entire state.</p><p>"In fact I don't think the attackers are going to go after the endpoint because it's just easier to hit the aggregation points," Dickson adds. </p><p>To better understand the security threats to elections, many election officials are turning to the U.S. Department of Homeland Security (DHS), which classified election infrastructure as critical infrastructure in January 2017 prior to U.S. President Donald Trump's inauguration.</p><p>"Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law," said then DHS Secretary Jeh Johnson in a statement. </p><p>Included in DHS's definition of election infrastructure are voter registration databases and associated IT systems; IT infrastructure and systems used to manage elections; voting systems and associated infrastructure; storage facilities for election and voting system infrastructure; and polling places—including early voting locations.</p><p>"I have reached this determination so that election infrastructure will, on a more formal and enduring basis, be a priority for cybersecurity assistance and protections that the Department of Homeland Security provides to a range of private and public-sector entities," Johnson said.</p><p>Classifying election infrastructure as critical infrastructure also allowed DHS to grant individuals security clearances to give them more access to threat indicator information, and to establish an Elections Information Sharing and Analysis Center (E-ISAC). </p><p>DHS is using the E-ISAC to share cyber threat indicators, vulnerability information, risk analysis, best practices, and guidance with more than 700 members across the United States. </p><p>While DHS has goals and benchmarks to achieve prior to the November midterms, it's also seeking to lay a strong foundation for the 2020 U.S. presidential election and beyond. On that list of goals is to begin to conduct exercises with federal partners, and state and local governments—like exercises done to test the resilience of the electric grid and other critical infrastructure sectors.</p><p>Not included in DHS's definition of election infrastructure that raises concerns, however, are campaigns and political committees. Dickson finds this worrisome because in the lead-up to the 2016 U.S. presidential election, both major political parties—the Democrats and the Republicans—were targeted.</p><p>Democratic candidate former U.S. Secretary of State Hillary Clinton's campaign was breached by Russian hackers when her campaign chairman, John Podesta, opened a phishing email. The hackers used that access to obtain emails sent between campaign staffers that were then distributed widely online in the run-up to the election.</p><p>And just before Security Management's press time, the U.S. Department of Justice charged 12 Russian intelligence officers with hacking Democratic officials. </p><p>"We know that the goal of the conspirators was to have an impact on the election," said Deputy Attorney General Rod Rosenstein in a statement about the charges, which included conspiracy to commit an offense against the United States by releasing stolen documents to interfere with the 2016 presidential election, aggravated identity theft, conspiracy to launder money, and conspiracy to commit an offense against the United States by attempting to hack state boards of elections, secretaries of state, and U.S. companies that supplied software to administer elections.</p><p>To address this threat, DHS did partner with the Harvard Belfer Center's Defending Digital Democracy project to release The Cybersecurity Campaign Playbook because it says that all campaigns, at all levels, have been hacked.</p><p>"While the recommendations in this playbook apply universally, it is primarily intended for campaigns that do not have the resources to hire full-time, professional cybersecurity staff," according to the playbook. "We offer basic building blocks to a cybersecurity risk mitigation strategy that people without technical training can implement."</p><p>Those building blocks include a checklist for all campaigns: setting the tone that cybersecurity is taken seriously; using cloud services to store information; using two-factor authentication for all important accounts; creating strong passwords; and having a plan in case the campaign is breached.</p><p>"It's important that cybersecurity is tightly integrated into HR and IT work, since correctly onboarding staff, provisioning hardware, and controlling permissions will be critical to your strategy," according to the playbook.</p><p>The playbook also includes guidance for steps all campaigns should take to increase their security, such as establishing a strong information security culture, to enhanced steps that can be taken later, such as hiring a dedicated IT professional.</p><p>Defending Digital Democracy released its first playbook in November 2017 and followed it up with a playbook for European elections. </p><p>However, some are skeptical that campaigns will follow through with the recommendations made in the playbooks to enhance their security—making them vulnerable.</p><p>"It makes sense to the 2020 presidential campaigns for either major party and maybe super big senatorial races," Dickson says, adding that he thinks it's unlikely that smaller campaigns will adopt similar practices.</p><p>Representatives from the Defending Digital Democracy project did not return requests for comment prior to <em>Security Managemen</em>t's press time.</p>
https://sm.asisonline.org/Pages/Open-Doors,-Secure-Spaces.aspxOpen Doors, Secure SpacesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Bold Believers Church of Christ in Dayton, Ohio, strives to maintain a hospitable, welcoming environment for people coming through its doors, but it also keeps an eye out for people who don't have good intentions.<img src="/ASIS%20SM%20Callout%20Images/0918%20Case%20Study%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:246px;" /></p><p>"We have principles and policies in place that allow us to make some discerning decisions about who's really in need, and who's trying to take advantage of the situation," says Cleavon Matthews, minister at the church. </p><p>Like other houses of worship, the church also faces the reality of attacks on soft targets around the world. A shooting in September 2017 hit home for the congregation: in Tennessee, a gunman opened fire during Sunday morning services at a fellow Church of Christ, part of the same denomination as Bold Believers. One person died and seven were injured.  </p><p>In 2017, when the church wanted to upgrade its worship space to accommodate its growing congregation, it moved into a building that had formerly housed a Jewish synagogue. The new space features three levels and 40,000 square feet of space.  </p><p>But leaving its former building meant abandoning a sense of comfort and security, Matthews says. </p><p>"We were at the other location for 30 plus years; there's a level of comfort and a sense of safety there, and it's a much smaller facility that didn't require as much security," he says. "Moving here was a tremendous cultural change for our church." </p><p>The new worship space is in a less-developed area, and one of the major hospitals nearby is preparing to close later this year, which Matthews calls a significant blow to the neighborhood. </p><p>"There are efforts being made by some groups to revitalize the area, but the socioeconomic status of the area is poor," Matthews says. "One of the reasons we came here was to make a difference in the lives of people here—especially children, women, and families."  </p><p>When the church began to renovate the building's interior and exterior, it knew it wanted to invest in a security system to protect the facility and expensive construction equipment. </p><p>"In this area, security is of the utmost importance to us and it was one of the first things we invested in once we acquired the building," Matthews notes. </p><p>The previous owners of the synagogue had a subscription with Sonitrol of SW Ohio, a video and audio verification service that monitors for alarms in real-time. There were already a few cameras installed around and outside the building. Bold Believers decided to take over the existing subscription to Sonitrol and add additional cameras and a video management system, both manufactured by 3xLOGIC. Sonitrol of SW Ohio was also the integrator for the technology upgrades, which began in April 2017.   </p><p>The surveillance system includes Multi-Sensor NVR cameras from 3xLOGIC that detect motion and glass break. There are also door contact sensors that alarm when a door is opened. The church has more than a dozen cameras in and around the building, seven of which are multi-sensor. </p><p>"It's not a small building, so that's why it's so important to have the cameras to cover all of those different levels and the corridors," Matthews notes. "That way, you know if someone's in the building and you can find out where they are." </p><p>The church can arm the system at any time, usually when no one is on the premises. If an alarm goes off—whether it be a door contact sensor, motion detection, or audio—it's immediately picked up at the Sonitrol monitoring station. Sonitrol dispatchers can view a live feed of the cameras to verify that the alarm is legitimate, and contact law enforcement. </p><p>Another element that appealed to Matthews about Sonitrol was the ability to arm the system and view camera feeds and alarms remotely through an app on his smartphone, which other church leaders have access to as well.  </p><p>In February 2018, the system caught a trespasser who walked into the building in the middle of the night. </p><p>"The individual entered through a door that had been left unlocked, so it was just like he was going into his own house," notes Duane Pettiford, a leader at Bold Believers. "That particular door did not have a contact sensor, but the motion sensor cameras were able to pick him up."  </p><p>A dispatcher at Sonitrol immediately responded to the alarm and called law enforcement, who quickly arrived on scene. Because Bold Believers had numbered its doors for Sonitrol, the dispatcher was able to give police a guided, step-by-step description of where the trespasser was in the church. </p><p>The church set up a list of contacts for Sonitrol to call in the event of an alarm, so Pettiford received a call at about 3:30 a.m. </p><p>"I was in a deep sleep and not very cognizant of what I said, but I was very happy with the results, and that they were able to prevent any damage from being done or things from being taken," he says. "The product did its job."  </p><p>The mobile feature comes in handy daily, Matthews adds, to cut down on false alarms and provide peace of mind. </p><p>"Sometimes we get calls because of the construction that's going on and there's a loud noise. I can look [at the video] and say, 'Okay, well there's a contractor there, there's no need to call the police,'" he says. "It eliminates some of those calls that probably would have been made, and the police would have wasted their time." </p><p>Pettiford iterates that Sonitrol keeps the premises safe by having a set of eyes on the building around the clock, allowing the church to focus on working with the congregation and local population. </p><p>"We're in a precarious position, because we want our doors to be open for people that want to know Christ, so we can't put up bars," he says. "We have Sonitrol to keep the doors open." </p><p>For more information: Suzi Abell, suzi.abell@3xlogic.com, www.3xlogic.com; 317.445.2937; Alison Shiver, ashiver@shiversecurityservices.com, www.sonitrol.com, 513.719.4000, ext. 101. ​</p>
https://sm.asisonline.org/Pages/September-2018-Industry-News.aspxSeptember 2018 Industry NewsGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​Preserving the Dream</h4><p>"If you build it, he will come." Those words inspired a farmer to create a baseball diamond in the midst of an Iowa cornfield in the 1989 movie Field of Dreams. The set of that movie is now a tourist attraction that draws 110,000 visitors to rural Iowa each year. </p><p>In January, vandalism caused thousands of dollars of damage to the site, including destruction of an irrigation system. In response, Control Installations of Iowa and 3xLOGIC, Inc., teamed up to donate a complete video surveillance system for the location.</p><p>The installation includes an eight-channel V250 NVR; a thermal imager, pointed at the bridge leading to the site entrance; a mini-dome to cover the retail sales area; and two cameras covering the field itself. The recording equipment is installed on a shelf in the retail store. </p><p>"We hadn't really thought much about security, because for 29 years we had no incidents," says Denise Stillman, manager of the site. Now that the system is in place, she can keep tabs on the field at all times via the mobile app, View Lite II.​</p><h4>PARTNERSHIPS AND DEALS</h4><p>AMAG Technology welcomed TagMaster to its Symmetry Preferred Partner Program. </p><p>Arteco video event management solutions integrate with the Paxton Net2 networked access control system to give users insights into potential risks or incidents.</p><p>Cognitious, an Ashridge Group company, is providing health and safety services to Delapré Abbey, including risk assessment and security surveys. </p><p>Air Tahiti Nui installed RFID tags </p><p>on life vests on its aircraft using the EAM RFID TagControl Solution on its entire fleet of A340-300 aircraft.</p><p>Gallaher is providing fire alarm, access control, video surveillance, and burglar alarm infrastructure for the Cathedral of the Most Sacred Heart of Jesus in Knoxville, Tennessee. </p><p>ISONAS Inc. joined Entrust Datacard as a Technology Alliance Partner to provide a solution that supports both access control and ID credentialing software. ISONAS is also partnering with Genetec Inc. to give customers choices in access control software solutions.</p><p>Napco Security Technologies, Inc., is providing Trilogy Networx Locks for use on the Malibu, California, campus of Pepperdine University.</p><p>NEC Corporation is providing facial recognition software for use in Stream System smartphones from Algerian electronics manufacturer Bomare Company. </p><p>PSA announced that Active Risk Survival, Inc., joined its Business Solutions Provider program with tactical awareness training for sales professionals, risk assessment, and policy reviews for all-hazard preparedness.</p><p>RiskIQ chose Precise Technologies as its distributor in the Middle East, Turkey, and Africa market, excluding South Africa.</p><p>The Royal Bank of Canada is investing in research at Ben-Gurion University's Cyber Security Research Center to support the development of adversarial artificial intelligence.</p><p>RTI announced seamless integration with the modular 2N IP Verso and compact IP Solo IP intercoms, allowing them to be used with any RTI control device featuring video intercom capabilities.</p><p>Physical security solution provider Safetell entered into a partnership with Abbey Protect to distribute the SECURABLINDS product line.</p><p>A Senstar LM100 hybrid perimeter intrusion detection and intelligent lighting system will be coupled with layers of video analytics and surveillance cameras to protect a brewery. Senstar worked with installer EON Solution SA de CV on the project.</p><p>Thycotic and Logicalis are collaborating to bring identity and access management solutions to businesses globally.</p><p>Uplift Data Partners is the preferred commercial drone provider for 3DR, which will help customers capture 2D and 3D imagery using Site Scan drone software.​</p><h4>GOVERNMENT CONTRACTS</h4><p>Altibase is providing the Korean National Police Agency with database technologies. </p><p>Axon and its United Kingdom subsidiary, Axon Public Safety UK Limited, announced that Cumbria Constabulary is using Axon Citizen for Officers and purchased Axon Body 2 and Flex 2 cameras. </p><p>CenturyLink, Inc., was awarded a contract through the Houston-Galveston Area Council for 911 equipment and emergency call management solutions.</p><p>DetectaChem has a contract with the U.S. Department of the Navy for its SEEKERe Explosive Detection Kit.</p><p>IDEMIA and the Iowa Department of Transportation rolled out a newly designed driver's license and state identification card with security features that thwart counterfeiting and decrease the possibility of identity theft. </p><p>Intellisense Systems, Inc., is working with the City of Torrance Office of Emergency Services in California to evaluate its flood detection system and advanced weather sensor products for real-time notification of hazardous road conditions and washouts created by flash floods.</p><p>IPVideo Corporation was selected by the Plainfield Police Department in Illinois to help upgrade its current interview recording system.</p><p>Louroe Electronics, in partnership with Cardinal Peak, developed new audio recording hardware for the FBI to use in interviews and interrogations.</p><p>The U.S. Marine Corps Warfighting Laboratory is working with Senso­fusion to develop a ground-based mobile counter-UAS solution based on Sensofusion's AIRFENCE.</p><p>Cleveland Metropolitan School District in Ohio is using STANLEY IntelAssure to assess surveillance data streams and alert security personnel with actionable information on how to quickly solve detected problems.</p><p>StreamWIDE was selected to supply its Team On Mission solution to the French Ministry of the Interior to establish broadband radio communications and deploy tactical networks via a converged platform.</p><p>The U.S. Defense Nuclear Facilities Safety Board awarded TalaTek a contract to perform network risk and vulnerability assessment services, including penetration testing and a social engineering educational campaign for its workers.</p><p>Threat Sketch released The Nonprofit Guide to Cybersecurity, which was developed with funding and support from the U.S. Department of Homeland Security, National Protection and Programs Directorate.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>ANDE Corporation announced that its ANDE Rapid DNA Identification System received National DNA Index System approval from the FBI.</p><p>BUILDINGS magazine named EcoFlex Exit Trim from ASSA ABLOY Group brands SARGENT and Corbin Russwin as a 2018 Money-Saving Product winner.</p><p>Crystal Group Inc. is one of 15 recipients of the 2018 U.S. Secretary of Defense Employer Support Freedom Award, which honors employers for their support of U.S. National Guard and Reserve employees.</p><p>Dedrone announced that its team of Echodyne Corporation, Squarehead Technologies, and Battelle won first place at ThunderDrone's outdoor demonstration at Nellis Air Force Base.</p><p>Dortronics Systems, Inc., announced that its training courses have been recognized by BICSI for Continuing Education Credits.</p><p>The Essence Care@Home Communicator won the ESX Innovation Award for PERS Systems. </p><p>ICU Medical, Inc., is the first medical device manufacturer to obtain certification under the UL Cybersecurity Assurance Program, a new cybersecurity management program from UL.</p><p>Metalcraft received its ISO 9001:2015 certificate from Intertek, affirming that the company adheres to the standard for quality management.</p><p>Middle Atlantic Products announced that the new L7 Series Lectern and DC Power Distribution solutions were honored at InfoComm 2018.</p><p>Napco Security Technologies, Inc., announced that its Napco FireLink Integrated 32Pt Fire Alarm Control Panel & Dual Path Cell/IP Communicator was chosen as ESX 2018 Innovation Award Winner in the Fire Controllers & Control Panels category.</p><p>At the 2018 North American Retail Fraud Awards, Oncam and its part­ner VAS were recognized by Retail Risk for their retail-centric Cloud Searching Dashboard. </p><p>Qolsys, Inc., announced that its IQ Panels with PowerG have earned the UL Listed Mark.</p><p>Vanderbilt announced that its cloud-based access control and video management solution, ACT365, was chosen as a 2018 Money-Saving Products Award winner by BUILDINGS magazine.​</p><h4>ANNOUNCEMENTS</h4><p>BluePoint Alert Solutions formed the Institute of Proactive Responsibility, a new service focused on helping schools, businesses, communities, and local law enforcement better prepare for emergency situations.</p><p>Dallmeier is celebrating 15 years of market presence in North America this year, including more than 60 large casino installations. </p><p>The FIDO Alliance announced a mutual liaison relationship with India PKI Forum. </p><p>Walmart, Nestle, Kroger, and Tyson Foods are working with IBM Food Trust to construct a blockchain to track food across the globe, identify issues, and support speedy recalls.</p><p>Travel intelligence firm iJET Inter­national, Inc., changed its comp­any name to WorldAware, Inc.</p><p>Mission 500 announced that its third service trip will be in Ponce, Puerto Rico, October 31–November 4, 2018, where volunteers will work with local partners to help families in need.</p><p>National Electrical Manufacturers Association introduced a new technical Standard, NEMA TS 8-2018, Cyber and Physical Security for Intelligent Transportation Systems.</p><p>The Protection Bureau awarded educational scholarships to seven children of company employees.</p><p>Smiths Detection opened its first Customer Experience Centre in Asia Pacific in Johor Bahru, Malaysia.</p><p>True Security Design launched a new division, Pangaro Training Services, to evaluate vulnerabilities and security threats in a customer's existing security system.</p><p>Vigilant Solutions acquired the assets of ShotCaller Global Inc.</p><p>WatchGuard, Inc., opened its new worldwide headquarters in Allen, Texas.</p><p>Williams Data Management introduced ShredMyFiles.com, a certified mobile document and hard drive shred­ding service for southern California. ​</p>
https://sm.asisonline.org/Pages/The-Dual-Use-Problem.aspxThe Dual Use ProblemGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A researcher in Canada with $100,000 to spend ordered bits of horsepox DNA from a commercial vendor on the Internet and introduced it to cells, successfully turning the previously eradicated virus into an infectious agent. In China, 36 people had cells removed from their bodies, which were then altered and infused back into them.</p><p>Such experiments sound straight out of a sci-fi movie, but they are being carried out with more frequency by experts worldwide—and drawing a precarious line between using the technology for noble or nefarious purposes. Fortunately, these examples were for good—the Canadian experiment is paving the way for effective vaccines and gene therapy, and the Chinese clinical trials were used to treat patients with cancer.</p><p>However, even these well-intentioned scientific experiments could inadvertently cause harm down the road. The Canadian horsepox reconstitution raised concerns that the relatively simple and legal process could be used for darker purposes—the researchers admitted that the same process could be used to bring back small­pox, one of the deadliest diseases in history.</p><p>"Have I in­creas­ed the risk by showing how to do this? I don't know," the lead virologist of the experiment told Science magazine. "Maybe yes. But the reality is that the risk was always there."</p><p>This concept is known as the dual use problem, and it's what is spurring the U.S. government to quietly increase research and spending into unrealized biothreats stemming from scientific advances that are intended to be used for good. Studies hone in on seemingly far-flung biological threats, such as antimicrobial resistance, chemical inhibitors used to pacify populations, cyberattacks on people, and nanoweapons—microscopic poisons, drones, or bombs. </p><p>"The same methods that might be used to defeat cancers could be used to destroy adversaries through virulent pandemics," notes the Lexington Institute's 2018 report, Invisible Scourge, on the danger of chemical or biological attacks. "Breakthroughs in microbiology might thus become major threats to national security."</p><p>The U.S. Department of Defense (DOD) recently commissioned a report by the National Academies of Sciences, Engineering, and Medicine to determine the top emerging synthetic biology threats. The 234-page report details high-risk technologies based on their ease of use, the ability for use as an effective weapon, expertise and resources required to carry out an attack, and the ability to mitigate an attack.</p><p>Three potential capabilities stood out to researchers as high-risk: recreating known pathogenic viruses, making existing bacteria more dangerous, and making harmful biochemicals via in situ synthesis. While the scenarios discussed in the report are unlikely or impossible today, they are expected to become more feasible as research—often conducted for beneficial purposes—continues.</p><p>"Some malicious applications of synthetic biology may not seem plausible now, but could become achievable if certain barriers are overcome," the report notes. These include knowledge or technological barriers.</p><p>"Since synthetic biology-enabled weapons might be unpredictable and hard to monitor or detect, DOD should consider evaluating how the public health infrastructure needs to be strengthened to adequately recognize a potential attack," the report states.</p><p>Michael Imperiale, a University of Michigan professor and chair of the committee that wrote the report, tells Security Management that while most of the results were predictable, there were threats that he had not previously thought of. Imperiale has studied the biology of viruses and their effect on biosecurity for more than 30 years and says that one of the highest-risk capabilities surprised him.</p><p>"Using bacteria to deliver chemical or toxins in situ—that's not something I'd previously thought of," Imperiale says. "As we discussed it, I think most of us became surprised at what the potential problems could be with that. It would be relatively easy to engineer, and how would we know?"</p><p>This capability involves a microbe that enters a person's gut and makes biochemicals out of the infected person's microbes. It is particularly sinister because it masquerades as a naturally-occurring pathogen—similar to e. coli—and would be extremely difficult to recognize as an intentional attack. </p><p>"Imagine we could engineer a bacterium to synthesize some toxic chemical, something that makes people ill, and somehow had a way to introduce that into a person's microbiome—their gut—in an organism, maybe by contaminating a food supply," Imperiale explains. "The person would get sick, and the signs and symptoms would be those of a chemical exposure, but the causative agent is an infectious agent. How do you treat that, and how do you deal with that from an epidemiological point of view in terms of preventing potential spread? And if you're looking for a chemical [in the infected person] but not finding it, what do you do? It presents a lot of problems. In effect what you've done is turned a biological organism into a chemical attack. You've blurred the lines between bio and chem."</p><p>Even if the suspect bacteria were identified, it would still be difficult to figure out where the attack originated and who was responsible. The other two high-risk capabilities pose similar challenges—the Canadian horsepox experiment was a textbook case of recreating a known pathogenic virus, Imperiale says, and modifying bacteria to make it more dangerous has a relatively low technological threshold. There are no tools in place that would deter or prevent the development of modified bacterial pathogens. </p><p>The report identifies several other potential capabilities that are of lower concern but are still notable for the type and span of damage they can cause. For example, while the current ability to develop a new pathogen is low, it can easily be weaponized—and in an especially insidious way. Pathogens can be created with never-before-seen features, the report notes, including the ability to target specific ethnicities. </p><p>"Such features include, for example, the ability to target specific tissues or cell types using genetic logic, or the ability to produce aberrant neurological effects," the report states. "Similarly, such pathogens could employ novel timing mechanisms, creating a delay between the time of exposure and the onset of symptoms."</p><p>Imperiale notes that this type of attack would be less effective in the United States due the diversity of the population. "But, obviously, there are other reasons someone might want to attack specific ethnic groups as opposed to an attack on the U.S.," he says.</p><p>While Imperiale notes that the focus of the report was emerging synthetic biology threats and not the government's ability to address them, an overarching recommendation is to build a framework to assess synthetic biology capabilities and their implications. To prepare for such threats, the government needs to strengthen its preparedness against existing, nonmalicious biological threats.</p><p>"The nation's experience preparing for naturally occurring diseases provides a strong foundation for developing strategies to prevent and respond to emerging biologically enabled threats, particularly those based on naturally occurring pathogens," the report notes.</p><p>"Even though we didn't go into mitigation capabilities, we talked about how some of the existing public health infrastructure can play a very important role here," Imperiale says. "It's primed to look for these kinds of things, and that can certainly help out."</p><p>Another recommendation suggests that the government should not rely so heavily on its Select Agents list, which notes potentially harmful bio-agents and dictates the possession, use, or transfer of them. </p><p>"Strategies based on lists…will be insufficient for managing risks arising from the application of synthetic biology," the report says. "While measures to control access to physical materials such as synthetic nucleic acids and microbial strains have merits, such approaches will not be effective in mitigating all types of synthetic biology-enabled attacks."</p><p>Indeed, the horsepox DNA used in Canada could be obtained legally because it is not on the list, and the report notes that one of the most high-risk biological capabilities—modifying bacteria—would render the list useless. "The Select Agents list and voluntary screening guidelines are not likely to be sufficient to deter or prevent the development of modified bacterial pathogens," according to the report. </p><p>"We're not telling the government to throw the lists away. We're saying it's not enough, and the question is, what do you do next?" Imperiale says. "Ideally, if I could create something, it'd be some sort of means for detecting when a DNA sequence is going to encode something harmful, and you could screen for that."</p><p>While the DOD-commissioned study focuses on emerging technology that could be used for nefarious purposes, biological warfare has been around for a long time. The Lexington Institute notes that the technology needed to deploy such weapons is readily available. "The precursors for chemical weapons—choking agents, blister agents, blood agents, nerve agents—are manufactured at thousands of sites around the world," the Lexington Institute report states. "The technology needed to edit or synthesize organisms so that they can be used to spread disabling disease is now widely available in global commerce, and inexpensive."</p><p>While international conventions have banned the manufacturing of chemical weapons, more than 30,000 chemicals can be used to manu­facture choking, blister, blood, or nerve agents—and many of those are manufactured commercially. "Sub­stances that might be turned into lethal tools of war are so commonplace in modern industry that diversion to illicit purposes is difficult to prevent," the report says. "The majority are dual-use chemicals produced at commercial sites that might be diverted to destructive ends." </p><p>The dual use problem creates a challenge for government and industry to monitor or stop the production of such commonplace substances or emerging technologies that can provide beneficial, meaningful advances in sciences. And, while many of the biological capabilities listed in the DOD-commissioned report still feel like science fiction, Imperiale says the effects may be all too real.</p><p>"It's hard to guess when someone might try to do this," Imperiale says. "On the other hand, if someone did it and were successful, you could imagine the implications of that. It's like a movie scenario, with a biological attack—and there's something about a biological attack that I think raises a special level of fear. It's something that might be able to spread and carry on, as opposed to someone blowing up a bomb. I think it is really something we need to pay attention to as a country, and as a world. I think the DOD is going to take this very seriously, and hopefully they will be able to take care of us." ​</p>
https://sm.asisonline.org/Pages/Soft-Targets,-Hard-Challenges.aspxSoft Targets, Hard ChallengesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Soft targets pose a particularly difficult protection challenge. Take, for example, the 2017 Las Vegas shooting, when concertgoers enjoying a music festival at the Las Vegas Village open performance venue suddenly became targets for an active shooter firing more than 1,100 rounds from his hotel suite.</p><p>The scope of the tragedy—the deadliest U.S. mass shooting committed by an individual, which left 58 dead—made a deep impression on many interested in security, including officials at the U.S. Department of Homeland Security (DHS). "The Las Vegas shooting was really a catalyzing moment for our department," Bob Kolasky, DHS deputy assistant secretary for infrastructure protection, tells Security Management.  </p><p>Ten days after the shooting, U.S. President Donald Trump nominated Kirstjen Nielsen to be the new secretary of homeland security. When Nielsen took over the position, one of her first priorities was to raise awareness of DHS' existing security guidance and resources, so that they could be well-used by those who need them, Kolasky says.   </p><p>"We want to make sure our security resources are publicized, so they can help," he explains. As the Vegas shooting illustrated, soft targets seemed to be a good initial focus for DHS "to advance the security of things that traditionally haven't been that secure," he adds. </p><p>And so earlier this year DHS issued a resource guide and security plan overview for Soft Targets and Crowded Places (ST-CPs). In the overview, DHS defines ST-CPs as "locations that are easily accessible to large numbers of people and that have limited security or protective measures in place making them vulnerable to attack." This includes spaces such as schools, sports venues, transportation hubs, shopping venues, bars, restaurants, hotels, places of worship, tourist attractions, theaters, and civic spaces, according to DHS. </p><p>"ST-CPs do not have to be buildings and can include open spaces such as parks and pedestrian malls. ST-CPs will not necessarily be crowded at all times—crowd densities may vary," DHS says in the overview. "Securing these locations and venues is essential to preserving our way of life and sustaining the engine of our economy."</p><p>The guide is a catalog of soft target resources for businesses, first responders, government, and the general public. It is broken up into action categories such as identify suspicious behavior; protect, screen, and allow access to facilities; prepare and respond to active assailants; prevent and respond to bombings; and protect against unmanned aircraft systems (UAS).</p><p>DHS decided to include the latter category on UAS because of two recent developments, Kolasky says. First, various incidents overseas have demonstrated that some terrorists have the capacity to use UAS to cause harm. "We see that the threat is real," he explains. Second, for some U.S. sports facilities, defending against UAS "is something that is a top-of-mind concern," he says. </p><p>"There's demand from the security profession and there's a threat that warranted it," Kolasky explains.</p><p>The resources that the guide links to in each action category vary, and include informational materials, in-person and online training opportunities, videos, websites, and other tools. Although some of the resources were created in collaboration with partners, the DHS guide does not link to any resources that have no government connection. "That would be a more time-consuming effort and one that is fraught, at least a little bit, with the implications that recommending suggests endorsement," Kolasky says. "For now, we haven't worked through that."</p><p>One soft target expert, Jennifer Hesterman, says she was "really surprised" when the resource guide and overview were made public, because previously the agency had not been active with resource promotion. "They have been pretty quiet on the DHS side," says Hesterman, the author of Soft Target Hardening: Protecting People from Attack, which won ASIS International's 2015 Security Book of the Year Award.</p><p>Nevertheless, Hesterman says she is pleased with the issuance of the guide, for a few reasons. One is that it is a valuable public acknowledgment by the federal government of the risks of attacks. This is helpful at a time when some members of the public suspect that security professionals sometimes overplay risk because it benefits them professionally. "I've been called a merchant of doom," she says. "People think we just want to generate business, and so we will tell them horrible and scary things."  </p><p>Moreover, given the frequency of attacks like school shootings, some people are experiencing "security fatigue," and they simply do not want to discuss the topic any more, Hesterman explains. And to avoid causing widespread panic among the citizenry, federal officials are often measured in their communications about risk, so sometimes no sense of urgency comes through.</p><p>This is understandable, she says, but it's also important to realize that growing threats are out there, such as more attacks on critical infrastructure facilities. Citizens have the right to understand such risks, so in that respect the new DHS guide is helpful, she adds.</p><p>As for the section on UAS, Hesterman says it is a valuable asset for security practitioners. "Terrorists are already using drones to advance their goals," she explains. She also emphasizes that, on this issue like many others, "we have to think about what's next." Drones are also being used for security purposes, "but we have to think about how drones can be hacked. They can he hacked and grounded," she says. </p><p>Another growing area of vulnerability for soft targets is insider threats, she adds. In part, this is driven by a principle she explains as: "People have a public life, a private life, and a secret life." That secret life could include a gambling problem or another secret addiction that could push the person to extreme actions, and even those close to them may not realize that they are unraveling. "Insider threat is huge, and it's totally overlooked," Hesterman says.</p><p>Finally, Hesterman says the potential soft target threat of terror groups like ISIS has also grown.  Overseas, these groups have attacked soft targets like schools, whether it be Boko Haram kidnapping students in Nigeria or the Taliban killing more than 100 in an officer school in Pakistan. For these militant groups, soft targets are legitimate ones. "Terror groups and lone actors can leverage those to fit their agenda," she says. In fact, one statistic holds that 90 percent of war casualties are civilians, she adds. "Now it's like downtown is where the battle is."</p><p>The soft target guide and overview may turn out to be the first in a series of efforts by DHS to better leverage its preventative resources, officials say. The department released a similar guide and overview for school shootings in August (which will be covered in a future issue of Security Management), and officials are con­ducting a departmentwide review to determine what other resources can be promoted. ​</p>
https://sm.asisonline.org/Pages/Book-Review-Floods.aspxBook Review: FloodsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​ISTE Press Ltd.; Elsevier.com; 424 pages; $175.</p><p>The 24 chapters in <em>Floods: Volume 2—Risk Management </em>are written by contributing authors and edited by Freddy Vinet. Most of the authors hail from France and all are knowledgeable in crisis management and emergency planning. The chapters are interwoven effectively so there is no loss of continuity. Some chapters focus on technical matters, while others deal with operations. However, the combination of topics and styles keeps the reader interested.</p><p>Today, many organizations and agencies take an all-hazards approach to emergency management, but this book isolates one segment of a disaster—the flood. It delves into flood defense systems and flooding challenges. For readers who are not familiar with floods, the authors discuss the International Levee Handbook, which incorporates three main issues: external erosion, internal erosion, and instabilities. </p><p>The levee assessment and system risk analysis used globally today are discussed. Other topics include fragile and flood-prone areas around the world, including along the Yangtze River in China, the Mississippi and St. Louis Rivers in the United States, and the Languedoc-Roussillon region of France.</p><p>Societal challenges to flood mitigation, as the world learns more about dealing with severe weather, include the economic failure of government and business to prioritize these issues. It is also progressively problematic to circumvent the urbanization or development of potential flood zones.</p><p>The book explores current strategies to reduce the impact of flooding by incorporating crisis management theories and focusing on the reconfiguration and design of flooding structures. The authors discuss natural approaches, cost and benefit analysis, geography, and history to support their ideas and provide viable options for society. Emergency managers, governmental agencies, and professors in this field will find the book informative.</p><p><em>Reviewer: </em><em>Kevin Cassidy is a professor in the Security, Fire, and Emergency Management Department at John Jay College. He is a member of ASIS. ​ ​</em></p>
https://sm.asisonline.org/Pages/Survey-to-Explore-Use-of-Mobile-Forensics-Technology.aspxSurvey to Explore Use of Mobile Forensics TechnologyGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p><em>​Security Management</em> magazine, with partner MSAB, has commissioned <a href="http://bit.ly/ASISMobileForensicsSM" target="_blank">a survey</a> to examine current trends and challenges in deploying mobile forensics technology.</p><p>A growing number of corporate legal, investigation, and security departments need to gain access to data from company-owned or supplied mobile devices, including smartphones and tablets, in connection with internal investigations, corporate policy violations, HR matters, IT security events, e-discover cases, or other reasons. This survey is gathering information on current practices, challenges, and technology needs in this area.</p><p><em>​Security Management </em>Research remains a unique opportunity to leverage the strength and breadth of the ASIS International membership to the benefit of those members and the security of everything they protect. Participants will receive aggregated results as well as be entered into a drawing to win a $200 Amazon gift card.<br> <br>The survey should take approximately five minutes to complete. All responses will be kept strictly confidential. To access the survey, <a href="http://bit.ly/ASISMobileForensicsSM" target="_blank">click here.</a></p>
https://sm.asisonline.org/Pages/TOMANDO-VUELO.aspxTOMANDO VUELOGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p style="text-align:justify;">​En el condado rural de Grant, Washington, el personal de servicios públicos no sólo protege las subestaciones remotas: también ayuda a responder a los llamados de emergencia de la comunidad. Sin embargo, luego de un encuentro preocupante, quedó claro que algo tenía que cambiar; y los responsables de seguridad buscaron soluciones mirando hacia el cielo.</p><p style="text-align:justify;">El equipo de líderes de seguridad del Departamento de Utilidades Públicas del Condado de Grant (PUD en inglés) se reunió el marzo pasado para repasar un incidente inquietante que había ocurrido la noche anterior: un oficial de seguridad del PUD había respondido a reportes de un hombre aparentemente intoxicado disparando un arma indiscriminadamente en un pueblo cercano. Para el personal de seguridad del PUD no es extraño responder a llamados que no estén relacionados con los serivicos públicos por la naturaleza geográfica y rural del área, y esa noche un oficial desarmado llegó a la escena del disturbio antes que las fuerzas de seguridad. Afortunadamente, fue capaz de mantener al hombre en calma hasta que llegó la policía, y el evento terminó sin complicaciones. Sin embargo, luego de la revisión quedó claro que el oficial de seguridad estuvo expuesto a un gran riesgo.</p><p style="text-align:justify;">"Tenemos asuntos con gente intoxicada, o casos de violencia doméstica a los que siempre somos los primeros respondientes, porque las fuerzas de seguridad están a un largo camino de distancia", explica Nick Weber, CPP, SPP, gerente de seguridad del PUD del Condado de Grant. "Hemos visto nuestro vehículo de patrulla abollado por patadas de los residentes, gente disparando armas de fuego, y hemos pensado '¿cómo podemos hacer ésto mejor?'" El equipo debatió soluciones e inicialmente bromeó sobre usar un dron para mitigar problemas. Pero, tras una mayor consideración, Weber cuenta que la idea empezó a ganar mayor tracción. Utilizando un dron genérico, el PUD pudo entrenar a sus oficiales de seguridad subcontratados para echar un vistazo a una situación potencialmente peligrosa antes de exponerse a ellos mismos, reduciendo los tiempos de respuesta. El dron incluso podría ser utilizado para realizar evaluaciones preventivas de seguridad en las infraestructuras críticas del condado.</p><p style="text-align:justify;">"Hemos tenido problemas al lidiar con el hecho de exponer al peligro a personal de seguridad desarmado para resolver asuntos relacionados con el ambiente humano, así como al buscar formas de mejorar nuestro uso del tiempo y de recursos para realizar evaluaciones de seguridad en las subestaciones, represas, y otras estructuras críticas", comenta el entonces supervisor de seguridad física Brady Phelps, CPP, PSP. "Queríamos explorar los desafíos y oportunidades que los drones podrían presentar." Phelps, quien ahora trabaja como auditor para el Consejo de Coordinación de Western Electricity, comenzó a darle forma al plan junto a Weber y al gerente de cuentas de servicios de vigilancia George Hainer.</p><p style="text-align:justify;"><strong>EN LA INDUSTRIA</strong></p><p style="text-align:justify;">El uso de drones para propósitos de seguridad está continuamente tomando ritmo. En el verano de 2016, más de 2.000 organizaciones se habían postulado para recibir exenciones comerciales a través de la Adminstración Federal de la Aviación de USA (FAA) para utilizar drones con fines de gestión de emergencias, seguridad, o gestión de riesgos, de acuerdo con la Asociación Internacional de Sistemas de Vehículos No Tripulados. Y un informe de IFSEC Global denota que el mercado internacional de drones para seguridad crecerá a US$10 millardos para el 2020.</p><p style="text-align:justify;">Pero las solicitudes para exenciones comerciales no llevan a contar con programas de drones de la noche a la mañana, y el equipo de seguridad del PUD del Condado de Grant no estaba al tanto de ninguna otra compañía de servicios públicos que hubiera utilizado drones para mejorar la respuesta a emergencias. El Departamento del Alguacil del condado había estado utilizando drones para investigaciones durante alrededor de seis meses, y el PUD lo pudo contactar más adelante en el proceso para pedir consejos sobre la concesión, pero primero tenía que delinear un programa y conseguir su aprobación y financiamiento.</p><p style="text-align:justify;">"Estábamos preocupados por la posible percepción de que el departamento de seguridad estaba comprando juguetes, y que otras áreas se quejaran porque algunas de las cosas que hacemos en el equipo de seguridad son geniales y haya algo de envidia", cuenta Hainer. "También había algo de preocupación sobre desperdiciar dinero. Conversamos con nuestro jefe y acordamos crear políticas de uso estrictas, así como estándares de seguridad contra delitos y accidentes, y seguimos adelante con nuestro presupuesto para comprar tres drones de nivel doméstico como prueba.</p><p style="text-align:justify;">Mientras que el potencial de los drones parece infinito, Phelps remarca la importancia de entender a fondo sus capacidades y límites para explicar las posibilidades disponibles a aquellos que tienen que dar su aprobación, sin hacer promesas poco realistas. Y mientras que los drones iban a ser principalmente usados para las operaciones de seguridad, el PUD quería compartir ese capital con otros departamentos de infraestructuras críticas en el condado.</p><p style="text-align:justify;">"Establecer ese entendimiento firme de las capacidades de los drones nos ayudó para acudir a otros departamentos con necesidades similares", explica Phelps. "Queríamos ver cómo el departamento de tendido eléctrico o la represa podrían usarlos, así que presentamos ante sus líderes nuestra nueva herramienta con intención de compartirla. Éso eliminó aquella percepción interna al demostrar que se trata de una herramienta de negocios y que queremos ayudar a solucionar problemas, lo que aportó considerablemente a la aprobación por parte de la organización entera".</p><p style="text-align:justify;">Como parte de una demostración, el equipo del PUD trabajó con el departamento de la represa del condado para conducir el relevamiento de un dique usando drones. Lo que normalmente hubiera tomado tres o cuatro horas e implicaría exponer a trabajadores a condiciones peligrosas, tomó siete minutos y capturó un clarísimo video de alta definición que permitió una evaluación fácil.</p><p style="text-align:justify;"><strong>REGULACIONES Y MÁS ALLÁ</strong></p><p style="text-align:justify;">Antes de que el PUD pudiera comenzar a desplegar sus drones de forma regular, tuvo que cumplir varios criterios impuestos por el gobierno de los Estados Unidos de América. A diferencia de los usuarios individuales, las empresas o entidades públicas deben postularse para exenciones comerciales a través de la FAA. Adicionalmente, al PUD le interesaba la posibilidad de volar sus drones fuera de su línea de visión y de noche, lo que también requería dispensas. Otro desafío fue determinar quien iba a pilotear los drones, ya que todos los operadores deben certificarse en la FAA, lo cual consume tiempo y reduce la cantidad de personas que podrían utilizar la tecnología. "Pasar el examen es un gran problema para algunos guardias que no tienen la más mínima idea sobre aeroplanos", denota Hainer.</p><p style="text-align:justify;">Luego de consultar al Departamento del Alguacil del Condado de Grant, Hainer (quien había anteriormente contado con una licencia de piloto privado) comenzó el proceso para certificarse por la FAA como el piloto líder del equipo, permitiéndole conducir vuelos y entrenar a otros. El PUD todavía está esperando otro certificado del FAA que le posibilitaría al equipo a certificar sus propios pilotos.</p><p style="text-align:justify;">Durante el extenso proceso de certificación, surgió otro desafío imprevisto: los guardias de seguridad subcontratados del PUD que típicamente responderían a las emergencias presentaron un amparo a través de su unión sindical argumentando que el programa de drones les quitaría sus puestos de trabajo. Para atender este problema, el equipo de seguridad del PUD acordó que, además de Hainer, serían entrenados alrededor de 14 guardias para operar los drones. "Hay una gran posibilidad de que ellos vayan a necesitar más los drones que nosotros internamente", destaca Hainer.</p><p style="text-align:justify;">Weber detalló los esfuerzos del equipo para asegurarle a los ejecutivos que el programa no sería usado incorrectamente, ya que uno de los mayores casos de uso de los drones también es el que presenta mayores desafíos: una de las zonas clave de patrullaje del PUD está conformada por las tierras de ambos lados del Río Columbia, un estrecho de alrededor de 80 kilómetros con sólo un punto público de cruce.</p><p style="text-align:justify;">"La Ley de Murphy tiende a persistir en aquella zona de patrulla: siempre tenemos, de forma desmesurada, informes de incidentes del lado del río opuesto a donde nuestro guardia esté patrullando, haciendo que un vehículo tome más de 30 minutos para responder aunque tenga que realizar un recorrido de dos o tres kilómetros", denota Weber. Responder a una llamada con un dron permitiría al personal de seguridad contar con una buena conciencia situacional dentro de la franja de los 10 minutos y entender qué clase de respuesta adicional podría necesitarse. "¿Tenemos que ir a levantar basura o se trata de un delincuente violento?", explica.</p><p style="text-align:justify;">Sin embargo, un ejecutivo se mostró preocupado por el uso de drones a lo largo del río durante los meses de verano, que presentan una alta concentración de personas y es cuando más se necesitan. ¿Qué pasa si un guardia de seguridad decide utilizar un dron para seguir a un bote lleno de jóvenes en bikinis?</p><p style="text-align:justify;">"Ésa es una preocupación legítima", declara Hainer. "Habrá requirimientos estrictos sobre qué clase de eventos permitirán el despliegue del dron, la creación de un plan de vuelo y la coordinación con el Centro de Operaciones de Seguridad; especialmente cerca de las infraestructuras críticas. Cada vuelo va a involucrar un montón de papeleo para asegurarnos de que nunca sea usado incorrectamente."</p><p style="text-align:justify;">El PUD acordó restringir estrictamente el uso a situaciones en donde el dron resultaría significativamente más eficiente o pondría al personal fuera de peligro, dice Weber. Cuando una llamada llega al Centro de Operaciones de Seguridad, los guardias necesitarán documentar la justificación y un plan de vuelo antes de despachar un dron, así como notificar si el camino planteado se encuentra dentro de los 400 metros de distancia de una planta de energía, una línea de transmisión, o una subestación. "Estos controles proveen una certeza razonable para nuestra alta dirección de que los drones serán operados únicamente por personal entrenado y tendrán un propósito de negocios documentado antes de cada vuelo", explica Weber.</p><p style="text-align:justify;">Mientras que el progama de respuesta a emergencias con drones todavía está en sus albores, el PUD está esperando el resto de certificaciones y exenciones de la FAA, y Hainer está entrenando a los guardias para operarlos: el equipo ya ha comenzado a conducir evaluaciones de seguridad para el mismo departamento y para otros, tales como el relevamiento de represas.</p><p style="text-align:justify;">"Ahora mismo, estamos utilizando imágenes de Google Earth para realizar evaluaciones de amenazas y hay algo de retraso   al determinar qué es certero: un par de áreas no tienen imágenes actualizadas, y algunas otras son de baja calidad", comenta Hainer. "Estaríamos lanzando el dron utilizando un programa que compila las imágenes áreas para su posterior uso en planes de respuesta y evaluaciones de amenazas, siendo de mejor y más precisa calidad."</p><p style="text-align:justify;">Weber declara que el equipo está muy entusiasmado por los tiempos reducidos de respuesta y el potencial de mantener a salvo al personal de seguridad, pero el programa de drones también tendrá otros usos prácticos. El PUD planea utilizar drones para estar pendiente de las subestaciones remotas y líneas de transmisión, en vez de apoyarse en costosas cámaras o en vigilancia ambulante con vehículos terrestres. Phelps señala que los drones también pueden ser usados para asegurarse de que los sitios permanecen en cumplimiento de las normas y directrices.</p><p style="text-align:justify;">"Somos uno de los primeros grupos en la industria de la electricidad en hacer ésto, y no hay un camino exacto a seguir", dice Weber. "El departamento del alguacil ha sido de gran ayuda porque su programa está seis meses adelantado al nuestro; y a nuestro departamento de riesgos, que está encargado de los seguros, éso le genera comodidad por todos los beneficios que conlleva."</p><p style="text-align:justify;">El equipo declara que está encantado con que el programa sea lanzado a tiempo para los meses de verano que son más concurridos a lo largo del río, y que los miembros del personal están ansiosos por descubrir qué otras aplicaciones pueden tener los drones, tanto para la seguridad como para la gestión de infraestructuras críticas.</p><p style="text-align:justify;">"Las limitaciones no serán fijadas por la FAA, sino por mi imaginación", dice Hainer. "Los drones proveerán muchas más oportunidades que amenazas."</p><p style="text-align:justify;"><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Managemen<em>t is not responsible for errors in translation. Readers can refer to the</em><a href="/Pages/Employee-Theft.aspx?_ga=2.70499794.39132647.1534948271-192103165.1495546562"><em> </em></a><a href="/Pages/Taking-Flight.aspx"><em>original English version here​.</em><br> </a>​</p>
https://sm.asisonline.org/Pages/New-Survey-on-Active-Shooter-Preparation-Opens.aspxNew Survey on Active Shooter Preparation OpensGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Everbridge, in conjunction with <em>Security Management</em> magazine, is <a href="http://bit.ly/SMactiveshooter" target="_blank">conducting research</a> to uncover trends in active shooter incident preparation. Specifically, the research will be used to:</p><ul><li><p>Assess trends in active shooter preparations across various businesses and sectors.</p></li><li><p>Benchmark organizational emergency communications capabilities.</p></li><li><p>Identify vulnerabilities in the level of preparedness for active shooter incidents.</p></li></ul><p>This joint research project provides a unique opportunity to leverage the knowledge and experience of <em>Security Management </em>readers, as well as others in the security field to provide a snapshot of trends and practice in this important security area. Only aggregate data will be reported; your participation in the 2018 Active Shooter Preparedness Survey is greatly appreciated. </p><p>To take the survey, <a href="http://bit.ly/SMactiveshooter" target="_blank">click here.</a></p>
https://sm.asisonline.org/Pages/The-Fraudster-Down-the-Hall.aspxThe Fraudster Down the HallGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Employees are stealing from their own companies, and they are taking much more than just paper clips and Post-it Notes. Occupational fraud—sometimes called internal fraud—is globally costing businesses the equivalent of billions of dollars annually, according to a new global report.</p><p>The methods used by the culprits vary. Some skim cash from the reserves or walk away with inventory. Some alter numbers on payroll checks. And some pull off various embezzlement schemes, such as reporting false expenses or changing financial statements. The one commonality is that it is the organization's own employees who are perpetuating the misdeeds. Sometimes they act in collusion with each other, and sometimes they act alone.  </p><p>The findings come from Report to the Nations, an extensive study issued in April by the Association of Certified Fraud Examiners (ACFE). The study looked at 2,690 cases of fraud spanning 23 industries in 125 countries between January 2016 and October 2017. It is the tenth edition of the report, which ACFE issues every two years. </p><p>All told, the 2,690 cases of fraud resulted in losses that exceeded $7.1 billion. But the "true global cost of fraud is likely magnitudes higher," the report's authors write. ACFE estimates that 5 percent of worldwide business revenue is lost to fraud, which would come out to roughly $4 trillion annually. </p><p>"It's safe to say the problem remains huge," says John Warren, vice president and general counsel of ACFE and one of the authors of the report. </p><p>Given the magnitude of the losses, it's not surprising that another report, this one focused on the United Kingdom and issued last year by Bottomline Technologies, finds that executive concern about internal fraud spiked in just one year's time. </p><p>In the Bottomline report, UK Business Payments Barometer 2017, the percentage of study respondents who cited internal fraud as something they were concerned about jumped from 13 percent in 2016 to 31 percent in 2017, "a staggering 138 percent relative year-on-year increase," the authors write.</p><p>"There appear to be heightened levels of apprehension amongst financial decisionmakers," according to the report. "Equally as concerning is that almost 60 percent of financial decisionmakers simply did not know whether they had been impacted by [internal] fraud or not."</p><p>Occupational fraud, experts say, is an egalitarian crime; the culprit is just as likely to be a top executive as an obscure low-level employee. </p><p>"A fraudster doesn't look like a fraudster," Warren explains. "They look like everybody else. It legitimately could be anyone. It's not the person who looks sketchy. It could be the person who comes over to your house for dinner on the weekend." </p><p>When a fraudster is caught, coworkers are frequently shocked.</p><p>Historically, occupational fraud has been looked at as an accounting problem—numbers that don't add up tip off company leaders that something is wrong, Warren says. But ACFE's report shows otherwise. </p><p>"Part of our message is that it's not really an accounting problem, it's a behavior problem," Warren says. </p><p>In every edition of the report, ACFE has surveyed 17 different "red flag" behavioral indicators that tend to be associated with fraudsters. "What's fascinating is, every time we do the study, the same six rank highest," Warren says. </p><p>Those six red flag behavioral indicators are: living beyond one's means, financial difficulties, unusually close association with a vendor or customer, control issues and an unwillingness to share duties, divorce or other family problems, and a "wheeler-dealer" attitude or cultivated self-image. In at least 85 percent of the cases examined in the report, the fraudster displayed at least one of these red flags; in 50 percent of cases, he or she displayed multiple red flags. </p><p>Both male and female fraudsters exhibit these behavioral indicators, but often in different proportions, experts say. </p><p>"Studies in the past have shown that male perpetrators were more likely to be the wheeler-dealer-living-beyond-their-means type, whereas the women found themselves in some sort of financial distress and decided this was their easiest, or only, path for relief," says Shannon Walker, a fraud expert who is founder and CEO of WhistleBlower Security Inc. </p><p>ACFE's report bears out Walker's view. For female fraudsters, the most common red flag by far is financial difficulties; it occurs in 40 percent of cases, compared with only 24 percent of cases for males. And for males, the wheeler-dealer red flag was present in 16 percent of cases, compared with only 6 percent of cases for females. </p><p>"It does look like there are differences in the reasons why women steal, as opposed to men," Warren says. In addition, on average women commit smaller frauds than men do; losses tend to be 80 to 100 percent greater with men, he adds.  </p><p>Experts also say that security efforts to prevent occupational fraud can benefit from an understanding of the motivations and conditions underlying the crimes. </p><p>"Very few wake up in the morning and decide to rob their organization," Walker says. "Many have pressures to perform at work, pressures at home, or are suffering from various addictions that inform their decisionmaking processes."</p><p>Warren uses the "fraud triangle" model to explain the three conditions that are often present in occupational fraud incidents. </p><p>First, the employee is under financial pressure. Second, he or she is given an opportunity to commit fraud, such as access to company resources. Third, the employee rationalizes the theft to him or herself. </p><p>"They may think, 'I was borrowing it, I was going to pay it back,'" Warren says. Or, employees may feel the company owes them because they deserved a promotion and never received it.  </p><p>And if employees are on the verge of stealing, poor internal controls can help push them over the edge, Walker explains. </p><p>"Certainly, lack of controls or oversight contribute to the opportunity for those at risk to take that first step and steal," she says. "Once that wedge has been crossed, it becomes much easier for the fraudster to escalate."</p><p>In fact, the ACFE study found that nearly half of frauds examined in the report occurred because of internal control weaknesses. </p><p>For organizations that want to strengthen internal controls, Walker recommends maintaining consistent employee background checks before hiring; ensuring that sensitive duties are entrusted to more than one employee; implementing spot audit programs and conducting random audits on particularly vulnerable areas; and training employees about fraud prevention and the red flags they should be aware of.  </p><p>The other key to occupational fraud prevention lies in organizational culture, experts say.</p><p>Here, the tone is set at the top, Warren says. Organizational managers who always act ethically and treat all employees respectfully are leading by example; employees will often follow suit. </p><p>"But if leadership is pushing the boundaries, and wading into that ethical grey area, people will take cues from that," Warren says.</p><p>Walker agrees and says that some organizational leaders are taking steps to preempt bad situations by openly supporting a company code of conduct and ethics. </p><p>"Complacency and lack of a strong tone from the top are two of the most key indicators as to whether you are at risk," she says. "When management is seen as unengaged, unappreciative or apathetic, it creates an opportunity for a fraudster or potential fraudster to strike." ​</p>
https://sm.asisonline.org/Pages/Checking-in-for-Safety.aspxChecking in for SafetyGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A penny can go a long way. This concept that many small contributions add up to a big sum was the inspiration for a one-cent sales tax in Georgia, known as the Education Special Purpose Local Option Sales Tax (ESPLOST).</p><p>The public funding effort has helped further an environment of safety and security at local schools, says Mike Sholl, director of operations for the Catoosa County Public Schools.</p><p>Catoosa County Public Schools, made up of 17 elementary, middle, and high schools, plus a performance learning center, is currently in the fifth phase of the ESPLOST funding. Sholl explains that community members were polled on how they would like to see the public education dollars spent.</p><p>"We have townhall meetings and we do surveys, and the number one priority for parents is the safety of our schools," he tells Security Management. "So when we started ESPLOST V, that led us to implement all the safety initiatives we have." </p><p>Those initiatives include collaborating with local law enforcement to prepare for emergency response, and a variety of technological solutions to support security. "We have door buzzing systems, we've added cameras to our schools, so we've spent a lot of time and money on making our schools as safe as we possibly can," Sholl says.<img src="/ASIS%20SM%20Callout%20Images/0818%20CS%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:550px;" /></p><p>The local sheriff's office works closely with the district. There are plans to add live monitoring capabilities for police, allowing them to view events as they happen via campus cameras and provide dispatch. In addition, the district employs several school resource officers who either work full-time on a campus or divide their time among the schools. </p><p>Among Catoosa County's top concerns is the possibility of an active assailant situation at its schools. It wanted to be able to quickly notify law enforcement and provide teachers and students with the ability to quickly react, all while following policies and procedures. The district knew investing in this type of solution would aid in all types of hazardous situations, including medical emergencies, natural disasters, and other incidents. </p><p>At a regional school safety conference in 2015, Catoosa discovered SIELOX CLASS (crisis lockdown alert status system), a daily incident and crisis reporting tool. The district chose Tiger Creek Elementary, one of its 10 elementary schools, as its test case for the product, and installed it in early 2016.   </p><p>SIELOX CLASS operates via a Web or mobile interface that provides teachers or administrators with several customized options for sending different alerts, so it can be pulled up on any mobile device or computer. A dashboard with customized alerts allows teachers and administrators to perform a variety of tasks. Colored buttons make it easy to distinguish what type of incident is being reported, from a medical alert for the nurse's office to a 911 call in a life-threatening situation.  </p><p>"Our playgrounds are a good distance away from the school building. So—say a child gets injured on the playground, and could break a leg or an arm or hit his head or her head—that teacher can initiate the blue medical alert and get someone on the way out there," Sholl notes.</p><p>Teachers use CLASS daily for their morning check-in to let administrators know that they and their students are in the building. In the event of an incident, a chat box will pop up for all CLASS users where communication can take place. </p><p>"An important part of bringing in SIELOX was communication, and the ability to check-in," says David Beard, principal at Tiger Creek. "Each of the individual classrooms is represented by a different color and a different square, and we know the status of those rooms based on the color system that SIELOX uses." </p><p>CLASS also gives first responders and administrators a clear picture of where students and teachers are at any given moment. "If teachers leave the building or take students off campus, they will use SIELOX CLASS to let us know that they are no longer on the premises," says Braden Moreland, assistant principal at Ringgold Elementary, adding that it would help responders to know that they are not on campus in the event of an emergency. </p><p>The district also tied SIELOX CLASS to its cameras throughout the building, setting up an alert that would notify users of motion detection in a lockdown situation. </p><p>"We decided that we would like to use CLASS to detect motion in the building, so that if we did go into a hard lockdown there would be no traffic in the halls," Beard says. "If everybody else is locked down and out of the building, the sheriff's office has a good idea of where that perpetrator would be." </p><p>The district regularly conducts drills for all types of hazardous scenarios, including its dangerous situation protocol, known as "Run, Hide, Survive." With a panic button on the app, any teacher can initiate a lockdown at the school. </p><p>For enhanced situational awareness, the district incorporated camera views into the lockdown feature of CLASS. "The teacher gets the popup that says 'lockdown' and gets a bullet list of instructions on what to do, as well as two camera views of the hallway outside their classroom," Beard explains. "So, if he or she wants to do the run part of Run, Hide, Survive, he or she can see if there's any danger outside the doorway, and then make that decision to run with the children. So that's another layer we've added with SIELOX, and it works very well." </p><p> The district notes that, thankfully, no lockdown procedure has ever been necessary outside of a drill. However, an accidental activation of the lockdown feature by a receptionist at an elementary school proved the value of the product. </p><p>"She was trying to log out and she accidentally hit the lockdown icon, and of course I immediately received a text and I was on the phone calling the principal," Sholl says. "He went and found out that it was a false alarm, and within two minutes, the sheriff's deputy had pulled into the campus, because he had been notified and dispatched to that school." </p><p>The district plans to have SIELOX CLASS deployed at all 17 schools by the end of the 2017–2018 school year.</p><p>"CLASS provides a very quick response and gets the word out very quickly to lots of people," Sholl says. "The accidental lockdown just proved to us that it's very efficient and works how we want it to work." </p><p><em>For more information: Karen Evans, </em><a href="mailto:karen.evans@sielox.com"><em>karen.evans@sielox.com</em></a><em>, </em><a href="http://www.sielox.com/"><em>www.sielox.com</em></a><em>, 856.861.4568. ​</em></p>
https://sm.asisonline.org/Pages/Cyber-Goals-Past-Due.aspxCyber Goals: Past DueGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​On May 15, 2018, the U.S. Department of Homeland Security (DHS) released its cybersecurity strategy for the next five years.</p><p>"The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," said DHS Secretary Kirstjen Nielsen in a statement on the strategy's release. "Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself."</p><p>Between 2006 and 2015, the number of cyber incidents on U.S. federal government systems that were reported to DHS increased more than tenfold—including the massive Office of Personnel Management breach that compromised the records of more than 4 million U.S. federal employees and affected 22 million people.</p><p>"The growing interconnection of cyber and physical systems within critical infrastructure also creates the potential risk for malicious cyber activity to result in direct physical consequences," according to DHS. "For example, the December 2015 overriding of controls in the Ukrainian electric grid resulted in widespread loss of power."</p><p>More recent incidents, such as WannaCry and NotPetya, have also demonstrated the threat of using the Internet of Things to conduct cyberattacks with far-reaching consequences.</p><p>Because of this, Nielsen said DHS is "rethinking its approach" to cybersecurity to confront systemic risks by issuing its strategy guide. The guide was a requirement under the National Defense Authorization Act of 2017 and lays out a five-part approach to manage national cyber risk: identifying risk, reducing vulnerability, reducing threat, mitigating consequences, and enabling cybersecurity outcomes.</p><p>"Through our efforts to accomplish seven identified goals across these five pillars, we work to ensure the availability of critical national functions and to foster efficiency, innovation, trustworthy communication, and economic prosperity in ways consistent with our national values and that protect privacy and civil liberties," DHS said.</p><p>To understand the cybersecurity landscape and its risks, and address vulnerabilities, threats, and consequences of DHS's cybersecurity activities, the department must first be able to identify risks. </p><p>The department's first goal in this pillar of its strategy is to assess cybersecurity risks so it understands the "evolving national cybersecurity risk posture to inform and prioritize risk management activities," according to the strategy.</p><p>To do this, DHS said it plans to work with stakeholders—sector-specific agencies, nonfederal cybersecurity firms, and others—to understand trends in threats, vulnerabilities, interdependencies, and potential consequences so the department can prioritize its activities and budget accordingly.</p><p>"DHS must also take stock of gaps in national analytic capabilities and risk management efforts to ensure a robust understanding of the effectiveness of cybersecurity efforts," the strategy explained. "We must anticipate the changes that future technological innovation will bring, ensure long-term preparedness, and prevent a 'failure of imagination.'"</p><p>As part of this goal, DHS has set specific objectives, including identifying evolving cybersecurity risks that affect economic security, public health, and national security; identifying and creating plans to address gaps in analytic capabilities; and developing plans and scenarios for future technology deployments that could be disruptive.</p><p>Another pillar of DHS's strategy is to reduce the vulnerability of U.S. federal agencies across the board. </p><p>"DHS leads the effort to secure the federal enterprise and must use all available mechanisms to ensure that every agency maintains an adequate level of cybersecurity, commensurate with its own risks and with those of the larger enterprise," according to the strategy.</p><p>To assist the rest of the U.S. federal government, DHS will work with the Office of Management and Budget (OMB) to address systemic risks and interdependencies between agencies. </p><p>"DHS must also support agency efforts to reduce their vulnerabilities to cyber threats by providing tailored capabilities, tools, and services to protect legacy systems, as well as cloud and shared infrastructure," the strategy explained. "Within its own systems, DHS must continue to adopt new technologies and serve as a model for other agencies in the implementation of cybersecurity best practices."</p><p>As part of this pillar, DHS laid out sub-objectives to more clearly define how it will achieve this goal. These include developing and implementing a clear governance model for U.S. federal cybersecurity; issuing new or revised policies and recommendations to ensure adequate cybersecurity across the enterprise; and providing agencies with integrated and operationally relevant information necessary to understand and manage their cyber risk.</p><p>One example of this in action prior to the release of the strategy was DHS's binding operational directive 18-01, which required U.S. federal agencies to increase their email and Web security. Specifically, DHS mandated that agencies implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) for their email systems. (See "Spoofing the CEO," Security Management, October 2016.)</p><p>Another goal of this pillar of the strategy is to protect critical infrastructure by partnering with stakeholders to ensure national cybersecurity risks are managed. This partnership is key because a majority of the critical infrastructure in the United States is owned and operated by the private sector.</p><p>"DHS must partner with key stakeholders, including sector specific agencies and the private sector, to drive better cybersecurity by promoting the development and adoption of best practices and international standards, by providing services like risk assessments and other technical offerings, and by improving engagement efforts to advance cybersecurity risk management efforts," the strategy stated. </p><p>An example of this in action was DHS's response to the 2017 WannaCry ransomware attack. During the attack, DHS's National Protection and Programs Directorate partnered with other agencies and the private sector to help U.S. hospitals—a major target of WannaCry—ensure their systems were not vulnerable to the malware. It also released an unclassified technical alert to help defenders defeat the malware and prevent is spread.</p><p>In addition to reducing vulnerability, DHS's strategy also outlines a goal to reduce threats in cyberspace overall. </p><p>"In partnership with other law enforcement agencies, DHS must prevent cyber crime and disrupt criminals and criminal organizations who use cyberspace to carry out their illicit activities and leverage identified threat activity and trends to inform national risk management efforts," the strategy explained.</p><p>To do this, DHS will create investigative priorities related to illicit cyber activity, identify and conduct high-impact investigations of cybercrimes by transnational criminal organizations, disrupt online marketplaces for malicious cyber activity, and develop options to disrupt, counter, and deter transnational criminal organizations.</p><p>The final portions of the DHS strategy are to mitigate consequences and enable cybersecurity outcomes. </p><p>With the rise of cybercrime and illicit cyberactivity, DHS must have a role in limiting the impact of significant cyber incidents, the department said. </p><p>"Many cyber incidents do not require a national response," the strategy explained. "But when they do, DHS plays a unique role in responding to cyber incidents to mitigate potential consequences by providing technical assistance to affected entities and other assets that are at risk and investigating the underlying crimes."</p><p>DHS took this role, for example, in July 2017 when the U.S. Secret Service—part of DHS—worked with international law enforcement to arrest a Russian national who allegedly operated BTC-e.</p><p>"From 2011 to 2017, BTC-e is alleged with facilitating over $4 billion worth of Bitcoin transactions worldwide for cyber criminals engaging in computer hacking, identity theft, ransomware, public corruption, and narcotics distribution," DHS said. "Researchers estimate approximately 95 percent of ransomware payments were laundered through BTC-e."</p><p>While the strategy is an important framework for the U.S. federal government, it has been met with criticism. </p><p>Ray DeMeo, chief operating officer of Virsec, says the DHS strategy is high-level and is missing an implementation plan.</p><p>"One of the document's guiding principles is to foster innovation and agility—this is a big ask, where existing time horizons must be reduced from years down to months," DeMeo says. "We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happening daily, if we are going to change the asymmetric nature of today's threat landscape."</p><p>DeMeo also says he will be looking for more information from DHS—a department with a domestic mandate—about how it intends to address cybersecurity globally.</p><p>"The reality is that a large portion of Internet crime is driven from the international Wild West, from areas with lax law enforcement or actional nation-state sponsorship," he explains. "This problem is as much diplomatic as it is technological."</p><p>Two of the most vocal critics have been U.S. Representative Bennie G. Thompson (D-MS), ranking member of the House Homeland Security Committee, and U.S. Representative Cedric L. Richmond (D-LA), ranking member of the Cybersecurity and Infrastructure Protection Subcommittee and author of the legislation that originally mandated the strategy.</p><p>In a joint statement, Thompson and Richmond said the strategy is overly focused on policies and procedures that DHS needs to develop further. </p><p>"It also fails to mention—at any point—one of the most pressing cybersecurity challenges of the moment: election security," they said. "The fact is, because of the department's failure to adhere to the statutorily-mandated deadline, it lost time and missed opportunities to make progress maturing its cybersecurity posture and capabilities."</p><p>The congressmen added that they hoped to see more information about how DHS plans to implement its strategy in another report, which is due to Congress by August 15, 2018.</p><p>"In particular, we expect it will provide greater detail on the roles and responsibilities that components will undertake, a description of any new authorities it needs to fulfill its mission to secure federal networks, as well as an explanation of what resources the department will need," Thompson and Richmond said.</p><p>As of <em>Security Management</em>'s press time, DHS had not submitted an implementation plan to Congress. ​</p>
https://sm.asisonline.org/Pages/Getting-the-Green-Light.aspxGetting the Green LightGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The current administration in the U.S. White House has raised concerns about the national security threat posed by the immigration system, which sparked a crackdown on foreigners residing both legally and illegally in the United States. An increase in arrests of illegal immigrants during U.S. President Donald Trump's first year in office, combined with the deadly fall 2017 truck attack in New York by an ISIS-inspired green card holder, raises questions about what it takes to live in the United States legally, and just how secure that process is.</p><p>A recent series of federal reports reveals that the process for granting permanent residence to foreign nationals—commonly known as issuing a green card—is inefficient and stuck in the 20th century. The largely paper-based application process is riddled with inaccurate information, and the time it takes for an application to be processed is more than twice the U.S. Department of Homeland Security's (DHS's) stated goal time.</p><p>U.S. Citizenship and Immigration Services (USCIS), which operates under DHS, oversees the processing of more than 50 types of foreign national benefits, including green cards. An April 2018 USCIS report documenting the issuance of green cards to legal immigrant workers sponsored by their employers paints a grim picture: immigrants from India with advanced degrees, for example, have a projected wait of 151 years to receive their green cards.<img src="/ASIS%20SM%20Callout%20Images/0818%20NS%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:352px;" /> </p><p>Not all waits for green cards are so long—several factors affect the quantity and frequency of green card dispersion, including the category of visa through which immigrants apply, their country of origin, their family, employment or education status, and more. According to a March 2018 DHS Office of the Inspector General (OIG) report, USCIS field offices have an average completion time of more than seven months. The department's goal completion time is four months, which is achieved in fewer than 3 percent of cases, according to the OIG report. </p><p>"Lawmakers, immigration advocates, and the public have raised concerns about how long USCIS takes to adjudicate green card applications," the OIG report notes.</p><p>In addition, USCIS posts inaccurate green card application completion times on its website, which causes confusion for applicants and within the department itself. The OIG report found that the calculated date of when a decision will be made on an application is already six weeks out of date once it is posted on the website because it takes time to collect internal data. </p><p>"The information is confusing, unhelpful, and makes it very difficult to determine how long applicants can realistically wait for a decision," the OIG report states.</p><p>The website can also skew a field office's perceived rate of productivity. If a field office's number of pending applications rises suddenly, it can move the calculated decision date backwards. </p><p>"This apparent lengthening in processing time may make a field office appear inefficient when the reality may be quite different," the report states.</p><p>One example cited involved the Reno, Nevada, field office, which on the USCIS website appeared to have slow processing times—but was actually completing applications more quickly than the national average. Due to the office's efficiency, USCIS shifted more applications from other offices to Reno, which caused the website processing time to spike and display an inaccurate calculation—for a while, Reno was showed to take an average of 518 days to complete applications, when it actually completed them in about 184 days. </p><p>The overall delay in processing applications may be a matter of perception as well, according to the OIG. Because the application process consistently takes twice as long as the USCIS goal time, the report states that it is unrealistic and should be reassessed. In efforts to meet the current goal processing time, the department has spent $42.5 million in a five-year span for inspection service officers to work overtime to clear the backlog.</p><p>"USCIS has used temporary staffing assignments and overtime to keep processing times low, but it currently takes, on average, more than twice the amount of time," the OIG report notes. "We believe USCIS is not meeting its 120-day goal because the goal itself is unrealistic given the complexity of adjudications and factors beyond USCIS' control that affect the timeline. A goal that does not reflect operational realities contributes to unmet customer expectations and reduces trust in USCIS."</p><p>The OIG wasn't the only federal entity to investigate the green card application process. In a 2017 report, the U.S. Government Accountability Office (GAO) investigated just what is taking so long when it comes to processing green card applications—and whether the system ensures the integrity of the immigration process.</p><p>USCIS has been trying since 2006 to transform its current paper-based system into an electronic one but has faced management and development challenges—GAO notes that over the last 10 years, it has made 30 recommendations to address weaknesses in the program, 18 of which USCIS has complied with.</p><p>The so-called transformation program to create a software platform to process green card applications has experienced "significant cost increases and schedule delays," GAO reports. The program's most recent baseline indicates that it will cost up to $3.1 billion and be fully deployed by March 2019—that's an increase of $1 billion and four years longer than previously thought. The program has been operating in breach—without a DHS-approved acquisition strategy and baseline due to exceeding a previous baseline—off and on since 2013. </p><p>"The program did not complete deployment of system functionality associated with its Citizenship line of business by its September 2016 deadline, resulting in another schedule breach," says Carol Harris, director of information technology acquisition management issues at GAO. "Since then, we have reported that the program remains in breach. Until the program re-baselines, it is unclear whether USCIS still intends to fully deploy by March 2019."</p><p>After the September 2016 breach, USCIS had planned to re-baseline the program in February 2017, but GAO reports that in December 2016, DHS leadership instructed the department to stop development on the project and instead develop a remediation plan. "DHS leadership elected to continue with the program's pause in new development following program reviews in March 2017, July 2017, and October 2017," GAO noted in a recent update. The program's office also underwent a reorganization in January 2017. When asked if the pause in development was due to the new White House administration, Harris says that GAO did not investigate or report on the reason for revising the remediation plan.</p><p>The continual delays in deploying a fully electronic application system are impacting the ability of USCIS to realize the cost savings and benefits of the eventual transformation, GAO notes. Currently, legacy systems must remain operational until the electronic system is fully deployed. Even in 2014, GAO notes, it cost USCIS an extra $71 million to maintain both systems. And a previous software system that the department spent eight years and $475 million to develop was decommissioned in 2016 due to its instability.</p><p>There are still serious questions about whether the new software—if or when it's fully deployed—will solve the department's backlog woes. GAO notes that by operating in breach status for so long and not addressing key practices for software development, USCIS risks deploying a system that does not meet its cost, schedule, or performance needs.</p><p>"It is more important than ever that USCIS consistently follow key practices associated with software development, systems integration and testing, and contract management and execute effective program oversight and governance," the GAO report states.</p><p>OIG notes that a larger percentage of foreign nationals may be subject to interviews in the future, further lengthening the amount of time it will take to complete the green card application process. That report recommended that USCIS update its website to more accurately reflect the length of the application process and to reassess the current goal of 120 days, and the department concurred, noting that it will monitor processing times over the next year and consider a new goal time. </p><p>"The integrity of the citizenship process depends on careful adjudication of green card applications," the OIG report states. "Given their responsibility and the consequences of their decisions, [information service officers] should continue to be given time to thoroughly vet applicants, especially if adjudicating green card applications becomes more complex." ​</p>
https://sm.asisonline.org/Pages/How-to-Implement-ESRM.aspxHow to Implement ESRMGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​International Paper (IP) is one of the world's leading producers of fiber-based packaging, pulp, and paper. Headquartered in Memphis, Tennessee, IP employs approximately 52,000 people worldwide and has operations in more than 24 countries serving customers around the globe. </p><h4>The Challenge</h4><p>When IP's director of security announced his retirement, the IP team—Deon Vaughan, vice president, deputy general counsel, chief ethics and compliance officer; Casey Yanero, HR manager, corporate staff groups; and Jennifer Carsley, director, legal operations—recognized it was time to transform corporate security to an enterprise level function.  </p><p>The ever-changing threat landscape and IP's core values of "Safety, Ethics and Stewardship" underscored the need for IP to transition to a proactive security posture. To lead this transition, IP hired Art Fierro, CPP, in February 2017 to fill the newly created chief security officer (CSO) role.</p><h4>ESRM Solution</h4><p>Enterprise security risk management (ESRM) links security activities to an enterprise's mission and business goals through risk management methods. </p><p>The CSO's role in ESRM is to manage risks to enterprise people and assets in partnership with the business leaders. ESRM involves collaborating with business leaders on the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, and then implementing the strategy in line with accepted levels of business risk tolerance.</p><p>Fierro's background is rooted in ESRM in both the government (FBI) and the corporate space. To move IP from a traditional security organization to an ESRM enterprise model, Fierro conducted an extensive security analysis to identify where the organization excelled and where the data showed opportunities for improvement.  </p><p>The analysis included conversations across business groups and corporate partners. It served as the foundation for IP's ESRM strategy and helped create its vision statement: "To protect IP people, information, products, and the corporate brand in support of business objectives and enterprise success."</p><p>IP's new enterprise security strategy is grounded in the principles of security mitigation steps based on risk and using cost-benefit analysis to ensure a return on security investment. The strategy also aligned with IP business operations and is designed to help achieve business objectives—meaning security would not just be a cost center but also a business enabler.</p><h4>Partnerships</h4><p>Sharon Ryan, senior vice president, general counsel, and corporate secretary, embraced ESRM as IP's new enterprise security strategy, because the strategy was aligned with IP's core values and business strategy.  </p><p>"We recognize that by adopting the latest risk management strategies in enterprise security and bringing on experienced security professionals, not only are we helping protect our people and property, we are also reducing the risk of negative exposure related to our brand and reputation," she says. </p><p>Ryan supported the strategy by rebranding IP Corporate Security to Enterprise Security Management and creating three new positions reporting to Fierro and designed to address IP's enterprise risks: global threat manager, global physical security manager, and global investigations manager. The three functional roles cover the spectrum of enterprise risk and each has a deployment roadmap, which ties into the larger Enterprise Security Management global strategy.</p><p>Vaughan also supported the effort by endorsing a campaign for Enterprise Security Management to build partnerships across business lines, such as IP's Environmental Health and Safety (EHS) department, and to partner on initiatives to protect IP's employees—one of Enterprise Security Management's strategic objectives.</p><h4>Outcomes</h4><p> With the endorsement of ESRM at the leadership level, Fierro was able to work with partners to create a risk-based security program to focus security resources on identified risks. The program also provides the operating manual for vulnerability and risk assessments, so IP can make informed business decisions about its risk tolerance.</p><p>Enterprise Security Management created a new concept, a virtual operations center, which produces a global threat picture that helps it identify and address emerging global threats to IP employees and facilities. The virtual operations center is outsourced to leverage economies of scale, leading edge technology, and professional threat analysts and operators, while providing an excellent return on security spend.</p><p>Over the past year, Enterprise Security Management focused on a number of strategic initiatives. One is the geospatial traveler-tracking program for IP's traveling employees. </p><p>The program provides real-time mobile device GPS monitoring, on a voluntary basis, with a panic button for emergencies. The program is monitored  at all times by the virtual operations center.  </p><p>Another initiative is the corporate campus security capital improvement project. Enterprise Security Management is leading a security improvement project for IP's corporate headquarters based on ASIS International physical security standards and guidelines, as well as geographic risk demographics and the return on security spend. </p><p>Enterprise Security Management also launched its first national security guard force contract to consolidate and standardize guard force operations across certain U.S.-based facilities. The consolidated operations agreement helps ensure consistency and reduce cost.  </p><p>Enterprise Security Management is also working with EHS to add a security aspect to the current field assessment process to identify actual risk at IP's global locations. Assessment results will be used to develop security recommendations, including leveraging security technology.      </p><p>Additionally, Enterprise Security Management created a new active shooter response training program for employees. The training included Virginia Tech shooting survivor Kristina Anderson, who shared a survivor's perspective, as well as the Memphis Police Department, which provided training for employees on Run. Hide. Fight. The active shooter plan is also available on IP's internal website for employees to reference.</p><p>Working across business groups and with critical internal partners, Enterprise Security Management developed new crisis communications reporting, dissemination, and functional requirements that include mass communications features for a unified enterprise response to manmade or natural disasters.  </p><p><em><strong>Art Fierro, CPP,</strong> is CSO at International Paper. He formerly served as CEO of Ronin Option - Cyber; executive vice president at Resilient Integrated Systems; and vice president at 20th Century Fox Film Corporation. He is a member of ASIS International. ​</em></p>
https://sm.asisonline.org/Pages/Street-Smarts.aspxStreet SmartsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>In the hit 1999 movie The Matrix, people go about their daily lives unaware they are in a simulated, alternate reality being controlled by greater powers. In one scene, the main character Neo, played by Keanu Reeves, sees a black cat walk past a doorway. A few moments later, the same cat walks by again.</p><p>"Déjà vu," he says aloud. His comrades, who know they live in the Matrix, are disturbed by the claim and press him on what he saw. When he says he observed the same black cat walk by—twice—they spring into action, explaining that a déjà vu demarcates a glitch or change in their synthetic world.  </p><p>A similar concept exists in the field of countersurveillance, referred to as the déjà vu effect. While traveling in a foreign place, if the same person or vehicle appears twice, it is likely not a coincidence. Someone could be following the traveler, scoping him or her out as a potential target for crime. I learned to rely on this principle during my time as a CIA case officer, traveling to some of the most dangerous parts of the globe to collect intelligence. </p><p>However, one does not have to be in a war zone or third-world country to encounter threats. Much like the Matrix, even a seemingly normal setting can quickly turn upside down and require quick thinking. Simple observation of one's surroundings, like being on the lookout for the déjà vu effect, will greatly help solo travelers maintain their personal security. </p><p>Similar to a corporate travel security program that tracks executives or employees while on business, individuals can protect themselves by adopting a portable set of principles and concepts that they can take them with them wherever they go. </p><p>There are three key concepts that must be in place for a personal travel security program to work. Just like a physical security or cybersecurity program at a large corporation, a personal travel security plan must first be effective to protect the individual. If a building has a fence that is not properly maintained or a camera system that is broken, the physical security program is considered ineffective. If someone relies on a personal security program that he or she cannot recall from memory and put into action, it will be unsuccessful. </p><p>The second aspect of a personal security program is the concept of risk. In enterprise security, there are assets, threats, vulnerabilities, and countermeasures. In personal security, the asset being protected is oneself. The threats are usually external to the traveler, but vulnerability—weakness—is a unique element of personal security risk. Vulnerabilities can exist both outside or within the individual. Understanding this unique aspect of personal security risk is crucial. The countermeasures to mitigate risk can be learned and taken with the traveler to stay safe.</p><p>The third element in a personal travel security program is timing. You make your own luck in personal security, and if your timing is off, it could make the difference between avoiding being kidnapped or sitting in captivity.​</p><h4>Personal Security Principles</h4><p>Understanding these three concepts—effectiveness, risk, and timing—will allow the traveler to grasp the five foundational principles to the personal security program. These principles can be easily recalled from memory and applied in even the most stressful of circumstances. </p><p><strong>Preparation. </strong>The first and most important principle behind an effective personal security program is preparation. Effective preparation diminishes doubt and mitigates the fear of the unknown. Note that eliminating fear is never the goal. When harnessed properly, healthy fear can be helpful rather than harmful. Advance preparation also gives one the confidence of knowing that unexpected circumstances can be dealt with, no matter how little one knows the local language or culture.</p><p>Travelers should research the area they are traveling to and familiarize themselves with the location geographically. Use the Internet and other means before arriving, but also conduct a mental site survey once you arrive on-site. In the Middle East, for example, few streets have names. Take note of major landmarks, roadways, and other characteristics that stand out in case you may have to remember where you were at any point in time. </p><p>Planning in advance for potential physical and mental health needs is another element of preparation. It is best to be a "walking pharmacy," and travel with several drugs for common ailments and illnesses. If the traveler or a comrade should become ill, it can be a major handicap. </p><p>Mental health is often overlooked when preparing for a trip. Attempt to have your affairs in order before leaving home. There are three elements to "engineering" peace of mind: electronic communications and backup, enlisting a point-of-contact that can make decisions on your behalf, and duress plans—a way to discreetly convey you are in trouble. Having a will, bills paid, and accounts in order are also important. When relationships with loved ones, friends, or coworkers are at loose ends, it can truly eat away at a person who finds him or herself in captivity, or an otherwise distressing travel situation. </p><p>Packing light is advisable, only bring one carry-on bag so that arms and hands are as free as possible. Documentation and money are two key areas that should be taken care of in advance. Essential documents, including passport and any travel visas, should be kept close to one's person and not put in checked luggage, as well as important credit cards. </p><p>Normally, bringing roughly $300 to $500 in U.S. currency should suffice, but be sure to work out how much cash you may need over the course of the trip. Small U.S. bills are handy, and something of value that everyone recognizes—the U.S. dollar is often an acceptable form of currency in a pinch. The traveler should break down the total amount into $20 bills and divide that roughly in half between checked luggage and the important items to be carried on.</p><p>Small bills also allow the traveler to find and pay cash for personal transportation upon arriving at the destination. When you do not have the luxury of prearranged travel by a corporate security program, choosing your own transport on-site is critical, versus having it solicited or having someone else choose it. </p><p>In some high-risk locales, drivers for hire typically wait outside airports, bus stations, and train stations, and are on call. It is advisable to be deliberate and maintain control of how you choose transportation. Look first for kiosks with taxis for hire or hotels with shuttle transport. If none are available, ask an airline representative what transport can be trusted. The last resort is to look for marked taxis outside and choose one—do not let it be chosen for you.</p><p> Keeping and maintaining the element of unpredictability is important to your security. If the driver you hire is reliable, it is worthwhile to keep the same driver to take you from place to place throughout the duration of your trip. This allows you to build a relationship with that person and have someone you trust to get you around the area. </p><p><strong>Detection.</strong> The second principle to a personal security program is detection. It's imperative for the traveler not just to see what is around him or her, but to observe it. Observing is intelligent detection and keeps you in the present moment. </p><p>Such skills can be important in preventing crimes such as pickpocketing. Travelers who are preoccupied, even mentally, make themselves a vulnerable target. Take off the ear buds or headphones, stay alert, and keep your mental focus on the here and now. </p><p>London's Piccadilly Circus, for example, is an infamous place for pickpockets. These crews target travelers who are distracted, whether it be window shopping, talking on cell phones, or sightseeing. Pickpockets work in teams, with one person designated to distract the victim, another to take the item, and a third to move it away from the crime scene. Someone on this team may have already scoped out where important effects are kept without the individual's awareness.</p><p>The déjà vu effect discussed earlier comes into play in the element of detection. If you are walking down the street toward an ATM, for example, and someone seems to be following or keeping pace with you, pay attention to that. Being aware of this allows you to assess it, and take proactive action. Most often, petty thieves move on to easier targets once they realize they have been spotted.   </p><p><strong>Deterrence.</strong> The third principle to an effective personal security program is deterrence. Deterrence is how you look and behave. Blending in with your environment helps eliminate the possibility that someone will see you as a target, but this is not just achieved by the clothes you wear. </p><p>While a subtle wardrobe is an essential element to maintaining personal security, so is a sense of confidence in the traveler's gait as he or she goes from point A to point B. </p><p>Keep smartphones and other valuable items tucked away in a bag. Be discreet when accessing them in a public place. Threat actors look for low-hanging fruit, so part of deterrence is making oneself appear less vulnerable to assault. The goal is to make it harder for the bad guys to go after the traveler in any way. </p><p>Deterrence can apply to the type of car you use when renting a vehicle. For example, while with the CIA and afterwards in the international consulting world, I took trips into Mexico, Yemen, Africa, and elsewhere in the developing world. I consistently looked for cars that were worn and unattractive. I drove through the first mud puddle I could find, and did not wash the vehicle over the course of the trip. The more dented and dirty, the better. It blends.  </p><p>The last two principles of a personal security program—delay and defense—are a last resort and should not come into play if the first three principles are aptly applied. The traveler should deploy the last two principles to survive and escape threats with as little harm as possible.</p><p><strong>Delay.</strong> The fourth element, delay, comes into play when you have been targeted, particularly on the street. Putting space between yourself and the threat buys you time—time to run, or time to prepare to defend yourself. </p><p>While traveling, I carry decoy items with me to create delay in a mugging situation. One is a throwaway wallet, stuffed with fake credit cards and petty cash sticking out of the sides. Tossing this to the threat creates enough time to get away without losing items of real value. I also wear a cheap watch that looks expensive. In Central America, I once used such a decoy watch to get away from a thief, who ended up with a cheap fake Rolex. </p><p>Carrying a whistle is also advisable, because it adds the element of surprise and draws attention to the scene—not normally an adversary's desire. With delay, one is creating distance between oneself and the threat. The greater the distance, the greater the chance of survival. </p><p><strong>Defense.</strong> The final principle is defense. What does the traveler do if his or her options are being mugged, injured, or killed—or fighting back? No matter a person's age or level of physical fitness, there are certain defensive tactics that can increase one's margin for survival and potentially limit the amount of harm done. Consulting a self-defense expert on tips and techniques, whether they are hand-to-hand combat, or firearms training, is certainly advisable. However, if the adversary has a weapon—particularly a firearm—it is wise to go along with his or her demands.</p><p><strong>Captivity.</strong> Should you be abducted, if you are able, make a scene—yell and scream as loud as possible. Doing so creates witnesses, which can help when a search is conducted. One former U.S. drug enforcement agent did just this while being kidnapped in Mexico, and witnesses helped police in the search that eventually led to his rescue. </p><p>In the rare circumstance that you are kidnapped, once you're physically controlled, stop struggling physically. The last thing you want is to go into captivity with a broken nose or broken bone. Part of a personal security program is staying alive, so be prepared for the possibility of this circumstance. Have one or two key phone numbers memorized, so that if you are unexpectedly released in an unfamiliar place you can make a call to someone who will answer. </p><p>Communicate with the captors and let them know if medication or other physical care is needed. Try to build a relationship with the people who are responsible for you so that they are inclined to hesitate before harming you. </p><p>Kidnaps for ransom have become increasingly commonplace in countries like Mexico and Colombia. Travelers should have a plan in place before leaving home for a lawyer or third party to help negotiate release. A loved one should not be responsible for negotiations, because they can bring too many emotions into the transaction.  </p><p>One area where your family or loved ones can help, is having a prepared list of "signs of life" questions for those aiding in the release or rescue; statements or facts that only you and that person know. These can be communicated by the captors to the loved one so that they know the person is, in fact, alive. Duress phrases, such as, "make sure you water the garden," (when, in fact, you might not have a garden) that signal safety or distress without the captor's knowledge can be useful.</p><p>Finally, in a rescue operation, you should know that law enforcement or the military might not immediately recognize you as the victim. Let the operation unfold, keep low, and keep your hands visible so that you're not inadvertently harmed in the cross fire.  </p><p><strong>Skills for life. </strong>While working as a CIA officer abroad, I traveled and worked for decades without a badge or weapon and learned to bring the aforementioned skills to bear to keep myself and those for whom I was responsible safe. With or without the support of an executive protection program, traveling solo requires a person to rely primarily on himself or herself for basic security. </p><p>The five elements of a personal travel security program—preparation, detection, deterrence, delay, and defense—should be thought of as mental pegs. Take the details that go under each concept and hang them on those five pegs. Then you can quickly and effectively grab the tools needed in high-risk situations and environments. Internalizing these skills will help build good instincts, increase your awareness, and ultimately provide life-saving protection.</p><p><em><strong>Charles Goslin, CPP,</strong> Principal & Owner, CG Security Associates, LLC, is a retired CIA operations officer and veteran of U.S. Army Intelligence with 35 years of experience. He is a member of the ASIS International Houston Chapter and serves on the Book of the Year Award Committee. He is the author of the book Understanding Personal Security and Risk: A Guide for Business Travelers. ​</em></p>
https://sm.asisonline.org/Pages/Five-Not-So-Easy-Pieces.aspxFive Not-So-Easy PiecesGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Alignment is in. Many cities, municipalities, corporations, and school systems are taking steps to align their physical security systems so that security programs across locations will be fully integrated.</p><p>The benefits of such a move are numerous. Uniformity across systems makes it easier for end users, and converged systems are easier to manage from operation centers. Moreover, having only one system makes maintenance and upgrades easier, and this can help provide long-term stability. </p><p>But achieving alignment is no easy feat. Navigating a physical security installation across several facilities can be a difficult undertaking; often, such a project includes wrangling a mish-mash of individual products to get them to function under one cohesive system. Alternatively, some take the approach of completely redesigning the physical security system so that it reflects current best practice design standards. Both paths can be difficult.  </p><p>In addition, the potential pitfalls of attempting a unification project are numerous. What is the installation environment in each facility? Which key players need to be involved at each facility, and at what level of involvement? What type of network infrastructure must be in place to integrate the systems? </p><p>In hopes of avoiding pitfalls, many organizations will hire project managers and consultants to spearhead alignment projects. This type of management, however, is usually complex and unpredictable work. Thus, one of the most useful attributes a security practitioner can have is experience in project management.</p><p>Although there is no one roadmap for successful project completion, and despite all the caveats, most projects can be broken down into five stages. The main purpose of this article is to walk the reader through these stages, which experts sometimes refer to as "process groups." The five process groups are initiating, planning, executing, monitoring and controlling, and closing. For our purposes, the second process, planning, can be considered the design process, and the third process, executing, can be considered the installation process. </p><p>Although these stages will remain consistent, the role and scope of a project manager's responsibilities will change from project to project. And, there may be many project managers on a single project: one for the design team, one representing the owner, one who serves as an installation project manager in the field, and others. Each will have different responsibilities.   </p><p>Primarily, this article is written from the point of view of the project manager who is outside of the org­anization and is hired by an owner to design and manage a project that will be installed by a third-party contractor, either through a public bid or the solicitation of proposals. Typically, this type of manager would be a consultant who works on a project-by-project basis with different teams and organizations, for the procurement and installation of a multi-facility physical security system.</p><p>However, the concepts and best practice guidance offered here could be applied to almost anyone involved with the management or supervision of physical security projects, whether that person is inside or outside the organization.​</p><h4>Initiating</h4><p>As a project kicks off, the act of project management is often the act of discovery. The project may be ill-defined, just a blurry picture of the needs and goals of the project's owner. But an ill-defined project cannot be effectively managed, so it is often the project manager's task to focus the project with the owner into a clear and actionable roadmap.</p><p>For the project manager, one of the main goals of the initiating process is to get up to speed with the requirements, history, and expectations of the project. This includes understanding who the project stakeholders are and determining the project's requirements, constraints, and assumptions.  </p><p>Physical security projects can be sponsored by a range of departments in an organization, including security, facilities, IT, finance, and general management. But these departments may have different levels of familiarity with physical security systems, so the project manager must gain an understanding of how well the owner's team knows physical security. This understanding should then inform the project manager's general approach, including the process of assembling the design team. </p><p>This understanding can be gained during the meetings that take place during the initiating process. For example, the design or project management teams may be akin to experts—they will design and demonstrate how the systems work and function together and explain design best practices. In another project, the design team may merely be documenting the project for an owner who already has a strong grasp and understanding of physical security best practices and the needs of each facility. </p><p>Another key task of the initiating process is to learn the requirements and goals of the project. What is the general scope? What physical protection systems will be affected? Will this be a replacement project, or will it integrate with existing systems? Is there a deadline for installation completion? If grant money is involved, is there a deadline for spending funds? Each answer is part of the roadmap.</p><p>Once the initially hazy picture has come into focus, the project manager may take the next steps. These include developing a rough estimate of how many days will need to be spent in the field documenting existing conditions and systems, and how many designers should be hired to create design documents. Other decisions involve who will sit on the project stakeholder's team, whether the owner will require manufacturer demonstrations, and what a reasonable cost for the project looks like. </p><p>During this stage, the project manager may discover that the existing team of stakeholders is inadequate. In this case, the project manager should try to ensure that all decision makers are included, and that, if applicable, teams not directly associated with security are also represented, or at a minimum made aware of the project. Other stakeholders, for example, could include facility directors, senior management, service providers, IT teams, and grant funding representatives. If the project is for a municipal, city, or public organization, the owner may prefer to involve law enforcement in the early stages and throughout the process.</p><p>By the end of this first stage, all stakeholders should understand their roles within the project, what will be expected of them, and the type of work that will be performed on their systems or the facilities they manage. Accomplishing this early is important. It is never a good idea to inform an IT director of an IP video surveillance project a week before the network electronics are scheduled to be installed.​</p><h4>Design</h4><p>The greatest indicator of a well-executed project is a well-executed design process. The overall objective of this process is to create a complete set of project documents that a third-party contractor or integrator can then use to create a proposal or bid. </p><p>These documents, typically referred to collectively as the project manual, will typically include plan drawings, wiring diagrams, and riser and elevation drawings. They also include specifications explaining the scope, the installation standards, the configurations of various systems, and other pertinent information. Front-end documents in the manual often describe the nature of the project and any general requirements that the bidding contractor must adhere to. </p><p> To create a thorough project manual, it is important for the project manager to assemble a qualified design team. Physical security projects can be derailed by subpar designs that do not consider each facet of each system's requirements. The design team must be able to accurately document the correct configuration requirements among systems; all installation best practices and requirements; the code requirements and testing parameters; and the closeout tasks such as training.</p><p>Once the design team is assembled, the project manager begins the process of creating progressively more detailed designs and reviewing them periodically with the owner. A good guide is to review the design documents at 50 percent completion, 75 percent, 98 percent, and 100 percent. At each review, it should be conveyed to the owner what was refined, changed, omitted, or added from the last review. </p><p>The overall cost and the installation schedule should also be reviewed at those junctures. Most likely, the project will have a specific budget and installation schedule that the design team must adhere to. At each design milestone, the project manager must ensure that the owner understands the budget and schedule. Any major design change should be reviewed with the owner.</p><p>If the project does not have a predetermined budget, the project manager should have a usable estimated cost range after project initiation. At the halfway point, an estimate within a few percentage points of the actual cost should be completed and reviewed with the owner. It is also important the owner understands how any future requests will affect the budget and installation schedule. </p><p>Ideally, the project should leave 10 percent of the total budget in contingency to cover unforeseen costs. For example, for a project with a budget of $1 million, the design team should allocate up to $900,000 and leave $100,000 for contingencies. Aside from this practice, some projects also contain a management contingency designed to cover changes in project scope directed by management. However, this contingency may or may not be shared with the project manager, and it may not be included in the total project budget. </p><p>When it comes time to estimate individual costs, the environment and condition of existing facilities should be kept in mind. Areas likely to add surprise costs to the project should be reviewed. Take ceilings, for example. If the facility has open ceilings, will the low-voltage cabling need to be run in conduit? If so, how much cost will that add? Or, consider data closets. Is there adequate wall space to mount patch panels, switches, and servers? Is there wall space to mount security panels? Other areas that should be reviewed for cost impact include power requirements, configuration fees for integrating systems, and software fees for updating out-of-date systems, among other items.</p><p>Taken together, the overall goal of the planning and design process is to create a project manual that is fair to both the owner's needs for attaining the project goals, as well as the contractor's needs to correctly price the project. </p><p>Many potential headaches that could occur during the installation process can be mitigated by giving the contractor a realistic schedule for procurement and installation of the systems, and by ensuring that the project comes in at or under budget. This is done by informing the owner early and often of the realistic requirements that the scope of the project will require. All cost-saving measures should be considered during the design process when at all possible.</p><p>Throughout the design process, the project manager and design team should constantly ask themselves, "If I were a contractor, would I be able to properly price this project based on the project manual documents without adding change orders in the field?" Many projects are soured by an incomplete project manual that puts the contractor in the disadvantaged position of having to constantly submit change orders to correct their fee. ​</p><h4>Executing</h4><p>If the goals of the planning process were accomplished—including properly and completely documenting the physical security systems, their installation requirements, and all responsibilities required by the installation contractor—then the executing process should run relatively smoothly.</p><p>During the executing process, the contractor who was awarded the project proceeds with installing and testing the systems. Sometimes the project manager and design team stay on to manage the schedule and invoices, review the installation and test results, and generally ensure that that the project is being installed to the quality standards documented in the project manual on behalf of the owner. </p><p>The relationships among designers, consultants, project managers, and contractors should be built on teamwork and based on the shared goal of providing the owner with a well-executed project and physical security system. The best projects are those where a mutual respect and a spirit of genuine collaboration are exhibited by all parties and where the project manager has the best interest of all parties in mind.</p><p> Although, careful initial documentation of exactly what is expected of the installation will help avoid oversights and miscommunications, it is still prudent, and often mandatory, for the project manager to review and approve the work being completed. During this process, the manager's best strategy for ensuring that the project is executed well is to stay vigilant in correcting all possible holdups.</p><p>If the overall budget fails to capture all installation costs, change orders can occur during the installation process, after the project has been awarded to a contractor. A change order is a claim to a change in scope that usually comes with an associated cost. It is used by the contractor to seek fees for the change. Change orders can be owner directed or project directed, and they can be legitimate or illegitimate. </p><p>Here's an example of a legitimate, owner-directed change order. After a project manual went out to bid and the project was awarded to a contractor, the owner requested to add access control hardware to a door. This hardware was not included in the design, so the contractor was not allowed to give a cost associated with it. Seeking a fee to now include that door in the installation was a legitimate change order. </p><p>Here's an example of a legitimate project-directed change order. The contractor discovered that 100 feet of conduit was needed to mount a video surveillance camera in an open-ceiling mechanical space. The project manual did not clearly document that the contractor would need conduit at this location, so the contractor sought to submit a change order for the cost of procuring and installing the conduit.</p><p>Illegitimate change orders occur when a contractor seeks fees for a task or product that was clearly documented in the project manual and, therefore, should have been included in the proposal or bid. It should be noted that legitimate or illegitimate status will not determine if the change order will be accepted by the project. Change order acceptance or rejection is determined by the project manager, owner, and other applicable stakeholders.</p><p>One benchmark of success for the project is the number and scope of change orders. In other words, how close was the executed project to the agreed upon budget and original design?​</p><h4>Monitoring and Controlling</h4><p>If the project manager's responsibility is to review and sign off on the installation, it is best to do so early and often. The goal is to correct minor issues before they grow into major issues. </p><p>For example, let's assume a contractor completes a 200-door access control project across 20 different facilities, but does not properly secure the cabling above the ceiling grid as designed. The longer the project manager waits to get on site and review the work, the more difficult it will be to fix this mistake. If the cabling contractor is a subcontractor of the prime contractor and is finished with the scope of work, by the time the project manager is on site to review the work, it may be impossible to correct these mistakes.</p><p>The project manager should be on site to review, at a minimum, the first few devices that are installed to ensure that the installation is clean and to specification. Indeed, many contractors prefer this method of installation kickoff because it will ensure that the installation is on the right track. </p><p>Common installation mistakes found on physical security projects can include sloppy or exposed cabling to devices; installation of sensors, cameras, and other devices that are not plumb or properly secured; low-voltage cabling strung across the ceiling grid and not on cabling support; failure to firestop applicable penetrations; and poor cable management and cable terminations in the data closets and control panels, among other things.</p><p>All site visits, communications between owner and contractor, issuances of work that need to be fixed, and approvals of work done correctly should always be formally documented and distributed to the entire team in field reports and punch lists. In turn, the contractor must document any corrections or installation requirements that are completed. </p><p>Requests for information from the field, product submittals, invoice submittals, and general project housekeeping should be reviewed and answered by the project manager in a timely matter to ensure that the project is not delayed due to lack of direction for the contractor or owner.  </p><p>Sometimes, the biggest roadblocks to completing a project on schedule are the tasks that must be completed by the owner. It is important that the project manager also manage this side of the project. He or she should inform the owner early and often when tasks will be due and should sometimes advise them on how they can be best completed. These tasks may include providing IP addresses for cameras, printing and issuing badges for new access control systems in time for system cutovers, providing configuration on network electronics if required, and configuring and relaying information related to VLANs, among other things. </p><p>Often, contractors are only allowed to invoice for work completed or for devices that were purchased and delivered to the facility. If the project manager is tasked with reviewing invoices, it should be easy to approve or reject fees based on work completed because the project manager has periodically seen and reviewed the work in person.</p><p>Most projects will require that the project hold a retainer against the contractor's fee until the project is 100 percent complete. This retainer is held until the end of the project, after all the installation and miscellaneous responsibilities of the contractor have been met. Each project may have specific requirements in terms of payment and proof of work for payment that should be reviewed and adhered to by all parties.  ​</p><h4>Closing</h4><p>The closing process can be initiated when 10 percent of the project is left to complete. Common tasks to be completed during the closeout process include administering training, delivering operation and maintenance manuals, final testing of systems, reviewing the system test results, reviewing cabling test results, and handing over the systems to the owner. </p><p>It is a good idea to start closeout tasks when the project is around 75 percent complete. However, getting the owner and relevant stakeholders together for training and close-out meetings can be a difficult task depending on their schedules. If the project is being completed in a school district, for example, training may need to wait for a professional development day, so it is best to book training as soon as the trainer is available. </p><p>Depending on the owner's level of expertise, it may also be beneficial to include additional training in the project manual two to six months after the project is handed over to the owner. This will allow the owner to schedule refresher training if desired. </p><p>Once the project manager and design team accept the final installation; all closeout deliverables are finalized; and all final fees, contingencies, and invoices are paid; the project is handed over to the owner and the project is considered complete. </p><p>Successful project completion requires improvisation, teamwork, thoroughness, and foresight. All are skills that are developed over time and through hands-on experience on projects of different sizes and types. The best project managers are those who learn from their mistakes, document their lessons learned, and share those insights with the project management and security management communities.  </p><p><em><strong>Nicholas D'Agostino, </strong>PSP, PMP, is a senior manager of system design for D'Agostino & Associates, a technology consulting firm. He has spearheaded multiple city-wide physical security upgrade projects throughout the Northeast. He can be reached at NickD@DA-Technology.com. D'Agostino is a member of ASIS International.</em></p>
https://sm.asisonline.org/Pages/A-Screening-Minefield.aspxA Screening MinefieldGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Drug use by American workers is the highest it's been in more than a decade, and some companies and states are changing their preemployment screening processes to account for the shift. More than half of U.S. states have legalized the use of cannabis either medically or recreationally. This shift, combined with a strong economy that makes finding quality job candidates more challenging, is compelling some organizations to adapt.</p><h4> Nationwide Trends</h4><p>Quest Diagnostics, a leading provider of drug screening services, recently released its annual Drug Testing Index, an analysis of national workplace drug positivity trends derived from its lab analysis. Its 2017 statistics show that 4.2 percent of employees screened for drug use tested positive last year—the highest positivity rate in more than a decade. Rates of cocaine use among tested employees rose, as did methamphetamine use in the Midwest and South United States.</p><p>One statistic is sure to catch the attention of employers—the rate of employees testing positive for marijuana has continued a five-year increase, but increases were most striking in states that have legalized the recreational use of marijuana. This is true for both the general U.S. workforce, as well as the federally mandated, safety-sensitive workforce—rail, bus, and truck drivers; pilots; and workers in nuclear power plants, as mandated by the U.S. Department of Transportation (DOT). </p><p>"These increases are similar to the increases we observed after recreational marijuana use statutes were passed in Washington and Colorado," said Barry Sample, senior director of science and technology for Quest Diagnostics, in a statement. "While it is too early to tell if this is a trend, our data suggests that the recreational use of marijuana is spilling into the workforce, including among individuals most responsible for keeping our communities safe. We encourage policy analysts to track these trends closely to determine whether a correlation between the state legalization of marijuana and increased workforce drug use, as suggested by our data, bears out in other research."</p><p>As the legalization of medical and recreational cannabis continues to spread throughout the United States, it's becoming clear that the employment challenges it poses are not going away any time soon. In 2017, researchers saw a slight decline in testing for marijuana in the workplace—98.4 percent of tests screened for marijuana, compared to 99 percent in 2016. About 70 percent of drug tests in the workplace are for preemployment screening, according to Quest.</p><p>Several nationwide organizations have already taken steps to ease zero-tolerance policies, including AutoNation, Inc., which employs 26,000 people across the country. </p><p>Below is a selection of how employers across the country are adapting.Birnbaum explains. ​</p><h4>Nevada</h4><p>Recreational use of marijuana was legalized in late 2016, but the market was not launched until last July—and took off from there. Forbes reported that in just four months, Nevada sold $37.9 million in cannabis products—that's compared to the $22.56 million that Colorado made in the first four months of its legalization. </p><p>The popularity of recreational marijuana is reflected in the Drug Testing Index, which found a 43 percent jump in employees who tested positive for marijuana in the last six months of 2017 alone. That also includes a 39 percent increase in marijuana positivity in safety-sensitive workers. </p><p>And less than a year after Nevada residents could start legally buying marijuana, companies are responding. Caesar's Entertainment Corporation—owner of Caesar's Palace in Las Vegas—announced in May that it would no longer screen job candidates for marijuana use. The organization has stated that it was missing out on quality candidates due to "counterproductive" marijuana prescreening policies. The company will continue to prescreen safety-sensitive positions, as mandated by the DOT, and will test employees who are believed to be impaired at work. No other gaming employers have publicly altered their prescreening policies as of press time.​</p><h4>Maine</h4><p>In 2017, citizens of Maine approved a new law that not only legalized recreational marijuana use but made it illegal for employers to prescreen job applicants for marijuana use. While retail shops aren't expected to open until next year, employers had to cease drug screening starting in February of this year. The law also states that employers cannot refuse to employ someone 21 or older who uses marijuana outside of the workplace. However, a previous mandate that employers could not discipline employees who tested positive for marijuana—because they may have used it outside of the workplace—was revised in May.</p><p>The law "does not affect the ability of employers to enact and enforce workplace policies restricting the use of marijuana by employees or to discipline employees who are under the influence of marijuana in the workplace." </p><p>Organizations that employ DOT-designated safety-sensitive workers—who, under federal law, must be tested for marijuana use—face a gray area in the contrasting state and federal laws. Those organizations are still federally required to drug test designated workers but are not exempt from the state's rules on punishing employees who use marijuana outside of work. So, if a job applicant or employee in a safety-sensitive position tests positive for marijuana use, Maine employers might not be able to take any adverse action against them, beyond stopping the employee from performing safety-sensitive functions. </p><p>The antidiscrimination law was revised in May and now allows employers to discipline workers who are under the influence of marijuana in the workplace in accordance with the employer's policy on marijuana. It remains to be seen whether Maine's conflicting nondiscrimination provisions will be enforced by the courts, or how the revised disciplinary rule will play out in the workplace.​</p><h4>New York</h4><p>While some employers may be quietly removing marijuana testing from their preemployment process, others may choose to enforce existing regulations more loosely. That appears to be the case with the New York Fire Department (FDNY), where reports have emerged that more than two dozen firefighters have returned to work after testing positive for drugs. The current FDNY manual describes a zero-tolerance policy, but more recently firefighters have been telling reporters that employees who fail a drug test are instead sent to an eight-week rehabilitation program and must acquire a dozen character references to rejoin the forces—albeit at a different firehouse.</p><h4>Rhode Island</h4><p>While some employers may be quietly removing marijuana testing from their preemployment process, others may choose to enforce existing regulations more loosely. That appears to be the case with the New York Fire Department (FDNY), where reports have emerged that more than two dozen firefighters have returned to work after testing positive for drugs. The current FDNY manual describes a zero-tolerance policy, but more recently firefighters have been telling reporters that employees who fail a drug test are instead sent to an eight-week rehabilitation program and must acquire a dozen character references to rejoin the forces—albeit at a different firehouse. ​</p>
https://sm.asisonline.org/Pages/Organizational-Health,-Individual-Wellness.aspxOrganizational Health, Individual WellnessGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The Texas Medical Center is the largest medical complex in the world. More than 60 institutions operate within its 2.1-square-mile footprint in Houston, including The University of Texas Health Science Center, which produces the most healthcare graduates in the state, and the MD Anderson Cancer Center, a joint academic institution and cancer treatment and research center.</p><p>It's up to the University of Texas Police at Houston (UTP-H) to protect the 25,000-plus employees, 5,000 students, and 135,000 patients treated annually at the two institutions and across multiple cities—a Texas-sized job that requires the efforts of sworn officers, public safety officers, and civilians. The unique organization, which combines police and security operations under the same umbrella, serves a disparate community of patients, teachers, students, and healthcare workers. And a few years ago, the need for the ability to adapt and respond to an increasingly complex threat profile became apparent to UTP-H leadership.</p><p>"Don't get me wrong—we really did a great job of responding and mitigating threats, but we were response-</p><p>oriented," says UTP-H Chief of Police and Chief Security Officer William Adcox. "Frankly, we weren't able to take a systematic focus across the entire risk spectrum on an institutionwide basis."</p><p>To do so, UTP-H took inspiration from the industry it serves. "Prevention has always been a major tenet of healthcare, and we wanted to look at opportunities where we could contribute to the prevention piece within security," Adcox explains. "We saw the organizational value in shifting to looking at prevention, integration, and near-miss opportunities, to the point where we even looked at our traditional planning cycle and how we could become more agile and adaptive to the threats."</p><p>The department embarked on a three-year process to overhaul its operations to become a more adaptable, responsive force with a shared purpose of prevention, protection, and preparedness. </p><p>"We wanted to try and get upstream of harm—prevent incidents before they occur, and be prepared to deal with what is occurring," says Raymond Gerwitz, director of risk strategy and operational excellence at UTP-H. "We created a shared purpose around prevention, preparedness, and protection and are engaging everyone in the idea. It's no longer enough to protect and serve—we want to prevent too."​</p><h4>Building an Operations Center</h4><p>When approaching the department's overhaul, leaders adopted a business state of mind. Most of UTP-H's senior leaders hold MBAs and have been trained in business principles, and Gerwitz says that mindset—an unusual one for security organizations—has gone a long way to inform the department's operational strategy.</p><p>"We ask, 'How can we operate more like a business rather than a security group?'" Gerwitz says. "We looked at the strategies of communities we serve, took those principles, and adapted them to our environment. You won't find many police departments or security groups that have a strategy map—it's not a thing they think about. We took that from corporate America and blended it into how we do things."</p><p>UTP-H began its overhaul with an internal value analysis that assessed operations at a day-to-day level to determine whether they aligned with the department's updated goals.</p><p>"We look at different groupings of employees, every single task that they perform—how much time does it take, and what resources, and why they do it. Because there's a law or regulation? Or because there's an organizational policy? Or because it's historically done? Or because there's an executive directive?" Adcox says. "You break it out and that gives you a good picture of your internal value analysis so that you can look at those tasks that you can effectively quit doing and see what bandwidth you can pick up."</p><p>One result of the analysis was the transition from a traditional police and security dispatch center into a more forward-facing risk operations center. </p><p>"In the call center's case, there were opportunities there to retire some misaligned tasks and insert new responsibilities that bring the value we're looking to provide to the organization," Gerwitz explains. "In essence it becomes a mathematical formula—I can retire tasks that are limited in value and repurpose the staff to increase value without adding headcount." </p><p>Adcox says that it is important for employees to have both security training and a business mindset. "We really started placing priority on identifying members of our organization and people we would be bringing in that had a business acumen and were able to help lead us in new directions," he says. "We've been fortunate and able to recruit capable individuals who bought into the vision. It all starts with your people, and that's what's critical. Getting the right people in the right roles and then ensuring that there's a shared purpose—that's how we approached it."</p><p>The new department structure includes five service lines—healthcare security, investigative services, police services, risk management, and threat management—which often work together to respond to an incident. </p><p>"For the longest time, the face of the department was police services—the individual who wore the uniform, but now we have these five major service lines—the groups that set us on this journey of prevention," Gerwitz explains. "A big part of being engaged is understanding everyone's contribution—everyone has a role to play, even if it's in the background."  </p><p>Gerwitz notes that the approach has paid off. Thanks to a combination of training and monitoring how calls are addressed, the percentage of calls handled by a single team member has increased. These percentages are tracked monthly and shared with staff, encouraging open conversations about how calls are managed and keeping team members engaged.​</p><h4>Data-Informed Operations</h4><p>The switch in response protocol illustrates how UTP-H is achieving its goal of predictive policing by focusing more on analyzing calls and encounters. Adcox says that previously, as in many organizations, analysts would log the data of the encounter but not use it.</p><p>"That was our response—we'd handle it, log it, and move on," Adcox says. "We didn't know the basis for the suspicious person—what's the story? Now, we analyze and take data that comes in from multiple calls and visualize the data, and that better informs our officers of any trends, repeat offenders, potential threats that were averted, and what to look for. We now have an extended prevention opportunity on behalf of the communities we serve."</p><p>For example, the operations center team is now encouraged to handle call loads on their own without passing them along to another section to streamline the process. </p><p>"If they take care of a call on their own, they receive credit from a performance perspective on that," Gerwitz says. "If they hand it off to someone else downstream, then they don't. We monitor the percentage of things they are doing on their own on behalf of the organization without handing it off, because that generates efficiencies for us. And it empowers that group to try to handle things without having to go to others to get it done."</p><p>If a call comes in about a suspicious person on campus, the operator can look at surveillance footage and recognize that person as an employee. Operators may reach out to that employee's manager and ask why that person is in that area, but they don't send a resource out to respond because they know it's an authorized person who is perhaps in that area for a reason. </p><p>Gerwitz emphasizes how data visualization informs all aspects of the combined protection model.</p><p>"How do we want to go about creating a new shared purpose and engage the shift towards prevention? Let's find data we need," Gerwitz says. "We know the narrative, so what's the data that supports it? Now we have that data, so we create visuals to enlighten our staff and get them engaged in what we're all trying to do. For a long time, this information was kept in databases and didn't resonate with our managers."​</p><h4>Shared Purpose</h4><p>Part of any organizational restructuring often includes developing a strategic plan, but once changes become the new normal it can be hard to measure whether operations are still true to that plan. Adcox and Gerwitz say the department constantly checks whether the department's efforts point to its guiding principles.</p><p>"Three years ago, when we started this process, strategic planning was viewed as a necessary evil," Gerwitz says. "There's this perception that our efforts were a waste of time because we wouldn't really use it. We had to change that mindset and educate everyone that some of what we're trying to do will be unrealized, some will be impacted by emergent needs, or executive mandates, or in response to particular threats. It's okay not to do everything as planned, but there is value in planning."</p><p>Data analysis and visualization play a big part in both sticking to the plan and adapting where needed. UTP-H does not shy away from recalibrating or retiring components in the department if they do not show added value. </p><p>"Putting all these things in place is good but validating and proving that they are providing value intended is the most significant piece," Gerwitz says. "How do you show people that you're doing the things you say? Or, if you need to, how do you recalibrate your organization to do something more valuable? In today's security field you have to adapt to threats coming, you can't lay back and rely on the same strategies. We don't spend a lot of time on traditional analysis. We let the current predict the future."</p><p>All calls, incidents, and interactions are meticulously documented in a robust, interactive database that can be accessed by employees and managers alike. In a demonstration, Gerwitz was able to assess all slip and fall incidents that occurred in May—27 instances—and in a few clicks could drill down and view when and where the incidents occurred, who was the responding officer, and the final outcome.</p><p>"To be able to see this type of detail is very powerful for supervisors and managers, we ask them to go in and conduct management by visualization," Gerwitz explains. "It's easy for them to see what's going on in their teams, and they can adapt their strategies based on what they're hearing from the outside—if there are lots of vehicle and pedestrian hazards in a certain area, they can look and see whether we're in those areas or we need to adapt our patrol tactics."</p><p>Near misses are of particular interest to the department, because they signal both a looming threat and an area where predictive policing can be used.</p><p>"We're almost fanatical about failure or near misses," Adcox explains. "We're not interested in numbers—how many doors we check that have to be secured, that kind of thing. What we are interested in are the doors that should have been secured that were found unsecured, or individuals in a certain part of the hospital who don't belong or are lost—those are near misses. We'll see how often that's occurring or if it's the same individuals. We have got to get in front of something happening."</p><p>UTP-H relies on metrics to inform its tactics and mitigate negative trends before they affect the community.</p><p>"It might be how we view and put together video feeds, or we might put together a specific covert operation or put cameras in certain areas," Adcox explains. "It might be working within a specific group of employees, asking them to watch for certain activity and report a certain way. It's very proactive."​</p><h4>Empowering Employees</h4><p>All employees have access to performance and value visualization tools in the spirit of transparency and to understand the operations of the entire department and the impact their teams have in keeping the institutions safe. Gerwitz says that most employees don't view the information every day, but they are alerted when new resources are added. There has been a lot of thought put into how the data is accessed—the department is on its second iteration of the visualization tool, he notes.</p><p>"It's now much more graphic and in line with how people want to consume information," Gerwitz says. </p><p>Managers will also put together visualization boards specific to their teams, and in the case of groups like security officers who aren't often in front of computers, they will print them off and review them during meetings.</p><p>"It has been helpful in allowing people to straightforwardly show their value," Gerwitz explains. "Before we put this in place, it was hard for people when they were stopped to tell me how your team benefits what we're trying to do—it was hard for them to articulate that in a way that made sense to people. This program makes it easy. I think that's the biggest benefit to the department—now managers are able to adapt and show value at any moment based on what teams are doing. From an organizational perspective, the feedback we get from senior executives who use these processes themselves brings a lot of credibility to our team."​</p><h4>Connecting with Communities</h4><p>Adcox has worked with UT Health and MD Anderson for 14 years and is aware of the challenges of protecting the esteemed educational and healthcare facilities. Part of UTP-H's transition included opening more dialogue between the department and the institutions to ensure they are working towards the same goals.</p><p>"We bring in leaders from the institutions and walk them through our process and spend time on things they value," Gerwitz says. "If we bring in the clinical team, we'll spend a lot more time on issues they deal with in the clinics and how we adapt our training, versus meeting with the finance folks, where we validate our programs and show value."</p><p>One example of partnership between UTP-H and the institutions it serves is the approach to people experiencing a mental crisis. Beyond developing a trusted response protocol, the UTP-H threat management team strives to work with the school and hospital to predict potential personnel issues before they come to fruition.  </p><p>"You bring all these pieces of information together, so they can present to you a real picture of what the situation is," Adcox explains. "You're able to get people help in advance of losing their jobs or harming themselves or someone else. It's been very effective, and we have progressive data and use data visualization to show that."</p><p>If an employee, patient, or visitor is actively in mental crisis, the threat management team is trained on how to respond and follow up. Gerwitz says that 98 percent of UTP-H responders are certified mental health officers due to the unique stresses of the joint education and healthcare environment—most other law enforcement departments in Texas provide less than 10 percent of their officers such training, he says.</p><p>"That employee in crisis will be assessed using tools we have been trained on to screen for the person's mental state," Gerwitz explains. "So, say on a scale of one to 10, I'm an eight—I'm in a bad place, and the responders apply a strategy to bring me down. Following that event, through peer review or interacting with me as they continue to monitor my status, they reassess me, and now I'm a five—they measure that delta."</p><p>The team has a calculated goal for an average reduction of the intervention score and, using data visualization tools, can track how successful different intervention methods are and adapt intervention tactics based on those statistics across a variety of populations. </p><p>"It's a team effort across the institutions—there are others participating in this effort, such as human resources, employee health programs, supervisors, and we can track who all handled each case and its outcome," Gerwitz explains.  </p><p>Being able to map out the outcomes of police interactions with people in crisis has been impactful in promoting relations between the institutions and UTP-H, Gerwitz adds. Of the 98 threat intervention cases he mapped out, only two resulted in arrest. This statistic goes a long way in garnering trust with hospital employees who might be wary of involving police in a mental crisis.</p><p> "For a long time while implementing this, we had to break down the walls of thought that if you call the police, someone is going to get arrested," Gerwitz says, adding that the outcome statistic was well received by clinicians. "To me, this is the more high-level analytical, value-driven style, compared to performance monitoring that goes on in typical security operations."</p><p>Adcox agrees, noting that such data illustrates UTP-H's thoughtful approach to conflict in such a sensitive environment.</p><p>"In our business, our whole approach is an organizational health, individual wellness method," Adcox says. "It is not in any way a prosecutorial or criminal justice approach. Because we have a police component, you have that extra tool in your toolbelt if you need to bring a situation under control."​</p><h4>Partners in Business and Purpose</h4><p>Gerwitz says that another important culture shift has been thinking about the business success of the organizations UTP-H serves, not just its own success. </p><p> "Not only are these healthcare institutions and educators, they are also businesses," he says. "Part of the value we've been able to distill from all of this is that if you act like a business partner and are treated like a business partner, you can do better with your allocated resources and meeting the goals of the organization."</p><p>Adcox explains that UTP-H has assessed where its operations overlap with UT Health and MD Anderson and partners with them to share knowledge and training. In areas such as investigations and crisis training, the department can step in and share its own resources for the benefit of the entire organization.</p><p>"I cannot stress enough the importance of going into each of these places that perform these critical functions for these organizations and working with them," Adcox says. "Have a joint training, let us explain what we do and what our expertise is, and they'll teach you what's important to them, and then you have the trust factor and can start talking about how to integrate and help each other."</p><p>Since UTP-H is known for its high level of conflict resolution training, it has partnered with UT Health to train nursing students on handling people in mental crisis—everything from body language in the hospital room to handling a patient's family to deescalating conflict. Adcox says UTP-H also trains clinicians, physicians, and nurses working at the facilities in the same practices.</p><p>"We're able to bring that into play because of the expertise we've had to develop in being effective in our organization," Adcox says. "We also have an immersive simulation center so that you actually have practical, holistic experiences and not just the classroom. This technology is for the entire organization, not just us."</p><p>By aligning UTP-H with UT Health and MD Anderson's enterprise goals and overarching missions, the department is now seen as an equal and valuable partner—in business and protection alike.</p><p>"The struggle we have on the security and law enforcement side is that we're not accepted as legitimate business partners, we're a cost center that's a necessary evil," Gerwitz says. "You have to hold yourself to the same accountability and integrity and commitment to the organization as any other business unit. You're no different from the other teams working on behalf of the organization. This business approach is aimed at making sure we're being good stewards of the resources provided. When people believe you're doing that, they'll support you."  ​</p>
https://sm.asisonline.org/Pages/Survey-to-Analyze-Trends-in-Executive-Protection.aspxSurvey to Analyze Trends in Executive ProtectionGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p><em>​Security Management </em>magazine, with partner Groundwork, has <a href="https://www.surveymonkey.com/r/ASISexecprotect" target="_blank">commissioned a survey</a> to examine current trends and challenges in executive protection planning and practice. Specifically, the research will be used to:</p><ul style="list-style-type:disc;"><li><p>Offer a perspective on the current state of industry practice today</p></li><li><p>Identify common challenges and key success factors</p></li><li><p>Establish the context around the priority of C-suite protection</p></li><li><p>Begin to define best practices on how to capitalize on current trends and identify emerging risks</p></li></ul><p><em>Security Management </em>research remains a unique opportunity to leverage the strength and breadth of the ASIS International membership to the benefit of those members and the security of everything they protect.</p><p>The survey will take approximately eight minutes to complete. Only aggregate data will be reported and your participation will remain confidential. To participate in the survey, <a href="https://www.surveymonkey.com/r/ASISexecprotect" target="_blank">click here.​</a></p>
https://sm.asisonline.org/Pages/The-Future-CSO.aspxQ&A: The Future CSOGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​CSO roles are becoming more prevalent in corporations while evolving to address security challenges. Scott Klososky, founding partner of Future Point of View, shares how.</p><p><strong><em> Q. </em></strong><em>What do you think the CSO role will look like in five years? ​</em></p><p><strong>A. </strong>The CSO role will have complete responsibility for integrated security across physical, electronic, and cyber. CSOs will report directly to the board in many cases and will have a long list of specific dangers they are charged with preventing. They will be responsible for things like stopping employee theft of data, preventing employees  from giving up passwords or compromising systems, and drone defense. They will be heavily involved in the organization's risk management system and will have a say in the insurance that is purchased to offset risk in specific threat areas. Another responsibility will be providing personal protection and intelligence in regard to travel for senior executives, board members, and their families. That will include social media scrubbing for the company, as well as for senior executives and board members.</p><p><strong><em>Q</em></strong><em>. What will the reporting structure to CSOs look like in the future?</em></p><p><strong>A.</strong> CSOs will have a VP of cyber, VP of physical, and VP of electronic security reporting to them. They will have specific people who are dedicated to the three different areas of security: the company, access control and surveillance systems, and cybersecurity. They will also be more closely aligned with HR because the human firewall is becoming such a problem. There is no way to protect an organization properly if the CSO does not have control over all aspects of security defense. Today, it is broken up across organizations and is too far removed from HR to be completely effective. The threats we are defending against will require this level of integration and collaboration.</p><p><strong><em>Q.</em></strong><em> Will the dynamic between security and the rest of the organization shift?</em></p><p><strong>A. </strong>To do security well, the CSO will have to develop strong collaboration with HR, IT, and operations. Then the CSO will have to participate in areas like risk and insurance. I see a future where a strong CSO is well-known and well-liked by all leadership. The CSO will be involved in lots of departmental meetings across the organization to determine new threat vectors and to build the relationships necessary to put up a solid defense. Today, CSOs can hide behind the scenes, and that needs to stop. They need to be out front with relationships across the organization, so they are looked at as a necessary element in the strategy of the organization.</p><p><strong><em>Q. </em></strong><em>What about smaller businesses and organizations? How will they keep pace with emerging security threats?</em></p><p><strong>A. </strong>There is only one real answer and that is to use contractors and vendors. Small and medium-sized organizations cannot pay for a full-time CSO in many cases, yet they need a smaller version of an integrated security model. They can rent the talent for a price they can afford by using local and regional security firms who are used to dealing with smaller clients. I suspect that security firms will build processes and systems to better handle these customers, so they are not left out in the cold.   </p>
https://sm.asisonline.org/Pages/The-Returned.aspxThe ReturnedGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The fall of Raqqa, ISIS's last and most symbolic stronghold, to Syria last fall granted a moment of relief worldwide and to the forces that had spent years doggedly eradicating the extremist group from the region. ISIS's so-called caliphate—a physical manifestation of its jihadist tenets—had finally been vanquished, and many thousands of its fighters had been killed or captured. Those who were left retreated to pockets of Syria.</p><p>But along with the tactical victory came the threat that national security experts had been warning of for years: the return of foreign fighters—and their extremist beliefs and training—to their countries of origin. Some 38,000 foreigners from 120 countries traveled to Iraq and Syria during ISIS's reign to aid the group in achieving its goal of building a caliphate. An estimated 7,000 of those foreign terrorist fighters (FTFs) died on the battlefield, and almost 15,000 left the conflict zones. Of those who left, about a third have been imprisoned and almost half—more than 6,800 people—have returned home without entering the criminal justice system.</p><p>"The fate and location of a sizeable proportion of FTFs appears to be uncertain," notes a March United Nations (UN) report on returning fighters. "Identifying and locating these remaining FTFs remains a critical priority for the international community."</p><p>Another challenge is determining whether returnees are defectors from ISIS, are merely supporters who have nowhere to go, or were sent home to continue their work. </p><p>While foreign fighters have not returned to their countries of origin in large numbers, as expected, they continue to trickle in—travelers turning up at an embassy in Turkey claiming they have lost their passport and wishing to return home, or a young family with expertly forged documents that allowed them back into a country that might otherwise turn them away.</p><p>Countries must figure out how to address such situations, and the approaches taken vary considerably. The process so far has been strewn with pitfalls, from an inability to prosecute foreign fighters over a lack of evidence to differentiating between ISIS defectors and jihadists to reintegrating children that were brought to the war zone or were born there. Several wide-ranging studies are looking at the makeup of the foreign fighters and the challenges countries may face in accepting them back into their borders.</p><p>While there have been many waves of foreign fighters for different causes over the years, the current group of ISIS foreign fighters is larger, more global, and more diverse in terms of age, gender, and experience in conflict zones, according to the UN report. They are also "the most operationally experienced, lethally skilled, and highly networked group of FTFs to date," the report notes.</p><p>The actual threat of these returning fighters has not yet been realized, but the UN report notes that foreign fighters have been involved in European terrorist attacks from 2014 to 2017.</p><p>"Although only 18 percent of attackers were known FTFs, the attacks they carried out were among the most lethal," the report states. "Most foreign fighters do not prove a threat on return, but those who do are highly dangerous and have been involved in a substantial proportion of the domestic plots in the West."</p><p>Another report written by the nonprofit research organization Soufan Center acknowledges that there is a range of returnees, from those who were only briefly with ISIS and came home after realizing it was not what they expected to those who were dispatched to return home and continue their efforts. </p><p>"These trained terrorists are not so much returnees as fighters dispatched to operate outside the caliphate," the report states. Due to the difference in threats these two groups cause, they should be dealt with differently.</p><p>Defectors should undergo close psychological and police assessment. "Terrorism is as much emotional as ideological, and even those who returned disillusioned or revolted by what they saw, or simply mentally or physically exhausted, may over time look back on the caliphate more positively and blame outsiders for its failures," the Soufan Center report says.</p><p>A study of returned fighters by psychologists for the Homeland Security Affairs Journal encourages countries to look carefully into the motivations and vulnerabilities of those who traveled to join ISIS. </p><p>"It will be incumbent on Western states to find adequate ways of determining who among returnees is a security risk at present, who may become one in the future, specifically by returning their allegiance to this violent group, and who can be safely reintegrated into society for the long term," the journal article states. </p><p>Resorting to imprisoning the worst offenders—if not all returning fighters—may seem like the best option, but it could make matters worse. Prisons are known to encourage and spread jihadist ideals. But, if managed well, prison can be a place for rehabilitation—which is especially important because those charged with terrorist offenses in the European Union spend an average of five years behind bars. </p><p>"Prison, or the threat of it, also appears to be a major stressor driving some back into the arms of ISIS," the journal article explains. "There is a tension in all societies between repressive measures against those involved in terrorism and rehabilitative measures that may put society at increased risk."</p><p>"Prison authorities are divided on the merits of segregating prisoners convicted of terrorism from the general prison population as the risk that an extremist prisoner will exert malign influence on his fellows, rather than become deradicalized through their influence, depends on too many variables to be easily calculated," the Soufan Center report finds. "At the same time, if extremists are grouped together, their views are likely to harden and they will form close bonds."</p><p>In its report, the UN reminds countries that a hardline response to returning foreign fighters may not be the most effective—especially since former jihadis will continue to return to their countries of origin for years to come.</p><p>"Returning and relocating FTFs are likely to remain a significant long-term challenge, requiring Member States to balance repressive and 'soft' responses," the UN report notes. "Many states have struggled to secure criminal convictions for FTFs, while imprisonment may delay, but not necessarily reduce, the threat they pose."</p><p>Britain. Home to notorious foreign fighters including teenage runaways and Jihadi John—a now-deceased member of the murderous quartet dubbed the ISIS Beatles—Britain is dealing with the aftermath of some 850 citizens who traveled to join ISIS. The capture of two members of the ISIS Beatles, who were responsible for the beheading of 27 foreigners, illustrates the challenges the country faces in prosecuting its citizens for involvement in ISIS. </p><p>The two Brits were captured by the United States-backed Syrian Democratic Forces (SDF) in January and remain held in Syria, where they have been continuously interrogated by U.S. forces under an agreement with the SDF. The United Kingdom stripped the men of their citizenship—an increasingly common practice in Britain—leaving them in legal limbo. </p><p>This is not an isolated scenario—the United States is urging countries to take responsibility for the hundreds of foreign fighters held by the SDF, but most do not want to repatriate citizens-turned-jihadi fighters.</p><p>Nobody has made moves to bring a case against the two men due to a lack of evidence needed to convict them of war crimes. The British jihadis mocked the situation in a recent interview with CNN, noting that accusations of their involvement in dozens of murders for ISIS were merely allegations. "I am not a democratic person, but I am being subjected to democratic law," one of the men said in the interview. "So it is only right for those who claim to uphold this to fully uphold it."</p><p>Canada. With about 180 Canadian foreign fighters in Syria and Iraq—including 60 that have already returned—Canada has implemented programs aimed at monitoring and deradicalization. Prime Minister Justin Trudeau has stated that returning fighters will be prosecuted where evidence exists, but rehabilitation should take priority so they do not pose a longer-term threat to the public.</p><p>The Canada Centre for Community Engagement and Prevention of Violence is tasked with countering radicalization and violence at an individual level, but focuses on research and does not directly interact with radicalized people. Quebec's Centre for the Prevention of Radicalization Leading to Violence has conducted 199 interventions of jihadist radicals—however, it has not yet worked with returnees.</p><p>France. France had one of the larger contingents of foreign fighters, with more than 1,000 citizens journeying to Iraq and Syria to join ISIS. An estimated 300 were killed and about 250 have returned to France, where they have either been imprisoned or placed on house arrest. France has determined that any ISIS fighters captured by the SDF will not be repatriated and should face justice in Syria. </p><p>France's criminal division recently released a report on jihadi women based on the court hearings of returning French women. Although jihadist ideology states that women cannot fight, some testified that they were given operational roles in ISIS that included recruiting, policing, and enforcing punishment. </p><p>"Although several French women were forced into joining the Islamic State by their husbands, most of the female recruits interviewed on their return to France expressed an attachment to the jihadist project," French newspaper Le Monde reports the memo as saying. The discovery has caused France to rethink its approach to returning female fighters, changing its policy to automatically arrest female returnees and monitor them more closely. Of the 72 women who have returned to France, 26 have been indicted, 15 have been arrested awaiting trial, and six have been tried.</p><p>Reintegration efforts in France are faltering, and the country's first center for deradicalization of young people closed due to a lack of use.</p><p>United States. With less than 100 citizens successfully traveling to Iraq and Syria to join ISIS, the United States is dealing with the return of 12 foreign fighters—nine of which have been arrested and charged with terrorism-related offenses, and three that have not yet faced criminal charges. Unlike many countries, the U.S. had an existing law against jihadist travel before the flood of foreign fighters journeyed to join ISIS. Under that law it has charged some 153 citizens who attempted to join ISIS or plotted ISIS-inspired schemes. </p><p>And a report by George Washington University's Program on Extremism notes that due to the difficulties of gathering evidence of a traveler's activities in Syria or Iraq that is admissible in a court of law, prosecutors often have to charge the returned fighters with lesser offenses.</p><p>"While the average prison sentence for individuals who attempted (but failed) to travel to Syria and Iraq is approximately 14 years, the seven successful travelers that have been convicted from 2011 to 2017 received an average sentence of 10 years in prison," the report states.</p><p>While deradicalization and reintegration resources have been reduced under U.S. President Donald Trump, the report notes that such programs will be necessary once the returned jihadists are released from prison. There are currently no deradicalization or rehabilitation programs for jihadist inmates in the U.S. federal prison system.</p><p>"Without these programs, incarcerated travelers have few incentives to renege on their beliefs and may attempt to build networks in prison or radicalize other prisoners," the report states. ​</p>
https://sm.asisonline.org/Pages/Catastrophe-on-Delivery.aspxCatastrophe on DeliveryGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The city of Austin, the warm and colorful Texas capital—known for its Tex-Mex cuisine, live music, and popular grassroots slogan "Keep Austin Weird"—was set completely on edge in March 2018 by an unusual and most unwelcome threat: a package bomber.</p><p>From March 2 through March 20, Mark Anthony Conditt perpetrated five bomb attacks before blowing himself up. In each of his first three attacks, Conditt dropped off a conventional-looking delivery package at three different residences in the city. All three packages contained pipe bombs that exploded when opened. The first two recipients were killed; the third was badly injured. These three doorstep bombs were followed by a tripwire bomb Conditt left on the side of a road. It injured two nearby pedestrians when it detonated.<img src="/ASIS%20SM%20Callout%20Images/0718%20NT%20Chart.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:225px;" /></p><p>But on March 20, the bomber changed his modus operandi (M.O.). He sent his next package through the Federal Express (FedEx) delivery system; it exploded on a conveyor belt at a FedEx facility in Schertz, Texas, a town outside of San Antonio. One employee was injured. About six hours after the Schertz explosion, Austin police received a call about another suspicious package at a FedEx facility in southeast Austin, not far from the airport. That package was disrupted by law enforcement, and no injuries were reported. A day later the b​omber blew himself up inside his vehicle after he was pulled over by police, injuring one law enforcement officer in the process. </p><p>That switch in M.O. from dropping off bombs at houses and roads to shipping them is somewhat unusual for a bomber, says Fred Burton, an Austin-based chief security officer for Stratfor who followed the events closely.  </p><p>"The change seemed predicated on adjustments he made due to the news media coverage surrounding the events that were taking place. There was tremendous local and national news coverage, press conferences, and everything," Burton explains.</p><p>Had the bomber stuck to his original approach of doorstep bombing, he likely would have been able to wreak havoc for even longer than he did, Burton says. Instead, when he started using FedEx, his bombs entered an efficient, tightly tracked supply chain that leaves a lot of digital bread crumbs. "That was a big plus for the investigation," Burton explains. </p><p>The unsettling events in Austin also put a spotlight on the issue of postal and shipping security. Burton, who was a counterterrorism agent for the U.S. Department of State from 1985 to 1999, remembers the Pan Am Flight 103 bombing in 1988, where a suitcase bomb placed in the luggage cargo area of the plane exploded over Lockerbie, Scotland.</p><p>Since that incident, package security has improved by leaps and bounds, with vast improvements in screening device technology and explosive detection instruments, Burton explains. In the United States, the anthrax attacks of 2001 spurred many advances in postal security: "You have had so many drastic changes since the anthrax scare," Burton says. </p><p>Indeed, the anthrax episode did lead U.S. officials to beef up postal security. The U.S. Postal Inspection Service (USPIS), the security arm of the U.S. Postal Service (USPS), enhanced its Dangerous Mail Investigation program to deal with the threat. And since then, authorities have established the National Postal Model for the Delivery of Medical Countermeasures, a contingency program under which medical countermeasures can be delivered in case of a catastrophic event such as an anthrax attack. </p><p>Currently, packages sent through the U.S. mail face several layers of security, according to Pamela Cichon, CPP, a program manager and postal inspector with the Security and Crime Prevention Group at USPIS. "Postal employees are trained to identify suspicious parcels and are provided standard operating procedures to follow when they encounter a suspicious parcel," says Cichon. "Specially trained postal inspectors recognize the common characteristics of suspicious mail."</p><p>In addition, retail clerks ask customers questions about the contents of an item being mailed, Cichon explains. But beyond those generalities, the USPIS does not discuss specific operating procedures regarding suspicious packages. "We do not comment publicly on our security measures, in order to prevent attempts to compromise or minimize their effectiveness," she says.</p><p>Since the USPS is typically the final delivery point for UPS and FedEx packages, the agency has collaborative relationships with both services. "We collaborate on best practices and also work joint investigations," she explains. </p><p>Collaboration also occurs between U.S. federal postal authorities and law enforcement agencies, in cases of potential security breaches or fraud. For example, in March 2017, the FBI announced that it was conducting a joint investigation with the USPIS regarding packages that contained potential destructive devices which were sent to U.S. military sites.</p><p>Such collaborations are "not an uncommon event," Cichon says: "The Inspection Service conducts joint investigations with all federal and state law enforcement partners frequently. When the mail system or USPS employees are at risk or being used to further criminal activity, the Inspection Service responds and investigates."</p><p>But officials, postal workers, and law enforcement officers are not the only ones responsible for postal and package security, Burton says. Demand for services like Amazon have spiked, and this has led to a sharp increase in "the sheer volume of packages on any given day around the whole world, and the United States," he explains. "What the Austin bombing did is remind all of us in this business the importance of mail and package handling." </p><p>For the services that work with packages, having a well-trained workforce with sharp observational skills is critical. But consumers must also play their part. "If you come home from work and there's an unexpected package, be careful. Don't touch it unless you are expecting something," Burton advises. </p><p>It's best not to move the package, he adds. And the consumer should try to do a little due diligence through observation, and consider: Who is it specifically addressed to? Is the sender's name blank? What is on the return address?  </p><p>These tips may seem simple, but they can be a challenge to follow, because they work against a common human impulse: the enticing feeling of possibility, or delight, embodied by an anonymous package, which may contain an unexpected gift or something equally wonderful. "You want to see what's hidden behind Door Number Three," Burton says. "But you may not want to know."  </p><p>Another challenge is the diminishing situational awareness of contemporary life. "Most people are multitasking all the time, and they are not very aware of their surroundings," Burton says. So, they may be checking email messages on their smartphone while they absentmindedly pick up a package with one hand and drag it into the house.</p><p>"I think it boils down to common sense and situational awareness," Burton says. "Is that package addressed to you? If not, why are you opening it? There has to be a little common sense to security at times." </p><p>In that respect, the bombing episode held some valuable security lessons. But "the one fearful part," Burton explains, is that it could serve as an unwitting demonstration to a militant group like the Islamic State (ISIS) on how to create chaos: "I worry about the copycat terrorism ramifications." </p><p>And this concern stems in part from the fact that the Austin-based Burton felt firsthand the waves of fear that swept through the streets as the bomber remained at large for days on end. "Oh my gosh," he says, "it quasi-paralyzed the city." ​</p>
https://sm.asisonline.org/Pages/Brac-to-the-Future.aspxBrac to the FutureGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Since the end of the Cold War, the U.S. Department of Defense (DoD) has been attempting to realign and increase the efficiency of military agencies with its ongoing Base Realignment and Closure (BRAC) process. Hundreds of military installations have been closed in five separate BRAC rounds, which began in 1988.</p><p>The most recent realignment round, BRAC 2005, was a massive undertaking, the costliest and most complicated to date. In contrast to previous rounds, which focused on reducing infrastructure, the goals for BRAC 2005 included an ambitious transformation of military operations. More than a dozen major installations were scheduled for closure, including the Navy Supply Corps School, Fort Gillem, and Fort McPherson, all in the U.S. state of Georgia. </p><p>Although there has not been another round since 2005 (largely due to funding issues), the BRAC process will continue, officials say. And so, the U.S. Government Accountability Office (GAO) was asked by Congress to review DoD's performance during BRAC 2005, so that DoD could improve future BRAC rounds. </p><p>The report, Military Bases: DOD Should Address Challenges with Communication and Mission Changes to Improve Future Base Realignment and Closure Rounds, examines to what extent the DoD has measured the achievement of its BRAC 2005 goals, and whether DoD is in a good position to measure the goal achievement of any future BRAC rounds. It also examines whether DoD has yet implemented previous GAO recommendations on the BRAC process, which were aimed at addressing potential challenges to improving performance of future BRAC rounds.</p><p>The report's findings were somewhat disquieting. In general, DoD did not measure the achievement level of the BRAC 2005 goals of reducing excess military infrastructure, transforming operations, and promoting joint activities among the different departments.</p><p>"Air Force officials stated that they did not measure the achievement of goals but that it would have been helpful to have metrics to measure success, especially because DoD had requested from Congress another BRAC round," the report found. </p><p>U.S. Army, Navy, and Marine Corps officials also said that they did not track performance measures or otherwise measure BRAC 2005 goal achievement. </p><p>In response, DoD officials argued that the agency should not be required to measure the achievement of its BRAC goals, and so there are no current plans to do so. And officials from the Army, Navy, and Air Force all stated that, although they did not measure goal achievement, they did measure the savings produced as a result of BRAC 2005 moves. </p><p>Still, the GAO argued that measuring savings is not enough. "Measuring savings did not allow DoD to know whether it achieved the goal of reducing excess infrastructure," the report states. </p><p>The report makes a plea to Congress: require metrics to increase the chances of future BRAC success. "If Congress would like to increase its oversight for any future BRAC round, requiring DoD to identify appropriate measures of effectiveness and track achievement of its goals would provide it with improved visibility over the expected outcomes," the report says. ​</p>
https://sm.asisonline.org/Pages/Striving-for-Higher-Standards.aspxStriving for Higher StandardsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The cannabis industry is full of contradictions. Although more than half of the United States has legalized—and therefore legitimized—some form of cannabis commerce and usage, it remains illegal under federal law. The drug's stringent controlled substance label prevents it from being researched, and banks take a risk if they accept money from cannabis companies.</p><p>The industry's strict state-by-state regulations mix policy, political influence, and borrowed best practices to create detailed rules that vary vastly by location and can be difficult to interpret and implement, and a lack of overarching guidance can leave organizations vulnerable. </p><p>And where the security industry falls into all of this—with its reliance on metrics, experience, and best practices—is still being explored. The challenge of protecting a product that just years ago was considered criminal cannot be ignored. And, as each U.S. state implements different regulations that are enforced by different entities, it's difficult to compare notes with other security practitioners trying to navigate the nascent industry.​</p><h4>A Growing Industry</h4><p>Tim Sutton, CPP, was working as a senior systems engineer for a security integrator in 2013 when his company received a call from someone who was going to apply for a cultivation center permit. Medical cannabis legalization in Illinois was going into effect at the start of 2014, and the caller needed someone to write a security plan—one that would set the standard for cultivation center security in Illinois.</p><p>The task fell to Sutton, who used his experience with creating security plans for other industries to outline a proposal to win the contract. He integrated foundational security principles, including asset identification, threat assessment, hazard vulnerability analysis, and physical security measures, into the proposal. The plan also took other factors into consideration, such as geographical, architectural, and operational elements, as well as electronic security systems and policies and procedures. </p><p>His firm won the job, and that's when the real work began, Sutton says.</p><p>"There really aren't too many resources available for security plans in general, let alone within the medical cannabis industry," Sutton explains. "As much as security principles remain constant, the application of these security principles must remain variable to be effective."</p><p>Site security plans had to follow the newly outlined laws, which differ from state to state and range from vague to incredibly detailed—and, at times, confusing, Sutton says.</p><p>"Many of the requirements under the law really made me wonder how in the world they were included, but the security plan had to meet all of the requirements," he says. "The security plans are generally considered for between 20 to 30 percent of the total score for the application depending upon the particular state, and many times the score of the security plan is used as a tie-breaker in the awarding of a permit."</p><p>Sutton was able to tour established cultivation centers and dispensaries in another state to better understand how they worked, what security measures were in place, and how those compared to what Illinois would require. "This also allowed me to see many things that I wanted to be sure to avoid or improve upon when writing plans for other organizations," he adds.</p><p>The application Sutton created was approved, and the cannabis company was able to open two cultivation centers. "That was huge," Sutton says. "Illinois is very highly regulated."</p><p>Sutton went on to work with another cannabis company, won three dispensary permits for them, and suddenly found himself an expert in the industry's security. "That's the way it was," he says. "You win one permit in Illinois and that means something. I didn't realize how important that was."</p><p>Since then, Sutton has helped cannabis organizations all over the country apply for dispensary and cultivation center permits and now works as the director of security for Grassroots Cannabis, where he's responsible for security at sites in several states, including Illinois, Pennsylvania, and Maryland. Many cannabis organizations are consolidating, since it takes a lot of money—and expertise—to successfully open and run a dispensary or cultivation center. </p><p>"Nobody knows what they are doing," Sutton notes. "I've never grown marijuana and not many people have ever even seen it. These organizations are consolidating and trying to branch out to other states."​</p><h4>Varied Governance</h4><p>The path a state takes to legalize medical or recreational cannabis—and who is involved in that process—is one of the biggest indicators of what the law looks like and how it's regulated, says Bob Morgan, special counsel for Much Shelist and former statewide project coordinator for Illinois' medical cannabis pilot program. Morgan was involved in crafting the legislation and framework for the program and managed its implementation once the law was enacted in January 2014. </p><p>"Every state that develops a medical cannabis program creates it in its own image, which reflects the political, cultural, and administrative structure of its respected law," Morgan tells Security Management. "Illinois was no different. It had multiple agencies that were responsible for implementing the program—the Illinois State Police and the Departments of Agriculture, Public Health, and Financial and Professional Regulation (IDFPR). Those agencies collectively were responsible for establishing security measures and regulations for the industry, from start to finish."</p><p>Ultimately, each state will model the cannabis industry after another existing industry—often based on what agencies are responsible for its implementation, Morgan notes.</p><p>"Colorado's medical cannabis program was overseen by its Department of Revenue," Morgan says. "So, the culture and process and structure of the Department of Revenue has laid the groundwork for the subsequent medical, and now recreational, marijuana industry. In Illinois, our agencies here all put a significant imprint of their agency culture on the program we have now. In a state like Florida, the Department of Health is overseeing implementation of the medical marijuana program. That determines whether a state will treat the cannabis industry like a pharmacy, or a bank, or a casino."</p><p>Sutton has experienced firsthand the challenges of the differing approaches to the industry. Despite being proficient at writing security plans for the cannabis industry in Illinois—a notoriously highly regulated state—he says navigating security specifics in many states can be daunting for an unexperienced practitioner. "I always read the rules and the law, and every part of the law," he says.</p><p>For example, Sutton was tasked with developing a security plan for a cannabis organization in Hawaii. Its permitting rules are broken down into sections, including one for security, which dictates that, among other things, an organization must retain 30 days of video in its archives.</p><p> "An inexperienced person would design a system that retains 30 days of footage and feel like they're doing what they should do," Sutton says. "But, if you read the rest of the rules and the section on records retention, there's a retention requirement of a year for you to keep inventory reports, employment files, and electronic video archives. If you didn't read that whole rule, you'd never know that and would design the system for 30 days and it would be 12 times too small. It's terrible. That's how I attack it—I read the whole rule, not just the security section."</p><h4>Regulations vs. Best Practices</h4><p>To overcome the challenge of crafting Illinois' medical cannabis regulations in 2014 without national guidance, Morgan created a listserv of state cannabis program directors from around the country to share best practices. He also pulled ideas from the rules in place for pharmacies and casinos in the states.</p><p>"We weren't really recreating the wheel, we were taking the best ideas and security measures we could find and incorporating that into the industry as we shaped it," Morgan explains. "Part of this is driven by the problem of the federal government's prohibition, which requires each state to do this in a haphazard way."</p><p>Some states—including Illinois—may have "gone overboard" with regulating the nascent industry due to a lack of national best practices, Morgan notes. For instance, Illinois is the only state that requires patients to be fingerprinted to get a medical cannabis card. </p><p>"That was a political consideration—it had nothing to do with policy or security, it was politics, unfortunately," Morgan says. "Almost every state has some variation of that."</p><p>Sutton agrees, noting that he has had to comply with head-scratching security requirements in both Illinois and other states. Illinois' Department of Agriculture oversees regulation at cultivation centers, while distribution centers answer to the IDFPR. The two departments wrote the regulations for their respective facilities, meaning that an organization trying to open both cultivation and distribution centers may need to abide by two separate sets of rules. And sometimes those rules don't align with overarching best practices in the security industry, Sutton says.</p><p>"For cultivation centers I record on motion, at five frames per second, even though the rules require three frames per second on an alarm—that's it," Sutton says. The video surveillance rules for dispensaries were initially vague, and Sutton says most security directors defaulted to using security industry best practices and designed their systems to record on motion. However, IDFPR later clarified that dispensaries would require constant recording, not motion-based.</p><p> "Now you jump up about three or four times the storage and processing power, just to satisfy that," Sutton says. "And then they went and arbitrarily pulled this number out of their back pocket that we would need to record at seven frames per second—I have no idea where that came from."</p><p>Sutton has run into similar challenges in several states. </p><p>"There are a lot of things written that don't make sense with why they were done—it depends on who contributed to writing the law," Sutton says. "They all think they are very secure and are writing the best plans, but there are some really big variants out there. Some do not have many requirements at all and leave them written pretty vaguely and open for interpretation, which has its own pitfalls, and a lot of others are so extremely specific, and I don't know where they get this stuff. They've got a lot of old technology and use terminology that's really outdated."</p><p>Morgan says this type of experience is not unusual. "With cannabis, it's still such a new industry and so heavily influenced by politics that we result in these kinds of sometimes unnecessary regulations," he notes. "The political pressures and ideology drives ridiculous regulation and laws that are based on fear as opposed to pragmatic security measures."</p><p>Regulation enforcement is a regular part of the cannabis industry, even after an organization is approved for a license. In Illinois, the state police enforce the state's regulations, while one of the two designated departments makes sure each facility is adhering to its permit specifications. Sutton says that while the inspections help prevent people from skirting regulations, they can also focus on the wrong problems. </p><p>"The Illinois Department of Agriculture comes every week and audits us against our security plan that we submitted," Sutton says. "All they care about is what we said we'd do in our application. If I said in my plan that all my cameras are going to be three megapixels and that I will have 200 days of archives, they'll come inspect those things every week. The Illinois State Police come in and audit to the actual law. They're going to make sure you have a video system that meets whatever the law says. They don't care how you're using it or that you're being effective and proactive."</p><h4>Above and Beyond</h4><p>These challenges were apparent to a group of people who last year started the National Association of Cannabis Businesses (NACB), the first and only self-regulatory organization in the cannabis industry. NACB President Andrew Kline, a former federal prosecutor and White House advisor, says that the organization establishes industry best practices that help cannabis businesses transcend varying state regulations and hold themselves to a higher standard.</p><p>"Professional organizations like banks and insurance companies had no idea who to do business with," Kline says. "The idea was to start a self-regulatory organization where we would vet our members and then develop national standards and use those standards as rules for our member companies. We want to demonstrate that these companies meant business, that they were trying to go above and beyond what they were required to do at the state level in terms of compliance requirements, and signal to professional entities that these businesses can be trusted, because it's a new industry and there are some actors who aren't as trustworthy."</p><p>NACB is also setting its sights to a future where the cannabis industry would be federally recognized, and a set of national guidelines would be needed. Kline says that when the organization started, it positioned itself to create best practices in line with the Obama Administration's priorities, but with the rescission of the Cole memo—which culled enforcement of the federal marijuana prohibition—and the Trump Administration, there is less clarity of national priorities.</p><p>In fact—despite the vague or overregulation issues Sutton and Morgan experienced—Attorney General Jeff Sessions suggests that many of the individual states' regulations that are on the books today are not sufficient to protect the public interest, Kline notes.</p><p>"The national standards that we're looking to build are in alignment with federal priorities for public health and safety, and as we develop them with our members, in many cases we will be more rigorous than state law to show just how serious these members' businesses are in demonstrating they are good actors," Kline says. "We're baking into our standards what we believe the federal government should care about, but there isn't as much clarity today as there was a few months ago."</p><p>The current environment of regulatory uncertainty—both at the state and federal levels—can be a hindrance to cannabis organizations, and the NACB's approach is especially useful for organizations that operate in several states with disparate regulations.</p><p>For instance, Nevada's regulations do not permit fruit imagery on cannabis product packaging, while Colorado—which has more liberal regulations than Nevada—does allow fruit imagery, Klein explains. In such a case, NACB would create a standard that would be more akin to Nevada's rules than Colorado's.</p><p>Well-researched best practices are especially important when it comes to security, since dispensaries have products and financial assets that are lucrative to criminals (see Security Management's May 2018 News and Trends department for more on how banks and cannabis businesses interact).</p><p>"Security becomes even more complicated when you're dealing with people who are taking in large amounts of cash and don't necessarily have a good place to put it," Kline says. "It's costly, particularly for companies who are operating in more than one state."</p><p>Sutton agrees that overarching guidance is needed in the cannabis industry, especially when it comes to the nuanced role of security. Those who want to start a cannabis-based organization may not know what to look for in a security director, Sutton notes, and operational security personnel may be reluctant to work for an industry that remains taboo. The cannabis industry needs experienced operational security practitioners to continue paving the way, and Sutton says he would like to see more security directors become board-certified through ASIS or similar organizations.  </p><p>"I refuse to be siloed and just be the guy who is worried about video and access control," Sutton says. "I worry about it and I love it; however, there are so many other things you have to make sure you're following that do involve security. It touches everything. Security has to be at the table in deciding how you're going to operate, it's more than just your physical systems."</p><p>Morgan says he has seen a shift in the role security and law enforcement are playing in the cannabis industry. Initially, he says the Illinois State Police and local law enforcement were opposed to medical cannabis programs, but today his successor who runs the program at the state level is a former sheriff who changed his way of thinking. "He has seen the way the program works and can articulate how it's safe," Morgan notes.</p><p>"Everyone who knew me beforehand was shocked to hear that I was writing security plans for the medical cannabis industry," Sutton says. "I was the no-fun guy who was very much anti-drug and, for the most part, toed the line when it came to abiding the law. I rationalized it as making sure these companies were tight when it came to security and felt that as it was not illegal, I had no problem with it.... The turning point for me was the passion of the people in the industry and the fact that I wasn't dealing with hippies growing pot in their basement or garage. I was working with people who genuinely believed in their cause and truly considered cannabis as medicinal."  </p><p>Morgan continues to help governments and businesses create medical cannabis programs and says he hopes Illinois—which renewed its medical cannabis program through 2020—will revisit some of its more stringent regulations.</p><p>"It would absolutely be fair to say that Illinois has more than enough data points to show that our regulations can be scaled back in some areas where they were overly politicized," Morgan says. "Regulations such as fingerprinting patients and the extent of security measures each facility has to have in terms of the number of cameras and other requirements. This was an experiment to see how it was working and what wasn't working well, and to improve it. And that's what's happening throughout the country."  </p>
https://sm.asisonline.org/Pages/Checking-In-and-Coaching-Up.aspxPerformance Conversations: Checking In & Coaching UpGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The management revolution in the U.S. workplace has gained momentum. Performance management is out. Performance motivation is in.</p><p>The dreaded annual review process—bureaucratic, form-heavy, often dreaded by both managers and employees—is out. Performance conversations—frequent, agile, light on formality but heavy on coaching and two-way feedback—are in.   </p><p>With all this in mind, Security Management explores the roots and reasons for this trend and asks management experts to provide best practice guidance and principles on how security mangers may conduct effective and engaging performance conversations.​</p><h4>Annual Review Issues</h4><p>Many managers first became aware of significant changes in performance reviews around 2012, when the digital media company Adobe publicly announced that it was abolishing the traditional annual review process. </p><p>As a result, Adobe's voluntary turnover was reduced by 30 percent, according to a Deloitte report, and other firms began following its lead.</p><p>In late 2016, the movement received another big boost when one of the largest companies in the world, Accenture, announced that it was joining the revolt. </p><p>"Imagine, for a company of 330,000 people, changing the performance management process—it's huge," Accenture CEO Pierre Nanterme told The Washington Post. "We're going to get rid of probably 90 percent of what we did in the past." </p><p>Meanwhile, smaller organizations have taken their cue from these corporations. "People management practices tend to be a follow-the-leader game," says Phil Haussler, an HR expert at Quantum Workplace who studies workplace and management issues. </p><p>In one sense, the changes were understandable, given that so many workers on different levels—from front line employees to senior management executives—have expressed concerns about the annual review process. </p><p>"I think the revolution is at least acknowledging the underlying problems of performance reviews—such as that everyone hates them, and they are not that useful," says Jordan Birnbaum, the chief behavioral economist for ADP.  </p><p>Moreover, many of these concerns are supported by research, adds Birnbaum, a behavioral economist who is familiar with studies in his field (as is Haussler) that have shown that the annual review practice can be problematic.</p><p> For example, research shows that the common annual review process of linking a performance evaluation to a pay raise largely destroys the development aspect of the assessment. When this linkage is present, it is natural for an employee to switch into an impression management mindset, rather than focus on how the information can assist in professional growth. </p><p>"For the employee, it can become more about posturing, making sure that I show my best self," Haussler explains. </p><p>Another undermining effect of this linkage is that it negatively affects motivation. Research has shown that intrinsic motivation (doing something because it has inherent value) is a much more powerful and productive driver than extrinsic motivation (doing something in exchange for a tangible reward). </p><p>One study, for example, looked at children enthusiastically playing a game. When study supervisors told the children that they would receive a prize if they won, the children quickly lost interest, Birnbaum explains.   </p><p> It's also difficult to ensure that the annual review is based on sound, accurate data. Studies show that if managers or employees know that their performance feedback will be read by others, they are likely to inflate it, by a fairly large standard deviation, Birnbaum explains. </p><p>One reason for this is that it is often in the manager's best interest to give a glowing review—it can help the department look good in the eyes of senior management. Similarly, if the employee knows that senior management will read the review, he or she may not be honest with their criticism of a manager, for fear that it will cause a rift in their relationship.  </p><p>The other big issue that plagues the annual process is bias, which in this context researchers call the "idiosyncratic rater effect." </p><p>"We are all terribly biased," Birnbaum says. Studies show that in performance reviews, one behavior, good or bad, can have undue influence on the entire evaluation. </p><p>For instance, take an employee who is always late to meetings who has a manager that hates lateness. The employee may find that the manager's strong feeling about lack of punctuality may bleed into other unrelated areas of the evaluation, causing a lower-then-deserved ranking. </p><p>"The feedback is more about the person who's providing it, than about the person who's receiving it," Birnbaum explains. </p><h4>Transitioning</h4><p>Given these problems, the traditional annual review may now be "on life support," as Haussler says. But is not completely dead. Some companies are retaining the annual review but changing its evaluation methods and process in hopes of improving it.</p><p>But many companies that are retaining the annual review in some form are still making use of more frequent one-on-one performance conversations between managers and employees. These conversations range widely and include anything from once-a-month (or even once-a-week) casual check-in conversations to more structured quarterly meetings that incorporate two-way feedback, coaching, professional development guidance, brainstorming, and career advice.  </p><p>"There's not one single practice that we are seeing everyone move to—it's all on a spectrum, and each organization decides for itself how far it wants to move on the spectrum," Haussler says. ​</p><h4>Five Principles, Four Questions</h4><p>How can security managers adopt the practice of regular performance conversations? Leadership and workplace communications expert Skip Weisman provides some best practice guidance that may help in implementation. </p><p>First, Weisman lays out five keys to effective performance appraisals: Begin with clear expectations; have regular conversations; capture and log performance; provide "feedforward;" and focus on helping. </p><p>Second, Weisman suggests that one-on-one meetings themselves can be designed around four basic questions for the employee: What do you think you did well this month? What is something you feel you need to get better at? What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?</p><p>Although brief, the four-question format makes the structure of the meeting clear to both the manager and the employee. It also provides an opportunity for an open, fruitful two-way discussion. </p><p>For example, let's say the employee thought his or her performance on a certain task was outstanding, but the manager believed it was subpar. Discussing this discrepancy gives the manager the opportunity to clarify task expectation, and it gives the employee an opportunity to explain what his or her day-to-day is like in the trenches.  </p><p>"In the workplace environment, the employee is seeing things and experiencing things from their own perspective," Weisman says. "The manager should be asking about this and be open to hearing it."  </p><p>This two-way concept is key, Haussler agrees, and it should apply from the beginning of the process because the manager should not dictate what will be discussed. The employee should be the primary driver of the agenda. </p><p>"The employee owns their career, and the employee earns their conversation," Haussler says. The process may work even better if both participants have a chance to confer days before the meeting and decide what will be discussed, he adds. This gives both the time to consider the points they would like to make, instead of "just showing up with a pad and pencil."</p><p>In terms of the frequency of the meetings, Weisman advises (under his second principle) that the conversations be frequent—at least quarterly, if not once a month. Haussler agrees, and adds that research his firm has conducted on employee engagement has found that the most engaged employees have meaningful performance conversations at least once a month, if not more frequently.</p><p>Another benefit of frequent meetings is that it can help transform managers into coaches, a common organizational goal. "A coach would never give performance feedback only once a year," Haussler says. </p><p>And some organizations are going all-in on this transformation by offering coaching training and resources to their managers, to help them move toward a continuous coaching practice that improves employee engagement. </p><p>Of course, in cases where a manager has a large staff, the manager may be concerned that having a performance conversation with 10 direct reports once a month will be too burdensome timewise. </p><p>But Haussler says that this time issue should be put into perspective. By one standard, an effective manager invests roughly 200 hours per year into coaching staff, which breaks down to roughly 16 hours per month. If the manager has 10 direct reports, a 20-minute monthly meeting with each of them should consume roughly four hours of coaching time every month. That should be workable; if the manager sees that as too burdensome, then "maybe they ought not to be a manager," Haussler says. ​</p><h4>Start Positive </h4><p>Under Weisman's four-question model, the conversation begins with a recognition of positive accomplishment. This is critical for a few reasons, experts say. </p><p>One is that many busy workplaces fall under a kind of unspoken rule: if employees are doing things well, they don't need to be recognized; feedback is only needed to point out and correct mistakes. "Typically, a lot of employees don't get a lot of positive feedback," Weisman says.</p><p>But this can lead to problems, such as employees who feel undervalued. Moreover, studies show that negative feedback is best processed and learned from when it comes with five to seven bits of positive feedback, Birnbaum says. </p><p>One 2004 study of teams, for example, found that the highest performing teams received 5.6 positive statements for every negative statement. Without these positives, the employee feels the feedback isn't fair because positive accomplishments are not recognized. </p><p>"Human beings' psyches are fragile. It's very tricky to provide feedback that is useful and not harmful," Birnbaum explains. </p><p>Thus, starting out the conversation with what was done well allows managers to recognize accomplishments, and explain how they matter to the organization's success, which bolsters employee engagement and helps trigger intrinsic motivations, experts say.</p><p>When the second question of "What is something you feel you need to get better at?" is discussed, Weisman recommends that managers use the "feedforward" approach, a concept attributed to management expert Marshall Goldsmith. </p><p>For example, if the employee brings up a task that he or she failed at, the manager should direct the conversation forward and focus on the coachable moment of how performance of the task could be improved in the future. </p><p>Brief summaries of the discussion of both these questions can be recorded by both manager and employee as part of an ongoing effort to capture and log performance. So, if the one-on-one meetings are monthly, and the company is retaining its annual review process, the 12 months of summary notes will make the end-of-year review paperwork much easier for both parties, allowing both to avoid trying to document a year-long evaluation in one review.    ​</p><h4>Two-Way Street  </h4><p>The last two questions of the performance conversation model—"What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?"—are critical, because they reinforce the open and two-way nature of the conversation, Weisman says. </p><p>One common employee criticism of the traditional annual review is that it can turn into a one-way grilling of the mistakes the employee has made throughout the year. However, the third question gives the manager an opportunity to walk a mile in the employee's shoes, and better understand what challenges he or she is facing, the overall working conditions, and the factors that impact his or her performance. </p><p>Building on this concept, the fourth question of "Where do you need help, and what can I do to help you?" keeps the focus on the employee's perspective and allows the employee to provide feedforward to explore how a process could be changed, or what a manager could do differently in the future. </p><p>For example, say an employee feels he or she is fighting burnout due to a heavy workload. This can lead to a discussion where the manager and employee go through tasks and decide which could possibly be minimized, jettisoned, or outsourced.</p><p>Such discussions fulfill Weisman's final principle of a focus on helping. They also reinforce perhaps the most important message of the performance conversation—it is a two-way street in which both parties try to help each other improve, regardless of rank or position in the company.</p><p>"No one stops learning. No one stops growing," Weisman says.  ​</p>
https://sm.asisonline.org/Pages/Preserving-Precious-Property.aspxPreserving Precious PropertyGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​In late 2011, Ricardo Sanz Marcos received a disturbing phone call. As a consultant with the cultural properties firm PROARPA Security Asset Protection and Cultural Heritage, he was used to receiving security inquiries about cultural properties, but he dreaded this type of news the most. An ancient Roman villa known as the Villa of Santa Cruz, in the province of Burgos, Spain, had been robbed.</p><p>Thieves had carelessly removed tiles from a centuries-old mosaic, called "The Return of Bacchus of India," situated in the middle of the house. The 5th century floor mosaic, which depicted a Roman god, was one of the largest and best preserved in Europe and was rare for its size of 66 square meters. </p><p>"The mosaic was destroyed when they stole it," Sanz Marcos recalls. "It was a pity because it was a beautiful mosaic." </p><p>Normally, art thieves who rob archaeological sites are careful to preserve the works they steal, but Sanz Marcos notes that the economic crisis in Spain has left many thieves desperate to make off with precious artifacts. </p><p>Thankfully, the artwork was restored to match the original as closely as possible. "Now there is a replica of the mosaic at the site," he notes. "The art technicians are very talented." </p><p>After the incident, which occurred in December 2011, Sanz Marcos was called to evaluate security measures at the Roman villa and assess how they could be improved. He says that visit was when he "fell in love" with an ancient archaeological site in Spain, known as the site of Colonia Clunia Sulpicia, not far from the villa. </p><p>Just a few years later, Sanz Marcos and a fellow cultural properties expert would complete a comprehensive site and survey risk assessment for the ancient archaeological site, one of only a few such assessments ever conducted.  ​</p><h4>Cultural Properties</h4><p>For ASIS Cultural Properties Council member James Clark, CPP, bringing value to the international membership around cultural properties security was a challenge he wanted to solve. "We were trying to increase our own knowledge base and our own body of knowledge, because we really needed that," he says of the council. "Things are going on in Europe that haven't been going on in the United States—there's the whole business of terrorism at sites in Syria, and a few years ago in Iran." </p><p>Threats. Clark, managing partner of Clark Security Group, LLC, an independent security consultancy in Cleveland, Ohio, notes that terrorism has had a destructive effect on cultural properties worldwide. Many headlines have been dedicated to Syria, where the Islamic State has purposefully destroyed countless ruins and artifacts.</p><p>But warfare is not the only threat to these historic sites. People who simply pick up relics, not understanding or knowing their value, can be a major threat to site preservation, he says. Lack of preventative measures, such as onsite security and technology systems, puts cultural properties at risk as well. </p><p>"My experience in South America and Central America—in Mexico in particular—is that there are varying degrees of security," he says. "There are some really fabulous sites in Mexico where there is no security. There are sites all over Central America—even Machu Picchu in Peru—that have periodic security. It's a challenge in all these places." </p><p>So, when Clark met fellow council member Ricardo Sanz Marcos, they immediately connected over their joint desire to bring more recognition and security to international cultural properties. </p><p>"We hit it off pretty quickly, and we started talking about how we could bring benefit to what he's been practicing in Europe, and particularly in Spain," Clark says. </p><p><strong>CRISP Grant.</strong> Sanz Marcos was passionate about creating a standard of protection for smaller cultural properties around the world that didn't draw the same level of attention as larger sites like the Mayan Ruins, or other locations designated as World Heritage Sites by the United Nations Educational, Scientific, and Cultural Organization (UNESCO). </p><p>"South of the Mexican border, down to South America, the south of Africa, the southwest of Asia—they are developing countries and they don't have the same level of industry or economy as developed nations, but they have cultural properties in the middle of the jungle or the middle of the desert," Sanz Marcos says. "That was the cornerstone of the Clunia report, to make a standard of protection for cultural properties in developing countries."</p><p>He and Clark worked with then council chair Robert Carotenuto, CPP, PCI, PSP, associate vice president of security at the New York Botanical Garden, to write a CRISP (Connecting Research in Security to Practice) grant proposal to the ASIS International Foundation. Carotenuto says that he hoped the grant would give the council a way to produce a document of critical significance for the field and international members. </p><p>Carotenuto credits former ASIS Foundation Board member Dr. Arthur Kingsbury, CPP, who had extensive experience in archaeological security, and Gary Miville, another former Cultural Properties Council chair, with helping them put together the grant. </p><p>After submitting the proposal, they were awarded the CRISP grant, and chose to do several site surveys and a security risk assessment at the place near and dear to Sanz Marcos's heart—Clunia. </p><p>"The grant was helpful because it gave us the ability to pick a topic, a subject, and a location that were nonthreatening," Clark says, referring to the lack of terroristic threat in Spain. "But there were some challenges because it was in a remote location, it's a huge property, and nobody was really taking care of it to a great degree." They began their research in November 2016, and published their findings in a CRISP report in January 2018. </p><p>Clark and Sanz Marcos conducted a four-day site survey, assessed the threats and risks to the property, and provided recommendations for increasing security at Clunia. They paid visits to nearby historic sites as well, and conducted meetings with stakeholders, including employees working on-site, cultural ministries, mayors of surrounding towns, and a security advisor in charge of the site's contract with Securitas. </p><p>Based on their findings, the authors provided detailed recommendations to the stakeholders, which they hoped would increase tourism, community involvement, and overall prosperity at Clunia. </p><h4>Challenges</h4><p>Clunia is situated on a plateau in the Province of Burgos in the Castilla y León region of North Central Spain, approximately 150 miles north of Madrid. The location is all but remote, nestled next to the town of Peñalba de Castro, which has a population of fewer than 85 people. Excavation of the site began in 1915, and archeologists found over the following decades that the colony was once a significant Roman city of the Iberian Peninsula, known as Hispania. </p><p>Clunia, which dates to the first century BC, is believed by scholars to be "the most representative of all the archaeological ruins that have been found from the Roman period in the Northern Iberian Peninsula," according to the site survey. The site includes a forum with a basilica, a temple, Roman baths, an aqueduct, and one of the largest theaters on the peninsula. Pottery, mosaics, sculptures, Roman coins, glass, and pieces of jewelry have been discovered at the site, as well as Christian symbols that indicate one of the first Christian communities in Hispania may have lived in Clunia. </p><p>The inhabitants were skilled, Clark says, as evidenced by the colony's remains. "They had farms, they had grain, they grew grapes, they made wine, they had hot and cold running water, and they were phenomenal engineers," he notes. "They could do whatever they wanted because they had those skills."</p><p>Still, only about 15,000 visitors a year come to see Clunia. Limited financial resources were found to be a major factor contributing to the site's poor security, with most funds coming from public administration budgets.</p><p><strong>Threats.</strong> Clunia's remote location, Clark explains, contributes to the property's security challenges. "The police response is an hour away," Clark notes, based on information he received from the Spanish Ministry of Culture. He adds that the threat of fire, as well as fire response, is another obstacle. The area is mostly dry grassland, making it prone to brushfires, and departments have limited resources to fight blazes in large remote areas. </p><p>"Those are the primary issues: fire, theft, and then just damage to the site," Clark notes. "When the grasslands are destroyed, the rains just wash away the soil which takes away the protection of the yet-to-be uncovered ruins." </p><p>While terrorism was not found to be a significant risk to Clunia, one of the biggest challenges was theft of material over time from the site. Security around the 6-kilometer (3.5 mile) perimeter and within the site was severely limited, leaving precious artifacts exposed to potential theft and the fragile ruins unguarded. </p><p>"The town right next to the site has homes and buildings adorned with all kinds of artifacts from Clunia, and anybody can go to the site and pick something up," Clark says. "Fortune seekers who bring their metal detectors in are able to find Roman coins and other objects that were obviously not excavated." </p><p>With limited security patrols, intruders were often able to dig large numbers of holes in search of artifacts. "On a single day in 2015, site personnel discovered more than 165 holes dug into the ground by unknown intruders who had sufficient time to render such destruction without discovery," they write in the report. "It is unknown what, if anything, was removed during these incidents."</p><p>While there was a lock on the gate that guarded the site entrance, several keys had been given out to members of the community, and to shepherds who needed to pass through with their flocks to graze.</p><p><strong>Resources.</strong> Clark and Sanz Marcos found in their assessment that security personnel and technologies at Clunia were severely limited. During public hours, a staff member who sold tickets at the gate and a guide who explained the history of the site were the only people consistently on the property. Additionally, a contract guard worked between 11:00 p.m. and 6:15 a.m., but the guard had no patrol vehicle to make tours. </p><p>The visitor center and artifact building, plus specific high-value artifacts inside, had alarm systems, but no one was monitoring video in real time. And with slow law enforcement response times, even if an alarm was triggered, the bad actors would have time to get away. ​</p><h4>Recommendations</h4><p>Based on their assessment, Clark and Sanz Marcos made several recommendations to increase both security and community involvement at Clunia. Their final recommendation was a holistic security approach with three components. The approach aimed to get the community on board with a sense of ownership of Clunia, provide policies and practices that complement the security technology and officers in place, and provide those officers with tools and technology that allow them to deter or stop bad actors from accessing the site. </p><p><strong>Intrusion detection.</strong> The authors recommended several security technologies, providing a detailed summary of costs for each specific purchase, such as re-keying the perimeter gates, adding thermal cameras, and purchasing an all-weather, all-terrain vehicle for the security guard. </p><p>Re-keying the gate would solve the issue of several missing keys that had been given out over the years. But the authors recommended that shepherds could continue grazing on the property, because it turned out the sheep helped prevent fire outbreaks by eating the dry brush. </p><p>Strategically placed cameras would notify security staff when someone penetrates the fence or trespasses on the site. "One of the technologies that we recommended were thermal imaging cameras mounted on poles, which can detect movement or motions up to a mile," Clark says. "We recommended four or five of those on the site."</p><p>Establishing a full-time security presence during all hours Clunia is closed to the public was suggested, which would include two officers: one to staff a control center within the visitor center, and another to perform patrols.</p><p>Clark adds that a new visitors center currently under construction could house a new video monitoring location and would serve as a further deterrent to people trying to desecrate the site. "This would allow people to park their vehicles, go through a pedestrian gate, go through the visitors center, pass a small museum there, then go up on the site," he says. "They wouldn't be able to bring metal detectors and shovels—and things of that nature—where they could desecrate the site." </p><p><strong>Community awareness.</strong> Because the Spanish Cultural Ministry has limited financial resources, Clark and Sanz Marcos determined that increasing community buy-in around Clunia could generate more revenue for protecting it. By educating surrounding communities about the history and significance of the site, the authors indicated the value that Clunia could bring to restaurants, hotels, and other nearby merchants. </p><p>"This process should begin by first working with community leaders such as mayors, legislative representatives, and business people, followed by focused community meetings, informational brochures, and regular communications from the cultural ministry," they write in the report. </p><p>They suggested a training program to educate schools, neighborhood associations, and other institutions about Clunia, and recommended a marketing strategy in conjunction with nearby properties to draw tourism. </p><p>Sanz Marcos iterates the importance of community buy-in for the success of any historic site. "If you transform the cultural property into a sustainable industry that creates jobs, health, wealth, and a better life for the population around it, you can preserve the property," Sanz Marcos notes. "We have to leave our cultural properties for our children in better condition than we received them."</p><p>While Clunia was Clark's first archaeological site survey, he has performed risk assessments at museums, libraries, and other cultural properties throughout his career. He says he found that the basic principles of effective physical security applied to Clunia. "The biggest surprise to me was how relatively simple the solutions are," he says. "You really need to do vulnerability assessments on all these sites. There's a lot of common ground here. but there are also a lot of idiosyncrasies about each individual site."</p><p>Carotenuto echoes the importance of paying attention to the uniqueness of each cultural property and says it's a best practice for any risk assessment. "As security professionals, we don't just go in and tell someone, 'Well, this is what you need,'" he says. "It has to be tailored to that environment, it has to fit with the culture of that place, and that to me is the most interesting thing about the Clunia report—they realized they needed to embrace the culture of that site." </p>
https://sm.asisonline.org/Pages/Bridging-Worlds.aspxBridging WorldsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Effective security professionals are great innovators by nature. Continually forced to do more with less, security managers create new ideas in an ever-changing industry.</p><p>However, in the security field, the ways in which value is created are changing all the time. So are the strategies required to protect that value. For security managers, the challenge is to be the type of leader who understands how the value creation process is changing, and to then lead the security department so that it best leverages its value for success. </p><p>This type of leadership works best through collaboration. Kevin Kruse, the founder and CEO of LEADx.org, de­scribes leadership as "a process of social influence which maximizes the efforts of oth­ers towards the achievement of a goal." Undoubtedly, the process of social influence is key for security leaders, who typically do not have the authority to tell every­one in the organization what to do and have them comply.</p><p>Moreover, the environment that today's security manager is trying to lead in is filled with rapid change. These changes include massive shifts in technology in both software and hardware, as well as vast changes in the compliance landscape. For security leaders who are not experts in cybersecurity, such as physical security managers, these developments can be daunting to understand and get a handle on. But avoiding them and staying completely within one's silo or area of expertise can make collaboration difficult, and it will lessen the likelihood of effective social influence. </p><p>On the other hand, physical security managers who make the effort to gain an understanding of the effects of these technology and compliance changes, and how their effects can be harnessed to bolster the security of the overall enterprise, can then build bridges between different sections of the security world. These bridges break down silos, and they increase the social influence of the security manager and the chances of successful collaboration. </p><p>With that in mind, this article will discuss a few current technology and compliance developments, and the impact they might have on enterprise security.  ​</p><h4>DevOps</h4><p>DevOps, a software engineering culture and practice aimed at unifying software development (Dev) and software operation (Ops), is changing the way that digital experiences are being created in software.</p><p>One of the main characteristics of the DevOps movement is a push to automate and monitor all steps of software construction, including integration, testing, and deployment. As a result, some of the aims of Dev­Ops are shorter development cycles, in­creased deployment frequency, and releases that are closely aligned with business objectives. </p><p>DevOps specialists John Willis and Damon Edwards have used four terms to define the movement—culture, automation, measurement, and sharing. Under this approach, which is radically different from the traditional one, software is delivered continuously. Teams that had previously worked in silos come together to achieve common goals. As soon as someone comes up with an idea for a new digital experience, a cross-functional team can quickly turn it into reality.</p><p>The DevOps movement is catching on. Currently, 27 percent of surveyed organizations are using a DevOps methodology, according to the latest version of the annual report, The State of DevOps, published by software services company Puppet in 2017. Clearly, the use of DevOps is on the rise, and it is something that security managers should be up to speed on. </p><p>Compare the execution of some security functions in a DevOps versus a pre-DevOps world. In the pre-DevOps world, organizations built technologies in private data centers, and security professionals focused on protecting the perimeter of those centers. Similarly, the traditional brand of waterfall software development (where progress flows in only one direction—down—like a waterfall) takes time, enough time for lengthy cybersecurity reviews and approvals to take place. During this painstaking process, there is a strong focus on preventing breaches from occurring.</p><p>In the DevOps world, use of cloud infrastructure and automation transforms technology infrastructure so that it is now managed as software via application programming interfaces (APIs). The focus is on application and API security, instead of the traditional focus on host and network security. In this world, almost every software company is both a vendor to other software companies and a customer. </p><p>The connected ecosystem of the DevOps world pushes enterprise security away from its previous commonly assumed role as a cost center and pushes it toward the clear position of business driver. It is explicitly requested during the sales process—usually in the form of a vendor security questionnaire. A DevOps world assumes that security incidents are happening all the time and acts accordingly.</p><p>But security managers should know that buying a DevOps product can be different from buying a more traditional enterprise IT product that is installed in a private data center. </p><p>The purchase of the traditional product often meant building a long-term, old-school relationship that required significant investment by both parties. This eventually built trust, if both parties acted in good faith. </p><p>In contrast, Cloud, Security as a Service (SaaS), and other DevOps solutions have been described as "easy come, easy go," and they are often acquired in a low-friction transaction environment, over a shorter time frame. The quality, security, and regulatory compliance of these solutions must be expressed to the security manager in a more explicit way.</p><p>To illustrate, consider the following example. A DevOps vendor has begun to close a deal with its first big enterprise client. Now that the enterprise client has decided that it is interested in purchasing the DevOps vendor's product, it's time for the enterprise client's security team to get involved (just as the legal and purchasing departments will get involved regarding the contract and payment components of the transaction). </p><p>The enterprise security team sends the DevOps vendor a security questionnaire, which typically contains many questions. In some cases, receiving these types of security questionnaires can be intimidating to a DevOps vendor. In other cases, it can inspire the vendor to help drive and continue to mature the security program. </p><p>But no matter what the DevOps vendor's initial reaction is, the role of security has been transformed. It's an obvious and crucial part of completing the sale, from the point of view of both the vendor and the enterprise organization. Thus, the perception of security here is as an explicit business driver, which was not necessarily the case in the traditional IT product world. </p><p>Of course, physical security managers do not need to become technical experts on software development. However, understanding how DevOps changes the transaction process and the perception of security could become valuable knowledge for security managers of all types, including physical security managers. </p><p>Moving forward, the potential commercial advantages of the DevOps approach will likely make the software development trend an attractive one for many more organizations. Physical security managers who can meet this trend with a basic understanding of its potential impact will be well-positioned to collaborate with technology managers, for the benefit of the enterprise's overall security. ​ </p><h4>IoT Security</h4><p>In a recent survey by Business Insider Intelligence, executives were asked various questions about the Internet of Things (IoT). Security was found to be one of the most consistent concerns, chosen by 39 percent of survey respondents, well ahead of other concerns like questionable ROI, lack of a use case, and price. The security concern, in a nutshell, is that increased adoption of IoT technology may expose organizations to new, more prevalent hacks.</p><p>In the past few years, security ex­perts have executed, for demonstration purposes, alarming hacks on connected vehicles (2015), sniper rifles (2015), and cardiac devices (2017). Technically, many of the security vulnerabilities exploited in these hacks are similar to those of more conventional technologies such as servers, but the methods for detecting and addressing vulnerabilities in a connected web of smaller and less capable devices can be much more complex. </p><p>"Paradoxically, the very principle that makes the IoT so powerful—the ability to share data with everyone and everything—creates a huge cybersecurity threat," write Christopher J. Rezendes and W. David Stephenson in a recent Harvard Business Review article, "Cyber Security in the Internet of Things." As with any software product, the best approach for reducing the risk of software-connected vehicles and other types of systems is to assess and monitor security during the product development lifecycle. </p><p>Security managers should evaluate IoT systems with misuse and abuse cases in mind, considering how IoT features might be unintentionally misused or intentionally abused. In this way, the approach to reviewing an IoT system is not much different from the approach that has been commonly used for years to assess software security.</p><p>The methodology is called threat modeling, and this can be done either by an internal security team or outsourced to a third party that specializes in this type of analysis. The first step in creating a threat model is to identify the assets, security controls, threat agents, and threats within the system. The next step is to estimate the likelihood and impact of each threat within the system. Then, an associated mitigation plan for each potential flaw is developed.  </p><p>It is also critical for security managers to ensure that security fundamentals remain in place when working with the IoT environment. One of the founding principles of IoT security is that access should always be shut down where it's not necessary.</p><p>In addition, because IoT devices are primarily consumer facing, it's also important for security leaders to ensure that consumers are aware of and actively implementing cybersecurity basics such as the use of strong passwords and software updates.</p><p>Like DevOps, IoT systems are very likely to become more widespread in the next few years. Familiarity with the threat modeling process and other means of evaluation and sustaining bedrock principles will be valuable tools for security leaders, including physical security specialists, to possess. In addition, managers who supervise enterprise security risk management (ESRM) programs will find that IoT threat models often complement the overall ESRM program. This is because both take the same approach of using risk management principles to identify potential threats and their likelihood, and then strategically allocating resources to fight the threats.  ​</p><h4>GDPR</h4><p>For the past decade and a half, security professionals have been navigating a changing regulatory environment. To date, many regulatory compliance frameworks have been applicable to only one specific industry. Payment Card Industry (PCI) standards apply to financial services, the Health Insurance Portability and Accountability Act (HIPAA) applies to the medical field, and the Sarbanes–Oxley Act (SOX) applies to public companies. </p><p>Additionally, each set of rules and regulations has different enforcement mechanisms. PCI, for example, applies differently to various tiers of an organization, and the actual fines that have been paid by noncompliant organizations have been fairly limited. </p><p>But all of that changes with the General Data Protection Regulation (GDPR). GDPR enforcement officially began in May 2018, and it applies to organizations located within the European Union (EU) and to organizations located outside of the EU that offer goods or services to, or monitor the behavior of, EU citizens. Organizations that do not comply with GDPR requirements can be fined up to 4 percent of annual global revenue or up to €20 million (roughly $24 million), whichever is greater.</p><p>While the focus is on consumer privacy, GDPR has a lot to say about processes and procedures surrounding data breaches, vendor security, and data protection in general. At a high level, the regulation requires organizations to develop a data inventory and continuously track how data is processed, stored, and transferred. </p><p>Given this, many proactive security leaders will be developing plans for how to proceed when it comes to either providing vendor services or leveraging a vendor for data processing, storage, or transfer. Many will also develop plans for responding to an incident that takes into consideration what action is required by GDPR in the case of a breach. A physical security manager who has sufficient working knowledge of GDPR can be a valuable asset as a participant in this plan development, and the enterprise at large will benefit from the fact that the plan was a collaborative effort between different security specialists.</p><p>For more information, the full GDPR document is available publicly. There are also many guides, runbooks, and "do's and don'ts" online that professionals can review to learn how others are interpreting the information. ​</p><h4>Bridging Worlds in Person</h4><p>DevOps, IoT security, and GDPR comp­liance are all rapidly changing areas within the overall technology and regulatory landscape, and they all offer opportunities for security managers who are not cybersecurity specialists to build bridges into the worlds of technology and information compliance. </p><p>Physical security managers who had educated themselves on the basics of these topics can then learn more when meeting with technology specialists. Such meetings often proceed more smoothly if the physical security manager goes into the meeting with a productive eager-to-learn attitude.    </p><p>So, when meeting with technology and compliance experts, ask questions and save your demands. Spend twice as much time listening as talking. The more curious you are, the more likely you are to learn something that will benefit you as you put together an approach toward improving overall enterprise security.</p><p>Some important questions for a physical security manager to ask a technology manager or engineer might include: What's important to you? What are your top priorities this quarter? What worries do you have about getting your job done? This information can be used to align security goals with technology goals. It can also provide context, and a more accurate answer, for a security manager who is mulling over the question of why security tasks do not seem to receive the time or resource allocations that they should. </p><p>A similar approach will also benefit physical security managers who want to build bridges with the organization's business leaders. Before meeting with these leaders, security managers should spend time learning about the business side of the organization. Then, they can dive into specifics during the meeting, using the same types of open-ended questions used with technology leaders. </p><p>Astute security leaders know that they cannot approach business and technology teams and order them to work in a certain way. If security managers do not spend time and effort learning about how other specialists work, what their priorities are, and what risks matter to them, trust will be hard to build. When was the last time you listened to the advice of someone you didn't trust?    </p><p><em>Caroline Wong, vice president of security strategy at Cobalt.io, has held executive security and management positions at eBay, Symantec, Cigital, and Zynga. ​</em></p>
https://sm.asisonline.org/Pages/Eye-on-the-High-Life.aspxEye on the High LifeGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Nestled in downtown Austin, Texas, The Bowie is a high-rise apartment tower that offers luxury amenities to its residents. "We have the highest price per square foot in all of Texas," notes Timothy Colgan, former general manager at The Bowie. "It's the small touches that set us apart."</p><p>The Bowie opened in 2015, and one of its not-so-small touches is the rooftop infinity pool atop the 36th floor. But with high-rise glamour comes the need for heightened security, leading property management to invest in video, Colgan says. That's why when he took over as general manager in the spring of 2017, his first question was whether he could manage the existing video system from his mobile device. </p><p><img src="/ASIS%20SM%20Callout%20Images/0718%20CS%20Stats%20Box.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:311px;" /> While there were options for mobile access, he found the existing video management system (VMS) difficult to use, and it was burdensome to pull up previously recorded video. "It was an extremely complicated software to navigate, even to go back to view video footage," Colgan tells Security Management. </p><p>"It's important to be able to go back and retrieve camera footage if and when it is required, to give you some insight into the before and after," he explains.</p><p>Besides having a vested interest in protecting its residents, The Bowie has commercial space on the eighth and ninth floors, so management was concerned about monitoring the nonresidential activity taking place inside the building. </p><p>"From a risk management standpoint, probably the most helpful thing you could possibly ask for is camera footage, especially in the event you're filling out an incident report," Colgan notes. "Sometimes bad things do happen and having them on camera, especially elevator footage or pool footage—it can make a world of difference." </p><p>The president of Eagle Eye Networks, Ken Francis, was a resident at The Bowie and approached Colgan about possibly installing his company's Eagle Eye Cloud Security Camera VMS. The company manufactures cameras that come equipped with VMS software, which allows users to manage and record video completely in the cloud. Customers have the option to purchase hardware if they want to perform local recording. </p><p>For Colgan, having the ability to easily manage the VMS from any smart device appealed to him, as did the quality of the high-definition cameras, which can capture facial details and detect motion.</p><p>Several Eagle Eye cameras were strategically installed in and around the property, including at the infinity pool, the parking garage, and the 10th floor rooftop terrace dog park. Users can manage the cameras and footage from an app available on smart devices, as well as from any desktop computer. With the click of a button, users can turn cameras on or off, email videos, adjust camera settings, and manage how long cameras retain video. </p><p>"I use that app all day every day, even during my time away from the office," Colgan says, adding that he can grant or restrict access to the platform for employees. "A team member may give me a call and say, 'Hey, take a look at what's happening on the 31st floor—is this a get together that you would like us to break up?'"</p><p>The quality of the cameras allows management to clearly make out facial or license plate details and identify persons or vehicles of interest. "One new camera is inside the parking garage, which allows me to see high definition of exiting cars and faces of individuals coming into the garage," Colgan says, adding that he can look up license plate numbers in the property management system. If the vehicle is unauthorized, the towing company is contacted.</p><p>From a liability standpoint, key incidents the property wants to capture are slips, trips, and falls, which can happen at any time. "We had a fall incident that took place on the property in an amenities space," he says. When filing the subsequent incident report and insurance claim, he says that having clear video of the event helped prove that the building was not at fault.  </p><p>"Being able to identify fault is extremely important from a risk management standpoint," Colgan explains. "The camera that witnessed the incident…had recently been replaced by Eagle Eye, and gave us a clear enough shot in the dark to see what actually happened." </p><p>Residents at The Bowie have high expectations not for only their security, but also for their privacy, and management uses the Cloud Security Camera VMS to improve their quality of life. Colgan explains that this makes documenting incidents throughout the property even more critical. </p><p>"In the elevators, you're in a confined space and unfortunately people don't always behave as you would expect," he notes. "Now we're able to not only see what happens on the elevator, but on the floor to which people are exiting, which helps us to narrow down who the particular person is." </p><p>In addition to the elevators, keeping track of activity at the dog park has become a point of concern. "One of the big projects that Eagle Eye helped with was installing three very large dome cameras in the dog park," he says. "We were having trouble with people not picking up after their pets, and we wanted the ability to hold people accountable." </p><p>With the dome cameras, everything that transpires in the dog park is captured, and repeat offenders who fail to clean up after their pets are easily identified. The Eagle Eye VMS software has an algorithm that can be programmed to pick up on specific actions, and Colgan says The Bowie will eventually take advantage of that feature to automatically alert when someone doesn't pick up after their dog. </p><p>Even for luxury living, security is never a guarantee. But Colgan says having the Eagle Eye Cloud Security Camera VMS gives the residents peace of mind that they're being watched over.</p><p>"Crime does not have an address," Colgan says. "But at the end of the day, we have tools in place to try to assist when things do come up. When people come in the building, they can see we have that technology there." </p><p><em>For more information: Deborah Demarchi, </em><a href="mailto:ddemarchi@eagleeyenetworks.com"><em>ddemarchi@eagleeyenetworks.com</em></a><em>, www.eagleeyenetworks.com, 949.813.6223. ​</em></p>
https://sm.asisonline.org/Pages/Blockchain-Buzz.aspxBlockchain BuzzGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The year was 1960. And Charles W. Bachman was unsatisfied with computers. They were supposed to revolutionize the way companies did business but accessing vital information and making changes was a time consuming—and frustrating—process.</p><p>Bachman, then a software engineer at General Electric, and his team came up with a solution to the problem. He created the Integrated Data Store (IDS), the first direct-access database management system, which would allow businesses to link data sets and make changes to them with greater ease.</p><p>IDS would change the future of computing, and databases and their management systems are now used in millions of applications around the world for inventory control, employment records, and transactions.</p><p>"IDS and its derivative systems are still in use today, supporting a thousand mainframe installations," Bachman wrote in an article for IEEE Annals of the History of Computing in October 2009.</p><p>Around the same time that Bachman wrote his article, another piece of technology was invented that is now changing computing in a similar way: the blockchain.</p><p>"A blockchain is similar to a database, but rather than being stored in one place and governed by one company or one set of people who run it and administer it, a blockchain is simultaneously run by thousands—or millions—of people around the world," says Michael Perklin, chief information security officer at ShapeShift.io and board member of the CryptoCurrency Certification Consortium and The Bitcoin Foundation. "There is no real, geographic home."</p><p>And blockchain technology is poised for a bright future. Research and advisory firm Gartner predicts that the business value-add of blockchain will reach $176 billion by 2025 and be more than $3.1 trillion by 2030.</p><p>What is a blockchain? In October 2008, Satoshi Nakamoto created the cryptocurrency known as Bitcoin. To keep track of Bitcoin transactions and verify them, Nakamoto also created another technology—a blockchain. </p><p>A blockchain is a database system that allows peers to validate changes made to the system, rather than relying on central authority. One of the easiest ways to explain how a blockchain works is to discuss it in terms of a transaction. </p><p>For example, Alice requests that Bob pay her 15 Bitcoins. Her request is broadcast to a network of computers—called nodes. Using cryptography, the nodes make sure the transaction is valid. If it's valid, a new block is added to existing blocks associated with Alice's account to create a chain. Built into these blocks are digital hashes, which make it evident if anyone attempts to alter a block in the chain. </p><p>"With a database, it's possible to falsify a record without leaving any trace because, by default, most databases don't have these tamper-evident capabilities—but blockchains do," Perklin says. "So, if I try to alter my balance and say I have 1,000 Bitcoins. I send this update to the world through the replication mechanism; as every other computer in the world starts receiving this message from me, they take a look at the tamper-evident seal on it, and they realize immediately that this is not a valid update and ignore it." </p><p>Most other systems, including databases, lack this validation factor.</p><p>"By default, databases don't do any checking at all because it's assumed that you have access to that database," Perklin says. "You have an account, you have permission to make a change, it assumed that change is valid, and if you have permission to make it, it'll make it for you."</p><p>By contrast, there are no user accounts associated with blockchains. Nodes on the network act as validators, conducting integrity checks to make sure that false information is not added to the blockchain. And this validation process happens within nanoseconds. </p><p>Beyond validation, there are other benefits to blockchain technology. For instance, it is more resilient than relying on a central authority.</p><p>"The data simultaneously exists on thousands or millions of computers around the world at the same time," Perklin explains. "If one server were to go down, the data is still available to everyone else in the world. By contrast, if something like PayPal were to go offline, nobody can use PayPal until PayPal comes back online."</p><p>If one server, or several went out due to a massive Internet outage, a blockchain would continue to work using servers located elsewhere. </p><p>How are they used? Blockchains were initially created to facilitate Bitcoin and have also been used to support other cryptocurrencies. Since then, blockchains have been applied to other projects but the technology is still in the early phases of adoption. </p><p>One use case is for document validation. Users can employ block-chain technology to verify the integrity of a document to ensure that it has not be altered. </p><p>For instance, publicly traded companies release certain financial records to the public every month. If a malicious insider who stole from the company wanted to alter the documents to cover up the crime, the insider could do that after the chief financial officer prepared the documents.</p><p>Using software that uses blockchain technology, a chief financial officer could add a time stamp to the prepared financials that would appear in the blockchain. </p><p>"This adds a tamper-evident seal that lives in the…blockchain that can attest that at this time and on this day, this was the exact state of the financial affairs," Perklin says. "Now a few days later when bad guys take these financials, alter them, and publish them to the world, if somebody wanted to check the validity they can compare it to what the CFO put in…they will see it has been altered."</p><p>This type of timestamping authenticator can also be used to verify video recordings, Perklin says, such as a recording of a police officer using excessive force against a protestor.</p><p>"A few months later when they are in court and the recorder is accused of photoshopping the video, they can say, 'No, this time stamp proves that this existed on the day at exactly 3:30 in the afternoon—the time this really happened,'" he explains.</p><p>These are just some initial use cases for blockchain and more will come, but one area Perklin says he does not think blockchain technology will be used for is anything involving private information.</p><p>"The nature of blockchain is that all the information is public, and every one of those thousands or millions of computers around the world, they can read all the information, so they can validate all the information," Perklin adds. "Now I've lost my privacy. Anything that has a privacy component is not a good fit for a blockchain application."</p><p>Others are also skeptical of the potential security use for blockchain technology, including Ron Rivest, institute professor at the Massachusetts Institute of Technology and one of the inventors of the RSA algorithm.</p><p>Speaking at the RSA Conference in San Francisco in April 2018, Rivest said that blockchains are being viewed as "security pixie dust" with developers promising that any application will "be made better by blockchain properties."</p><p>This is not accurate, Rivest said, citing the example of using blockchain technology for election security in the United States. </p><p>"In voting, it would be a bad idea because of the private ballot—and it needs to be centralized," he said, adding that the centralized system is needed to ensure that votes are counted but that the identity of who cast them would remain private.</p><p>"Blockchains have limited security properties that may or may not fit what you need," Rivest said.</p><p>The U.S. Securities and Exchange Commission (SEC) has also stepped up recently to crack down on companies that are adding blockchain to their name to raise their stock price.</p><p>"The SEC is looking closely at the disclosures of public companies that shift their business models to capitalize on the perceived promise of distributed ledger technology and whether the disclosures comply with the securities laws, particularly in the case of an offering," said SEC Chairman Jay Clayton in a statement. </p><p>All of this is part of a technology that's just in its beginning phases, similar to what the world saw with the introduction of computers and databases. </p><p>"It took decades for people to apply interesting features to that dumb wire between boxes," Perklin says. "I'm sure that in 20 years, we're going to look back at all the different ways companies started using blockchain and think...this was the future." ​</p><p> </p>
https://sm.asisonline.org/Pages/July-2018-Industry-News.aspxJuly 2018 Industry NewsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​</h4><h4>A NEW BALL GAME</h4><p>When the Great American Ball Park, home of the Cincinnati Reds, needed to upgrade its visual systems, it turned to integrator Nor-Com. The state-of-the-art video distribution system would enable the ball park to distribute HD video to a range of sources throughout the venue. Nor-Com outfitted the ballpark with the intelligent Ultra HD Over IP platform from Just Add Power (J+P).</p><p>The platform has kept pace with changing video distribution requirements, progressing through the extensive upgrades around the stadium. As a result, new video spaces continue to be brought online and updated for a seamless video experience. Most recently, Nor-Com used J+P's 2G and 3G transmitters and receivers within the redesigned Scouts Club, Champions Club, HandleBar, and Reds Connect Zone. The team can distribute transmissions from multiple sources throughout the facility, including HD tuners for the game feed, Blu-ray players, the scoreboard feed, laptop and PC inputs for digital signage, social media feeds, and a press feed. </p><p>In each space, users can control and switch any source via an iPad, with minimal training. The modular approach to video distribution allows the team to build upon its existing infrastructure and keep pace with evolving video content requirements and standards.​</p><h4>PARTNERSHIPS AND DEALS​</h4><p>ASSA ABLOY announced partnerships </p><p>with Averics, BluB0X, Dot Origin, Identiv, and Viscount. Also, AccessNsite, Lenel, Open Options, and RS2 are the first partners to integrate with ASSA ABLOY's PIV-enabled solutions. </p><p>Anchore and stackArmor announced a strategic partnership to deliver enhanced container security and compliance solutions. </p><p>Integrating Arteco Video Event Management Software with Paxton's access control platform gives users insights into potential risks or incidents.  </p><p>Auth0 was selected by National </p><p>Geographic Partners, LLC, to centralize identity for its properties around the world.</p><p>BlackRidge Technology International, Inc., is collaborating with Marist College to develop a blockchain application to eliminate fraud from philanthropic contributions. </p><p>Bold Technologies integrated its ManitouNEO with the CHeKT video monitoring platform to enable alarm-based video.</p><p>The Cambridge Pixel Video Security Display system was selected for a military mobile protection program in the Middle East, partner Defense Integrated Solutions Security Systems.</p><p>Captis Intelligence signed a national dealer agreement with NAVCO. </p><p>FST Biometrics installed its In-Motion Identification solution at the Wellington College Health & Fitness Club in the United Kingdom.</p><p>A surveillance system provided by Hikvision Canada Inc. was installed by Off Grid Surveillance Platforms for Ajax Hyundai in Ontario, Canada.</p><p>Invixium is working with integration partners Galaxy Control Systems, RS2 Technologies, Honeywell, Genetec, Gallagher Security, Paxton Access, Siemens, Remsdaq, and S2 Security.</p><p>Interactive and home automation features from Alarm.com can now be controlled by iotega.</p><p>JCB Co. Ltd. is testing its latest JCB Biometrics Card with fingerprint authentication. The payment solution is provided by IDEMIA, and Toppan Printing is personalizing the cards.</p><p>Kentec Electronics Ltd. supplied its Taktis fire detection and alarm technology to Scotland's Dumfries Baptist Church.</p><p>Manything signed on three new distribution partners: Brooklyn Low Voltage Supply, DSG Distributors, and Tristate Telecom.</p><p>Milestone Systems' open platform IP video management software is helping Carrasco Lakes in Uruguay provide better security control. The networked solution, executed by Foxsys, allows ongoing expansions, including more than 30 new cameras from Hikvision and Arecont Vision.</p><p>MOBOTIX is partnering with ClearSite Communications, Inc., to provide a platform that allows cameras and sensors to be deployed at remote locations. </p><p>The National Fire Protection Association and ASTM International created a joint working group to create "use-case scenarios" for law enforcement and first responders using drones in operations. </p><p>NETSHIELD Corporation is partnering with ZON Digital Insurance to include cyber insurance coverage bundled with its suite of cybersecurity solutions for small and medium enterprises.</p><p>Nozomi Networks Inc. and SecureLink are working together to broaden SecureLink Germany's delivery of services to customers across Germany, Austria, and Switzerland. </p><p>Nuvias signed a pan-European distribution agreement with FireEye.</p><p>Overland-Tandberg announced that ABP Tech now offers its SnapServer Network Attached Storage integrated with ABP Tech's Mx-MSP remote video surveillance monitoring software.</p><p>The Quantum video surveillance storage portfolio is now available through Convergint Technologies.</p><p>Transition Networks partnered with ScanSource, Inc., to expand delivery of its edge connectivity solutions with a focus on physical security networks.</p><p>TrapX Security is collaborating with Check Point Software Technologies Ltd. to provide a real-time visibility, threat detection, and rapid threat containment solution.</p><p>TÜV Rheinland and SecurityMatters announced a strategic partnership to help worldwide industrial services clients detect and remediate cybersecurity threats.</p><p>Virsec entered into an alliance with Raytheon to help defend government and critical infrastructure entities from advanced cyberattacks.​</p><h4>GOVERNMENT CONTRACTS</h4><p>Kent Police and Essex Police will deploy Axon cameras, along with licenses on Evidence.com.</p><p>Dedrone announced a partnership with Defense Innovation Unit Experimental, a U.S. Department of Defense organization, to experiment with technology for assessing, measuring, and responding to adversarial unmanned aircraft systems.</p><p>Ellipse Global will supply mobile base camps to support field operations under a contract with the U.S. General Services Administration. </p><p>ESO announced that its Electronic Health Record and Fire Incidents software platforms were chosen by the Indianapolis Fire Department to collect and analyze data and comply with reporting requirements for the National Emergency Medical Services Information System and the National Fire Incident Reporting System.</p><p>Uruguay's Ministry of the Interior worked with the Uruguayan Football Association and H&O Tecnología to implement Herta facial recognition technology for three major football venues. </p><p>The U.S. Department of Homeland Security Science and Technology Directorate's Silicon Valley Innovation Program awarded a contract to iProov to help U.S. Customs and Border Protection improve the passenger entry operation process.</p><p>MSA Safety Incorporated will provide G1 self-contained breathing apparatus and accessories to the Metropolitan Fire Brigade and Country Fire Authority in Victoria, Australia.</p><p>NC4 announced that the Lansing Police Department chose the NC4 Street Smart solution to support community-based, problem-oriented, and data-driven policing strategy.</p><p>Neurotechnology completed a multibiometric voter registration deduplication project for the Democratic Republic of the Congo, working directly with the Independent National Electoral Commission. It compared 46.5 million multibiometric facial and fingerprint voter records in less than two months and identified more than 5.3 million duplicates.</p><p>The United Kingdom's Serious Fraud Office is using OpenText Axcelerate to expedite its investigations by automating document analysis.</p><p>QinetiQ North America was selected for the engineering and manufacturing development phase of the U.S. Department of Defense Common Robotic System (Individual) program. </p><p>A Sielox layered security solution is securing New Jersey's Upper Township School District.</p><p>Israel Police selected Siklu wireless links to secure the Gay Pride Parade in the City of Jerusalem.</p><p>The U.S. Transportation Security Administration chose Unisys to secure, operate, maintain, and protect screening equipment in U.S. airports.</p><p>VirTra, Inc., received a purchase order for its training simulators under a contract with the U.S. Department of State.</p><p>WidePoint Corporation received an award from U.S. Customs and Border Protection for cellular wireless managed services.</p><p>Spokane Valley City Hall in Washington has integrated video surveillance, access control, and intrusion systems, specified by Coffman Engineers and configured and installed by EVCO Sound & Electronics.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>Mission 500 presented its Corporate Social Responsibility Award to Altronix Corporation. </p><p>Amika Mobile announced that its Amika Mobility Server platform for critical and emergency communication was selected as the Best Emergency Communication Solution by Security Products and Security Today Magazine for the fourth year in a row.</p><p>Attivo Networks and Exabeam were among the 2018 Best Places to Work listed by the San Francisco Business Times and the Silicon Valley Business Journal. </p><p>Bates Security won a SAMMY award for Integrated Installation of the Year for a school security project. The project involved Sonitrol of Lexington, Bates Security, and 3xLOGIC collaborating on an advanced access control system for Frederick Douglass High School in Lexington, Kentucky.</p><p>Camden Door Controls received UL 294 listing for its new electric strikes.</p><p>The Texas Committee for Employer Support of the Guard and Reserve recognized Delta Risk with the Pro Patria Award in the Small Business category.</p><p>Essence Smart Care was awarded the 2018 SilverEco & Ageing Well International Award for its Care@Home Smart Alerting solutions. </p><p>HGH Infrared Systems won the SECONA Shield 2018 Award in the category Innovative Product of the Year - Hardware CCTV.</p><p>Middle Atlantic Products was recognized with two Stellar Service Awards by the readers of Systems Contractor News for its Middle Atlantic website and design services.</p><p>Milestone Systems announced that Soko Aoki won its Milestone Community Kickstarter Contest 2018 for integrating XProtect VMS with 360-degree enabled cameras and a head-mounted display.</p><p>Pivot3 won multiple technology awards for the latest version of its critical video surveillance software platform. The honors include a 2018 MVP Award from Security Sales & Integration, a 2018 Government Security Award from Security Today, and a 2018 Secure Campus Award from Campus Security and Life Safety. </p><p>Safe-T Group Ltd. announced that its Reverse-Access Technology was granted a patent from the U.S. Patent and Trademark Office.</p><p>Sectra's encrypted smartphone was approved by the European Union for the communication of information at the RESTRICTED security level. </p><p>The Security Industry Association (SIA) announced winners of the SIA New Product Showcase Awards Program. IPConfigure was recognized with the Best New Product award for its Orchid Core VMS for AXIS Camera Application Platform. The Judges' Choice Award was presented to Allegion for its Von Duprin Remote Undogging and Monitoring Kit. The judges presented awards in a total of 29 product and service categories. Find the full list of winners at www.iscwest.com/SIANPS/. </p><p>Security Innovation won eight Info Security Product Guide Global Excellence Awards, including a Grand Trophy prize.</p><p>Securonix announced that its Next Gen SIEM solution was recognized as the top security information and event management solution in the 2018 SC Magazine Trust Award for the Best SIEM Solution.</p><p>Sielox LLC named Milsk Company Inc. as its 2017 manufacturer's representative firm of the year. </p><p>Trillium Secure, Inc., took home the grand prize at CyberTech Asia 2018 for its SecureIoT cybersecurity suite and cybersecurity as a service business model.</p><p>The University of Ryerson granted Privacy By Design Certification to the Vision-Box Identity Management Platform Orchestra. </p><p>VITEC announced that its EZ TV video wall processor won the Best of Show Award at the 2018 NAB Show from Sound & Video Contractor magazine.​</p><h4>ANNOUNCEMENTS</h4><p>Ben-Gurion University of the Negev and University of Washington researchers have developed a new method to detect fake accounts on most types of social networks, including Facebook and Twitter.</p><p>Bold Technologies introduced its new learning and training platform, BoldU.</p><p>Camden Door Controls launched an enhanced switch-selection wizard on its website.</p><p>Clery Center and StopHazing partnered to develop a data-driven Hazing Prevention Framework based on principles of prevention science and findings from the Hazing Prevention Consortium. The partners released the Hazing Prevention Toolkit for Campus Professionals.</p><p>Corporate Investigative Services is celebrating 30 years in business.</p><p>Critical Start completed the acquisition of Advanced Threat Analytics.</p><p>Datavant acquired Universal Patient Key, a provider of HIPAA-compliant de-identification services for healthcare data.</p><p>Memphis-based Electronic Security Specialists purchased required commercial fire alarm accounts from neighboring Frase Protection. </p><p>The Gaming Standards Association launched its new Blockchain Committee.</p><p>The California Hotel and Lodging Association partnered with Guardian Group to provide all hotel members with the Guardian Seal Recognition and Response Training to prevent human trafficking.</p><p>Honeywell opened an industrial cybersecurity center of excellence in Asia, with the support of the Singapore Economic Development Board.</p><p>InfoArmor, Inc., unveiled a new brand identity, with a redesigned website, an updated logo, and an improved user experience.</p><p>KPMG acquired cybersecurity firm Egyde to help clients with cybersecurity risks.</p><p>Mavin Technologies is offering Mavin Prime, a free edition of Mavin's Security Management Platform that supports up to eight readers.</p><p>NuState Energy Holdings, Inc., changed its name to Visium Technologies, Inc., to reflect the company's primary focus on technology and cybersecurity. </p><p>OnSSI released The Hardening Guide for Networked Video Surveillance Systems. The free downloadable guide provides specific recommendations for applying cybersecurity measures to protect systems from potential threats.</p><p>PDFPageLock.com released free security software utility PDF Page Lock, which enables users to lock or hide selected pages of a PDF document with a password encryption.</p><p>PeopleFacts and SNH Capital Partners I, LP, acquired TRAK-1 to create a leading competitor in the U.S. background screening market.</p><p>Polaris Alpha recently opened a new laboratory designed to help federal agencies understand the impact of the Federal Communications Commission's auctioning of communications spectrum.</p><p>Qualys, Inc., acquired the software assets of 1Mobility of Singapore.</p><p>RapidDeploy installed its computer-assisted dispatch platform in the testing laboratory at the Internet2 Technology Evaluation Center at Texas A&M University.</p><p>ShotSpotter published the 2017 National Gunfire Index.</p><p>Spearfish West Africa opened in Abuja, Nigeria, as a subsidiary of Spearfish Security. </p><p>Tourism Malaysia announced the launch of My Tourist Assist, a mobile app to support safe travel for tourists in the country. The app was developed by UST Global and managed by Jana Tiga Holdings Sdn Bhd.</p><p>VirtualArmour International Inc. established the VirtualArmour Academy, a new institution for cybersecurity education and training.</p><p>VOTI Detection opened new global headquarters in Montreal to produce leading-edge x-ray security scanning systems. ​</p>
https://sm.asisonline.org/Pages/Newsroom Shooting Demonstrates Vulnerabilities Of Run Hide Fight Response.aspxNewsroom Shooting Highlights Challenges of Securing Open OfficesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A 38-year-old Maryland native allegedly opened fire on an Annapolis-based newsroom​, killing five people and providing a grim reminder that security best practices are not one-size-fits-all. </p><p>The suspected shooter, Jarrod W. Ramos, had a longstanding grievance with <em>The Capital Gazette</em> stemming from the paper's 2011 coverage of a harassment charge against him. He pursued—and prolongated—legal action against the reporter, publisher, and judge involved. He also started a website and several Twitter accounts berating the newspaper.  ​</p><p>In 2013, the paper and one of the targeted reporters contacted police to discuss filing a restraining order or misdemeanor charges due to the prolonged harassment but ultimately decided to not follow through for fear of further antagonizing him, <a href="http://www.baltimoresun.com/news/maryland/crime/bs-md-ramos-charges-20180629-story.html" target="_blank">the <em>Baltimore Sun</em> reports</a>.  </p><p>The reporter and the publisher involved in the legal proceedings from more than seven years no longer work at <em>The Capital Gazette.</em></p><p>"If you fire somebody or have an incident with them, it's typical to feel that their retaliation is going to be in the near future, but that's not necessarily true," says Michael Crane, CPP, security consultant and attorney at Securisks. "You hear stories where people come back after a year or two—and in this case, it was after five or more years."</p><p>Crane—who is also the chair of the ASIS Active Assailant Working Group—notes it appears that the paper followed security best practices after the threats escalated in 2013.</p><p>"Between his lawsuit and the threats that he made, that certainly should have given them an increased sense of surveillance or security," Crane says. "What you want to do in that type of situation is conduct an assessment to harden your facility. I'm assuming that part of the newspaper contacting the police was putting in access control on a locked front door so nobody could just walk in without being buzzed in."</p><p><em>The Capital Gazette</em> shares a building with several other commercial tenants. The shooter entered through the building's rear entrance and, despite closed access to the newsroom, was able to enter by shooting through a glass door or window. <em>The Capital Gazette</em>—like many newsrooms and office spaces—has an entirely open floorplan, with glass windows all around the room, reporters working at desks in the middle, and half-walls along one side for editors' offices, <a href="https://www.cnn.com/2018/06/29/us/inside-capital-gazette-newsroom-shooting/index.html">according to CNN</a>.</p><p>As the gunman proceeded to systematically fire his 12-gauge pump-action shotgun along the room, some employees ran to the back door. However, before entering the building, the gunman had barricaded the door. One man who tried to force the door open was shot and killed. </p><p>The rest of the employees hid as best they could under desks and behind filing cabinets. After less than two minutes of shooting, police arrived and the shooter ceased his attack to hide under a desk, before being captured by responders.</p><p>"The police were there in 60 to 90 seconds—that's absolutely tremendous and should be applauded," <span style="background-color:#ffffff;">says </span><span style="background-color:#ffffff;">Kevin Doss, CPP, PSP, CEO at Level 4 Security. </span>"However, five people were killed in less than 90 seconds. These happen quickly, so performing a threat assessment, hardening facilities, planning procedures, and training are all critical—you're only going to have a split second to react."<br></p><p>Building a training program based on an organization's specific needs and threat points--and that implements both physical security measures and procedures--is imperative for success, Doss explains. Media organizations, for example, are higher-risk targets because they publish news that is bound to cause grievances. </p><p>"You can take a basic program, and then we talk about site specifics, and that’s where a risk assessment is critical," says Doss. "You can’t use a cookie-cutter approach to an asymmetrical threat like active shooter because that threat can change characteristics. People are going to have a plan of attack before they show up, and this guy did—he had a plan to lock people in."</p><p>Doss has trained U.S. federal agencies using the U.S. Department of Homeland Security's Run. Hide. Fight. active shooter protocol and now uses a similar approach when training organizations. He notes that he is working with more companies that have open offices—often featuring open workspaces and glass instead of walls and doors. Active shooter training must account for this increasingly-popular type of workspace, he tells <em>Security Management.</em></p><p>"Look at your workspace from a survival capability," Doss says. "If it was all open space, there are very few places to hide. At that point train yourself--what could I do if a shooter gets here? If door is barricaded, look at breaking a window or looking at another method. That’s where training comes into play because you don’t want to figure that out during an emergency. You want a planned course of action to train on. If you’re not trained on it, you won’t know to do it."</p><p>Crane agrees, noting that even open office environments should ensure that there are safe places to hide, such as bathrooms or conference rooms with locked doors. Doss points out that while glazing is common in many offices and allows for natural surveillance, it's also the weakest barrier. Hardening that vulnerability by using polycarbonate or bulletproof glass, or adding a shatterproof film, can help in such instances. </p><div><p>Crane discusses the challenge of assessing the true danger of a person—either an insider or someone in the community—with a longstanding grudge. Threat assessment teams are helpful in keeping track of terminated employees or customers or people who have been making threats.</p><p>"You have to look at active assailant as a subset of a workplace violence incident, which has been going on for years," Crane explains. "The majority of our workplace violence incidents are domestic related and can spill into the workplace. However, as rare as it is, active assailants do happen. Recognizing behavior and doing something about that behavior, contacting the police, increasing security, limiting access into your facilities, training as to run-hide-fight, those are the only things you can really do."</p><p>Doss says threat assessments not only help harden a facility but allow for the detection of potential bad actors. While good assessments are costly, he recommends high-risk organizations conduct them yearly. </p><p>"I may not be a threat this year, but I may be escalating toward becoming an actual threat, and the only way you’re going to find that out is to track these types of incidents or behaviors," Doss notes. "Active shootings never happen all at once, there’s always a building and progression--some type of behavioral issues prior to them committing the act. That’s where we have an opportunity to identify these behavioral characteristics and intercede."<br></p><p>For small businesses and houses of worship, there are a plethora of resources on how to conduct a threat assessment and make sure every employee receives basic active shooter training. "This problem is only getting worse, and we need to become more proactive from organizational side of things because we have a responsibility to provide safe workplace for employees," Doss says.​</p><p>The shooter had to be identified via facial recognition software because the fingerprint analysis system was taking too long. Police searched his home in Laurel, Maryland, about 30 minutes from the newsroom, and found evidence of the origination of the planning. He is being held without bail and has been charged with five counts of first-degree murder. Security at newsrooms across the country has been increased as a precaution. ​</p></div>
https://sm.asisonline.org/Pages/Multiple-People-Shot-in-Maryland-Newsroom.aspxMultiple People Shot in Maryland NewsroomGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p></p><h4>​​what we know</h4><ul><li><p>​Alleged gunman Jarrod W. Ramos opened fire with a pump-action shotgun at <em>The Capital Gazette </em>newsroom in Annapolis, Maryland.</p></li><li><p>Five employees were killed: <a href="http://www.capitalgazette.com/news/annapolis/bs-md-rob-hiaasen-20180628-story.html" target="_blank">Rob Hiaasen,</a><a href="http://www.capitalgazette.com/news/annapolis/bs-md-wendi-winters-20180628-story.html" target="_blank"> Wendi Winters,</a><a href="http://www.capitalgazette.com/news/annapolis/bs-md-john-mcnamara-20180628-story.html" target="_blank"> John McNamara,</a> <a href="http://www.capitalgazette.com/news/annapolis/bs-md-gerald-fischman-20180628-story.html" target="_blank">Gerald Fischman,</a> and<a href="http://www.capitalgazette.com/news/annapolis/bs-md-ar-rebecca-smith-20180628-story.html" target="_blank"> Rebecca Smith​</a>. Click on each of their names to read more about these individuals as written by their former colleagues.</p></li><li><p>Ramos is in custody and has been charged with five counts of first-degree murder.</p></li><li><p>Ramos had a history of grievances with <em>The Capital Gazette, </em>including a defamation lawsuit that was dismissed in 2012.</p></li><li><p>ASIS International has made available <a href="https://www.asisonline.org/publications--resources/security-topics/active-shooter/" target="_blank">soft target and active shooter resources</a> for security professionals.<br></p></li><li><p><em>Security Management </em>will continue to update this post as more information is confirmed. </p></li></ul><h4>Shooting demonstrates vulnerabilities of run. hide. fight. response</h4><p><strong>UPDATE 5:00 p.m., June 29, 2018</strong></p><p><em>The Capital Gazette, </em><strong></strong><em></em>like many newsrooms and office spaces, has an entirely open floorplan, with glass windows all around the room, reporters working at desks in the middle, and half-walls along one side for editors' offices. </p><p><em>Security Management </em><em></em>spoke to two security experts about how organizations can take into account their office plans when conducting active shooter response training. </p><p>"Look at your workspace from a survival capability," says Kevin Doss, CPP, PSP, CEO at Level 4 Security. "If it was all open space, there are very few places to hide."</p><p><a href="/Pages/Newsroom%20Shooting%20Demonstrates%20Vulnerabilities%20Of%20Run%20Hide%20Fight%20Response.aspx" target="_blank">Read the full article here.​​</a></p><h4>More details emerge on shooting<br></h4><p><strong>UPDATE 1:40 p.m., June 29, 2018</strong><br></p><p>​Alleged gunman Jarrod W. Ramos <a href="https://www.nytimes.com/2018/06/29/us/capital-gazette-shooting-suspect.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=second-column-region&region=top-news&WT.nav=top-news" target="_blank">appeared in court this morning </a>via a livestream feed where he was ordered held while facing five charges of first-degree murder. Ramos has not entered a plea.<br></p><p>Ramos was identified late Thursday night using a facial recognition system after a fingerprint identification system took too long to analyze the results.</p><p>In a press conference after Ramos's court appearance, Anne Arundel County state's attorney, Wes Adams, shared additional information about the incident. <em>The New York Times</em> reports that Adams told reporters that the gunman barricaded the back door to the newsroom to prevent people from fleeing. One of the victims attempted to escape through that door.</p><h4>5:08 p.m. UPDATe</h4><p>​​The suspected shooter that was taken into custody is not cooperating with officials,<a href="https://www.cnn.com/us/live-news/maryland-newspaper-shooting/index.html" target="_blank"> according to CNN</a>. The shooter was found with no ID or identifying information on him. Five people were killed, and several are gravely wounded after the shooter opened fire with a shotgun. Police arrived at the newsroom about 60 seconds after the shooting began, according to CNN sources, and were able to interrupt the shooter and end the massacre. Law enforcement is also present at the <em>​Baltimore Sun </em>out of precaution, although there have been no direct threats to that newsroom. </p><p>Maryland Governor Larry Hogan and President Donald Trump have responded to the shooting, praising law enforcement response and offered thoughts and prayers to the victims and their families. ​</p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read e1222d2a-afdc-4e2c-a8f7-1ff4e09536e3" id="div_e1222d2a-afdc-4e2c-a8f7-1ff4e09536e3"></div><div id="vid_e1222d2a-afdc-4e2c-a8f7-1ff4e09536e3" style="display:none;"></div></div>​<div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 43a3148d-bc79-465e-8037-53827cef6f79" id="div_43a3148d-bc79-465e-8037-53827cef6f79"></div><div id="vid_43a3148d-bc79-465e-8037-53827cef6f79" style="display:none;"></div></div>​​<h4></h4><h4>​</h4><h4>4:45 p.m. Update</h4><p>Anne Arundel County executive Steve Schuh announces that several people were killed in the shooting. "Those fatalities are so sad and I don't know what to say except our thoughts and prayers are with them and their families and we take comfort knowing they're in God's embrace," he said.</p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read e6ac6c4d-dfe4-48d8-a2b3-3d7ca8dc837a" id="div_e6ac6c4d-dfe4-48d8-a2b3-3d7ca8dc837a"></div><div id="vid_e6ac6c4d-dfe4-48d8-a2b3-3d7ca8dc837a" style="display:none;"></div></div><p>​​​</p><div></div><div></div><h4>Original Story</h4><p>Multiple people were killed in a shooting at the Capital Gazette newsroom in Annapolis, Maryland this afternoon. Anne Arundel police responded to the shooting, and one person has been taken into custody. The Bureau of Alcohol, Tobacco, Firearms and Explosives also responded to the incident. The building is being searched and officials are evacuating employees and reuniting them with their families. The number of casualties is unclear, but Capital Gazette crime reporter Phil Davis tweeted that he was in the newsroom when a single gunman shot through the glass door to the office and at multiple employees. He said he heard the gunman reload his weapon in the middle of the attack, and also reports that some of his colleagues are dead.<a href="http://www.baltimoresun.com/news/maryland/crime/bs-md-gazette-shooting-20180628-story.html" target="_blank"> In an additional interview with<em> ​The Baltimore Sun</em>, Davis said he and his colleagues were still hiding under their desks when the gunman stopped firing, at which point police were able to arrest him. “I don’t know why. I don’t know why he stopped,” Davis told the Sun.​</a></p><p>​</p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read e9178eb8-7f08-475c-8745-24330260f40f" id="div_e9178eb8-7f08-475c-8745-24330260f40f"></div><div id="vid_e9178eb8-7f08-475c-8745-24330260f40f" style="display:none;"></div></div>​<p>​<em>The Balitmore Sun</em> reports that Anne Arundel County police spokesman Lt. Ryan Frashure would not confirm the number of injuries or fatalities until the building is secured. A spokesperson for the University of Maryland Medical Center <a href="https://www.cnn.com/us/live-news/maryland-newspaper-shooting/index.html" target="_blank">told CNN</a> that one patient was taken to the hospital. ​</p>
https://sm.asisonline.org/Pages/VIDEO-Charleston-International-Airport-Modernizes-Security-with-Pivot3.aspxVideo: Charleston International Airport Modernizes Security with Pivot3GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p> </p><p> </p><p> </p><p>Charleston International Airport is the second-fastest growing airport in the United States, with passenger counts jumping 70 percent since 2010. The airport recently completed a $200 million upgrade to its terminal to modernize and meet increased passenger demand. Along with this modernization, it wanted to invest in a new state of the art IT system to support operational efficiencies, including for its security, surveillance, and access control systems. That’s when it turned to the Hyperconverged Infrastructure solution from Pivot3. <em>Security Management</em>'s Holly Gilbert Stowell interviews Ira Campbell, director of IT and security at CHS.​​​  ​</p>
https://sm.asisonline.org/Pages/How-the-“Artificial-Intelligence-of-Things”-is-Transforming-Video-Security.aspxHow the “Artificial Intelligence of Things” is Transforming Video SecurityGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>The creation of the Internet is rightfully seen as revolutionary for its wholesale transformation of how we use and share information around the world. Many now look to the Internet of Things (IoT) in a similar way. That's because—as a vast cyber-scape of data from electronic sensors and other machine-generated sources —the IoT is now indexing our world with unprecedented granularity for remarkable new levels of visibility, efficiency, and decision support. </p><p>IoT includes everything from environmental gauges and telemetry from industrial machines, to wearable fitness monitors and inventory sensors on grocery shelves. Impressive as these and other examples may be, however, the IoT is best understood less as a revolution in and of itself—and more as a transition toward an even greater revolution that we call the Artificial Intelligence of Things, or AIoT. </p><p>Indeed, this article will propose that AIoT—the infusion of AI and machine learning throughout the IoT ecosystem for new levels of automation and performance—is a revolution on a par with the Internet itself or the sequencing of the human genome. In short, that AIoT is a paradigm shift where digital capabilities develop a kind of consciousness; where intelligent systems distributed across the IoT become self-learning and self-decisioning. Against this backdrop, the article will examine how AIoT is redefining what's possible for video security.<br></p><p><strong>AI and Machine Learning </strong></p><p>In the nearly two decades since the term "Internet of Things" was coined, sensors, actuators and networked intelligence have made their way into every corner of society—from homes and cities to industry, energy exploration and environmental monitoring. It's no surprise, then, that <a href="https://www.gartner.com/newsroom/id/3482617">Gartner</a> forecasts IoT growth at some 26 billion units, more than $300 billion in revenue and $1.9 trillion in global economic value by 2020. By the following year, Gartner <a href="https://www.gartner.com/newsroom/id/3482617">predicts that new IoT devices will be sold</a> at a rate of one million every hour. As another measure, ID​C shows sensor signals from embedded systems—a major IoT component—<a href="https://www.emc.com/leadership/digital-universe/2014iview/internet-of-things.htm">will make up 10 percent of the entire digital universe</a> by the end of the decade. </p><p>The progress is nonstop, with eye-popping innovation examples from the early days (such as chip-enabled light bulbs for remote activation) quickly becoming eclipsed by more advanced IoT applications (such as modern, smart LED street lights networked together to let municipal managers see, hear, and sense conditions across an entire city).</p><p>Especially at scale, IoT-driven efficiency ​gains of even one-percent can have major impacts over time—big data generated by planes can save $30 billion worth of jet fuel over 15 years, for example, according to a<a href="https://www.ge.com/reports/big-data-industrial-internet-can-help-southwest-save-100-million-fuel/" target="_blank"> March 2015 report by GE. ​</a></p><p>However, the vast majority of IoT applications remain focused on gathering data and decision support. What if the vast IoT network could be leveraged for more than that? What if advances in machine learning and AI could be overlaid onto the IoT for distributed systems that become more predictive, self-learning and even self-decisioning? That's the definition of AIoT, and it's already happening to some extent today. </p><p>For example, the global engineering giant <a href="https://www.oreilly.com/ideas/how-trains-are-becoming-data-driven">Siemens</a> employs an intelligent sensor network embedded in locomotive engines that can anticipate and predict a part failure before it happens. Machine learning helps identify false positives and give a clear prediction of actual part failures. All of this happens in real time and at scale (the sensor data from just one fleet of trains can fill 100 billion lines of code). Reliability is such that the system allows one rail line between Barcelona and Madrid to offer full refunds to any traveler delayed more than 15 minutes. </p><p>Sharp has also developed an <a href="https://asia.nikkei.com/Business/Companies/Sharp-eyes-steep-increase-in-smart-appliance-sales-in-Japan">AIoT augmented kitchen</a> that talks and consults with users about preferred cooking methods, and educates itself by learning a family's preferred cooking routines and food preferences. Neither of these examples would be possible just with AI or just with IoT alone. It's when the intelligence and self-learning of AI is combined with the connectivity and sensory power of IoT that the transformational capabilities of AIoT emerge. These and other advances in AIoT are tailor-made for some of the most daunting challenges faced by the security industry. </p><p><strong>The Challenge of Scale </strong></p><p>More than anything, the security video sector is suffering from a crisis of scale, as an avalanche of content outpaces the human ability to monitor all the data. Unfortunately, the gold standard of one screen to one person is a fantasy for most cost-conscious security centers. And in fast moving environments like casinos or nightclubs, a person can reach cognitive overload at just five screens. Against those human limitations is the exploding growth of data: Today, more than billions of hours of security video are recorded each day. The stark reality is that much of that footage is essentially ignored until something – some disaster or accident – occurs.  </p><p>The IoT has made various "intelligent video systems" possible, but the vast majority of such systems aren't intelligent enough to contend with the deluge of data or get proactive enough to make a difference. Visual recognition, for instance, is a constant struggle. Part of the problem involves the complex and data-rich nature of security video. To get a sense of this, just convert the amount of information a human processes visually into digital terms. <a href="http://discovermagazine.com/1993/jun/thevisionthingma227" target="_blank">About 30 percent of cortex neurons in the brain are devoted to visual processing</a> (compared with eight percent for touch and just three percent for hearing), according to<em> Discover Magazin</em>e. When you consider how any security video system must approximate this level of performance, you begin to understand the challenge.  </p><p>Particularly troublesome are the false alarms that might be triggered by something as simple as blowing wind or a camera tremor. Unfortunately, as a decision support tool for operators, these limited IoT-driven systems trigger so many false alarms that the most frequent decision made by the operator is to simply turn the system off. </p><p>Thankfully, just as AIoT and machine learning minimized the false alarms for Siemens, AIoT can weed out false alarms and add nuanced understanding to both real-time and historical video security. It's just one of many advantages AIoT can bring to our industry through the ability to learn from experience and constantly improve performance with little to no human intervention.</p><p><strong>Self-Learning AIoT Systems</strong></p><p>Let's take a closer look at AIoT and how it can address some of the video security sector's toughest challenges. Given how humans quickly get overloaded watching multiple screens, AIoT can give a much-needed assist – detecting accurately, and in real time, suspicious activity like unauthorized entry, physical violence, loitering and wall-scaling.</p><p>AI derives its power from algorithms and processes that replicate human intelligence, judgment and learning; and perhaps the greatest AI approach is machine learning. Machine learning techniques can be applied to secuirty video through what's known as a convolutional neural network ("CNN") involving advanced deep learning algorithms that work with learning cameras to handle object detection, image classification, visual tracking and action recognition.</p><p>The most simple CNNs are good at answering straightforward yes-or-no questions, i.e., "Is there a person in the video?" But advanced machine learning can take the analysis even further, identifying everything in the photo and creating probability maps about behaviors. Such probability maps are what power advanced video capabilities like human intrusion alerts, fight detection, object recognition and people-counting.</p><p>Assuming IoT infrastructure, graphics, and cloud capabilities are powerful enough, machine learning can analyze large amounts of visual information to learn from examples, programmed configurations and historical data. This self-learning happens as the computer examines many examples of behavior and builds models to identify those behaviors more accurately and quickly in the future. </p><p>As new examples and data come in, the system gets better at recognizing nuances in those behaviors. Those nuances may come in the form of discerning a false alarm from a real threat (a cat scaling the wall instead of a cat burglar, for example). They can also improve established security video capabilities. For instance, consider object detection: Most commercial systems today are fairly adept at detecting objects at a fairly close range of 20 feet. But what about at longer distances, say 150 feet away? If one has data from the highest resolution camera available, long-range object detection is made easier by applying machine learning to that data to pick out appearance and movement subtleties. </p><p>As another example, machine learning can apply experience and context to identify specific behaviors with remarkable accuracy. Consider the fight detection function mentioned earlier: It's one thing for a security video system to detect aggressive behavior in an otherwise sedate setting, such as a disruptive person at a church service or seated concert. But what if one is monitoring the mosh pit of a punk rock concert? How can you distinguish the dancing from something truly destructive or dangerous? AIoT and the right machine learning capabilities could make all the difference in such situations. </p><p><strong>The Future of AIoT</strong><br></p><p>The previous examples illustrate how AIoT can revolutionize video security performance to operate more proactively at scale. But whatever the AIoT application may be, success relies on several important factors:<br> <br><strong><em>Data quantity and quality</em></strong> are crucial. Machine learning models rely on the quantity and quality of the data flowing into them in order to deliver the fastest and most accurate performance. It helps if the system is optimized—from camera to cloud—for compatibility, so that performance isn't affected by confusing anomalies and differences in a stream, image size, or other parameter that might negatively impact performance. <br><em> </em><br><strong><em>Processing power</em></strong> is another important ingredient. Consider the example of self-driving cars: Even if the key systems of perception, prediction and motion planning for autonomous drive are well-designed, processing power can make the difference between the car being able to drive itself at five miles per hour versus 50 miles per hour. Similarly, AIoT detection of events in real-time and at scale relies on high-speed processing systems that can support that level of performance. Indeed, processing power is often the difference between a proof of concept in a research lab and commercially available systems for use in the real world.<br><br><strong> <em>Workforce expertise</em></strong> is a third ingredient to consider; and finding the right people to design and operate AIoT systems may be harder than you think. Some estimates put the number of people with adequate AI skills and training at less than <a href="https://www.bloomberg.com/news/articles/2018-02-07/just-how-shallow-is-the-artificial-intelligence-talent-pool" target="_blank">10,000 worldwide</a>, according to startup Element AI Inc. That means top talent will be in high-demand.  <br><br><strong><em>Connectivity between capabilities</em></strong>, systems and databases will have a transformative effect on what can be achieved in security video systems with AIoT. We mentioned object detection earlier. Imagine that object is a man, and imagine that your system is able to detect that person from far away. Now imagine connecting that image with facial recognition systems, which then could be tied to a missing persons database. You begin to see how AIoT-driven security video might be a life-saving, real-time tool to thwart an abduction.  <br><br>The above examples demonstrate that AIoT is more than just one capability or innovation. It is instead the result of numerous innovations and resources that—taken together—are the building blocks for powerful systems that will transform the security video industry. It's also clear that AIoT security video is more than just a cost-saving measure to augment what humans can do. Instead, the technology is advancing our industry and will continue to unlock new capabilities and use cases that the world has yet to imagine. <br><br><em>Shawn Guan is CEO of Umbo Computer Vision. ​</em></p>
https://sm.asisonline.org/Pages/CUATRO-DESAFÍOS-PARA-LA-SEGURIDAD-DE-LA-AVIACIÓN.aspxCuatro Desafíos Para La Seguridad de La AviaciónGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<em style="text-align:justify;">Anthony McGinty, CPP, es un Analista Senior de Inteligencia en CSRA Inc, contratado por el Aeropuerto Internacional de Los Angeles. Es un miembro del Consejo de ASIS sobre Terrorismo Global, Inestabilidad Política y Crimen Internacional.</em></p><p style="text-align:justify;"><strong>1. Aeropuertos como ciudades. </strong>Los problemas tradicionales de las ciudades están encontrando su camino hacia los aeropuertos: la indigencia, los problemas mentales, el abuso de drogas, los delitos menores y complejos, y la desobediencia civil. Para las agencias de seguridad y policiales, el desafío es llevar a cabo las labores del primer respondiente al mismo tiempo que se identifican amenazas de grandes consecuencias para las operaciones de aviación. Ambas funciones requieren de conjuntos de habilidades específicos y diferenciados. Los directores de seguridad tienen que balancear activos, personal y operaciones para mitigar los riesgos tanto de disturbios públicos como para la seguridad nacional.</p><p style="text-align:justify;"><strong>2. Terrorismo internacional. </strong>La aviación comercial se mantendrá como un objetivo atractivo para grupos militantes y extremistas. El lado público de los aeropuertos, bordeando la revisión de seguridad, es vulnerable a un surtido de ataques terroristas, incluyendo tiroteos indiscriminados, equipaje conteniendo explosivos, drones hechos armas, y embestimientos con vehículos. Miles de militantes técnicamente competentes e ideológicamente motivados que están retirándose del califato en caída del ISIS podrían reagruparse bajo nuevas banderas, unirse a afiliados de Al Qaeda, o actuar de forma independiente.</p><p style="text-align:justify;"><strong>3. Perturbaciones en vuelo. </strong>Semanalmente, los informes de los medios y videos de Internet exhiben las más recientes atrocidades dentro de las cabinas de las aeronaves: riñas, diatribas influidas por el alcohol, agresiones sexuales, y resistencia a las instrucciones de los auxiliares de vuelo. Esta tendencia de disputas y violencia durante vuelos a 30.000 pies (10.000 metros) de altura es potencialmente peligrosa. De no alcanzar con colocar un agente de seguridad a bordo, las soluciones pueden incluir cambios institucionales en la relación entre la tripulación y los pasajeros. Por ejemplo, algunas instancias de tráfico de personas utilizando aerolíneas comerciales son tan comunes que ahora las tripulaciones están siendo entrenadas para identificar los indicadores y actuar. Éste es un ejemplo más del cambio de rol de la tripulación, de facilitadores de la comodidad a responsables del cumplimiento de las normas y leyes.</p><p style="text-align:justify;"><strong>4. Amenazas Internas. </strong>Los grupos terroristas podrían enlistar empleados aeropuertarios para eludir las revisiones de seguridad, especialmente empleados con acceso directo a las aeronaves. Algunos empleados también han contrabandeado drogas, armas, y otros elementos. Con tan sólo un empleado radicalizado o descontento ya se puede cometer un acto que lleve a un incidente catastrófico, lo que hace que lidiar con las amenazas internas sea una prioridad. Los aeropuertos y las aerolíneas están implementando sus propias estrategias para mitigar estas amenazas. Mayormente, este esfuerzo ha involucrado investigaciones de seguridad para todos los empleados, o algunos grupos selectos, previas al ingreso a zonas restringidas. La tecnología también puede ser de apoyo en estos esfuerzos. Las nuevas capacidades analíticas embebidas en los sistemas de video y control de accesos ahora pueden proveer una herramienta sofisticada de vigilancia. Asimismo, las políticas propias con rigurosos esfuerzos internos de "Si ves algo, dí algo" son esenciales.</p><p style="text-align:justify;"><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Managemen<em>t is not responsible for errors in translation. Readers can refer to the</em><a href="/Pages/Employee-Theft.aspx" target="_blank"><em> </em></a><a href="/Pages/Four-Challenges-Facing-Aviation-Security.aspx" target="_blank"><em>original English version here​.</em></a>​<br></p>
https://sm.asisonline.org/Pages/June-2018-ASIS-News.aspxJune 2018 ASIS NewsGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​GSX Program Unveiled</h4><p>In April, ASIS revealed a jampacked education lineup for Global Security Exchange (GSX), formerly the ASIS International Annual Seminar and Exhibits. Featuring a record 300-plus sessions led by subject matter experts from ASIS, InfraGard, and Information Systems Security Association (ISSA), the education covers the most pressing issues facing security professionals today. </p><p>The learning covers a diverse range of topics from "Security for Events and Mass Gatherings" and "Digital Data in the Age of Breaches and Theft" to "Selling Security Requirements to the C-Suite." </p><p>Building on the exciting changes launched in 2017, the sessions will be delivered in more modern formats including immersive small group workshops, deep dives, and simulation formats, as well as traditional lectures and panels.</p><p>"With the different tracks GSX offers, it allows you to really hone in on the areas you're interested in," says longtime attendee Brian Reich, CPP, senior vice president and head of global security and investigations, TD Bank. "There are so many options and learning levels that it allows practitioners at every stage of their career to focus in on specific areas of interest and learn something new to better their organization. Combine that with walking around the show floor, and you have new insight into the products and services you're looking for."</p><p>The education continues beyond the classroom. In addition to Career Center and Impact Learning Sessions held directly on the show floor, the GSX exhibit hall doubles as a learning lab environment. Demonstrating innovation in action, more than 550 of the industry's leading solutions providers will showcase new and emerging technologies, such as immersive reality, machine learning, robotics, and drones. In addition, three interactive learning theaters will feature a series of fast-paced presentations that focus on the past (lessons learned), the present (threat analysis, best practices, and benchmarking), and the future (anticipating what's to come). </p><p>GSX takes place September 23-27 in Las Vegas, Nevada. Save up to $200 on the All-Access Pass when you register before June 29. For the complete list of sessions and to view registration packages, visit GSX.org.​</p><h4>WILL I SEE YOU THERE?</h4><p>A personal perspective on GSX18</p><p>By Jeffrey A. Slotnick, CPP, PSP</p><p>"Global Security Exchange (GSX) is coming soon to Las Vegas. Will I see you there?" An interesting question that I often receive from colleagues. I attended my first annual event in 2003 and I have not missed one since. "Why?" you might ask. What motivates me to make the financial investment to attend year after year?</p><p>Simply, it is the personal and professional relationships that continue to grow. It is the new products on the show floor, the great conversations as I travel from one event to the other, the keynote speakers who always motivate me to do better, and the fun! It's a lot of fun!</p><p>But let's take a deeper dive. I have made long-lasting friendships with colleagues from all over the world. I have come to know some of the most knowledgeable and influential people in the industry—who provide perspective from Africa, Central America, South America, the Middle East, and Europe. I do not need to know everything, I just need to know someone who knows what I need. At GSX, I get to confer with 20,000 or more colleagues. Many of these friendships have also led to business because we all want to do business with someone we know and trust.</p><p>I know the vendors of products I use and recommend for my clients. Some of my vendor contacts are relationships I first made in 2003 on the show floor or in a training session or coffee break, and they now work at the executive level in their organization. Now, if I need to know about a product or a new offering, I can simply call the person who is the subject matter expert on that product and receive direct information from design engineers, or even the company's vice president.</p><p>Fun! Did I mention fun? The President's Reception, professional lounges, Foundation activities, golfing, motorcycles, cigars with friends, vendor events, and, yes, the occasional adult beverage.</p><p>So, this is my personal perspective and why I continue to invest in GSX year after year. My budget does not allow me to attend every industry conference. I get the most out of my investment at GSX, from educational opportunities, vendor information, professional development, and friendships. I find it all in one place for five very intense days—and I always return motivated, optimistic, happy, and occasionally with a new project.</p><p>Please feel free to reach out to me on the ASIS Connects community platform to continue the conversation.​</p><h4>WHITE PAPERS</h4><p>Two councils published white papers in the first half of 2018—the Information Technology Security Council's Security on the Internet of Things: An ESRM Perspective and the Cultural Properties Council's Hostile Surveillance Detection for Houses of Worship.</p><p><strong>Internet of Things: An ESRM Perspective</strong></p><p>The idea behind the Internet of Things (IoT) is that we have come to expect our technology to be readily accessible from anywhere via any interface we choose. We want to start our cars from our phone, lock our front door from our computer, or turn on the crockpot from a tablet. To do that, all those devices must be able to communicate with us, with the outside world, and with each other.</p><p>According to the paper, the IoT brings a new level of mobile management to every aspect of consumer and business activities. However, it also provides convenient access for criminals who want to exploit those things. "More access points provide more opportunities for attackers to get in. More communication provides more online traffic to siphon information from. More control provides more ability to hijack that control."</p><p><strong>Surveillance Detection for Houses of Worship</strong></p><p>Terrorists often gather significant pieces of information from open sources such as Google Maps and social media postings. They collect a lot of data about their target of interest and eventually they will conduct physical surveillance. Physical surveillance allows them to study the location, focusing on how they will attack, how they will escape, when the attack will create the most devastation, and what form of attack will be most effective.</p><p>So, how do you know if someone is watching your facility?</p><p>This paper provides tips on what to look for and actionable steps to take to identify and counter surveillance detection of a facility. Although the practices are tailored to houses of worship, the document serves as a valuable guide for all facilities, especially soft targets, that are trying to understand, identify, and mitigate hostile surveillance.</p><p>Both white papers can be found on the ASIS website. Search "Understanding IoT" and "Hostile Surveillance."</p><h4>ASIS EUROPE 2018</h4><p>Rotterdam, The Netherlands, was the site of ASIS Europe 2018, held April 18-20. Themed "Blurred Boundaries—Clear Risks," the conference drew 775 registrants from 52 countries for two days of networking, exploring the exhibit floor, and sampling the 70 educational sessions that discussed issues facing security professionals today and tomorrow. </p><p>Attendees navigated a broad sweep of risks—from the malicious use of the latest emerging technologies to the dangers of low-tech attacks, particularly on soft targets in public spaces. Other topics included the human factor and the insider threat, and ever-present responsibilities like travel risk management and duty of care.</p><p>Two featured speakers—Tom Raftery, global vice president, futurist, and innovation evangelist at SAP, and Scott Klososky, founding partner at Future Point of View—examined the security landscape of our connected, digital future.</p><p>"Terms like Internet of Things and connected devices will soon disappear, because everything being connected will simply become the new normal," says Eduard Emde, CPP, ASIS Europe 2018 conference chair. "We heard that technology is very much the jugular vein of organizations, confirming that for security practitioners, the bottom line is that enterprise security risk management approaches—which cover the full sweep of human, cyber, and physical assets—are essential for supporting our organizations through partnerships and shared strategic objectives."</p><p>On the exhibit floor, innovations ranged from the latest integrated access control and surveillance technology to self-learning cyber defenses and mass communications platforms. Knowledge-driven solutions were also strongly represented, from intelligence and risk analysis to executive protection and workforce training programs.</p><p>ASIS Europe 2019 will take place in Rotterdam March 27-29, 2019. Visit www.asiseurope.org to learn more.</p><h4>CPP STUDY MANUAL</h4><p>ASIS has begun to develop a new study manual for the Certified Protection Professional® (CPP) exam. </p><p>The Society has received a significant amount of feedback relating to the recommended reading materials and the need for content organized in a way that better supports the certification domains. ASIS recognizes the need to address this gap and to provide security practitioners with the tools necessary to facilitate exam preparations and promote professional development and advancement. The project is led by volunteers and staff and launched in May with a call for experts. Stay tuned for updates in the coming months.</p><h4>ASIS TV</h4><p>ASIS is partnering with Chuck Harold of Security Guy Radio/TV to livestream interviews with ASIS members and industry thought leaders throughout 2018, expanding content delivered on ASIS TV via the ASIS Livestream channel. Harold will further showcase member expertise by representing ASIS at select industry tradeshows across the United States.</p><p>"Chuck Harold has decades of security experience and has built a reputation for helping security professionals across the globe make more informed decisions," says Ron Rosenbaum, ASIS chief global marketing and business development officer. "This partnership is an exciting step forward for ASIS as we diversify how we provide information and resources to the profession. These ASIS TV broadcasts offer expanded access to security best practices, engage new audiences, and ensure that industry professionals are able to stay ahead of the security curve."</p><p>In 2018, Harold will broadcast on behalf of ASIS TV from Black Hat USA this August and will conduct interviews from the ASIS booth at the IACP Conference. ASIS TV coverage at Global Security Exchange (GSX) will include livestreaming from the expo floor, key education sessions, and networking events throughout the week.</p><p>"This is a terrific opportunity to showcase the depth and breadth of our industry—the career paths, subject matter expertise, as well as the technical and service innovations that help protect our people, property and information assets," says Harold. "I am excited, honored, and proud to partner with ASIS, and look forward to engaging with the industry in this new capacity." </p><p>View security expert videos at asisonline.org/ASISTV.​</p><h4>ASIS LIFE MEMBERS</h4><p>ASIS congratulates Cheryl D. Elliott, CPP, PCI; James B. Princehorn, CPP; and Harvey M. Stevens, CPP, who have been granted lifetime membership to ASIS.</p><p>Elliott has been a dedicated member of ASIS and the Greater Atlanta Chapter for 20 years. She served on the Professional Certification Board for many of those years, and she is now a member of the Investigations Standards Committee.</p><p>Princehorn, an ASIS member for 28 years, is a member of the Fire and Life Safety Council. He also served the Rochester, New York Chapter as chapter chair and in other leadership positions. Princehorn has also volunteered as a regional vice president, assistant regional vice president, and member of the Awards Committee.</p><p>Stevens served ASIS many years as a member of the Physical Security Council. He spoke at 10 ASIS educational programs during his 32 years as an ASIS member and a member of the New York City Chapter. ​</p><p> </p><h4>Member Book Review</h4><p><em>Security Surveillance Centers: Design, Implementation, and Operation<br></em>By Anthony V. DiSalvatore, CPP, PCI, PSP. CRC Press; crcpress.com;<br>204 pages; $79.95.</p><p>Author Anthony V. DiSalvatore believes that the particular topic of surveillance centers has not gotten the attention it deserves. In<em> Security Surveillance Centers: Design, Implementation, and Operation</em>, he creates a complete resource on the subject in a compact, easy-to-understand format.</p><p>The author offers a history of security surveillance centers. In the beginning, they were usually divided into a security office proper and a monitoring room or dispatch center. For a variety of reasons, among them economics, safety issues, and synergy, they have largely become one. Two points of value emerge in combining them: the economics of avoiding redundancy in the security department and the opportunity for professional development of the monitoring employees, who are given more responsibility and feel more important to the team. </p><p>DiSalvatore lays out exactly what is required for a security surveillance center so that it can be budgeted for accordingly. Among these budget items are design, installation, operation, technology requirements, maintenance, and replacement. He further explains who should be included in the creation of a surveillance center, such as the IT department to not only help develop the system but to partner with security to improve efficiency and trust. </p><p>Besides the budget, the center's incorporation into the overall security plan is important. Various duties, such as key control, monitoring alarms, organizing patrols, and other routine tasks must be accounted for. Managers must prioritize procedures to include what to monitor and how, evacuations, and even fire command, depending on the size and scope of the center. The author winds down with the addition of chapters on ethics, legal issues, auditing of the center, training, and policy. A relevant checklist of potential duties involving a center, test questions, a glossary, and types of forms complete the work. </p><p>Educational, relevant, and easy to understand, this book is a worthwhile read for any mid- to upper-level security manager as well as those who work in security design. </p><p>Reviewer: William F. Eardley IV, M.L.S. (Master of Liberal Studies), has 31 years of experience in security and corrections. He is a member of ASIS International.</p>