More Headlines Survey on Active Shooter Preparation Opens<p>Everbridge, in conjunction with <em>Security Management</em> magazine, is conducting research to uncover trends in active shooter incident preparation. Specifically, the research will be used to:</p><ul><li><p>Assess trends in active shooter preparations across various businesses and sectors.</p></li><li><p>Benchmark organizational emergency communications capabilities.</p></li><li><p>Identify vulnerabilities in the level of preparedness for active shooter incidents.</p></li></ul><p>This joint research project provides a unique opportunity to leverage the knowledge and experience of <em>Security Management </em>readers, as well as others in the security field to provide a snapshot of trends and practice in this important security area. Only aggregate data will be reported; your participation in the 2018 Active Shooter Preparedness Survey is greatly appreciated. </p> Fraudster Down the Hall<p>Employees are stealing from their own companies, and they are taking much more than just paper clips and Post-it Notes. Occupational fraud—sometimes called internal fraud—is globally costing businesses the equivalent of billions of dollars annually, according to a new global report.</p><p>The methods used by the culprits vary. Some skim cash from the reserves or walk away with inventory. Some alter numbers on payroll checks. And some pull off various embezzlement schemes, such as reporting false expenses or changing financial statements. 
The one commonality is that it is the organization's own employees who are perpetrating the misdeeds. Sometimes they act in collusion with each other, and sometimes they act alone.  </p><p>The findings come from Report to the Nations, an extensive study issued in April by the Association of Certified Fraud Examiners (ACFE). The study looked at 2,690 cases of fraud spanning 23 industries in 125 countries between January 2016 and October 2017. It is the tenth edition of the report, which ACFE issues every two years. </p><p>All told, the 2,690 cases of fraud resulted in losses that exceeded $7.1 billion. But the "true global cost of fraud is likely magnitudes higher," the report's authors write. ACFE estimates that 5 percent of worldwide business revenue is lost to fraud, which would come out to roughly $4 trillion annually. </p><p>"It's safe to say the problem remains huge," says John Warren, vice president and general counsel of ACFE and one of the authors of the report. </p><p>Given the magnitude of the losses, it's not surprising that another report, this one focused on the United Kingdom and issued last year by Bottomline Technologies, finds that executive concern about internal fraud spiked in just one year's time. </p><p>In the Bottomline report, UK Business Payments Barometer 2017, the percentage of study respondents who cited internal fraud as something they were concerned about jumped from 13 percent in 2016 to 31 percent in 2017, "a staggering 138 percent relative year-on-year increase," the authors write.</p><p>"There appear to be heightened levels of apprehension amongst financial decisionmakers," according to the report. "Equally as concerning is that almost 60 percent of financial decisionmakers simply did not know whether they had been impacted by [internal] fraud or not."</p><p>Occupational fraud, experts say, is an egalitarian crime; the culprit is just as likely to be a top executive as an obscure low-level employee. 
</p><p>"A fraudster doesn't look like a fraudster," Warren explains. "They look like everybody else. It legitimately could be anyone. It's not the person who looks sketchy. It could be the person who comes over to your house for dinner on the weekend." </p><p>When a fraudster is caught, coworkers are frequently shocked.</p><p>Historically, occupational fraud has been looked at as an accounting problem—numbers that don't add up tip off company leaders that something is wrong, Warren says. But ACFE's report shows otherwise. </p><p>"Part of our message is that it's not really an accounting problem, it's a behavior problem," Warren says. </p><p>In every edition of the report, ACFE has surveyed 17 different "red flag" behavioral indicators that tend to be associated with fraudsters. "What's fascinating is, every time we do the study, the same six rank highest," Warren says. </p><p>Those six red flag behavioral indicators are: living beyond one's means, financial difficulties, unusually close association with a vendor or customer, control issues and an unwillingness to share duties, divorce or other family problems, and a "wheeler-dealer" attitude or cultivated self-image. In at least 85 percent of the cases examined in the report, the fraudster displayed at least one of these red flags; in 50 percent of cases, he or she displayed multiple red flags. </p><p>Both male and female fraudsters exhibit these behavioral indicators, but often in different proportions, experts say. </p><p>"Studies in the past have shown that male perpetrators were more likely to be the wheeler-dealer-living-beyond-their-means type, whereas the women found themselves in some sort of financial distress and decided this was their easiest, or only, path for relief," says Shannon Walker, a fraud expert who is founder and CEO of WhistleBlower Security Inc. </p><p>ACFE's report bears out Walker's view. 
For female fraudsters, the most common red flag by far is financial difficulties; it occurs in 40 percent of cases, compared with only 24 percent of cases for males. And for males, the wheeler-dealer red flag was present in 16 percent of cases, compared with only 6 percent of cases for females. </p><p>"It does look like there are differences in the reasons why women steal, as opposed to men," Warren says. In addition, on average women commit smaller frauds than men do; losses tend to be 80 to 100 percent greater with men, he adds.  </p><p>Experts also say that security efforts to prevent occupational fraud can benefit from an understanding of the motivations and conditions underlying the crimes. </p><p>"Very few wake up in the morning and decide to rob their organization," Walker says. "Many have pressures to perform at work, pressures at home, or are suffering from various addictions that inform their decisionmaking processes."</p><p>Warren uses the "fraud triangle" model to explain the three conditions that are often present in occupational fraud incidents. </p><p>First, the employee is under financial pressure. Second, he or she is given an opportunity to commit fraud, such as access to company resources. Third, the employee rationalizes the theft to him or herself. </p><p>"They may think, 'I was borrowing it, I was going to pay it back,'" Warren says. Or, employees may feel the company owes them because they deserved a promotion and never received it.  </p><p>And if employees are on the verge of stealing, poor internal controls can help push them over the edge, Walker explains. </p><p>"Certainly, lack of controls or oversight contribute to the opportunity for those at risk to take that first step and steal," she says. "Once that wedge has been crossed, it becomes much easier for the fraudster to escalate."</p><p>In fact, the ACFE study found that nearly half of frauds examined in the report occurred because of internal control weaknesses. 
</p><p>For organizations that want to strengthen internal controls, Walker recommends maintaining consistent employee background checks before hiring; ensuring that sensitive duties are entrusted to more than one employee; implementing spot audit programs and conducting random audits on particularly vulnerable areas; and training employees about fraud prevention and the red flags they should be aware of.  </p><p>The other key to occupational fraud prevention lies in organizational culture, experts say.</p><p>Here, the tone is set at the top, Warren says. Organizational managers who always act ethically and treat all employees respectfully are leading by example; employees will often follow suit. </p><p>"But if leadership is pushing the boundaries, and wading into that ethical grey area, people will take cues from that," Warren says.</p><p>Walker agrees and says that some organizational leaders are taking steps to preempt bad situations by openly supporting a company code of conduct and ethics. </p><p>"Complacency and lack of a strong tone from the top are two of the most key indicators as to whether you are at risk," she says. "When management is seen as unengaged, unappreciative or apathetic, it creates an opportunity for a fraudster or potential fraudster to strike."</p> in for Safety<p>A penny can go a long way. 
This concept that many small contributions add up to a big sum was the inspiration for a one-cent sales tax in Georgia, known as the Education Special Purpose Local Option Sales Tax (ESPLOST).</p><p>The public funding effort has helped further an environment of safety and security at local schools, says Mike Sholl, director of operations for the Catoosa County Public Schools.</p><p>Catoosa County Public Schools, made up of 17 elementary, middle, and high schools, plus a performance learning center, is currently in the fifth phase of the ESPLOST funding. Sholl explains that community members were polled on how they would like to see the public education dollars spent.</p><p>"We have townhall meetings and we do surveys, and the number one priority for parents is the safety of our schools," he tells Security Management. "So when we started ESPLOST V, that led us to implement all the safety initiatives we have." </p><p>Those initiatives include collaborating with local law enforcement to prepare for emergency response, and a variety of technological solutions to support security. "We have door buzzing systems, we've added cameras to our schools, so we've spent a lot of time and money on making our schools as safe as we possibly can," Sholl says.<img src="/ASIS%20SM%20Callout%20Images/0818%20CS%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:550px;" /></p><p>The local sheriff's office works closely with the district. There are plans to add live monitoring capabilities for police, allowing them to view events as they happen via campus cameras and provide dispatch. In addition, the district employs several school resource officers who either work full-time on a campus or divide their time among the schools. </p><p>Among Catoosa County's top concerns is the possibility of an active assailant situation at its schools. 
It wanted to be able to quickly notify law enforcement and provide teachers and students with the ability to quickly react, all while following policies and procedures. The district knew investing in this type of solution would aid in all types of hazardous situations, including medical emergencies, natural disasters, and other incidents. </p><p>At a regional school safety conference in 2015, Catoosa discovered SIELOX CLASS (crisis lockdown alert status system), a daily incident and crisis reporting tool. The district chose Tiger Creek Elementary, one of its 10 elementary schools, as its test case for the product, and installed it in early 2016.   </p><p>SIELOX CLASS operates via a Web or mobile interface that provides teachers or administrators with several customized options for sending different alerts, so it can be pulled up on any mobile device or computer. A dashboard with customized alerts allows teachers and administrators to perform a variety of tasks. Colored buttons make it easy to distinguish what type of incident is being reported, from a medical alert for the nurse's office to a 911 call in a life-threatening situation.  </p><p>"Our playgrounds are a good distance away from the school building. So—say a child gets injured on the playground, and could break a leg or an arm or hit his head or her head—that teacher can initiate the blue medical alert and get someone on the way out there," Sholl notes.</p><p>Teachers use CLASS daily for their morning check-in to let administrators know that they and their students are in the building. In the event of an incident, a chat box will pop up for all CLASS users where communication can take place. </p><p>"An important part of bringing in SIELOX was communication, and the ability to check-in," says David Beard, principal at Tiger Creek. "Each of the individual classrooms is represented by a different color and a different square, and we know the status of those rooms based on the color system that SIELOX uses." 
</p><p>CLASS also gives first responders and administrators a clear picture of where students and teachers are at any given moment. "If teachers leave the building or take students off campus, they will use SIELOX CLASS to let us know that they are no longer on the premises," says Braden Moreland, assistant principal at Ringgold Elementary, adding that it would help responders to know that they are not on campus in the event of an emergency. </p><p>The district also tied SIELOX CLASS to its cameras throughout the building, setting up an alert that would notify users of motion detection in a lockdown situation. </p><p>"We decided that we would like to use CLASS to detect motion in the building, so that if we did go into a hard lockdown there would be no traffic in the halls," Beard says. "If everybody else is locked down and out of the building, the sheriff's office has a good idea of where that perpetrator would be." </p><p>The district regularly conducts drills for all types of hazardous scenarios, including its dangerous situation protocol, known as "Run, Hide, Survive." With a panic button on the app, any teacher can initiate a lockdown at the school. </p><p>For enhanced situational awareness, the district incorporated camera views into the lockdown feature of CLASS. "The teacher gets the popup that says 'lockdown' and gets a bullet list of instructions on what to do, as well as two camera views of the hallway outside their classroom," Beard explains. "So, if he or she wants to do the run part of Run, Hide, Survive, he or she can see if there's any danger outside the doorway, and then make that decision to run with the children. So that's another layer we've added with SIELOX, and it works very well." </p><p> The district notes that, thankfully, no lockdown procedure has ever been necessary outside of a drill. However, an accidental activation of the lockdown feature by a receptionist at an elementary school proved the value of the product. 
</p><p>"She was trying to log out and she accidentally hit the lockdown icon, and of course I immediately received a text and I was on the phone calling the principal," Sholl says. "He went and found out that it was a false alarm, and within two minutes, the sheriff's deputy had pulled into the campus, because he had been notified and dispatched to that school." </p><p>The district plans to have SIELOX CLASS deployed at all 17 schools by the end of the 2017–2018 school year.</p><p>"CLASS provides a very quick response and gets the word out very quickly to lots of people," Sholl says. "The accidental lockdown just proved to us that it's very efficient and works how we want it to work." </p><p><em>For more information: Karen Evans, 856.861.4568.</em></p> Goals: Past Due<p>On May 15, 2018, the U.S. Department of Homeland Security (DHS) released its cybersecurity strategy for the next five years.</p><p>"The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," said DHS Secretary Kirstjen Nielsen in a statement on the strategy's release. "Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself."</p><p>Between 2006 and 2015, the number of cyber incidents on U.S. federal government systems that were reported to DHS increased more than tenfold—including the massive Office of Personnel Management breach that compromised the records of more than 4 million U.S. 
federal employees and affected 22 million people.</p><p>"The growing interconnection of cyber and physical systems within critical infrastructure also creates the potential risk for malicious cyber activity to result in direct physical consequences," according to DHS. "For example, the December 2015 overriding of controls in the Ukrainian electric grid resulted in widespread loss of power."</p><p>More recent incidents, such as WannaCry and NotPetya, have also demonstrated the threat of using the Internet of Things to conduct cyberattacks with far-reaching consequences.</p><p>Because of this, Nielsen said DHS is "rethinking its approach" to cybersecurity to confront systemic risks by issuing its strategy guide. The guide was a requirement under the National Defense Authorization Act of 2017 and lays out a five-part approach to manage national cyber risk: identifying risk, reducing vulnerability, reducing threat, mitigating consequences, and enabling cybersecurity outcomes.</p><p>"Through our efforts to accomplish seven identified goals across these five pillars, we work to ensure the availability of critical national functions and to foster efficiency, innovation, trustworthy communication, and economic prosperity in ways consistent with our national values and that protect privacy and civil liberties," DHS said.</p><p>To understand the cybersecurity landscape and its risks, and address vulnerabilities, threats, and consequences of DHS's cybersecurity activities, the department must first be able to identify risks. 
</p><p>The department's first goal in this pillar of its strategy is to assess cybersecurity risks so it understands the "evolving national cybersecurity risk posture to inform and prioritize risk management activities," according to the strategy.</p><p>To do this, DHS said it plans to work with stakeholders—sector-specific agencies, nonfederal cybersecurity firms, and others—to understand trends in threats, vulnerabilities, interdependencies, and potential consequences so the department can prioritize its activities and budget accordingly.</p><p>"DHS must also take stock of gaps in national analytic capabilities and risk management efforts to ensure a robust understanding of the effectiveness of cybersecurity efforts," the strategy explained. "We must anticipate the changes that future technological innovation will bring, ensure long-term preparedness, and prevent a 'failure of imagination.'"</p><p>As part of this goal, DHS has set specific objectives, including identifying evolving cybersecurity risks that affect economic security, public health, and national security; identifying and creating plans to address gaps in analytic capabilities; and developing plans and scenarios for future technology deployments that could be disruptive.</p><p>Another pillar of DHS's strategy is to reduce the vulnerability of U.S. federal agencies across the board. </p><p>"DHS leads the effort to secure the federal enterprise and must use all available mechanisms to ensure that every agency maintains an adequate level of cybersecurity, commensurate with its own risks and with those of the larger enterprise," according to the strategy.</p><p>To assist the rest of the U.S. federal government, DHS will work with the Office of Management and Budget (OMB) to address systemic risks and interdependencies between agencies. 
</p><p>"DHS must also support agency efforts to reduce their vulnerabilities to cyber threats by providing tailored capabilities, tools, and services to protect legacy systems, as well as cloud and shared infrastructure," the strategy explained. "Within its own systems, DHS must continue to adopt new technologies and serve as a model for other agencies in the implementation of cybersecurity best practices."</p><p>As part of this pillar, DHS laid out sub-objectives to more clearly define how it will achieve this goal. These include developing and implementing a clear governance model for U.S. federal cybersecurity; issuing new or revised policies and recommendations to ensure adequate cybersecurity across the enterprise; and providing agencies with integrated and operationally relevant information necessary to understand and manage their cyber risk.</p><p>One example of this in action prior to the release of the strategy was DHS's binding operational directive 18-01, which required U.S. federal agencies to increase their email and Web security. Specifically, DHS mandated that agencies implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) for their email systems. (See "Spoofing the CEO," Security Management, October 2016.)</p><p>Another goal of this pillar of the strategy is to protect critical infrastructure by partnering with stakeholders to ensure national cybersecurity risks are managed. This partnership is key because a majority of the critical infrastructure in the United States is owned and operated by the private sector.</p><p>"DHS must partner with key stakeholders, including sector specific agencies and the private sector, to drive better cybersecurity by promoting the development and adoption of best practices and international standards, by providing services like risk assessments and other technical offerings, and by improving engagement efforts to advance cybersecurity risk management efforts," the strategy stated. 
</p><p>An example of this in action was DHS's response to the 2017 WannaCry ransomware attack. During the attack, DHS's National Protection and Programs Directorate partnered with other agencies and the private sector to help U.S. hospitals—a major target of WannaCry—ensure their systems were not vulnerable to the malware. It also released an unclassified technical alert to help defenders defeat the malware and prevent its spread.</p><p>In addition to reducing vulnerability, DHS's strategy also outlines a goal to reduce threats in cyberspace overall. </p><p>"In partnership with other law enforcement agencies, DHS must prevent cyber crime and disrupt criminals and criminal organizations who use cyberspace to carry out their illicit activities and leverage identified threat activity and trends to inform national risk management efforts," the strategy explained.</p><p>To do this, DHS will create investigative priorities related to illicit cyber activity, identify and conduct high-impact investigations of cybercrimes by transnational criminal organizations, disrupt online marketplaces for malicious cyber activity, and develop options to disrupt, counter, and deter transnational criminal organizations.</p><p>The final portions of the DHS strategy are to mitigate consequences and enable cybersecurity outcomes. </p><p>With the rise of cybercrime and illicit cyberactivity, DHS must have a role in limiting the impact of significant cyber incidents, the department said. </p><p>"Many cyber incidents do not require a national response," the strategy explained. "But when they do, DHS plays a unique role in responding to cyber incidents to mitigate potential consequences by providing technical assistance to affected entities and other assets that are at risk and investigating the underlying crimes."</p><p>DHS took this role, for example, in July 2017 when the U.S. 
Secret Service—part of DHS—worked with international law enforcement to arrest a Russian national who allegedly operated BTC-e.</p><p>"From 2011 to 2017, BTC-e is alleged with facilitating over $4 billion worth of Bitcoin transactions worldwide for cyber criminals engaging in computer hacking, identity theft, ransomware, public corruption, and narcotics distribution," DHS said. "Researchers estimate approximately 95 percent of ransomware payments were laundered through BTC-e."</p><p>While the strategy is an important framework for the U.S. federal government, it has been met with criticism. </p><p>Ray DeMeo, chief operating officer of Virsec, says the DHS strategy is high-level and is missing an implementation plan.</p><p>"One of the document's guiding principles is to foster innovation and agility—this is a big ask, where existing time horizons must be reduced from years down to months," DeMeo says. "We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happening daily, if we are going to change the asymmetric nature of today's threat landscape."</p><p>DeMeo also says he will be looking for more information from DHS—a department with a domestic mandate—about how it intends to address cybersecurity globally.</p><p>"The reality is that a large portion of Internet crime is driven from the international Wild West, from areas with lax law enforcement or actional nation-state sponsorship," he explains. "This problem is as much diplomatic as it is technological."</p><p>Two of the most vocal critics have been U.S. Representative Bennie G. Thompson (D-MS), ranking member of the House Homeland Security Committee, and U.S. Representative Cedric L. 
Richmond (D-LA), ranking member of the Cybersecurity and Infrastructure Protection Subcommittee and author of the legislation that originally mandated the strategy.</p><p>In a joint statement, Thompson and Richmond said the strategy is overly focused on policies and procedures that DHS needs to develop further. </p><p>"It also fails to mention—at any point—one of the most pressing cybersecurity challenges of the moment: election security," they said. "The fact is, because of the department's failure to adhere to the statutorily-mandated deadline, it lost time and missed opportunities to make progress maturing its cybersecurity posture and capabilities."</p><p>The congressmen added that they hoped to see more information about how DHS plans to implement its strategy in another report, which is due to Congress by August 15, 2018.</p><p>"In particular, we expect it will provide greater detail on the roles and responsibilities that components will undertake, a description of any new authorities it needs to fulfill its mission to secure federal networks, as well as an explanation of what resources the department will need," Thompson and Richmond said.</p><p>As of <em>Security Management</em>'s press time, DHS had not submitted an implementation plan to Congress.</p> the Green Light<p>The current administration in the U.S. White House has raised concerns about the national security threat posed by the immigration system, which sparked a crackdown on foreigners residing both legally and illegally in the United States. An increase in arrests of illegal immigrants during U.S. 
President Donald Trump's first year in office, combined with the deadly fall 2017 truck attack in New York by an ISIS-inspired green card holder, raises questions about what it takes to live in the United States legally, and just how secure that process is.</p><p>A recent series of federal reports reveals that the process for granting permanent residence to foreign nationals—commonly known as issuing a green card—is inefficient and stuck in the 20th century. The largely paper-based application process is riddled with inaccurate information, and the time it takes for an application to be processed is more than twice the U.S. Department of Homeland Security's (DHS's) stated goal time.</p><p>U.S. Citizenship and Immigration Services (USCIS), which operates under DHS, oversees the processing of more than 50 types of foreign national benefits, including green cards. An April 2018 USCIS report documenting the issuance of green cards to legal immigrant workers sponsored by their employers paints a grim picture: immigrants from India with advanced degrees, for example, have a projected wait of 151 years to receive their green cards.<img src="/ASIS%20SM%20Callout%20Images/0818%20NS%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:352px;" /> </p><p>Not all waits for green cards are so long—several factors affect the quantity and frequency of green card dispersion, including the category of visa through which immigrants apply, their country of origin, their family, employment or education status, and more. According to a March 2018 DHS Office of the Inspector General (OIG) report, USCIS field offices have an average completion time of more than seven months. The department's goal completion time is four months, which is achieved in fewer than 3 percent of cases, according to the OIG report. 
</p><p>"Lawmakers, immigration advocates, and the public have raised concerns about how long USCIS takes to adjudicate green card applications," the OIG report notes.</p><p>In addition, USCIS posts inaccurate green card application completion times on its website, which causes confusion for applicants and within the department itself. The OIG report found that the calculated date of when a decision will be made on an application is already six weeks out of date once it is posted on the website because it takes time to collect internal data. </p><p>"The information is confusing, unhelpful, and makes it very difficult to determine how long applicants can realistically wait for a decision," the OIG report states.</p><p>The website can also skew a field office's perceived rate of productivity. If a field office's number of pending applications rises suddenly, it can move the calculated decision date backwards. </p><p>"This apparent lengthening in processing time may make a field office appear inefficient when the reality may be quite different," the report states.</p><p>One example cited involved the Reno, Nevada, field office, which on the USCIS website appeared to have slow processing times—but was actually completing applications more quickly than the national average. Due to the office's efficiency, USCIS shifted more applications from other offices to Reno, which caused the website processing time to spike and display an inaccurate calculation—for a while, Reno was shown to take an average of 518 days to complete applications, when it actually completed them in about 184 days. </p><p>The overall delay in processing applications may be a matter of perception as well, according to the OIG. Because the application process consistently takes twice as long as the USCIS goal time, the report states that it is unrealistic and should be reassessed. 
In efforts to meet the current goal processing time, the department has spent $42.5 million in a five-year span for inspection service officers to work overtime to clear the backlog.</p><p>"USCIS has used temporary staffing assignments and overtime to keep processing times low, but it currently takes, on average, more than twice the amount of time," the OIG report notes. "We believe USCIS is not meeting its 120-day goal because the goal itself is unrealistic given the complexity of adjudications and factors beyond USCIS' control that affect the timeline. A goal that does not reflect operational realities contributes to unmet customer expectations and reduces trust in USCIS."</p><p>The OIG wasn't the only federal entity to investigate the green card application process. In a 2017 report, the U.S. Government Accountability Office (GAO) investigated just what is taking so long when it comes to processing green card applications—and whether the system ensures the integrity of the immigration process.</p><p>USCIS has been trying since 2006 to transform its current paper-based system into an electronic one but has faced management and development challenges—GAO notes that over the last 10 years, it has made 30 recommendations to address weaknesses in the program, 18 of which USCIS has complied with.</p><p>The so-called transformation program to create a software platform to process green card applications has experienced "significant cost increases and schedule delays," GAO reports. The program's most recent baseline indicates that it will cost up to $3.1 billion and be fully deployed by March 2019—that's an increase of $1 billion and four years longer than previously thought. The program has been operating in breach—without a DHS-approved acquisition strategy and baseline due to exceeding a previous baseline—off and on since 2013. 
</p><p>"The program did not complete deployment of system functionality associated with its Citizenship line of business by its September 2016 deadline, resulting in another schedule breach," says Carol Harris, director of information technology acquisition management issues at GAO. "Since then, we have reported that the program remains in breach. Until the program re-baselines, it is unclear whether USCIS still intends to fully deploy by March 2019."</p><p>After the September 2016 breach, USCIS had planned to re-baseline the program in February 2017, but GAO reports that in December 2016, DHS leadership instructed the department to stop development on the project and instead develop a remediation plan. "DHS leadership elected to continue with the program's pause in new development following program reviews in March 2017, July 2017, and October 2017," GAO noted in a recent update. The program's office also underwent a reorganization in January 2017. When asked if the pause in development was due to the new White House administration, Harris says that GAO did not investigate or report on the reason for revising the remediation plan.</p><p>The continual delays in deploying a fully electronic application system are impacting the ability of USCIS to realize the cost savings and benefits of the eventual transformation, GAO notes. Currently, legacy systems must remain operational until the electronic system is fully deployed. Even in 2014, GAO notes, it cost USCIS an extra $71 million to maintain both systems. And a previous software system that the department spent eight years and $475 million to develop was decommissioned in 2016 due to its instability.</p><p>There are still serious questions about whether the new software—if or when it's fully deployed—will solve the department's backlog woes. 
GAO notes that by operating in breach status for so long and not addressing key practices for software development, USCIS risks deploying a system that does not meet its cost, schedule, or performance needs.</p><p>"It is more important than ever that USCIS consistently follow key practices associated with software development, systems integration and testing, and contract management and execute effective program oversight and governance," the GAO report states.</p><p>OIG notes that a larger percentage of foreign nationals may be subject to interviews in the future, further lengthening the amount of time it will take to complete the green card application process. That report recommended that USCIS update its website to more accurately reflect the length of the application process and to reassess the current goal of 120 days, and the department concurred, noting that it will monitor processing times over the next year and consider a new goal time. </p><p>"The integrity of the citizenship process depends on careful adjudication of green card applications," the OIG report states. "Given their responsibility and the consequences of their decisions, [information service officers] should continue to be given time to thoroughly vet applicants, especially if adjudicating green card applications becomes more complex."</p>
to Implement ESRM
<p>International Paper (IP) is one of the world's leading producers of fiber-based packaging, pulp, and paper. Headquartered in Memphis, Tennessee, IP employs approximately 52,000 people worldwide and has operations in more than 24 countries serving customers around the globe. 
</p><h4>The Challenge</h4><p>When IP's director of security announced his retirement, the IP team—Deon Vaughan, vice president, deputy general counsel, chief ethics and compliance officer; Casey Yanero, HR manager, corporate staff groups; and Jennifer Carsley, director, legal operations—recognized it was time to transform corporate security to an enterprise level function.  </p><p>The ever-changing threat landscape and IP's core values of "Safety, Ethics and Stewardship" underscored the need for IP to transition to a proactive security posture. To lead this transition, IP hired Art Fierro, CPP, in February 2017 to fill the newly created chief security officer (CSO) role.</p><h4>ESRM Solution</h4><p>Enterprise security risk management (ESRM) links security activities to an enterprise's mission and business goals through risk management methods. </p><p>The CSO's role in ESRM is to manage risks to enterprise people and assets in partnership with the business leaders. ESRM involves collaborating with business leaders on the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, and then implementing the strategy in line with accepted levels of business risk tolerance.</p><p>Fierro's background is rooted in ESRM in both the government (FBI) and the corporate space. To move IP from a traditional security organization to an ESRM enterprise model, Fierro conducted an extensive security analysis to identify where the organization excelled and where the data showed opportunities for improvement.  </p><p>The analysis included conversations across business groups and corporate partners. 
It served as the foundation for IP's ESRM strategy and helped create its vision statement: "To protect IP people, information, products, and the corporate brand in support of business objectives and enterprise success."</p><p>IP's new enterprise security strategy is grounded in the principles of security mitigation steps based on risk and using cost-benefit analysis to ensure a return on security investment. The strategy also aligned with IP business operations and is designed to help achieve business objectives—meaning security would not just be a cost center but also a business enabler.</p><h4>Partnerships</h4><p>Sharon Ryan, senior vice president, general counsel, and corporate secretary, embraced ESRM as IP's new enterprise security strategy, because the strategy was aligned with IP's core values and business strategy.  </p><p>"We recognize that by adopting the latest risk management strategies in enterprise security and bringing on experienced security professionals, not only are we helping protect our people and property, we are also reducing the risk of negative exposure related to our brand and reputation," she says. </p><p>Ryan supported the strategy by rebranding IP Corporate Security to Enterprise Security Management and creating three new positions reporting to Fierro and designed to address IP's enterprise risks: global threat manager, global physical security manager, and global investigations manager. 
The three functional roles cover the spectrum of enterprise risk and each has a deployment roadmap, which ties into the larger Enterprise Security Management global strategy.</p><p>Vaughan also supported the effort by endorsing a campaign for Enterprise Security Management to build partnerships across business lines, such as IP's Environmental Health and Safety (EHS) department, and to partner on initiatives to protect IP's employees—one of Enterprise Security Management's strategic objectives.</p><h4>Outcomes</h4><p> With the endorsement of ESRM at the leadership level, Fierro was able to work with partners to create a risk-based security program to focus security resources on identified risks. The program also provides the operating manual for vulnerability and risk assessments, so IP can make informed business decisions about its risk tolerance.</p><p>Enterprise Security Management created a new concept, a virtual operations center, which produces a global threat picture that helps it identify and address emerging global threats to IP employees and facilities. The virtual operations center is outsourced to leverage economies of scale, leading edge technology, and professional threat analysts and operators, while providing an excellent return on security spend.</p><p>Over the past year, Enterprise Security Management focused on a number of strategic initiatives. One is the geospatial traveler-tracking program for IP's traveling employees. </p><p>The program provides real-time mobile device GPS monitoring, on a voluntary basis, with a panic button for emergencies. The program is monitored  at all times by the virtual operations center.  </p><p>Another initiative is the corporate campus security capital improvement project. 
Enterprise Security Management is leading a security improvement project for IP's corporate headquarters based on ASIS International physical security standards and guidelines, as well as geographic risk demographics and the return on security spend. </p><p>Enterprise Security Management also launched its first national security guard force contract to consolidate and standardize guard force operations across certain U.S.-based facilities. The consolidated operations agreement helps ensure consistency and reduce cost.  </p><p>Enterprise Security Management is also working with EHS to add a security aspect to the current field assessment process to identify actual risk at IP's global locations. Assessment results will be used to develop security recommendations, including leveraging security technology.      </p><p>Additionally, Enterprise Security Management created a new active shooter response training program for employees. The training included Virginia Tech shooting survivor Kristina Anderson, who shared a survivor's perspective, as well as the Memphis Police Department, which provided training for employees on Run. Hide. Fight. The active shooter plan is also available on IP's internal website for employees to reference.</p><p>Working across business groups and with critical internal partners, Enterprise Security Management developed new crisis communications reporting, dissemination, and functional requirements that include mass communications features for a unified enterprise response to manmade or natural disasters.  </p><p><em><strong>Art Fierro, CPP,</strong> is CSO at International Paper. He formerly served as CEO of Ronin Option - Cyber; executive vice president at Resilient Integrated Systems; and vice president at 20th Century Fox Film Corporation. He is a member of ASIS International. 
</em></p>
Smarts
<p>In the hit 1999 movie The Matrix, people go about their daily lives unaware they are in a simulated, alternate reality being controlled by greater powers. In one scene, the main character Neo, played by Keanu Reeves, sees a black cat walk past a doorway. A few moments later, the same cat walks by again.</p><p>"Déjà vu," he says aloud. His comrades, who know they live in the Matrix, are disturbed by the claim and press him on what he saw. When he says he observed the same black cat walk by—twice—they spring into action, explaining that a déjà vu demarcates a glitch or change in their synthetic world.  </p><p>A similar concept exists in the field of countersurveillance, referred to as the déjà vu effect. While traveling in a foreign place, if the same person or vehicle appears twice, it is likely not a coincidence. Someone could be following the traveler, scoping him or her out as a potential target for crime. I learned to rely on this principle during my time as a CIA case officer, traveling to some of the most dangerous parts of the globe to collect intelligence. </p><p>However, one does not have to be in a war zone or third-world country to encounter threats. Much like the Matrix, even a seemingly normal setting can quickly turn upside down and require quick thinking. Simple observation of one's surroundings, like being on the lookout for the déjà vu effect, will greatly help solo travelers maintain their personal security. </p><p>Similar to a corporate travel security program that tracks executives or employees while on business, individuals can protect themselves by adopting a portable set of principles and concepts that they can take with them wherever they go. </p><p>There are three key concepts that must be in place for a personal travel security program to work. 
Just like a physical security or cybersecurity program at a large corporation, a personal travel security plan must first be effective to protect the individual. If a building has a fence that is not properly maintained or a camera system that is broken, the physical security program is considered ineffective. If someone relies on a personal security program that he or she cannot recall from memory and put into action, it will be unsuccessful. </p><p>The second aspect of a personal security program is the concept of risk. In enterprise security, there are assets, threats, vulnerabilities, and countermeasures. In personal security, the asset being protected is oneself. The threats are usually external to the traveler, but vulnerability—weakness—is a unique element of personal security risk. Vulnerabilities can exist both outside and within the individual. Understanding this unique aspect of personal security risk is crucial. The countermeasures to mitigate risk can be learned and taken with the traveler to stay safe.</p><p>The third element in a personal travel security program is timing. You make your own luck in personal security, and if your timing is off, it could make the difference between avoiding being kidnapped or sitting in captivity.</p><h4>Personal Security Principles</h4><p>Understanding these three concepts—effectiveness, risk, and timing—will allow the traveler to grasp the five foundational principles of the personal security program. These principles can be easily recalled from memory and applied in even the most stressful of circumstances. </p><p><strong>Preparation. </strong>The first and most important principle behind an effective personal security program is preparation. Effective preparation diminishes doubt and mitigates the fear of the unknown. Note that eliminating fear is never the goal. When harnessed properly, healthy fear can be helpful rather than harmful. 
Advance preparation also gives one the confidence of knowing that unexpected circumstances can be dealt with, no matter how little one knows the local language or culture.</p><p>Travelers should research the area they are traveling to and familiarize themselves with the location geographically. Use the Internet and other means before arriving, but also conduct a mental site survey once you arrive on-site. In the Middle East, for example, few streets have names. Take note of major landmarks, roadways, and other characteristics that stand out in case you may have to remember where you were at any point in time. </p><p>Planning in advance for potential physical and mental health needs is another element of preparation. It is best to be a "walking pharmacy," and travel with several drugs for common ailments and illnesses. If the traveler or a comrade should become ill, it can be a major handicap. </p><p>Mental health is often overlooked when preparing for a trip. Attempt to have your affairs in order before leaving home. There are three elements to "engineering" peace of mind: electronic communications and backup, enlisting a point-of-contact who can make decisions on your behalf, and duress plans—a way to discreetly convey you are in trouble. Having a will, bills paid, and accounts in order are also important. When relationships with loved ones, friends, or coworkers are at loose ends, it can truly eat away at a person who finds him or herself in captivity, or an otherwise distressing travel situation. </p><p>Packing light is advisable; bring only one carry-on bag so that arms and hands are as free as possible. Documentation and money are two key areas that should be taken care of in advance. Essential documents, including passport and any travel visas, as well as important credit cards, should be kept close to one's person and not put in checked luggage. </p><p>Normally, bringing roughly $300 to $500 in U.S. 
currency should suffice, but be sure to work out how much cash you may need over the course of the trip. Small U.S. bills are handy, and something of value that everyone recognizes—the U.S. dollar is often an acceptable form of currency in a pinch. The traveler should break down the total amount into $20 bills and divide that roughly in half between checked luggage and the important items to be carried on.</p><p>Small bills also allow the traveler to find and pay cash for personal transportation upon arriving at the destination. When you do not have the luxury of prearranged travel by a corporate security program, choosing your own transport on-site is critical, versus having it solicited or having someone else choose it. </p><p>In some high-risk locales, drivers for hire typically wait outside airports, bus stations, and train stations, and are on call. It is advisable to be deliberate and maintain control of how you choose transportation. Look first for kiosks with taxis for hire or hotels with shuttle transport. If none are available, ask an airline representative what transport can be trusted. The last resort is to look for marked taxis outside and choose one—do not let it be chosen for you.</p><p> Keeping and maintaining the element of unpredictability is important to your security. If the driver you hire is reliable, it is worthwhile to keep the same driver to take you from place to place throughout the duration of your trip. This allows you to build a relationship with that person and have someone you trust to get you around the area. </p><p><strong>Detection.</strong> The second principle to a personal security program is detection. It's imperative for the traveler not just to see what is around him or her, but to observe it. Observing is intelligent detection and keeps you in the present moment. </p><p>Such skills can be important in preventing crimes such as pickpocketing. Travelers who are preoccupied, even mentally, make themselves a vulnerable target. 
Take off the ear buds or headphones, stay alert, and keep your mental focus on the here and now. </p><p>London's Piccadilly Circus, for example, is an infamous place for pickpockets. These crews target travelers who are distracted, whether it be window shopping, talking on cell phones, or sightseeing. Pickpockets work in teams, with one person designated to distract the victim, another to take the item, and a third to move it away from the crime scene. Someone on this team may have already scoped out where important effects are kept without the individual's awareness.</p><p>The déjà vu effect discussed earlier comes into play in the element of detection. If you are walking down the street toward an ATM, for example, and someone seems to be following or keeping pace with you, pay attention to that. Being aware of this allows you to assess it, and take proactive action. Most often, petty thieves move on to easier targets once they realize they have been spotted.   </p><p><strong>Deterrence.</strong> The third principle to an effective personal security program is deterrence. Deterrence is how you look and behave. Blending in with your environment helps eliminate the possibility that someone will see you as a target, but this is not just achieved by the clothes you wear. </p><p>While a subtle wardrobe is an essential element to maintaining personal security, so is a sense of confidence in the traveler's gait as he or she goes from point A to point B. </p><p>Keep smartphones and other valuable items tucked away in a bag. Be discreet when accessing them in a public place. Threat actors look for low-hanging fruit, so part of deterrence is making oneself appear less vulnerable to assault. The goal is to make it harder for the bad guys to go after the traveler in any way. </p><p>Deterrence can apply to the type of car you use when renting a vehicle. 
For example, while with the CIA and afterwards in the international consulting world, I took trips into Mexico, Yemen, Africa, and elsewhere in the developing world. I consistently looked for cars that were worn and unattractive. I drove through the first mud puddle I could find, and did not wash the vehicle over the course of the trip. The more dented and dirty, the better. It blends.  </p><p>The last two principles of a personal security program—delay and defense—are a last resort and should not come into play if the first three principles are aptly applied. The traveler should deploy the last two principles to survive and escape threats with as little harm as possible.</p><p><strong>Delay.</strong> The fourth element, delay, comes into play when you have been targeted, particularly on the street. Putting space between yourself and the threat buys you time—time to run, or time to prepare to defend yourself. </p><p>While traveling, I carry decoy items with me to create delay in a mugging situation. One is a throwaway wallet, stuffed with fake credit cards and petty cash sticking out of the sides. Tossing this to the threat creates enough time to get away without losing items of real value. I also wear a cheap watch that looks expensive. In Central America, I once used such a decoy watch to get away from a thief, who ended up with a cheap fake Rolex. </p><p>Carrying a whistle is also advisable, because it adds the element of surprise and draws attention to the scene—not normally an adversary's desire. With delay, one is creating distance between oneself and the threat. The greater the distance, the greater the chance of survival. </p><p><strong>Defense.</strong> The final principle is defense. What does the traveler do if his or her options are being mugged, injured, or killed—or fighting back? 
No matter a person's age or level of physical fitness, there are certain defensive tactics that can increase one's margin for survival and potentially limit the amount of harm done. Consulting a self-defense expert on tips and techniques, whether they are hand-to-hand combat, or firearms training, is certainly advisable. However, if the adversary has a weapon—particularly a firearm—it is wise to go along with his or her demands.</p><p><strong>Captivity.</strong> Should you be abducted, if you are able, make a scene—yell and scream as loud as possible. Doing so creates witnesses, which can help when a search is conducted. One former U.S. drug enforcement agent did just this while being kidnapped in Mexico, and witnesses helped police in the search that eventually led to his rescue. </p><p>In the rare circumstance that you are kidnapped, once you're physically controlled, stop struggling physically. The last thing you want is to go into captivity with a broken nose or broken bone. Part of a personal security program is staying alive, so be prepared for the possibility of this circumstance. Have one or two key phone numbers memorized, so that if you are unexpectedly released in an unfamiliar place you can make a call to someone who will answer. </p><p>Communicate with the captors and let them know if medication or other physical care is needed. Try to build a relationship with the people who are responsible for you so that they are inclined to hesitate before harming you. </p><p>Kidnaps for ransom have become increasingly commonplace in countries like Mexico and Colombia. Travelers should have a plan in place before leaving home for a lawyer or third party to help negotiate release. A loved one should not be responsible for negotiations, because they can bring too many emotions into the transaction.  
</p><p>One area where your family or loved ones can help is having a prepared list of "signs of life" questions for those aiding in the release or rescue: statements or facts that only you and that person know. These can be communicated by the captors to the loved one so that they know the person is, in fact, alive. Duress phrases, such as "make sure you water the garden" (when, in fact, you might not have a garden), that signal safety or distress without the captor's knowledge can be useful.</p><p>Finally, in a rescue operation, you should know that law enforcement or the military might not immediately recognize you as the victim. Let the operation unfold, keep low, and keep your hands visible so that you're not inadvertently harmed in the cross fire.  </p><p><strong>Skills for life. </strong>While working as a CIA officer abroad, I traveled and worked for decades without a badge or weapon and learned to bring the aforementioned skills to bear to keep myself and those for whom I was responsible safe. With or without the support of an executive protection program, traveling solo requires a person to rely primarily on himself or herself for basic security. </p><p>The five elements of a personal travel security program—preparation, detection, deterrence, delay, and defense—should be thought of as mental pegs. Take the details that go under each concept and hang them on those five pegs. Then you can quickly and effectively grab the tools needed in high-risk situations and environments. Internalizing these skills will help build good instincts, increase your awareness, and ultimately provide life-saving protection.</p><p><em><strong>Charles Goslin, CPP,</strong> Principal & Owner, CG Security Associates, LLC, is a retired CIA operations officer and veteran of U.S. Army Intelligence with 35 years of experience. He is a member of the ASIS International Houston Chapter and serves on the Book of the Year Award Committee. 
He is the author of the book Understanding Personal Security and Risk: A Guide for Business Travelers.</em></p>
Not-So-Easy Pieces
<p>Alignment is in. Many cities, municipalities, corporations, and school systems are taking steps to align their physical security systems so that security programs across locations will be fully integrated.</p><p>The benefits of such a move are numerous. Uniformity across systems makes it easier for end users, and converged systems are easier to manage from operation centers. Moreover, having only one system makes maintenance and upgrades easier, and this can help provide long-term stability. </p><p>But achieving alignment is no easy feat. Navigating a physical security installation across several facilities can be a difficult undertaking; often, such a project includes wrangling a mish-mash of individual products to get them to function under one cohesive system. Alternatively, some take the approach of completely redesigning the physical security system so that it reflects current best practice design standards. Both paths can be difficult.  </p><p>In addition, the potential pitfalls of attempting a unification project are numerous. What is the installation environment in each facility? Which key players need to be involved at each facility, and at what level of involvement? What type of network infrastructure must be in place to integrate the systems? </p><p>In hopes of avoiding pitfalls, many organizations will hire project managers and consultants to spearhead alignment projects. This type of management, however, is usually complex and unpredictable work. 
Thus, one of the most useful attributes a security practitioner can have is experience in project management.</p><p>Although there is no one roadmap for successful project completion, and despite all the caveats, most projects can be broken down into five stages. The main purpose of this article is to walk the reader through these stages, which experts sometimes refer to as "process groups." The five process groups are initiating, planning, executing, monitoring and controlling, and closing. For our purposes, the second process, planning, can be considered the design process, and the third process, executing, can be considered the installation process. </p><p>Although these stages will remain consistent, the role and scope of a project manager's responsibilities will change from project to project. And there may be many project managers on a single project: one for the design team, one representing the owner, one who serves as an installation project manager in the field, and others. Each will have different responsibilities.   </p><p>Primarily, this article is written from the point of view of the project manager who is outside of the organization and is hired by an owner to design and manage a project that will be installed by a third-party contractor, either through a public bid or the solicitation of proposals. Typically, this type of manager would be a consultant who works on a project-by-project basis with different teams and organizations, for the procurement and installation of a multi-facility physical security system.</p><p>However, the concepts and best practice guidance offered here could be applied to almost anyone involved with the management or supervision of physical security projects, whether that person is inside or outside the organization.</p><h4>Initiating</h4><p>As a project kicks off, the act of project management is often the act of discovery. 
The project may be ill-defined, just a blurry picture of the needs and goals of the project's owner. But an ill-defined project cannot be effectively managed, so it is often the project manager's task to focus the project with the owner into a clear and actionable roadmap.</p><p>For the project manager, one of the main goals of the initiating process is to get up to speed with the requirements, history, and expectations of the project. This includes understanding who the project stakeholders are and determining the project's requirements, constraints, and assumptions.  </p><p>Physical security projects can be sponsored by a range of departments in an organization, including security, facilities, IT, finance, and general management. But these departments may have different levels of familiarity with physical security systems, so the project manager must gain an understanding of how well the owner's team knows physical security. This understanding should then inform the project manager's general approach, including the process of assembling the design team. </p><p>This understanding can be gained during the meetings that take place during the initiating process. For example, the design or project management teams may be akin to experts—they will design and demonstrate how the systems work and function together and explain design best practices. In another project, the design team may merely be documenting the project for an owner who already has a strong grasp and understanding of physical security best practices and the needs of each facility. </p><p>Another key task of the initiating process is to learn the requirements and goals of the project. What is the general scope? What physical protection systems will be affected? Will this be a replacement project, or will it integrate with existing systems? Is there a deadline for installation completion? If grant money is involved, is there a deadline for spending funds? 
Each answer is part of the roadmap.</p><p>Once the initially hazy picture has come into focus, the project manager may take the next steps. These include developing a rough estimate of how many days will need to be spent in the field documenting existing conditions and systems, and how many designers should be hired to create design documents. Other decisions involve who will sit on the project stakeholder's team, whether the owner will require manufacturer demonstrations, and what a reasonable cost for the project looks like. </p><p>During this stage, the project manager may discover that the existing team of stakeholders is inadequate. In this case, the project manager should try to ensure that all decision makers are included, and that, if applicable, teams not directly associated with security are also represented, or at a minimum made aware of the project. Other stakeholders, for example, could include facility directors, senior management, service providers, IT teams, and grant funding representatives. If the project is for a municipal, city, or public organization, the owner may prefer to involve law enforcement in the early stages and throughout the process.</p><p>By the end of this first stage, all stakeholders should understand their roles within the project, what will be expected of them, and the type of work that will be performed on their systems or the facilities they manage. Accomplishing this early is important. It is never a good idea to inform an IT director of an IP video surveillance project a week before the network electronics are scheduled to be installed.​</p><h4>Design</h4><p>The greatest indicator of a well-executed project is a well-executed design process. The overall objective of this process is to create a complete set of project documents that a third-party contractor or integrator can then use to create a proposal or bid. 
</p><p>These documents, referred to collectively as the project manual, typically include plan drawings, wiring diagrams, and riser and elevation drawings. They also include specifications explaining the scope, the installation standards, the configurations of various systems, and other pertinent information. Front-end documents in the manual often describe the nature of the project and any general requirements that the bidding contractor must adhere to. </p><p>To create a thorough project manual, it is important for the project manager to assemble a qualified design team. Physical security projects can be derailed by subpar designs that do not consider each facet of each system's requirements. The design team must be able to accurately document the correct configuration requirements among systems; all installation best practices and requirements; the code requirements and testing parameters; and the closeout tasks such as training.</p><p>Once the design team is assembled, the project manager begins the process of creating progressively more detailed designs and reviewing them periodically with the owner. A good guide is to review the design documents at 50 percent completion, 75 percent, 98 percent, and 100 percent. At each review, it should be conveyed to the owner what was refined, changed, omitted, or added since the last review. </p><p>The overall cost and the installation schedule should also be reviewed at those junctures. Most likely, the project will have a specific budget and installation schedule that the design team must adhere to. At each design milestone, the project manager must ensure that the owner understands the budget and schedule. Any major design change should be reviewed with the owner.</p><p>If the project does not have a predetermined budget, the project manager should have a usable estimated cost range after project initiation. 
At the halfway point, an estimate within a few percentage points of the actual cost should be completed and reviewed with the owner. It is also important that the owner understands how any future requests will affect the budget and installation schedule. </p><p>Ideally, the project should leave 10 percent of the total budget in contingency to cover unforeseen costs. For example, for a project with a budget of $1 million, the design team should allocate up to $900,000 and leave $100,000 for contingencies. Aside from this practice, some projects also contain a management contingency designed to cover changes in project scope directed by management. However, this contingency may or may not be shared with the project manager, and it may not be included in the total project budget. </p><p>When it comes time to estimate individual costs, the environment and condition of existing facilities should be kept in mind. Areas likely to add surprise costs to the project should be reviewed. Take ceilings, for example. If the facility has open ceilings, will the low-voltage cabling need to be run in conduit? If so, how much cost will that add? Or, consider data closets. Is there adequate wall space to mount patch panels, switches, and servers? Is there wall space to mount security panels? Other areas that should be reviewed for cost impact include power requirements, configuration fees for integrating systems, and software fees for updating out-of-date systems, among other items.</p><p>Taken together, the overall goal of the planning and design process is to create a project manual that is fair to both the owner's need to attain the project goals and the contractor's need to correctly price the project. </p><p>Many potential headaches that could occur during the installation process can be mitigated by giving the contractor a realistic schedule for procurement and installation of the systems, and by ensuring that the project comes in at or under budget. 
This is done by informing the owner early and often of what the scope of the project will realistically require. All cost-saving measures should be considered during the design process when at all possible.</p><p>Throughout the design process, the project manager and design team should constantly ask themselves, "If I were a contractor, would I be able to properly price this project based on the project manual documents without adding change orders in the field?" Many projects are soured by an incomplete project manual that puts the contractor in the disadvantaged position of having to constantly submit change orders to correct their fee. </p><h4>Executing</h4><p>If the goals of the planning process were accomplished—including properly and completely documenting the physical security systems, their installation requirements, and all responsibilities required by the installation contractor—then the executing process should run relatively smoothly.</p><p>During the executing process, the contractor who was awarded the project proceeds with installing and testing the systems. Sometimes the project manager and design team stay on to manage the schedule and invoices, review the installation and test results, and generally ensure that the project is being installed to the quality standards documented in the project manual on behalf of the owner. </p><p>The relationships among designers, consultants, project managers, and contractors should be built on teamwork and based on the shared goal of providing the owner with a well-executed project and physical security system. 
The best projects are those where a mutual respect and a spirit of genuine collaboration are exhibited by all parties and where the project manager has the best interest of all parties in mind.</p><p>Although careful initial documentation of exactly what is expected of the installation will help avoid oversights and miscommunications, it is still prudent, and often mandatory, for the project manager to review and approve the work being completed. During this process, the manager's best strategy for ensuring that the project is executed well is to stay vigilant in correcting all possible holdups.</p><p>If the overall budget fails to capture all installation costs, change orders can occur during the installation process, after the project has been awarded to a contractor. A change order is a claim to a change in scope that usually comes with an associated cost. It is used by the contractor to seek fees for the change. Change orders can be owner directed or project directed, and they can be legitimate or illegitimate. </p><p>Here's an example of a legitimate, owner-directed change order. After a project manual went out to bid and the project was awarded to a contractor, the owner requested to add access control hardware to a door. This hardware was not included in the design, so the contractor was not allowed to give a cost associated with it. Seeking a fee to now include that door in the installation was a legitimate change order. </p><p>Here's an example of a legitimate project-directed change order. The contractor discovered that 100 feet of conduit was needed to mount a video surveillance camera in an open-ceiling mechanical space. 
The project manual did not clearly document that the contractor would need conduit at this location, so the contractor sought to submit a change order for the cost of procuring and installing the conduit.</p><p>Illegitimate change orders occur when a contractor seeks fees for a task or product that was clearly documented in the project manual and, therefore, should have been included in the proposal or bid. It should be noted that legitimate or illegitimate status will not determine if the change order will be accepted by the project. Change order acceptance or rejection is determined by the project manager, owner, and other applicable stakeholders.</p><p>One benchmark of success for the project is the number and scope of change orders. In other words, how close was the executed project to the agreed upon budget and original design?​</p><h4>Monitoring and Controlling</h4><p>If the project manager's responsibility is to review and sign off on the installation, it is best to do so early and often. The goal is to correct minor issues before they grow into major issues. </p><p>For example, let's assume a contractor completes a 200-door access control project across 20 different facilities, but does not properly secure the cabling above the ceiling grid as designed. The longer the project manager waits to get on site and review the work, the more difficult it will be to fix this mistake. If the cabling contractor is a subcontractor of the prime contractor and is finished with the scope of work, by the time the project manager is on site to review the work, it may be impossible to correct these mistakes.</p><p>The project manager should be on site to review, at a minimum, the first few devices that are installed to ensure that the installation is clean and to specification. Indeed, many contractors prefer this method of installation kickoff because it will ensure that the installation is on the right track. 
</p><p>Common installation mistakes found on physical security projects can include sloppy or exposed cabling to devices; installation of sensors, cameras, and other devices that are not plumb or properly secured; low-voltage cabling strung across the ceiling grid and not on cabling support; failure to firestop applicable penetrations; and poor cable management and cable terminations in the data closets and control panels, among other things.</p><p>All site visits, communications between owner and contractor, issuances of work that needs to be fixed, and approvals of work done correctly should always be formally documented and distributed to the entire team in field reports and punch lists. In turn, the contractor must document any corrections or installation requirements that are completed. </p><p>Requests for information from the field, product submittals, invoice submittals, and general project housekeeping should be reviewed and answered by the project manager in a timely manner to ensure that the project is not delayed due to lack of direction for the contractor or owner.  </p><p>Sometimes, the biggest roadblocks to completing a project on schedule are the tasks that must be completed by the owner. It is important that the project manager also manage this side of the project. He or she should inform the owner early and often when tasks will be due and should sometimes advise them on how they can be best completed. These tasks may include providing IP addresses for cameras, printing and issuing badges for new access control systems in time for system cutovers, providing configuration on network electronics if required, and configuring and relaying information related to VLANs, among other things. </p><p>Often, contractors are only allowed to invoice for work completed or for devices that were purchased and delivered to the facility. 
If the project manager is tasked with reviewing invoices, it should be easy to approve or reject fees based on work completed because the project manager has periodically seen and reviewed the work in person.</p><p>Most projects will require that the project hold a retainer against the contractor's fee until the project is 100 percent complete. This retainer is held until the end of the project, after all the installation and miscellaneous responsibilities of the contractor have been met. Each project may have specific requirements in terms of payment and proof of work for payment that should be reviewed and adhered to by all parties.  ​</p><h4>Closing</h4><p>The closing process can be initiated when 10 percent of the project is left to complete. Common tasks to be completed during the closeout process include administering training, delivering operation and maintenance manuals, final testing of systems, reviewing the system test results, reviewing cabling test results, and handing over the systems to the owner. </p><p>It is a good idea to start closeout tasks when the project is around 75 percent complete. However, getting the owner and relevant stakeholders together for training and close-out meetings can be a difficult task depending on their schedules. If the project is being completed in a school district, for example, training may need to wait for a professional development day, so it is best to book training as soon as the trainer is available. </p><p>Depending on the owner's level of expertise, it may also be beneficial to include additional training in the project manual two to six months after the project is handed over to the owner. This will allow the owner to schedule refresher training if desired. </p><p>Once the project manager and design team accept the final installation; all closeout deliverables are finalized; and all final fees, contingencies, and invoices are paid; the project is handed over to the owner and the project is considered complete. 
</p><p>Successful project completion requires improvisation, teamwork, thoroughness, and foresight. All are skills that are developed over time and through hands-on experience on projects of different sizes and types. The best project managers are those who learn from their mistakes, document their lessons learned, and share those insights with the project management and security management communities.  </p><p><em><strong>Nicholas D'Agostino, </strong>PSP, PMP, is a senior manager of system design for D'Agostino & Associates, a technology consulting firm. He has spearheaded multiple city-wide physical security upgrade projects throughout the Northeast. He can be reached at D'Agostino is a member of ASIS International.</em></p> Screening Minefield<p>Drug use by American workers is the highest it's been in more than a decade, and some companies and states are changing their preemployment screening processes to account for the shift. More than half of U.S. states have legalized the use of cannabis either medically or recreationally. This shift, combined with a strong economy that makes finding quality job candidates more challenging, is compelling some organizations to adapt.</p><h4>Nationwide Trends</h4><p>Quest Diagnostics, a leading provider of drug screening services, recently released its annual Drug Testing Index, an analysis of national workplace drug positivity trends derived from its lab analysis. Its 2017 statistics show that 4.2 percent of employees screened for drug use tested positive last year—the highest positivity rate in more than a decade. 
Rates of cocaine use among tested employees rose, as did methamphetamine use in the Midwest and South United States.</p><p>One statistic is sure to catch the attention of employers—the rate of employees testing positive for marijuana has continued a five-year increase, but increases were most striking in states that have legalized the recreational use of marijuana. This is true for both the general U.S. workforce, as well as the federally mandated, safety-sensitive workforce—rail, bus, and truck drivers; pilots; and workers in nuclear power plants, as mandated by the U.S. Department of Transportation (DOT). </p><p>"These increases are similar to the increases we observed after recreational marijuana use statutes were passed in Washington and Colorado," said Barry Sample, senior director of science and technology for Quest Diagnostics, in a statement. "While it is too early to tell if this is a trend, our data suggests that the recreational use of marijuana is spilling into the workforce, including among individuals most responsible for keeping our communities safe. We encourage policy analysts to track these trends closely to determine whether a correlation between the state legalization of marijuana and increased workforce drug use, as suggested by our data, bears out in other research."</p><p>As the legalization of medical and recreational cannabis continues to spread throughout the United States, it's becoming clear that the employment challenges it poses are not going away any time soon. In 2017, researchers saw a slight decline in testing for marijuana in the workplace—98.4 percent of tests screened for marijuana, compared to 99 percent in 2016. About 70 percent of drug tests in the workplace are for preemployment screening, according to Quest.</p><p>Several nationwide organizations have already taken steps to ease zero-tolerance policies, including AutoNation, Inc., which employs 26,000 people across the country. 
</p><p>Below is a selection of how employers across the country are adapting. Birnbaum explains. </p><h4>Nevada</h4><p>Recreational use of marijuana was legalized in late 2016, but the market was not launched until last July—and took off from there. Forbes reported that in just four months, Nevada sold $37.9 million in cannabis products—that's compared to the $22.56 million that Colorado made in the first four months of its legalization. </p><p>The popularity of recreational marijuana is reflected in the Drug Testing Index, which found a 43 percent jump in employees who tested positive for marijuana in the last six months of 2017 alone. That also includes a 39 percent increase in marijuana positivity in safety-sensitive workers. </p><p>And less than a year after Nevada residents could start legally buying marijuana, companies are responding. Caesars Entertainment Corporation—owner of Caesars Palace in Las Vegas—announced in May that it would no longer screen job candidates for marijuana use. The organization has stated that it was missing out on quality candidates due to "counterproductive" marijuana prescreening policies. The company will continue to prescreen safety-sensitive positions, as mandated by the DOT, and will test employees who are believed to be impaired at work. No other gaming employers have publicly altered their prescreening policies as of press time.</p><h4>Maine</h4><p>In 2017, citizens of Maine approved a new law that not only legalized recreational marijuana use but made it illegal for employers to prescreen job applicants for marijuana use. While retail shops aren't expected to open until next year, employers had to cease drug screening starting in February of this year. The law also states that employers cannot refuse to employ someone 21 or older who uses marijuana outside of the workplace. 
However, a previous mandate that employers could not discipline employees who tested positive for marijuana—because they may have used it outside of the workplace—was revised in May.</p><p>The law "does not affect the ability of employers to enact and enforce workplace policies restricting the use of marijuana by employees or to discipline employees who are under the influence of marijuana in the workplace." </p><p>Organizations that employ DOT-designated safety-sensitive workers—who, under federal law, must be tested for marijuana use—face a gray area in the contrasting state and federal laws. Those organizations are still federally required to drug test designated workers but are not exempt from the state's rules on punishing employees who use marijuana outside of work. So, if a job applicant or employee in a safety-sensitive position tests positive for marijuana use, Maine employers might not be able to take any adverse action against them, beyond stopping the employee from performing safety-sensitive functions. </p><p>The antidiscrimination law was revised in May and now allows employers to discipline workers who are under the influence of marijuana in the workplace in accordance with the employer's policy on marijuana. It remains to be seen whether Maine's conflicting nondiscrimination provisions will be enforced by the courts, or how the revised disciplinary rule will play out in the workplace.​</p><h4>New York</h4><p>While some employers may be quietly removing marijuana testing from their preemployment process, others may choose to enforce existing regulations more loosely. That appears to be the case with the New York Fire Department (FDNY), where reports have emerged that more than two dozen firefighters have returned to work after testing positive for drugs. 
The current FDNY manual describes a zero-tolerance policy, but more recently firefighters have been telling reporters that employees who fail a drug test are instead sent to an eight-week rehabilitation program and must acquire a dozen character references to rejoin the forces—albeit at a different firehouse.</p><h4>Rhode Island</h4> Organizational Health, Individual Wellness<p>The Texas Medical Center is the largest medical complex in the world. More than 60 institutions operate within its 2.1-square-mile footprint in Houston, including The University of Texas Health Science Center, which produces the most healthcare graduates in the state, and the MD Anderson Cancer Center, a joint academic institution and cancer treatment and research center.</p><p>It's up to the University of Texas Police at Houston (UTP-H) to protect the 25,000-plus employees, 5,000 students, and 135,000 patients treated annually at the two institutions and across multiple cities—a Texas-sized job that requires the efforts of sworn officers, public safety officers, and civilians. 
The unique organization, which combines police and security operations under the same umbrella, serves a disparate community of patients, teachers, students, and healthcare workers. And a few years ago, the need for the ability to adapt and respond to an increasingly complex threat profile became apparent to UTP-H leadership.</p><p>"Don't get me wrong—we really did a great job of responding and mitigating threats, but we were response-oriented," says UTP-H Chief of Police and Chief Security Officer William Adcox. "Frankly, we weren't able to take a systematic focus across the entire risk spectrum on an institutionwide basis."</p><p>To do so, UTP-H took inspiration from the industry it serves. "Prevention has always been a major tenet of healthcare, and we wanted to look at opportunities where we could contribute to the prevention piece within security," Adcox explains. "We saw the organizational value in shifting to looking at prevention, integration, and near-miss opportunities, to the point where we even looked at our traditional planning cycle and how we could become more agile and adaptive to the threats."</p><p>The department embarked on a three-year process to overhaul its operations to become a more adaptable, responsive force with a shared purpose of prevention, protection, and preparedness. </p><p>"We wanted to try and get upstream of harm—prevent incidents before they occur, and be prepared to deal with what is occurring," says Raymond Gerwitz, director of risk strategy and operational excellence at UTP-H. "We created a shared purpose around prevention, preparedness, and protection and are engaging everyone in the idea. It's no longer enough to protect and serve—we want to prevent too."</p><h4>Building an Operations Center</h4><p>When approaching the department's overhaul, leaders adopted a business state of mind. 
Most of UTP-H's senior leaders hold MBAs and have been trained in business principles, and Gerwitz says that mindset—an unusual one for security organizations—has gone a long way to inform the department's operational strategy.</p><p>"We ask, 'How can we operate more like a business rather than a security group?'" Gerwitz says. "We looked at the strategies of communities we serve, took those principles, and adapted them to our environment. You won't find many police departments or security groups that have a strategy map—it's not a thing they think about. We took that from corporate America and blended it into how we do things."</p><p>UTP-H began its overhaul with an internal value analysis that assessed operations at a day-to-day level to determine whether they aligned with the department's updated goals.</p><p>"We look at different groupings of employees, every single task that they perform—how much time does it take, and what resources, and why they do it. Because there's a law or regulation? Or because there's an organizational policy? Or because it's historically done? Or because there's an executive directive?" Adcox says. "You break it out and that gives you a good picture of your internal value analysis so that you can look at those tasks that you can effectively quit doing and see what bandwidth you can pick up."</p><p>One result of the analysis was the transition from a traditional police and security dispatch center into a more forward-facing risk operations center. </p><p>"In the call center's case, there were opportunities there to retire some misaligned tasks and insert new responsibilities that bring the value we're looking to provide to the organization," Gerwitz explains. "In essence it becomes a mathematical formula—I can retire tasks that are limited in value and repurpose the staff to increase value without adding headcount." </p><p>Adcox says that it is important for employees to have both security training and a business mindset. 
"We really started placing priority on identifying members of our organization and people we would be bringing in that had a business acumen and were able to help lead us in new directions," he says. "We've been fortunate and able to recruit capable individuals who bought into the vision. It all starts with your people, and that's what's critical. Getting the right people in the right roles and then ensuring that there's a shared purpose—that's how we approached it."</p><p>The new department structure includes five service lines—healthcare security, investigative services, police services, risk management, and threat management—which often work together to respond to an incident. </p><p>"For the longest time, the face of the department was police services—the individual who wore the uniform, but now we have these five major service lines—the groups that set us on this journey of prevention," Gerwitz explains. "A big part of being engaged is understanding everyone's contribution—everyone has a role to play, even if it's in the background."  </p><p>Gerwitz notes that the approach has paid off. Thanks to a combination of training and monitoring how calls are addressed, the percentage of calls handled by a single team member has increased. These percentages are tracked monthly and shared with staff, encouraging open conversations about how calls are managed and keeping team members engaged.​</p><h4>Data-Informed Operations</h4><p>The switch in response protocol illustrates how UTP-H is achieving its goal of predictive policing by focusing more on analyzing calls and encounters. Adcox says that previously, as in many organizations, analysts would log the data of the encounter but not use it.</p><p>"That was our response—we'd handle it, log it, and move on," Adcox says. "We didn't know the basis for the suspicious person—what's the story? 
Now, we analyze and take data that comes in from multiple calls and visualize the data, and that better informs our officers of any trends, repeat offenders, potential threats that were averted, and what to look for. We now have an extended prevention opportunity on behalf of the communities we serve."</p><p>For example, the operations center team is now encouraged to handle call loads on their own without passing them along to another section to streamline the process. </p><p>"If they take care of a call on their own, they receive credit from a performance perspective on that," Gerwitz says. "If they hand it off to someone else downstream, then they don't. We monitor the percentage of things they are doing on their own on behalf of the organization without handing it off, because that generates efficiencies for us. And it empowers that group to try to handle things without having to go to others to get it done."</p><p>If a call comes in about a suspicious person on campus, the operator can look at surveillance footage and recognize that person as an employee. Operators may reach out to that employee's manager and ask why that person is in that area, but they don't send a resource out to respond because they know it's an authorized person who is perhaps in that area for a reason. </p><p>Gerwitz emphasizes how data visualization informs all aspects of the combined protection model.</p><p>"How do we want to go about creating a new shared purpose and engage the shift towards prevention? Let's find data we need," Gerwitz says. "We know the narrative, so what's the data that supports it? Now we have that data, so we create visuals to enlighten our staff and get them engaged in what we're all trying to do. 
For a long time, this information was kept in databases and didn't resonate with our managers."​</p><h4>Shared Purpose</h4><p>Part of any organizational restructuring often includes developing a strategic plan, but once changes become the new normal it can be hard to measure whether operations are still true to that plan. Adcox and Gerwitz say the department constantly checks whether the department's efforts point to its guiding principles.</p><p>"Three years ago, when we started this process, strategic planning was viewed as a necessary evil," Gerwitz says. "There's this perception that our efforts were a waste of time because we wouldn't really use it. We had to change that mindset and educate everyone that some of what we're trying to do will be unrealized, some will be impacted by emergent needs, or executive mandates, or in response to particular threats. It's okay not to do everything as planned, but there is value in planning."</p><p>Data analysis and visualization play a big part in both sticking to the plan and adapting where needed. UTP-H does not shy away from recalibrating or retiring components in the department if they do not show added value. </p><p>"Putting all these things in place is good but validating and proving that they are providing value intended is the most significant piece," Gerwitz says. "How do you show people that you're doing the things you say? Or, if you need to, how do you recalibrate your organization to do something more valuable? In today's security field you have to adapt to threats coming, you can't lay back and rely on the same strategies. We don't spend a lot of time on traditional analysis. We let the current predict the future."</p><p>All calls, incidents, and interactions are meticulously documented in a robust, interactive database that can be accessed by employees and managers alike. 
In a demonstration, Gerwitz was able to assess all slip and fall incidents that occurred in May—27 instances—and in a few clicks could drill down and view when and where the incidents occurred, who was the responding officer, and the final outcome.</p><p>"To be able to see this type of detail is very powerful for supervisors and managers, we ask them to go in and conduct management by visualization," Gerwitz explains. "It's easy for them to see what's going on in their teams, and they can adapt their strategies based on what they're hearing from the outside—if there are lots of vehicle and pedestrian hazards in a certain area, they can look and see whether we're in those areas or we need to adapt our patrol tactics."</p><p>Near misses are of particular interest to the department, because they signal both a looming threat and an area where predictive policing can be used.</p><p>"We're almost fanatical about failure or near misses," Adcox explains. "We're not interested in numbers—how many doors we check that have to be secured, that kind of thing. What we are interested in are the doors that should have been secured that were found unsecured, or individuals in a certain part of the hospital who don't belong or are lost—those are near misses. We'll see how often that's occurring or if it's the same individuals. We have got to get in front of something happening."</p><p>UTP-H relies on metrics to inform its tactics and mitigate negative trends before they affect the community.</p><p>"It might be how we view and put together video feeds, or we might put together a specific covert operation or put cameras in certain areas," Adcox explains. "It might be working within a specific group of employees, asking them to watch for certain activity and report a certain way. 
It's very proactive."​</p><h4>Empowering Employees</h4><p>All employees have access to performance and value visualization tools in the spirit of transparency and to understand the operations of the entire department and the impact their teams have in keeping the institutions safe. Gerwitz says that most employees don't view the information every day, but they are alerted when new resources are added. There has been a lot of thought put into how the data is accessed—the department is on its second iteration of the visualization tool, he notes.</p><p>"It's now much more graphic and in line with how people want to consume information," Gerwitz says. </p><p>Managers will also put together visualization boards specific to their teams, and in the case of groups like security officers who aren't often in front of computers, they will print them off and review them during meetings.</p><p>"It has been helpful in allowing people to straightforwardly show their value," Gerwitz explains. "Before we put this in place, it was hard for people when they were stopped to tell me how your team benefits what we're trying to do—it was hard for them to articulate that in a way that made sense to people. This program makes it easy. I think that's the biggest benefit to the department—now managers are able to adapt and show value at any moment based on what teams are doing. From an organizational perspective, the feedback we get from senior executives who use these processes themselves brings a lot of credibility to our team."​</p><h4>Connecting with Communities</h4><p>Adcox has worked with UT Health and MD Anderson for 14 years and is aware of the challenges of protecting the esteemed educational and healthcare facilities. 
Part of UTP-H's transition included opening more dialogue between the department and the institutions to ensure they are working towards the same goals.</p><p>"We bring in leaders from the institutions and walk them through our process and spend time on things they value," Gerwitz says. "If we bring in the clinical team, we'll spend a lot more time on issues they deal with in the clinics and how we adapt our training, versus meeting with the finance folks, where we validate our programs and show value."</p><p>One example of partnership between UTP-H and the institutions it serves is the approach to people experiencing a mental crisis. Beyond developing a trusted response protocol, the UTP-H threat management team strives to work with the school and hospital to predict potential personnel issues before they come to fruition.  </p><p>"You bring all these pieces of information together, so they can present to you a real picture of what the situation is," Adcox explains. "You're able to get people help in advance of losing their jobs or harming themselves or someone else. It's been very effective, and we have progressive data and use data visualization to show that."</p><p>If an employee, patient, or visitor is actively in mental crisis, the threat management team is trained on how to respond and follow up. Gerwitz says that 98 percent of UTP-H responders are certified mental health officers due to the unique stresses of the joint education and healthcare environment—most other law enforcement departments in Texas provide less than 10 percent of their officers such training, he says.</p><p>"That employee in crisis will be assessed using tools we have been trained on to screen for the person's mental state," Gerwitz explains. "So, say on a scale of one to 10, I'm an eight—I'm in a bad place, and the responders apply a strategy to bring me down. 
Following that event, through peer review or interacting with me as they continue to monitor my status, they reassess me, and now I'm a five—they measure that delta."</p><p>The team has a calculated goal for an average reduction of the intervention score and, using data visualization tools, can track how successful different intervention methods are and adapt intervention tactics based on those statistics across a variety of populations. </p><p>"It's a team effort across the institutions—there are others participating in this effort, such as human resources, employee health programs, supervisors, and we can track who all handled each case and its outcome," Gerwitz explains.  </p><p>Being able to map out the outcomes of police interactions with people in crisis has been impactful in promoting relations between the institutions and UTP-H, Gerwitz adds. Of the 98 threat intervention cases he mapped out, only two resulted in arrest. This statistic goes a long way in garnering trust with hospital employees who might be wary of involving police in a mental crisis.</p><p> "For a long time while implementing this, we had to break down the walls of thought that if you call the police, someone is going to get arrested," Gerwitz says, adding that the outcome statistic was well received by clinicians. "To me, this is the more high-level analytical, value-driven style, compared to performance monitoring that goes on in typical security operations."</p><p>Adcox agrees, noting that such data illustrates UTP-H's thoughtful approach to conflict in such a sensitive environment.</p><p>"In our business, our whole approach is an organizational health, individual wellness method," Adcox says. "It is not in any way a prosecutorial or criminal justice approach. 
Because we have a police component, you have that extra tool in your toolbelt if you need to bring a situation under control."</p><h4>Partners in Business and Purpose</h4><p>Gerwitz says that another important culture shift has been thinking about the business success of the organizations UTP-H serves, not just its own success. </p><p> "Not only are these healthcare institutions and educators, they are also businesses," he says. "Part of the value we've been able to distill from all of this is that if you act like a business partner and are treated like a business partner, you can do better with your allocated resources and meeting the goals of the organization."</p><p>Adcox explains that UTP-H has assessed where its operations overlap with UT Health and MD Anderson and partners with them to share knowledge and training. In areas such as investigations and crisis training, the department can step in and share its own resources for the benefit of the entire organization.</p><p>"I cannot stress enough the importance of going into each of these places that perform these critical functions for these organizations and working with them," Adcox says. "Have a joint training, let us explain what we do and what our expertise is, and they'll teach you what's important to them, and then you have the trust factor and can start talking about how to integrate and help each other."</p><p>Since UTP-H is known for its high level of conflict resolution training, it has partnered with UT Health to train nursing students on handling people in mental crisis—everything from body language in the hospital room to handling a patient's family to deescalating conflict. Adcox says UTP-H also trains clinicians, physicians, and nurses working at the facilities in the same practices.</p><p>"We're able to bring that into play because of the expertise we've had to develop in being effective in our organization," Adcox says. 
"We also have an immersive simulation center so that you actually have practical, holistic experiences and not just the classroom. This technology is for the entire organization, not just us."</p><p>By aligning UTP-H with UT Health and MD Anderson's enterprise goals and overarching missions, the department is now seen as an equal and valuable partner—in business and protection alike.</p><p>"The struggle we have on the security and law enforcement side is that we're not accepted as legitimate business partners, we're a cost center that's a necessary evil," Gerwitz says. "You have to hold yourself to the same accountability and integrity and commitment to the organization as any other business unit. You're no different from the other teams working on behalf of the organization. This business approach is aimed at making sure we're being good stewards of the resources provided. When people believe you're doing that, they'll support you."  </p> to Analyze Trends in Executive Protection<p><em>Security Management </em>magazine, with partner Groundwork, has <a href="" target="_blank">commissioned a survey</a> to examine current trends and challenges in executive protection planning and practice. 
Specifically, the research will be used to:</p><ul style="list-style-type:disc;"><li><p>Offer a perspective on the current state of industry practice today</p></li><li><p>Identify common challenges and key success factors</p></li><li><p>Establish the context around the priority of C-suite protection</p></li><li><p>Begin to define best practices on how to capitalize on current trends and identify emerging risks</p></li></ul><p><em>Security Management </em>research remains a unique opportunity to leverage the strength and breadth of the ASIS International membership to the benefit of those members and the security of everything they protect.</p><p>The survey will take approximately eight minutes to complete. Only aggregate data will be reported and your participation will remain confidential. To participate in the survey, <a href="" target="_blank">click here.</a></p> The Future CSO<p>CSO roles are becoming more prevalent in corporations while evolving to address security challenges. Scott Klososky, founding partner of Future Point of View, shares how.</p><p><strong><em> Q. </em></strong><em>What do you think the CSO role will look like in five years? </em></p><p><strong>A. </strong>The CSO role will have complete responsibility for integrated security across physical, electronic, and cyber. CSOs will report directly to the board in many cases and will have a long list of specific dangers they are charged with preventing. They will be responsible for things like stopping employee theft of data, preventing employees from giving up passwords or compromising systems, and drone defense. They will be heavily involved in the organization's risk management system and will have a say in the insurance that is purchased to offset risk in specific threat areas. 
Another responsibility will be providing personal protection and intelligence in regard to travel for senior executives, board members, and their families. That will include social media scrubbing for the company, as well as for senior executives and board members.</p><p><strong><em>Q</em></strong><em>. What will the reporting structure to CSOs look like in the future?</em></p><p><strong>A.</strong> CSOs will have a VP of cyber, VP of physical, and VP of electronic security reporting to them. They will have specific people who are dedicated to the three different areas of security: the company, access control and surveillance systems, and cybersecurity. They will also be more closely aligned with HR because the human firewall is becoming such a problem. There is no way to protect an organization properly if the CSO does not have control over all aspects of security defense. Today, it is broken up across organizations and is too far removed from HR to be completely effective. The threats we are defending against will require this level of integration and collaboration.</p><p><strong><em>Q.</em></strong><em> Will the dynamic between security and the rest of the organization shift?</em></p><p><strong>A. </strong>To do security well, the CSO will have to develop strong collaboration with HR, IT, and operations. Then the CSO will have to participate in areas like risk and insurance. I see a future where a strong CSO is well-known and well-liked by all leadership. The CSO will be involved in lots of departmental meetings across the organization to determine new threat vectors and to build the relationships necessary to put up a solid defense. Today, CSOs can hide behind the scenes, and that needs to stop. They need to be out front with relationships across the organization, so they are looked at as a necessary element in the strategy of the organization.</p><p><strong><em>Q. </em></strong><em>What about smaller businesses and organizations? 
How will they keep pace with emerging security threats?</em></p><p><strong>A. </strong>There is only one real answer and that is to use contractors and vendors. Small and medium-sized organizations cannot pay for a full-time CSO in many cases, yet they need a smaller version of an integrated security model. They can rent the talent for a price they can afford by using local and regional security firms who are used to dealing with smaller clients. I suspect that security firms will build processes and systems to better handle these customers, so they are not left out in the cold.   </p> Returned<p>The fall of Raqqa, ISIS's last and most symbolic stronghold, to Syria last fall granted a moment of relief worldwide and to the forces that had spent years doggedly eradicating the extremist group from the region. ISIS's so-called caliphate—a physical manifestation of its jihadist tenets—had finally been vanquished, and many thousands of its fighters had been killed or captured. Those who were left retreated to pockets of Syria.</p><p>But along with the tactical victory came the threat that national security experts had been warning of for years: the return of foreign fighters—and their extremist beliefs and training—to their countries of origin. Some 38,000 foreigners from 120 countries traveled to Iraq and Syria during ISIS's reign to aid the group in achieving its goal of building a caliphate. An estimated 7,000 of those foreign terrorist fighters (FTFs) died on the battlefield, and almost 15,000 left the conflict zones. Of those who left, about a third have been imprisoned and almost half—more than 6,800 people—have returned home without entering the criminal justice system.</p><p>"The fate and location of a sizeable proportion of FTFs appears to be uncertain," notes a March United Nations (UN) report on returning fighters. 
"Identifying and locating these remaining FTFs remains a critical priority for the international community."</p><p>Another challenge is determining whether returnees are defectors from ISIS, are merely supporters who have nowhere to go, or were sent home to continue their work. </p><p>While foreign fighters have not returned to their countries of origin in large numbers, as expected, they continue to trickle in—travelers turning up at an embassy in Turkey claiming they have lost their passport and wishing to return home, or a young family with expertly forged documents that allowed them back into a country that might otherwise turn them away.</p><p>Countries must figure out how to address such situations, and the approaches taken vary considerably. The process so far has been strewn with pitfalls, from an inability to prosecute foreign fighters over a lack of evidence to differentiating between ISIS defectors and jihadists to reintegrating children that were brought to the war zone or were born there. Several wide-ranging studies are looking at the makeup of the foreign fighters and the challenges countries may face in accepting them back into their borders.</p><p>While there have been many waves of foreign fighters for different causes over the years, the current group of ISIS foreign fighters is larger, more global, and more diverse in terms of age, gender, and experience in conflict zones, according to the UN report. They are also "the most operationally experienced, lethally skilled, and highly networked group of FTFs to date," the report notes.</p><p>The actual threat of these returning fighters has not yet been realized, but the UN report notes that foreign fighters have been involved in European terrorist attacks from 2014 to 2017.</p><p>"Although only 18 percent of attackers were known FTFs, the attacks they carried out were among the most lethal," the report states. 
"Most foreign fighters do not prove a threat on return, but those who do are highly dangerous and have been involved in a substantial proportion of the domestic plots in the West."</p><p>Another report written by the nonprofit research organization Soufan Center acknowledges that there is a range of returnees, from those who were only briefly with ISIS and came home after realizing it was not what they expected to those who were dispatched to return home and continue their efforts. </p><p>"These trained terrorists are not so much returnees as fighters dispatched to operate outside the caliphate," the report states. Due to the difference in threats these two groups cause, they should be dealt with differently.</p><p>Defectors should undergo close psychological and police assessment. "Terrorism is as much emotional as ideological, and even those who returned disillusioned or revolted by what they saw, or simply mentally or physically exhausted, may over time look back on the caliphate more positively and blame outsiders for its failures," the Soufan Center report says.</p><p>A study of returned fighters by psychologists for the Homeland Security Affairs Journal encourages countries to look carefully into the motivations and vulnerabilities of those who traveled to join ISIS. </p><p>"It will be incumbent on Western states to find adequate ways of determining who among returnees is a security risk at present, who may become one in the future, specifically by returning their allegiance to this violent group, and who can be safely reintegrated into society for the long term," the journal article states. </p><p>Resorting to imprisoning the worst offenders—if not all returning fighters—may seem like the best option, but it could make matters worse. Prisons are known to encourage and spread jihadist ideals. 
But, if managed well, prison can be a place for rehabilitation—which is especially important because those charged with terrorist offenses in the European Union spend an average of five years behind bars. </p><p>"Prison, or the threat of it, also appears to be a major stressor driving some back into the arms of ISIS," the journal article explains. "There is a tension in all societies between repressive measures against those involved in terrorism and rehabilitative measures that may put society at increased risk."</p><p>"Prison authorities are divided on the merits of segregating prisoners convicted of terrorism from the general prison population as the risk that an extremist prisoner will exert malign influence on his fellows, rather than become deradicalized through their influence, depends on too many variables to be easily calculated," the Soufan Center report finds. "At the same time, if extremists are grouped together, their views are likely to harden and they will form close bonds."</p><p>In its report, the UN reminds countries that a hardline response to returning foreign fighters may not be the most effective—especially since former jihadis will continue to return to their countries of origin for years to come.</p><p>"Returning and relocating FTFs are likely to remain a significant long-term challenge, requiring Member States to balance repressive and 'soft' responses," the UN report notes. "Many states have struggled to secure criminal convictions for FTFs, while imprisonment may delay, but not necessarily reduce, the threat they pose."</p><p>Britain. Home to notorious foreign fighters including teenage runaways and Jihadi John—a now-deceased member of the murderous quartet dubbed the ISIS Beatles—Britain is dealing with the aftermath of some 850 citizens who traveled to join ISIS. 
The capture of two members of the ISIS Beatles, who were responsible for the beheading of 27 foreigners, illustrates the challenges the country faces in prosecuting its citizens for involvement in ISIS. </p><p>The two Brits were captured by the United States-backed Syrian Democratic Forces (SDF) in January and remain held in Syria, where they have been continuously interrogated by U.S. forces under an agreement with the SDF. The United Kingdom stripped the men of their citizenship—an increasingly common practice in Britain—leaving them in legal limbo. </p><p>This is not an isolated scenario—the United States is urging countries to take responsibility for the hundreds of foreign fighters held by the SDF, but most do not want to repatriate citizens-turned-jihadi fighters.</p><p>Nobody has made moves to bring a case against the two men due to a lack of evidence needed to convict them of war crimes. The British jihadis mocked the situation in a recent interview with CNN, noting that accusations of their involvement in dozens of murders for ISIS were merely allegations. "I am not a democratic person, but I am being subjected to democratic law," one of the men said in the interview. "So it is only right for those who claim to uphold this to fully uphold it."</p><p>Canada. With about 180 Canadian foreign fighters in Syria and Iraq—including 60 that have already returned—Canada has implemented programs aimed at monitoring and deradicalization. Prime Minister Justin Trudeau has stated that returning fighters will be prosecuted where evidence exists, but rehabilitation should take priority so they do not pose a longer-term threat to the public.</p><p>The Canada Centre for Community Engagement and Prevention of Violence is tasked with countering radicalization and violence at an individual level, but focuses on research and does not directly interact with radicalized people. 
Quebec's Centre for the Prevention of Radicalization Leading to Violence has conducted 199 interventions of jihadist radicals—however, it has not yet worked with returnees.</p><p>France. France had one of the larger contingents of foreign fighters, with more than 1,000 citizens journeying to Iraq and Syria to join ISIS. An estimated 300 were killed and about 250 have returned to France, where they have either been imprisoned or placed on house arrest. France has determined that any ISIS fighters captured by the SDF will not be repatriated and should face justice in Syria. </p><p>France's criminal division recently released a report on jihadi women based on the court hearings of returning French women. Although jihadist ideology states that women cannot fight, some testified that they were given operational roles in ISIS that included recruiting, policing, and enforcing punishment. </p><p>"Although several French women were forced into joining the Islamic State by their husbands, most of the female recruits interviewed on their return to France expressed an attachment to the jihadist project," French newspaper Le Monde reports the memo as saying. The discovery has caused France to rethink its approach to returning female fighters, changing its policy to automatically arrest female returnees and monitor them more closely. Of the 72 women who have returned to France, 26 have been indicted, 15 have been arrested awaiting trial, and six have been tried.</p><p>Reintegration efforts in France are faltering, and the country's first center for deradicalization of young people closed due to a lack of use.</p><p>United States. With fewer than 100 citizens successfully traveling to Iraq and Syria to join ISIS, the United States is dealing with the return of 12 foreign fighters—nine of whom have been arrested and charged with terrorism-related offenses, and three who have not yet faced criminal charges. Unlike many countries, the U.S. 
had an existing law against jihadist travel before the flood of foreign fighters journeyed to join ISIS. Under that law it has charged some 153 citizens who attempted to join ISIS or plotted ISIS-inspired schemes. </p><p>And a report by George Washington University's Program on Extremism notes that due to the difficulties of gathering evidence of a traveler's activities in Syria or Iraq that is admissible in a court of law, prosecutors often have to charge the returned fighters with lesser offenses.</p><p>"While the average prison sentence for individuals who attempted (but failed) to travel to Syria and Iraq is approximately 14 years, the seven successful travelers that have been convicted from 2011 to 2017 received an average sentence of 10 years in prison," the report states.</p><p>While deradicalization and reintegration resources have been reduced under U.S. President Donald Trump, the report notes that such programs will be necessary once the returned jihadists are released from prison. There are currently no deradicalization or rehabilitation programs for jihadist inmates in the U.S. federal prison system.</p><p>"Without these programs, incarcerated travelers have few incentives to renege on their beliefs and may attempt to build networks in prison or radicalize other prisoners," the report states. </p> on Delivery<p>The city of Austin, the warm and colorful Texas capital—known for its Tex-Mex cuisine, live music, and popular grassroots slogan "Keep Austin Weird"—was set completely on edge in March 2018 by an unusual and most unwelcome threat: a package bomber.</p><p>From March 2 through March 20, Mark Anthony Conditt perpetrated five bomb attacks before blowing himself up. In his first three attacks, Conditt dropped off a conventional-looking delivery package at each of three different residences in the city. 
All three packages contained pipe bombs that exploded when opened. The first two recipients were killed; the third was badly injured. These three doorstep bombs were followed by a tripwire bomb Conditt left on the side of a road. It injured two nearby pedestrians when it detonated.<img src="/ASIS%20SM%20Callout%20Images/0718%20NT%20Chart.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:225px;" /></p><p>But on March 20, the bomber changed his modus operandi (M.O.). He sent his next package through the Federal Express (FedEx) delivery system; it exploded on a conveyor belt at a FedEx facility in Schertz, Texas, a town outside of San Antonio. One employee was injured. About six hours after the Schertz explosion, Austin police received a call about another suspicious package at a FedEx facility in southeast Austin, not far from the airport. That package was disrupted by law enforcement, and no injuries were reported. A day later the bomber blew himself up inside his vehicle after he was pulled over by police, injuring one law enforcement officer in the process. </p><p>That switch in M.O. from dropping off bombs at houses and roads to shipping them is somewhat unusual for a bomber, says Fred Burton, an Austin-based chief security officer for Stratfor who followed the events closely.  </p><p>"The change seemed predicated on adjustments he made due to the news media coverage surrounding the events that were taking place. There was tremendous local and national news coverage, press conferences, and everything," Burton explains.</p><p>Had the bomber stuck to his original approach of doorstep bombing, he likely would have been able to wreak havoc for even longer than he did, Burton says. Instead, when he started using FedEx, his bombs entered an efficient, tightly tracked supply chain that leaves a lot of digital bread crumbs. "That was a big plus for the investigation," Burton explains. 
</p><p>The unsettling events in Austin also put a spotlight on the issue of postal and shipping security. Burton, who was a counterterrorism agent for the U.S. Department of State from 1985 to 1999, remembers the Pan Am Flight 103 bombing in 1988, where a suitcase bomb placed in the luggage cargo area of the plane exploded over Lockerbie, Scotland.</p><p>Since that incident, package security has improved by leaps and bounds, with vast improvements in screening device technology and explosive detection instruments, Burton explains. In the United States, the anthrax attacks of 2001 spurred many advances in postal security: "You have had so many drastic changes since the anthrax scare," Burton says. </p><p>Indeed, the anthrax episode did lead U.S. officials to beef up postal security. The U.S. Postal Inspection Service (USPIS), the security arm of the U.S. Postal Service (USPS), enhanced its Dangerous Mail Investigation program to deal with the threat. And since then, authorities have established the National Postal Model for the Delivery of Medical Countermeasures, a contingency program under which medical countermeasures can be delivered in case of a catastrophic event such as an anthrax attack. </p><p>Currently, packages sent through the U.S. mail face several layers of security, according to Pamela Cichon, CPP, a program manager and postal inspector with the Security and Crime Prevention Group at USPIS. "Postal employees are trained to identify suspicious parcels and are provided standard operating procedures to follow when they encounter a suspicious parcel," says Cichon. "Specially trained postal inspectors recognize the common characteristics of suspicious mail."</p><p>In addition, retail clerks ask customers questions about the contents of an item being mailed, Cichon explains. But beyond those generalities, the USPIS does not discuss specific operating procedures regarding suspicious packages. 
"We do not comment publicly on our security measures, in order to prevent attempts to compromise or minimize their effectiveness," she says.</p><p>Since the USPS is typically the final delivery point for UPS and FedEx packages, the agency has collaborative relationships with both services. "We collaborate on best practices and also work joint investigations," she explains. </p><p>Collaboration also occurs between U.S. federal postal authorities and law enforcement agencies, in cases of potential security breaches or fraud. For example, in March 2017, the FBI announced that it was conducting a joint investigation with the USPIS regarding packages that contained potential destructive devices which were sent to U.S. military sites.</p><p>Such collaborations are "not an uncommon event," Cichon says: "The Inspection Service conducts joint investigations with all federal and state law enforcement partners frequently. When the mail system or USPS employees are at risk or being used to further criminal activity, the Inspection Service responds and investigates."</p><p>But officials, postal workers, and law enforcement officers are not the only ones responsible for postal and package security, Burton says. Demand for services like Amazon has spiked, and this has led to a sharp increase in "the sheer volume of packages on any given day around the whole world, and the United States," he explains. "What the Austin bombing did is remind all of us in this business the importance of mail and package handling." </p><p>For the services that work with packages, having a well-trained workforce with sharp observational skills is critical. But consumers must also play their part. "If you come home from work and there's an unexpected package, be careful. Don't touch it unless you are expecting something," Burton advises. </p><p>It's best not to move the package, he adds. 
And the consumer should try to do a little due diligence through observation, and consider: Who is it specifically addressed to? Is the sender's name blank? What is on the return address?  </p><p>These tips may seem simple, but they can be a challenge to follow, because they work against a common human impulse: the enticing feeling of possibility, or delight, embodied by an anonymous package, which may contain an unexpected gift or something equally wonderful. "You want to see what's hidden behind Door Number Three," Burton says. "But you may not want to know."  </p><p>Another challenge is the diminishing situational awareness of contemporary life. "Most people are multitasking all the time, and they are not very aware of their surroundings," Burton says. So, they may be checking email messages on their smartphone while they absentmindedly pick up a package with one hand and drag it into the house.</p><p>"I think it boils down to common sense and situational awareness," Burton says. "Is that package addressed to you? If not, why are you opening it? There has to be a little common sense to security at times." </p><p>In that respect, the bombing episode held some valuable security lessons. But "the one fearful part," Burton explains, is that it could serve as an unwitting demonstration to a militant group like the Islamic State (ISIS) on how to create chaos: "I worry about the copycat terrorism ramifications." </p><p>And this concern stems in part from the fact that the Austin-based Burton felt firsthand the waves of fear that swept through the streets as the bomber remained at large for days on end. "Oh my gosh," he says, "it quasi-paralyzed the city." </p> to the Future<p>Since the end of the Cold War, the U.S. 
Department of Defense (DoD) has been attempting to realign and increase the efficiency of military agencies with its ongoing Base Realignment and Closure (BRAC) process. Hundreds of military installations have been closed in five separate BRAC rounds, which began in 1988.</p><p>The most recent realignment round, BRAC 2005, was a massive undertaking, the costliest and most complicated to date. In contrast to previous rounds, which focused on reducing infrastructure, the goals for BRAC 2005 included an ambitious transformation of military operations. More than a dozen major installations were scheduled for closure, including the Navy Supply Corps School, Fort Gillem, and Fort McPherson, all in the U.S. state of Georgia. </p><p>Although there has not been another round since 2005 (largely due to funding issues), the BRAC process will continue, officials say. And so, the U.S. Government Accountability Office (GAO) was asked by Congress to review DoD's performance during BRAC 2005, so that DoD could improve future BRAC rounds. </p><p>The report, Military Bases: DOD Should Address Challenges with Communication and Mission Changes to Improve Future Base Realignment and Closure Rounds, examines to what extent the DoD has measured the achievement of its BRAC 2005 goals, and whether DoD is in a good position to measure the goal achievement of any future BRAC rounds. It also examines whether DoD has yet implemented previous GAO recommendations on the BRAC process, which were aimed at addressing potential challenges to improving performance of future BRAC rounds.</p><p>The report's findings were somewhat disquieting. 
In general, DoD did not measure the achievement level of the BRAC 2005 goals of reducing excess military infrastructure, transforming operations, and promoting joint activities among the different departments.</p><p>"Air Force officials stated that they did not measure the achievement of goals but that it would have been helpful to have metrics to measure success, especially because DoD had requested from Congress another BRAC round," the report found.</p><p>U.S. Army, Navy, and Marine Corps officials also said that they did not track performance measures or otherwise measure BRAC 2005 goal achievement.</p><p>In response, DoD officials argued that the agency should not be required to measure the achievement of its BRAC goals, and so there are no current plans to do so. And officials from the Army, Navy, and Air Force all stated that, although they did not measure goal achievement, they did measure the savings produced as a result of BRAC 2005 moves.</p><p>Still, the GAO argued that measuring savings is not enough. "Measuring savings did not allow DoD to know whether it achieved the goal of reducing excess infrastructure," the report states.</p><p>The report makes a plea to Congress: require metrics to increase the chances of future BRAC success. "If Congress would like to increase its oversight for any future BRAC round, requiring DoD to identify appropriate measures of effectiveness and track achievement of its goals would provide it with improved visibility over the expected outcomes," the report says.</p> for Higher Standards<p>The cannabis industry is full of contradictions. Although more than half of the United States has legalized—and therefore legitimized—some form of cannabis commerce and usage, it remains illegal under federal law.
The drug's stringent controlled substance label prevents it from being researched, and banks take a risk if they accept money from cannabis companies.</p><p>The industry's strict state-by-state regulations mix policy, political influence, and borrowed best practices to create detailed rules that vary vastly by location and can be difficult to interpret and implement, and a lack of overarching guidance can leave organizations vulnerable. </p><p>And where the security industry falls into all of this—with its reliance on metrics, experience, and best practices—is still being explored. The challenge of protecting a product that just years ago was considered criminal cannot be ignored. And, as each U.S. state implements different regulations that are enforced by different entities, it's difficult to compare notes with other security practitioners trying to navigate the nascent industry.​</p><h4>A Growing Industry</h4><p>Tim Sutton, CPP, was working as a senior systems engineer for a security integrator in 2013 when his company received a call from someone who was going to apply for a cultivation center permit. Medical cannabis legalization in Illinois was going into effect at the start of 2014, and the caller needed someone to write a security plan—one that would set the standard for cultivation center security in Illinois.</p><p>The task fell to Sutton, who used his experience with creating security plans for other industries to outline a proposal to win the contract. He integrated foundational security principles, including asset identification, threat assessment, hazard vulnerability analysis, and physical security measures, into the proposal. The plan also took other factors into consideration, such as geographical, architectural, and operational elements, as well as electronic security systems and policies and procedures. 
</p><p>His firm won the job, and that's when the real work began, Sutton says.</p><p>"There really aren't too many resources available for security plans in general, let alone within the medical cannabis industry," Sutton explains. "As much as security principles remain constant, the application of these security principles must remain variable to be effective."</p><p>Site security plans had to follow the newly outlined laws, which differ from state to state and range from vague to incredibly detailed—and, at times, confusing, Sutton says.</p><p>"Many of the requirements under the law really made me wonder how in the world they were included, but the security plan had to meet all of the requirements," he says. "The security plans are generally considered for between 20 to 30 percent of the total score for the application depending upon the particular state, and many times the score of the security plan is used as a tie-breaker in the awarding of a permit."</p><p>Sutton was able to tour established cultivation centers and dispensaries in another state to better understand how they worked, what security measures were in place, and how those compared to what Illinois would require. "This also allowed me to see many things that I wanted to be sure to avoid or improve upon when writing plans for other organizations," he adds.</p><p>The application Sutton created was approved, and the cannabis company was able to open two cultivation centers. "That was huge," Sutton says. "Illinois is very highly regulated."</p><p>Sutton went on to work with another cannabis company, won three dispensary permits for them, and suddenly found himself an expert in the industry's security. "That's the way it was," he says. "You win one permit in Illinois and that means something. 
I didn't realize how important that was."</p><p>Since then, Sutton has helped cannabis organizations all over the country apply for dispensary and cultivation center permits and now works as the director of security for Grassroots Cannabis, where he's responsible for security at sites in several states, including Illinois, Pennsylvania, and Maryland. Many cannabis organizations are consolidating, since it takes a lot of money—and expertise—to successfully open and run a dispensary or cultivation center. </p><p>"Nobody knows what they are doing," Sutton notes. "I've never grown marijuana and not many people have ever even seen it. These organizations are consolidating and trying to branch out to other states."​</p><h4>Varied Governance</h4><p>The path a state takes to legalize medical or recreational cannabis—and who is involved in that process—is one of the biggest indicators of what the law looks like and how it's regulated, says Bob Morgan, special counsel for Much Shelist and former statewide project coordinator for Illinois' medical cannabis pilot program. Morgan was involved in crafting the legislation and framework for the program and managed its implementation once the law was enacted in January 2014. </p><p>"Every state that develops a medical cannabis program creates it in its own image, which reflects the political, cultural, and administrative structure of its respected law," Morgan tells Security Management. "Illinois was no different. It had multiple agencies that were responsible for implementing the program—the Illinois State Police and the Departments of Agriculture, Public Health, and Financial and Professional Regulation (IDFPR). 
Those agencies collectively were responsible for establishing security measures and regulations for the industry, from start to finish."</p><p>Ultimately, each state will model the cannabis industry after another existing industry—often based on what agencies are responsible for its implementation, Morgan notes.</p><p>"Colorado's medical cannabis program was overseen by its Department of Revenue," Morgan says. "So, the culture and process and structure of the Department of Revenue has laid the groundwork for the subsequent medical, and now recreational, marijuana industry. In Illinois, our agencies here all put a significant imprint of their agency culture on the program we have now. In a state like Florida, the Department of Health is overseeing implementation of the medical marijuana program. That determines whether a state will treat the cannabis industry like a pharmacy, or a bank, or a casino."</p><p>Sutton has experienced firsthand the challenges of the differing approaches to the industry. Despite being proficient at writing security plans for the cannabis industry in Illinois—a notoriously highly regulated state—he says navigating security specifics in many states can be daunting for an inexperienced practitioner. "I always read the rules and the law, and every part of the law," he says.</p><p>For example, Sutton was tasked with developing a security plan for a cannabis organization in Hawaii. Its permitting rules are broken down into sections, including one for security, which dictates that, among other things, an organization must retain 30 days of video in its archives.</p><p>"An inexperienced person would design a system that retains 30 days of footage and feel like they're doing what they should do," Sutton says. "But, if you read the rest of the rules and the section on records retention, there's a retention requirement of a year for you to keep inventory reports, employment files, and electronic video archives.
If you didn't read that whole rule, you'd never know that and would design the system for 30 days and it would be 12 times too small. It's terrible. That's how I attack it—I read the whole rule, not just the security section."</p><h4>Regulations vs. Best Practices</h4><p>To overcome the challenge of crafting Illinois' medical cannabis regulations in 2014 without national guidance, Morgan created a listserv of state cannabis program directors from around the country to share best practices. He also pulled ideas from the rules in place for pharmacies and casinos in the states.</p><p>"We weren't really recreating the wheel, we were taking the best ideas and security measures we could find and incorporating that into the industry as we shaped it," Morgan explains. "Part of this is driven by the problem of the federal government's prohibition, which requires each state to do this in a haphazard way."</p><p>Some states—including Illinois—may have "gone overboard" with regulating the nascent industry due to a lack of national best practices, Morgan notes. For instance, Illinois is the only state that requires patients to be fingerprinted to get a medical cannabis card. </p><p>"That was a political consideration—it had nothing to do with policy or security, it was politics, unfortunately," Morgan says. "Almost every state has some variation of that."</p><p>Sutton agrees, noting that he has had to comply with head-scratching security requirements in both Illinois and other states. Illinois' Department of Agriculture oversees regulation at cultivation centers, while distribution centers answer to the IDFPR. The two departments wrote the regulations for their respective facilities, meaning that an organization trying to open both cultivation and distribution centers may need to abide by two separate sets of rules. 
And sometimes those rules don't align with overarching best practices in the security industry, Sutton says.</p><p>"For cultivation centers I record on motion, at five frames per second, even though the rules require three frames per second on an alarm—that's it," Sutton says. The video surveillance rules for dispensaries were initially vague, and Sutton says most security directors defaulted to using security industry best practices and designed their systems to record on motion. However, IDFPR later clarified that dispensaries would require constant recording, not motion-based.</p><p> "Now you jump up about three or four times the storage and processing power, just to satisfy that," Sutton says. "And then they went and arbitrarily pulled this number out of their back pocket that we would need to record at seven frames per second—I have no idea where that came from."</p><p>Sutton has run into similar challenges in several states. </p><p>"There are a lot of things written that don't make sense with why they were done—it depends on who contributed to writing the law," Sutton says. "They all think they are very secure and are writing the best plans, but there are some really big variants out there. Some do not have many requirements at all and leave them written pretty vaguely and open for interpretation, which has its own pitfalls, and a lot of others are so extremely specific, and I don't know where they get this stuff. They've got a lot of old technology and use terminology that's really outdated."</p><p>Morgan says this type of experience is not unusual. "With cannabis, it's still such a new industry and so heavily influenced by politics that we result in these kinds of sometimes unnecessary regulations," he notes. 
"The political pressures and ideology drives ridiculous regulation and laws that are based on fear as opposed to pragmatic security measures."</p><p>Regulation enforcement is a regular part of the cannabis industry, even after an organization is approved for a license. In Illinois, the state police enforce the state's regulations, while one of the two designated departments makes sure each facility is adhering to its permit specifications. Sutton says that while the inspections help prevent people from skirting regulations, they can also focus on the wrong problems. </p><p>"The Illinois Department of Agriculture comes every week and audits us against our security plan that we submitted," Sutton says. "All they care about is what we said we'd do in our application. If I said in my plan that all my cameras are going to be three megapixels and that I will have 200 days of archives, they'll come inspect those things every week. The Illinois State Police come in and audit to the actual law. They're going to make sure you have a video system that meets whatever the law says. They don't care how you're using it or that you're being effective and proactive."</p><h4>Above and Beyond</h4><p>These challenges were apparent to a group of people who last year started the National Association of Cannabis Businesses (NACB), the first and only self-regulatory organization in the cannabis industry. NACB President Andrew Kline, a former federal prosecutor and White House advisor, says that the organization establishes industry best practices that help cannabis businesses transcend varying state regulations and hold themselves to a higher standard.</p><p>"Professional organizations like banks and insurance companies had no idea who to do business with," Kline says. "The idea was to start a self-regulatory organization where we would vet our members and then develop national standards and use those standards as rules for our member companies. 
We want to demonstrate that these companies meant business, that they were trying to go above and beyond what they were required to do at the state level in terms of compliance requirements, and signal to professional entities that these businesses can be trusted, because it's a new industry and there are some actors who aren't as trustworthy."</p><p>NACB is also setting its sights on a future where the cannabis industry would be federally recognized, and a set of national guidelines would be needed. Kline says that when the organization started, it positioned itself to create best practices in line with the Obama Administration's priorities, but with the rescission of the Cole memo—which culled enforcement of the federal marijuana prohibition—and the Trump Administration, there is less clarity of national priorities.</p><p>In fact—despite the vague or overregulation issues Sutton and Morgan experienced—Attorney General Jeff Sessions suggests that many of the individual states' regulations that are on the books today are not sufficient to protect the public interest, Kline notes.</p><p>"The national standards that we're looking to build are in alignment with federal priorities for public health and safety, and as we develop them with our members, in many cases we will be more rigorous than state law to show just how serious these members' businesses are in demonstrating they are good actors," Kline says.
"We're baking into our standards what we believe the federal government should care about, but there isn't as much clarity today as there was a few months ago."</p><p>The current environment of regulatory uncertainty—both at the state and federal levels—can be a hindrance to cannabis organizations, and the NACB's approach is especially useful for organizations that operate in several states with disparate regulations.</p><p>For instance, Nevada's regulations do not permit fruit imagery on cannabis product packaging, while Colorado—which has more liberal regulations than Nevada—does allow fruit imagery, Kline explains. In such a case, NACB would create a standard that would be more akin to Nevada's rules than Colorado's.</p><p>Well-researched best practices are especially important when it comes to security, since dispensaries have products and financial assets that are lucrative to criminals (see Security Management's May 2018 News and Trends department for more on how banks and cannabis businesses interact).</p><p>"Security becomes even more complicated when you're dealing with people who are taking in large amounts of cash and don't necessarily have a good place to put it," Kline says. "It's costly, particularly for companies who are operating in more than one state."</p><p>Sutton agrees that overarching guidance is needed in the cannabis industry, especially when it comes to the nuanced role of security. Those who want to start a cannabis-based organization may not know what to look for in a security director, Sutton notes, and operational security personnel may be reluctant to work for an industry that remains taboo. 
The cannabis industry needs experienced operational security practitioners to continue paving the way, and Sutton says he would like to see more security directors become board-certified through ASIS or similar organizations.</p><p>"I refuse to be siloed and just be the guy who is worried about video and access control," Sutton says.
"I worry about it and I love it; however, there are so many other things you have to make sure you're following that do involve security. It touches everything. Security has to be at the table in deciding how you're going to operate, it's more than just your physical systems."</p><p>Morgan says he has seen a shift in the role security and law enforcement are playing in the cannabis industry. Initially, he says the Illinois State Police and local law enforcement were opposed to medical cannabis programs, but today his successor who runs the program at the state level is a former sheriff who changed his way of thinking. "He has seen the way the program works and can articulate how it's safe," Morgan notes.</p><p>"Everyone who knew me beforehand was shocked to hear that I was writing security plans for the medical cannabis industry," Sutton says. "I was the no-fun guy who was very much anti-drug and, for the most part, toed the line when it came to abiding the law. I rationalized it as making sure these companies were tight when it came to security and felt that as it was not illegal, I had no problem with it.... The turning point for me was the passion of the people in the industry and the fact that I wasn't dealing with hippies growing pot in their basement or garage. I was working with people who genuinely believed in their cause and truly considered cannabis as medicinal."  </p><p>Morgan continues to help governments and businesses create medical cannabis programs and says he hopes Illinois—which renewed its medical cannabis program through 2020—will revisit some of its more stringent regulations.</p><p>"It would absolutely be fair to say that Illinois has more than enough data points to show that our regulations can be scaled back in some areas where they were overly politicized," Morgan says. "Regulations such as fingerprinting patients and the extent of security measures each facility has to have in terms of the number of cameras and other requirements. 
This was an experiment to see how it was working and what wasn't working well, and to improve it. And that's what's happening throughout the country."</p> Conversations: Checking In & Coaching Up<p>The management revolution in the U.S. workplace has gained momentum. Performance management is out. Performance motivation is in.</p><p>The dreaded annual review process—bureaucratic, form-heavy, often dreaded by both managers and employees—is out. Performance conversations—frequent, agile, light on formality but heavy on coaching and two-way feedback—are in.</p><p>With all this in mind, Security Management explores the roots and reasons for this trend and asks management experts to provide best practice guidance and principles on how security managers may conduct effective and engaging performance conversations.</p><h4>Annual Review Issues</h4><p>Many managers first became aware of significant changes in performance reviews around 2012, when the digital media company Adobe publicly announced that it was abolishing the traditional annual review process.</p><p>As a result, Adobe's voluntary turnover was reduced by 30 percent, according to a Deloitte report, and other firms began following its lead.</p><p>In late 2016, the movement received another big boost when one of the largest companies in the world, Accenture, announced that it was joining the revolt.</p><p>"Imagine, for a company of 330,000 people, changing the performance management process—it's huge," Accenture CEO Pierre Nanterme told The Washington Post. "We're going to get rid of probably 90 percent of what we did in the past."</p><p>Meanwhile, smaller organizations have taken their cue from these corporations.
"People management practices tend to be a follow-the-leader game," says Phil Haussler, an HR expert at Quantum Workplace who studies workplace and management issues. </p><p>In one sense, the changes were understandable, given that so many workers on different levels—from front line employees to senior management executives—have expressed concerns about the annual review process. </p><p>"I think the revolution is at least acknowledging the underlying problems of performance reviews—such as that everyone hates them, and they are not that useful," says Jordan Birnbaum, the chief behavioral economist for ADP.  </p><p>Moreover, many of these concerns are supported by research, adds Birnbaum, a behavioral economist who is familiar with studies in his field (as is Haussler) that have shown that the annual review practice can be problematic.</p><p> For example, research shows that the common annual review process of linking a performance evaluation to a pay raise largely destroys the development aspect of the assessment. When this linkage is present, it is natural for an employee to switch into an impression management mindset, rather than focus on how the information can assist in professional growth. </p><p>"For the employee, it can become more about posturing, making sure that I show my best self," Haussler explains. </p><p>Another undermining effect of this linkage is that it negatively affects motivation. Research has shown that intrinsic motivation (doing something because it has inherent value) is a much more powerful and productive driver than extrinsic motivation (doing something in exchange for a tangible reward). </p><p>One study, for example, looked at children enthusiastically playing a game. When study supervisors told the children that they would receive a prize if they won, the children quickly lost interest, Birnbaum explains.   </p><p> It's also difficult to ensure that the annual review is based on sound, accurate data. 
Studies show that if managers or employees know that their performance feedback will be read by others, they are likely to inflate it, by a fairly large standard deviation, Birnbaum explains.</p><p>One reason for this is that it is often in the manager's best interest to give a glowing review—it can help the department look good in the eyes of senior management. Similarly, if the employee knows that senior management will read the review, he or she may not be honest with their criticism of a manager, for fear that it will cause a rift in their relationship.</p><p>The other big issue that plagues the annual process is bias, which in this context researchers call the "idiosyncratic rater effect."</p><p>"We are all terribly biased," Birnbaum says. Studies show that in performance reviews, one behavior, good or bad, can have undue influence on the entire evaluation.</p><p>For instance, take an employee who is always late to meetings who has a manager that hates lateness. The employee may find that the manager's strong feeling about lack of punctuality may bleed into other unrelated areas of the evaluation, causing a lower-than-deserved ranking.</p><p>"The feedback is more about the person who's providing it, than about the person who's receiving it," Birnbaum explains.</p><h4>Transitioning</h4><p>Given these problems, the traditional annual review may now be "on life support," as Haussler says. But it is not completely dead. Some companies are retaining the annual review but changing its evaluation methods and process in hopes of improving it.</p><p>But many companies that are retaining the annual review in some form are still making use of more frequent one-on-one performance conversations between managers and employees.
These conversations range widely and include anything from once-a-month (or even once-a-week) casual check-in conversations to more structured quarterly meetings that incorporate two-way feedback, coaching, professional development guidance, brainstorming, and career advice.  </p><p>"There's not one single practice that we are seeing everyone move to—it's all on a spectrum, and each organization decides for itself how far it wants to move on the spectrum," Haussler says. ​</p><h4>Five Principles, Four Questions</h4><p>How can security managers adopt the practice of regular performance conversations? Leadership and workplace communications expert Skip Weisman provides some best practice guidance that may help in implementation. </p><p>First, Weisman lays out five keys to effective performance appraisals: Begin with clear expectations; have regular conversations; capture and log performance; provide "feedforward;" and focus on helping. </p><p>Second, Weisman suggests that one-on-one meetings themselves can be designed around four basic questions for the employee: What do you think you did well this month? What is something you feel you need to get better at? What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?</p><p>Although brief, the four-question format makes the structure of the meeting clear to both the manager and the employee. It also provides an opportunity for an open, fruitful two-way discussion. </p><p>For example, let's say the employee thought his or her performance on a certain task was outstanding, but the manager believed it was subpar. Discussing this discrepancy gives the manager the opportunity to clarify task expectation, and it gives the employee an opportunity to explain what his or her day-to-day is like in the trenches.  </p><p>"In the workplace environment, the employee is seeing things and experiencing things from their own perspective," Weisman says. 
"The manager should be asking about this and be open to hearing it."  </p><p>This two-way concept is key, Haussler agrees, and it should apply from the beginning of the process because the manager should not dictate what will be discussed. The employee should be the primary driver of the agenda. </p><p>"The employee owns their career, and the employee earns their conversation," Haussler says. The process may work even better if both participants have a chance to confer days before the meeting and decide what will be discussed, he adds. This gives both the time to consider the points they would like to make, instead of "just showing up with a pad and pencil."</p><p>In terms of the frequency of the meetings, Weisman advises (under his second principle) that the conversations be frequent—at least quarterly, if not once a month. Haussler agrees, and adds that research his firm has conducted on employee engagement has found that the most engaged employees have meaningful performance conversations at least once a month, if not more frequently.</p><p>Another benefit of frequent meetings is that it can help transform managers into coaches, a common organizational goal. "A coach would never give performance feedback only once a year," Haussler says. </p><p>And some organizations are going all-in on this transformation by offering coaching training and resources to their managers, to help them move toward a continuous coaching practice that improves employee engagement. </p><p>Of course, in cases where a manager has a large staff, the manager may be concerned that having a performance conversation with 10 direct reports once a month will be too burdensome timewise. </p><p>But Haussler says that this time issue should be put into perspective. By one standard, an effective manager invests roughly 200 hours per year into coaching staff, which breaks down to roughly 16 hours per month. 
If the manager has 10 direct reports, a 20-minute monthly meeting with each of them should consume roughly four hours of coaching time every month. That should be workable; if the manager sees that as too burdensome, then "maybe they ought not to be a manager," Haussler says. ​</p><h4>Start Positive </h4><p>Under Weisman's four-question model, the conversation begins with a recognition of positive accomplishment. This is critical for a few reasons, experts say. </p><p>One is that many busy workplaces fall under a kind of unspoken rule: if employees are doing things well, they don't need to be recognized; feedback is only needed to point out and correct mistakes. "Typically, a lot of employees don't get a lot of positive feedback," Weisman says.</p><p>But this can lead to problems, such as employees who feel undervalued. Moreover, studies show that negative feedback is best processed and learned from when it comes with five to seven bits of positive feedback, Birnbaum says. </p><p>One 2004 study of teams, for example, found that the highest performing teams received 5.6 positive statements for every negative statement. Without these positives, the employee feels the feedback isn't fair because positive accomplishments are not recognized. </p><p>"Human beings' psyches are fragile. It's very tricky to provide feedback that is useful and not harmful," Birnbaum explains. </p><p>Thus, starting out the conversation with what was done well allows managers to recognize accomplishments, and explain how they matter to the organization's success, which bolsters employee engagement and helps trigger intrinsic motivations, experts say.</p><p>When the second question of "What is something you feel you need to get better at?" is discussed, Weisman recommends that managers use the "feedforward" approach, a concept attributed to management expert Marshall Goldsmith. 
</p><p>For example, if the employee brings up a task that he or she failed at, the manager should direct the conversation forward and focus on the coachable moment of how performance of the task could be improved in the future. </p><p>Brief summaries of the discussion of both these questions can be recorded by both manager and employee as part of an ongoing effort to capture and log performance. So, if the one-on-one meetings are monthly, and the company is retaining its annual review process, the 12 months of summary notes will make the end-of-year review paperwork much easier for both parties, allowing both to avoid trying to document a year-long evaluation in one review.    ​</p><h4>Two-Way Street  </h4><p>The last two questions of the performance conversation model—"What obstacle or obstacles got in your way and hindered your performance? Where do you need help, and what can I do to help you?"—are critical, because they reinforce the open and two-way nature of the conversation, Weisman says. </p><p>One common employee criticism of the traditional annual review is that it can turn into a one-way grilling of the mistakes the employee has made throughout the year. However, the third question gives the manager an opportunity to walk a mile in the employee's shoes, and better understand what challenges he or she is facing, the overall working conditions, and the factors that impact his or her performance. </p><p>Building on this concept, the fourth question of "Where do you need help, and what can I do to help you?" keeps the focus on the employee's perspective and allows the employee to provide feedforward to explore how a process could be changed, or what a manager could do differently in the future. </p><p>For example, say an employee feels he or she is fighting burnout due to a heavy workload. 
This can lead to a discussion where the manager and employee go through tasks and decide which could possibly be minimized, jettisoned, or outsourced.</p><p>Such discussions fulfill Weisman's final principle of a focus on helping. They also reinforce perhaps the most important message of the performance conversation—it is a two-way street in which both parties try to help each other improve, regardless of rank or position in the company.</p><p>"No one stops learning. No one stops growing," Weisman says.</p> Precious Property<p>In late 2011, Ricardo Sanz Marcos received a disturbing phone call. As a consultant with the cultural properties firm PROARPA Security Asset Protection and Cultural Heritage, he was used to receiving security inquiries about cultural properties, but he dreaded this type of news the most. An ancient Roman villa known as the Villa of Santa Cruz, in the province of Burgos, Spain, had been robbed.</p><p>Thieves had carelessly removed tiles from a centuries-old mosaic, called "The Return of Bacchus of India," situated in the middle of the house. The 5th century floor mosaic, which depicted a Roman god, was one of the largest and best preserved in Europe and was rare for its size of 66 square meters. </p><p>"The mosaic was destroyed when they stole it," Sanz Marcos recalls. "It was a pity because it was a beautiful mosaic." </p><p>Normally, art thieves who rob archaeological sites are careful to preserve the works they steal, but Sanz Marcos notes that the economic crisis in Spain has left many thieves desperate to make off with precious artifacts. </p><p>Thankfully, the artwork was restored to match the original as closely as possible. "Now there is a replica of the mosaic at the site," he notes. "The art technicians are very talented." 
</p><p>After the incident, which occurred in December 2011, Sanz Marcos was called to evaluate security measures at the Roman villa and assess how they could be improved. He says that visit was when he "fell in love" with an ancient archaeological site in Spain, known as the site of Colonia Clunia Sulpicia, not far from the villa. </p><p>Just a few years later, Sanz Marcos and a fellow cultural properties expert would complete a comprehensive site and survey risk assessment for the ancient archaeological site, one of only a few such assessments ever conducted.</p><h4>Cultural Properties</h4><p>For ASIS Cultural Properties Council member James Clark, CPP, bringing value to the international membership around cultural properties security was a challenge he wanted to solve. "We were trying to increase our own knowledge base and our own body of knowledge, because we really needed that," he says of the council. "Things are going on in Europe that haven't been going on in the United States—there's the whole business of terrorism at sites in Syria, and a few years ago in Iran." </p><p><strong>Threats.</strong> Clark, managing partner of Clark Security Group, LLC, an independent security consultancy in Cleveland, Ohio, notes that terrorism has had a destructive effect on cultural properties worldwide. Many headlines have been dedicated to Syria, where the Islamic State has purposefully destroyed countless ruins and artifacts.</p><p>But warfare is not the only threat to these historic sites. People who simply pick up relics, not understanding or knowing their value, can be a major threat to site preservation, he says. Lack of preventative measures, such as onsite security and technology systems, puts cultural properties at risk as well. </p><p>"My experience in South America and Central America—in Mexico in particular—is that there are varying degrees of security," he says. "There are some really fabulous sites in Mexico where there is no security. 
There are sites all over Central America—even Machu Picchu in Peru—that have periodic security. It's a challenge in all these places." </p><p>So, when Clark met fellow council member Ricardo Sanz Marcos, they immediately connected over their joint desire to bring more recognition and security to international cultural properties. </p><p>"We hit it off pretty quickly, and we started talking about how we could bring benefit to what he's been practicing in Europe, and particularly in Spain," Clark says. </p><p><strong>CRISP Grant.</strong> Sanz Marcos was passionate about creating a standard of protection for smaller cultural properties around the world that didn't draw the same level of attention as larger sites like the Mayan Ruins, or other locations designated as World Heritage Sites by the United Nations Educational, Scientific, and Cultural Organization (UNESCO). </p><p>"South of the Mexican border, down to South America, the south of Africa, the southwest of Asia—they are developing countries and they don't have the same level of industry or economy as developed nations, but they have cultural properties in the middle of the jungle or the middle of the desert," Sanz Marcos says. "That was the cornerstone of the Clunia report, to make a standard of protection for cultural properties in developing countries."</p><p>He and Clark worked with then council chair Robert Carotenuto, CPP, PCI, PSP, associate vice president of security at the New York Botanical Garden, to write a CRISP (Connecting Research in Security to Practice) grant proposal to the ASIS International Foundation. Carotenuto says that he hoped the grant would give the council a way to produce a document of critical significance for the field and international members. </p><p>Carotenuto credits former ASIS Foundation Board member Dr. 
Arthur Kingsbury, CPP, who had extensive experience in archaeological security, and Gary Miville, another former Cultural Properties Council chair, with helping them put together the grant. </p><p>After submitting the proposal, they were awarded the CRISP grant, and chose to do several site surveys and a security risk assessment at the place near and dear to Sanz Marcos's heart—Clunia. </p><p>"The grant was helpful because it gave us the ability to pick a topic, a subject, and a location that were nonthreatening," Clark says, referring to the lack of terroristic threat in Spain. "But there were some challenges because it was in a remote location, it's a huge property, and nobody was really taking care of it to a great degree." They began their research in November 2016, and published their findings in a CRISP report in January 2018. </p><p>Clark and Sanz Marcos conducted a four-day site survey, assessed the threats and risks to the property, and provided recommendations for increasing security at Clunia. They paid visits to nearby historic sites as well, and conducted meetings with stakeholders, including employees working on-site, cultural ministries, mayors of surrounding towns, and a security advisor in charge of the site's contract with Securitas. </p><p>Based on their findings, the authors provided detailed recommendations to the stakeholders, which they hoped would increase tourism, community involvement, and overall prosperity at Clunia. </p><h4>Challenges</h4><p>Clunia is situated on a plateau in the Province of Burgos in the Castilla y León region of North Central Spain, approximately 150 miles north of Madrid. The location is all but remote, nestled next to the town of Peñalba de Castro, which has a population of fewer than 85 people. Excavation of the site began in 1915, and archeologists found over the following decades that the colony was once a significant Roman city of the Iberian Peninsula, known as Hispania. 
</p><p>Clunia, which dates to the first century BC, is believed by scholars to be "the most representative of all the archaeological ruins that have been found from the Roman period in the Northern Iberian Peninsula," according to the site survey. The site includes a forum with a basilica, a temple, Roman baths, an aqueduct, and one of the largest theaters on the peninsula. Pottery, mosaics, sculptures, Roman coins, glass, and pieces of jewelry have been discovered at the site, as well as Christian symbols that indicate one of the first Christian communities in Hispania may have lived in Clunia. </p><p>The inhabitants were skilled, Clark says, as evidenced by the colony's remains. "They had farms, they had grain, they grew grapes, they made wine, they had hot and cold running water, and they were phenomenal engineers," he notes. "They could do whatever they wanted because they had those skills."</p><p>Still, only about 15,000 visitors a year come to see Clunia. Limited financial resources were found to be a major factor contributing to the site's poor security, with most funds coming from public administration budgets.</p><p><strong>Threats.</strong> Clunia's remote location, Clark explains, contributes to the property's security challenges. "The police response is an hour away," Clark notes, based on information he received from the Spanish Ministry of Culture. He adds that the threat of fire, as well as fire response, is another obstacle. The area is mostly dry grassland, making it prone to brushfires, and departments have limited resources to fight blazes in large remote areas. </p><p>"Those are the primary issues: fire, theft, and then just damage to the site," Clark notes. "When the grasslands are destroyed, the rains just wash away the soil which takes away the protection of the yet-to-be uncovered ruins." </p><p>While terrorism was not found to be a significant risk to Clunia, one of the biggest challenges was theft of material over time from the site. 
Security around the 6-kilometer (3.5 mile) perimeter and within the site was severely limited, leaving precious artifacts exposed to potential theft and the fragile ruins unguarded. </p><p>"The town right next to the site has homes and buildings adorned with all kinds of artifacts from Clunia, and anybody can go to the site and pick something up," Clark says. "Fortune seekers who bring their metal detectors in are able to find Roman coins and other objects that were obviously not excavated." </p><p>With limited security patrols, intruders were often able to dig large numbers of holes in search of artifacts. "On a single day in 2015, site personnel discovered more than 165 holes dug into the ground by unknown intruders who had sufficient time to render such destruction without discovery," they write in the report. "It is unknown what, if anything, was removed during these incidents."</p><p>While there was a lock on the gate that guarded the site entrance, several keys had been given out to members of the community, and to shepherds who needed to pass through with their flocks to graze.</p><p><strong>Resources.</strong> Clark and Sanz Marcos found in their assessment that security personnel and technologies at Clunia were severely limited. During public hours, a staff member who sold tickets at the gate and a guide who explained the history of the site were the only people consistently on the property. Additionally, a contract guard worked between 11:00 p.m. and 6:15 a.m., but the guard had no patrol vehicle to make tours. </p><p>The visitor center and artifact building, plus specific high-value artifacts inside, had alarm systems, but no one was monitoring video in real time. And with slow law enforcement response times, even if an alarm was triggered, the bad actors would have time to get away. ​</p><h4>Recommendations</h4><p>Based on their assessment, Clark and Sanz Marcos made several recommendations to increase both security and community involvement at Clunia. 
Their final recommendation was a holistic security approach with three components. The approach aimed to get the community on board with a sense of ownership of Clunia, provide policies and practices that complement the security technology and officers in place, and provide those officers with tools and technology that allow them to deter or stop bad actors from accessing the site. </p><p><strong>Intrusion detection.</strong> The authors recommended several security technologies, providing a detailed summary of costs for each specific purchase, such as re-keying the perimeter gates, adding thermal cameras, and purchasing an all-weather, all-terrain vehicle for the security guard. </p><p>Re-keying the gate would solve the issue of several missing keys that had been given out over the years. But the authors recommended that shepherds could continue grazing on the property, because it turned out the sheep helped prevent fire outbreaks by eating the dry brush. </p><p>Strategically placed cameras would notify security staff when someone penetrates the fence or trespasses on the site. "One of the technologies that we recommended were thermal imaging cameras mounted on poles, which can detect movement or motions up to a mile," Clark says. "We recommended four or five of those on the site."</p><p>Establishing a full-time security presence during all hours Clunia is closed to the public was suggested, which would include two officers: one to staff a control center within the visitor center, and another to perform patrols.</p><p>Clark adds that a new visitors center currently under construction could house a new video monitoring location and would serve as a further deterrent to people trying to desecrate the site. "This would allow people to park their vehicles, go through a pedestrian gate, go through the visitors center, pass a small museum there, then go up on the site," he says. 
"They wouldn't be able to bring metal detectors and shovels—and things of that nature—where they could desecrate the site." </p><p><strong>Community awareness.</strong> Because the Spanish Cultural Ministry has limited financial resources, Clark and Sanz Marcos determined that increasing community buy-in around Clunia could generate more revenue for protecting it. By educating surrounding communities about the history and significance of the site, the authors indicated the value that Clunia could bring to restaurants, hotels, and other nearby merchants. </p><p>"This process should begin by first working with community leaders such as mayors, legislative representatives, and business people, followed by focused community meetings, informational brochures, and regular communications from the cultural ministry," they write in the report. </p><p>They suggested a training program to educate schools, neighborhood associations, and other institutions about Clunia, and recommended a marketing strategy in conjunction with nearby properties to draw tourism. </p><p>Sanz Marcos iterates the importance of community buy-in for the success of any historic site. "If you transform the cultural property into a sustainable industry that creates jobs, health, wealth, and a better life for the population around it, you can preserve the property," Sanz Marcos notes. "We have to leave our cultural properties for our children in better condition than we received them."</p><p>While Clunia was Clark's first archaeological site survey, he has performed risk assessments at museums, libraries, and other cultural properties throughout his career. He says he found that the basic principles of effective physical security applied to Clunia. "The biggest surprise to me was how relatively simple the solutions are," he says. "You really need to do vulnerability assessments on all these sites. There's a lot of common ground here. 
But there are also a lot of idiosyncrasies about each individual site."</p><p>Carotenuto echoes the importance of paying attention to the uniqueness of each cultural property and says it's a best practice for any risk assessment. "As security professionals, we don't just go in and tell someone, 'Well, this is what you need,'" he says. "It has to be tailored to that environment, it has to fit with the culture of that place, and that to me is the most interesting thing about the Clunia report—they realized they needed to embrace the culture of that site." </p> Worlds<p>Effective security professionals are great innovators by nature. Continually forced to do more with less, security managers create new ideas in an ever-changing industry.</p><p>However, in the security field, the ways in which value is created are changing all the time. So are the strategies required to protect that value. For security managers, the challenge is to be the type of leader who understands how the value creation process is changing, and to then lead the security department so that it best leverages its value for success. </p><p>This type of leadership works best through collaboration. Kevin Kruse, the founder and CEO of, describes leadership as "a process of social influence which maximizes the efforts of others towards the achievement of a goal." Undoubtedly, the process of social influence is key for security leaders, who typically do not have the authority to tell everyone in the organization what to do and have them comply.</p><p>Moreover, the environment that today's security manager is trying to lead in is filled with rapid change. These changes include massive shifts in technology in both software and hardware, as well as vast changes in the compliance landscape. 
For security leaders who are not experts in cybersecurity, such as physical security managers, these developments can be daunting to understand and get a handle on. But avoiding them and staying completely within one's silo or area of expertise can make collaboration difficult, and it will lessen the likelihood of effective social influence. </p><p>On the other hand, physical security managers who make the effort to gain an understanding of the effects of these technology and compliance changes, and how their effects can be harnessed to bolster the security of the overall enterprise, can then build bridges between different sections of the security world. These bridges break down silos, and they increase the social influence of the security manager and the chances of successful collaboration. </p><p>With that in mind, this article will discuss a few current technology and compliance developments, and the impact they might have on enterprise security.</p><h4>DevOps</h4><p>DevOps, a software engineering culture and practice aimed at unifying software development (Dev) and software operation (Ops), is changing the way that digital experiences are being created in software.</p><p>One of the main characteristics of the DevOps movement is a push to automate and monitor all steps of software construction, including integration, testing, and deployment. As a result, some of the aims of DevOps are shorter development cycles, increased deployment frequency, and releases that are closely aligned with business objectives. </p><p>DevOps specialists John Willis and Damon Edwards have used four terms to define the movement—culture, automation, measurement, and sharing. Under this approach, which is radically different from the traditional one, software is delivered continuously. Teams that had previously worked in silos come together to achieve common goals. 
As soon as someone comes up with an idea for a new digital experience, a cross-functional team can quickly turn it into reality.</p><p>The DevOps movement is catching on. Currently, 27 percent of surveyed organizations are using a DevOps methodology, according to the latest version of the annual report, The State of DevOps, published by software services company Puppet in 2017. Clearly, the use of DevOps is on the rise, and it is something that security managers should be up to speed on. </p><p>Compare the execution of some security functions in a DevOps versus a pre-DevOps world. In the pre-DevOps world, organizations built technologies in private data centers, and security professionals focused on protecting the perimeter of those centers. Similarly, the traditional brand of waterfall software development (where progress flows in only one direction—down—like a waterfall) takes time, enough time for lengthy cybersecurity reviews and approvals to take place. During this painstaking process, there is a strong focus on preventing breaches from occurring.</p><p>In the DevOps world, use of cloud infrastructure and automation transforms technology infrastructure so that it is now managed as software via application programming interfaces (APIs). The focus is on application and API security, instead of the traditional focus on host and network security. In this world, almost every software company is both a vendor to other software companies and a customer. </p><p>The connected ecosystem of the DevOps world pushes enterprise security away from its previous commonly assumed role as a cost center and pushes it toward the clear position of business driver. It is explicitly requested during the sales process—usually in the form of a vendor security questionnaire. 
A DevOps world assumes that security incidents are happening all the time and acts accordingly.</p><p>But security managers should know that buying a DevOps product can be different from buying a more traditional enterprise IT product that is installed in a private data center. </p><p>The purchase of the traditional product often meant building a long-term, old-school relationship that required significant investment by both parties. This eventually built trust, if both parties acted in good faith. </p><p>In contrast, Cloud, Security as a Service (SaaS), and other DevOps solutions have been described as "easy come, easy go," and they are often acquired in a low-friction transaction environment, over a shorter time frame. The quality, security, and regulatory compliance of these solutions must be expressed to the security manager in a more explicit way.</p><p>To illustrate, consider the following example. A DevOps vendor has begun to close a deal with its first big enterprise client. Now that the enterprise client has decided that it is interested in purchasing the DevOps vendor's product, it's time for the enterprise client's security team to get involved (just as the legal and purchasing departments will get involved regarding the contract and payment components of the transaction). </p><p>The enterprise security team sends the DevOps vendor a security questionnaire, which typically contains many questions. In some cases, receiving these types of security questionnaires can be intimidating to a DevOps vendor. In other cases, it can inspire the vendor to help drive and continue to mature the security program. </p><p>But no matter what the DevOps vendor's initial reaction is, the role of security has been transformed. It's an obvious and crucial part of completing the sale, from the point of view of both the vendor and the enterprise organization. 
Thus, the perception of security here is as an explicit business driver, which was not necessarily the case in the traditional IT product world. </p><p>Of course, physical security managers do not need to become technical experts on software development. However, understanding how DevOps changes the transaction process and the perception of security could become valuable knowledge for security managers of all types, including physical security managers. </p><p>Moving forward, the potential commercial advantages of the DevOps approach will likely make the software development trend an attractive one for many more organizations. Physical security managers who can meet this trend with a basic understanding of its potential impact will be well-positioned to collaborate with technology managers, for the benefit of the enterprise's overall security.</p><h4>IoT Security</h4><p>In a recent survey by Business Insider Intelligence, executives were asked various questions about the Internet of Things (IoT). Security was found to be one of the most consistent concerns, chosen by 39 percent of survey respondents, well ahead of other concerns like questionable ROI, lack of a use case, and price. The security concern, in a nutshell, is that increased adoption of IoT technology may expose organizations to new, more prevalent hacks.</p><p>In the past few years, security experts have executed, for demonstration purposes, alarming hacks on connected vehicles (2015), sniper rifles (2015), and cardiac devices (2017). Technically, many of the security vulnerabilities exploited in these hacks are similar to those of more conventional technologies such as servers, but the methods for detecting and addressing vulnerabilities in a connected web of smaller and less capable devices can be much more complex. 
</p><p>"Paradoxically, the very principle that makes the IoT so powerful—the ability to share data with everyone and everything—creates a huge cybersecurity threat," write Christopher J. Rezendes and W. David Stephenson in a recent Harvard Business Review article, "Cyber Security in the Internet of Things." As with any software product, the best approach for reducing the risk of software-connected vehicles and other types of systems is to assess and monitor security during the product development lifecycle. </p><p>Security managers should evaluate IoT systems with misuse and abuse cases in mind, considering how IoT features might be unintentionally misused or intentionally abused. In this way, the approach to reviewing an IoT system is not much different from the approach that has been commonly used for years to assess software security.</p><p>The methodology is called threat modeling, and this can be done either by an internal security team or outsourced to a third party that specializes in this type of analysis. The first step in creating a threat model is to identify the assets, security controls, threat agents, and threats within the system. The next step is to estimate the likelihood and impact of each threat within the system. Then, an associated mitigation plan for each potential flaw is developed.  </p><p>It is also critical for security managers to ensure that security fundamentals remain in place when working with the IoT environment. One of the founding principles of IoT security is that access should always be shut down where it's not necessary.</p><p>In addition, because IoT devices are primarily consumer facing, it's also important for security leaders to ensure that consumers are aware of and actively implementing cybersecurity basics such as the use of strong passwords and software updates.</p><p>Like DevOps, IoT systems are very likely to become more widespread in the next few years. 
Familiarity with the threat modeling process and other means of evaluation and sustaining bedrock principles will be valuable tools for security leaders, including physical security specialists, to possess. In addition, managers who supervise enterprise security risk management (ESRM) programs will find that IoT threat models often complement the overall ESRM program. This is because both take the same approach of using risk management principles to identify potential threats and their likelihood, and then strategically allocating resources to fight the threats.  ​</p><h4>GDPR</h4><p>For the past decade and a half, security professionals have been navigating a changing regulatory environment. To date, many regulatory compliance frameworks have been applicable to only one specific industry. Payment Card Industry (PCI) standards apply to financial services, the Health Insurance Portability and Accountability Act (HIPAA) applies to the medical field, and the Sarbanes–Oxley Act (SOX) applies to public companies. </p><p>Additionally, each set of rules and regulations has different enforcement mechanisms. PCI, for example, applies differently to various tiers of an organization, and the actual fines that have been paid by noncompliant organizations have been fairly limited. </p><p>But all of that changes with the General Data Protection Regulation (GDPR). GDPR enforcement officially began in May 2018, and it applies to organizations located within the European Union (EU) and to organizations located outside of the EU that offer goods or services to, or monitor the behavior of, EU citizens. Organizations that do not comply with GDPR requirements can be fined up to 4 percent of annual global revenue or up to €20 million (roughly $24 million), whichever is greater.</p><p>While the focus is on consumer privacy, GDPR has a lot to say about processes and procedures surrounding data breaches, vendor security, and data protection in general. 
At a high level, the regulation requires organizations to develop a data inventory and continuously track how data is processed, stored, and transferred. </p><p>Given this, many proactive security leaders will be developing plans for how to proceed when it comes to either providing vendor services or leveraging a vendor for data processing, storage, or transfer. Many will also develop plans for responding to an incident that takes into consideration what action is required by GDPR in the case of a breach. A physical security manager who has sufficient working knowledge of GDPR can be a valuable asset as a participant in this plan development, and the enterprise at large will benefit from the fact that the plan was a collaborative effort between different security specialists.</p><p>For more information, the full GDPR document is available publicly. There are also many guides, runbooks, and "do's and don'ts" online that professionals can review to learn how others are interpreting the information.</p><h4>Bridging Worlds in Person</h4><p>DevOps, IoT security, and GDPR compliance are all rapidly changing areas within the overall technology and regulatory landscape, and they all offer opportunities for security managers who are not cybersecurity specialists to build bridges into the worlds of technology and information compliance. </p><p>Physical security managers who have educated themselves on the basics of these topics can then learn more when meeting with technology specialists. Such meetings often proceed more smoothly if the physical security manager goes into the meeting with a productive eager-to-learn attitude.    </p><p>So, when meeting with technology and compliance experts, ask questions and save your demands. Spend twice as much time listening as talking. 
The more curious you are, the more likely you are to learn something that will benefit you as you put together an approach toward improving overall enterprise security.</p><p>Some important questions for a physical security manager to ask a technology manager or engineer might include: What's important to you? What are your top priorities this quarter? What worries do you have about getting your job done? This information can be used to align security goals with technology goals. It can also provide context, and a more accurate answer, for a security manager who is mulling over the question of why security tasks do not seem to receive the time or resource allocations that they should. </p><p>A similar approach will also benefit physical security managers who want to build bridges with the organization's business leaders. Before meeting with these leaders, security managers should spend time learning about the business side of the organization. Then, they can dive into specifics during the meeting, using the same types of open-ended questions used with technology leaders. </p><p>Astute security leaders know that they cannot approach business and technology teams and order them to work in a certain way. If security managers do not spend time and effort learning about how other specialists work, what their priorities are, and what risks matter to them, trust will be hard to build. When was the last time you listened to the advice of someone you didn't trust?</p><p><em>Caroline Wong, vice president of security strategy at, has held executive security and management positions at eBay, Symantec, Cigital, and Zynga.</em></p> on the High Life<p>Nestled in downtown Austin, Texas, The Bowie is a high-rise apartment tower that offers luxury amenities to its residents. 
"We have the highest price per square foot in all of Texas," notes Timothy Colgan, former general manager at The Bowie. "It's the small touches that set us apart."</p><p>The Bowie opened in 2015, and one of its not-so-small touches is the rooftop infinity pool atop the 36th floor. But with high-rise glamour comes the need for heightened security, leading property management to invest in video, Colgan says. That's why when he took over as general manager in the spring of 2017, his first question was whether he could manage the existing video system from his mobile device. </p><p><img src="/ASIS%20SM%20Callout%20Images/0718%20CS%20Stats%20Box.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:311px;" /> While there were options for mobile access, he found the existing video management system (VMS) difficult to use, and it was burdensome to pull up previously recorded video. "It was an extremely complicated software to navigate, even to go back to view video footage," Colgan tells Security Management. </p><p>"It's important to be able to go back and retrieve camera footage if and when it is required, to give you some insight into the before and after," he explains.</p><p>Besides having a vested interest in protecting its residents, The Bowie has commercial space on the eighth and ninth floors, so management was concerned about monitoring the nonresidential activity taking place inside the building. </p><p>"From a risk management standpoint, probably the most helpful thing you could possibly ask for is camera footage, especially in the event you're filling out an incident report," Colgan notes. "Sometimes bad things do happen and having them on camera, especially elevator footage or pool footage—it can make a world of difference." </p><p>The president of Eagle Eye Networks, Ken Francis, was a resident at The Bowie and approached Colgan about possibly installing his company's Eagle Eye Cloud Security Camera VMS. 
The company manufactures cameras that come equipped with VMS software, which allows users to manage and record video completely in the cloud. Customers have the option to purchase hardware if they want to perform local recording. </p><p>For Colgan, having the ability to easily manage the VMS from any smart device appealed to him, as did the quality of the high-definition cameras, which can capture facial details and detect motion.</p><p>Several Eagle Eye cameras were strategically installed in and around the property, including at the infinity pool, the parking garage, and the 10th floor rooftop terrace dog park. Users can manage the cameras and footage from an app available on smart devices, as well as from any desktop computer. With the click of a button, users can turn cameras on or off, email videos, adjust camera settings, and manage how long cameras retain video. </p><p>"I use that app all day every day, even during my time away from the office," Colgan says, adding that he can grant or restrict access to the platform for employees. "A team member may give me a call and say, 'Hey, take a look at what's happening on the 31st floor—is this a get together that you would like us to break up?'"</p><p>The quality of the cameras allows management to clearly make out facial or license plate details and identify persons or vehicles of interest. "One new camera is inside the parking garage, which allows me to see high definition of exiting cars and faces of individuals coming into the garage," Colgan says, adding that he can look up license plate numbers in the property management system. If the vehicle is unauthorized, the towing company is contacted.</p><p>From a liability standpoint, key incidents the property wants to capture are slips, trips, and falls, which can happen at any time. "We had a fall incident that took place on the property in an amenities space," he says. 
When filing the subsequent incident report and insurance claim, he says that having clear video of the event helped prove that the building was not at fault. </p><p>"Being able to identify fault is extremely important from a risk management standpoint," Colgan explains. "The camera that witnessed the incident…had recently been replaced by Eagle Eye, and gave us a clear enough shot in the dark to see what actually happened." </p><p>Residents at The Bowie have high expectations not only for their security, but also for their privacy, and management uses the Cloud Security Camera VMS to improve their quality of life. Colgan explains that this makes documenting incidents throughout the property even more critical. </p><p>"In the elevators, you're in a confined space and unfortunately people don't always behave as you would expect," he notes. "Now we're able to not only see what happens on the elevator, but on the floor to which people are exiting, which helps us to narrow down who the particular person is." </p><p>In addition to the elevators, keeping track of activity at the dog park has become a point of concern. "One of the big projects that Eagle Eye helped with was installing three very large dome cameras in the dog park," he says. "We were having trouble with people not picking up after their pets, and we wanted the ability to hold people accountable." </p><p>With the dome cameras, everything that transpires in the dog park is captured, and repeat offenders who fail to clean up after their pets are easily identified. The Eagle Eye VMS software has an algorithm that can be programmed to pick up on specific actions, and Colgan says The Bowie will eventually take advantage of that feature to automatically alert when someone doesn't pick up after their dog. </p><p>Even for luxury living, security is never a guarantee. 
But Colgan says having the Eagle Eye Cloud Security Camera VMS gives the residents peace of mind that they're being watched over.</p><p>"Crime does not have an address," Colgan says. "But at the end of the day, we have tools in place to try to assist when things do come up. When people come in the building, they can see we have that technology there." </p><p><em>For more information: Deborah Demarchi, 949.813.6223.</em></p> Buzz<p>The year was 1960. And Charles W. Bachman was unsatisfied with computers. They were supposed to revolutionize the way companies did business, but accessing vital information and making changes was a time-consuming—and frustrating—process.</p><p>Bachman, then a software engineer at General Electric, and his team came up with a solution to the problem. He created the Integrated Data Store (IDS), the first direct-access database management system, which would allow businesses to link data sets and make changes to them with greater ease.</p><p>IDS would change the future of computing, and databases and their management systems are now used in millions of applications around the world for inventory control, employment records, and transactions.</p><p>"IDS and its derivative systems are still in use today, supporting a thousand mainframe installations," Bachman wrote in an article for IEEE Annals of the History of Computing in October 2009.</p><p>Around the same time that Bachman wrote his article, another piece of technology was invented that is now changing computing in a similar way: the blockchain.</p><p>"A blockchain is similar to a database, but rather than being stored in one place and governed by one company or one set of people who run it and administer it, a blockchain is simultaneously run by thousands—or millions—of people around the world," says Michael 
Perklin, chief information security officer at and board member of the CryptoCurrency Certification Consortium and The Bitcoin Foundation. "There is no real, geographic home."</p><p>And blockchain technology is poised for a bright future. Research and advisory firm Gartner predicts that the business value-add of blockchain will reach $176 billion by 2025 and be more than $3.1 trillion by 2030.</p><p>What is a blockchain? In October 2008, Satoshi Nakamoto created the cryptocurrency known as Bitcoin. To keep track of Bitcoin transactions and verify them, Nakamoto also created another technology—a blockchain. </p><p>A blockchain is a database system that allows peers to validate changes made to the system, rather than relying on a central authority. One of the easiest ways to explain how a blockchain works is to discuss it in terms of a transaction. </p><p>For example, Alice requests that Bob pay her 15 Bitcoins. Her request is broadcast to a network of computers—called nodes. Using cryptography, the nodes make sure the transaction is valid. If it's valid, a new block is added to existing blocks associated with Alice's account to create a chain. Built into these blocks are digital hashes, which make it evident if anyone attempts to alter a block in the chain. </p><p>"With a database, it's possible to falsify a record without leaving any trace because, by default, most databases don't have these tamper-evident capabilities—but blockchains do," Perklin says. "So, if I try to alter my balance and say I have 1,000 Bitcoins. I send this update to the world through the replication mechanism; as every other computer in the world starts receiving this message from me, they take a look at the tamper-evident seal on it, and they realize immediately that this is not a valid update and ignore it." 
</p><p>Most other systems, including databases, lack this validation factor.</p><p>"By default, databases don't do any checking at all because it's assumed that you have access to that database," Perklin says. "You have an account, you have permission to make a change, it's assumed that change is valid, and if you have permission to make it, it'll make it for you."</p><p>By contrast, there are no user accounts associated with blockchains. Nodes on the network act as validators, conducting integrity checks to make sure that false information is not added to the blockchain. And this validation process happens within nanoseconds. </p><p>Beyond validation, there are other benefits to blockchain technology. For instance, it is more resilient than relying on a central authority.</p><p>"The data simultaneously exists on thousands or millions of computers around the world at the same time," Perklin explains. "If one server were to go down, the data is still available to everyone else in the world. By contrast, if something like PayPal were to go offline, nobody can use PayPal until PayPal comes back online."</p><p>If one server, or several, went out due to a massive Internet outage, a blockchain would continue to work using servers located elsewhere. </p><p>How are they used? Blockchains were initially created to facilitate Bitcoin and have also been used to support other cryptocurrencies. Since then, blockchains have been applied to other projects, but the technology is still in the early phases of adoption. </p><p>One use case is for document validation. Users can employ blockchain technology to verify the integrity of a document to ensure that it has not been altered. </p><p>For instance, publicly traded companies release certain financial records to the public every month. 
If a malicious insider who stole from the company wanted to alter the documents to cover up the crime, the insider could do that after the chief financial officer prepared the documents.</p><p>Using software that uses blockchain technology, a chief financial officer could add a time stamp to the prepared financials that would appear in the blockchain. </p><p>"This adds a tamper-evident seal that lives in the…blockchain that can attest that at this time and on this day, this was the exact state of the financial affairs," Perklin says. "Now a few days later when bad guys take these financials, alter them, and publish them to the world, if somebody wanted to check the validity they can compare it to what the CFO put in…they will see it has been altered."</p><p>This type of timestamping authenticator can also be used to verify video recordings, Perklin says, such as a recording of a police officer using excessive force against a protestor.</p><p>"A few months later when they are in court and the recorder is accused of photoshopping the video, they can say, 'No, this time stamp proves that this existed on the day at exactly 3:30 in the afternoon—the time this really happened,'" he explains.</p><p>These are just some initial use cases for blockchain and more will come, but one area Perklin says he does not think blockchain technology will be used for is anything involving private information.</p><p>"The nature of blockchain is that all the information is public, and every one of those thousands or millions of computers around the world, they can read all the information, so they can validate all the information," Perklin adds. "Now I've lost my privacy. 
Anything that has a privacy component is not a good fit for a blockchain application."</p><p>Others are also skeptical of the potential security use for blockchain technology, including Ron Rivest, institute professor at the Massachusetts Institute of Technology and one of the inventors of the RSA algorithm.</p><p>Speaking at the RSA Conference in San Francisco in April 2018, Rivest said that blockchains are being viewed as "security pixie dust" with developers promising that any application will "be made better by blockchain properties."</p><p>This is not accurate, Rivest said, citing the example of using blockchain technology for election security in the United States. </p><p>"In voting, it would be a bad idea because of the private ballot—and it needs to be centralized," he said, adding that the centralized system is needed to ensure that votes are counted but that the identity of who cast them would remain private.</p><p>"Blockchains have limited security properties that may or may not fit what you need," Rivest said.</p><p>The U.S. Securities and Exchange Commission (SEC) has also stepped up recently to crack down on companies that are adding blockchain to their name to raise their stock price.</p><p>"The SEC is looking closely at the disclosures of public companies that shift their business models to capitalize on the perceived promise of distributed ledger technology and whether the disclosures comply with the securities laws, particularly in the case of an offering," said SEC Chairman Jay Clayton in a statement. </p><p>All of this is part of a technology that's just in its beginning phases, similar to what the world saw with the introduction of computers and databases. </p><p>"It took decades for people to apply interesting features to that dumb wire between boxes," Perklin says. "I'm sure that in 20 years, we're going to look back at all the different ways companies started using blockchain and think...this was the future." 
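</p><p>The tamper-evident seal and the CFO time-stamping case described above can be sketched as a small hash chain. This is an added example, not code from the article or from any blockchain project; the function names, block fields, and sample statements are assumptions constructed for illustration, and the time stamp is a plain string rather than one agreed by network consensus.</p>

```python
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS_PREV = "0" * 64  # stand-in "previous hash" for the first block

# Constructed sample documents, not real filings.
ORIGINAL = b"Q2 statement: revenue 10,400,000; cash on hand 2,150,000"
ALTERED = b"Q2 statement: revenue 10,400,000; cash on hand 2,950,000"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hash(block: dict) -> str:
    """Hash every field except the stored hash, in a canonical byte form."""
    body = {k: block[k] for k in ("index", "timestamp", "doc_digest", "prev_hash")}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_block(chain: List[dict], document: bytes, timestamp: str) -> dict:
    """Record the document's digest (never the document itself) in a new block."""
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "doc_digest": sha256_hex(document),
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return the index of the first block whose seal is broken, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None


def verify_document(chain: List[dict], index: int, document: bytes) -> bool:
    """True only if the chain is intact and the digest sealed at `index` matches."""
    if verify_chain(chain) is not None or not 0 <= index < len(chain):
        return False
    return hmac.compare_digest(chain[index]["doc_digest"], sha256_hex(document))


def rewrite_history(chain: List[dict], index: int, forged_document: bytes) -> List[dict]:
    """Model the holder of one copy swapping a digest and re-sealing later blocks."""
    forged = [dict(b) for b in chain]
    forged[index]["doc_digest"] = sha256_hex(forged_document)
    prev = forged[index]["prev_hash"]
    for block in forged[index:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block)
        prev = block["hash"]
    return forged


def first_divergence(replica: List[dict], received: List[dict]) -> Optional[int]:
    """Index at which a received chain contradicts blocks this peer already holds."""
    for i, (mine, theirs) in enumerate(zip(replica, received)):
        if mine["hash"] != theirs["hash"]:
            return i
    return None


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    append_block(chain, b"Q1 statement (constructed)", "2018-04-02T15:30:00Z")
    append_block(chain, ORIGINAL, "2018-07-02T15:30:00Z")
    append_block(chain, b"Board minutes (constructed)", "2018-07-09T09:00:00Z")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("published copy matches seal:", verify_document(chain, 1, ORIGINAL))
    print("altered copy matches seal:  ", verify_document(chain, 1, ALTERED))
    edited = [dict(b) for b in chain]
    edited[1]["doc_digest"] = sha256_hex(ALTERED)  # edit without re-sealing
    print("in-place edit detected at block:", verify_chain(edited))
    forged = rewrite_history(chain, 1, ALTERED)
    print("re-sealed forgery self-consistent:", verify_chain(forged) is None)
    print("peer replica rejects it at block:", first_divergence(chain, forged))
```

<p>The re-sealed forgery passes its own integrity check, so the hashes alone protect only against edits that leave the seals untouched; it is comparison against independently held replicas that exposes a rewritten history.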
</p> 2018 Industry News<h4>A NEW BALL GAME</h4><p>When the Great American Ball Park, home of the Cincinnati Reds, needed to upgrade its visual systems, it turned to integrator Nor-Com. The state-of-the-art video distribution system would enable the ballpark to distribute HD video to a range of sources throughout the venue. Nor-Com outfitted the ballpark with the intelligent Ultra HD Over IP platform from Just Add Power (J+P).</p><p>The platform has kept pace with changing video distribution requirements, progressing through the extensive upgrades around the stadium. As a result, new video spaces continue to be brought online and updated for a seamless video experience. Most recently, Nor-Com used J+P's 2G and 3G transmitters and receivers within the redesigned Scouts Club, Champions Club, HandleBar, and Reds Connect Zone. The team can distribute transmissions from multiple sources throughout the facility, including HD tuners for the game feed, Blu-ray players, the scoreboard feed, laptop and PC inputs for digital signage, social media feeds, and a press feed. </p><p>In each space, users can control and switch any source via an iPad, with minimal training. The modular approach to video distribution allows the team to build upon its existing infrastructure and keep pace with evolving video content requirements and standards.</p><h4>PARTNERSHIPS AND DEALS</h4><p>ASSA ABLOY announced partnerships with Averics, BluB0X, Dot Origin, Identiv, and Viscount. Also, AccessNsite, Lenel, Open Options, and RS2 are the first partners to integrate with ASSA ABLOY's PIV-enabled solutions. </p><p>Anchore and stackArmor announced a strategic partnership to deliver enhanced container security and compliance solutions. 
</p><p>Integrating Arteco Video Event Management Software with Paxton's access control platform gives users insights into potential risks or incidents. </p><p>Auth0 was selected by National Geographic Partners, LLC, to centralize identity for its properties around the world.</p><p>BlackRidge Technology International, Inc., is collaborating with Marist College to develop a blockchain application to eliminate fraud from philanthropic contributions. </p><p>Bold Technologies integrated its ManitouNEO with the CHeKT video monitoring platform to enable alarm-based video.</p><p>The Cambridge Pixel Video Security Display system was selected for a military mobile protection program in the Middle East, partner Defense Integrated Solutions Security Systems.</p><p>Captis Intelligence signed a national dealer agreement with NAVCO. </p><p>FST Biometrics installed its In-Motion Identification solution at the Wellington College Health & Fitness Club in the United Kingdom.</p><p>A surveillance system provided by Hikvision Canada Inc. was installed by Off Grid Surveillance Platforms for Ajax Hyundai in Ontario, Canada.</p><p>Invixium is working with integration partners Galaxy Control Systems, RS2 Technologies, Honeywell, Genetec, Gallagher Security, Paxton Access, Siemens, Remsdaq, and S2 Security.</p><p>Interactive and home automation features from can now be controlled by iotega.</p><p>JCB Co. Ltd. is testing its latest JCB Biometrics Card with fingerprint authentication. The payment solution is provided by IDEMIA, and Toppan Printing is personalizing the cards.</p><p>Kentec Electronics Ltd. supplied its Taktis fire detection and alarm technology to Scotland's Dumfries Baptist Church.</p><p>Manything signed on three new distribution partners: Brooklyn Low Voltage Supply, DSG Distributors, and Tristate Telecom.</p><p>Milestone Systems' open platform IP video management software is helping Carrasco Lakes in Uruguay provide better security control. 
The networked solution, executed by Foxsys, allows ongoing expansions, including more than 30 new cameras from Hikvision and Arecont Vision.</p><p>MOBOTIX is partnering with ClearSite Communications, Inc., to provide a platform that allows cameras and sensors to be deployed at remote locations. </p><p>The National Fire Protection Association and ASTM International created a joint working group to create "use-case scenarios" for law enforcement and first responders using drones in operations. </p><p>NETSHIELD Corporation is partnering with ZON Digital Insurance to include cyber insurance coverage bundled with its suite of cybersecurity solutions for small and medium enterprises.</p><p>Nozomi Networks Inc. and SecureLink are working together to broaden SecureLink Germany's delivery of services to customers across Germany, Austria, and Switzerland. </p><p>Nuvias signed a pan-European distribution agreement with FireEye.</p><p>Overland-Tandberg announced that ABP Tech now offers its SnapServer Network Attached Storage integrated with ABP Tech's Mx-MSP remote video surveillance monitoring software.</p><p>The Quantum video surveillance storage portfolio is now available through Convergint Technologies.</p><p>Transition Networks partnered with ScanSource, Inc., to expand delivery of its edge connectivity solutions with a focus on physical security networks.</p><p>TrapX Security is collaborating with Check Point Software Technologies Ltd. 
to provide a real-time visibility, threat detection, and rapid threat containment solution.</p><p>TÜV Rheinland and SecurityMatters announced a strategic partnership to help worldwide industrial services clients detect and remediate cybersecurity threats.</p><p>Virsec entered into an alliance with Raytheon to help defend government and critical infrastructure entities from advanced cyberattacks.​</p><h4>GOVERNMENT CONTRACTS</h4><p>Kent Police and Essex Police will deploy Axon cameras, along with licenses on</p><p>Dedrone announced a partnership with Defense Innovation Unit Experimental, a U.S. Department of Defense organization, to experiment with technology for assessing, measuring, and responding to adversarial unmanned aircraft systems.</p><p>Ellipse Global will supply mobile base camps to support field operations under a contract with the U.S. General Services Administration. </p><p>ESO announced that its Electronic Health Record and Fire Incidents software platforms were chosen by the Indianapolis Fire Department to collect and analyze data and comply with reporting requirements for the National Emergency Medical Services Information System and the National Fire Incident Reporting System.</p><p>Uruguay's Ministry of the Interior worked with the Uruguayan Football Association and H&O Tecnología to implement Herta facial recognition technology for three major football venues. </p><p>The U.S. Department of Homeland Security Science and Technology Directorate's Silicon Valley Innovation Program awarded a contract to iProov to help U.S. 
Customs and Border Protection improve the passenger entry operation process.</p><p>MSA Safety Incorporated will provide G1 self-contained breathing apparatus and accessories to the Metropolitan Fire Brigade and Country Fire Authority in Victoria, Australia.</p><p>NC4 announced that the Lansing Police Department chose the NC4 Street Smart solution to support community-based, problem-oriented, and data-driven policing strategy.</p><p>Neurotechnology completed a multibiometric voter registration deduplication project for the Democratic Republic of the Congo, working directly with the Independent National Electoral Commission. It compared 46.5 million multibiometric facial and fingerprint voter records in less than two months and identified more than 5.3 million duplicates.</p><p>The United Kingdom's Serious Fraud Office is using OpenText Axcelerate to expedite its investigations by automating document analysis.</p><p>QinetiQ North America was selected for the engineering and manufacturing development phase of the U.S. Department of Defense Common Robotic System (Individual) program. </p><p>A Sielox layered security solution is securing New Jersey's Upper Township School District.</p><p>Israel Police selected Siklu wireless links to secure the Gay Pride Parade in the City of Jerusalem.</p><p>The U.S. Transportation Security Administration chose Unisys to secure, operate, maintain, and protect screening equipment in U.S. airports.</p><p>VirTra, Inc., received a purchase order for its training simulators under a contract with the U.S. Department of State.</p><p>WidePoint Corporation received an award from U.S. 
Customs and Border Protection for cellular wireless managed services.</p><p>Spokane Valley City Hall in Washington has integrated video surveillance, access control, and intrusion systems, specified by Coffman Engineers and configured and installed by EVCO Sound & Electronics.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>Mission 500 presented its Corporate Social Responsibility Award to Altronix Corporation. </p><p>Amika Mobile announced that its Amika Mobility Server platform for critical and emergency communication was selected as the Best Emergency Communication Solution by Security Products and Security Today Magazine for the fourth year in a row.</p><p>Attivo Networks and Exabeam were among the 2018 Best Places to Work listed by the San Francisco Business Times and the Silicon Valley Business Journal. </p><p>Bates Security won a SAMMY award for Integrated Installation of the Year for a school security project. The project involved Sonitrol of Lexington, Bates Security, and 3xLOGIC collaborating on an advanced access control system for Frederick Douglass High School in Lexington, Kentucky.</p><p>Camden Door Controls received UL 294 listing for its new electric strikes.</p><p>The Texas Committee for Employer Support of the Guard and Reserve recognized Delta Risk with the Pro Patria Award in the Small Business category.</p><p>Essence Smart Care was awarded the 2018 SilverEco & Ageing Well International Award for its Care@Home Smart Alerting solutions. 
</p><p>HGH Infrared Systems won the SECONA Shield 2018 Award in the category Innovative Product of the Year - Hardware CCTV.</p><p>Middle Atlantic Products was recognized with two Stellar Service Awards by the readers of Systems Contractor News for its Middle Atlantic website and design services.</p><p>Milestone Systems announced that Soko Aoki won its Milestone Community Kickstarter Contest 2018 for integrating XProtect VMS with 360-degree enabled cameras and a head-mounted display.</p><p>Pivot3 won multiple technology awards for the latest version of its critical video surveillance software platform. The honors include a 2018 MVP Award from Security Sales & Integration, a 2018 Government Security Award from Security Today, and a 2018 Secure Campus Award from Campus Security and Life Safety. </p><p>Safe-T Group Ltd. announced that its Reverse-Access Technology was granted a patent from the U.S. Patent and Trademark Office.</p><p>Sectra's encrypted smartphone was approved by the European Union for the communication of information at the RESTRICTED security level. </p><p>The Security Industry Association (SIA) announced winners of the SIA New Product Showcase Awards Program. IPConfigure was recognized with the Best New Product award for its Orchid Core VMS for AXIS Camera Application Platform. The Judges' Choice Award was presented to Allegion for its Von Duprin Remote Undogging and Monitoring Kit. The judges presented awards in a total of 29 product and service categories. Find the full list of winners at </p><p>Security Innovation won eight Info Security Product Guide Global Excellence Awards, including a Grand Trophy prize.</p><p>Securonix announced that its Next Gen SIEM solution was recognized as the top security information and event management solution in the 2018 SC Magazine Trust Award for the Best SIEM Solution.</p><p>Sielox LLC named Milsk Company Inc. as its 2017 manufacturer's representative firm of the year. 
</p><p>Trillium Secure, Inc., took home the grand prize at CyberTech Asia 2018 for its SecureIoT cybersecurity suite and cybersecurity as a service business model.</p><p>The University of Ryerson granted Privacy By Design Certification to the Vision-Box Identity Management Platform Orchestra. </p><p>VITEC announced that its EZ TV video wall processor won the Best of Show Award at the 2018 NAB Show from Sound & Video Contractor magazine.​</p><h4>ANNOUNCEMENTS</h4><p>Ben-Gurion University of the Negev and University of Washington researchers have developed a new method to detect fake accounts on most types of social networks, including Facebook and Twitter.</p><p>Bold Technologies introduced its new learning and training platform, BoldU.</p><p>Camden Door Controls launched an enhanced switch-selection wizard on its website.</p><p>Clery Center and StopHazing partnered to develop a data-driven Hazing Prevention Framework based on principles of prevention science and findings from the Hazing Prevention Consortium. The partners released the Hazing Prevention Toolkit for Campus Professionals.</p><p>Corporate Investigative Services is celebrating 30 years in business.</p><p>Critical Start completed the acquisition of Advanced Threat Analytics.</p><p>Datavant acquired Universal Patient Key, a provider of HIPAA-compliant de-identification services for healthcare data.</p><p>Memphis-based Electronic Security Specialists purchased required commercial fire alarm accounts from neighboring Frase Protection. 
</p><p>The Gaming Standards Association launched its new Blockchain Committee.</p><p>The California Hotel and Lodging Association partnered with Guardian Group to provide all hotel members with the Guardian Seal Recognition and Response Training to prevent human trafficking.</p><p>Honeywell opened an industrial cybersecurity center of excellence in Asia, with the support of the Singapore Economic Development Board.</p><p>InfoArmor, Inc., unveiled a new brand identity, with a redesigned website, an updated logo, and an improved user experience.</p><p>KPMG acquired cybersecurity firm Egyde to help clients with cybersecurity risks.</p><p>Mavin Technologies is offering Mavin Prime, a free edition of Mavin's Security Management Platform that supports up to eight readers.</p><p>NuState Energy Holdings, Inc., changed its name to Visium Technologies, Inc., to reflect the company's primary focus on technology and cybersecurity. </p><p>OnSSI released The Hardening Guide for Networked Video Surveillance Systems. The free downloadable guide provides specific recommendations for applying cybersecurity measures to protect systems from potential threats.</p><p> released free security software utility PDF Page Lock, which enables users to lock or hide selected pages of a PDF document with a password encryption.</p><p>PeopleFacts and SNH Capital Partners I, LP, acquired TRAK-1 to create a leading competitor in the U.S. 
background screening market.</p><p>Polaris Alpha recently opened a new laboratory designed to help federal agencies understand the impact of the Federal Communications Commission's auctioning of communications spectrum.</p><p>Qualys, Inc., acquired the software assets of 1Mobility of Singapore.</p><p>RapidDeploy installed its computer-assisted dispatch platform in the testing laboratory at the Internet2 Technology Evaluation Center at Texas A&M University.</p><p>ShotSpotter published the 2017 National Gunfire Index.</p><p>Spearfish West Africa opened in Abuja, Nigeria, as a subsidiary of Spearfish Security. </p><p>Tourism Malaysia announced the launch of My Tourist Assist, a mobile app to support safe travel for tourists in the country. The app was developed by UST Global and managed by Jana Tiga Holdings Sdn Bhd.</p><p>VirtualArmour International Inc. established the VirtualArmour Academy, a new institution for cybersecurity education and training.</p><p>VOTI Detection opened new global headquarters in Montreal to produce leading-edge x-ray security scanning systems.</p> Newsroom Shooting Highlights Challenges of Securing Open Offices<p>A 38-year-old Maryland native allegedly opened fire on an Annapolis-based newsroom, killing five people and providing a grim reminder that security best practices are not one-size-fits-all. </p><p>The suspected shooter, Jarrod W. Ramos, had a longstanding grievance with <em>The Capital Gazette</em> stemming from the paper's 2011 coverage of a harassment charge against him. He pursued—and prolonged—legal action against the reporter, publisher, and judge involved. He also started a website and several Twitter accounts berating the newspaper. 
</p><p>In 2013, the paper and one of the targeted reporters contacted police to discuss filing a restraining order or misdemeanor charges due to the prolonged harassment but ultimately decided to not follow through for fear of further antagonizing him, <a href="" target="_blank">the <em>Baltimore Sun</em> reports</a>.  </p><p>The reporter and the publisher involved in the legal proceedings from more than seven years ago no longer work at <em>The Capital Gazette.</em></p><p>"If you fire somebody or have an incident with them, it's typical to feel that their retaliation is going to be in the near future, but that's not necessarily true," says Michael Crane, CPP, security consultant and attorney at Securisks. "You hear stories where people come back after a year or two—and in this case, it was after five or more years."</p><p>Crane—who is also the chair of the ASIS Active Assailant Working Group—notes it appears that the paper followed security best practices after the threats escalated in 2013.</p><p>"Between his lawsuit and the threats that he made, that certainly should have given them an increased sense of surveillance or security," Crane says. "What you want to do in that type of situation is conduct an assessment to harden your facility. I'm assuming that part of the newspaper contacting the police was putting in access control on a locked front door so nobody could just walk in without being buzzed in."</p><p><em>The Capital Gazette</em> shares a building with several other commercial tenants. The shooter entered through the building's rear entrance and, despite closed access to the newsroom, was able to enter by shooting through a glass door or window. 
<em>The Capital Gazette</em>—like many newsrooms and office spaces—has an entirely open floorplan, with glass windows all around the room, reporters working at desks in the middle, and half-walls along one side for editors' offices, <a href="">according to CNN</a>.</p><p>As the gunman proceeded to systematically fire his 12-gauge pump-action shotgun along the room, some employees ran to the back door. However, before entering the building, the gunman had barricaded the door. One man who tried to force the door open was shot and killed. </p><p>The rest of the employees hid as best they could under desks and behind filing cabinets. After less than two minutes of shooting, police arrived and the shooter ceased his attack to hide under a desk, before being captured by responders.</p><p>"The police were there in 60 to 90 seconds—that's absolutely tremendous and should be applauded," says Kevin Doss, CPP, PSP, CEO at Level 4 Security. "However, five people were killed in less than 90 seconds. These happen quickly, so performing a threat assessment, hardening facilities, planning procedures, and training are all critical—you're only going to have a split second to react."</p><p>Building a training program based on an organization's specific needs and threat points--and that implements both physical security measures and procedures--is imperative for success, Doss explains. Media organizations, for example, are higher-risk targets because they publish news that is bound to cause grievances. </p><p>"You can take a basic program, and then we talk about site specifics, and that’s where a risk assessment is critical," says Doss. "You can’t use a cookie-cutter approach to an asymmetrical threat like active shooter because that threat can change characteristics. 
People are going to have a plan of attack before they show up, and this guy did—he had a plan to lock people in."</p><p>Doss has trained U.S. federal agencies using the U.S. Department of Homeland Security's Run. Hide. Fight. active shooter protocol and now uses a similar approach when training organizations. He notes that he is working with more companies that have open offices—often featuring open workspaces and glass instead of walls and doors. Active shooter training must account for this increasingly-popular type of workspace, he tells <em>Security Management.</em></p><p>"Look at your workspace from a survival capability," Doss says. "If it was all open space, there are very few places to hide. At that point train yourself--what could I do if a shooter gets here? If door is barricaded, look at breaking a window or looking at another method. That’s where training comes into play because you don’t want to figure that out during an emergency. You want a planned course of action to train on. If you’re not trained on it, you won’t know to do it."</p><p>Crane agrees, noting that even open office environments should ensure that there are safe places to hide, such as bathrooms or conference rooms with locked doors. Doss points out that while glazing is common in many offices and allows for natural surveillance, it's also the weakest barrier. Hardening that vulnerability by using polycarbonate or bulletproof glass, or adding a shatterproof film, can help in such instances. </p><div><p>Crane discusses the challenge of assessing the true danger of a person—either an insider or someone in the community—with a longstanding grudge. Threat assessment teams are helpful in keeping track of terminated employees or customers or people who have been making threats.</p><p>"You have to look at active assailant as a subset of a workplace violence incident, which has been going on for years," Crane explains. 
"The majority of our workplace violence incidents are domestic related and can spill into the workplace. However, as rare as it is, active assailants do happen. Recognizing behavior and doing something about that behavior, contacting the police, increasing security, limiting access into your facilities, training as to run-hide-fight, those are the only things you can really do."</p><p>Doss says threat assessments not only help harden a facility but allow for the detection of potential bad actors. While good assessments are costly, he recommends high-risk organizations conduct them yearly. </p><p>"I may not be a threat this year, but I may be escalating toward becoming an actual threat, and the only way you’re going to find that out is to track these types of incidents or behaviors," Doss notes. "Active shootings never happen all at once, there’s always a building and progression--some type of behavioral issues prior to them committing the act. That’s where we have an opportunity to identify these behavioral characteristics and intercede."<br></p><p>For small businesses and houses of worship, there are a plethora of resources on how to conduct a threat assessment and make sure every employee receives basic active shooter training. "This problem is only getting worse, and we need to become more proactive from organizational side of things because we have a responsibility to provide safe workplace for employees," Doss says.​</p><p>The shooter had to be identified via facial recognition software because the fingerprint analysis system was taking too long. Police searched his home in Laurel, Maryland, about 30 minutes from the newsroom, and found evidence of the origination of the planning. He is being held without bail and has been charged with five counts of first-degree murder. Security at newsrooms across the country has been increased as a precaution. 
</p></div> People Shot in Maryland Newsroom <h4>What we know</h4><ul><li><p>Alleged gunman Jarrod W. Ramos opened fire with a pump-action shotgun at <em>The Capital Gazette </em>newsroom in Annapolis, Maryland.</p></li><li><p>Five employees were killed: <a href="" target="_blank">Rob Hiaasen,</a><a href="" target="_blank"> Wendi Winters,</a><a href="" target="_blank"> John McNamara,</a> <a href="" target="_blank">Gerald Fischman,</a> and<a href="" target="_blank"> Rebecca Smith</a>. Click on each of their names to read more about these individuals as written by their former colleagues.</p></li><li><p>Ramos is in custody and has been charged with five counts of first-degree murder.</p></li><li><p>Ramos had a history of grievances with <em>The Capital Gazette, </em>including a defamation lawsuit that was dismissed in 2012.</p></li><li><p>ASIS International has made available <a href="" target="_blank">soft target and active shooter resources</a> for security professionals.</p></li><li><p><em>Security Management </em>will continue to update this post as more information is confirmed. </p></li></ul><h4>Shooting demonstrates vulnerabilities of run. hide. fight. response</h4><p><strong>UPDATE 5:00 p.m., June 29, 2018</strong></p><p><em>The Capital Gazette, </em>like many newsrooms and office spaces, has an entirely open floorplan, with glass windows all around the room, reporters working at desks in the middle, and half-walls along one side for editors' offices. </p><p><em>Security Management </em>spoke to two security experts about how organizations can take into account their office plans when conducting active shooter response training. </p><p>"Look at your workspace from a survival capability," says Kevin Doss, CPP, PSP, CEO at Level 4 Security. 
"If it was all open space, there are very few places to hide."</p><p><a href="/Pages/Newsroom%20Shooting%20Demonstrates%20Vulnerabilities%20Of%20Run%20Hide%20Fight%20Response.aspx" target="_blank">Read the full article here.</a></p><h4>More details emerge on shooting</h4><p><strong>UPDATE 1:40 p.m., June 29, 2018</strong></p><p>Alleged gunman Jarrod W. Ramos <a href="" target="_blank">appeared in court this morning </a>via a livestream feed where he was ordered held while facing five charges of first-degree murder. Ramos has not entered a plea.</p><p>Ramos was identified late Thursday night using a facial recognition system after a fingerprint identification system took too long to analyze the results.</p><p>In a press conference after Ramos's court appearance, Anne Arundel County state's attorney, Wes Adams, shared additional information about the incident. <em>The New York Times</em> reports that Adams told reporters that the gunman barricaded the back door to the newsroom to prevent people from fleeing. One of the victims attempted to escape through that door.</p><h4>5:08 p.m. Update</h4><p>The suspected shooter that was taken into custody is not cooperating with officials,<a href="" target="_blank"> according to CNN</a>. The shooter was found with no ID or identifying information on him. Five people were killed, and several are gravely wounded after the shooter opened fire with a shotgun. Police arrived at the newsroom about 60 seconds after the shooting began, according to CNN sources, and were able to interrupt the shooter and end the massacre. Law enforcement is also present at the <em>Baltimore Sun </em>out of precaution, although there have been no direct threats to that newsroom. </p><p>Maryland Governor Larry Hogan and President Donald Trump have responded to the shooting, praising law enforcement response and offering thoughts and prayers to the victims and their families. 
</p><h4>4:45 p.m. Update</h4><p>Anne Arundel County executive Steve Schuh announces that several people were killed in the shooting. "Those fatalities are so sad and I don't know what to say except our thoughts and prayers are with them and their families and we take comfort knowing they're in God's embrace," he said.</p><h4>Original Story</h4><p>Multiple people were killed in a shooting at the Capital Gazette newsroom in Annapolis, Maryland this afternoon. Anne Arundel police responded to the shooting, and one person has been taken into custody. The Bureau of Alcohol, Tobacco, Firearms and Explosives also responded to the incident. The building is being searched and officials are evacuating employees and reuniting them with their families. The number of casualties is unclear, but Capital Gazette crime reporter Phil Davis tweeted that he was in the newsroom when a single gunman shot through the glass door to the office and at multiple employees. 
He said he heard the gunman reload his weapon in the middle of the attack, and also reports that some of his colleagues are dead.<a href="" target="_blank"> In an additional interview with<em> The Baltimore Sun</em>, Davis said he and his colleagues were still hiding under their desks when the gunman stopped firing, at which point police were able to arrest him. “I don’t know why. I don’t know why he stopped,” Davis told the Sun.</a></p><p><em>The Baltimore Sun</em> reports that Anne Arundel County police spokesman Lt. Ryan Frashure would not confirm the number of injuries or fatalities until the building is secured. A spokesperson for the University of Maryland Medical Center <a href="" target="_blank">told CNN</a> that one patient was taken to the hospital. </p> Charleston International Airport Modernizes Security with Pivot3 <p>Charleston International Airport is the second-fastest growing airport in the United States, with passenger counts jumping 70 percent since 2010. The airport recently completed a $200 million upgrade to its terminal to modernize and meet increased passenger demand. Along with this modernization, it wanted to invest in a new state-of-the-art IT system to support operational efficiencies, including for its security, surveillance, and access control systems. That’s when it turned to the Hyperconverged Infrastructure solution from Pivot3. 
<em>Security Management</em>'s Holly Gilbert Stowell interviews Ira Campbell, director of IT and security at CHS.</p> How the “Artificial Intelligence of Things” is Transforming Video Security <p>The creation of the Internet is rightfully seen as revolutionary for its wholesale transformation of how we use and share information around the world. Many now look to the Internet of Things (IoT) in a similar way. That's because—as a vast cyber-scape of data from electronic sensors and other machine-generated sources —the IoT is now indexing our world with unprecedented granularity for remarkable new levels of visibility, efficiency, and decision support. </p><p>IoT includes everything from environmental gauges and telemetry from industrial machines, to wearable fitness monitors and inventory sensors on grocery shelves. Impressive as these and other examples may be, however, the IoT is best understood less as a revolution in and of itself—and more as a transition toward an even greater revolution that we call the Artificial Intelligence of Things, or AIoT. </p><p>Indeed, this article will propose that AIoT—the infusion of AI and machine learning throughout the IoT ecosystem for new levels of automation and performance—is a revolution on a par with the Internet itself or the sequencing of the human genome. In short, that AIoT is a paradigm shift where digital capabilities develop a kind of consciousness; where intelligent systems distributed across the IoT become self-learning and self-decisioning. 
Against this backdrop, the article will examine how AIoT is redefining what's possible for video security.<br></p><p><strong>AI and Machine Learning </strong></p><p>In the nearly two decades since the term "Internet of Things" was coined, sensors, actuators and networked intelligence have made their way into every corner of society—from homes and cities to industry, energy exploration and environmental monitoring. It's no surprise, then, that <a href="">Gartner</a> forecasts IoT growth at some 26 billion units, more than $300 billion in revenue and $1.9 trillion in global economic value by 2020. By the following year, Gartner <a href="">predicts that new IoT devices will be sold</a> at a rate of one million every hour. As another measure, ID​C shows sensor signals from embedded systems—a major IoT component—<a href="">will make up 10 percent of the entire digital universe</a> by the end of the decade. </p><p>The progress is nonstop, with eye-popping innovation examples from the early days (such as chip-enabled light bulbs for remote activation) quickly becoming eclipsed by more advanced IoT applications (such as modern, smart LED street lights networked together to let municipal managers see, hear, and sense conditions across an entire city).</p><p>Especially at scale, IoT-driven efficiency ​gains of even one-percent can have major impacts over time—big data generated by planes can save $30 billion worth of jet fuel over 15 years, for example, according to a<a href="" target="_blank"> March 2015 report by GE. ​</a></p><p>However, the vast majority of IoT applications remain focused on gathering data and decision support. What if the vast IoT network could be leveraged for more than that? What if advances in machine learning and AI could be overlaid onto the IoT for distributed systems that become more predictive, self-learning and even self-decisioning? That's the definition of AIoT, and it's already happening to some extent today. 
</p><p>For example, the global engineering giant <a href="">Siemens</a> employs an intelligent sensor network embedded in locomotive engines that can anticipate and predict a part failure before it happens. Machine learning helps identify false positives and give a clear prediction of actual part failures. All of this happens in real time and at scale (the sensor data from just one fleet of trains can fill 100 billion lines of code). Reliability is such that the system allows one rail line between Barcelona and Madrid to offer full refunds to any traveler delayed more than 15 minutes. </p><p>Sharp has also developed an <a href="">AIoT augmented kitchen</a> that talks and consults with users about preferred cooking methods, and educates itself by learning a family's preferred cooking routines and food preferences. Neither of these examples would be possible just with AI or just with IoT alone. It's when the intelligence and self-learning of AI is combined with the connectivity and sensory power of IoT that the transformational capabilities of AIoT emerge. These and other advances in AIoT are tailor-made for some of the most daunting challenges faced by the security industry. </p><p><strong>The Challenge of Scale </strong></p><p>More than anything, the security video sector is suffering from a crisis of scale, as an avalanche of content outpaces the human ability to monitor all the data. Unfortunately, the gold standard of one screen to one person is a fantasy for most cost-conscious security centers. And in fast moving environments like casinos or nightclubs, a person can reach cognitive overload at just five screens. Against those human limitations is the exploding growth of data: Today, more than billions of hours of security video are recorded each day. The stark reality is that much of that footage is essentially ignored until something – some disaster or accident – occurs.  
</p><p>The IoT has made various "intelligent video systems" possible, but the vast majority of such systems aren't intelligent enough to contend with the deluge of data or get proactive enough to make a difference. Visual recognition, for instance, is a constant struggle. Part of the problem involves the complex and data-rich nature of security video. To get a sense of this, just convert the amount of information a human processes visually into digital terms. <a href="" target="_blank">About 30 percent of cortex neurons in the brain are devoted to visual processing</a> (compared with eight percent for touch and just three percent for hearing), according to <em>Discover Magazine</em>. When you consider how any security video system must approximate this level of performance, you begin to understand the challenge.  </p><p>Particularly troublesome are the false alarms that might be triggered by something as simple as blowing wind or a camera tremor. Unfortunately, as a decision support tool for operators, these limited IoT-driven systems trigger so many false alarms that the most frequent decision made by the operator is to simply turn the system off. </p><p>Thankfully, just as AIoT and machine learning minimized the false alarms for Siemens, AIoT can weed out false alarms and add nuanced understanding to both real-time and historical video security. It's just one of many advantages AIoT can bring to our industry through the ability to learn from experience and constantly improve performance with little to no human intervention.</p><p><strong>Self-Learning AIoT Systems</strong></p><p>Let's take a closer look at AIoT and how it can address some of the video security sector's toughest challenges. 
Given how humans quickly get overloaded watching multiple screens, AIoT can give a much-needed assist – detecting accurately, and in real time, suspicious activity like unauthorized entry, physical violence, loitering and wall-scaling.</p><p>AI derives its power from algorithms and processes that replicate human intelligence, judgment and learning; and perhaps the greatest AI approach is machine learning. Machine learning techniques can be applied to security video through what's known as a convolutional neural network ("CNN") involving advanced deep learning algorithms that work with learning cameras to handle object detection, image classification, visual tracking and action recognition.</p><p>The simplest CNNs are good at answering straightforward yes-or-no questions, i.e., "Is there a person in the video?" But advanced machine learning can take the analysis even further, identifying everything in the photo and creating probability maps about behaviors. Such probability maps are what power advanced video capabilities like human intrusion alerts, fight detection, object recognition and people-counting.</p><p>Assuming IoT infrastructure, graphics, and cloud capabilities are powerful enough, machine learning can analyze large amounts of visual information to learn from examples, programmed configurations and historical data. This self-learning happens as the computer examines many examples of behavior and builds models to identify those behaviors more accurately and quickly in the future. </p><p>As new examples and data come in, the system gets better at recognizing nuances in those behaviors. Those nuances may come in the form of discerning a false alarm from a real threat (a cat scaling the wall instead of a cat burglar, for example). They can also improve established security video capabilities. For instance, consider object detection: Most commercial systems today are fairly adept at detecting objects at a fairly close range of 20 feet. 
But what about at longer distances, say 150 feet away? If one has data from the highest resolution camera available, long-range object detection is made easier by applying machine learning to that data to pick out appearance and movement subtleties. </p><p>As another example, machine learning can apply experience and context to identify specific behaviors with remarkable accuracy. Consider the fight detection function mentioned earlier: It's one thing for a security video system to detect aggressive behavior in an otherwise sedate setting, such as a disruptive person at a church service or seated concert. But what if one is monitoring the mosh pit of a punk rock concert? How can you distinguish the dancing from something truly destructive or dangerous? AIoT and the right machine learning capabilities could make all the difference in such situations. </p><p><strong>The Future of AIoT</strong><br></p><p>The previous examples illustrate how AIoT can revolutionize video security performance to operate more proactively at scale. But whatever the AIoT application may be, success relies on several important factors:<br> <br><strong><em>Data quantity and quality</em></strong> are crucial. Machine learning models rely on the quantity and quality of the data flowing into them in order to deliver the fastest and most accurate performance. It helps if the system is optimized—from camera to cloud—for compatibility, so that performance isn't affected by confusing anomalies and differences in a stream, image size, or other parameter that might negatively impact performance. <br><em> </em><br><strong><em>Processing power</em></strong> is another important ingredient. Consider the example of self-driving cars: Even if the key systems of perception, prediction and motion planning for autonomous drive are well-designed, processing power can make the difference between the car being able to drive itself at five miles per hour versus 50 miles per hour. 
Similarly, AIoT detection of events in real-time and at scale relies on high-speed processing systems that can support that level of performance. Indeed, processing power is often the difference between a proof of concept in a research lab and commercially available systems for use in the real world.<br><br><strong> <em>Workforce expertise</em></strong> is a third ingredient to consider; and finding the right people to design and operate AIoT systems may be harder than you think. Some estimates put the number of people with adequate AI skills and training at less than <a href="" target="_blank">10,000 worldwide</a>, according to startup Element AI Inc. That means top talent will be in high-demand.  <br><br><strong><em>Connectivity between capabilities</em></strong>, systems and databases will have a transformative effect on what can be achieved in security video systems with AIoT. We mentioned object detection earlier. Imagine that object is a man, and imagine that your system is able to detect that person from far away. Now imagine connecting that image with facial recognition systems, which then could be tied to a missing persons database. You begin to see how AIoT-driven security video might be a life-saving, real-time tool to thwart an abduction.  <br><br>The above examples demonstrate that AIoT is more than just one capability or innovation. It is instead the result of numerous innovations and resources that—taken together—are the building blocks for powerful systems that will transform the security video industry. It's also clear that AIoT security video is more than just a cost-saving measure to augment what humans can do. Instead, the technology is advancing our industry and will continue to unlock new capabilities and use cases that the world has yet to imagine. <br><br><em>Shawn Guan is CEO of Umbo Computer Vision. 
</em></p> Four Challenges Facing Aviation Security <p><em style="text-align:justify;">Anthony McGinty, CPP, is a senior intelligence analyst at CSRA Inc, contracted to Los Angeles International Airport. He is a member of the ASIS Council on Global Terrorism, Political Instability, and International Crime.</em></p><p style="text-align:justify;"><strong>1. Airports as cities. </strong>The traditional problems of cities are finding their way into airports: homelessness, mental health problems, drug abuse, petty and complex crime, and civil disobedience. For security and law enforcement agencies, the challenge is to carry out first-responder duties while at the same time identifying threats with major consequences for aviation operations. Both functions require specific and distinct skill sets. Security directors have to balance assets, personnel, and operations to mitigate the risks both of public disturbances and to national security.</p><p style="text-align:justify;"><strong>2. International terrorism. </strong>Commercial aviation will remain an attractive target for militant and extremist groups. The public side of airports, bordering the security screening area, is vulnerable to an assortment of terrorist attacks, including indiscriminate shootings, luggage containing explosives, weaponized drones, and vehicle rammings. Thousands of technically competent and ideologically motivated militants who are withdrawing from the collapsing ISIS caliphate could regroup under new banners, join Al Qaeda affiliates, or act independently.</p><p style="text-align:justify;"><strong>3. 
In-flight disruptions. </strong>Every week, media reports and Internet videos show the latest outrages inside aircraft cabins: brawls, alcohol-fueled tirades, sexual assaults, and resistance to flight attendants' instructions. This trend of disputes and violence during flights at 30,000 feet (10,000 meters) is potentially dangerous. If placing a security officer on board is not enough, solutions may include institutional changes in the relationship between crew and passengers. For example, some instances of human trafficking using commercial airlines are so common that crews are now being trained to identify the indicators and act. This is one more example of the crew's changing role, from facilitators of comfort to enforcers of rules and laws.</p><p style="text-align:justify;"><strong>4. Insider threats. </strong>Terrorist groups could enlist airport employees to circumvent security screening, especially employees with direct access to aircraft. Some employees have also smuggled drugs, weapons, and other items. It takes only one radicalized or disgruntled employee to commit an act that leads to a catastrophic incident, which makes dealing with insider threats a priority. Airports and airlines are implementing their own strategies to mitigate these threats. For the most part, this effort has involved security checks for all employees, or some select groups, before they enter restricted areas. Technology can also support these efforts. New analytic capabilities embedded in video and access control systems can now provide a sophisticated surveillance tool. 
Likewise, in-house policies with rigorous internal "If you see something, say something" efforts are essential.</p><p style="text-align:justify;"><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Management<em> is not responsible for errors in translation. Readers can refer to the </em><a href="/Pages/Four-Challenges-Facing-Aviation-Security.aspx" target="_blank"><em>original English version here.</em></a></p> 2018 ASIS News <h4>GSX Program Unveiled</h4><p>In April, ASIS revealed a jam-packed education lineup for Global Security Exchange (GSX), formerly the ASIS International Annual Seminar and Exhibits. Featuring a record 300-plus sessions led by subject matter experts from ASIS, InfraGard, and Information Systems Security Association (ISSA), the education covers the most pressing issues facing security professionals today. </p><p>The learning covers a diverse range of topics from "Security for Events and Mass Gatherings" and "Digital Data in the Age of Breaches and Theft" to "Selling Security Requirements to the C-Suite." </p><p>Building on the exciting changes launched in 2017, the sessions will be delivered in more modern formats including immersive small group workshops, deep dives, and simulation formats, as well as traditional lectures and panels.</p><p>"With the different tracks GSX offers, it allows you to really hone in on the areas you're interested in," says longtime attendee Brian Reich, CPP, senior vice president and head of global security and investigations, TD Bank. "There are so many options and learning levels that it allows practitioners at every stage of their career to focus in on specific areas of interest and learn something new to better their organization. 
Combine that with walking around the show floor, and you have new insight into the products and services you're looking for."</p><p>The education continues beyond the classroom. In addition to Career Center and Impact Learning Sessions held directly on the show floor, the GSX exhibit hall doubles as a learning lab environment. Demonstrating innovation in action, more than 550 of the industry's leading solutions providers will showcase new and emerging technologies, such as immersive reality, machine learning, robotics, and drones. In addition, three interactive learning theaters will feature a series of fast-paced presentations that focus on the past (lessons learned), the present (threat analysis, best practices, and benchmarking), and the future (anticipating what's to come). </p><p>GSX takes place September 23-27 in Las Vegas, Nevada. Save up to $200 on the All-Access Pass when you register before June 29. For the complete list of sessions and to view registration packages, visit​</p><h4>WILL I SEE YOU THERE?</h4><p>A personal perspective on GSX18</p><p>By Jeffrey A. Slotnick, CPP, PSP</p><p>"Global Security Exchange (GSX) is coming soon to Las Vegas. Will I see you there?" An interesting question that I often receive from colleagues. I attended my first annual event in 2003 and I have not missed one since. "Why?" you might ask. What motivates me to make the financial investment to attend year after year?</p><p>Simply, it is the personal and professional relationships that continue to grow. It is the new products on the show floor, the great conversations as I travel from one event to the other, the keynote speakers who always motivate me to do better, and the fun! It's a lot of fun!</p><p>But let's take a deeper dive. I have made long-lasting friendships with colleagues from all over the world. 
I have come to know some of the most knowledgeable and influential people in the industry—who provide perspective from Africa, Central America, South America, the Middle East, and Europe. I do not need to know everything, I just need to know someone who knows what I need. At GSX, I get to confer with 20,000 or more colleagues. Many of these friendships have also led to business because we all want to do business with someone we know and trust.</p><p>I know the vendors of products I use and recommend for my clients. Some of my vendor contacts are relationships I first made in 2003 on the show floor or in a training session or coffee break, and they now work at the executive level in their organization. Now, if I need to know about a product or a new offering, I can simply call the person who is the subject matter expert on that product and receive direct information from design engineers, or even the company's vice president.</p><p>Fun! Did I mention fun? The President's Reception, professional lounges, Foundation activities, golfing, motorcycles, cigars with friends, vendor events, and, yes, the occasional adult beverage.</p><p>So, this is my personal perspective and why I continue to invest in GSX year after year. My budget does not allow me to attend every industry conference. I get the most out of my investment at GSX, from educational opportunities, vendor information, professional development, and friendships. 
I find it all in one place for five very intense days—and I always return motivated, optimistic, happy, and occasionally with a new project.</p><p>Please feel free to reach out to me on the ASIS Connects community platform to continue the conversation.​</p><h4>WHITE PAPERS</h4><p>Two councils published white papers in the first half of 2018—the Information Technology Security Council's Security on the Internet of Things: An ESRM Perspective and the Cultural Properties Council's Hostile Surveillance Detection for Houses of Worship.</p><p><strong>Internet of Things: An ESRM Perspective</strong></p><p>The idea behind the Internet of Things (IoT) is that we have come to expect our technology to be readily accessible from anywhere via any interface we choose. We want to start our cars from our phone, lock our front door from our computer, or turn on the crockpot from a tablet. To do that, all those devices must be able to communicate with us, with the outside world, and with each other.</p><p>According to the paper, the IoT brings a new level of mobile management to every aspect of consumer and business activities. However, it also provides convenient access for criminals who want to exploit those things. "More access points provide more opportunities for attackers to get in. More communication provides more online traffic to siphon information from. More control provides more ability to hijack that control."</p><p><strong>Surveillance Detection for Houses of Worship</strong></p><p>Terrorists often gather significant pieces of information from open sources such as Google Maps and social media postings. They collect a lot of data about their target of interest and eventually they will conduct physical surveillance. 
Physical surveillance allows them to study the location, focusing on how they will attack, how they will escape, when the attack will create the most devastation, and what form of attack will be most effective.</p><p>So, how do you know if someone is watching your facility?</p><p>This paper provides tips on what to look for and actionable steps to take to identify and counter surveillance detection of a facility. Although the practices are tailored to houses of worship, the document serves as a valuable guide for all facilities, especially soft targets, that are trying to understand, identify, and mitigate hostile surveillance.</p><p>Both white papers can be found on the ASIS website. Search "Understanding IoT" and "Hostile Surveillance."</p><h4>ASIS EUROPE 2018</h4><p>Rotterdam, The Netherlands, was the site of ASIS Europe 2018, held April 18-20. Themed "Blurred Boundaries—Clear Risks," the conference drew 775 registrants from 52 countries for two days of networking, exploring the exhibit floor, and sampling the 70 educational sessions that discussed issues facing security professionals today and tomorrow. </p><p>Attendees navigated a broad sweep of risks—from the malicious use of the latest emerging technologies to the dangers of low-tech attacks, particularly on soft targets in public spaces. Other topics included the human factor and the insider threat, and ever-present responsibilities like travel risk management and duty of care.</p><p>Two featured speakers—Tom Raftery, global vice president, futurist, and innovation evangelist at SAP, and Scott Klososky, founding partner at Future Point of View—examined the security landscape of our connected, digital future.</p><p>"Terms like Internet of Things and connected devices will soon disappear, because everything being connected will simply become the new normal," says Eduard Emde, CPP, ASIS Europe 2018 conference chair. 
"We heard that technology is very much the jugular vein of organizations, confirming that for security practitioners, the bottom line is that enterprise security risk management approaches—which cover the full sweep of human, cyber, and physical assets—are essential for supporting our organizations through partnerships and shared strategic objectives."</p><p>On the exhibit floor, innovations ranged from the latest integrated access control and surveillance technology to self-learning cyber defenses and mass communications platforms. Knowledge-driven solutions were also strongly represented, from intelligence and risk analysis to executive protection and workforce training programs.</p><p>ASIS Europe 2019 will take place in Rotterdam March 27-29, 2019. Visit to learn more.</p><h4>CPP STUDY MANUAL</h4><p>ASIS has begun to develop a new study manual for the Certified Protection Professional® (CPP) exam. </p><p>The Society has received a significant amount of feedback relating to the recommended reading materials and the need for content organized in a way that better supports the certification domains. ASIS recognizes the need to address this gap and to provide security practitioners with the tools necessary to facilitate exam preparations and promote professional development and advancement. The project is led by volunteers and staff and launched in May with a call for experts. Stay tuned for updates in the coming months.</p><h4>ASIS TV</h4><p>ASIS is partnering with Chuck Harold of Security Guy Radio/TV to livestream interviews with ASIS members and industry thought leaders throughout 2018, expanding content delivered on ASIS TV via the ASIS Livestream channel. 
Harold will further showcase member expertise by representing ASIS at select industry tradeshows across the United States.</p><p>"Chuck Harold has decades of security experience and has built a reputation for helping security professionals across the globe make more informed decisions," says Ron Rosenbaum, ASIS chief global marketing and business development officer. "This partnership is an exciting step forward for ASIS as we diversify how we provide information and resources to the profession. These ASIS TV broadcasts offer expanded access to security best practices, engage new audiences, and ensure that industry professionals are able to stay ahead of the security curve."</p><p>In 2018, Harold will broadcast on behalf of ASIS TV from Black Hat USA this August and will conduct interviews from the ASIS booth at the IACP Conference. ASIS TV coverage at Global Security Exchange (GSX) will include livestreaming from the expo floor, key education sessions, and networking events throughout the week.</p><p>"This is a terrific opportunity to showcase the depth and breadth of our industry—the career paths, subject matter expertise, as well as the technical and service innovations that help protect our people, property and information assets," says Harold. "I am excited, honored, and proud to partner with ASIS, and look forward to engaging with the industry in this new capacity." </p><p>View security expert videos at​</p><h4>ASIS LIFE MEMBERS</h4><p>ASIS congratulates Cheryl D. Elliott, CPP, PCI; James B. Princehorn, CPP; and Harvey M. Stevens, CPP, who have been granted lifetime membership to ASIS.</p><p>Elliott has been a dedicated member of ASIS and the Greater Atlanta Chapter for 20 years. She served on the Professional Certification Board for many of those years, and she is now a member of the Investigations Standards Committee.</p><p>Princehorn, an ASIS member for 28 years, is a member of the Fire and Life Safety Council. 
He also served the Rochester, New York Chapter as chapter chair and in other leadership positions. Princehorn has also volunteered as a regional vice president, assistant regional vice president, and member of the Awards Committee.</p><p>Stevens served ASIS many years as a member of the Physical Security Council. He spoke at 10 ASIS educational programs during his 32 years as an ASIS member and a member of the New York City Chapter. </p><h4>Member Book Review</h4><p><em>Security Surveillance Centers: Design, Implementation, and Operation<br></em>By Anthony V. DiSalvatore, CPP, PCI, PSP. CRC Press;<br>204 pages; $79.95.</p><p>Author Anthony V. DiSalvatore believes that the particular topic of surveillance centers has not gotten the attention it deserves. In <em>Security Surveillance Centers: Design, Implementation, and Operation</em>, he creates a complete resource on the subject in a compact, easy-to-understand format.</p><p>The author offers a history of security surveillance centers. In the beginning, they were usually divided into a security office proper and a monitoring room or dispatch center. For a variety of reasons, among them economics, safety issues, and synergy, they have largely become one. Two points of value emerge in combining them: the economics of avoiding redundancy in the security department and the opportunity for professional development of the monitoring employees, who are given more responsibility and feel more important to the team. </p><p>DiSalvatore lays out exactly what is required for a security surveillance center so that it can be budgeted for accordingly. Among these budget items are design, installation, operation, technology requirements, maintenance, and replacement. He further explains who should be included in the creation of a surveillance center, such as the IT department to not only help develop the system but to partner with security to improve efficiency and trust. 
</p><p>Besides the budget, the center's incorporation into the overall security plan is important. Various duties, such as key control, monitoring alarms, organizing patrols, and other routine tasks must be accounted for. Managers must prioritize procedures to include what to monitor and how, evacuations, and even fire command, depending on the size and scope of the center. The author winds down with the addition of chapters on ethics, legal issues, auditing of the center, training, and policy. A relevant checklist of potential duties involving a center, test questions, a glossary, and types of forms complete the work. </p><p>Educational, relevant, and easy to understand, this book is a worthwhile read for any mid- to upper-level security manager as well as those who work in security design. </p><p>Reviewer: William F. Eardley IV, M.L.S. (Master of Liberal Studies), has 31 years of experience in security and corrections. He is a member of ASIS International.</p> the Schoolyard<p>Relationships between students and campus law enforcement have been key to establishing an environment of safety and security at Delaware Valley School District, which encompasses 200 square miles in northeastern Pennsylvania.</p><p>"Kids have come to the police officers…and told them about potential threats that we've been able to curtail before they've happened," says Christopher Lordi, director of administrative services for the district.</p><p>About eight years ago, the rural district decided to employ its own sworn police force and hired five officers, including a chief of police. It has since added a sixth.</p><p>"Having a police force not only gives us a presence of an armed person to counteract any issues that we may have, but it also allows us to create relationships with students," Lordi says.  
</p><p>The officers are a presence on the three campuses that make up the district. They may be found teaching and conducting Internet safety classes and anti-drug programs. </p><p>"Not only are they our first line of defense, but they're also relationship builders, and they create positive environments where kids will feel comfortable to come and tell them things," Lordi says.​<img src="/ASIS%20SM%20Callout%20Images/0618%20Case%20Study%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:246px;" /> </p><p>Still, the officers and faculty can't be everywhere at once when incidents do occur, which is why the district installed a camera and video management system (VMS) about 10 years ago. </p><p>"It doesn't matter how many administrators you have, how many teachers you have, how many officers you have," Lordi notes. "They can't be everywhere at once, so the cameras allow us to be in those places when somebody can't." </p><p>As the original cameras and VMS were becoming outdated, Delaware Valley's board was supportive of purchasing a new system. The district worked with integrator Guyette Communications of Plymouth, Pennsylvania, and chose the Vicon Valerus VMS system, as well as approximately 400 cameras, also from Vicon. Installation began in March 2017 and ended just before the new school year began in August. </p><p>The cameras, the majority of which are the 3 megapixel IQeye Alliance dome model, were installed inside and outside of the district's eight buildings. The Vicon Cruiser domes with 30x optical zoom were purchased for the parking lots to better read license plate numbers. Campus police have access to a license plate database, so no license plate recognition software is needed, but Vicon does integrate with such software should customers need that feature. 
</p><p>In addition to feeding into a central video server at a district-wide monitoring station, each building has its own local recording capability and stores video for a set number of days. </p><p>Delaware Valley is expanding a career and technical education wing, which includes 25,000 square feet of classrooms and workspace. The school plans to install more cameras there.  </p><p>The district police force is responsible for managing the VMS, and each officer has a hardwired PC monitoring station to view video feeds. Campus police also have access to footage via iPhones purchased by the district and use them to see what's going on at their campuses. </p><p>"When we need to view something quickly our officers can go right on their iPhones and view it right from there, which is handy if you don't have the ability to get back to your computer," Lordi says. </p><p>Giving all officers access to the entire district's camera feeds was also crucial. "We did that for backup purposes," he says. "If anything were to happen on one of the campuses, all of the officers—after they secure their buildings—can go on and be the eyes and ears for our officers on those other campuses."</p><p>Soon after the cameras were installed, the new system led to the capture of a thief. In the spring of 2017, when a laptop went missing, the video was reviewed in the general time frame that the incident occurred. It revealed an employee going into an administrative office with a garbage bag, then coming back out. </p><p>"We could zoom in, and you could see that the bag was significantly larger when the employee came out," Lordi notes, adding that the old camera system would not have been clear enough to identify the culprit. The footage was turned over to local police, who apprehended the employee. That person has since resigned. </p><p>The detail captured by the cameras also helped solve an incident in the parking lot. 
Lordi notes that the main campus is in a high-traffic area, which can attract unwanted activity. </p><p>"We were able to pull the license plate from one person that had an incident on campus...and track the person down," Lordi explains. "It just provides another layer of security, so we know who's on the campus and what time they leave the campus."</p><p>While the district currently hands footage over to law enforcement after the fact, it's working on a memorandum of understanding with local police and hopes to establish a network that allows police to view video from the campuses live. "We're currently working on a strategy to get them involved beforehand," Lordi says. </p><p>With the combination of its police force and the camera system, Delaware Valley has seen a significant reduction in incidents on campus. </p><p>"When our officers first started we had something like 200 to 250 incidents that our administrators were dealing with; I think last year we had 36," he says. </p><p>The Valerus VMS and cameras give campus police and administrators peace of mind about their ability to solve incidents, and ultimately keep students safe. </p><p>"It allows us to feel secure knowing that it's going to be on camera if someone doesn't view or witness it live," Lordi says. "We can always view it on the cameras later."  </p><p><em>For more information: Dee Wellisch, 631.952.2288. </em></p> on the Record<p>It was, in the opinion of some experts, a long overdue action. But it finally came. On March 15, 2018, the U.S. federal government issued sanctions against Russia for its interference in the 2016 U.S. elections and malicious cyberattacks on critical infrastructure.</p><p>"The administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. 
elections, destructive cyberattacks, and intrusions targeting critical infrastructure," said U.S. Treasury Secretary Steven T. Mnuchin in a statement. "These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia."</p><p>The sanctions targeted five entities and 19 individuals for their roles in these activities and prohibit U.S. persons from engaging in transactions with them. Mnuchin also said that the department intends to impose additional Countering America's Adversaries Through Sanctions Act (CAATSA) sanctions to hold Russian government officials and oligarchs accountable.</p><p>The economic penalties are an attempt to punish Russians for their role in various forms of cyberactivity, including the NotPetya attack, which the White House and the British government have attributed to the Russian military.</p><p>NotPetya "was the most destructive and costly cyberattack in history," Mnuchin said. "The attack resulted in billions of dollars in damage across Europe, Asia, and the United States, and significantly disrupted global shipping, trade, and the production of medicines. Additionally, several hospitals in the United States were unable to create electronic records for more than a week."</p><p>The sanctions were also in response to the efforts of Russian government cyber actors in targeting U.S. government entities and critical infrastructure—including energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors—since at least March 2016. </p><p>Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, says that the United States should be "very concerned" about these attacks.</p><p>"For one, they could cause prolonged electrical outages and blackouts because our electrical grid infrastructure lacks sufficient redundancy to sustain these attacks," Bilogorskiy explains. 
"In the worst-case scenario, cyberattacks on nuclear power plants could cause them to explode and cost human lives."</p><p>One example of a near-worst-case scenario was the recent incident targeting Schneider's Triconex controllers at Saudi Arabia's power plants. A cyberattack hit its systems, Bilogorskiy says. It was intended to cause an explosion, but an error in the attack's computer code caused it to fail.</p><p>To educate network defenders on how they can reduce the risk of similar malicious activity in their networks, the U.S. Department of Homeland Security (DHS) and the FBI released a joint technical alert detailing Russia's campaigns to target critical infrastructure. </p><p>"DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks," the alert said. "After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to industrial control systems (ICS)."</p><p>The alert split the victims of Russia's activity into two categories: intended targets and staging targets. Russia targeted peripheral organizations, such as trusted third-party suppliers with less-secure networks, which the alert calls staging targets.</p><p>"The threat actors used the staging targets' networks as pivot points and malware repositories when targeting their final intended victims," the alert explained. 
DHS and the FBI "judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the 'intended target.'"</p><p>Compromising these networks involved conducting reconnaissance, beginning with publicly available information on the intended targets that could be used to conduct spear phishing campaigns.</p><p>"In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information," the alert said. "As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background."</p><p>After obtaining information through reconnaissance, the threat actors weaponized that information to launch spear phishing campaigns against their targets that referred to control systems or process control systems. These campaigns tended to use a contract agreement theme that included the subject "AGREEMENT & Confidential," as well as PDFs labeled "document.pdf."</p><p>"The PDF was not malicious and did not contain any active code," the alert said. "The document contained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password."</p><p>The phishing emails also often referenced industrial control equipment and protocols and used malicious Microsoft Word attachments—like résumés and curricula vitae for industrial control systems personnel—to entice recipients to open them.</p><p>Additionally, the hackers used watering holes to compromise the infrastructure of trusted organizations to reach their intended targets.</p><p>"Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure," the alert said. 
"Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content."</p><p>The threat actors were then able to collect users' credentials that would allow them to log in to their profiles elsewhere. They also used this access to compromise victims' networks where they were not using multifactor authentication.</p><p>"To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets," according to the alert.</p><p>Once the attackers had gained access to their intended targets, they used that access to infiltrate workstations and servers on corporate networks that contained data on control systems within energy generation facilities. The attackers also copied profile and configuration information for accessing ICS systems. </p><p>This method of compromise is not new and has been demonstrated in cyberattacks on the corporate sector over the past few years, says Tom Patterson, chief trust officer at Unisys.</p><p>"Just as with the Target cyber breach several years ago, they first attacked supply chain partners, which are often less protected, and then used their access to compromise the actual target company," Patterson explains.</p><p>The level of access the attackers were able to gain is concerning, Patterson adds, because it could potentially give them the ability to disrupt functions of critical infrastructure, such as providing heat in the winter. 
</p><p>"Since many of these ICS devices are connected to corporate networks in today's enterprise, and oftentimes they are older devices built on insecure operating systems, this gives the threat actors and their political or economic masters the ability to disrupt or destroy systems at the push of a button," Patterson says.</p><p>Brian Harrell, CPP, former operations director of the Electricity Information Sharing and Analysis Center and director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC), agrees with Patterson that these kinds of attacks are not new.</p><p>What is new, says Harrell—now president and CSO of the Cutlass Security Group—is that the United States is choosing to acknowledge and attribute the activity, publicly, to Russia. </p><p>"While attribution is often difficult, nation-state actors like Russia likely have the most interest in compromising industrial control networks, not to necessarily take anything, but to prove they can access our systems and cause us to feel unsettled," he explains. </p><p>While the U.S. government has taken the approach to name and shame, Harrell says he thinks it's unlikely that the public actions will deter Russia's behavior.</p><p>"Unfortunately, the current DHS alert, legal indictments, sanctions, or public shaming will not have any effect on Russian cyber intrusions," he adds. "However, we must continue to increase pressure until they change their behavior and become a responsible member of the international community."</p><p>In the meantime, the FBI and DHS recommend that network administrators review the IP addresses, domain names, file hashes, and other signatures that were provided in the alert. The agencies also recommended adding certain IP addresses cited in the alert to their watch lists.</p><p>"Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity," according to the alert. 
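The watch-list and perimeter netflow review that the alert recommends can be scripted. The Python below is an added example, not code from DHS, the FBI, or the article; the watch-list entries, internal range, and flow records are constructed placeholders (RFC 5737 documentation addresses), and the CSV column layout is an assumption.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed watch list: RFC 5737 documentation addresses stand in for the
# indicators published in the alert, which this page does not reproduce.
WATCH_LIST = ["192.0.2.15", "198.51.100.0/28", "203.0.113.77"]

# Constructed internal address space (an assumption for this example).
INTERNAL_NETS = ["10.0.0.0/8"]

# Constructed perimeter netflow export; the column layout is an assumption.
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,bytes
2018-03-16T08:01:12,10.20.4.31,192.0.2.15,443,tcp,18230
2018-03-16T08:01:40,10.20.4.31,203.0.113.10,443,tcp,5120
2018-03-16T09:15:03,198.51.100.9,10.20.7.8,443,tcp,940
2018-03-16T09:15:59,10.20.7.8,198.51.100.9,49152,tcp,76100
2018-03-17T02:44:10,10.20.4.31,192.0.2.15,443,tcp,402000
2018-03-17T02:50:00,not-an-ip,10.20.4.31,80,tcp,100
2018-03-17T03:00:00,10.20.9.9,10.20.4.31,445,tcp,2000
"""


def load_networks(entries):
    """Turn single addresses and CIDR blocks into ip_network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def in_any(addr, networks):
    """True if addr falls inside at least one of the networks."""
    return any(addr in net for net in networks)


def review_flows(flow_csv, watch_list, internal_nets):
    """Aggregate flows between internal hosts and watch-listed addresses.

    Returns (hits, skipped): hits maps (internal_host, watched_addr) to flow
    count, bytes per direction, ports and first/last seen; skipped counts rows
    that could not be parsed, so a damaged export is noticed, not ignored.
    """
    watch = load_networks(watch_list)
    internal = load_networks(internal_nets)
    hits, skipped = {}, 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            when = datetime.fromisoformat(row["start"])
            size = int(row["bytes"])
            dport = int(row["dport"])
        except (KeyError, TypeError, ValueError):
            skipped += 1
            continue
        if in_any(src, internal) and in_any(dst, watch):
            host, remote, direction = src, dst, "out"
        elif in_any(src, watch) and in_any(dst, internal):
            host, remote, direction = dst, src, "in"
        else:
            continue  # no watch-listed peer on this flow
        rec = hits.setdefault((str(host), str(remote)), {
            "flows": 0, "bytes_out": 0, "bytes_in": 0,
            "first": when, "last": when, "ports": set()})
        rec["flows"] += 1
        rec["bytes_" + direction] += size
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
        rec["ports"].add(dport)
    return hits, skipped


def summarize(hits):
    """Rank host/watch-list pairs by total bytes, largest first."""
    rows = []
    for (host, remote), rec in hits.items():
        span = (rec["last"] - rec["first"]).total_seconds() / 3600
        rows.append({"host": host, "remote": remote, **rec,
                     "span_hours": round(span, 1)})
    return sorted(rows, key=lambda r: r["bytes_in"] + r["bytes_out"],
                  reverse=True)


if __name__ == "__main__":
    found, bad_rows = review_flows(SAMPLE_FLOWS, WATCH_LIST, INTERNAL_NETS)
    for r in summarize(found):
        print(f'{r["host"]} <-> {r["remote"]}: {r["flows"]} flows, '
              f'{r["bytes_out"]} B out, {r["bytes_in"]} B in, '
              f'{r["first"]} to {r["last"]}')
    print(f"unparsed rows: {bad_rows}")
```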
</p><p>The two agencies also compiled a list of 28 actions for network administrators to take in response to Russia's activity, including monitoring virtual private networks for abnormal activity, deploying Web and email filters, and segmenting critical networks and control systems from business systems and networks.</p><p>"What DHS is recommending, at the end of the day, are properly built ICS networks, monitored so organizations can detect attacks and are plugged into external threat intelligence, with incident response plans and board-level strategic roadmaps," Patterson says.</p> 911<p>Overall, 2017 was a landmark year for catastrophic natural disasters in the United States, leading to dozens of deaths and revealing weaknesses in emergency response systems. Two regions were hit particularly hard—the Houston, Texas, area where more than 80 people were killed during a hurricane in August, and northern California where wildfires were responsible for more than 40 deaths in October.</p><p>These multiday disasters were far-reaching and overwhelming—for both citizens and first responders. During the Houston floods, overloaded 911 dispatch centers led hundreds of people to turn to social media for help, and kayak-paddling citizens pitched in to help rescue efforts. 
Criticism of emergency response during the California wildfires was swift—evacuation warnings during the rapidly evolving blaze were either delayed or nonexistent, and emergency lines were constantly tied up.</p><p>After-action reports by state and local officials are still being conducted, but the emergency communications failures have left citizens, law enforcement, and legislators looking for solutions.</p><p>The question of how people can seamlessly use their phones for a myriad of activities yet not use that same technology when calling 911 has been asked for years as mobile devices have become the standard—more than 80 percent of 911 calls are made from wireless devices. There is a mobile-friendly solution—albeit one that has not been widely adopted. Known as Next Generation 911 (NG911), the program is IP-based and would allow citizens to call, text, and send multimedia transmissions to dispatch centers, which would have enhanced response capabilities. </p><p>Many of the problems experienced during the Texas and California disasters—especially overloaded phone lines—could be avoided with such a system. NG911's enhanced location capabilities and ability to reroute calls to other dispatch centers would allow for more seamless emergency response, especially during high-volume call times.</p><p>While potential for such emergency communications technology improvements has been discussed for almost a decade, there is no federal requirement for dispatch centers to upgrade 911 technology, and it's up to states and localities to implement—and pay for—the new system. Legislation was passed in 2012 that outlines the federal role in helping communities transition to NG911 and calls on the U.S. National Highway Traffic Safety Administration (NHTSA) to coordinate efforts among U.S. federal, state, and local stakeholders. 
The overarching goal of the legislation is to connect the more than 6,000 independently operating systems in the United States into a nationwide interconnected system with modernized capabilities. </p><p>The U.S. Government Accountability Office (GAO) reviewed these federal efforts—known as the National 911 Program—and found that key challenges include addressing funding, governance, and interoperability and technology concerns. This year, NHTSA is planning to implement a $115 million grant program and outline a roadmap dictating national-level efforts to encourage NG911 adoption at the state and local levels.</p><p>"Collaborating with the appropriate federal agencies to determine federal roles and responsibilities to carry out the roadmap's national-level tasks could reduce barriers to agencies effectively working together to achieve those tasks," the GAO report states. "Furthermore, developing an implementation plan that details how the roadmap's tasks will be achieved would place the National 911 Program in a better position to effectively lead interagency efforts to implement NG911 nationwide."</p><p>At the end of the day, however, it's still up to each of the country's almost 6,000 dispatch centers to make the upgrade, if they choose. A U.S. Federal Communications Commission (FCC) congressional report released at the end of 2017 surveyed almost all states on their NG911 implementation efforts, finding that many were taking some steps to pave the way for the upgrades but they face funding challenges. </p><p>The FCC report details how dispatch centers are raising money to implement NG911 capabilities—a huge hurdle for localities, experts say. The National 911 Program commissioned a study last year assessing the cost of nationwide NG911 implementation, but it has been under review for months and has not been released publicly. 
However, some officials estimate it will cost $10 billion to implement across the country.</p><p>Officials at each state and locality are taking a different approach to raising money—often a combination of state funding and increased fees for phone subscribers. However, not all money raised so far is dedicated to upgrading 911 services. In 2016, states raised more than $2.7 billion in 911 fees, but only 7 percent of that money was spent on NG911 efforts versus maintaining legacy systems. Additionally, about 5 percent of the money collected was diverted to nonpublic safety uses, the report notes.</p><p>Localities also face challenges collecting subscriber fees. It's up to telecommunications companies to collect the fees and give them to the states and localities that have implemented them, but 20 states lack the ability to audit the companies to make sure they are collecting fees from all applicable subscribers. It's a common concern—counties are required to notify telecom companies of the fee increase and trust they will pay up.</p><p>One county in Nevada—one of the states that is unable to audit telecom companies—has one of 12 emergency communications systems in the United States that is three generations old. In trying to upgrade its system to NG911, the county implemented an increased subscriber fee in 2016 but has not received the expected amount of money due to sporadic telecom payments. The county expected to collect $150,000 for NG911 by now but has only received about $46,000.</p><p>Many localities are waiting for the NHTSA grants to become available, but experts agree that $115 million across almost 6,000 dispatch centers will not go far. 
In March, representatives of emergency communications organizations requested that Congress consider funding its own grant program for NG911.</p><p>"Without significant federal funding, we are concerned that 911 networks across the country, including in rural and urban areas, will not be upgraded quickly and efficiently," the letter notes.</p><p>"The grants will not cover it all—there will need to be significant local funding," says Andrew Huddleston, an assistant director at the GAO who worked on the NG911 report. "The grants are there to provide financial assistance—that's why we highlighted funding as a key challenge area for the states, because it can be a significant cost."</p><p>Huddleston says he visited several dispatch centers and saw how funding was a challenge for small and large communities alike.</p><p>"It can be more challenging for local governments that might have a smaller tax base, and even for larger ones because they have more infrastructure," Huddleston explains. "We visited a fairly large call center in an urban area that would seem like they had more resources than average, but they did talk about how during the transition time they would have to maintain their legacy 911 system as well as bring the NG911 system online—so basically paying for both while they are transitioning. That's hard from a money perspective."</p><p>Other challenges to nationwide NG911 implementation include interoperability and technology challenges. Thirteen states have deployed IP networks for local emergency services to use, but most dispatch centers remain on legacy networks, the report notes. An estimated 1,800 centers can receive text messages, but there is no data on how often citizens text instead of call emergency services. One Houston emergency operations center reported that it only received a handful of texts during the height of the floods, compared to tens of thousands of calls and hundreds of posts on social media. 
</p><p>While being NG911 compliant requires a set list of capabilities—securely using additional data for routing and answering calls, processing all types of calls and multimedia, and transferring calls with added data to other call centers or first responders—there are several ways to implement the upgrades. Even if two neighboring states are NG911 compliant, they may not have seamless interoperability if they are using different equipment or software solutions, the GAO report notes.</p><p>"The systems are supposed to be all interconnected—if you call one call center and it's overloaded, that call can be transferred to the next center seamlessly, and they can answer the call, so you still get emergency response and not put on hold," Huddleston says. "To be able to do those things you have to have interoperability. There are multiple software solutions that could be employed for NG911, so that's definitely something state and local governments will need to be willing to consider."</p><p>An IP-based emergency communications system will have to address cybersecurity challenges as well. The FCC report notes that in 2016, just eleven states and the District of Columbia had spent money on cybersecurity for their dispatch centers. Additionally, the GAO report discusses the federal government's role in assisting dispatch centers in strengthening their cybersecurity when switching to the new system. The U.S. Department of Homeland Security (DHS) issued a guide outlining cybersecurity risks of NG911 and what centers could do to mitigate them, the report notes.</p><p>"We talked about cyber risk because we're moving to an IT system, and that opens potential for different kinds of attacks than you'd have with the traditional 911 system," Huddleston explains. </p><p>Indeed, Baltimore's computer-based 911 system experienced outages in March due to a ransomware attack. 
The program that the city uses automatically populates the caller's location and dispatches the emergency responders closest to the caller, but the attack shut down the system for about 24 hours, requiring call centers to manually dispatch first responders.</p><p>Another challenge facing dispatch centers is setting up technology and guidelines for dealing with photos and videos sent through NG911. None of the states that GAO spoke with were processing multimedia through their 911 systems due to concerns related to privacy, liability, and the ability to store and manage the data.</p><p>"We highlighted multimedia as a challenge, since one of the intentions of NG911 is to allow not just voice calls but also video or images to be part of what citizens can share when they're trying to contact 911," Huddleston says. "But that creates challenges on the end of the 911 call centers—what do they do with the video? They have protocol for phone calls, but video is a different beast in terms of what to look for if there are privacy concerns." </p> Distant Clearings<p>To all those looking to obtain a U.S. federal security clearance, you may have a bit of waiting to do. There are approximately 704,000 people ahead of you in the queue.  </p><p>Executive branch agencies are unable to investigate and process personnel security clearances in a timely manner, says the U.S. Government Accountability Office (GAO), which found that, by September 2017, there was a backlog of more than 700,000 cases. Clearance expert Evan Lesser, president of, put the backlog number at around 704,000.</p><p>"The backlog is a huge issue. It is a national security concern, without a doubt," Lesser tells Security Management.  </p><p>Others agree with Lesser. 
In January, the GAO added the governmentwide security clearance process to its "high-risk list" of government programs. Although the agency plans to do a regular update of the risk list in early 2019, in this case it decided to announce a special early addition, given the importance of the clearance process. According to U.S. Comptroller General Gene Dodaro, the process is crucial in minimizing the likelihood of classified information disclosures, and also in ensuring that information about individuals with questionable behavior is identified and assessed.</p><p>Security clearance reform is not a new subject in Washington. Roughly a decade ago, the GAO put the Personnel Security Clearance Program (then administered by the U.S. Department of Defense) on its risk list, in large part because the time frame to receive a clearance was averaging 128 days. But by 2010, after clearance time was reduced to about 49 days, the GAO removed the high-risk designation. </p><p>But processing times have been rising steadily. In 2012, 73 percent of U.S. federal agencies did not meet clearance timeliness objectives. In 2016, that number rose to 98 percent, the GAO found. </p><p>Now, for the first quarter of 2018, processing times for Top Secret security clearances were 534 days, and 221 days for Secret and Confidential security clearances. "That's one of the main reasons for the 700,000 backlog," Lesser says. "Companies are throwing their hands up. They can't wait [534] days. It's truly a mess."</p><p>The process can also be frustrating for the applicant, especially a first-timer. There is no real feedback loop in the process, so many applicants wait with no idea of how long it will ultimately take. "A lot of them don't want to wait around for the clearance to finish, and they wind up exiting that process," Lesser says. 
And some applicants "get spooked" that the interminable delays must mean that the government has found out something dark and disturbing about their background.</p><p>"It's a big, big problem. It gives the government a black eye, so to speak. It's a bit of a public relations issue," Lesser says.</p><p>Besides the backlog and the processing delays, GAO also identified several other problems with the current clearance process: a lack of long-term goals for increasing investigator capacity to address the backlog; a failure to identify milestones for establishing governmentwide performance measures to ensure quality background investigations; delays in completing key clearance reform initiatives; and concerns about a new information technology system for the personnel security clearance process.</p><p>One of the big reasons for clearance delays is that the investigation and adjudication processes are spread out across the government. Currently, the National Background Investigation Bureau (NBIB), the main investigative arm of the government, provides 95 percent of the investigations; the FBI conducts background investigations for White House staff. </p><p>But once investigations are complete, the NBIB turns over the file to the requesting agency, which then makes the decision on the clearance. Although the adjudication guidelines are similar for all agencies, the criteria are applied differently. So, an applicant may apply for an intelligence community clearance with the CIA and be denied, but afterwards apply for a similar position with the Department of Energy, and have the clearance granted.</p><p>For at least a few decades, DoD has used interim clearances as a temporary measure, so that new personnel can start working without having to wait until full clearance is granted. But with the recent delays, some employees have been working under interim clearances for a year or more. "That is not good," Lesser says. 
"That's a bit of a risk."</p><p>This potential risk involved in interim clearance situations came into focus for many in February, after former White House Staff Secretary Rob Porter resigned under fire after domestic abuse allegations by two former wives became public. When Porter resigned, he had been working in his position (which gave him access to some classified materials) for a year and had not yet been granted full clearance. </p><p>Episodes such as this have spurred some lawmakers on Capitol Hill to push harder for legislation aimed at bolstering the clearance reform process. In mid-March, the U.S. Senate passed the Securely Expediting Clearances Through Reporting Transparency (SECRET) Act, which is aimed at addressing problems in the security clearance process to ensure both classified information protection and reasonable clearance times. </p><p>The legislation is an expanded version of a bill that passed the U.S. House last year. If the House now approves the Senate's expanded version, it will then go to President Trump to be signed into law.  </p><p>"This [clearance] backlog can hurt our local economy and is a threat to our national security. In addition, recent reports of individuals in the Executive Office of the President holding security clearances when they shouldn't have are very concerning," U.S. Rep. Steve Knight (R-CA), the bill's sponsor, said in a statement. "The SECRET Act addresses both of these concerns by improving accountability and encouraging more responsive processing of clearances."</p><p>Meanwhile, other reform efforts at federal agencies will likely continue. In an interview, Lesser singled out a few endeavors that he believes could make a significant difference. Although hiring more background investigators will never solve the problem by itself, it could at least be part of a broader solution, he explains. 
Moreover, investigators are now allowed to use social media information in their investigations, and this new source could speed up investigations, he adds. </p><p>Lesser also argues for deploying a better prioritization system on the backlog of 700,000-plus clearances. For example, clearances for positions with the greatest national security impact should be moved to the front of the line. In addition, having more reciprocity of clearance among agencies, so each branch would not have to do a separate adjudication of each investigation, could also help. </p><p>And a reform effort that involves a form of continuous evaluation may also hold promise, Lesser explains. The idea here is to keep loose tabs on clearance holders, so that potentially disturbing activities could be detected in near-real time, rather than conducting entire reinvestigations every time a clearance needs to be renewed. </p><p>Finally, many have pushed for IT modernization, and this could also help. Some of the security clearance process is "stuck in the 1950s," with investigators driving to-and-fro for face-to-face interviews, and generating reams of pen-and-ink notes. </p><p>"You'd be shocked," Lesser says.</p> in Transit<p>It was a busy morning in December 2017 as a woman boarded the London Underground's Central Line service. While she was on the train, Malcolm Schwartz, 19, also boarded. He approached her and exposed himself, pressing into her.</p><p>The next month, Schwartz boarded the Underground again and assaulted two women, touching and pressing himself against them inappropriately. 
Later in January, Schwartz once again rode the Underground and stood closely behind a woman, touching her inappropriately as the train traveled through London.</p><p>All four women reported their experiences to the police, and the British Transport Police's Sexual Offences Unit was able to use their reports to trace Schwartz. He was apprehended and pleaded guilty to four counts of sexual assault. </p><p>"Schwartz's behavior was perverse," said DC Thomas O'Regan from the police's Sexual Offences Unit in a press release. "Over a two-month period of time, he traveled on busy Central Line trains assaulting women for his own sexual gratification. His conduct was outrageous, and I am pleased we were able to catch him."</p><p>As part of the punishment for his crimes, Schwartz is now banned from using the London Underground and Docklands Light Railway network and prohibited from sitting next to women traveling alone that he does not know.</p><p>"This complex case demonstrates the true value in reporting unwanted sexual behavior to police," O'Regan said. "The victims each provided us with clear accounts of what happened, enabling us to clearly identify Schwartz as the perpetrator. Reports such as theirs help us catch offenders and ensure that justice is delivered."</p><p>But just a few years earlier, those reports might not have been made. A 2013 survey by Transport for London (TfL)—London's transit authority—found that one in 10 of its customers experienced unwanted sexual behavior while using the system. Yet, 90 percent of those individuals did not report the incidents to the police.</p><p>TfL's findings mirrored a wider trend in transit security—that unwanted sexual behavior is pervasive, and few victims ever report the incidents to the authorities. 
These incidents can also act as barriers for women who want to use public transit but feel unsafe doing so.</p><p>"The lack of personal security, or the inability to use public transport without the fear of being victimized—whether on public transport, walking to or from a transit facility or stop, or waiting at a bus, transit stop, or station platform—can substantially decrease the attractiveness and thus the use of public transit," according to the Global Mobility Report, published by the World Bank partnership Sustainable Mobility for All in 2017. </p><p><em>Security Management</em> took a look at how two major transportation systems are addressing sexual harassment and unwanted sexual behavior in their systems in an effort to increase reporting and catch perpetrators.</p><h4>The London Approach</h4><p>TfL is responsible for the daily operations of London's transportation network and managing London's main roads. Its system includes the London Underground, London Buses, Docklands Light Railway, London Overground, TfL Rail, London Trams, London River Services, London Dial-a-Ride, Victoria Coach Station, Santander Cycles, and the Emirates Air Line.</p><p>The system serves more than 8.8 million people, according to its most recent annual report, with 31 million services provided. It has more than 12,000 CCTV cameras and 3,000 officers from the British Transport Police and Metropolitan Police Service that are dedicated to policing its network to keep customers safe. 
</p><p>Additionally, its frontline police officers and TfL on-street enforcement officers have received training and briefing on tackling unwanted sexual behavior on public transportation.</p><p>Senior Operational Policy Manager of Compliance, Policing, and On-Street Services Mandy McGregor says TfL knew that sexual offences were widely underreported in society in general and thought this might also be the case for public transportation in London.</p><p>In 2013, TfL conducted its first safety and security survey, which asked people if they had experienced unwanted sexual behavior in the past and if they reported it. Unwanted sexual behavior included staring, groping, rubbing, masturbating, ejaculating, flashing, and taking up-skirt photos with covert cameras.</p><p>"Unwanted sexual behavior is anything that makes you uncomfortable," McGregor says. "You don't have to prove that it was a criminal offense or intentional to report it, we can investigate that for you."</p><p>After the survey was conducted and analyzed, TfL found that one in 10 people had experienced unwanted sexual behavior, but of those victims 90 percent did not report it to authorities.</p><p>To better understand why people weren't reporting these incidents, TfL conducted further research into the survey and discovered four main barriers to reporting.</p><p>The first was normalization, McGregor says, explaining that "some of these behaviors have become so prevalent in society that they have become normalized and are often seen as a social nuisance rather than a more serious problem."</p><p>The second barrier was internalization, a coping mechanism that can be used both in the moment and after an incident occurs.</p><p>"The experience is unpleasant, but threat of escalation often means that people don't respond in the moment; they either ignore it or pretend not to hear it," she explains.</p><p>The other barriers were lack of awareness of the reporting process and a lack of credibility, McGregor 
says.</p><p>"Very few people believed that reporting an unwanted sexual behavior will result in justice, as they perceived there to be a low chance of the perpetrator being caught," she explains.</p><p>Using these insights, TfL crafted a campaign designed to overcome these barriers to reporting by showing that reports matter and will be investigated. The campaign, called "Report it to Stop it," was rolled out on posters, social media, videos, and case studies. It encourages people to report instances of unwanted sexual behavior on public transport through a variety of means, including calling a dedicated criminal reporting line, texting 61016, or speaking directly to a police officer or TfL staff.</p><p>Since its release in April 2015, the campaign films and case studies have been watched more than 35 million times on YouTube. McGregor says the campaign has also reached young people through educational sessions in schools and universities.</p><p>"In its first year in the market, the campaign had a 59 percent recognition rate amongst its target audience and 64 percent of people agree that they are likely to consider reporting," she adds. </p><p>Since the campaign was implemented, TfL has seen a "significant increase" in reports of unwanted sexual behavior in the system. For instance, roughly one year after the campaign was released, TfL saw a 36 percent increase in the number of reported instances.</p><p>"Between April and December 2015, 1,603 reports were made to the police, compared to 1,117 in the same period in 2014," TfL said in a press release. "These reports resulted in a 40 percent increase in arrests for offenses, including rubbing, groping, masturbation, leering, sexual comments, indecent acts, or the taking of photographs without consent."</p><p>"It's also helped trigger a national dialogue on sexual harassment—raising awareness that unwanted sexual behavior should never be accepted as part of the everyday lives of women and girls," McGregor says. 
</p><p>TfL continues to use the "Report it to Stop it" campaign, which McGregor says will continue to evolve until TfL feels that unwanted sexual behavior has been "stamped out" of the network.</p><p>"Every report the police receive helps to build a picture of the offender, so they can be caught and brought to justice," she explains. "Since we launched the 'Report it to Stop it' campaign, we've seen a large increase in the number of people feeling confident to report and, in turn, higher numbers of reports, arrests, and conviction rates."</p><h4>The D.C. Approach</h4><p>In 1976, an interstate compact created the Washington Metropolitan Area Transit Authority (Metro) to develop a regional transportation system that would serve the Washington, D.C., area. </p><p>Metro now has 91 stations across 117 miles of track, and 1,500 Metrobuses that serve a population of approximately 4 million people in a 1,500-square mile jurisdiction spread across Maryland, Virginia, and Washington, D.C.</p><p>Metro also has a sworn police force that investigates crimes, including sexual harassment, that occur on the transit system. Personnel are aided by a robust camera system. Transit police and frontline staff receive special training to handle reports of sexual harassment in the system. </p><p>"Frontline employees are the ones that interact most with the customers, and typically if an officer is not around, we encourage people to report an incident to a Metro employee," says Sherri Ly, spokesperson for Metro. "It's important that our frontline employees also have that training and understanding, when they are dealing with customers reporting incidents of harassment."</p><p>In 2015, Metro—like TfL before it—began to suspect that instances of sexual harassment were underreported on its system. 
To assess the situation, it partnered with Collective Action DC and Stop Street Harassment to conduct its first comprehensive transit safety survey.</p><p>Metro wanted to find out "how do reports of harassment on our system compare to other public transportation?" Ly says. "And what we found was that it's comparable to what we see nationwide."</p><p>Through the effort, Metro found that roughly 20 percent of surveyed people had experienced sexual harassment on public transportation—women were three times more likely than men to experience sexual harassment. Of those incidents, 77 percent of people never reported them.</p><p>Metro also found that 41 percent of survey participants were familiar with its antiharassment awareness campaign at the time. Those who were familiar with it were twice as likely to report an incident of harassment.</p><p>Taking these findings into account, Metro once again partnered with Collective Action DC and Stop Street Harassment to create a new sexual harassment awareness campaign for its system. The new campaign uses the slogans "You have a right to speak up" and "You deserve to be treated with respect."</p><p>The idea behind the campaign is that everyone who rides Metro deserves to be treated with respect, Ly says. "And we want people to know that anyone who feels that they've been the victim of harassment should report that incident."</p><p>The campaign also features a diverse group of individuals, designed to reflect Metro's diverse ridership—men, women, and members of the LGBTQ community, from various ethnic backgrounds.</p><p>"We wanted to be inclusive," Ly explains. "Harassment doesn't just impact one race, one gender. 
Everyone, regardless of what your background is, deserves to ride the system and be treated with respect."</p><p>In addition to creating a new awareness campaign, Metro also created the option for individuals to report sexual harassment incidents and remain anonymous.</p><p>"With harassment and sexual harassment, a lot of times people might be uncomfortable reporting those and having to give their name, so this is a way for someone who wants to remain anonymous to report through our portal, and we will still investigate those claims," Ly adds.</p><p>Individuals can now report incidents via Metro's Web portal, email, text, or in person at a Metro station to any frontline employee or police officer. </p><p>Following the rollout of the campaign in 2017, Ly says Metro has seen an increase in the number of sexual harassment incidents reported. There were 61 reported incidents to its sexual harassment portals in 2017, compared to just 37 the previous year, according to Metro's Semi-Annual Security Report. Of those incidents, 34 were harassment, 16 were criminal nonsexual incidents, and 11 criminal incidents—down from 16 in 2016.</p><p>"We think it's a good thing that we are seeing more and more people reporting, but at the same time you're seeing the number of incidents that rise to the level of criminal declining because we're also sending a message to those that might think about doing something like this that it's not okay," Ly says. "We're putting them on notice—that we take these things seriously, and that if a crime has occurred, we will investigate and hopefully find the person responsible."  </p> Off<p>The year 2016 marked a surge in excitement surrounding how unmanned aerial vehicles (UAVs), or drones, could be used commercially. Amazon had just made its first product delivery by drone. 
Countries began passing drone regulation measures in response to the availability of UAVs and in anticipation of continued industry growth. Research institutes predicted spending on drones to double by 2020; the security industry was expected to be one of the top adopters of drone technology.</p><p>But, despite the hype, security practitioners have been hesitant to adopt the technology and fully integrate it into their security programs.</p><p>"Interest level is off the charts," says Lew Pincus, senior vice president of system solutions at Hoverfly. "There's a lot of new technology, but also that doubt when it's new—security directors tend to be averse to new technology and taking on new risks that are unknown."</p><p>A combination of the seemingly endless possibilities of drone technology, the overwhelming task of acquiring a drone, gaining buy-in, creating operating procedures, and following federal regulations may be giving the security industry pause.</p><p>There's also a lingering perception that UAVs are intimidating, futuristic technology that's meant to take the place of security officers and more traditional security technology. Pincus encourages security managers to consider drones not as an automated instrument meant to replace personnel, but as another tool in their security toolbox, much like cameras or video analytics.</p><p>"I really see it in all sorts of applications, but not replacing security guards as much as augmenting them," Pincus explains. "You still need a response component."</p><p>And, just like any other piece of equipment in the workplace, training is imperative for a successful—and efficient—rollout of a new program, says Josh Olds, cofounder and vice president of operations at the Unmanned Safety Institute. 
This is especially true for drones flown in the United States, where the U.S. Federal Aviation Administration (FAA) has a longstanding set of regulations dictating how aircraft are flown.</p><p>"In this particular industry, it's not just a piece of equipment, it's being flown in the national airspace, which is regulated by the FAA and presents a whole new complexity to the operation," Olds says. "If for some reason an individual isn't properly trained and improperly uses the technology, you can be looking at serious injury, or privacy and ethics violations."</p><p>Olds has a background as a commercial pilot and uses that knowledge to train organizations on how to use drones and properly merge the technology into their operations. Like Pincus, he has seen some hesitation from the security industry to embrace drones.</p><p>"I think a lot of the hesitation comes from the reality that there is a new liability that is being taken on," Olds says. "There's a big facet of this industry that is worried about the risks that come with operating unmanned aircraft. When you're talking about the ability to fly an aircraft that weighs 55 pounds—that's a significant system. If that were to fall out of the sky, it poses a major hazard."</p><p>Despite such concerns, Olds and Pincus agree that the benefits outweigh the challenges of integrating drones into a security organization.</p><p>"The ability to see and get actionable intelligence in the air above where security is being done is very exciting and new to the industry," Pincus says. "And with respect to the active shooter threats at concerts and events—I think the Las Vegas shooting put the spotlight on how vulnerable outdoor events and spectator sports are. 
Having an eye in the sky has become important for public safety."</p><p>Olds says that the key to successfully integrating a drone into an existing safety ecosystem is establishing a strong foundation.</p><p>"If you build the right foundation from the start, a program becomes easily scalable," Olds says. "In the security sector, there are a lot of different aircraft that meet different needs. It's important to understand the business use case, what you're going to use the equipment for, and being able to scale from that."      </p><p>Pincus agrees, noting that planning for how to integrate a drone into a security program should begin before the vehicle is purchased.</p><p>"Setting up a program requires putting all the pieces together of purchasing the right kind of drone—do you need a free-flying drone or a tethered one?" Pincus says. "What is the overall goal, what are you trying to do with a drone? You need to do a review of your site security plan and figure out where UAVs fit into that plan by assessing the threatscape."</p><p>Pincus recommends using case management reports, crime statistics, and other data to determine what kind of drone is needed, whether it's a free-flying drone that can be used periodically along a perimeter to check for anomalies, or a static, persistent aerial view for long stretches of time. Whether or not the drone can be integrated into the existing security operations center should also be considered, he says.</p><p> Another aspect of building a strong program foundation involves in-depth training, which covers far more than just how to operate the equipment, Olds notes.</p><p>"We look at training from an aviation perspective—it's like ground school, you get them educated on airspace, weather, and different facets that affect the operations of the aircraft," Olds explains. "But then you have to train them on the ability to use their crew, the ability to make decisions while in flight—what are the emergency procedures? 
Education is key to implementation—and that's not even talking about the physical, hands-on training."</p><p>Once a security program has purchased the drone that best fits their needs and has undergone training, the next hurdle is becoming FAA compliant. The agency enacted regulations for drones that include obtaining certificates of authorization to operate the drone. An organization may need to obtain waivers from the FAA, including allowances to fly at night, beyond line of sight, or near airports.</p><p>Olds acknowledges that being FAA compliant may feel restricting to security managers who want to use them in those situations that require waivers.</p><p>"The true business use of this application of technology is beyond line of sight or other situations that require waivers. And all the FAA is trying to do is make sure that if a company is implementing this technology in a more complex way—which brings on more risks and hazards—that they are doing it in as safe a way as possible," Olds says.</p><p>Olds urges security directors to consider FAA's larger role in maintaining the national airspace, and the challenges that come with creating regulations for a rapidly growing industry with a wide array of applications and technology.</p><p>"What the FAA has done is take a stairstep approach to regulations in the industry," Olds explains. "The waiver process that is in place to ensure that when an organization says they're going to fly at night, or beyond line of sight, FAA is able to say, 'How are we going to ensure the safety of manned traffic that is already existing in that airspace?'"</p><p>Pincus says he believes federal UAV regulations will continue to evolve as more industries adopt the technology. 
Tools such as video analytics, facial recognition, and data collection that are currently used in integrated surveillance systems could be placed onboard the drone, allowing it to analyze situations—and sound the alarm—in real time.</p><p>"There's some of that type of software available, but it will become more important to tie it in to video management systems and security operations or alarm centers," Pincus explains. "That's where I see the industry going."</p> vs the Cloud<p>Facilities across all industries face an increasing number of security threats, from theft and vandalism, to violent crime, to terrorism. Whether a healthcare provider, school, university, or Fortune 500 business, it's critical to constantly seek new and inventive ways to improve security.  </p><p>In recent years, the cloud has transformed how physical security systems are controlled and managed. Storing security data off-site in centralized data centers delivers several advantages, including automatic data backup and redundancy, robust cybersecurity protections, and automatic software updates without significant up-front capital investment. For mission-critical security functions like access control, these advantages alone are extremely attractive on many levels.</p><p>However, while many end users are embracing cloud-based access control solutions, there is a large percentage who still want an on-premise access control solution. What is the difference between a cloud-based and on-premise access control solution? What are the benefits and challenges with each solution? 
And is there a benefit to implementing some combination of both?</p><p><strong>On-Site Access Control </strong></p><p>Traditionally, access control software platforms are implemented locally, employing on-site servers that are managed daily by internal security, IT personnel, or both. While this option does provide direct control over access control operations in terms of management and control, it does require the internal adoption of the platform as part of the user's responsibility for regular maintenance.</p><p>In many cases, a security integrator will provide scheduled maintenance and updates via on-site visits or remote access to your server, which involves additional costs but is often well worth the investment. There's no doubt that this traditional on-site access control model is proven to be a highly effective physical security solution and will continue to fulfill a core security objective for users around the world. However, it involves capital investment for software and hardware, as well as third-party costs for ad-hoc or contracted services, which can put high-performance on-site access control solutions out of reach for many organizations that need them. </p><p><strong>Cloud-Based Access Control</strong></p><p>Deploying access control via the cloud represents an increasingly important alternative to traditional on-premise access control solutions based on its overall cost and performance benefits. It is also flexible in terms of deployment options.</p><p>Option one is an on-site, user-managed, cloud-based system. The customer purchases or leases the equipment from an authorized reseller or integrator who installs the system and provides training. This option also typically includes a service and maintenance contract with the installing reseller or integrator as part of the hardware sale or lease. 
The end-user's security team is responsible for all programming activity on a dedicated PC (or multiple PCs), including entering, deleting, or modifying names; scheduling; generating reports; and running backup and software updates. The list of functions can also include ID badging as part of the cloud software offering.</p><p>Option two is a remote cloud-based, user-managed integrated system where the equipment is purchased or leased from a reseller or integrator who installs the hardware and provides training. The access control software is in the cloud, and is managed, along with the supporting infrastructure, by the installing reseller or integrator. All backup, software upgrades, system monitoring, programming, scheduled door locking and unlocking, report generation, and other vital access control actions are performed remotely by the reseller or integrator around the clock. In this scenario, the user typically only manages the simple day-to-day functions of entering, deleting, or modifying names, and sometimes badging, through a Web portal that can be accessed remotely. </p><p>In option three, the user still purchases or leases the necessary hardware from a reseller or integrator who also installs the system and provides training. The software resides in the cloud and is completely administered and managed directly from the access control solution provider or manufacturer who maintains the system remotely. </p><p>Both user-managed options above may work well if the user has limited or no IT personnel, as often is the case with franchise locations, smaller retail stores, K-12 schools, or property management sites. With these user-managed options, each location can handle the day-to-day functions, but reports, applying patches and updates, backup, and other group functions are all handled in the cloud by the host. These cloud-based solutions can also be accessed at any time and from any device by the user's security team. 
</p><p>One of the distinct advantages of cloud-based access control is that it requires limited, if any, initial capital investment. When implemented using leased hardware and software, all system costs are amortized over the duration of the contract, which eliminates many of the budgeting obstacles faced by both large and small organizations. Additionally, the low cost of entry allows companies with limited physical security budgets and resources to deploy highly sophisticated access control solutions that would otherwise not be affordable. </p><p><strong>A Hybrid System</strong></p><p>There are many security end users who are embracing a mixture of several solutions, deploying a hybrid access control solution that combines on-premise and cloud-based access control solutions. These solutions can be either remote or user managed and allow the integration of new or legacy hardware. There are several operational and cost benefits with this scenario because a hybrid solution offers the ability to keep costs low while transitioning from legacy systems to new access control solutions. A hybrid access control solution also provides opportunities for integrations with related systems such as alarm monitoring, intrusion detection, elevator control, badging, video verification, time and attendance, and more. </p><p>So which access control option is best for you? There is no one answer. The versatility of these new access control choices means you select what you need based on your terms. </p><p><em>Lukas Le is director of cloud services for Galaxy Control Systems.</em></p> Fatalities in Texas School Shooting<h4>what we know<br></h4><ul><li><p>A shooter opened fire at Santa Fe High School in Santa Fe, Texas, at approximately 7:45 a.m. 
Friday morning.<br></p></li><li><p>Ten people were killed and 10 were injured in the shooting.</p></li><li><p>Police have a suspect in custody. He has been identified as Dimitrios Pagourtzis, 17.</p></li><li><p>The shooter was armed with a shotgun and a .38 revolver.</p></li><li><p>Explosive devices were found in the high school and the surrounding community. Local authorities are urging community members to report "suspicious packages" by calling 911.<br><br></p></li></ul><h4>Death toll rises to 10, Texas Governor Abbott Confirms</h4><p><strong>UPDATE 3:25 p.m. ET, May 18, 2018</strong></p><p>Ten people were killed and ten more injured in the Santa Fe High School shooting on Friday, Texas Governor Greg Abbott confirmed in a press conference this afternoon.</p><p>"We grieve for the victims who lost their lives at Santa Fe High School and we pray for the families that are suffering and the families that will continue to suffer in the days to come," Abbott said. </p><p>He also confirmed more information about the suspected shooter, Dimitrios Pagourtzis, including that authorities have discovered evidence on his computer, phone, and in a notebook that he intended to carry out a shooting and commit suicide. Before he was able to commit suicide, however, Pagourtzis allegedly turned himself over to the authorities and was taken into custody.</p><p>To carry out the shooting, the gunman was armed with a shotgun and a .38 revolver. Abbott said the shooter took these firearms from his father, who had obtained them legally. 
There was no evidence at the time of the press conference that the father knew his son had taken the weapons.</p><p>Abbott also said that authorities were interviewing two people of interest, but declined to release any additional identifying information about them. </p><p>While those interviews are ongoing, authorities are continuing to sweep Santa Fe High School for explosive devices and are searching two residences and a vehicle associated with the gunman. Law enforcement is proceeding with caution, Abbott said, due to the risk of discovering additional explosive devices that could pose harm to investigators.</p><p>In addition to conducting a full investigation into the shooting--with the goal of prosecuting the gunman--Abbott said he will be working with the Texas legislature and other state officials to set up roundtable discussions. They will discuss "swift solutions to prevent tragedies like this from ever happening again," he explained. </p><p>Future actions could include taking legal action to keep guns out of the hands of those that pose an immediate danger, enhancing background checks, increasing resources for school security, and funding initiatives to address mental illness and gun violence. </p><p>Abbott said his goal is to work together to create laws that "protect Second Amendment rights but ensure that our communities, and our schools, are safer."</p><h4>Suspect in custody identified </h4><p><strong>UPDATE 2:55 p.m. ET, May 18, 2018</strong></p><p>An official briefed on the investigation <a href="" target="_blank">told USA TODAY </a>that the suspect in custody for the Santa Fe High School shooting is 17-year-old Dimitrios Pagourtzis. </p><p>"The suspect was armed with at least one rifle or shotgun, but the first official cautioned that there could be other weapons related to the incident, though not yet recovered," according to USA TODAY.</p><p>Authorities have detained another individual as they continue to investigate the shooting. 
However, more information about who that individual is has not been confirmed. </p><h4>explosive devices found near high school, surrounding area</h4><p><strong>UPDATE 1:00 p.m. ET, May 18, 2018</strong></p><p>The Santa Fe Independent School District announced that explosive devices were found in Santa Fe High School and the surrounding area.</p><p>"Because of the threat of explosive items, community members should be on the look-out for suspicious packages and anything that looks out of place," the district said via a statement to Twitter.</p><p>The district is urging anyone who sees something suspicious to call 911 and wait for authorities to respond. </p><p>Multiple authorities, including the FBI, ATF, Texas Department of Public Safety, and local law enforcement are on the ground responding to the situation.</p><h4>Trump Gives a statement on shooting</h4><p><strong>UPDATE 12:20 p.m. ET, May 18, 2018</strong></p><p>In an appearance at the White House this morning, U.S. President Donald Trump said he is monitoring the situation in Santa Fe, Texas, and reiterated that school safety is a top priority.</p><p>"My administration is determined to do everything in our power to protect our students, secure our schools, and keep weapons out of the hands of those who pose a threat to themselves and to others," Trump said. 
"Everyone must work together at every level of government to keep our children safe."</p><h4>Multiple fatalities Texas school shooting</h4><p><strong>UPDATE 11:30 a.m. ET, May 18, 2018</strong></p><p><br>A shooter at a Texas high school killed at least eight people and injured multiple others on Friday morning. Authorities have a suspect in custody, and said it is no longer an active shooter situation.</p><p> Police responded to shots fired at Santa Fe High School in Santa Fe, Texas, after a gunman opened fire around 7:45 a.m. when the school day was beginning. </p><p> “Witnesses described students running from the school as they heard gunshots; they also described hearing an alarm at the school, though the sequence of events wasn’t immediately clear,” <a href="">according to CNN.</a></p><p> Authorities have not released the identity of the suspect in custody or of any of the victims. However, <em>The New York Times</em> reports that an officer working for the Santa Fe school district as a school resource officer was <a href="" target="_blank">injured during the shooting. </a></p><p> The shooting is the third school shooting in the past week, and the 22nd mass shooting in the United States since the beginning of 2018, CNN said.</p><p> Both the U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives, and the Harris County Sheriff’s Office are on the scene to investigate the incident. 
Security Management will continue to update this post as more information is confirmed.</p><p> In response to the incident, ASIS International has made soft target and active shooter <a href="" target="_blank">resources available for security professionals.</a> They include white papers, webinars, book excerpts, and recorded conference sessions designed to help deter, prevent, and minimize future attacks.</p> Bosses Can Inflict More Damage with Negative References<p>Employees trying to escape a bullying boss, and even those who have managed to land a new position, may be surprised to learn that their workplace nemesis is causing further damage by providing negative job references.</p><p>HR departments similarly may not realize that supervisors are disregarding company policies against giving references that go beyond confirming job titles and employment dates.</p><p>With prospective employers often bypassing human resources and calling supervisors for references, bully bosses can and do impair employees' future job prospects, experts say.</p><p>"In the good old days, the references were HR, and in many cases, in many companies, HR still is the traditional venue. But we've seen a marked shift of interest in calling the former supervisors," said Jeff Shane, president of reference-checking firm Allison & Taylor. "Hiring managers have long since figured out that supervisors tend to be far more talkative."</p><p>Job seekers often wrongly believe that their current or former employers will say nothing negative and do no more than confirm employment, Shane said.</p><p>Many supervisors, however, never receive company training on how to respond to employee reference checks, while many others forget or ignore the policy, he added. 
His Rochester, Mich.-based firm checks references on behalf of job seekers, compiles reports on responses from former employers, and, if necessary, sends cease-and-desist letters to companies violating policies or even laws by supplying negative references that cross the line into misrepresentations or lies and that could be construed as defamation.</p><p>"We call a great many supervisors as references for individuals. The vast majority of the time, the supervisor has something to say" beyond titles and employment dates; their reviews, even if sincere, often are less than optimal. "In many instances, they know exactly what they're doing" and that the employee is unlikely to ever find out if the negative review caused a missed opportunity, Shane said.</p><p>Nearly half of all reference checks that Allison & Taylor conducts contain some degree of negativity, he said. Even a supervisor who gives an employee a positive letter of recommendation will sometimes go "180 degrees in another direction" when called for a reference, he said.</p><p>Smart firms wanting to avoid litigation coach bosses to give only employment dates, said Gary Namie, Ph.D., co-founder of the Workplace Bullying Institute, which refers bullying targets to Allison & Taylor to learn about feedback from a current or former employer. Often the news confirms a candidate's fear, and "a great many of our clients are totally shocked and devastated" by what is found.</p><p>Job seekers may try to avoid a supervisor's risky review by asking co-workers or others to vouch for them, but people checking references typically believe, incorrectly, that a boss is the most trustworthy source of information on an applicant, Namie said.</p><p>"The person who was bullied doesn't stand a chance if the bully boss is loose-lipped," he added. "These supervisors who are bullies because of their own narcissism are eager to talk and tear this person down." 
Workplace bullies have reason to lie about their own actions, he added.</p><p>Some vindictive bullies even go so far as to track a bully target who leaves the company and to spread negative comments about the worker to new supervisors, according to Namie and Shane.</p><p>"They can continue to make that person's life very difficult," Shane said.</p><p>Namie's institute considers workplace bullying—repeated mistreatment and abusive conduct—a national epidemic, with 60.4 million Americans affected. Namie says employers are failing to take responsibility for preventing and eliminating it.</p><p>Bosses account for more than 60 percent of workplace bullies, the organization's 2017 survey found.</p><p>Even a supervisor who doesn't provide an overtly negative review can use meaningful pauses and tone to convey a damaging opinion. "Many times, the tone of voice of the reference will speak volumes about their level of enthusiasm or lack thereof for the person we are calling on behalf of," Shane said.</p><p>Online reference-check provider SkillSurvey aims to eliminate both the "tone" problem and situations where references go off the record to unfairly harm a job seeker's chances through its software-based rating system.</p><p>Job applicants must enter more than two references, who then rate applicants in several areas, with all responses kept in confidence and provided to the hiring organization in a report that averages all of the references' ratings. Five is the norm, often with a mix of supervisors and colleagues, according to SkillSurvey CEO Ray Bixler. The references are all provided online—with names removed, ratings averaged and no calls made.</p><p>If four of five references give glowing reviews while a fifth gives lower ratings, the prospective employer might call the applicant in and ask about it, Bixler said. 
"At least at the very minimum, the client is able to start making decisions of whether it was a rogue reference."</p><p>Many applicants enter more than five references, which can further reduce the damage a bullying boss might inflict, Bixler said. </p><p><em>Dinah Wisenberg Brin is a freelance writer based in Philadelphia covering workplace issues, entrepreneurs, health care, personal finance and logistics.<br><em>© 2018, SHRM. This article is reprinted from <a href="" target="_blank"></a> with permission from SHRM. All rights reserved.</em><br></em></p> Science of Organizing Security<p>Open any publication, blog, newscast, or other media today and expect to be inundated with developments in technology. Artificial intelligence, machine learning, and computing power are propelling a tsunami of changes to the work environment and to society. Marketing wizards will use euphemisms like big data, IoT and other witticisms to describe complex technologies in simple terms. Yet we know that technology advances will drive unique evolutions, most assuredly in the security of things.<br></p><p>Guarding, fraud detection, cyber security, facial recognition, and many other areas will see significant advancements in the short-term. However, one critical success factor to advancing asset protection in large corporations is what I call the "technology" of organizing to secure a company's people, critical information and business strategy. 
</p><p><strong>Cognitive Convergence™</strong><br>Take, for example, the cyber war that rages across the Internet every day—stealthy, ubiquitous, and deadly silent in attempts to steal governmental secrets and relentlessly target American corporations. The many publicized losses are staggering.<br></p><p>Companies talk about converging cyber and physical security, but I believe Cognitive Convergence™ is even more important. Fighting the cyber war necessitates that companies know how to organize to properly defend themselves from current and emerging risks. Instead, many companies' enterprise security roles and responsibilities are diffused among various departments, where IT may be focused on technology costs, while HR is looking after background checks or exit interviews. Security is handling investigations, and legal, audit, and environmental health and safety are accountable for other aspects of security.</p><p><br>Sometimes chief information officers are not equipped to fully understand cyber risks and are ill prepared to work with law enforcement agencies without a gaggle of lawyers to direct almost every step. Often, the lawyers require a quick remedial training course on cybersecurity themselves and fear (with some justification) that turning over information to the U.S. government during an attack may come back and bite them.<br><br>In one company, for example, an internal audit fraud investigation was underway targeting an individual who was actually an insider planted in the corporation to develop intelligence on the best way to attack that company's network. This same person was simultaneously being investigated by the security organization, which suspected he was stealing proprietary information. 
Neither department knew of the other's activity until the employee was fired. </p><p>Cognitive Convergence™ ends these obstacles to cybersecurity. It means bringing together the intellectual horsepower of numerous departments and business units and assimilating the right intelligence for risk-aware decision making and unified security across the enterprise. Having a comprehensive written strategy that details who has accountability for various aspects of protecting enterprise assets and how these professionals are going to collaborate for end-to-end, proactive risk management is fundamental to building this culture.</p><p><strong>Partnerships and Best Practices</strong><br>Another imperative is having the United States government partner effectively with the private sector, which owns and operates 85 percent of the critical infrastructure and resources of the United States according to the Federal Government in its Information Sharing Environment. When a crisis happens, it's simply too complex, cumbersome, and time-consuming for companies to reach out to the FBI, U.S. Department of Defense, U.S. Department of Homeland Security, or other agencies, without having a preestablished contact person. Instead, companies need a safe harbor, single point of contact for liaison with the U.S. government regarding cyber intrusion matters.<br><br>Law enforcement and intelligence agencies also try to improve the country's cybersecurity position, but they too must work through huge bureaucracies and often don't understand how to bridge their knowledge with the corporate world. 
They are cautious, as they should be, about sharing classified information—even when security or legal staff need it for business-savvy consultation to senior management.<br><br>At the same time, the security industry should consider adding more business risk managers to corporate roles to balance the experience of second-career professionals from law enforcement agencies who may be trained to chase the crime rather than remediate the business risk. Security associations can create a coalition that provides American companies with nontechnical advice that board members and business leaders can rely on to act quickly and decisively. Software providers, too, can partner with companies to improve IT hygiene that detects vulnerabilities faster and more reliably. More and more, bringing together security and technology professionals with governmental entities, law enforcement, and business leaders will become essential to building platforms and cybersecurity regulations based on best practices and collegial understandings that are truly effective in fighting this war.</p><p><strong>Pay It Forward</strong><br>At the same time, each of us has a responsibility to help prepare the next generation. Let's bring people together in trade or industrial associations, educational institutions, and other ways to promote soft skills such as communications and teamwork. Kudos to ASIS International for launching a publication specific to educating security leaders about the risks and rewards of cybersecurity and other technologies. I equally welcome a companion theme for security professionals to become business-savvy collaborators and mentors, serving as catalysts within their own organizations and among future generations. </p><p>It's like building an airplane in flight, and winning the cyber war in the United States will demand: </p><ul><li><p>A clear directive to U.S. 
public-private boards of directors and government agencies that mandates respective roles and responsibilities and assures one safe harbor for American companies who seek support when breaches occur. <br></p></li><li><p>American corporations that influence Washington and impose corporate mandates to ensure the fight is taken up responsibly. <br></p></li><li><p>Corporate leaders who organize around different departmental priorities, leadership styles and cultures to combat and mitigate cyber risks that have the capacity to undo them all. <br></p></li></ul><p>To win this war, each of us must master the technology of organizing vertically, horizontally, and sometimes sideways in landing this plane safely. <br></p><p><em>Tim Williams, CPP, MBA is vice chairman, Pinkerton, a global provider of corporate risk management services and solutions. He has served in Fortune 50 corporations for more than 36 years as chief security officer or in consulting roles, managing enterprise security risk. He is a past president of ASIS International and founding member of the </em><a href="" target="_blank"><span style="text-decoration:underline;"><em>Global Security Risk Management Alliance</em></span></a><em>.</em><br></p> Explosive Act: Assessing the Safety of Chemical Facilities<p>Just before Hurricane Harvey made landfall on Friday, August 25, 2017, chemical manufacturer Arkema made the decision to shut down its plant in Crosby, Texas, to brace for the storm. The plant soon lost power and received almost 40 inches of rain by Monday afternoon, causing heavy flooding that inundated its backup generators. A small crew of 11 people remained on site to monitor the storm damage and the safety of the organic peroxides that were stored at the plant.</p><p>These chemicals needed to be stored at a low temperature. 
But after the plant's backup generators were flooded, refrigeration failed. So, the crew transferred the chemicals from their current storage in warehouses into diesel-powered refrigerated containers and continued to monitor the situation—which worsened as the rain continued to pour down.</p><p>With the water continuing to rise, Arkema was forced to make another difficult decision: evacuate the plant and the 1.5-mile radius around it.</p><p>"Arkema is limited in what it can do to address the site conditions until the storm abates," the company said in a press release. "We are monitoring the temperature of each refrigeration container remotely. At this time, while we do not believe there is any imminent danger, the potential for a chemical reaction leading to a fire and/or explosion within the site confines is real."</p><p>To reduce the threat of an explosion injuring others, Arkema worked with the U.S. Department of Homeland Security (DHS) and the State of Texas to continue to monitor the situation. They soon realized that while the chemicals were not fully igniting as they began to warm up, they were beginning to degrade. To address the threat, Arkema decided to ignite the containers the chemicals were housed in to eliminate the threat of an uncontrolled blast.</p><p>"This decision was made by Arkema Inc. in full coordination with unified command," the company said. 
"These measures do not pose any additional risk to the community, and both Arkema and members of the unified command believe this is the safest approach."</p><p>While the situation in Crosby was not ideal, it showed how facilities that manufacture, store, and transport chemicals in the United States are embracing a new mindset towards security and planning how to handle the worst-case scenario when it happens—whether it is a power outage or a terror attack.</p><p>One effort that's helping to spearhead this mindset is DHS's Chemical Facility Anti-Terrorism Standards (CFATS) program, which has sought to address and mitigate the threat of chemicals since its inception in 2007. </p><p>"In 2007, chemical security was fairly new and people weren't really sure what it meant," says CFATS Acting Director Amy Graydon. "We've since been able to foster this environment of chemical security."</p><p>But that environment could be in danger if Congress does not reauthorize the CFATS program, which is set to expire in January 2019. </p><p>"We think that reauthorization is the key to reducing the threat of terrorists using chemicals," Graydon explains. "We think that the program has really reduced the risks and is an important element of making the country more secure."</p><h4>CFATS Basics</h4><p>In the 2007 DHS Appropriations Act, Congress required the agency to create regulations that established risk-based performance standards for chemical facilities that present high levels of risk. DHS was also mandated to subject these facilities to vulnerability assessments and require them to develop and implement site security plans.</p><p>To do this, DHS worked with industry to create the CFATS program—which is part of its Infrastructure Security Compliance Division (ISCD). 
The program identifies and regulates facilities that possess chemicals of interest at specific concentrations and quantities.</p><p>These concentrations and quantities are listed in what's referred to as Appendix A of the CFATS regulation. More than 300 chemicals are included, along with their screening threshold quantities. The chemicals are also categorized into three groups depending on the potential security threat of the substances: release, theft or diversion, and sabotage.</p><p>Facilities that meet or exceed the screening threshold quantities for chemicals of interest listed in Appendix A are required to report their possessions to DHS via a questionnaire called a Top-Screen.</p><p>ISCD then reviews that Top-Screen and notifies facilities if they are considered high risk and ranks them into Tier 1, 2, 3, or 4—with Tier 1 the highest. As of February 2018, ISCD had received Top-Screens from more than 40,000 facilities and determined that roughly 3,500 of those are high risk and must comply with CFATS.</p><p>Facilities that are tiered then must submit a Security Vulnerability Assessment and a Site Security Plan, or an Alternative Security Plan, that meets risk-based performance standards detailed in the CFATS regulation. These standards address factors such as perimeter security, access control, personnel security, and cybersecurity. The stringency of the requirements varies based on what tier a facility falls into, and facilities can create their own security plans—rather than having CFATS create a prescriptive security plan for them.</p><p>Once the plans have been submitted, ISCD inspectors perform a facilities inspection before approving the plans for implementation. 
</p><p>This process has proved beneficial to facility operators, says Jennifer Gibson, vice president of regulatory affairs for the National Association of Chemical Distributors.</p><p>"Those visits, while cumbersome, allowed for a lot of back and forth, getting clarity on what the agency was looking for," Gibson explains. "Usually it turned out that a facility would make changes to its plan, based on that inspection."</p><p>After inspectors approve the plans, facilities are expected to implement them. If they do not, they can be ordered to cease operations or issued a civil fine, with a maximum penalty of $33,333 per day per violation, as of February 2018.</p><p>Facilities are also required to resubmit their Top-Screen if they have a change in holdings, such as using new chemicals of interest for business processes.</p><p>"It could be that they may need some other security measures because we look at the type of chemical and its risks," Graydon says. "So, for theft and diversion, we're worried that a terrorist could be intentionally trying to either steal or divert the chemical for misuse; whereas for release, it's that the terrorist would be coming to the facility to cause a release."</p><p>During its first five years, CFATS did not approve a single facility site security plan. But since then, it has made major strides and completely eliminated its backlog to move into the compliance phase of the program. Now, approximately 140 inspectors are visiting sites based on risk—there is no mandated requirement for how often inspections occur.</p><p>"We have the compliance inspection index, and it takes into consideration a facility's tier, the number of planned measures that a facility has, and the amount of time since the last inspection," Graydon says. "So, we can get to folks in an appropriate manner." </p><h4>CFATS Changes</h4><p>After CFATS was up and running, some members of Congress and the chemical sector expressed concerns about the program. 
Primarily, concerns centered around the "administrative burden associated with the development of facility security plans and the pace of DHS efforts to process and approve them," according to a U.S. Government Accountability Office (GAO) report. </p><p>Congress addressed these concerns by passing the Protecting and Securing Chemical Facilities from Terrorist Attacks Act in 2014. It reauthorized the CFATS program and created an Expedited Approval Program (EAP), a voluntary option for Tier 3 and 4 facilities regulated under CFATS.</p><p>The EAP allows DHS to identify specific security measures that meet the risk-based performance standards of CFATS that facilities must implement to be compliant. </p><p>For example, release facilities would have to certify that their emergency equipment included at least one of the following: a redundant radio system that's interoperable with law enforcement and first responders, at least one backup communications system, an emergency notification system, an automated control system or process safeguards to place critical assets in a "safe and stable condition," or emergency safe-shutdown procedures.</p><p>"The EAP is expected to reduce the time and burden on smaller chemical companies, which may lack the compliance infrastructure and resources of large chemical facilities," GAO said. </p><p>CFATS implemented the EAP in June 2015. But as of April 2017, GAO found that only two organizations of 2,496 eligible facilities had used the EAP. </p><p>"Officials representing the two EAP chemical facilities told us that their companies involve small operations that store a single chemical of interest on site and do not have staff with extensive experience or expertise in chemical security," GAO reported. 
</p><p>Representatives from the two facilities also said they used the EAP because it helped them reduce the time and cost to prepare and submit their site security plans.</p><p>"For example, the contractor who prepared the site security plan for one of the two EAP facilities said that the facility probably saved $2,500 to $3,500 in consulting fees by using the EAP instead of a standard security plan."</p><p>Ultimately, only one of these organizations followed through with the EAP process because the other was later re-tiered and no longer considered a high-risk facility subject to CFATS.</p><p>Since the GAO report was issued, 16 facilities have used the EAP and Graydon says she is optimistic that more facilities will use the program moving forward.</p><p>"We think that only two facilities might have taken advantage of the EAP program because of where all facilities were in the process already by the time it rolled out," she adds. "Most facilities had already completed their site security plans or their alternative security programs."</p><p>Graydon's sentiments echo GAO's analysis, which found that the timing of EAP's implementation, its prescriptive nature, the lack of an authorization inspection, and a certification form requirement may have initially hindered participation in the program.</p><p>"DHS conducts in-person authorization inspections to confirm that security plans address risks under the standard process, but does not conduct them under the expedited program," GAO said. "DHS officials noted that some facilities may prefer having this inspection because it provides them useful information."</p><p>Since the EAP's rollout, CFATS has made other changes to the program that might also affect participation. 
For instance, DHS updated the online tool that facilities use to send data to ISCD for their Top-Screen to make it a much more streamlined process.</p><p>"We really took the opportunity to streamline and bring it up into the 21st century so we were using smart tools with logic," Graydon says. "We were able to reduce some duplicative questions, reducing the time it would take people by 50 percent—down to six hours."</p><p>This streamlining effort cascaded throughout CFATS data collection processes, dropping the time it took to complete a security vulnerability assessment from 65 hours to 2.5 hours, and site security plans from 225 hours to 20 hours.</p><p>"We were able to do that because the reauthorization had given us the stability to move forward," Graydon says. "The reauthorization gave not only industry the stability it needed to make capital investments…it gave us the opportunity to make some internal changes as well."</p><p>CFATS also launched a re-tiering effort looking at 27,000 facilities' initial Top-Screens from 2007 and 2008, and asking them to resubmit. It then re-tiered some facilities by incorporating threat and vulnerability into the overall tiering methodology, which is not public.</p><p>"We refined what we were looking at, particularly for facilities for theft and diversion," Graydon says. "We were able to incorporate some inherent vulnerability in that." For instance, Graydon gave the example of looking at the portability of chemicals and taking that into account when determining the risk level for a facility.</p><p>"It would be easier to steal a vial than a big tank; we were able to model the actual amount of the chemicals…," and include them in the tiering methodology, Graydon adds.</p><p>In a recent hearing before the U.S. 
House Homeland Security Subcommittee on Cybersecurity & Infrastructure Protection, Chet Thompson—president of the American Fuel and Petrochemical Manufacturers—said the re-tiering effort was an improvement on the old system.</p><p>"Folks believe risks are being better assessed, and a number of our facilities have been re-tiered," he explained. </p><p>However, Kirsten Meskill, director of corporate security for BASF Corporation, testifying on behalf of the American Chemistry Council (ACC), said that while ACC has seen a reduction in higher-risk facilities under the re-tiering, there's still a lack of transparency in the process.</p><p>"We don't know how these risk tierings were applied to the general sites," she said, adding that—from her perspective—there was no way to know whether the new method is addressing "real risks out there."</p><p>To address this, panelists at the hearing suggested that the GAO be brought in to review the new CFATS tiering methodology and issue a report on its effectiveness.</p><h4>Future of CFATS</h4><p>Despite some complaints about lack of transparency, all the panelists at the subcommittee hearing were in favor of reauthorizing the CFATS program. </p><p>"Any lapse in the program would be a serious concern to us," said Pete Mutschler, environment, health, and safety director for CHS Inc., adding that it would be "highly disruptive to both the industry and the regulated community" if CFATS were allowed to lapse and then be reinstated.</p><p>Mutschler said he was in favor of a multiyear reauthorization for CFATS to provide certainty to the regulated community so it can make "long-term investments" in security to comply with the program.</p><p>Doug Leigh, who serves as manager of legislative affairs for the National Association of Chemical Distributors, says that his members are also in favor of a lengthy reauthorization for the CFATS program. </p><p>"The last thing we want to see is a three-month reauthorization," Leigh says. 
"It would be going backwards instead of going forwards."</p><p>Graydon says she is optimistic about CFATS being reauthorized by Congress, due to its track record over the past several years in improving processes and reducing risk.</p><p>"We feel that we have demonstrated that we are a smart regulatory program—that we look for efficiencies," Graydon explains. "We are able to incorporate lessons learned, and we would like permanent or long-term reauthorization to make sure we have continued stability for industry and the program to continue to make efficiencies."</p><p>As of <em>Security Management'</em>s press time, no member of Congress had introduced a bill to reauthorize the CFATS program. </p> to Lead a Diverse Security Workforce<p>We live in a time of increasing conflict and tension. The clash of civilizations, a frequent topic in college classrooms, seems to be playing out in vivid high definition on news channels across the globe. In nations around the world, citizens are verbally squaring off against friends and neighbors over political, racial, and social differences.</p><p>Security and public safety organizations are tasked with keeping the peace in our tumultuous societies. And these organizations are becoming as diverse as the communities they represent. As a result, many of these organizations' leaders—such as security managers—find themselves in the challenging situation of motivating and leading teams comprising individuals from an array of different racial, cultural, and ideological backgrounds. </p><p>This type of leadership is difficult. It often takes place in an environment unsettled by nearly constant and instantaneous communication. And in many workplaces, tension and the potential for conflict are increasing, for several reasons. 
</p><p>For one, the country's changing demographics and economic challenges mean that there are four generations of workers sharing offices today. This leads to a diverse pool of employees with widely varying generational morals, behaviors, and values. </p><p>In addition, nearly half of all Millennials come from ethnic minority groups. Given their diverse cultural backgrounds, these younger individuals may have differing views on sensitive workplace issues compared to their older and more traditional Baby Boomer colleagues, or even members of Generation X. </p><p>To some extent, each member of the team will view these issues through their own cultural identity. And so, issues involving whether or not they support or oppose recent shifts in societal norms can spur differences in opinion, which may create tension. Even worse, the manager may inadvertently trigger a conflict by taking a side. After all, managers too belong to a specific culture, ethnicity, or generational identity.  </p><p>With that in mind, what follows are some suggested best practices to help security managers lead a diverse workforce in today's chaotic environment. Of course, when sensitive issues arise in the workplace, there are no magic solutions or actions that guarantee successful resolution. However, keeping these principles in mind will help managers maintain self-awareness, fairness, and diplomacy. They will also help managers to be mindful of common human biases that can creep into actions and how to steer clear of them through honest self-examination.    ​</p><h4>Respect Differences</h4><p>I've known my best friend since we were freshmen in college, and we agree on most issues. Furthermore, when we do disagree, we've never fought over it. 
That has held true in the almost two decades we have known each other.</p><p>However, soon after last year's controversial rally in Charlottesville ended in the death of a civilian and two police officers, we found ourselves in a debate over the preservation of Civil War monuments and the broader national crisis between law enforcement and communities of color. </p><p>Prior to that debate, the racially related differences between us had ranged from invisible to comical. But as the discussion heated up, I found that even two close friends who stood as best men at each other's weddings could still stumble into a perilous debate over their own cultural identities. I found that a Russian-Jewish immigrant and an African-American Jew could have widely divergent perspectives on the same events, despite significant similarities in our affinities, beliefs, and value systems.   </p><p>My experience is applicable to workplace relationships. The viewpoint of your employees is as real to them as yours is to you; ignoring or demeaning their perspective can lead to deteriorating relationships. My best friend and I pushed through our disagreement in a few days, due to the history of trust and mutual respect that we had built together. Imagine the damage that could be done between people who barely know each other, or between managers and new team members who are complete strangers.</p><p>Thus, security leaders should be careful in these situations. When potentially sensitive cultural or political matters arise, managers should be mindful not to express opinions in a way that implies that those with differing opinions are stupid or lazy. Conversely, managers who find ways to express that they respect differing views, and find them legitimate, are often rewarded with stronger and more respectful relationships with staff.  </p><p>We can learn a lot about how to respect differing viewpoints from good security educators. 
Students will often interject personal feelings into discussions, especially on use-of-force topics, and these feelings may vary from student to student, which presents a challenging situation for the instructor. A good security educator might respond by accepting the feeling of the student, and then providing additional information about an alternate explanation.</p><p>Thus, the teacher may respond as follows. "Sure, I can see how it may seem that the officer's actions were inappropriate in this incident. However, if you consider legal precedence for cases like this, the officer's actions, while perhaps not ideal, were nonetheless legal."  ​</p><h4>Focus on Actions</h4><p>We must accept that the world is changing, and that our workplace employs a variety of people from a multitude of backgrounds. We will encounter people in the workplace who are different from us—different formative experiences, different cultural mores, different outlooks and perspectives on what is happening around them. </p><p>Being different is neither good nor bad, it just is. Managers should not prejudge their employees based on how they look or dress, where they came from, or what they seem to value in life. All that is important is their performance in the workplace and whether they are a productive member of the team.</p><p>Don't think of someone as a bad employee or a good employee. Focus on their actions and whether the actions are productive or disruptive to the organization. Keep evaluating these actions fairly, and do not allow yourself to fall back on lazy stereotyping.   </p><p>Here is an illustrative example. In my work as a security manager in the public sector, we worked with a community center that had some gang violence issues, such as fights on the basketball court, and similar altercations. As a result, we began looking for an athletic young man to hire as a security officer for the facility, because everyone assumed that's what it would take to control those patrons. 
</p><p>As it happened, our most effective security officer was an older female, who acted like a compassionate parental figure to the teens and young adults in the facility. She earned their respect, and they followed her instructions without question.  ​</p><h4>Foil Favoritism </h4><p>Allowing emotions to cloud your judgment is a dangerous trap for any manager. Managers may believe that a team member is underperforming when the underlying issue is not poor performance, but disagreement on certain issues. Conversely, I have watched poorly performing team members receive red carpet treatment because of their friendship with the boss. </p><p>This can be especially troubling when the manager shares demographic characteristics with the favored team member—whether that be religion, race, or cultural background—or shows favoritism to an employee who is of the opposite sex. Even if there is no tangible preferential treatment, the perception of special treatment may be damaging to a manager's credibility. The recent spike in media attention to matters of race and gender relations has made this an even more sensitive, and potentially fraught, issue. And any actual discrimination based on a protected class could violate company policies and federal Title IX laws in the United States.</p><p>Management decisions must be made with the clarity of rational reasoning and unbiased performance evaluations. This is impossible to achieve when emotions are clouding judgment. Good managers try to combat this in themselves. They assign work based on the strengths of the employees and judge their employees based on the results that they have produced.  </p><p><strong>Equal access.</strong> Everyone wants to be "cool with their boss," and it is almost a status symbol when someone can say that they get regular time with the boss to pitch their ideas. It takes patience and an open mind to maintain an open-door policy, but the benefits can be tremendous. 
As a security manager, I have avoided potentially catastrophic employee relations issues because someone walked into my office and said, "hey sir, I just wanted to talk to you about something that kind of bothers me…"  </p><p>However, it is only human for people to prefer spending time with people like themselves. Security managers are not immune to these biases, and some employees may get more and longer meetings with the boss than others. This can cause resentment and discord among staff. Thus, it's important for managers to remember that, no matter how enjoyable it is to talk to particular employees, everyone on the team is unique and they all bring valuable perspectives to the organization. </p><p><strong>Opinion sharing.</strong> With generational and cultural diversity comes a greater diversity of opinion. Members of your team may have varying views on prominent issues in the news, be it immigration, gun rights, gay marriage, or performance evaluations of political leaders. In general, the security workplace should not be a venue for discussing, arguing, or advocating these opinions.  </p><p>An employee's right to have an opinion about cultural or political topics conflicts with another employee's right not to have to listen to it while at work. Managers who want to avoid confrontations over these sensitive topics should refrain from discussing them at work and strive to maintain a comfortable atmosphere in the workplace. This can occasionally require some sort of intervening action. </p><p>I remember coming into our security dispatch center the morning after Barack Obama was elected U.S. president to find two of my dispatchers in a debate over whether the country was now better or worse. One officer, a former union boss from New York, was expressing his view that he could now die peacefully because he had lived to see the first black president of the United States. 
The other officer was terrified that his world as he had known it was over, and that the country was on the verge of collapse. </p><p>Quickly, their disagreement spiraled into a heated argument on the issue of racism—whether it had contributed to the election result or whether it would now spike given the victor. Because the conversation potentially affected not only the relationship of the two officers but also the safety of our operations, I decided to move one officer to another part of the facility for the rest of the shift, to ensure a cool-down period.  </p><p>The broader lesson from that experience was the need for clear HR policies that discourage employees from engaging in potentially volatile nonwork-related conversations. Such policies should not focus on topics of conversation as much as on the potential for disruption, reduced performance, or discriminatory behavior. </p><p>For example, the policy should not prohibit discussions of a specific issue or election, but should prohibit any behavior that leads to disruption and loss of employee productivity. Thus, two coworkers can have a polite conversation about a political topic and not violate policy, but should their conversation dissolve into rude or inappropriate behavior, management has the policy to support shutting it down.​</p><h4>Toggle the Fun Switch</h4><p>Security can be a stressful and emotionally draining profession. Officers in the field may deal with hours of boredom interrupted by moments of potentially life-threatening terror. Those based in the office may stress over risk management, scheduling snafus, and broken contracts. In any workplace, there must be an opportunity for people to blow off stress, recharge, and to get back to work. </p><p>This can include interactions when it is okay to be silly and activities that let people have fun. Managers should be able to flip that switch in a way that is recognizable and comfortable for employees. 
That also means that managers can allow lighter discussions and playful arguments, as long as it is clear they are respectful and that sensitivities are not being trampled. Security managers must also know when to stop such interactions if they become inappropriate or contested.     </p><p>For example, allowing employees to banter about their favorite sports teams and last night's game, or the merits of recent movies and performers, can be a natural way to build comradery and make collaboration in the workplace more natural. The manager can participate in the fun, but at the same time be ready to stop the discussion if conversations dissolve into anger or otherwise become unprofessional. For example, a manager should never allow friendly bantering to turn to conversations that include name-calling, racial slurs, sexist expressions, or other language that may be offensive to any team member. Employees may have different standards of offensiveness, so the manager should ensure that the language is appropriate for all.  </p><p>Sometimes, employees try to encourage their manager to offer opinions in debates. This can be an attempt to seek validation by the boss. This can be a tricky situation that should be approached cautiously. No matter which side you pick, you may alienate someone. In a friendly debate over favorite sports teams or favorite foods, this is not a big deal. But in a civil, experience-based discussion that involves issues like discrimination, taking a side could have lasting consequences on your relationship with those on the other side. Sometimes, it is wisest to defer, based on the sensitivity of the issue.  </p><p>Finally, a small percentage of employees are drawn to conflict and drama and politics in the workplace for different reasons. 
In these cases, the manager should be careful of being lured into a debate by an employee with an agenda, such as a desire to undermine the supervisor's credibility with the rest of the team.</p><p><strong>Consider Gender Issues</strong></p><p>Accepting responsibility is a key tenet of leadership. A good manager remains humble and accepts that no one is perfect and all make mistakes. Mistakes that involve office diversity and inclusion can be costly, and the longer they are allowed to fester, the worse the consequences will be. </p><p>For example, when I was an ROTC unit commander, I was conducting a uniform inspection on a unit of about a dozen cadets. I stopped in front of the third or fourth cadet in the line, and, as always, I inspected from top to bottom. Although I was standing in front of the cadet, I called out the chin hair that needed to be shaved off. The cadet then punched me in the chest and stormed out of formation. </p><p>I had not realized the cadet was a female until after I made the comment; I was so focused on avoiding favoritism that I was deliberately not paying attention to the gender of the cadet I was inspecting. My immediate reaction was indignation that she had punched me, and then had left my formation. It took several hours for me to come to the realization that her actions were the result of mine. I had insulted a cadet in front of her peers.</p><p>It took the better part of a week for me to apologize and receive forgiveness from her. The damage that I incurred with the rest of her unit lasted much longer. Some of her peers who thought I had done this on purpose started losing respect for me altogether.</p><p>The possibility for similar unintentional mistakes exists in the security workplace setting.  </p><p>Consider what would happen if a manager who routinely referred to their employees by Mr. 
and Ms., or sir and ma'am, was assigned an employee who identified as gender neutral, or was undergoing gender reassignment at the time of employment. Would that employee feel discriminated against if they were the only one who was referred to by their name only? How would the team feel if the manager started referring to everyone by their first name, due to the arrival of that one new employee?</p><p>The solution to scenarios like these often lies in cutting through any miscommunications and going directly to the source. In my case, I had to accept responsibility for my mistake, and when I approached the cadet I both apologized and explained what had happened. Once she forgave me, she became the person that helped others understand that this was an honest mistake. In the workplace, as part of the onboarding process, the manager should consult the employee on how they would like to be addressed. The employee's validation of the manager's approach will be visible to the other employees in the office, and miscommunication may be avoided. </p><p><strong>Catch Up to the Future</strong></p><p>Societal norms are being reevaluated and changed so rapidly that some people have not had time to realize that their actions or words in the workplace might not be appropriate. Moreover, the widespread availability of video-capable technology and the speed with which video can be spread have created an environment where management's actions or inactions can be immediately evaluated and judged by their own employees and the media, leading to more serious consequences for those who cannot find a way to work together with their diverse team.  </p><p>Diversity, while challenging, is the source of a great team's strength, because it provides multiple unique perspectives, skill sets, and strengths to the organization at large. 
Those managers who can accept and encourage diversity, and are willing to make the effort to maintain an environment in which all team members can comfortably thrive, will find their units to be stronger and more successful than their competition.</p><p><em>Yan Byalik, CPP, is the security administrator for the City of Newport News, Virginia, and has been working in the security industry in both public and private sectors since 2001.</em></p> Flight<p>In rural Grant County, Washington, public utility security personnel don't just protect remote substations—they help respond to the community's emergency calls. However, after one concerning encounter, it was clear something had to change—and security managers looked to the sky for solutions.</p><p>The Grant County Public Utilities Department (PUD) security leadership team gathered last March to review a disturbing incident from the previous night: a PUD security officer had responded to reports of a man seemingly under the influence firing a weapon indiscriminately in a nearby town. It's not unusual for PUD security personnel to respond to calls that do not pertain to the utilities because of the rural location and geography of the area, and that night the unarmed officer arrived at the scene of the disturbance before law enforcement. Fortunately, he was able to keep the man calm until police arrived, and the event ended without incident. Upon review, however, it was clear that the security officer could have been in harm's way.</p><p>"We have issues with people being on a substance, or domestic violence calls that we are first responders to, because law enforcement is a long way away," says Nick Weber, CPP, PSP, security manager for Grant County PUD.
"We've had the patrol vehicle dented when residents kicked it, someone firing off weapons, and we just thought, 'how could we do this better?'" The team discussed solutions and initially joked about using a drone to mitigate problems. However, with more consideration, Weber said the idea began to gain traction. Using an off-the-shelf drone, the PUD could train its contract security officers to scope out a potentially perilous situation before endangering themselves, reducing response time. The drone could even be used for preemptive security assessments of the county's critical infrastructure.</p><p>"We had issues dealing with having unarmed security forces being placed into harm's way in order to solve issues related to the human environment, as well as looking for ways to better use our time and resources to conduct security assessments of substations, dams, and other critical buildings," says then physical security supervisor Brady Phelps, CPP, PSP. "We wanted to explore the challenges and opportunities that drones could present." Phelps—who now works as an auditor for the Western Electricity Coordinating Council—along with Weber and contract guard services account manager George Hainer began to flesh out the plan.​</p><h4>In the Industry</h4><p>The use of drones for security purposes is steadily picking up steam. As of summer 2016, more than 2,000 organizations had applied for commercial exemptions through the U.S. Federal Aviation Administration (FAA) to use drones for emergency management, security, or risk management, according to the Association for Unmanned Vehicle Systems International. And an IFSEC Global report notes that the international security market for drones will grow to $10 billion by 2020. </p><p>But applications for commercial exemptions don't lead to drone programs overnight, and Grant County PUD's security team was unaware of any other electric utility companies that used drones for emergency response augmentation. 
The Grant County Sheriff's Department had been using drones for investigations for about six months, and the PUD was able to turn to it for licensing advice later in the process, but first had to outline a program—and get buy-in.</p><p>"We were concerned about the optics that the security department is buying toys—other departments could complain because some of the things we do in security are cool and there's some jealousy," Hainer explains. "There were also concerns about wasting money. We talked with our boss and agreed we'd create strict usage policies, as well as safety and security standards, and went ahead with our budget to buy three hobby-level drones as a test."</p><p>While the potential for drones seems endless, Phelps stresses the importance of fully understanding their capabilities and limits to explain possibilities to those granting approval without making unrealistic promises. And while the drones were primarily going to be used for security operations, PUD wanted to share the wealth with other critical infrastructure departments in the county.</p><p>"Establishing that firm understanding of the drones' capability helped us go to other departments that have needs," Phelps explains. "We wanted to see how the line department could use it, how the dam could use it, so we went to their leadership and said that we have this tool and we want to share it. It eliminated those internal optics by showing that this is a tool for business and we'd like to help you solve problems. That went a long way to get buy-in from the whole organization."</p><p>As part of a demonstration, the PUD team worked with the county's dam department to conduct an assessment of an embankment via drone. What would normally take three or four hours and involve exposing workers to dangerous conditions took seven minutes and captured clear 4K video that allowed for easy assessment. 
​</p><h4>Regulations and Beyond</h4><p>Before the PUD could begin deploying its drones regularly, it had to meet several criteria imposed by the U.S. government. Unlike individual hobbyists, organizations or public entities have to apply for commercial exemptions through the FAA. Additionally, PUD wanted the ability to fly the drones out of its line of sight and at night, which also required waivers. Another challenge was determining who was going to fly the drones—all operators must be certified by the FAA, which could be time consuming and would reduce the pool of people who could use the technology. "It's a big problem for some guards with no clue about airplanes and passing that test," Hainer notes.</p><p>After consulting with the Grant County Sheriff's Department, Hainer—who has previously held a private pilot's license—began the process to become FAA certified as the pilot in command for the team, allowing him to conduct flights and train others. PUD is still waiting on another FAA certificate that would allow the team to certify its own pilots. </p><p>During the extensive certifications process, another unforeseen challenge came up—the PUD contract security officers who typically respond to emergencies filed a grievance through their union that the drone program would take their work away. To address this issue, the PUD security team agreed that, in addition to Hainer, about 14 contract guards would be trained to operate the drones. "There's a great chance that they are going to need the drones more often than one of us internally," Hainer notes.</p><p>Weber detailed the team's efforts to assure executives that the program wouldn't be misused—one of the drones' greatest use cases might be one of its greatest challenges. 
One of PUD's key patrol zones is the land along either side of the Columbia River—a 50-mile stretch with only one public crossing.</p><p>"Murphy's Law tends to hold true in that patrol zone with reported incidents inordinately happening on the opposite side of the river from our patrol officer, making one or two miles away a 30-plus minute response time by vehicle," Weber notes. Responding to a call with a drone would allow security to gain situational awareness within 10 minutes and understand what kind of additional response might be needed. "Do we need to go and pick up trash or is it a violent felony?" he says.</p><p>However, one executive raised concerns about using the drones along the river during the high-volume summer months when they are most needed—what happens if a security officer decides to use a drone to follow around a boatful of teenage girls in bikinis?</p><p>"That's a valid concern," Hainer says. "There will be strict requirements for what kind of event would launch the drone, the creation of a flight plan, coordinating with Security Operations Center—especially near critical infrastructure. Every flight is going to have a lot of paperwork to make sure it's never misused." </p><p>PUD agreed to tightly restrict usage to situations where the drone would be significantly more efficient or keep personnel out of harm's way, Weber says. When a call comes in to the Security Operations Center, officials would need to document justification and a flight plan before dispatching a drone, as well as notify utilities if the flight path is within 400 meters of a power plant, transmission line, or substation. 
"These controls provide reasonable assurance to our senior leadership that the drones will only be operated by trained personnel and have a documented business purpose for each flight," Weber notes.</p><p>While the drone emergency response program is still in the early stages—PUD is waiting on the rest of the FAA certifications and waivers, and Hainer is training the guards on drone operation—the team has already begun to conduct safety assessments for itself and other departments, such as the dam assessment. </p><p>"Right now, we're using imagery via Google Earth for threat assessments and there's a lag on what's accurate—a couple areas don't have up-to-date imagery, and some others are low quality," Hainer notes. "We'd be launching the drone, using a program that compiles the aerial imagery for use in response plans and threat assessments, and it's much more accurate and higher quality."</p><p>Weber says that the team is most excited about the reduced response time and potential to keep security personnel safe, but the drone program will have more practical uses too. PUD plans on using drones to keep tabs on remote substations and transmission lines, instead of relying on costly cameras or roving vehicle surveillance. Phelps points out that drones can also be used to make sure that the sites remain compliant. </p><p>"We're one of the first groups in the electric industry to do this, and there's no roadmap," Weber says. 
"The sheriff's department has been a great help because they're six months ahead of us with their program, and our risk department that is in charge of insurance is comfortable with it because of all the benefits."</p><p>The team says it is pleased that the program will be launched in time for the busy summer months along the river, and staff members are looking forward to discovering what other applications drones have for both security and critical infrastructure.</p><p>"The limitations will be set not by the FAA, but by imagination," Hainer says. "Drones will provide a lot more opportunity than threat." </p> 2018 ASIS News<h4>Big Event Coming to the Big Apple</h4><p>More than 2,200 security and law enforcement professionals will convene in New York City for the ASIS International 28th New York City Security Conference and Expo May 16-17 at the Jacob K. Javits Convention Center.</p><p>The conference will open Wednesday at 8:00 a.m. with a keynote address from Scott Morrison, head of global crisis management and command centers for JPMorgan Chase & Co. He will share his thoughts on emerging trends from terror attacks to kidnapping, and from cybersecurity to intellectual theft.</p><p>Two days of peer-developed education will address some of today's most pressing security challenges, including a full day of learning focused on active assailant prevention and response.
Conference sessions include:​</p><p><strong>Drone Technology</strong></p><p>Take a closer look at the current state of drone technology and explore industry trends from all angles.</p><p><strong>Get Your Seat at the Table</strong></p><p>Through the lens of enterprise security risk management (ESRM), security becomes an organization's roadmap for meaningful, effective risk management.</p><p><strong>Securing an Open Office</strong> </p><p>Facebook Chief Global Security Officer Nick Lovrien will explain how Facebook developed a collaborative open office environment while attempting to mitigate risk. </p><p><strong>Active Threat and Culture</strong></p><p>This session examines the cultural differences between an organization that values the "spend" vs. those that look at security as an expense that needs to be slashed.</p><p><strong>Vehicle Attacks</strong></p><p>No community is immune from vehicular terrorist attacks, which have recently caused 204 deaths and 861 injuries in the U.S. and abroad. How can they be deterred?</p><p>Besides paid conference registration, attendees can choose a free expo-only pass that includes access to the exhibit hall on both days, daily receptions and coffee breaks on the exhibit floor, and career coaching services.</p><p>The ASIS New York City Chapter will honor His Eminence Timothy Cardinal Dolan, Archbishop of New York, as the NYC Chapter Person of the Year. Dolan, whose career in the Catholic Church spans more than 40 years, will be honored for his dedication to the people of New York. Always a popular event, the Person of the Year Luncheon will be held at noon on Thursday, May 17. Tickets to this event are included with conference registration. To learn more, go to​</p><h4>Globalization Update</h4><p>In April, ASIS International members received an update about the work underway in support of the Society's globalization initiative and the impact of this work on 2018 Board elections. President Richard E. 
Chase, CPP, PCI, PSP, sent the following letter to members last month.</p><p>Fellow members,</p><p>I am pleased to provide an update on the progress made to fully globalize ASIS International. Our 2017-2021 strategic plan identified improving the ASIS Global Network as one of five key priorities. It's understood that the future success of ASIS is dependent on our ability to be relevant to members around the globe, across all markets, and at every step of the career ladder. This can only be done by employing innovative solutions that foster collaboration and easy sharing of information locally, regionally, and worldwide.</p><p>In 2017,  the Globalization Task Force, composed of a diverse cross section of volunteer leaders, was established to evaluate common practices of other global nonprofit organization management models and identify changes we could make to our organizational structure. Led by 2018 Board Treasurer Godfried Hendriks, CPP, this important work, which included reviewing and redefining roles and responsibilities for our chapter and regions, council, and regional advisory council leaders with an aim to "flatten" our leadership structure, will allow the Society to be more deliberate and nimble in how we deliver our products and services. And most importantly, to create an inclusive volunteer leadership structure that truly reflects the diversity of our membership.</p><p>Through this undertaking, it became clear that we needed to not only rethink our volunteer structure, but also how we select our governing leadership positions—specifically, the ASIS International Board of Directors. </p><p>In March, a Presidential Governance Task Force was established to reevaluate the ASIS board nominations process and overall board governance with an eye towards global diversity, inclusion, and selection criteria, which targets a proportionate representation of the association's members and the overall depth of experience of directors' backgrounds. 
</p><p>Co-chaired by President-Elect Christina Duffey, CPP, and 2018 Board Secretary John Petruzzi, CPP, this task force is working under an expedited timeline, with a goal of delivering recommendations—including director job descriptions and creation of a governance committee—by January 2019. As such, the Board passed a motion to forgo Board elections in 2018. This will provide an opportunity for the task force to complete its work and to ensure the Board of Directors reflects the global membership it represents in 2019 and beyond. </p><p>Later this summer, we will be providing more details on the Globalization Task Force recommendations. This is an exciting time for the Society as we continue to implement our member-driven strategic objectives. As always, we encourage you to email to share your feedback.</p><h4>ASIS Brings Top Business Education to Spain</h4><p><em>Effective Management for Security Professionals 2-5 July, 2018 Madrid, Spain</em></p><p>Looking to take the next step in developing your business acumen? Security executives are invited to attend a four-day executive education program in Madrid, Spain. The theme is Establishing the Security Role as an Enabler for Business Success.</p><p>Presented by IE Business School in collaboration with ASIS International, this course provides an opportunity for mid-career to senior security managers to take a deep dive into the central areas of management, enhancing their effectiveness in the corporate environment and enabling them to align their expertise with the organization's security requirements. It focuses on:</p><ul><li><p>Leading in Uncertainty</p></li><li><p>Creating a Strategic Mindset</p></li><li><p>Applying Financial Information</p></li><li><p>Negotiation</p></li></ul><p>Prior to the program, registrants will be granted access to the IE Online Campus to prepare classwork and readings and facilitate their campus learning experience.
Once on site, the class will participate in interactive lectures, debates, group work, case studies, and role play.</p><p>"Today, companies and organizations are looking for professionals who are highly trained not only in enterprise security risk management, but also in business," says program director Juan Muñoz, CPP, ASIS Spain Chapter chair. "For years now, the role of chief security officer has been progressively evolving. It is precisely in this context where the Effective Management for Security Professionals course reaches its main added value as a business executive education tool."</p><p>ASIS members save significantly on their registration fees. Additionally, registrants will receive 40 CPEs for their participation. New this year: Members of the CSO Center receive an additional 5 percent discount off the member fee. See details at  ​</p><h4>International Buyer Program Delivers Global to GSX</h4><p>Security professionals outside North America who are looking to participate in the most anticipated security event of the year can start planning their travel now.</p><p>Global Security Exchange (GSX), formerly the ASIS International Annual Seminar and Exhibits, is proud to once again participate in the U.S. Department of Commerce's International Buyer Program (IBP). </p><p>The IBP is a government–industry partnership that brings global buyers to the United States for business-to-business opportunities with U.S. firms at major industry trade shows. GSX's participation in this event demonstrates the importance of the event to the security industry worldwide. </p><p>According to the department's website, "every year, the IBP results in approximately a billion dollars in new business for U.S. companies, and increased international attendance for participating U.S. trade show organizers."</p><p>International attendees are encouraged to join an IBP delegation and take advantage of special registration rates and benefits—available only to participants. 
To register with an official IBP delegation, contact the commercial service specialist at your local U.S. Embassy or Consulate to discuss attending GSX 2018 and receive a special registration code. To learn more about the International Buyer Program, visit <a href=""></a>.​</p><h4>Executive Protection Council Spotlight</h4><p>Launched in 2015, the Executive Protection Council is one of the newest ASIS councils. In the years since its creation, the council has more than doubled in size, with 40 members representing organizations as diverse as Northrop Grumman, Facebook, McDonald's, Time Warner Cable, and PayPal, to name a few. Each member is driven to share expertise and affirm executive protection's place in the security profession. </p><p>Executive protection (EP) is a specialized field of security that Council Chair Bob Oatman, CPP, says has grown dramatically in recent years: "The profession itself has existed in government since the days of Lincoln—Secret Service, security details for mayors and governors, and the like. The private sector is where big change is taking place. Hollywood A-listers, corporate executives, and their families—they're recognizing the need for what we do. We wouldn't have a standing council if companies weren't engaged in having EP as part of their security program. We're business enablers. We protect the brand. We help people in the C-suite get where they need to go."</p><p>Oatman has been conducting a two-day EP classroom training with ASIS since 1998. When the Society launched a certificate for the program in 2013, the council's founding members saw it as a significant validation that EP has a place in the broader security community. 
They approached ASIS about forming a council, and now enjoy an increased reach to share EP best practices.</p><p>The council will sponsor an education session this September at Global Security Exchange (GSX), formerly the ASIS International Annual Seminar and Exhibits, where it has sponsored sessions each of the last three years. At this year's session, in a simulation titled "The Trilogy of Executive Protection—Making the Case," council members will present attendees with an EP problem. In groups, attendees will workshop and develop a pitch to sell their EP solution to mock executives.</p><p>In addition to its classroom program, the council has also produced a webinar, contributed an article to Security Management, and developed a proposal for the potential development of an ASIS standard or guideline around executive protection.</p><p>The council also engages in outreach to keep ASIS members up to date on its initiatives. Its biannual newsletter, which shares council updates and touches upon important EP themes, is available in both English and Spanish. The latest issue, available within ASIS Connects, includes articles on the unique rewards and challenges of working in EP and the council's proposed standard or guideline. The council has also appointed liaisons to the Young Professionals, Women in Security, Transitions Ad Hoc Council, and Critical Infrastructure Working Group. </p><p>To learn more about executive protection or to engage with council members or find their latest newsletter, visit ASIS Connects and search for Executive Protection.​</p><h4>Life Members</h4><p>Raymond L. Dean, Sultan H. Alzahrani, and Herbert M. Kaltz, CPP, have been granted lifetime membership to ASIS. </p><p>Dean has been a member of the New York City Chapter since 1981, and he served as the chapter's chair, vice chair, and secretary. In 2011, Dean was awarded the Presidential Award of Merit by ASIS. 
He is a two-time recipient of the Eugene Casey Award for dedicated service to the NYC Chapter, plus he won the chapter's Joseph Spillane Lifetime Achievement Award in 2017. </p><p>Alzahrani joined ASIS more than 30 years ago and has been an active member of the Dhahran, Saudi Arabia Chapter, serving as its chair multiple times. He has also been a regional vice president and assistant regional vice president for many years. </p><p>Kaltz has been a dedicated member of ASIS for more than 32 years. He provided service to the ASIS Detroit Chapter as a chapter chair, vice chair, secretary, and communications chair. ​</p><p> </p><h4>ESRM in Action</h4><p>In 2016, ASIS made enterprise security risk management (ESRM) an organizational priority and has begun infusing this management philosophy into all the Society's programs and services. In the months ahead, we will provide updates, as well as showcase how members are implementing ESRM in their organizations.</p><p><em>By Jon Harris, CPP, PSP</em></p><p>Our "aha" moment came during the ESRM tabletop exercise at the ASIS conference in Dallas last year. My colleague and I realized we were omitting critical components from our risk evaluation process, and therefore missing an opportunity to add significant value to our company. We had a business continuity program, emergency response processes, workplace violence prevention program, and facility risk assessments—the miss was that they were not connected and were too focused on the security aspects of our organization.</p><p>By taking a step back and reframing our entire program within the structure of ESRM, we were able to focus our efforts towards the areas of greatest operational risk, using the existing programs we had in place and providing valuable intelligence to the business. 
Additionally, we broadened the purview of our assessment to the entire organization—from the supply chain, to operating facilities, and through our service organizations.</p><p>Here are our recommendations:</p><p><strong>Get started</strong>. Taking too much time to analyze and come up with the perfect approach will stall your efforts. The process is organic and will evolve over time; continuous improvement is a critical facet of the program and must be embraced. </p><p><strong>Invite everyone to the party.</strong> The greatest value will come with the broadest inclusion and participation. </p><p><strong>Make it simple. </strong>We distilled our mission down to four words: Keep the doors open. At the end of the day, that was our focus and being successful in all the components of our program would deliver that output. The simplicity of the message allowed for an easy delivery to all levels of the organization.</p><p>While the program is still in its infancy, we are excited about our progress to date and the long-term prospects. ESRM has been transformative for how we proactively approach our security program and visibly increase its value to the organization.</p><h4>Member Book Review</h4><p><em>Can I See Your Hands: A Guide to Situational Awareness, Personal Risk Management, Resilience and Security.</em> By Gav Schneider, CPP. Universal Publishers;; 226 pages; $27.95. </p><p>Dr. Gav Schneider is a South African martial artist who teaches security workshops. His new book <em>Can I See Your Hands </em>stands on the shoulders of well-known legends in the violence prevention and threat assessment arenas, including police response trainer Dave Grossman (who wrote the Foreword) and Hollywood security guru Gavin de Becker.</p><p>Schneider starts with the familiar concept that there are three groups in the world: sheep, wolves, and shepherds. This book is definitely for the latter. 
Creating awareness of violent situations and developing personal risk management skills are his overarching themes. He uses models and acronyms to remind readers to avoid denial and to create and train for survival strategies.</p><p>He goes back in time to reference Jeff Cooper's color codes: Conditions White, Yellow, Orange, and Red (and Black in actual war-time combat). He has created his own model, the "Three Point Check System" (3PC-S), which focuses on scanning the Place, the People in the area, and Planned incident actions and Contingency plans. </p><p>The author espouses the use of the Run. Hide. Fight. concept for active assailants as a doable contingency plan. But during a violent attack, you must be able to activate what he calls "Adrenal Response Management." This means controlling stress through repetitive physical and mental training for protection, awareness, and to manage the stress response that can paralyze people in life-threatening situations.</p><p>While most content is familiar, the final chapter, which gives new information on the consequences of having to use physical or deadly force against someone, is the most valuable part of the book. The mental fallout of using force is not often discussed, and it's a vital part of surviving the encounter.</p><p>The slim book is easy to understand, with a useful summary at the end of each chapter. The appendix offers information for protection at home, away from home, and in cyberspace. An index would have been helpful, and adding workplace protection concepts would have been useful. All in all, readers who want to ramp up their pre-attack awareness will learn how to do it. </p><p>Reviewer: ASIS member Dr. 
Steve Albrecht, CPP, is a Colorado Springs-based author, trainer, and threat management consultant.</p> Security Credit<p>With 47 branches, 570,000 members, and more than 220 ATM locations, VyStar Credit Union is the 19th largest credit union in the United States. As a growing business, the bank—headquartered in Jacksonville, Florida—must grapple with physical security concerns, as well as the ever-present threat of fraud, says James McDonald, CPP, security operations manager for VyStar. "Information is just as valuable, or more valuable, than anything someone can physically take from the branch," he notes.</p><p>Video is a critical component of financial fraud investigations. If a transaction is determined to be fraudulent, having video evidence that captures the face and actions of the perpetrator is paramount. To aid in this process, the credit union upgraded all its cameras from analog to IP but was still searching for a more robust video surveillance and storage solution as it expanded its footprint. McDonald was especially interested in 360-degree camera models but found the cost prohibitive. </p><p>In addition, VyStar wanted cameras that could capture teller transactions from beginning to end and correlate the video with data from the transaction. This streamlines activity for the fraud department when investigating cases. "It's important for us to have something to match with the transaction; a camera that allows you to watch a perpetrator's movements from the time they get in to the time they get out," McDonald says. </p><p>The credit union ultimately chose a 360-degree camera model from OnCam Grandeye, the EVO-05, which integrates with a video management system (VMS) from Verint Systems Inc.
Beginning in January 2017, VyStar installed the cameras at its present locations and migrated existing video to the new server. VyStar chose the Evolution 05 Mini model for indoors, which is less noticeable. On building exteriors, it installed the larger model, along with a sunshield and casing that protects the camera from the elements.<img src="/ASIS%20SM%20Callout%20Images/0518%20Case%20Study%20Stats.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:630px;height:237px;" /> </p><p>Existing branches are in the process of being converted to the new systems, and all newly constructed branches are built with the technologies. "Right now, we have converted almost half of our branches to Verint and OnCam," McDonald says.  </p><p>The cameras have motion detection capability to monitor threats after business hours. A motion detection alert is also sent through the VMS to operators in a monitoring location. </p><p>VyStar strategically placed the cameras where they can capture transactions at the various branch locations, as well as keep a close eye on ATM activity. "If we have someone that's just standing there from a distance, looking for a vulnerable target, we get an alert on that right through the VMS system," McDonald notes.</p><p>With the 360-degree cameras, McDonald says the bank gets more coverage than regular fixed cameras, which only have a 60-degree field of view. The bank replaced 200 existing cameras with just 52 OnCam devices.</p><p>"By placing an outdoor 360-degree camera on the corner of a building that has an ATM, you have one camera that covers all avenues of approach," he says. "We're also able to look out for our members when incidents happen in the parking lot away from the ATM."</p><p>The cameras and any incoming alerts are monitored from one of three VyStar campus locations via Verint's VMS, Vid-Center. Branch management has access to its local cameras as well. 
Using Evidence Center from Verint, the camera captures the entire customer-teller transaction, and integrates with VyStar's IT system to match it to the transaction data. "We map every single transaction that happens in VyStar, and it's tied directly to a camera," McDonald says. </p><p>Last year alone, VyStar captured more than 10 million transactions using the cameras and VMS. The fraud department recently told McDonald that its efficiency had improved by 80 percent since Verint and OnCam products were installed.</p><p>"We know we aren't going to prevent every instance of fraud; the criminals are always going to be thinking of new ways, and the biggest thing we can do is deny the perpetrator time," McDonald says. "Verint and Oncam allow us to deny them that time." </p><p>A map feature within Vid-Center allows the customer to add a blueprint of its locations and match cameras to their positions. The VMS can also integrate with access control systems to capture video as customers and employees come and go. </p><p>VyStar has a seven-day retention period for all raw video. McDonald says he keeps any video that was triggered by a motion sensor past those seven days and retains bank transactions video for more than a year. </p><p>The branch DVR recorders retain video at the local level, which makes handing footage over to law enforcement simple. In case of a network outage, no footage is lost, which McDonald says is crucial for the financial sector. While the VyStar system can manage all cameras from a single location and push updates and patches to the cameras, it can also allow branches to control their cameras individually. "In a large environment like an airport, it's perfectly feasible to pipe all your cameras back to a server and manage them from a single location," he notes. "When you're someone like us, spread out geographically, having that edge DVR that acts like a mini-server at each branch is a valuable tool." 
</p><p>VyStar plans to have its existing branches 100 percent converted to the OnCam and Verint technologies by the end of 2019. </p><p>"From an end user standpoint, when you have limited budget and limited resources, and you have one camera that can do the job of three," McDonald says, "it saves bandwidth, time, and maintenance, and it gives an overall picture of the scene that you just can't get with one conventional camera."  </p><p><em>For more information: David Wedel,, 612.325.6259, Matthew Hubbard,,, 443.722.9611</em></p> as Statecraft<p>As organizers prepared to kick off the 2018 Winter Olympics with an opening ceremony in Pyeongchang, South Korea, featuring performers and thousands of athletes from around the world, security personnel were also hard at work behind the scenes.</p><p>Specifically, the cybersecurity team, which was responding to a cyberattack that would ultimately cause the official Winter Olympics website to be taken offline and disrupt TV and Internet systems for 12 hours. </p><p>The cyber team was able to mitigate and eventually stop the attack, which Cisco's Talos Intelligence blog assessed was designed to disrupt one of the most globally anticipated events of the year. "During destructive attacks like these there often has to be a thought given to the nature of the attack," according to Talos' analysis. "Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony."</p><p>A post-incident investigation would later claim that Russia was behind the cyberattack, which was designed to appear to originate in North Korea. 
Some speculated that Russia targeted the Olympics because it was banned from participating in the 2018 games due to a major doping scandal involving its athletes and drug testing facilities.</p><p>The hack demonstrates a new threat era where world powers are increasingly using cyber means to further their goals or punish others for their actions. "The use of cyberattacks as a foreign policy tool outside of military conflict has been mostly limited to sporadic lower-level attacks," said U.S. Director of National Intelligence Daniel R. Coats in the annual Worldwide Threat Assessment of the U.S. Intelligence Community. "Russia, Iran, and North Korea, however, are testing more aggressive cyberattacks that pose growing threats to the United States and U.S. partners."</p><p>The assessment found that the "risk of interstate conflict" is now higher than at any time since the end of the Cold War, and that actors will use any means necessary—including cyber—to influence and shape outcomes. </p><p>"The risk is growing that some adversaries will conduct cyberattacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war," Coats wrote.</p><p>Adversaries that pose the greatest risk to the United States and its allies on the cyber front are Russia, China, Iran, and North Korea. </p><p>"These states are using cyber operations as a low-cost tool of statecraft, and we assess that they will work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations," according to Coats' analysis.</p><p>Russia. At the forefront of the intelligence community's list is Russia, which Coats said would likely conduct "bolder and more disruptive" cyber operations in 2018, using Ukraine as a testing ground. 
</p><p>The intelligence community has also expressed concern about Russia's efforts to influence or interfere with elections in the United States, France, Germany, and the United Kingdom. In a hearing before the U.S. Senate Intelligence Committee, all six U.S. intelligence agencies said they view Russia as a threat to the 2018 midterm elections. </p><p>"We have seen Russian activity and intentions to have an impact on the next election cycle," said CIA Director Mike Pompeo in his testimony, and Coats added that he has not seen a change in Russia's behavior since the 2016 election cycle when it engaged in a social media influence campaign (See Security Management "Cyber War Games," April 2017).</p><p>Following the U.S. presidential election in 2016, France and Germany saw Russia engage in similar social media efforts in an attempt to influence the outcomes of their elections.</p><p>Despite this threat, U.S. President Donald Trump has not directed National Security Agency (NSA) and Cyber Command Director Admiral Mike Rogers to prevent these kinds of attacks. However, some agencies have begun working in that direction. "Based on the authority that I have as a commander, I've directed the national mission force to begin some specific work…using the authorities I retain as a mission commander in this space," Rogers said, adding that he could only go into more detail in a classified setting.</p><p>In addition to its activity around elections, Coats also said Russia is likely to continue its activities in Ukraine, including disrupting its energy-distribution networks, hack-and-leak influence operations, distributed denial of service attacks, and false flag operations.</p><p>"In the next year, Russian intelligence and security services will continue to probe U.S. and allied critical infrastructures, as well as target the United States, NATO, and allies for insights into U.S. policy," Coats said in his assessment.</p><p>China. 
Along with the threat from Russia, Coats also said that China will likely use cyber espionage to support its national security priorities. </p><p>"Most detected Chinese cyber operations against U.S. private industry are focused on cleared defense contractors or IT and communications firms whose products and services support government and private sector networks worldwide," Coats wrote. "China since 2015 has been advancing its cyber attack capabilities by integrating its military cyberattack and espionage resources in the Strategic Support Force (SSF), which it established in 2015."</p><p>While many details about the SSF are unknown, research by the RAND Corporation found that it was designed to integrate China's space program and cyber and electronic warfare capabilities.  </p><p>"…the creation of the SSF suggests that information warfare, including space warfare, long identified by [China's] analysts as a critical element of future military operations, appears to have entered a new phase of development…one in which an emphasis on space and information warfare, long-range precision strikes, and the requirements associated with conducting operations at greater distances from China has necessitated the establishment of a new and different type of organization," it said in its recent report, The Creation of the PLA Strategic Support Force and Its Implications for Chinese Military Space Operations.</p><p>Iran. While Iran has not been publicly linked to any major cyberattacks, the U.S. intelligence community predicts that it will continue to engage in cyber activity. Specifically, Coats' assessment said Iran will focus on penetrating U.S. and allied networks to position itself for future attacks.</p><p>"Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations, despite Iran's recent restraint from conducting cyberattacks on the United States or Western allies," Coats wrote. 
"Iran's cyberattacks against Saudi Arabia in late 2016 and 2017 involved data deletion on dozens of networks across government and the private sector."</p><p>Those attacks, for instance, were on Saudi Aramco and used malware to manipulate corporate safety systems and cause physical damage to company sites, according to analysis by cyber firm FireEye.</p><p>"The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors," FireEye said in a blog post about the incident. "Intrusions of this nature do not necessarily indicate an immediate threat to disrupt targeted systems and may be preparation for a contingency."</p><p>North Korea. As of <em>Security Management</em>'s press time, U.S. President Trump had agreed to meet with North Korean Leader Kim Jong-un to discuss denuclearization efforts. However, the intelligence community continues to view the North Korean regime as a threat.</p><p>In its analysis, it said that North Korea would likely use cyber means to raise funds and gather intelligence, or launch attacks on South Korea and the United States. </p><p>For instance, several nations—including the United States—have accused North Korea of developing and launching the WannaCry ransomware attack that spread across the globe, hitting scores of organizations and the healthcare sector. </p><p>"Pyongyang probably has a number of techniques and tools it can use to achieve a range of offensive effects with little or no warning, including distributed denial of service attacks, data deletion, and deployment of ransomware," Coats said in his analysis.</p><p>Other actors. Along with nation-state actors, Coats also expressed concerns about terrorist groups using cyber means to organize, recruit, spread propaganda, raise money, and coordinate operations. 
</p><p>"Given their current capabilities, cyber operations by terrorist groups most likely would result in personally identifiable information disclosures, website defacements, and denial-of-service attacks against poorly protected networks," Coats said.</p><p>Additionally, Coats said that criminals will continue to provide services for hire to enable cybercrime. One recent example of this was Russia's tactic of hiring threat actors to act as trolls to spread propaganda on social media in an effort to influence Western elections.</p><p>"We expect the line between criminal and nation-state activity to become increasingly blurred as states view cyber criminal tools as a relatively inexpensive and deniable means to enable their operations," declared Coats in the threat assessment.</p> 2018 Industry News<h4>OUTDOOR SURVEILLANCE</h4><p>The Musical Instrument Museum (MIM) in Phoenix, Arizona, displays instruments collected from around the world and offers concerts and performances in addition to its conventional and interactive installations.</p><p>To enhance the security of its exterior spaces, the museum recently worked with integrator IES Communications to upgrade its outdoor surveillance system. MIM implemented a variety of Bosch cameras to provide high-quality images of the museum's outdoor areas, which include two parking lots, a courtyard at the main entrance, an additional courtyard at the student entry, an outdoor café, and a seating area. The video system also monitors outdoor special events. Supported by new exterior LED lights, cameras produce full-color images throughout the night. 
Built-in video analytics alert the museum's security operators to possible risks, such as objects left behind or the gathering of large crowds that may create congestion in an area.</p><p>The museum selected Altronix Pace Ethernet solutions for video transmission over existing cabling and Security Center from Genetec for management and monitoring.</p><h4>PARTNERSHIPS AND DEALS</h4><p>Ted's Pawn in Norwood, Ohio, is using video verification technology from 3xLOGIC, Inc., to reduce false alarms and catch intruders.</p><p>Auth0 was selected by Coinsource to provide authentication for its ATMs.</p><p>Dallmeier security technology is protecting drivers and goods at premium parking areas of Euro Rastpark to combat the theft of vehicles, cargo, and fuel.</p><p>Delta Scientific barriers have been installed at Atlanta's new stadium, home to the Atlanta Falcons. The barriers were installed by Tusco.</p><p>Detection Technology announced that its x-ray detectors helped provide security at the Olympics in Pyeongchang, South Korea. </p><p>NASCAR named Digital Ally Inc. a Preferred Technology Provider. With this new designation, Digital Ally will provide cameras to enhance security, safety, and the officiating process.</p><p>The ScotRail Alliance purchased Edesix body-worn cameras for frontline staff.</p><p>Honeywell announced that its Xtralis VCA suite of security software is integrated into the Axis Camera Application Platform from Axis Communications Inc.</p><p>Australian law firm Clayton Utz selected the Intapp business acceptance solution as part of its risk management and compliance programs.</p><p>Integrated Biometrics announced that Grupo Neoyama will serve as its primary distributor for Brazil.</p><p>Florida Atlantic University selected the Software House C•CURE 9000 security and event management platform from Johnson Controls. The platform will be used to secure the university's Charles E. 
Schmidt College of Medicine.</p><p>OnSSI appointed Warren Associates as its manufacturer's representative for northern California and northern and central Nevada.</p><p>Pelco by Schneider Electric and Ipsotek integrated their products to create a solution for managing video and analytics.</p><p>ProSource added two vendors, ICE Cable Systems and MantelMount; the company added Centricity as a group exclusive service partner.</p><p>Guardian Protection Services selected the Qolsys IQ Panel 2 as its next-generation platform following a one-year evaluation period.</p><p>Rackspace collaborated with Cisco to provide advanced protection against evolving threats in the multicloud environment.</p><p>A new partnership between SALTO Systems and Phunware will provide integrated mobile access control platforms with applications for multifamily residential properties.</p><p>Rubicon Labs joined the open source EdgeX Foundry project to unify the IoT market.</p><p>SmartMetric, Inc., appointed Hogier Gartner CIA S.A. 
as distributor for its biometric security cards within South America.</p><p>Speco Technologies integrated its IP cameras into Synology's Surveillance Station.</p><p>TagMaster North America, Inc., installed readers and hang tags in conjunction with ATS Traffic parking barriers and equipment for the VIP parking at Grey Eagle Casino in Calgary, Alberta, Canada.</p><p>Tangent Academy announced a Pro Partnership with 5.11 Tactical, in which 5.11 Tactical will become the official apparel of Tangent Academy.</p><p>Tech Electronics is partnering with Blue Line Technology to provide threat detection, access control, and concierge applications.</p><p>Transition Networks, Inc., partnered with Milestone Systems to integrate its switches with software into the Milestone Systems XProtect VMS.</p><p>Xtera completed interoperability testing with Infinera, a provider of Intelligent Transport Networks.​</p><h4>GOVERNMENT CONTRACTS</h4><p>Axon Public Safety Australia sold 11,000 Axon Body 2 cameras to the Victoria Police in Australia. </p><p>Drone Aviation Holding Corp. delivered its multi-mission capable tactical Winch Aerostat Small Platform to the U.S. Army.</p><p>The U.S. Coast Guard has conducted approximately 100,000 search-and-rescue operations since 2006 with support from the Rescue 21 Coastal system built by General Dynamics Mission Systems.  </p><p>IndraSoft, Inc., was awarded a multiyear task order by the U.S. Census Bureau to conduct end-to-end fingerprinting and identity proofing of selectees.</p><p>InstantEye Robotics received an order from PMA-263, the U.S. Navy and Marine Corps Small Tactical Unmanned Aircraft Systems Program Office, for additional systems to support deployed Marine infantry squads.</p><p>Mt. 
Vernon School District in Indiana is deploying the Security Alert Messaging system from iSIGN Media Solutions Inc.</p><p>J&S Franklin's DefenCell products were installed in two separate areas in South Australia for environmental applications including ground stabilization, flood protection, and erosion control.</p><p>Gallant Technologies Inc. successfully transitioned the technology for a non-detonable explosives training aid developed and licensed from the Johns Hopkins University Applied Physics Laboratory under funding from the U.S. Department of Homeland Security Science and Technology Directorate.</p><p>Vicente López, one of the 135 districts that make up the Buenos Aires province, is using cameras made by Pelco, Bosch, and Axis Communications, as well as Milestone XProtect Professional video management software, as part of its surveillance system, which was integrated by Exanet S.A.</p><p>NAPCO Security Technologies, Inc., announced that its Continental Access division products are being used in a project for the Albany County Schools in Wyoming.</p><p>Optim LLC was awarded a five-year, sole-source contract to supply its FreedomView Videoscope to U.S. Customs and Border Patrol to search for illegal contraband hidden in vehicles, containers, and other conveyances. 
</p><p>Canada granted funds from its Community Resilience Fund to support a Ryerson University research initiative working to evaluate approaches to countering radicalization to violence in Canada.</p><p>The Republic of Kosovo is rolling out a nationwide mobile driver's license solution based on the VeriGO DriveID platform from Veridos.</p><p>VSTEP delivered NAUTIS simulators to the Royal Bahamas Defense Force in cooperation with DAMEN and Alphatron.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>AFL received patent awards for developing products and technologies within the accessories, optical connectivity, and fusion splicing divisions.</p><p>Akoustis Technologies, Inc., announced that its headquarters facility received ISO 9001:2015 certification, completing certification for all company facilities.</p><p>Allot Communications Ltd. was awarded Best Mobile Security Solution in the 2018 Cybersecurity Excellence Awards. </p><p>CNH Industrial's Ulm plant in Germany has achieved Bronze level certification in the World Class Manufacturing program.</p><p>Crestwood Technology Group earned the Counterfeit Avoidance Accreditation Program accreditation AC7402 for supply chain management.</p><p>At Mobile World Congress 2018, Evolved Intelligence was named best supplier of mobile network security solutions.</p><p>G4S announced that its North America Training Institute won three Training and Leadership Awards from and Leadership Excellence and Development.</p><p>Genetec Inc. was named one of the top employers in Montreal, Canada, by the editors of Mediacorp Canada Inc., for the eleventh consecutive year.</p><p>Just Add Power earned a Top New Technology Award for Video Wall Solutions at ISE 2018 in Amsterdam. </p><p>Jumio announced that its Netverify solution was named the gold winner in the Best Fraud Protection category by the 2018 Cybersecurity Excellence Awards. 
</p><p>MacAulay-Brown, Inc., renewed and updated its Quality Management System certification for ISO 9001:2015.</p><p>Oncam completed the retesting and documentation of its 360-degree solutions with Milestone XProtect open-platform IP video management software.</p><p>Securonix won multiple awards in multiple categories at this year's Cybersecurity Excellence Awards, including Most Innovative Cybersecurity Company and Best UEBA Product.</p><p>Sielox LLC recognized MCM Integrated Systems as National Business Partner of the Year.</p><h4>ANNOUNCEMENTS</h4><p>Anixter Inc. is expanding the footprint of its North American flagship distribution center in Illinois with 30 to 40 percent more storage capacity and new automation technology.</p><p>ASSA ABLOY acquired Phoniro to further develop verticals and scale solutions internationally.</p><p>A group of leading companies launched the Better Identity Coalition to develop policy initiatives that promote the adoption of better solutions for identity verification and authentication. 
Founding members include Aetna, Bank of America, IDEMIA, JPMorgan Chase, Kabbage, Mastercard, Onfido, PNC Bank, Symantec, US Bank, and Visa.</p><p>BGN Technologies announced that researchers at Ben-Gurion University of the Negev developed a new Light Invariant Video Imaging software technology that can significantly improve picture clarity of cameras in sub-optimal lighting.</p><p>Bosch Security Systems changed its name to Bosch Building Technologies to reflect greater portfolio breadth.</p><p>Bravatek Solutions, Inc., acquired HelpComm, Inc.</p><p>Broco Rankin acquired long-time client Chamberlain Security.</p><p>Camden Door Controls celebrates its 30th anniversary in 2018 with a new rebranding look, spanning a new logo, website, and design of product guides and other collaterals.</p><p>The Cloud Security Alliance released Using Blockchain Technology to Secure Internet of Things, a white paper that explores the capabilities of blockchain technology in facilitating and improving the security of the Internet of Things. </p><p>In support of the #MeToo movement, Continuum GRC is allowing organizations to create a free custom anti-harassment policy using its IT Audit Machine GRC software.</p><p>Erin Harrington Communications launched a new website at </p><p>The Florida Center for Cybersecurity (FC2) launched the Florida CyberHub, a virtual environment and shared cybersecurity resource center to support cybersecurity education, workforce development, information sharing, and research across the state.</p><p>Galaxy Integrated Technologies announced that it will provide complimentary, no-charge security assessments for all schools in its service area in New England, New York, and New Jersey. </p><p>The Gaming Standards Association and Gaming Standards Association Europe created a new Technical Committee dedicated to blockchain use. </p><p>Idesco Corp. is celebrating the 75th anniversary of the company. 
</p><p> launched a new STEM Scholarship Program in 2018 to help shape the leaders of tomorrow.</p><p>IEC Electronics will open a new state-of-the-art manufacturing facility in Newark, New York.</p><p>Iron Mountain Incorporated opened a secure, state-of-the-art federal records center in Suitland, Maryland.</p><p>Konica Minolta Business Solutions U.S.A., Inc., acquired VioPoint, Inc., a company specializing in intelligent cybersecurity. </p><p>In 2017, Legrand employees volunteered more than 2,000 hours of their time, as part of the company's Better Communities program.</p><p>Miami-Dade Aviation Department and U.S. Customs and Border Protection hosted a ceremony to celebrate Miami International Airport's newly renovated Concourse E federal inspection facility for international arrivals. The facility provides expedited passport screening via facial recognition. </p><p>Nortek Security & Control introduced a Technician Certification Training Program for dealers, technicians, and integrators.</p><p>The Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalization. Initial signers of the charter are NXP, Siemens, the Munich Security Conference, Airbus, Allianz, Daimler Group, IBM, SGS, and Deutsche Telekom.</p><p>Speco Technologies added new videos to its website regarding its Digital Deterrent.</p><p>TEAM Software, Inc., launched a new Volunteer Time Off program to encourage its employee owners to give back to the community.</p><p>Viakoo joined Spiceworks and is sponsoring the Physical Security Group. </p><p>Vigilant Solutions announced that a law enforcement agency used its facial recognition and license plate recognition technology in a kidnapping case that helped to locate the missing person and get her to safety. 
</p> Jam<p>Much of the western United States was put on notice earlier this year when the U.S. Air Force announced that it would be blocking GPS signals on its base south of Las Vegas, Nevada. The tactic—which occurred during an annual month-long military training exercise—could cause air traffic disruption and potentially require flight rerouting due to inconsistent GPS, the notice stated. While the Air Force would not confirm that the GPS disruption was a part of its yearly exercises, experts believe that the military is training its pilots to fly in conditions where GPS signals are inaccurate or nonexistent—a scenario that has become increasingly common.</p><p>Thirty-one satellites currently orbiting the earth transmit signals to civilian and military terrestrial receivers, essentially using time signals to run location-based devices and activities and syncing networks around the world. The satellites—called the GPS constellation—are owned by the United States and operated by the Air Force. Since 1978, the satellites have provided location, navigation, and timing capabilities to the military, and an unencrypted version became available for public use in the 1980s. Over the years, the signals from the GPS constellation have become critical for a variety of applications, including communications, precise time measurements, and critical infrastructure technologies—in addition to its military uses of navigation, target tracking, and missile guidance. </p><p>However, the signal—which is inherently weak—is susceptible to outside interference. Anything from space weather to malfunctioning machinery to malicious actors can cause problems with GPS, including blocking the signal—called jamming—and sending false signals, known as spoofing. 
Even small interferences can cause big headaches.<img src="/ASIS%20SM%20Callout%20Images/0518%20NS%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:466px;" /> </p><p>For example, a man who drove a company car purchased a GPS jammer to keep his boss from knowing his whereabouts, but when he passed near Newark airport in New Jersey, the jammer blocked signals from reaching the air traffic controller system. Although the sale and use of jammers is illegal in the United States, they can be purchased online for less than $50 and can successfully hide a vehicle's location.</p><p>In January 2016, a routine equipment switch caused a series of 13-microsecond timing errors in half of the GPS constellation satellites, which triggered about 12 hours of confusion for computers, networks, and timing devices around the world. </p><p>The U.S. government has referred to GPS as a single point of failure for critical infrastructure and, in 2004, called for the U.S. Department of Transportation to acquire a backup capability for GPS. However, an alternative has never come to fruition. </p><p>U.S. President Donald Trump reemphasized the need for redundancy by including a section in the 2018 National Defense Authorization Act that requires the U.S. Departments of Defense, Transportation, and Homeland Security to demonstrate a GPS backup capability within the next 18 months.</p><p>"We were concerned that the federal government was not doing all of the things it said it would do in order to protect GPS signals, which are being interfered with on a regular basis," says Dana Goward, the president of the Resilient Navigation and Timing Foundation (RNTF). He established the nonprofit in 2013 to protect, toughen, and augment GPS signals. 
"Since we started, over the last five years, GPS has been interfered with more and more," he notes.</p><p>Goward and other members of RNTF are also members of the National Space-Based Positioning, Navigation, and Timing (PNT) Advisory Board, which has existed since the call for a GPS backup capability was issued in 2004. </p><p>It's hard to tell exactly how big an impact a widespread GPS outage would have on critical infrastructure sectors around the world, but Goward notes that glitches such as the January 2016 blip can foreshadow what systems might be affected. "The implementation and use of GPS signals is so widely spread for so many different things it was never intended to be used for that it's really impossible to outline all the bad things that would happen and the sequence in which they would occur," he says. "But there are some things we do know." </p><p>Say a terrorist plants a high-powered GPS jammer hidden in a suitcase in the middle of a city. Transportation will probably be the first system visibly affected, which could quickly impact an entire metropolitan area, Goward says. Traffic lights will become desynchronized and GPS-based apps will no longer function, creating distracted and dangerous driving conditions. Airplanes and other forms of mass transportation will have to slow down or alter routes to stay in contact with people who can keep them on course. Package delivery routes as well as land, sea, and air-based supply chain operations will be disrupted. "All forms of transportation will be forced to carry less capacity in the area," Goward notes.</p><p>Countless systems that rely on GPS's perfectly synchronized timing—including data networks, financial activities, the electric grid, and other utilities—will slowly become out of sync, causing system failures. </p><p>"When the networks start to fall apart, it's hard to tell how much of a cascading failure you're going to see," Goward notes. "Networks depend on each other. 
It's really such a vast and hyper complex system, the structures of which are not known and may not be knowable."</p><p>Preventing GPS glitches is a multifaceted challenge. The GPS satellites themselves are fairly resilient—they are replaced on a rotating basis depending on their estimated operational life. Still, mechanical glitches like the one that caused the January 2016 blip are possible. The signals transmitted from the satellites are even weaker than cosmic background noise, and Goward notes that even upgraded equipment won't substantially change the strength.</p><p>"The basic problem is fundamental physics," Goward says. "Satellites are 12,500 miles up in space and powered by solar panels and transmitting all the time—unlike other satellites that can store up their solar power, GPS satellites have to transmit all the time. They will always be really weak and easy to interfere with."</p><p>An inherent area of weakness is the equipment used to receive the GPS signal sent by the satellites—anything from cell phones to networks to military ground stations that encrypt the signal.</p><p>"Most GPS receivers in use right now are very vulnerable to jamming and spoofing," Goward notes. "The technology in terms of antennas and software is available to make them much less susceptible to jamming and spoofing, but it costs a little extra and users don't feel motivated to incorporate anti-jamming and spoofing technology into their receivers and systems, even when they involve and support critical infrastructure like phone and IT networks."</p><p>RNTF is working with the government to establish guidance or best practices to improve GPS receiver security. While a fix is relatively simple, Goward says he doubts most companies will make the upgrade unless they are told to do so or they experience a GPS-induced crisis. 
"We think that for critical infrastructure applications there's a government role there to advocate for, encourage, and perhaps require users to have the latest anti-jamming and spoofing technology."</p><p>Military-level encrypted GPS signals aren't exempt from jamming or spoofing, either. While the use of a secured ground system to control the broadcast of an encrypted signal, along with military-grade receivers, provides an inherent level of protection, it's not foolproof—and it only works when it's used properly.</p><p>"Because of the encryption, that makes military receivers as a practical matter more difficult to use, so we had seen any number of photographs of military folks in the field with GPS receivers they bought at Walmart strapped to their arms and using them instead of military receivers," Goward notes. Encrypted equipment tends to be stored under lock and key—and is usually unwieldy—making it more cumbersome to use. </p><p>It's suspected that the infamous straying of a U.S. naval ship into Iranian waters in 2016 was a result of the sailors using unencrypted receivers that allowed Iran to spoof the signal and direct them into the country's territory. And headlines were made when the movements of U.S. military personnel at several overseas bases could be tracked via a GPS-based fitness app—no jamming or spoofing required.  </p><p>The U.S. Department of Defense (DoD) is in the middle of upgrading the military ground systems and replacing the current GPS constellation—which is near the end of its intended operational life—but the efforts have faced a series of setbacks. The new generation of satellites, called GPS III, are expected to provide a stronger signal that is more resistant to spoofing and jamming and will permit interoperability with other global navigation systems. But, according to the U.S. 
Government Accountability Office (GAO), the acquisition and timeline of deploying the new satellites has run into several roadblocks, delaying the launch of the new equipment. </p><p>For example, the first GPS III satellite built, which is slated to become operational in 2019, includes energy storage devices that had not been appropriately tested by the subcontractor. When the Air Force discovered the failure to test the equipment, it made the subcontractor remove the devices from the second and third satellites currently being built, but "decided to accept the first satellite and launch it 'as is' with the questionable capacitors installed," the GAO reports. The rest of the GPS III satellites are expected to be launched and operational—replacing the current devices—by 2021.</p><p>Three components of the upgrade—the new ground control systems, GPS III satellites, and contingency operations programs—are expected to face "numerous challenges" over the next 18 months, GAO notes. "If any of the three programs cannot resolve their challenges, the operation of the first GPS III satellite—and constellation sustainment—may be delayed."</p><p>Meanwhile, Goward and the RNTF are continuing to encourage the government to promote more secure GPS receiver technology and build a backup capability when—not if—the GPS signal fails. </p><p>"We are concerned that the federal government does not have a central point of accountability for protecting GPS," Goward explains. "It's possible that this lack of responsibility and governance will mean that nothing is going to happen until the nation has suffered substantial damage because of the failure to protect, toughen, and augment GPS." 
</p> Balk on Bud<p>When seasoned security manager and longtime ASIS International member Brian Gouin started working as a consultant and virtual security manager for a medical marijuana production facility in Maryland, he certainly had some questions about the security challenges that the new gig might pose. </p><p>Would external theft be a problem? He had no experience in this sector, and dark visions of criminal cartels stormtrooping the facility to steal product occasionally crossed his mind. Luckily, that never happened.</p><p>"External theft has really not been a big problem. Surprisingly, there has not been a lot of that," says Gouin, who has spent nearly 30 years in the security industry and is currently owner of Strategic Design Services, a firm specializing in security design and project management services.</p><p>Still, the marijuana production facility did employ armed guards, because it held product that was worth at least $5 million. "That's more dollar value than 99 percent of banks in the state," Gouin explains. And since marijuana is so easy to sell, that product can be considered almost the equivalent of cash, he adds. </p><p>But unlike external theft, internal theft was a problem. Employees sometimes helped themselves to a bit of product "to go" when leaving the facility for the day. Finding ways to screen workers on the way out was difficult. Complicating this matter is that keeping track of the on-hand marijuana supply can be a complex task. "You can't inventory it the way you inventory other products. You have to dry the plant; when you dry the plant, it loses weight," Gouin explains. </p><p>And working with certain company employees was an unusual experience, even for a veteran security consultant well-accustomed to adjusting to different types of office cultures.
"It's so unique because of the type of person working there. Most of these people five years ago were running from the cops and making this stuff in their basement," Gouin says. "They are naturally distrusting of security."  </p><p>Overall, many of the facility's biggest security challenges stemmed from the fact that it is a nearly all-cash business. The ramifications of this are many. For instance, cash at a thriving marijuana business can accumulate quickly; but when it comes time to deposit the money earned, banks generally do not want to accept huge currency bundles, which can result in scrutiny from federal regulators, Gouin explains.</p><p>Given this, many marijuana businesses are forced to keep significant cash on hand. Some outgoing expenses, like compensation for day workers and certain bills, can be paid in cash, Gouin explains. Much of the rest can be deposited in smaller amounts that are spread out, so the bank will accept them. Of course, transiting large amounts of cash can also be risky, so the operation bought and used an armored vehicle, described by Gouin as "a small vanny-type thing."</p><p>Still, in one way the business that Gouin works for is lucky—it found a local bank that will take its money.  </p><p>Because U.S. federal law still includes marijuana on its Schedule I list of illegal substances, no large "tier one" bank will do business with cannabis companies now, says Joshua Laterman, CEO and founder, National Association of Cannabis Businesses (NACB). This is the "black letter of the law" that means that banks can be charged with crimes like money laundering if funds they have accepted from cannabis companies are mixed with other funds and enter the U.S. federal wire deposit system. This could lead to a federal indictment. </p><p>"No tier one bank enters the sector unless the law changes or some type of [exception] is put into place, like a safe harbor," Laterman says. 
"There is no cure, full stop."</p><p>This is a significant problem, given the growth and revenue-generating power of the cannabis industry. Going into 2018, nine states and Washington, D.C., had legalized marijuana outright; for medical purposes, marijuana is legal in 29 states and D.C. This year, at least 12 states are poised to consider marijuana legalization; Vermont already did so in January. On the whole, the industry generated $7 billion in revenue in the last 12 months, and this figure is expected to rise to $10 billion this year, according to NACB.</p><p>Given this revenue generation, some local banks (like the one working with Gouin's facility) and credit unions have tried to step in and fill in the vacuum. "It's the only show in town right now," Laterman says. These local banks often charge an extra compliance fee, and they usually just provide an account and some checks, without offering more involved services like credit cards. On the whole, these banks believe that the potential reward is worth the potential risk, and that working with local business is "in service of their mission." </p><p>"It's all very hyper-local," Laterman says. "They do it in a very personal way."</p><p>Nonetheless, these local banks usually cap the amount of deposited funds at $250,000, the limit that the Federal Deposit Insurance Corporation (FDIC) will insure. All things considered, there are not nearly enough of these smaller banks willing to accommodate all the revenue. "It's like trying to handle a two-liter soda with a Dixie cup," Laterman says.  </p><p>Across the northern border, no such problem exists. Canada has legalized marijuana for medicinal purposes throughout the country, and banks and other financial institutions have no problem working in the industry. 
"You're seeing investment banks, you're seeing accounting firms, and you're seeing law firms who will not do any transactions in the United States, but they are doing a lot in Canada," Laterman explains.</p><p>However, back in the United States, it is possible that there will be some movement on the legal issue in the near future. Some analysts have said that if more states continue to legalize marijuana, it will simply not be tenable for the country to have two sets of applicable law. Congress will have to act and change the banking laws to allow for an exception, so that a licensed marijuana distributor can use the banking system.</p><p>Moreover, what may help drive an effort for a solution is the U.S. government's realization that an industry generating billions in revenue without a banking and finance structure to support it could turn into a security nightmare. </p><p>"The money needs a place to be put, and there's not enough places to put it in. That's a growing public safety risk," Laterman says. California, he adds, holds some promise as a potential solution driver. As part of that state's legalization effort, officials set up a high-powered working group to address the legal issues. "It's a great effort; they are getting great people around the table," Laterman says.</p><p>He adds that NACB, which describes itself as the only self-regulatory organization (SRO) in U.S. cannabis, will continue its work of professionalizing the industry with credentialing, licensing, education, and other such programs. "We need to address the trust and information gaps, and better understand who the players are," Laterman explains. </p><p>Meanwhile, security managers who are curious about what it is like to work in the U.S. cannabis industry may want to check out The Marijuana Project, a novel published by Gouin (under the pen name Brian Laslow) that was in part inspired by his experiences in the industry. 
</p><p>In the book, security expert Sam Burnett, a conservative family man who runs a security program at a medical marijuana production facility, wrestles with the moral issues of working with the drug while he navigates the dangerous plot twists and turns that the thriller storyline takes him through. Although the book is fiction, the various industry issues and scenarios that the main character, a security expert, is involved with may be of educational value.</p><p>As for the real-life Gouin, who initially wondered if working in the cannabis sector would tarnish his professional reputation, he now says his experience was a positive one for his business: "It gave me another niche." And so his advice for fellow security managers who are interested in following his lead is "go for it"—as long as they do their due diligence beforehand.</p><p>"You have to understand the quirks of the industry," he says. </p> to Article: “Evolving Biothreats”<p>It was with great interest that I read the article "Evolving Biothreats" in the January 2018 edition of <em>Security Management. </em>This particular subject has obviously taken a back seat of late, but it does indeed remain a critical priority issue both in the United States and internationally. In the years since the Anthrax attacks in 2001, the topic of coordinating a biodefense strategy has been studied, analyzed, and presented to the U.S. Congress and the three previous presidential administrations, resulting in very little attention or progress in regards to developing a comprehensive biodefense plan to meet the multiple and diverse threats that we face on a daily basis. </p><p>The GAO study mentioned in the article appears to clearly highlight some of the critical vulnerabilities within the current configuration of responsibilities.
The sheer number of federal, state and local agencies that have individual or overlapping cognizance for the variety of incidents that could present themselves results in the potential of tardiness of action, duplicate accountabilities, and difficulties with basic communication and coordination issues. The number of studies completed since 2001 also highlight these same vulnerabilities. Subsequently, one common recommendation has been to establish an executive (White House) level position that would administer and coordinate the efforts among all the departments and agencies involved in the biodefense strategic plan.  </p><p>One specific study, released in 2011, the Graham-Talent Report Card, focused on the United States' posture relative to the ability to respond and recover from a multitude of biological-related events. The final analysis contained within the study revealed a sobering view of our capabilities and abilities to adequately respond and recover from any of a number of accidental, naturally occurring disease outbreaks and any nefarious acts. Little progress has been made since this landmark study was released.  Anyone having an interest in reading the entire report can find it via the Internet.</p><p>Creating and administering an effective and efficient biodefense strategic plan is exceedingly complex requiring high level government commitment, support, and adequate resources. The high-altitude model for beginning the process is represented in the following diagram.</p><p>Figure 1 Bio-defense strategic planning matrix</p><p>Provided with permission from<span style="text-decoration:underline;">, Applied Laboratory Biorisk and Biosecurity Management Guide; </span>AlphaGraphics, 2015, Kirk R. 
Wilhelm, 297 pages.​<img src="/ASIS%20SM%20Article%20Images/bio.jpg" alt="" style="margin:5px;" /></p><p>Each discipline obviously has its own unique mission(s), but all will need to communicate and coordinate with other mission responsible partners for intel acquisition and analysis of all known risks, threats, and vulnerabilities, essentially a Biorisk Assessment, which identifies the roadmap for developing all the countermeasures required for operations, biosafety, biosecurity, emergency responses, and recovery. In addition, all the communications and coordination elements must be addressed with agencies and departments required to fulfill the requirements of the overall plan. Obviously, the plan must include state, local, and medical facilities. A significant training and education program needs to be included and implemented for all concerned. </p><p>The herculean effort needed to create and administer a biodefense plan for a country the size of the United States may have contributed to the reluctance of congress and presidential administrations to create a positive action plan. The significant difference remains, that biothreats in all categories within the chart of potential sources have the potential to invoke catastrophic consequences for people, livestock, plants, and our economic prosperity. A biodefense plan must have equal attention to its sister plans for chemical and nuclear threats. The significant differentiation is that biological pathogens are living organisms, constantly mutating and changing virulent characteristics. These pathogens know no boundaries, nor do they possess any political or ideological alliances. I agree completely with the premise of the article and stress the importance that action is required in the near term. </p><p><em>Kirk R. Wilhelm, CPP, is a consultant and subject matter expert in biorisk and biosecurity. 
He retired from MRIGlobal, where he was senior biosecurity manager.</em></p><p><strong>To read the original article, "Evolving Biothreats," <a href="/Pages/Evolving-Biothreats.aspx">click here.</a></strong></p> Toronto Vehicle Attack: What we Know<p><strong>What we know so far:</strong></p><ul><li><p>Ten people died and 15 were injured on Monday when a man deliberately drove a van onto a sidewalk crowded with pedestrians in Toronto. The attack occurred around 1:30 p.m. local time.</p></li><li><p>Police say the suspect is 25-year-old Alek Minassian, who was arrested after an intense standoff with officers in the minutes following the attack. He was seen pointing an object at law enforcement, but no shots were fired during the arrest.</p></li><li><p>Canadian news source CBC says the <a href="" target="_blank">attack is not part of a larger threat to national security</a>, according to the country's Public Safety Minister Ralph Goodale. </p></li><li><p>Car rental company <a href="" target="_blank">Ryder System Inc. confirmed that one of the company's rental vehicles</a> had been involved in the attack, Reuters reports. Ryder spokeswoman Claudia Panfil said that the company was cooperating with authorities.</p></li><li><p>Toronto Deputy Police Chief Peter Yuen said there would be <a href="" target="_blank">"a long investigation" following the attack</a>, according to the BBC, and said that hotlines had been set up for victims' families and for witnesses.
He has asked for any additional witnesses who have not come forward to contact law enforcement.</p></li></ul><p><strong>Vehicle Attacks on the Rise</strong></p><p>Deadly vehicle attacks have been used by terrorists in recent years, and USA Today has <a href="" target="_blank">published a list</a> of some of these incidents over the last four years. </p><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody>
<tr><td class="ms-rteTable-default" style="width:25%;"><strong>Location</strong></td><td class="ms-rteTable-default" style="width:25%;"><strong>Killed</strong></td><td class="ms-rteTable-default" style="width:25%;"><strong>Injured</strong></td><td class="ms-rteTable-default" style="width:25%;"><strong>Date</strong></td></tr>
<tr><td class="ms-rteTable-default">Houston</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">3</td><td class="ms-rteTable-default">March 2018</td></tr>
<tr><td class="ms-rteTable-default">NYC Hookah Bar</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">7</td><td class="ms-rteTable-default">December 2017</td></tr>
<tr><td class="ms-rteTable-default">Barcelona, Spain</td><td class="ms-rteTable-default">14</td><td class="ms-rteTable-default">100</td><td class="ms-rteTable-default">August 2017</td></tr>
<tr><td class="ms-rteTable-default">Times Square, NYC</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">22</td><td class="ms-rteTable-default">May 2017</td></tr>
<tr><td class="ms-rteTable-default">London Bridge, U.K. </td><td class="ms-rteTable-default">8</td><td class="ms-rteTable-default">48</td><td class="ms-rteTable-default">June 2017</td></tr>
<tr><td class="ms-rteTable-default">Westminster Bridge, U.K.
</td><td class="ms-rteTable-default">5</td><td class="ms-rteTable-default">50</td><td class="ms-rteTable-default">March 2017</td></tr>
<tr><td class="ms-rteTable-default">Berlin, Germany</td><td class="ms-rteTable-default">12</td><td class="ms-rteTable-default">50</td><td class="ms-rteTable-default">December 2016</td></tr>
<tr><td class="ms-rteTable-default">Ohio</td><td class="ms-rteTable-default">-</td><td class="ms-rteTable-default">14</td><td class="ms-rteTable-default">November 2016</td></tr>
<tr><td class="ms-rteTable-default">Nice, France</td><td class="ms-rteTable-default">86</td><td class="ms-rteTable-default">Several Hundred</td><td class="ms-rteTable-default">June 2016</td></tr>
<tr><td class="ms-rteTable-default">Valence, France</td><td class="ms-rteTable-default">-</td><td class="ms-rteTable-default">2</td><td class="ms-rteTable-default">January 2016</td></tr>
<tr><td class="ms-rteTable-default">Quebec</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">October 2014</td></tr>
</tbody></table></div> Control for Healthcare and Nursing Facilities<p>Access control within the healthcare industry—particularly in hospitals and nursing homes—requires a unique approach, encompassing not only main entrance doors, but also internal entrances and exits based on location and access level. And more than that, these facilities must manage large quantities of data, making data management a critical component of a comprehensive security plan. </p><p>Security managers can work to secure these components by seamlessly integrating systems together. For example, various doors and locks can be programmed to activate at specific times and rules can be applied based on time of day, shift changes, specific department access, and more.
Healthcare facilities also look for the ability to control access remotely through mobile applications, confirm identity quickly and easily, and program varying levels of access for visitors, patients, doctors, and staff. These facilities also require oversight 24 hours a day, seven days a week, which can be a challenge for security directors. </p><p>Similarly, nursing homes require robust access control to protect patients and high-value assets, such as medical equipment and prescription medications, from internal and external theft. Additionally, some nursing home patients require more robust monitoring, meaning that access control points and video surveillance must work together to enable administrators to monitor incoming and outgoing patients, visitors, and staff. </p><p>Both kinds of facilities must be careful with sensitive materials, such as narcotics and sterile environments, that require added protection and protocols. Medical files and controlled substances must be protected by electronic access-controlled cabinet locks to provide hospitals and administrators with the required audit trail in case of a breach. </p><p>Video surveillance in nursing homes is a critical component of a comprehensive security solution. Its usefulness centers around operational efficiencies such as managing deliveries of important goods, monitoring food preparation, ensuring proper care of patients, and overseeing the constant flow of people coming in and out of a facility. Video also becomes important in the event of an incident for investigative purposes. </p><p><strong>Putting it All Together</strong></p><p>A large healthcare organization must take the safety and security of patients—and their personal information—seriously. Implementing a security management system (SMS) can integrate a facility's access control technologies, digital video, and alarm monitoring systems into a single, streamlined solution. 
</p><p>Going even further, in many large enterprise organizations, multiple databases can be incorporated into an SMS, including a human resources software program. The result is the ability to streamline data input with the push of a button. For example, when an employee is terminated, access is automatically revoked when an HR manager changes the person's employment from "active" to "inactive." This means the integration of data requires only a single update to control access across the campus. </p><p>The need for integration will continue to drive innovation in access control, not only for security systems, but also for human resources, directory software tools, and event management programs. Busy facilities and their administrators require the ability to grant permissions in a way that not only saves time and energy on manual input, but also makes changing permissions easy and efficient.  </p><p>Also important to a healthcare facility is the protection of personal information from prying eyes and hackers, which means access to records must be heavily protected. In many facilities, biometrics are being used—via iris or fingerprint scanners—to protect important information from would-be hackers. This way, only authorized users have access to the information. Additionally, IT departments within these facilities are working closely with security leaders to ensure that networks are as secure as possible to protect from ransomware attacks, which have plagued the healthcare industry in the last few years.  </p><p><strong>Locking Down </strong></p><p>Lockdown capabilities are paramount within today's healthcare settings, driving access control manufacturers to provide solutions that make it easy for security directors to control access quickly and efficiently in the event of an emergency. 
End users are also looking for mobility, and having a mobile application to help grant access, freeze access, or change permissions easily is important in this vertical market, along with the ability for security teams and professionals to move freely throughout the facility.  </p><p>One area where this is critical is in nursing homes. These entities must provide loved ones with the knowledge and peace of mind that their family members are safe while balancing freedom with security. In some instances, patients with dementia or Alzheimer's require additional, around-the-clock care that can be extended to the entrances and exits of a facility. In turn, nursing homes must invest in the ability to lock down a facility to keep patients from exiting without notifying staff, while also providing the welcoming environment that facilities hope to foster. Certain access control systems allow caregivers within a nursing home facility to let visitors in and out with the touch of a button, while keeping at-risk patients from exiting the facility.  </p><p>Healthcare facilities must provide safety and security for visitors, patients, staff, and assets. The ability to lock down portions of a hospital or an entire facility is crucial to its ongoing operations. Additionally, having a system in place that allows security officials to communicate these rules quickly and efficiently through an easy-to-use interface is key to adhering to the rules and regulations that govern healthcare facilities. Access control is critical to the success of security programs, and being able to integrate with data management platforms can make this task easier than ever before.  </p><p><em>Kim Loy is director of Technology and Communications at Vanderbilt Industries.</em></p>
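<p>The HR-driven revocation, shift-based door rules, and lockdown described in the access control article above can be modeled in a few lines. This is an added example, not code from the article or from any vendor's product; every class, badge ID, door name, and the fail-closed handling of badges with no HR record is an assumption made for illustration.</p>

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Credential:
    badge_id: str
    employee_id: str
    role: str            # hypothetical roles, e.g. "nurse", "pharmacist"
    enabled: bool = True


@dataclass(frozen=True)
class DoorRule:
    door: str
    roles: frozenset
    start: time          # window start (inclusive)
    end: time            # window end (exclusive); may wrap past midnight

    def allows(self, role: str, at: datetime) -> bool:
        if role not in self.roles:
            return False
        t = at.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # night shift, e.g. 19:00-07:00


class AccessSystem:
    def __init__(self, credentials, rules):
        self.credentials = {c.badge_id: c for c in credentials}
        self.rules = list(rules)
        self.locked_down = set()
        self.audit = []      # (timestamp, badge_id, door, granted, reason)

    def sync_hr(self, hr_status: dict) -> list:
        """Disable every enabled badge whose owner is not 'active' in the HR feed.

        Assumption: a badge with no HR record is treated like 'inactive'
        (fail closed), which also surfaces orphaned badges HR never knew about.
        """
        revoked = []
        for cred in self.credentials.values():
            status = hr_status.get(cred.employee_id, "missing")
            if cred.enabled and status != "active":
                cred.enabled = False
                revoked.append((cred.badge_id, status))
        return revoked

    def lock_down(self, *doors):
        self.locked_down.update(doors)

    def decide(self, badge_id: str, door: str, at: datetime):
        """Return (granted, reason) and record the decision in the audit trail."""
        cred = self.credentials.get(badge_id)
        if cred is None:
            result = (False, "unknown badge")
        elif not cred.enabled:
            result = (False, "credential revoked")
        elif door in self.locked_down:
            result = (False, "door in lockdown")
        elif any(r.door == door and r.allows(cred.role, at) for r in self.rules):
            result = (True, "rule match")
        else:
            result = (False, "no rule for role/time")
        self.audit.append((at.isoformat(), badge_id, door) + result)
        return result


def demo():
    # Constructed sample data: three badges, two doors, one HR feed.
    creds = [Credential("B100", "E1", "pharmacist"),
             Credential("B200", "E2", "nurse"),
             Credential("B300", "E9", "nurse")]      # E9 is absent from HR
    rules = [DoorRule("pharmacy", frozenset({"pharmacist"}), time(7), time(19)),
             DoorRule("ward-3", frozenset({"nurse"}), time(19), time(7))]
    acs = AccessSystem(creds, rules)
    noon = datetime(2018, 5, 1, 12, 0)
    night = datetime(2018, 5, 1, 23, 30)
    out = {"before": acs.decide("B100", "pharmacy", noon)}
    # HR flips E1 from "active" to "inactive": one update, every door affected.
    out["revoked"] = acs.sync_hr({"E1": "inactive", "E2": "active"})
    out["after"] = acs.decide("B100", "pharmacy", noon)
    out["night_shift"] = acs.decide("B200", "ward-3", night)
    out["off_shift"] = acs.decide("B200", "ward-3", noon)
    acs.lock_down("ward-3")
    out["lockdown"] = acs.decide("B200", "ward-3", night)
    out["audit_len"] = len(acs.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

<p>The list returned by <code>sync_hr</code> doubles as a drift report: any badge revoked with status "missing" was live in the access system without a matching HR record.</p>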