https://sm.asisonline.org/Pages/What's-New-in-Access-Control.aspx
What's New in Access Control?
Physical Security
<p>Innovation in access control is quietly heating up. The industry is ready to implement innovations on a broad scale that have been just out of reach. Demand for virtual credentials is growing, facial recognition technology is both technically and economically feasible, and migration to the cloud is increasing—and increasingly beneficial. Over the next few years, market adoption of these advances will transform the ways security professionals operate and organizations benefit from their access control systems.</p><p><strong>Virtual credentials and mobile access technology</strong></p><p>The demand for virtual credentials and mobile access is intensifying, driven in part by younger members of the workforce who never go anywhere without their smartphones. Suffice it to say, most employees wouldn't turn their cars around for a forgotten physical credential, but they'll certainly restart their commutes to collect forgotten smartphones.</p><p>The benefits are simple: convenience, compliance, and satisfaction of workforce demand. Everyone carries their phone, security professionals enhance their management capabilities, and employees can stay on the move. By including the credential in a mobile device, embedded in an app, organizations can also provide novel security capabilities, such as threat reporting and virtual photo ID.</p><p>The good news is that virtual credentials and mobile access technology have progressed to the point that they are easier to implement. Migration is straightforward, and implementation does not need to be all-or-nothing. Instead it can be taken in phases leading to an interim hybrid approach that includes physical and virtual credentials.
</p><p><strong>Facial recognition</strong></p><p>Facial recognition offers the advantage of using existing access control rules, while reducing the friction of the user experience.</p><p>Picture a busy New York City high-rise office building with turnstiles that control access to an elevator lobby. There are always a few employees who have to search their pockets or backpacks to fish out a physical credential. Implementing facial recognition eliminates that bottleneck. The software scans people as they approach the turnstile and transmits a virtual credential to the access control system. Where a line might otherwise have formed, authorized employees now pass through turnstiles efficiently.</p><p>Facial recognition access control is no longer out of reach. Today's computing power can be combined with increasingly high-definition cameras and advanced recognition algorithms to bring the costs of implementation way down.</p><p><strong>Access control in the cloud</strong></p><p>The access control server is the nerve center of an access control system, but it no longer needs to physically exist. The increasing prevalence of the cloud eliminates that necessity.</p><p>Rather than dealing with the maintenance of a physical server, the speed and convenience of the cloud can handle everything a hardware box used to. This advance allows for increased scalability. And it provides flexibility in how security professionals purchase and use access control servers. Now the integrator or manufacturer can reduce end user burden and cost by ensuring that systems are backed up and updated remotely.</p><p><strong>What's next?</strong></p><p>Innovations in access control systems will drive the industry over the coming years. Novel credentials, such as mobile access and face recognition technology, combined with cloud-based servers will deliver an altogether improved experience.</p><p><em>John L. Moss is CEO of S2 Security.</em></p>
https://sm.asisonline.org/Pages/GridEx-IV-Tests-The-North-American-Power-Grid.aspx
GridEx IV Tests The North American Power Grid
Security by Industry
<p>The North American power grid is completing its largest biennial exercise today, called GridEx, with its highest number of participants since it was launched in 2011 by the North American Electric Reliability Corporation (NERC).</p><p>More than 5,000 electric utilities; regional and federal government agencies in law enforcement, first response, and intelligence community functions; critical infrastructure cross-sector partners; and supply chain stakeholders participated in GridEx IV, a biennial exercise designed to simulate a cyber/physical attack on electric and other critical infrastructure across North America.</p><p>The exercise promotes a strong learning environment and collaboration between industry and the public sector to "enhance the security, reliability, and resiliency" of the bulk power system, said Charlie Baradesco, CEO of NERC.</p><p>Exact details of the exercise are not released due to security concerns. But it is similar to the other GridEx exercises in that it has participants work through their incident response plans, practice their local and regional response, engage interdependent sectors, improve communication skills, engage senior leadership, and compile lessons learned. The exercise, however, has no impact on the real electric grid.</p><p>GridEx IV is a "series of escalating scenarios in which the system is stressed continually further," says Tom Fanning, Electricity Subsector Coordinating Council cochair and chairman, president and CEO of Southern Company.
"Consider the joint effects of a cyber and kinetic attack that, as time goes by, creates greater consequences to our ability to undertake commerce…what we're looking for are the potential friction points or breaks in the system. That's how we learn."</p><p>Also new this year is an emphasis on communication with the public, incorporating social media response and fake news mitigation, says Marcus Sachs, CSO of NERC. On the first day of the exercise, participants uploaded photographs of simulated damage, explosions, and news stories to test how that information would play out.</p><p>"Allowing that to play out in an exercise space…shows how the simulation is a good replication of real world problems that we face," Sachs says.</p><p>The exercise also pulls in other industry stakeholders outside of the utilities sector, such as finance and telecom, because the utility sector is dependent on these to get the grid back up and running should an incident occur.</p><p>"We're taking the Russian nesting doll approach to preserving our system when it's under duress," Fanning adds. "We're dependent on telecom—we've got to be able to talk to our people in the field."</p><p>While a cyberattack has never turned off the power in North America, stakeholders must remain vigilant, Baradesco added in a call with reporters on Thursday. GridEx helps ensure "we remain as prepared as possible."</p><p>More than 400 executives—from government and the private sector—are also involved in this year's GridEx, participating in tabletop exercises to work through how they would handle an attack on the grid.</p><p>This participation is critical, Sachs says, because "security starts at the top."</p><p>And this commitment to getting those at the top involved in the exercise sets GridEx apart from other exercise scenarios, says Brian Harrell, CPP, vice president of security at AlertEnterprise.
</p><p>"While federal partners have often incorporated losing critical grid components within their exercise scenarios, GridEx is the only event that has industry CEOs, trade associations, government partners, academia, and utility subject matter experts responding to a grid reliability scenario," Harrell says.</p><p>Harrell is the former operations director of the Electricity ISAC and director of critical infrastructure protection programs at NERC. He helped launch the first GridEx in 2011 because, as the largest machine on the planet, the North American power grid requires constant maintenance, monitoring, and continuous learning.</p><p>"Exercises are a key component of national preparedness—a well-designed exercise provides a low-risk environment to test capabilities, familiarize personnel with security policies, and foster interaction and communication across organizations," Harrell adds.</p><p>Participation in GridEx is voluntary, but Harrell says there is value for utilities to participate—even if in a limited capacity.</p><p>"Reviewing the security response to the grid's critical components, such as generators, large substations, and transmission lines during a disruptive, coordinated attack on the grid will help industry understand how to make the system more secure," he says.</p><p>Other industries—both those inside and outside the United States—run exercises to test specific response plans, policies, and procedures. But these exercises tend to focus on reliability issues, as a result of supply shortages, natural disasters, and catastrophic failure, Harrell explains.</p><p>"Very few exercises incorporate a coordinated physical and cyberattack scenario designed to destroy critical infrastructure components," Harrell says.</p><p>This has become all the more important after the cyberattack on Ukraine's electric grid in December 2015, which resulted in the first known loss of power due to a cyberattack.
</p><p>"The United States has never experienced a massive cyberattack-related power outage, but there have been direct cyber events in recent years against energy infrastructure, including intrusions into energy management systems, targeted malware, and advanced persistent threats (APTs) left behind on computers by phishing attacks," Harrell says. "The perception that cyber risks are low because only a few and limited attacks have occurred on industrial control systems is not just ignorant, but highly dangerous."</p><p>Once GridEx IV is completed, participants will begin to share lessons learned, which NERC will compile into an after-action report. That report, according to officials on Thursday's call, is expected to be released in March 2018.</p>
https://sm.asisonline.org/Pages/School-Lockdown-Procedure-Prevented-Tragedy-in-Rancho-Tehama.aspx
School Lockdown Procedure Prevented Tragedy in Rancho Tehama
Physical Security
<p>Students were running around on the playground and parents were dropping their children off at Rancho Tehama Elementary School Tuesday morning when the school secretary heard the first gunshots fired by Kevin Neal up the road. Without delay, the administrators started a reverse evacuation and lockdown procedure, whisking children and parents alike into the elementary school. By the time Neal—who was on a shooting rampage throughout the small town—arrived at the campus, two-thirds of the school’s 100 students were inside, said district superintendent Richard Fitzpatrick.</p><p>The school’s head custodian saw Neal crash his truck into the school’s gate and begin walking toward the facility, so the custodian stepped out and distracted him while the rest of the students were ushered into safety. Neal began firing but his gun jammed, providing essential seconds for the custodian to escape.</p><p>"The custodian's actions in diverting the attention from the shooter at that time gave us the much-needed seconds to complete the (lockdown) process," Fitzpatrick said in a Wednesday press conference. "That amount of seconds was critical."</p><p>Through surveillance video, Neal can then be seen going from door to door trying to find an entry, and when he failed, he began shooting through the school’s walls, windows, and doors. One child received gunshots in his chest and right foot while crouching under a table inside the classroom and is in fair condition at a local hospital.</p><p>Neal was unable to find an unlocked door to access the students, parents, and staff in the school, so he left the campus and was shot and killed by police a short time later.
Fitzpatrick acknowledged that while one student was seriously injured, the incident could have ended much worse.</p><p>"The reason that I'm standing here today and I'm able to speak to you without breaking down and crying is because of the heroic efforts of our school staff," Fitzpatrick said.</p><p>Paul Timm, PSP, vice president at Facility Engineering Associates and a member of the ASIS School Safety and Security Council, says that the school’s straightforward and efficient lockdown procedure was the result of a heightened level of awareness.</p><p>“We are in a time of heightened awareness,” he tells <em>Security Management</em>. “This is following the events of Las Vegas, New York, and Texas. While only one of those involved a school, at the forefront of our minds is that there could be some kind of violence that takes place in our communities. One was a concert, one was a church, and one was right during dismissal time near a bike path before a parade. I think that helps everybody because we’re thinking, ‘how would I respond, what would I do, are we prepared?’ And that had to help them.”</p><p>Timm encourages school officials to always err on the side of caution when it comes to enacting lockdown or evacuation procedures—he notes that Rancho Tehama administrators began lockdown procedures before seeing the threat or being alerted by law enforcement. </p><p>“Not many of us really know, genuinely, what gunshots will sound like, and in Rancho Tehama they were able to just say, ‘I’m not going to assess whether that’s a real gunshot or not, we’re just getting in motion,’” Timm notes. “I think that erring on the side of caution is always the best thing to do. 
We can always say ‘whoops’ if someone got excited over a balloon popping and went into lockdown, but you’d much rather see them err on that side than someone investigating and finding out we’re not where we should be and we’re in big trouble.”</p><p>Timm has been in the school security industry since before the Columbine High School shooting, and says that, despite the relative regularity of incidents at schools, he often hears that people don’t want to increase school security. “Sometimes people say to me that it’s a shame that we have to live in a time where these things happen and we have to keep schools locked down,” he says. “I like to equate it to vehicle safety—In the 70s you could buy a car that didn’t have seatbelts and car seats were nonexistent. That doesn’t mean it was better back then—it wasn’t. It might be less comfortable, but let’s face it, it’s safer to wear a seatbelt, to have kids in car seats. Whenever schools are questioning whether or not basic access control, emergency preparedness, and communication systems and capabilities are necessary, I don’t think it’s sad—I think the safer way to go is generally the better way, as long as we can keep perspective. I don’t want schools to look like Fort Knox either, but I do want them to be safer than they are today.”</p><p><em>For free school security resources compiled by ASIS, visit <a href="https://www.asisonline.org/Membership/Member-Center/Security-Spotlight/Pages/Spotlight-on-School-Security.aspx" target="_blank">https://www.asisonline.org/Membership/Member-Center/Security-Spotlight/Pages/Spotlight-on-School-Security.aspx</a>.</em><br></p>
https://sm.asisonline.org/Pages/Securing-Service--How-Security-Is-Helping-The-Children-Of-Camden-County.aspx
Securing Service: How Security Is Helping Camden County’s Children
Security by Industry
<p>The environment in which children grow up can shape their behaviors and influence their health, studies show. The social and economic features of a community can have major implications on mortality, general health status, disabilities, birth outcomes, mental health, injuries, violence, and other important health signs, according to a brief published by the Robert Wood Johnson Foundation Commission to Build a Healthier America.</p><p>Camden City in Camden County, New Jersey, is directly across the Delaware River from Philadelphia, Pennsylvania. Although it is surrounded by some of the wealthiest communities in New Jersey, it’s ranked the poorest and most crime-ridden city in New Jersey. Neighborhood Scout—an online research group—ranked Camden City as the fourth most dangerous city in 2017.</p><p>This is because with a population of 70,309 people, Camden City had 1,895 violent crimes in 2014—meaning the city averaged 25.66 violent crimes per 1,000 residents. That rate is six times higher than the national average of 3.8.</p><p>Additionally, Camden City is among the poorest cities in the nation. The unemployment rate is 30 to 40 percent, with a median household income of $26,000.
In 2011, a <em>Rolling Stone</em> report found that a quarter of a billion dollars was being made in revenue from about 175 open-air drug markets, but the annual tax income was only $24 million.</p><p>Virtua is a large healthcare system serving southern New Jersey that provides care through three hospitals (Virtua Marlton, Virtua Memorial, and Virtua Voorhees), three health and wellness centers, two long term care and rehab centers, three medically-based fitness centers, 16 mobile intensive care units, and a variety of outpatient health services. Virtua also has two satellite emergency departments.</p><p>The healthcare system’s mission supports health, wellness, and accessibility to all. Beginning in late 2013, Virtua began making strides to promote the health and well-being of the children in Camden City when the Early Intervention Program (EIP) became a comprehensive agency in Camden County.</p><p>EIP provides a variety of therapeutic and support services to help infants and toddlers with developmental issues. As part of the program, practitioners—including physical therapists, occupational therapists, speech-language pathologists, social workers, special education teachers, behaviorists, and teachers—help children from birth to age three overcome delays.</p><p>During 2011, 2012, and most of 2013, most of those in Camden City who were eligible for EIP had difficulty receiving timely services. Services are considered timely when they start within 30 days of a plan being written. Camden City’s national reputation as a high crime area made it difficult for healthcare providers to ensure their own safety, limiting their ability to respond to requests for services through EIP.</p><p>In 2013, more than 200 children in Camden County waited more than 30 days for their services to start—waiting an average of 48.39 days with a longest wait of 121 days. 
This not only affected families in Camden County, but also held up other children on the list for services because if the first child on the waitlist was from Camden City, he or she had to receive services before other children further down the list could receive services. With no practitioners available, the number of children served decreased over time while the wait time for services increased.</p><p>The security department of 19 full-time employees and several part-time employees assigned to the Virtua Camden campus provides routine and emergency services to the entire campus, as well as other services: producing ID badges, managing beepers, managing the lost and found, receiving package deliveries, handling patient belongings and valuables, and providing nuclear medicine escorts and vehicle assistance.</p><p>When the notion of providing security escorts to EIP staff was proposed, the security department rose to the challenge. Each officer volunteered to be available for patient visits, realizing how important it was for young children in Camden to receive the EIP services.</p><p>To set up a security escort, EIP staff would call the security department—at least two days before the service was needed but no more than five days in advance—and provide the date the service was needed, the pick-up time, and the drop-off time. EIP staff also shared their cellphone number so they could be reached.</p><p>The security department then logged the information into an Early Intervention & Home Care Security Escort Form that included the practitioner’s name, cell phone number, and estimated start and end times. Then, from a list of available officers, the department would contact officers to fill the security escort—preference was given to non-overtime per diem, part time, and pool officers. If a security officer was not available, the department would contact the EIP manager.
</p><p>When practitioners arrived on campus, the assigned security officer would travel with the practitioner—in his or her personal vehicle—to the appointment location. The officer then stationed themselves outside the location, unless specifically invited to enter, to respond to any signs of distress and protect the practitioner’s vehicle.</p><p>The value and success of the security escort program continued the EIP’s growth. Within a few months, the security escort service expanded as the department became critical in supporting the EIP. In December 2013, the department provided 20.75 hours of security escorts per month and the average wait time for children waiting for services dropped from 48 days to 12.</p><p>By October 2014, the service had expanded to provide 83.50 hours per month, and continued to grow. A mother and her child were also invited to a holiday staff meeting to share their experience with the EIP and the difference the service made to her family.</p><p>The mother explained that children only have a small window of time to receive early intervention services because when they reach 36 months of age, they are no longer eligible to receive services. By reducing the wait time for services, the security department was able to ensure more children were reached, and their needs were identified and addressed.</p><p>In 2015, the security department saw a decrease in the number of calls it was receiving for escort services. Department leadership contacted the EIP leadership to discuss the decrease, and found that EIP staff had become more comfortable providing services within Camden City without a security presence. The EIP staff said they felt welcomed by the residents and that the residents knew they were providing valuable services to the children of Camden.
</p><p>Meanwhile, the number of services that the EIP provides has continued to grow in Camden County—increasing from 284 in 2012, to 294 in 2013, 4,123 in 2014, 6,302 in 2015, and 7,978 in 2016.</p><p><em>Maria P. Emerson, MA, CCC-SLP, is the director of the Virtua Early Intervention Program. Maria Franchio, PT, is AVP of Virtua Rehabilitation Services. Dana Gussey is a public health major at Stockton University and an intern in the Virtua Safety Department. Paul Sarnese is the AVP of safety, security, and emergency management for the Virtua Safety Department.</em></p>
https://sm.asisonline.org/Pages/Highway-to-Hurt.aspx
Highway to Hurt
Physical Security
<p>Smuggling is a serious crime, but when the cargo being smuggled is human, the crime can go beyond serious, into the realm of the tragic.</p><p>A particularly horrid example of this came about last July, when authorities found the gruesome results of a criminal smuggling enterprise: 39 undocumented immigrants, nine dead (a tenth died later) and the rest needing hospitalization, lying in a tractor-trailer parked at a Walmart in San Antonio, Texas. The trailer had contained an estimated 70 to 200 illegal aliens total during its journey, according to court records.</p><p>A few weeks later, U.S. Immigration and Customs Enforcement (ICE) officials reported that the San Antonio incident was only one of four that had occurred in nearby areas, all within a few weeks’ time. Although the other three did not involve loss of life, they were still disquieting; in one of the incidents in July, border agents in Laredo, Texas, found 72 people from Mexico, Ecuador, Guatemala, and El Salvador locked inside a trailer. Border security leaders pledged to fight the problem.</p><p>“This horrific crime…ranks as a stark reminder of why human smuggling networks must be pursued, caught and punished,” ICE Acting Director Thomas Homan said after the San Antonio incident. “[ICE] works year-round to identify, dismantle, and disrupt the transnational criminal networks that smuggle people into and throughout the United States. These networks have repeatedly shown a reckless disregard for those they smuggle.”</p><p>How do these human smuggling operations work?
Often, the process begins a few months before the smuggling, in a country such as Mexico, Guatemala, or Honduras, where sizable numbers of people are looking to emigrate, according to an investigation and review of court documents by the Associated Press. Those seeking to cross the border get to the Mexican–U.S. border region, and then cross by foot or river raft. They are then picked up by a tractor trailer somewhere past the border. The stressful traveling conditions make them vulnerable—dehydration, hyperthermia, and asphyxiation have been among the causes of death in truck cases.</p><p>One analyst, the U.K.-based global risk firm Verisk Maplecroft, warns companies that an increase in human smuggling activity could have ramifications for supply chain security. “Under the Trump administration, businesses with supply chains that rely on low-skilled, temporary migrant labour will face increasing risks of modern slavery in their workforce,” the firm says in one of its risk reports for 2017.</p><p>Verisk Maplecroft outlines the risk involved as follows. The construction of a U.S.–Mexico border wall, or stricter enforcement of deportation rules, will not reduce the appeal of migration for thousands of Latin Americans. But it could increase trafficking costs and deepen migrant worker debt, making migrants more vulnerable to exploitation. Suppliers in agriculture, construction, manufacturing, hospitality, and transport would be most exposed to supply chain risk.</p><p>Emigration-related schemes are not the only form of human smuggling that ICE and its allies are fighting. Human trafficking for the purposes of coerced sex trade operations also continues—a practice that groups like Truckers Against Trafficking (TAT) are trying to help eradicate.</p><p>The group, a 501(c)(3) nonprofit, takes an all-hands-on-deck approach and partners with members of the trucking and truck stop industries, law enforcement officers, and trafficking survivors to fight human trafficking.
The group’s educational efforts include a 36-minute video that offers an overview of the trafficking issue, as well as four-hour training sessions for law enforcement officers such as the state highway patrol, according to Kylla Lanier, deputy director and cofounder of TAT.</p><p>Included in this training are case studies from officers who stopped a truck for a violation, and then upon closer inspection detected a trafficking incident. In the case studies, officers give a breakdown of the indications that tipped them off, and offer advice and best practice guidance for other officers.</p><p>For example, the passengers in the truck may exhibit some telling signs and behaviors, Lanier explains. “If the passengers are young, are they afraid to look at you? Are they acting like normal kids, or are they looking really scared?” she says. Sometimes, the passengers may have branding tattoos or bruises from physical abuse, and may be carrying many hotel key cards. Officers who speak with the driver and passenger separately sometimes find out that their respective stories do not match, or even make much sense.</p><p>Traffickers also exploit locations as well as victims, she adds. They will look for rest stops and other areas that are not well lit, without visible security, and which have a captive audience of drivers rolling through. “That’s where they will bring their victims to,” she explains. TAT works with truck stop industry partners to help make their facilities more safe and secure.</p><p>TAT also works closely with sex trafficking survivors; the group has two on staff. Survivors are key in the antitrafficking movement, because they can change perceptions about the sex trade.</p><p>Prostitution is “a vicious evil system” that has been whitewashed as a victimless crime, Lanier says, in part through unrealistic portrayals like the movie Pretty Woman.
In reality, the vast majority of those in the trade are being prostituted against their will, in hotels, motels, and rest areas, and are “cruelly raped and beaten within an inch of their lives,” she explains.</p><p>“It’s not the oldest profession,” Lanier says, “it’s the oldest oppression.” One study found that the rate of post-traumatic stress disorder among prostitutes is equal to that of war veterans, she adds.</p><p>Given this, having the survivor’s voice in the issue is vitally important, because they can discuss the victim’s experience and point of view and “what’s going on behind the scenes,” Lanier explains. So, when people assume the survivor turned to prostitution to support a drug habit, the survivor can tell them it was just the opposite—being forced into the sex trade made the victim turn to drugs and alcohol.</p><p>Such compelling stories from survivors have helped the antitrafficking cause spread awareness, and the cause has made inroads. And on the legislative front, other advocacy groups such as Polaris pressured the U.S. House of Representatives into reauthorizing the Trafficking Victims Protection Act, which was created in 2000, in July 2017.</p><p>But in the end, demand for prostitution needs to be reduced so that further inroads can be made, and that will take “a societal paradigm shift,” Lanier says.</p>
https://sm.asisonline.org/Pages/Slipping-Through-the-Cracks.aspx
Slipping Through the Cracks
National Security
<p>Federal, state, and local law enforcement agencies will soon have their pick of surplus U.S. military gear, including grenade launchers and high-caliber weapons, after U.S. President Donald Trump rolled back an Obama-era action curtailing the transfer of military equipment to police.</p><p>The U.S. Department of Defense (DoD) Law Enforcement Support Office (LESO) program was reined in by then President Obama in 2015 after a spate of killings by police sparked public outrage.</p><p>Law enforcement agencies could still acquire medical supplies, training devices, protective gear, and some lethal weapons through the reduced LESO program, but the full range of excess military equipment was unavailable.</p><p>The program has been fully reinstated. Concerns about the program’s ability to properly disseminate the military equipment were raised even before Trump expanded the policy. While investigating the LESO program, a congressional watchdog agency stumbled upon an “ineligible entity” that had categorized itself as a federal agency and successfully gained access to military equipment. The U.S. Government Accountability Office (GAO) notified DoD and learned that the case was already being investigated.</p><p>But at one point the entity had been approved to use the LESO program. So in late 2016, GAO decided to figure out how this happened by creating its own fraudulent federal agency and applying to the LESO program.
The investigation ended up going much further than researchers initially expected.</p><p>“We noticed that one of the participants in the program had a somewhat unusual name, and we weren’t aware of a federal agency having that particular name,” explains Zina Merritt, director of GAO’s Defense Capabilities and Management Team. “We kept looking at the processes through which DoD provided this equipment to federal agencies, and we decided that it would be appropriate to task the internal controls through using our investigative capabilities to see how vulnerable the program potentially was.”</p><p>The Defense Logistics Agency (DLA) manages the LESO program, which has provided more than $6 billion in excess DoD property to more than 8,600 agencies since 1991. While GAO was investigating the program, before Trump expanded access to equipment, about 4 to 7 percent of the property was sensitive and could not be released to the public. GAO has studied the LESO program before, and upon the most recent review found that most policy enhancements had occurred at the state and local level; few had been made in regard to federal agencies.</p><p>GAO researchers submitted a fake application that included a fictitious agency name, number of employees, point of contact, and physical location. They were surprised when, in early 2017, the nonexistent agency was approved to participate in the LESO program. </p><p>“We thought they would have noticed that our Web address was not a .gov address,” Merritt says. “We thought they would probably call us and verify some of the information, and they did not—correspondence was mostly by email. They asked us for the statute that created our particular organization, and we sent them a bogus statute, but they didn’t catch that. 
We left them a lot of bread crumbs but we didn’t get caught, and we thought we would get caught along the way—we were hoping that we would get caught.”</p><p>The investigators were given access to the program’s online portal to request property and selected more than 100 items, including night vision goggles, simulated rifles, and pipe bomb trainers—items that could be made lethal if modified with commercially available items. </p><p>When researchers went to pick up the items from a disposition site, they were able to pass security checks and enter the warehouse—two of the three sites did not check the investigator’s identification. They also were given more items than they were approved to receive.</p><p>When Merritt and her team disclosed their investigation, she says DLA officials were surprised by the results. </p><p>“Not only could we gain access to the program, but, we identified other weaknesses at the disposition sites, such as people not checking IDs or people not counting the items we were provided,” she says. “You have to keep in mind that we could have gotten other items such as actual rifles, Humvees, and things like that—we just opted not to get those things. But once approved, you can get lethal items as well.”</p><p>Merritt notes that in the midst of the GAO investigation, however, DLA officials had already begun to strengthen the LESO application process. </p><p>“They were creating memorandums of understanding with the federal agencies applying; that’s something they didn’t have prior,” Merritt tells Security Management. “However, they just had not gone a step further to actually have federal coordinators for the federal participating agencies. That’s a step they did after we completed the review.”</p><p>Following the GAO report’s release in July, Merritt testified before a U.S. 
House of Representatives subcommittee about the findings and further recommendations, including revising procedures for approving applications, conducting a fraud risk assessment to mitigate risk, and ensuring that officials verify the identification of people picking up items as well as the number of items retrieved. Merritt has seen other improvements to the program already, including in-person visits to LESO-involved agencies and making sure applicants are eligible to take part in the program.</p><p>“I think now, at least with the process of applications, they are ensuring they’re legitimate agencies—that’s where the principal breakdown was,” Merritt explains. “The first step was at least having better oversight and processes to prevent entities that were not eligible to participate to gain access in the first place.”</p><p>The flow of military equipment isn’t just a problem in the United States. DoD runs another program that provides military equipment to Iraqi security forces, including the Kurdistan Regional Government forces, to fight ISIS. </p><p>Since 2015, about $2 billion in equipment, such as weapons and vehicles, was funded through the Iraq Train and Equip Fund (ITEF), sent overseas, and transferred to the governments. However, another GAO report found that the transfer of equipment has not been properly documented due to data reporting and interoperability issues.</p><p>The report, DoD Needs to Improve Visibility and Accountability Over Equipment Provided to Iraq’s Security Forces, looks at how DoD tracks the status of the equipment from acquisition through transfer to foreign governments. 
</p><p>Jessica Farb, director of internal affairs and trade at GAO, tells Security Management that personnel were not properly using the Security Cooperation Information Portal (SCIP), a Web-based tool that tracks the equipment flow.</p><p>“What we found was that by not using the SCIP, which is not just for Iraq but all cooperation matériel that we provide to partnered nations, DoD broadly could not have complete visibility and be able to account for everything that was going on because the system had missing information,” Farb says. </p><p>Of the 566 requisitions marked complete that GAO studied, fewer than half had the arrival date of the equipment at the point of departure in the United States recorded, and none had information on when the equipment was shipped from the United States, when it arrived in Kuwait or Iraq, or when it was transferred to the foreign governments. </p><p>Additionally, the report found missing documentation from equipment transfers to Iraq and Kurdistan governments—more than half of the forms were missing the date of transfer and case identifier information. Officials said they issued verbal orders requiring case identifier information to be included on the forms, but GAO noted that the program’s standard operating procedures do not include that requirement.</p><p>“By not capturing the transfer dates of ITEF-funded equipment..., DoD components’ visibility over the amount of ITEF-funded equipment transferred to the government of Iraq is limited,” the report explains. The missing transit information means that DoD cannot ensure that the equipment has reached its intended destination.</p><p>GAO didn’t issue any recommendations because it could not pin down why SCIP was not being used to document the transfer of equipment. The system itself may not be importing data correctly from other DoD data systems, but there is also a lack of clear procedures for reporting the data, the report notes. 
</p><p>“Essentially, that’s why we made a recommendation about DoD looking at the root causes, because it wasn’t easy for them or for us to identify what the single cause was,” Farb explains. “Was it people not entering information, or was it interoperability issues? We didn’t really come to the conclusion that one is the biggest or the single most important issue.”</p><p>Greg Schneider, CPP, president of security consultation company Battle Tested Solutions, LLC, says both reports demonstrate the lack of control measures in such military equipment supply chains. Transferring American-made weapons to foreign governments has been a quagmire for many decades, he says, because of how easily they can fall into the wrong hands.</p><p>“Sometimes weapons that are funded for one cause can get retasked and repurposed, or sometimes go missing, because sometimes no one wants to leave any traces if they want to get arms into the hands of other people,” Schneider notes. “In Iraq and Kurdistan, there are so many different parties at play, and you have other parties on the outside that are watching with great interest the whole process of the United States delivering weapons to the Kurds because maybe they don’t like the Kurds.” </p><p>Meanwhile, Farb says GAO will continue to help DoD figure out why transfer dates for ITEF-funded equipment aren’t being recorded. Current ITEF funding ends next fall, and Farb notes that the new administration has set up a program that would both equip and train Iraq and Syria to oppose adversaries. </p><p>As for the LESO program, Merritt says GAO does not take a position on the recent change in policy, but reaffirms that as long as the program continues, the agency will be paying close attention to DOD’s efforts to rectify the lapses in security. </p><p>“The way we view it is one item of this type getting into the wrong hands is one item too many,” she says. 
“We just can’t emphasize that enough.” </p><p>ASIS International's <a href="https://www.asisonline.org/Standards-Guidelines/Documents/SCRM_Executive%20Summary.pdf" target="_blank">Supply Chain Risk Management Standard</a> helps organizations address operational risks in their supply chains, including risks to tangible and intangible assets. It was developed by a global, cross-disciplinary technical team and in partnership with the Supply Chain Security Council.</p>
https://sm.asisonline.org/Pages/Subway-Surveillance.aspx | Subway Surveillance | Physical Security
<p>For small business profitability, it’s the little things that make a difference, and keeping tabs on employees can help prevent shrinkage. According to Subway franchise owner Kim Jordan, protecting her assets means that every bag of chips and loaf of bread must be accounted for. “The only way we can make money as a franchise is by keeping our labor expenses down…and by keeping our food costs down,” says Jordan, who owns six of the sandwich franchise stores in Alabama. </p><p>Because employees often work solo shifts in the store, Jordan has experienced food theft, which drives up business costs.  </p><p>“The greatest loss to my business is employee theft, whether it may be someone walking out the door with a case full of steak, stealing products, or giving away products,” she explains. </p><p>While Jordan knew that video surveillance would help, the infrastructure for individual security systems at each store would have been burdensome from a financial and management perspective, she says. That’s when she turned to Hokes Bluff, Alabama-based security integrator Lee Investment Consultants, LLC, to determine the best solution for preventing the theft and robbery plaguing the restaurant. <img src="/ASIS%20SM%20Callout%20Images/1117%20Case%20Study%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:430px;height:244px;" /></p><p>After evaluating a number of manufacturers, the decision was made to choose two camera models and a video management system from Hanwha Techwin America. With this system, the end user can view live video remotely or from individual store locations, and easily review recorded footage.
</p><p>The install at the first store location was completed in May 2015, and over the next year and a half the other stores were outfitted. The last installation, at the store located inside a Walmart, was completed in November 2016. </p><p>To keep infrastructure costs down, the integrator provides long-term video storage at its hosting facility. It keeps footage for 30 days for the Subway stores before overwriting it. </p><p>Given the limited bandwidth Subway restaurants use mainly for their point of sale (POS) systems, local SD recording has been a major benefit of the system. For redundancy purposes, recording is performed right on the device using an SD card, and the video is uploaded overnight to the storage servers. </p><p>Most store locations have two cameras–one pointed at the sandwich line and register, and another pointed at the back portion of the store where the coolers are. One of the larger stores has three cameras, and the Walmart location only has one camera at the entrance. </p><p>“We’ve had problems where employees are voiding out transactions at the register,” Jordan says. “Once employees get clever with the computer system, they might void out an order they just transacted…and stuff that money in their pocket.” </p><p>Now the problem with employee theft at the register has gone down, Jordan says, because they can view the cameras which are pointed at the POS terminals. “We can go back and view the video at the time that void was made, so we can see if the transaction is legitimate or not.”</p><p>Many of her individual store managers have access to the camera feeds, and Jordan entrusts them with reporting any cases of theft or unwanted employee behavior.</p><p>For example, one of her managers performed an inventory check and realized several bags of sandwich sauce were missing. Suspecting one employee in particular as the culprit, that manager decided to watch a live video feed the next time that employee was working. 
</p><p>“She just sat there...and actually watched the employee sneaking out the front door with the sauces,” Jordan says. The employee was immediately fired. “If someone’s going to steal a bag of sweet onion teriyaki sauce, they’re not trustworthy.” </p><p>The cameras have also led to the arrest of employees in more serious incidents. “A few months ago a customer had come in and had left her wallet behind, so my manager put it in a filing cabinet and told an employee that was coming in it was there,” she explains. “And when the lady came to pick up her wallet, she had a credit card and cash that was missing.” </p><p>Video revealed that the employee who knew where the wallet was had stolen a credit card, and used it to buy a bag of chips in the store. The security integrator helped Jordan upload the footage onto a thumb drive to take to the police. “We got a warrant, and they arrested her for using that credit card,” Jordan tells Security Management. “We could not have proved it if it weren’t for the cameras.” </p><p>Even more recently, Jordan noticed about $5,000 was missing from the franchises’ bank deposits that a manager was supposed to be putting in the bank. “Our cameras provided the evidence that she did get the deposits out of the safe and walked out of the store with them,” Jordan says. The manager was arrested and charged with felony embezzlement.</p><p>“I never give someone a second chance to steal,” Jordan says. “To me if they steal a bag of chips or give a sandwich to a friend, then they’ll take home five sandwiches for themselves when they get the chance.” </p><p>The return on investment from a business perspective has also been huge, Jordan notes. “At one location, our food cost for months had been above 40 percent,” she notes. “After we got those cameras, within a week our food cost came down within the margin we needed.” </p><p>The cameras have also led to a greater sense of security among her workers. 
“I have had employees say they feel safer because of the cameras,” she notes. “Especially with some younger employees, 16 or 17 years old, it’s been a comfort to their parents having the cameras when their child is closing alone.”</p><p><em>For more information: Tom Cook, tom.cook@hanwha.com, www.hanwhasecurity.com, 201.325.2623</em></p>
https://sm.asisonline.org/Pages/November-2017-ASIS-News.aspx | November 2017 ASIS News | Strategic Security
<h4>Those We Cheer This Year</h4><p>ASIS presented many awards at the ASIS International 63rd Annual Seminar and Exhibits to celebrate members and partners with noteworthy accomplishments in 2017. These honored members and supporting organizations exemplify the determination and capability of all involved with the Society.</p><p>ASIS is pleased to recognize these outstanding accomplishments. The Don Walker Award for Enterprise Security Executive Leadership celebrates an individual who demonstrates a commitment to promoting security management education, certification, and standards. This year, it was presented to Raymond T. O’Hara, CPP. A former ASIS president, O’Hara currently serves as executive vice president at AS Solution. Throughout his career, he has supported lifelong learning, board certification, and the development of the next generation of security leaders.</p><p>The Presidential Award of Merit is presented to individuals who contribute to ASIS as exemplary volunteer leaders. The 2017 recipients of the award are Joseph N. Masciocco and Les Cole, CPP. Masciocco, president of Security Integrations, is a 33-year member of ASIS who is a senior regional vice president. He has been involved in ASIS volunteer leadership since 1995.</p><p>Cole, who passed away on September 15, 2017, was an ASIS member for 41 years, and served as a council vice president from 2011 to 2016. Don Knox, CPP, a fellow council vice president, accepted the award on behalf of Cole and his family.</p><p>The Certification Organization Award of Merit goes to entities that have made strides advancing the professionalism of the security field through board certification.
The award was presented to Guidepost Solutions and Tech Systems.</p><p>In addition, the Certification Regional Award recognizes individuals who help advance ASIS board certification. Winners this year are Randolph C.D. Brooks, CPP, Region 6C; Mushtaq Khan, CPP, PCI, PSP, Region 13A; J.D. Killeen, CPP, Region 6B; Allan L. McDougall, CPP, PSP, Region 6B; Garfield A. Owen, PSP, Region 7B; Percy J. Ryberg, CPP, Region 8C; Jasvir Singh Saini, CPP, Region 13A; Gwee Khiang Tan, CPP, Region 13B; Larry D. Woods, CPP, PSP, Region 4A; and Richard J. Wright, PSP, Region 3C.</p><p>The I.B. Hale Chapter of the Year Award recognizes chapters of ASIS who excel in membership growth, educational programming, publications, and the advancement of the security profession. The chapters recognized in 2017 were the Mexico City Chapter and the National Capital Chapter. </p><p>The Roy N. Bordes Council Member Award of Excellence, presented to Doug Powell, CPP, PSP, distinguishes an ASIS council member who helps engage the next generation of security professionals through sharing their knowledge and expertise with ASIS educational programs and publications.</p><p>The E.J. Criscuoli, Jr., CPP Volunteer Leadership Award was presented to Dr. Rolf Sigg. This award acknowledges the contributions made by one member to ASIS’s chapter and regional levels over an extended period of time.</p><p>The Matthew Simeone P3 Excellence Award is administered by the ASIS Law Enforcement Liaison Council and recognizes programs that promote cooperation between public and private sectors. The 2017 award was presented to the Columbus Police Department’s Capital Crossroads and Discovery SID Program.</p><p>The Transitions Ad Hoc Council, with the support of the ASIS Foundation, confers three Council Certification Scholarships to individuals serving in law enforcement who are seeking ASIS board certification. In 2017, the scholarships were awarded to Lieutenant Chapin T. 
Jones of the Louisville (Kentucky) Metro Police Department, Officer Henry K.S. Chong of U.S. Customs and Border Protection, and Lieutenant Brian T. Woods of the Los Angeles Police Department.</p><p>The ASIS Foundation also supports the Military Liaison Council Certification Scholarships. The 2017 recipients of these scholarships are Lieutenant Colonel Robert Kwegyir Sagoe, who serves at Headquarters Northern Command in Ghana; Master Sergeant Liviu Ivan and Lieutenant Colonel Eric Minor, who both serve in the U.S. Army at the Mission Command Center in Ft. Leavenworth, Kansas; and Lieutenant Colonel Richard Cobba-Eshun, who serves in the Department of International Peace Support Operations for the Ghana Armed Forces.</p><p>This year is the 40th anniversary of the ASIS International Board Certification Program, initiated in 1977 with the Certified Protection Professional® (CPP) designation. Four individuals have been active CPPs since the program’s inception. They were recognized at the Opening Luncheon on Monday, September 25. They are Dr. James D. Calder, CPP, professor at University of Texas; Don W. Walker, CPP, chairman of Securitas Security Services USA, Inc.; Dr. Kenneth G. Fauth, CPP, senior consultant at K. Fauth, Inc.; and James P. Carino, Jr., CPP, senior consultant at Executive Security Consultants.</p><p>ASIS salutes all these award winners for their valuable contributions to the security profession.</p><h4>A Digital Transformation</h4><p>Remaining relevant in today’s on-demand, content-driven world means that associations must be data-driven, customer-obsessed, hyper-connected, and agile. The need for innovation has never been greater.</p><p>With a clear directive to transform the organization through the strategic use of technology, ASIS strives to remain at the vanguard of the evolving security profession. 
It is currently engaged in a broad range of innovative projects, including a major redesign of the primary website and the underlying technologies that support both rapid content creation and the online and mobile member experiences that users expect in the consumer world.</p><p>In early 2018, ASIS will launch phase one of a multi-year transformation project focused on improved and personalized content access, user-centric search and commerce, online community, and integrated systems for learning and certification.</p><p>Building on a world-class enterprise system for commerce and content management, the new website will use a taxonomy structure to drive better content organization. Users will enjoy an intuitive and dynamic navigation structure to browse the site, and they will be presented with streamlined, personalized content.</p><p>One of the key strategies is to create a powerful search function that will unify content from a variety of ASIS sources (Web, learning, Security Management, and events, for example). By creating a search-centric site that allows users to filter results, ASIS will be able to meet its goal of helping members in their “moment of need” by providing resources of all types in a single interface.</p><p>There will be a major facelift for the website, incorporating a more graphical and modern interface with relevant imagery, infographics, and videos to present content in a variety of ways on both desktop and mobile devices. </p><p>The “mobile first” initiative also ensures that all online experiences—from search to joining the organization—are simple and engaging on any device, regardless of size. In addition to the website overhaul, ASIS will be upgrading its membership database, including new functionality for engagement, certification, profile management, and data analytics.</p><p>The system will be tightly integrated with the website to ensure a positive user experience across platforms. 
ASIS will be asking members to fully update their online profiles, both to help drive online personalization and to comply with the EU General Data Protection Regulation, which takes effect in 2018.</p><p>Finally, ASIS will launch an online community platform aimed at providing its customers, members, and prospects with one secure location to interact and build value within the security profession. By providing an online home where members can network, share ideas, answer questions, and stay connected, ASIS will empower them to engage in real time with their peers, chapters, ASIS staff, and industry experts. The online community tools will also allow the Society to provide more engagement for committees, councils, and chapters, and serve as a dynamic online membership directory.</p><h4>Life Member</h4><p>Michael A. Khairallah, a member of the New Orleans Chapter since 1981, has been granted Life Member status. He has served ASIS as a regional vice president, assistant regional vice president, and chapter chair.</p><h4>​MEMBER BOOK REVIEW</h4><p><em>Implementing Physical Protection Systems: A Project Management Guide</em>. By David G. Patterson, CPP, PSP. CreateSpace Publishing; available from ASIS; item #2335; 330 pages; $58 (members); $63 (nonmembers).</p><p>Author David G. Patterson, CPP, PSP, drew on decades of experience in physical security project management to write <em>Implementing Physical Protection Systems: A Project Management Guide. </em>The book is a comprehensive guide to the processes involved in setting up various elements of physical security plans.</p><p>As a follow-up to the author’s prior text, Implementing Physical Protection Systems, this book is geared towards the project management aspects of any physical security endeavor. It provides a clear review of the many topics under the umbrella of physical security. 
While covering many of the basic elements of physical security (lighting, fencing, alarming, and cameras), it also goes into the more technical aspects of cabling and necessary support networks.</p><p>If you are not a physical security specialist, but aspects of the technology side of security still fit within your area of responsibility, this book may be appealing. The text is simple to understand and the more complex parts of these projects are explained in terms that most security generalists will be familiar with.</p><p>A longtime member of the ASIS Physical Security Council, Patterson compiled information and concepts from experts in the technology aspects of security, delineating steps of the project in easy-to-read references. From risk assessments to deliverables and all action steps in between, his book serves as a valuable guide. Borrowing from the simple explanations he provides may help security practitioners explain the processes to nonsecurity leaders. For example, there is a section on documenting effectiveness, which can easily translate to return on investment, a term that every business leader should understand.</p><p>Clearly not intended to be the definitive text on all technical aspects of implementing security projects, the book will serve well as a resource to pull off the shelf at the onset of a new physical security project.</p><p>[Note: Author David Patterson passed away September 2, 2017.]</p><p><em><strong>Reviewer: Michael D’Angelo, CPP,</strong> is the principal and lead consultant for Secure Direction Consulting, LLC, a Florida-based independent security consulting firm. He served on the South Miami, Florida, Police Department for more than 20 years, retiring as a major. He is an ASIS member and currently serves on both the Healthcare Security Council and the ASIS Transitions Ad Hoc Council. ​</em></p>
https://sm.asisonline.org/Pages/The-Zero-Day-Problem.aspx | The Zero Day Problem | Cybersecurity
<p>In August 2017, FireEye released new threat research confirming with “moderate confidence” that the Russian hacking group APT28, also known as FancyBear, was using an exploit to install malware on hotel networks that then spread laterally to target travelers. </p><p>“Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,” FireEye said in a blog post. “No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.”</p><p>After APT28 accessed corporate and guest machines connected to the hotel Wi-Fi networks, it deployed malware that then sent the victims’ usernames and hashed passwords to APT28-controlled machines.</p><p>“APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” FireEye explained. </p><p>This new method is worrisome for security experts because the exploit APT28 was using to infiltrate hotel networks in the first place was EternalBlue, the same exploit used to spread ransomware such as WannaCry and NotPetya. It was also allegedly stolen from the U.S. National Security Agency (NSA).</p><p>A group of hackers, dubbed the Shadow Brokers, posted the EternalBlue exploit online in April 2017 after claiming to have stolen it from the NSA. The leak was just one of many the group has made over the past year detailing NSA tools that exploited vulnerabilities in products from Cisco Systems, Microsoft, and others.
</p><p>The leaks prompted renewed debate on whether the NSA should change its vulnerabilities equities process (VEP) to disclose cyber vulnerabilities to the private sector more frequently to prevent future cyberattacks.</p><p>Some of the harshest criticism came from Microsoft itself. In a blog post, President and Chief Legal Officer Brad Smith wrote that the WannaCry attack provided an example of why “stockpiling of vulnerabilities by governments” is a problem.</p><p>“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith explained. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world—nation-state action and organized criminal action.”</p><p>The VEP began to take form under the George W. Bush administration when then President Bush issued a directive instructing the director of national intelligence, the attorney general, and the secretaries of state, defense, and homeland security to create a “joint plan for the coordination and application of offensive capabilities to defend U.S. information systems.”</p><p>Based on this directive, the respective agencies recommended that the government create a VEP to coordinate the government’s “offensive and defensive mission interests,” according to a memo by the Congressional Research Service (CRS) in February 2017. </p><p>The Obama administration then created the current VEP, which became publicly known in 2014 in response to the Heartbleed vulnerability—a bug in the OpenSSL cryptographic software that allowed protected information to be compromised. </p><p>The VEP, as it is known to exist today, provides the process for how the U.S. 
government chooses whether to disclose vulnerabilities to the vendor community or retain those vulnerabilities for its own use.</p><p>“Vulnerabilities for this purpose may include software vulnerabilities (such as a flaw in the software which allows unauthorized code to run on a machine) or hardware vulnerabilities (such as a flaw in the design of a circuit board which allows an unauthorized party to determine the process running on the machine),” according to the CRS memo sent to U.S. Representative Ted Lieu (D-CA).</p><p>To be eligible for the VEP, however, a vulnerability must be new or not known to others. Vulnerabilities are referenced against the Common Vulnerabilities and Exposures Database to determine if they are new or unknown.</p><p>There are no clear rules for deciding when to disclose a vulnerability, but the U.S. government considers several factors, according to a blog post by former White House Cybersecurity Coordinator Michael Daniel that was written in response to allegations that the NSA knew about the Heartbleed vulnerability prior to its disclosure online.</p><p>For instance, the government considers the extent of the vulnerable system’s use in the Internet’s infrastructure, the risks and harm that could be done if the vulnerability is not patched, whether the administration would know if another organization is exploiting the vulnerability, and whether the vulnerability is needed for the collection of intelligence.</p><p>The government also considers how likely it is that the vulnerability will be discovered by others, if the government can use the vulnerability before disclosing it, and if the vulnerability is, in fact, patchable, according to Daniel.</p><p>In the post, Daniel wrote that the government should not “completely forgo” its practice of collecting zero-day vulnerabilities because it provides a way to “better protect our country in the long run.”</p><p>And while the process allows the government to retain vulnerabilities for its own
use, it has tended to disclose them instead. NSA Director Admiral Michael Rogers, for instance, testified to the U.S. Senate Armed Services Committee in September 2016 that the NSA has a VEP disclosure rate of 93 percent, according to the memo which found a discrepancy in the rate.</p><p>“The NSA offers that 91 percent of the vulnerabilities it discovers are reported to vendors for vulnerabilities in products made or used in the United States,” the memo said. “The remaining 9 percent are not disclosed because either the vendor patches it before the review process can be completed or the government chose to retain the vulnerability to exploit for national security purposes.”</p><p>Jonathan Couch, senior vice president of strategy at ThreatQuotient, says that the U.S. government should not be expected to disclose all of the vulnerabilities it leverages in its offensive cyber espionage operations.</p><p>“Our government, just like other governments out there, is reaching out and touching people when needed; they leverage tools and capabilities to do that,” says Couch, who prior to working in the private sector served in the U.S. Air Force at the NSA. “You don’t want to invest a ton of money into developing capabilities, just to end up publishing a patch and patching against it.”</p><p>However, Couch adds that more could be done by agencies—such as the U.S. Department of Homeland Security (DHS)—that work with the private sector to push out critical patches on vulnerabilities when needed.</p><p>“Right now, I think they are too noisy; DHS will pass along anything that it finds—it doesn’t help you prioritize at all,” Couch says. 
“If DHS could get a pattern of ‘Here’s what we need to patch against, based on what we know and are allowed to share,’ then push that out and allow organizations to act on that.”</p><p>Other critics have also recommended that the government be more transparent about the VEP by creating clear guidelines for disclosing vulnerabilities and that it “default toward disclosure with retention being the rare exception,” the CRS explained.</p><p>One of those recommendations was published by the Harvard Kennedy School’s Belfer Center for Science and International Affairs in Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process. </p><p>The paper, written by Ari Schwartz, managing director of cybersecurity services for Venable LLP and former member of the White House National Security Council, and Rob Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations and former director for cybersecurity policy at the National Security Council, recommended the VEP be strengthened through formalization. </p><p>“By affirming existing policy in higher-level, unclassified governing principles, the government would add clarity to the process and help set a model for the world,” the authors explained. “If all the countries with capabilities to collect vulnerabilities had a policy of leaning toward disclosure, it would be valuable to the protection of critical infrastructure and consumers alike, as well as U.S. corporate interests.”</p><p>However, the authors cautioned that affirming this process does not mean that the government should publicize its disclosure decisions or deliberations.</p><p>“In many cases, it likely would not serve the interests of national security to make such information public,” according to Schwartz and Knake. “However, the principles guiding these decisions, as well as a high-level map of the process that will be used to make such decisions, can and should be public.”</p><p>U.S. 
lawmakers also agree that the VEP should be overhauled to boost transparency. In May, U.S. Senators Brian Schatz (D-HI), Ron Johnson (R-WI), and Cory Gardner (R-CO), and U.S. Representatives Ted Lieu (D-CA) and Blake Farenthold (R-TX) introduced legislation that would require a Vulnerabilities Equities Review Board comprising permanent members. These members would include the secretary of homeland security, the FBI director, the director of national intelligence, the CIA director, the NSA director, and the secretary of commerce. </p><p>Schatz said that the bill, called the Protecting Our Ability to Counter Hacking (PATCH) Act, strikes the correct balance between national security and cybersecurity.</p><p>“Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security,” he explained in a statement.</p><p>Additionally, the secretaries of state, treasury, and energy would be considered ad hoc members of the board. Any member of the National Security Council could also be requested by the board to participate, if they are approved by the president, according to the legislation.</p><p>The bill has not moved forward in Congress since its introduction, which suggests that many do not see a need for an overhaul of the current disclosure system. </p><p>“It’s just not realistic for NSA, CIA, or the military or other international governments to start disclosing these tools they’ve developed for cyber espionage,” Couch says.</p>
https://sm.asisonline.org/Pages/Fake-News-Real-Threats.aspx
Fake News. Real Threats
Strategic Security
<p>In November 2016, a man armed himself with an assault rifle and drove six hours from North Carolina to Washington, D.C. His goal was to storm Comet Ping Pong, a D.C. pizza restaurant, and rescue children being held captive and abused by Hillary Clinton. Once inside, the man fired on the restaurant, but no one was hurt. </p><p>The Comet Ping Pong story was one of many deliberately false news stories circulating in 2016. After the story was exposed as a hoax, “a post on Twitter by Representative Steven Smith of the 15th District of Georgia—not a real lawmaker and not a real district—warned that what was fake was the information being peddled by the mainstream media. It was retweeted dozens of times,” according to The New York Times.</p><p>The concept of fake news entered the popular vocabulary during the U.S. presidential election in 2016. While intentionally spreading false news reports for financial, political, or psychological reasons is not a new phenomenon, the practice has expanded significantly in the last year. During the particularly divisive U.S. election, numerous hyper-partisan blogs and websites posted a wide range of rumors, conspiracy theories, and fabrications, which have collectively been labeled fake news. Far from its original meaning—articles that are blatantly untrue—the term fake news has been embraced by all sides of the political divide to denigrate reporting that they feel is biased or incomplete.</p><p>While primarily political in nature, fake news has been used against various organizations and poses a real and increasing threat to private sector organizations of all sizes. 
It is important for security professionals to explore the relationship between fake news and corporate security, and determine how they can begin to address the threats posed by the release of false news and information.</p><h4>Transmission<br></h4><p>There has been an explosion in the creation and distribution of fake news through various online channels, including blogs, websites, discussion forums, and especially social media platforms. According to a 2017 survey, A Real Plague: Fake News, conducted by Weber Shandwick, Powell Tate, and KRC Research, approximately 7 in 10 American adults reported having read a fake news story in 2016. Research conducted by Hunt Allcott and Matthew Gentzkow and published in the spring 2017 edition of The Journal of Economic Perspectives also found that a database of 38 million shares of fake news stories on social media translated to about 760 million instances of clicking on, and reading, fake news stories. </p><p>The subject matter of these stories has run the gamut from political conspiracies to alleged criminal conduct by high-profile individuals to allegations of corporate political bias. A unique aspect of the current situation is that these stories are shared more widely, and more quickly, than ever before due to the ubiquity of social media. According to Allcott and Gentzkow, the list of fake news websites compiled by Stanford University received 159 million visits during the month of the election, while some 41.8 percent of individuals reported that they were exposed to fake news via social media.</p><p>Another important aspect of the current situation is that many of these fake news stories have gained a level of credibility among segments of the population that is surprising considering the sometimes bizarre nature of the claims made. In a study by Ipsos Public Affairs for BuzzFeed, 75 percent of respondents who reported remembering a fake news headline believed it to be accurate. 
In the study by KRC Research, 74 percent of individuals surveyed reported that it is difficult to determine what news is real and what is not.</p><p>The increased acceptance of baseless rumors and extreme conspiracy theories is due in no small part to a widespread decline in trust in media, government, academia, and most other forms of traditional authority. The falling levels of trust in media have been well documented by Gallup, Pew Research, and the Edelman Trust Barometer. This collapse of trust has led to the increased importance of the “people like me” category as a trusted source of news and information, according to Edelman’s 2017 global report. Because of these developments, sources such as Reddit, personal blogs, Facebook accounts, and quasi-official websites have gained credibility, while trust in traditional news media and government sources has declined. The fact that these fake news stories are rebroadcast many times, through cross-links and reposts on social media, further adds to the illusion of credibility. </p><p>If fake news were limited to stories about Area 51 or the JFK assassination, it would represent an interesting sociological case, but with limited relevance to corporate security. However, both the subject matter and the intensity of emotion elicited make fake news a real threat to corporations in terms of potential financial losses, reputational damage, and the physical security of facilities and personnel. This enhanced threat environment will require adaptation by corporate security professionals and the incorporation of new defensive and offensive capabilities to existing corporate security plans.</p><p>The increasingly widespread use of false or misleading information to cause confusion or harm to an individual or organization is not likely to disappear in the near term. The efficiency of this technique has been clearly demonstrated and the tools facilitating it are becoming ever more powerful, accessible, and easy to use. 
It is also difficult to imagine a significant increase in trust in traditional authority figures in the near future. </p><p>For corporations, some of the most serious fake news risks relate to stock manipulation, reputational damage, and the related loss of business—through boycotts for example—and direct threats to staff and property.</p><h4>Stock Manipulation</h4><p>At the macro level, fake news has been used to move entire stock exchanges. This was the case in April 2013 when a tweet that appeared to come from the Associated Press (AP) Twitter account reported that there had been an explosion at the White House and that U.S. President Barack Obama was injured. The Dow Jones Index lost 145 points in two minutes, while the S&P lost $136.5 billion. The news was quickly disproved and the market corrected within minutes, but the potential for large-scale disruption was demonstrated. In this instance, the fake news attack was claimed by the Syrian Electronic Army, according to The Washington Post.</p><p>In October 2009, the Stock Exchange of Thailand (SET) fell 7.2 percent because of an online rumor related to the health of the Thai king. The market made up about half of the loss within the next trading day, and the Thai police made several arrests related to the case later that month, as reported by Reuters.</p><p>Fake news has been used to manipulate the shares of individual companies as well. In May 2015, a fake offer to purchase Avon Products led to a surge in trading and a significant increase in the share price, according to The New York Times. Then in November 2016, a fake offer to acquire Fitbit shares led to a spike in activity, and a temporary halt to the trade in Fitbit stocks as reported by The Financial Times. In 2013, a fake press release was posted claiming the Swedish company Fingerprint Cards AB would be acquired by Samsung. Company shares surged until trading was halted. 
</p><p>In the United States, the Securities and Exchange Commission (SEC) has taken an increasingly aggressive stance in combating this threat to market integrity. It has filed enforcement actions against 27 companies and individuals involved in “alleged stock promotion schemes that left investors with the impression they were reading independent, unbiased analyses on investing websites while writers were being secretly compensated for touting company stocks,” according to an SEC statement.</p><h4>Reputation</h4><p>False stories, rumors, or statements taken out of context have led both to reputational harm and to threats to corporate personnel and property. In this type of threat, a corporate statement or action that would be innocuous under normal circumstances has taken on an increased risk due to hyper-sensitive stakeholders.</p><p>A case in point was New Balance, when Matthew LeBretton, vice president for public affairs, said, “The Obama administration turned a deaf ear to us and frankly, with President-elect Trump, we feel things are going to move in the right direction,” during an interview with The Wall Street Journal. The statement related specifically to President Trump’s plan to withdraw from the Trans-Pacific Partnership (TPP), but was widely misinterpreted. This caused a twofold issue for New Balance. First, anti-Trump individuals saw the statement as an endorsement of the candidate and everything he was purported to believe. This in turn led to calls for a boycott, and many social media posts depicting the destruction of New Balance products, as reported by CNBC. 
A few days later the same statement led Andrew Anglin, a blogger associated with the white supremacist movement, to write on his popular Daily Stormer blog that New Balance shoes were the “Official Shoes of White People.” New Balance was blindsided by the intensity of reactions to a single statement related to a proposed international trade agreement and was forced into reactive positions throughout the crisis.</p><p>Another executive statement that was taken out of context and twisted to fit a partisan narrative was made by Indra Nooyi, CEO of PepsiCo, in her interview with Andrew Sorkin of The New York Times on November 9, 2016. Her statement included congratulations to President-elect Trump on his victory, while also indicating that some of her employees expressed concerns about their safety as a result of the election. Numerous fake media outlets exaggerated the statement by claiming that she and her employees were “terrified” of Donald Trump and his supporters. This led to a firestorm of social media protests against Pepsi, including calls for a boycott and threats against the company.</p><h4>Direct Threats</h4><p>As noted above, one of the most serious cases of threats to an organization based on fake news involved the reports of child abuse allegedly masterminded by Hillary Clinton and carried out at a D.C. pizza parlor. While the story was repeatedly debunked, it nevertheless continued to circulate and was supported by Michael Flynn, Jr., son of then National Security Director General Michael Flynn, according to The Washington Post. The shooter was arrested immediately after leaving the pizzeria, where he found no evidence of any abuse. He later pled guilty to the interstate transportation of ammunition and a firearm, a federal charge, in addition to a D.C. 
charge of assault with a dangerous weapon, according to The Hill.</p><p>This case indicates that even the most ridiculous story, if repeated often enough, will find an audience that believes it, and possibly someone who is willing to take action based on its claims. It is possible that a less extreme story focusing on a corporate executive or brand would lead to similar examples of direct action.​</p><h4>Countermeasures</h4><p>Countering fake news is difficult when the target audience finds it easy to discount facts and the usual sources of information are distrusted. However, there are a number of actions that corporate security teams can take to mitigate the risks posed by this new threat.</p><p><strong>Risk assessment. </strong>As with any threat to corporate security, the place to start is with a detailed risk assessment. The corporate security team needs to look at both internal and external factors to determine both the level of risk, as well as the most likely points of attack. Internal factors include employee demographics, employee morale, and computer use policies. The external factors include the competitive environment, the current perception of the organization and its management, the level of openness and transparency, and the nature of current conversations about the organization. With this information, corporate security will be in a much stronger position to establish policies and procedures to mitigate the risks from fake news attacks.</p><p>A white paper by Accenture focusing on social media compliance and risk in the international financial industry highlights the importance of identifying areas where an institution has vulnerabilities and incorporating the findings into its risk mitigation plans. 
A survey of executives cited in the white paper, A Comprehensive Approach to Managing Social Media Risk and Compliance, found that 59 percent of respondents reported having no social media risk assessments in place, while only 36 percent reported being offered any training on social media risk mitigation.</p><p><strong>Monitoring. </strong>To have any hope of effectively countering fake news, the corporate security team needs to have as close to real-time visibility of its appearance as possible. This points to the requirement for a comprehensive monitoring program that builds on any existing media or social media monitoring capability the organization already possesses.</p><p>It is important that this monitoring program specifically focus on channels that are outside the organization’s norm. These channels may be antithetical to the values of the organization, targeted to a demographic that is generally not associated with the company, or linked to apparently phony information sources. It is also important to look specifically for negative references to the organization.</p><p>After experiencing a number of negative stories driven by news and social media, Dell Computer adopted an “everyone is listening” approach to social media monitoring. A Framework for Social Analytics by Susan Etlinger of the Altimeter Group discusses Dell’s hybrid model for media monitoring, which gives a large number of its 100,000 plus workforce some responsibility for monitoring social media channels related to their lines of business. The company also has a Social Media Listening Command Center, which employs sophisticated social media monitoring software to complement its traditional media monitoring program.  </p><p>A company’s monitoring system should also include an analysis component that helps vet the material, determining how it should be classified and its importance from a risk management perspective. 
This component would then ensure that any important material is routed to the key decision makers for immediate action.</p><p>Finance, investment, and hedge fund companies have been taking a lead in the area of monitoring and identifying fake news stories. The growth of organizations that can deploy multiple content generators focusing on specific companies poses a significant risk to stock market investors. According to reporting in Forbes, companies are also seeking to develop algorithms that can sort through large quantities of content and identify malicious fake news campaigns. One such company that has been widely cited in this regard is Houston-based Indexer LLC.​</p><h4>Response Plans</h4><p>Based on the results of the risk audit, the most likely fake news scenarios should be identified and used to create detailed response protocols that can be activated in the event of an actual fake news situation. At a minimum, these plans should include contact information for all crisis team members, checklists for key actions, prepared statement templates to be used with internal and external stakeholders, and escalation metrics in the event that the fake news situation is not immediately contained.</p><p>The importance of incorporating the social media environment into a robust crisis response system is shown in the Nuclear Energy Institute’s Implementing and Operating a Joint Information System planning document. The plan covers the importance of preassignment of roles and responsibilities, training and readiness exercises, and media monitoring and engagement. The last item includes specific information on the importance of ensuring that information on social media regarding nuclear facilities and incidents is accurate, and that rumors and falsehoods are flagged and corrected.​</p><h4>Training</h4><p>The weaponization of news represents an evolving threat for many organizations and is not often included in corporate crisis management plans or training programs. 
As examples of fake news incidents increase, corporate security professionals should build this new threat into security training that is offered in conjunction with the corporate communications and human resources functions. Members of the senior leadership team should also be involved in any fake news response training.</p><p>Countering fake news requires fast decision making and decisive action on the part of the organization. To be able to execute effectively, the relevant personnel should be exposed to these scenarios in a simulated environment.</p><p>The communications function at DePaul University in Chicago recognized the importance of building a mix of true and false information on social media into its crisis response training program. The result was a multi-party simulation exercise involving real-time interactions with traditional media, Twitter, and Facebook, as well as direct stakeholder communications. One of the key challenges in this type of training is sorting through incoming information quickly while still ensuring that key facts are not overlooked.</p><h4>Cross-Functional Teams</h4><p>By its nature, the threat posed by fake news needs to be met by a comprehensive organizational response. This implies a cross-functional approach to fake news management. While corporate security may take point, the expertise and resources available to the corporate communications, human resources, and legal teams will prove critical.</p><p>An executive from an international bank reported to Accenture that it was important for all key functions to participate in risk management planning, especially when it concerns social media. 
“However, it is always important to have a representative from risk sitting at the table—someone from compliance, someone from legal, and so forth, to provide guidance to the business and make sure what the company is doing is sound,” notes the Accenture white paper.</p><p>Because fake news is still a type of news, the communication and media relations skills of the corporate communication function will be needed to analyze the content and develop and distribute counter messages to all fake news reports. This function may also be the appropriate host for the monitoring program because it is a logical extension to standard corporate media monitoring activities. </p><p>Employees are a critical audience for fake news and an important distribution channel for counter messaging. This being the case, the human resources department needs to be involved in the creation and execution of corporate security strategy with regard to fake news. </p><p>To ensure that the organization’s rights are fully protected, and that it does not itself cross the line in terms of libel, the corporate legal team should be involved in the fake news strategy, and have a role in vetting counter messages.</p><h4>Communications</h4><p>Because of the potentially serious morale and operational ramifications fake news can have on an organization, it is vital that employees are provided with clear and accurate facts and counter messages as quickly as possible.</p><p>Beyond reacting to a fake news incident, the organization should seek to inoculate its staff against its effects by undertaking a comprehensive internal communications and employee engagement program. This can be incorporated into the concept of encouraging employees to be brand ambassadors.</p><p>Organizations that are most vulnerable to fake news are those about which little is known. 
Without a base of preexisting knowledge, stakeholders who are exposed to fake news cannot immediately discount it, which is where the seeds of doubt take root. It is thus important that the organization be as transparent as possible, which includes regular proactive external communications. Corporate actions and policies should be communicated, explained, and contextualized to establish the reality of the situation before a fake news story can present a false narrative.  </p><p>It is especially important to get in front of any bad news stories and ensure that the organization is seen as working to resolve the issue, rather than hiding it. The idea of a first mover advantage with releasing properly contextualized negative information is a central tenet of contemporary public relations practice, and it can help thwart attempts to create a scandal by fake news outlets. ​</p><h4>Trust</h4><p>While a full discussion of trust-based relationships is beyond the scope of this article, it should be noted that the establishment of trust with key stakeholders is one of the best defenses against fake news attacks. Creating trust goes beyond simply telling the truth. It involves a range of factors including organizational reliability, competence, and benevolence, along with honesty and transparency. Because trust building involves all aspects of organizational behavior, it must be seen as a strategic initiative and be driven by senior management. Trust’s relationship to fake news defense is likely to be a collateral benefit rather than a primary driver of the initiative.  </p><p>The use of intentionally false or misleading information distributed through online and social media channels to disrupt or harm organizations is likely to increase dramatically in the years ahead. 
These actions are increasingly easy and cheap to execute, and take advantage of current weaknesses in organizational capabilities and the fact that societal trust in most traditional authority figures is at a historically low level. It is thus imperative that responsible corporate security professionals develop the internal capabilities and protocols to deal with this new threat environment before they are faced with a fake news attack. The good news is that most of the necessary resources already exist to some degree within the organizational structure and only need to be oriented around the fake news threat. This will include proactive measures such as audits, monitoring, training, and proactive communications, as well as moving quickly to react to the emergence of damaging fake news to contain it and neutralize its ability to damage the organization.  </p><p>In today’s hyperconnected global information environment no organization is safe from a fake news attack. We have had ample warnings that the threat is real and is likely to get worse.  There is no time to waste in hardening the organization against this new type of assault.  </p><p><em>Jeremy E. Plotnick, Ph.D., is founder of CriCom LLC. He has worked in international communications consulting, public affairs, and public relations for more than 20 years. ​ ​ ​</em><br></p>
https://sm.asisonline.org/Pages/November-2017-Industry-News.aspx
November 2017 Industry News
Security by Industry
<h4>VIKINGS STADIUM OPENS DOORS</h4><p>The new U.S. Bank Stadium—home of the Minnesota Vikings—hosted more than 66,000 fans at the first Monday night game of the 2017 season. Completed last year, the 1.5 million-square-foot stadium campus is flexible enough to serve as a true multipurpose stadium that can host football, soccer, baseball, basketball, motorsports, major concerts, and other events.</p><p>ASSA ABLOY was tapped to provide more than 1,500 doors and openings for the state-of-the-art stadium. A truncated construction timeframe provided the impetus for using preassembled openings. The ready-to-install openings improved onsite management of multiple components and saved time through a streamlined installation process.</p><p>The openings included products from ASSA ABLOY Architectural Door Accessories, including McKinney hinges, Pemko accessories, and Rockwood door trim, as well as Curries hollow metal doors and frames; Sargent locks, exit devices, and door closers; Medeco high-security cylinders and keys; and Securitron access control components.</p><h4>PARTNERSHIPS AND DEALS</h4><p>Dahua Technology is partnering with Anixter International to market Dahua products throughout the United States and Canada.</p><p>Anomali and NSS Labs, Inc., announced a strategic partnership that provides enterprise customers with a unified view of unmitigated threats and empirical data regarding the effectiveness of security controls.</p><p>Bold Technologies completed the integration of ManitouNEO with innoVi from Agent Video Intelligence to provide monitoring centers with a video intrusion system. 
</p><p>Boon Edam product data and customized specifications for the Americas are available through the ARCOM software platform to architects, engineers, and design professionals.</p><p>Brady announced that its Brand Protection business partnered with Kezzler and Honeywell to bring product authentication labeling and tracking to Genetron 134, a refrigerant. </p><p>ByteGrid Holdings LLC announced an agreement with Empowerment through Technology and Education to provide greater compliance and control of hosted business-critical data.</p><p>Baltimore Cyber Range LLC and Cyberbit Ltd. announced the opening of the new Baltimore Cyber Range cybersecurity training and simulation center in Baltimore, Maryland.</p><p>Camden Door Controls retained manufacturer’s representative JClemente & Associates to service its southern California territory.</p><p>Cellebrite is joining the National Center for Missing & Exploited Children and Project VIC in the global fight against child exploitation. </p><p>Claroty and Schneider Electric are partnering to address safety and cybersecurity challenges for the industrial infrastructure sector.</p><p>Conformance Technologies announced that Pivotal Payments selected its solutions to enhance business effectiveness and protection of its North American merchant portfolio. </p><p>The addition of deverus, Inc., background checking software to the iCIMS partner ecosystem will provide cost savings and improved speed to customers.</p><p>EventTracker announced that its SIEM platform was implemented at OneBlood, Inc.</p><p>Exabeam and ThreatConnect, Inc., announced a product integration designed to improve overall cybersecurity and incident response.</p><p>EyeLock LLC entered into a partnership with CSD (Central Security Distribution) to deliver EyeLock’s product suite in Australia. EyeLock is also developing iris authentication solutions to work with Qualcomm Mobile Security. 
</p><p>Farpointe Data helped Secure Our City, Inc., improve security access for a parking garage.</p><p>Galaxy Control Systems completed an integration with IP-enabled solutions from ASSA ABLOY. </p><p>Genetec and Alutel Mobility partnered to offer extended access control capabilities to open areas without having to rely on physical readers or installations.</p><p>Hikvision Canada Inc., provided cameras for the JPPS Children’s Centre in Montreal that were installed by integrator Alarme Sentinelle. Petite Echelle Centre in Montreal worked with integrator Intelgest to upgrade its security system with Hikvision.</p><p>Honeywell and eDist Security expanded their relationship around the Genesis Series Cable product line. </p><p>Huttig Building Products selected TierPoint to provide colocation and data center migration services.</p><p>Imagination Technologies and Sierraware are collaborating to make Sierraware’s SierraTEE available for devices based on Imagination’s MIPS CPUs.</p><p>ISONAS Inc. 
announced that Transportation Impact selected the ISONAS Pure IP access control solution to secure its corporate headquarters.</p><p>Johnson Controls announced that its American Dynamics victor Video Management Software integrates with the Guardian Indoor Active Shooter Detection System from Shooter Detection Systems.</p><p>Karamba Security joined the Automotive Grade Linux (AGL) Project and The Linux Foundation to help develop its cybersecurity best practices.</p><p>The Legrand On-Q Digital Audio System has been integrated with Alarm.com.</p><p>Netwrix Corporation announced that its Netwrix Auditor empowers Guadalupe Valley Electric Cooperative to minimize insider threats and improve database security.</p><p>OnSSI and Seagate teamed up to provide a robust recording solution designed for more efficient system expansion and scalability.</p><p>Ever and Pinn formed a technology partnership to integrate Ever’s facial recognition into Pinn’s secure attribution platform.</p><p>Enterprise Performance Consulting joined the PSA Business Solutions Program to offer business consulting and operations team training programs to PSA integrators. 
</p><p>Point Blank Enterprises and Special Ops Bunker made an exclusive global marketing agreement to offer Special Ops Bunker products through the Point Blank global network.</p><p>Golden Lion Marbella, a casino in Panama, selected Qognify VisionHub to upgrade its security, safety, and operations.</p><p>RapidSOS is partnering with WiseWear, Fusar, Kairos, Lumenus, and ROAR for Good to provide a rich data link to 911 from wearable products, so users can connect to 911 by pushing a panic button or by detection from a wearable device during a crash or medical emergency.</p><p>Sky and Cisco have a multi-year digital security agreement to support the expansion of Sky video services across any screen.</p><p>Suprema announced that its BioSign mobile fingerprint authentication algorithm was selected by Samsung for two smartphone models.</p><p>Traka UK joined forces with Edesix, to ensure that equipment used across the U.K. Prison Service is safely stored and managed.</p><p>TruTag Technologies’ signature authentication solution will be used by Hongyang Biotechnology Co. to protect the livestock supply chain from counterfeiting and diversion.</p><p>Visual Management Systems Ltd. was invited to join the Airports Centre of Excellence, which aims to improve the passenger experience.</p><p>Vodafone Group joined the prpl Foundation to focus on enabling the security and interoperability of embedded devices.</p><p>VTT Technical Research Centre of Finland Ltd. and ITS Russia signed a partnership agreement concerning the development of intelligent transport systems for border crossings. 
</p><p>Watermark Risk Management International, LLC, and TEAM Software, Inc., created a strategic partnership where Watermark will be a preferred provider of consulting services on TEAM software solutions.</p><p>WestJet Airlines realized improved efficiency and streamlined communication by partnering with Send Word Now.​</p><h4>GOVERNMENT CONTRACTS</h4><p>AirMap and the Kansas Department of Transportation will deploy Unmanned Traffic Management technology across Kansas to support the growth of the state’s drone economy and ensure safer skies.</p><p>ATS Armor LLC received an order from Miami-Dade Police Department for 1,500 active shooter kits, enough for every patrol car.</p><p>Canon U.S.A., Inc., received two BLI PaceSetter Awards in the Document Imaging Security and Mobile Print categories from Keypoint Intelligence.</p><p>Cardiac Science announced that Boston Public Schools will purchase Powerheart G5 automated external defibrillators.</p><p>The State of Louisiana is working with CA Technologies to enable citizens to securely access information across government services through the Louisiana Enterprise Architecture Project.</p><p>An Elbit Systems of America Integrated Fixed Tower border security system passed U.S. Customs and Border Protection systems acceptance testing.</p><p>The city of Troy, Alabama, selected Extreme Networks software-driven networking technology to provide reliable, fast, and secure connectivity across 70 locations.</p><p>FirstNet and AT&T will deliver a specialized wireless broadband network to Arizona’s public safety community.</p><p>Sherburne County Sheriff’s Office in Minnesota will use GUARDIAN RFID technology to mitigate risk and improve operational efficiency in the Sherburne County Jail. </p><p>IPVideo Corporation was selected by the San Jose Police Department to help improve and upgrade its interview recording platform. 
</p><p>Janus Global Operations will clear areas of Mosul, Iraq, of ISIS-placed booby traps and other explosives under an agreement with the U.S. Department of State’s Office of Weapons Removal and Abatement.</p><p>Milestone Systems completed a security surveillance solution for Goyang City in South Korea.</p><p>NEC Corporation provided a facial recognition system for South Wales Police in the United Kingdom through NEC Europe Ltd.</p><p>Scott Safety was selected to provide technology and equipment to the California Department of Forestry and Fire Protection.</p><p>Southern Linc entered into a partnership with the City of Huntsville and Madison County Alabama’s 911 dispatch center to add LTE wireless data transmission equipment to connect first responders to the new network. </p><p>Agencies, including the U.S. General Services Administration, the U.S. Joint Chiefs of Staff, and the U.S. Army, have used eSignLive from VASCO Data Security for secure and compliant electronic signing of documents using Personal Identity Verification cards or Common Access Cards.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>Atomic Data attained SOC 3 certification for the seventh year in a row from the American Institute of Certified Public Accountants.</p><p>Conduent Incorporated was awarded a U.S. patent for technology that automatically recognizes facial expressions using images from low-resolution cameras.</p><p>Consolidated Communications Holdings, Inc., achieved MEF CE 2.0 certification for carrier grade, interoperable Ethernet services. </p><p>Day & Zimmermann earned a ranking of 188 on the Forbes America’s Largest Private Companies list. It is also on the Defense News Top 100 List.</p><p>Everest Technologies received ISO 27001:2013 accreditation for its information security management system.</p><p>Fornetix, LLC, gained a U.S. 
patent that covers breakthrough solutions for the management of encryption keys and other security objects.</p><p>Hesco was placed in the Commander’s Choice category and recognized as a Superior Supplier to the U.S. Defense Logistics Agency.</p><p>Frost & Sullivan recognized IriTech, Inc., with the 2017 North American Frost & Sullivan Award for New Product Innovation.</p><p>StoneLock is the winner of the annual Government Security News Airport, Seaport, Border Security Awards Program for Best Facial Recognition Technology.</p><p>TEAM Software, Inc., is the winner of the Web.com 2017 Small Business of the Tournament Award for Nebraska.</p><p>Vinson Guard Service, Inc., gained national certification as a Women’s Business Enterprise by WBEC South, a regional certifying partner of the Women’s Business Enterprise National Council. </p><p>Zentera Systems, Inc., was awarded Best of Show for Best Security or Privacy Solution at IoT Evolution Expo.​</p><h4>ANNOUNCEMENTS</h4><p>AngelTrax relocated all operations into a renovated facility that serves as its new headquarters and manufacturing, inventory, and distribution centers.</p><p>ASSA ABLOY acquired SMI (Shree Mahavir Metalcraft), a leading OEM manufacturer of architectural hardware in India.</p><p>The Association of Public-Safety Communications Officials (APCO) International and IBM announced that APCO International’s new guide card software will use IBM Watson Speech-to-Text and Watson Analytics.</p><p>CEDIA and The Electronic Security Association announced a strategic reciprocal training relationship that will expand the educational opportunities for members of both associations.</p><p>Columbus State University received a grant from the U.S. National Security Agency to develop a new tool for rapid cybersecurity training and curriculum development. </p><p>EventTracker introduced the EventTracker Partner Program. 
</p><p>EY opened its advanced cybersecurity center in Dallas, Texas, to help clients stay ahead of emerging threats.</p><p>Lantronix, Inc., joined the Kepware IoT Alliance Program.</p><p>Marks USA, a division of NAPCO, launched a new website at marksusa.com.</p><p>NXP Semiconductors N.V. is expanding its operations in the United States, enabling its U.S. facilities to manufacture security chips for government applications.</p><p>ONVIF announced the final release of Profile A for broader access control configuration and the Release Candidate for Profile T, a draft specification with advanced streaming capabilities that adds in support for H.265 video compression.</p><p>Proficio expanded into Hong Kong to broaden its presence in the Asia-Pacific region.</p><p>PSA is working with Matterhorn Consulting to enable PSA members to hire military veterans.</p><p>Stanley Black & Decker opened a new Breakthrough Innovation center in Boston dedicated to advancing technological innovation in its security business.</p><p>The Protection Bureau awarded scholarships to 10 children of company employees.</p><p>ThetaRay opened its first U.K. office in London.</p><p>Top Notch Distributors updated its website at topnotchinc.com.</p><p>Toshiba Surveillance & IP Video Products Group launched its Safe Scholar program to help schools reduce the total cost of video surveillance system ownership. </p><p>WatchGuard Technologies acquired Datablink, a provider of advanced authentication solutions. </p><p>Webroot acquired the assets of Securecast, a security awareness training platform, and launched Webroot Security Awareness Training as a beta program.</p><p> ​</p>
https://sm.asisonline.org/Pages/The-Unseen-Threat.aspx The Unseen Threat | Physical Security<p>Traditionally, factory security assessments have been directed towards the inside of the factory or plant and not to the more exposed perimeter, including the perimeter wall of the factory structure and the fence line. Similarly, assessors often look at the factory’s cyber network and examine the configuration of servers, switches, and human-machine interfaces, but may pay less attention to the outside of the facility walls and physical grounds because they tend to fall outside the classic cyber and physical security boundaries. </p><p>However, with the increased awareness of the security weaknesses that industrial control systems face, there has been a growth in requests to security and consulting companies for combined cyber and physical security assessments of factories and critical infrastructure. The North American Electric Reliability Corporation (NERC) puts out Critical Infrastructure Protection (CIP) standards that strengthen the cybersecurity of North American electric grid operations, and recent updates emphasize the importance of strengthening both physical and electronic security perimeters. </p><p>A shift in the industry toward enterprise security risk management (ESRM)—which focuses on using risk assessments to inform an organization’s security approach—moves beyond assessing physical security. 
However, this can be a difficult shift for facilities that do not have a clear risk profile.</p><p>This gap in the security assessment process offers an opportunity for plant managers to take an ESRM-inspired approach and better understand their security and infrastructure vulnerabilities to both physical and cyber threats.​</p><h4>DRAWING THE LINES</h4><p>Two security concepts raised in the NERC CIP are related to electronic security perimeters (ESPs) and physical security perimeters (PSPs). The ESP is an imaginary perimeter drawn around a set of critical cyber assets and is usually defined by the location of perimeter access points such as firewalls and modems. The PSP is typically defined as a six-sided border that surrounds critical assets. In the NERC model, the border is intended to totally enclose the ESP. </p><p>Although the ESP is a logical, imaginary depiction, it gives a sense of the electronic traffic flowing into and out of a critical set of digital assets as well as the physical plant. This assessment is normally performed by evaluating network topology diagrams, walking down network systems looking for telephone and wireless infrastructure, and conducting interviews with plant operations technology staff. If done thoroughly, the assessors are also looking at wireless traffic such as cellular, LAN network, or Wi-Fi connectivity flowing across the ESP.</p><p>A PSP is more readily determined and tangible. Here, security is literally walking along the perimeter of a room or building that is enclosing the ESP. Security is normally looking for any means of physical penetration such as doors, ventilation louvers, or an opening under the wall or fence. 
A PSP determination is more natural and can be readily performed by a skilled physical security professional.</p><h4>ELECTRONIC PERIMETERS</h4><p>A structured but more unusual way to approach a facility assessment is to start with the ESP and PSP concepts in mind and to apply them to the footprint of the facility being examined. </p><p>Begin with an overhead view of the facility and the corresponding fence line if possible. One technique is to obtain the satellite view of the facility from an online mapping tool such as Google Earth. Alternatively, a plan view drawing of the facility and surrounding grounds obtained from the facility service manager may be used.</p><p>Using this overhead view, draw a border around the facility perimeter with an optional border at the fence line. Once the analysis boundary has been identified, pinpoint both tangible and invisible services and activities, including underground, airborne, or surface vectors. Consider services that cross this boundary and place them on the map where they enter the facility.</p><p>Infrastructure to consider includes electric power feeds from substation or emergency generators, natural gas or propane, water, sewer, enterprise and public fiber connections, telephone and cable television lines, and other commercial services. Inbound services such as product feeds from other facilities and deliveries like mail or packages, as well as outbound shipments, should also be taken into consideration.</p><p>Electronic signals that cross in and out of the facility include Wi-Fi, cellular, radio, and satellite communications, and these should be included on the risk map. For example, during an assessment of a client’s facility that included a wireless security inspection, a Wi-Fi service was detected that was not owned or provided by the enterprise. 
The investigation revealed that the signal was from a nearby house and was not secured, allowing employees and visitors at the factory to connect to the rogue Wi-Fi. Such a connection could contaminate the individual’s laptop or mobile phone, as well as other Wi-Fi–equipped devices, with a worm, virus, or ransomware from the unknown and uncontrolled Wi-Fi.</p><p>A similar vulnerability was discovered at another power plant: a contractor’s trailer adjacent to the plant fence line had an insecure Wi-Fi setup, which was available inside the power plant.</p><p>Depending on the age and type of property, identifying these services may be a challenge. Older facilities may not have the necessary drawings, infrastructure diagrams, or employee knowledge to identify where the underground lines are for some of these services. Older facilities also suffer from abandoned equipment and systems that tend to be ignored because they are no longer in service. If the client has recently purchased the property, it may not know where these services enter or exit the plant.</p><p>An additional complication is that some services have dual feeds from separate locations. For instance, a data center will normally have redundant power and communications at different perimeter locations. These should be reflected on the analysis mapping.</p><p>Once these various activities and services have been identified and listed, begin looking at the vulnerabilities each poses to the plant and to the availability of the facility operations. </p><p>The perimeter assessment should be more holistic than simply walking down a fence line or the perimeter of a building. For example, during this analysis for a client, a problem was identified with the underground water feed into the plant. The plant had only one incoming line supplying potable water, service water, and fire protection/sprinkler water. 
The line ran under the fence, across a large field between the fence and the factory itself, and then into the building with some feeders going to the fire pumps located outside the factory in a field. The line could be subject to backhoe or digging damage because it was not effectively marked, but the larger problem was outside of the fence.</p><p>Beyond the fence line was the water service building—a small, unmarked wooden structure that contained the tap into the local city water supply, as well as several isolation valves and a flow meter for billing and volume calculations. The inspector discovered the building open and unoccupied—the door padlock was hanging open on the hasp. This would have allowed an attacker to shut the water supply valves and take advantage of the unlocked padlock to either lock the valves or close and lock the building door, thus delaying emergency responders trying to reopen the valves. Such an attack would have posed serious consequences for the factory because closing these valves would have shut off all water to the facility.</p><p>The inspector needs to look at all telltale signs and artifacts—many of which are prominently placed—that could tell an attacker where a softer and more vulnerable service feeding the plant is located. For example, site and facility architects use underground vault covers that explicitly label the service. That practice can be helpful for maintenance and emergency response, but it also provides an easy target for criminals. </p><p>Similarly, the way these vault covers are secured could be problematic. The covers should be locked, but an added layer of security includes using tamper-resistant fasteners or proprietary screw heads and bolts.</p><p>Conducting an integrated, ESRM-based analysis helps bring awareness of what crosses facility boundaries, whether it be in electronic or physical form. 
It encourages plant managers to document underground infrastructure and fill gaps in knowledge, and provides enhanced planning for both physical and wireless attacks from modes ranging from surface injections to airborne threats. By mapping out both the physical and electronic perimeters, a facility’s security approach can be based on what can and cannot be seen.  </p><p><em>Ernie Hayden, PSP, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), SANS Global Industrial Cyber Security Professional (GICSP), is the ICS cybersecurity lead at BBA, a Canadian engineering company. He is a member of ASIS. ​</em></p>
https://sm.asisonline.org/Pages/The-Future-is-Flexible.aspx The Future is Flexible | Physical Security<p>Mention teleworking, and some managers immediately feel at sea. How can I supervise employees I can’t see? Will staffers be sending check-in emails while watching Netflix? Can professionalism be maintained in pajamas?</p><p>Yet behind these fears lie opportunities. Teleworking, if planned and managed successfully, can be thought of as an opportunity for an organization to build trust and productivity among employees. It can also be employed as a strategic talent management initiative that improves employee attraction, engagement, and retention while reducing costs for both the firm and the workers. </p><p>In the security field, there are some jobs that are not conducive to telework, such as physical security positions that require an on-site presence. But others are more location flexible, and some positions have elements of both: they require on-site availability on some days, but they also include duties that can be conducted at home, such as report writing, security officer scheduling, or customer service interactions that take place over email and phone. Security managers who dismiss telecommuting because not every position in their department is telework-friendly may be losing out on the broader organizational benefits of telework. </p><p>The aim of this article is twofold. It will offer some best practice guidance, mined from expert opinion and recent research, for managing teleworkers. It will also explore how a telework program can be used by a manager so that it plays a key role in the organization’s talent management strategies. </p><h4>Growing Trend</h4><p>About 43 percent of U.S. 
workers work remotely in some capacity, even if that means telecommuting only once a week or less, according to the 2017 version of Gallup’s annual report, The State of the American Workplace. That percentage is up from 39 percent in 2012, which indicates a moderate but steady increase in teleworking.</p><p>As telecommuting becomes more popular, the average amount of time each teleworker spends at home or in another remote location increases. The percentage of U.S. teleworking employees who spend 80 percent or more of their time (equivalent to four days per week or more) working remotely has increased from 24 percent in 2012 to 31 percent in 2016. The number of employees who work remotely 40 to 80 percent of the time has also slightly increased, while the number of employees working remotely less than 20 percent of the time has decreased.</p><p>In addition, in more than half of the largest U.S. metro areas, telecommuting beats public transportation as the preferred commuting option, according to another report, 2017 State of Telecommuting in the U.S. Employee Workforce. Telecommuting has grown far faster than any other commuting mode, according to the study, which was issued by FlexJobs and Global Workplace. </p><p>One of the drivers of the growth of telework has been the U.S. federal government. In 2010, the U.S. Telework Enhancement Act became law, and it required the head of each executive agency to establish and implement a policy under which employees could be authorized to telework. The U.S. General Services Administration (GSA) serves as the lead agency for the government’s initiative; in its latest annual report to Congress, GSA said that federal teleworking continues to increase, with participation growing from 39 percent to 46 percent of eligible employees from 2013 to 2015. </p><p>Another telework driver is the increasing pressure from younger workers for more work options. 
“The millennial generation, which values flexible work, has risen to prominence in the workforce. They are influencing and encouraging remote work policies,” says Robert Arnold, a principal with management consultancy Frost & Sullivan’s Digital Transformation-Connected Work Industry practice. With developments like advanced cloud services, technology continues to evolve and offer more reliable support for remote work, Arnold adds. </p><p>Nonetheless, barriers remain. “Federal agencies have made considerable progress (in teleworking), but they also continue to report challenges such as management resistance, outdated cultural norms, and technology limitations,” the GSA said in its latest annual report to Congress. </p><p>Often, this management resistance simply boils down to lack of trust, says Kate Lister, president of Global Workplace Analytics. “Some managers have this attitude–if they’re not looking at [workers] in the office, they’re at home on the sofa eating bonbons,” she says. Ironically, she adds, being in sight does not always mean being productive; workplace studies show that the majority of both cat videos and pornography are viewed in the office during working hours.​</p><h4>Concentrative v. Collaborative</h4><p>One of the first tasks for those who plan to manage teleworkers is deciding who on staff may be eligible for telework. Overall, Gallup has found that a little over half of U.S. jobs, or about 55 percent, could allow for telecommuting, at least on a part-time basis. </p><p>Security jobs that require a daily on-site presence are generally not eligible for telework. And some employees, regardless of position requirements, simply do not want to telecommute. 
“Many people already know this about themselves—given the choice, they will opt to go into an office every day for the companionship, sense of purpose, or because they don’t trust themselves to be productive at home,” say consultants from Frost & Sullivan in their report, Best Practices for Managing Teleworkers: Changing Attitudes, Changing Ways.</p><p>However, those holding jobs with part-time on-site requirements may be eligible. Lister cites the example of a group of park rangers she worked with. Although they spent much time patrolling the park, they also had administrative responsibilities such as report writing, allowing many to successfully telecommute part time.</p><p>For guidance, some organizations use the model of concentrative versus collaborative work, Lister explains. Concentrative work, which is best conducted alone and without interruptions, can be done well remotely; collaborative work, such as meetings and group projects, is often best tackled in the firm’s office, with other team members present.</p><h4>Best Practices</h4><p>Once it is decided who might be working remotely, teleworking managers should keep in mind the following best practices, which come from various experts, including those quoted above, and from program guidance offered by GSA. </p><p><strong>Co-create. </strong>A teleworking policy should be developed by the entire team. To set the tone and foster confidence before a new teleworking program begins, managers should engage in dialogue with their teams and address any questions about teleworking. 
Asking team members to discuss and achieve consensus on solutions to these questions can help the team become more invested in making a teleworking initiative a success.</p><p>While the specific answers will differ for each organization, managers should be prepared for questions such as: </p><p>• How will we connect with each other?</p><p>• How will teleworking affect my performance evaluations and the way my work is assessed?</p><p>• What are the procedures for coordinating team projects?</p><p>• Will teleworking affect my career path?</p><p>• How can we manage customer expectations while teleworking?</p><p>• How can we use technology to help us telework better?</p><p>• Can we create a sense of workplace and community when we are working away from the office?</p><p><strong>Teamwork. </strong>If more than one employee is telecommuting, treat telework as a team activity rather than an individual one, whenever possible. Develop a team schedule, rather than an independent schedule, and a teleworking system that is consistent with the needs of the department and organization. This may mean that if an important team meeting needs to be held in person, employees normally scheduled to telework that day may have to come to the office.</p><p><strong>Virtual presence. </strong>Instant messaging systems can be used by team members to check in each morning, and change status when they will be away from the computer for more than a few minutes. Using a rotating system, one team member can also lead a virtual water cooler chat with a question or comment for team members to respond to once or twice a day. Transparent communication tools like shared calendars can also be useful.</p><p>In addition, advanced collaboration tools like video conferencing may also be considered. “They help to bridge the gap by building trust and intimacy that is conveyed by eye contact, body language, and other nonverbal communication cues,” Arnold says. 
</p><p><strong>Customer service.</strong> If your team members interact with customers, make sure service-level support requirements in communicating with customers are clearly defined. All team members need to agree to meet the same service levels to ensure transparency to the customer. Commit with each other to an acceptable response period for email inquiries or phone calls.</p><p><strong>IT support. </strong>A common reason for teleworking dissatisfaction is IT failure. Teleworkers are dependent on fast, reliable, consistent connections. Work with your IT group to ensure the technology is effective, efficient, operates consistently, and provides excellent customer service. IT department involvement and support is critical to your success.</p><p><strong>Trust. </strong>In talking with teleworkers on the phone, managers should avoid comments like, “Hey, I hear a washing machine. Are you doing your laundry, or working?” Instead, managers should use telework as an opportunity to foster trust between employees and management. Established daily check-ins can be useful, but rigid micro-monitoring of daily activities hinders productivity and creates an environment of distrust.</p><p><strong>Get together.</strong> The value of in-person community office time increases when working in a mobile environment. Collectively decide what types of events and activities will build a sense of cohesion and community. A regular social event might be included. </p><p><strong>Office space options. </strong>In some organizations, teleworkers are encouraged to share their space while teleworking, and relinquish their in-office space when working in the office. This will require coordination with other employees, and sometimes the development of shared space protocols. Hoteling software, which can help administrators keep track of space booking and scheduling, can also assist in this process. </p><p><strong>Manage by results. 
</strong>For managers used to passing offices where employees are working away, telework can be disconcerting. But apparent worker activity should not be confused with the results those activities produce. Establish a clear definition of objectives and performance indicators, and keep track of those indicators. </p><p><strong>Monitor performance measures. </strong>One measure might be team sick days and absenteeism—have they decreased as your teleworking program progresses? Customer satisfaction might be another measure —has the needle moved in any direction since some team members started teleworking? </p><p><strong>Keep evolving. </strong>Managers should think of a telework program as a continual work in progress. Teams are unlikely to get all arrangements right the first time. Evolving work groups and projects may also force changes in the original arrangements, regardless of how successful they may have been. Remain flexible, evaluate frequently, and adjust the arrangements as needed.​</p><h4>Telework as Strategic Initiative </h4><p>The potential value of a well-managed teleworking program becomes even more clear when it is contextualized in the broader state of the current workplace. And as Gallup’s The State of the American Workplace finds, “the modern workforce knows what’s important to them and isn’t going to settle.” More than half of U.S. employees (51 percent) are searching for new jobs or watching for openings, and 47 percent say now is a good time to find a quality job.</p><p>But in this environment, teleworking options can boost an organization’s employee retention efforts. “Gallup consistently has found that flexible scheduling and work-from-home opportunities play a major role in an employee’s decision to take or leave a job,” the report says. </p><p>GSA has found that teleworking can have a positive impact, in various ways, on the worker. 
In research comparing teleworkers with nonteleworkers, GSA found that teleworkers report more job satisfaction and higher engagement levels. They are also less likely to want to leave their current organization than nonteleworkers. </p><p>Private sector experts have found similar effects. “We do find that job satisfaction and loyalty continue to be positively impacted by remote work. Work-life balance is a big emphasis by employers in many sectors that wish to recruit and retain top talent and employees with increasingly scarce skill sets,” Arnold says.</p><p>Indeed, when it comes to employee engagement, the Gallup report showed that the most engaged workers were those who spent 60 to 80 percent of their week—or roughly three to four days—working from home. While four days out of the office may be a bit extreme for some organizations, Lister says that many employers are finding two to three days a week as the telecommuting “sweet spot,” with workers benefitting from both in-office camaraderie and out-of-office concentrative sessions. And Gallup has found that workers who say they have privacy when they need it are 1.7 times more likely to be engaged than workers who do not have that luxury.</p><p>Organizations are also finding other benefits to telework. Some organizations have combined an increase in telework with a transition to a smaller office space, thus reducing overhead costs. </p><p>And the 2017 State of Telecommuting in the U.S. Employee Workforce report found that employers, on average, save roughly $11,000 per half-time telecommuter per year. In addition, firms are often getting more out of their telecommuters. A half-time teleworker gains back an average of 11 days a year in commuting time, and will devote about 60 percent of that gained time toward work, Lister says. </p><p>Finally, as the benefits of teleworking become apparent to more employees and more organizations, they are also forcing change, Gallup finds. 
Organizations are being forced to reconsider how to best manage and optimize performance. Even the basic idea of when and where people work is evolving. </p><p>“The workplace is changing,” Gallup says, “at unprecedented speed.”</p>
https://sm.asisonline.org/Pages/Officials-Say-New-York-Attacker-Acted-in-the-Name-of-ISIS.aspx | Officials Say New York Attacker Acted in the Name of ISIS | National Security
<p>Sayfullo Saipov, the man accused of killing eight people by mowing down pedestrians and cyclists on a Manhattan bike path, plotted for weeks and then carried out the attack in the name of the Islamic State (ISIS), officials said Wednesday. </p><p>Saipov is a legal permanent resident of the United States who arrived from Uzbekistan in 2010 through a diversity visa program. Officials said Saipov was influenced by ISIS after coming to the United States. He left notes pledging his allegiance to the group, authorities said, though more direct connections between Saipov and ISIS have not been identified.</p><p>The notes were handwritten in Arabic, and essentially said that the Islamic State would endure forever, according to John Miller, deputy New York police commissioner for intelligence and counterterrorism, who spoke to reporters at a briefing on Wednesday. ISIS has urged its followers to use vehicles to carry out attacks.</p><p>"He did this in the name of ISIS," Miller said. "He appears to have followed almost exactly to a T the instructions that ISIS has put out in its social media channels before with instructions to their followers on how to carry out such an attack."</p><p>The new details came as authorities continued to explore the violent rampage that tore through a stretch of Lower Manhattan and became New York's deadliest terrorist attack since Sept. 11, 2001.</p><p>Police say Saipov climbed into a rental truck on Tuesday afternoon and careened down a bike path along the Hudson River, slamming into numerous people before he was wounded by police and taken into custody. 
He drove southbound on the path "at a high rate of speed" and appeared to specifically target cyclists and pedestrians, Miller said.</p>
https://sm.asisonline.org/Pages/Houston-Secures-the-World-Series.aspx | Houston Takes Measures to Secure World Series | Physical Security
<p>The city of Houston, Texas, is gearing up for an <a href="https://www.click2houston.com/news/houston-police-prepare-for-world-series" target="_blank">influx of tens of thousands of fans at the 2017 Major League Baseball World Series</a>, set to take place this week between the Los Angeles Dodgers and Houston Astros. The city is no stranger to protecting such large gatherings, as it recently played host to Super Bowl LI and the American League Championship Series. "We'll have plenty of resources on hand, and we will have resources both seen and unseen to protect the public," Executive Assistant Police Chief Matt Slinkard said in a news conference Monday at the police department's downtown headquarters. "You can always learn something from each and every major event that you host." </p><p>Police are working with the Harris County Sheriff's Office and federal law enforcement to <a href="http://www.houstonchronicle.com/news/houston-texas/houston/article/Law-enforcement-beefs-up-security-for-World-Series-12300524.php%20%E2%80%8B" target="_blank">gather threat intelligence leading up to the game</a>, and will utilize those partnerships to secure the more than 40,000 fans inside Minute Maid Stadium. Slinkard remarked that the various locations where the game can be viewed, including bars and block parties, add to the complexity of providing security. 
"Fortunately, we went through this drill for the Super Bowl, so we're applying lessons learned and tweaking them–but we're used to working together, [and we are] already doing that now," Slinkard noted.</p><p>The faceoff between the Houston Astros and Los Angeles Dodgers will begin in Los Angeles, and games three and four in the series will be at Minute Maid Stadium (and five, if needed). For a possible game six and seven, the series returns to Los Angeles.  </p><p>Officials will deploy measures both on the ground and above to secure the best-of-seven series. Aviation measures are in place, as federal officials enact a limited no-fly zone during the games. In addition, two SkyWatch platforms, mobile surveillance systems that allow deputies to view the game from high above, will be deployed at the stadium. </p><p>Slinkard added that fans can expect additional traffic safety measures around the city, including DWI enforcement. The city is also encouraging baseball fans to be the eyes and ears of security while attending the series, and FBI Spokeswoman Christina Garza urged citizens to take it upon themselves to look out for suspicious behavior. "We constantly remind the public to be aware of their surroundings and report anyone or anything that might seem suspicious to law enforcement," she told the <em>Houston Chronicle</em>.  ​</p>
https://sm.asisonline.org/Pages/Harden-Soft-Targets-with-PSIM.aspx | Harden Soft Targets with PSIM | Physical Security
<p>Soft targets—those that are readily accessible to the public, like shopping malls, hotels, and hospitals—are especially vulnerable to attack by terrorists, criminals, and other bad actors. Recent attacks around the globe have raised awareness of the need to protect these spaces. Security practitioners must keep in mind that the duty of care for enterprises extends beyond just a company's employees to anyone who sets foot on the property. </p><p>In these locations, typical physical security solutions include clear separation between public and staff-only areas, controlled access to sensitive areas to prevent unauthorized entry, and limited access to the facility during nonbusiness hours. These measures rely heavily on implementing and managing varying levels of access permissions for each area using a mix of security technologies. And even the best deployments of these systems do not eliminate risk; rather they help security to contain the threat. </p><p>With many diverse systems, this becomes a complex task that could quickly overwhelm security staff who are also tasked with monitoring, identifying, and responding to events. For multi-use facilities, physical security information management (PSIM) solutions simplify these complicated procedures with automated, intelligent alerts and response actions, along with greatly improved situational awareness. </p><p><strong>Alerting</strong></p><p>Any time an unauthorized individual enters a private or sensitive area, organizations should treat that incident as suspicious unless and until they learn there is a valid reason for the entry. And with every security breach—whether intentional or unintentional, malicious or harmless—time is of the essence. 
This underscores the vital need for operators and other security staff to know about the situation as soon as possible. With automation and the ability to seamlessly integrate multiple systems into a single interface, PSIM solutions can speed the alerting process to improve awareness and response.</p><p>​For example, integrated access control and surveillance systems with video analytics could be deployed to alert staff when individuals enter a restricted area, such as a data center, after hours. When an alert comes in from the access control system, the PSIM solution can automatically call up surveillance video associated with the event, providing operators with direct visibility into the situation. </p><p>Another alert could be triggered by an initial report or description submitted by a mobile user. In this case, the PSIM could correlate with nearby video and other systems. Regardless of the source of the alert, the solution ensures that operators have instant access to valuable information and insight, allowing them to quickly assess the situation and initiate the appropriate response based on a full understanding of an incident. </p><p><strong>Response</strong></p><p>Once an alert has been generated, established actions must be in place to help staff determine the appropriate course of action to resolve an issue as quickly as possible. In many cases, no response is necessary. For instance, if an individual holds a door open for a few seconds, the access control system may generate a door-prop alert. Using video associated with the action, an operator can determine in seconds whether this was to allow unauthorized entry or if the person entering simply paused to read an email or text on a cell phone. 
Without the video capability, a guard would need to be dispatched to assess the situation—not the most efficient use of time and resources.</p><p>Given the large number of nonactionable alerts operators receive throughout their shifts, they may not be prepared for an event that does require action, regardless of how well they have been trained. This can cause confusion and stress, which can complicate the situation and lead to chaos. Having well-defined standard operating procedures (SOPs) in place to guide operators and others through each process reduces the potential for stress, panic, or confusion, all of which contribute to a high potential for human error. However, complicated or difficult-to-locate SOPs will do nothing to reduce this likelihood. </p><p>PSIM can automate many of the more mundane and basic steps to simplify processes and allow operators to focus only on the most critical tasks that require human intervention, such as determining whether a person seen on video represents a potential threat. This enables security staff to quickly assess the situation and determine the most appropriate response. </p><p><strong>Real-Time Situational Awareness</strong></p><p>When responding to an incident, it is important for guards, first responders and others to have the most complete information to ensure the most effective and efficient response. </p><p>​Integrated systems improve this awareness by providing large amounts of data from various systems that can be combined to evaluate an incident. While searching myriad systems to gather and sort through this information manually is not feasible, automated PSIM solutions put all the relevant information at operators' fingertips. This allows security staff to make quick, accurate decisions based on a complete picture of an event and easily share information in real time with appropriate responders and coordinate response among all parties involved. 
This collaboration provides critical situational awareness to those responders, who can then make faster, more informed decisions that enable swift response to help prevent an incident from unfolding.</p><p>A wide variety of challenges arise when securing facilities and campuses with multiple levels of access privileges. By deploying a PSIM to aggregate crucial information, organizations can overcome the many challenges they face while also increasing safety and security for these potentially complex applications.</p><p><em>Simon Morgan is chief technology officer for SureView Systems.</em></p>
https://sm.asisonline.org/Pages/Why-Companies-Should-Hire-People-Not-Resumes.aspx | Why Companies Should Hire People, Not Resumes | Strategic Security
<p><em>Security Management</em> has partnered with the Society for Human Resource Management (SHRM) to bring you relevant articles on key management topics and strategies. This article by Erin Binney discusses the value of hiring the underdog.<br></p><p>--</p><p>BOSTON—Two resumes lie side by side on a recruiter's desk. Candidate A has an Ivy League education, a 4.0 GPA and a slew of impressive internships. Candidate B graduated from a state school with a 3.4 GPA and once worked as a singing waitress. Which candidate is more likely to add value to the organization?</p><p>Regina Hartley, a vice president of HR at UPS, argues that it just might be Candidate B, and she explained why during her closing keynote presentation at the Human Capital Institute's 2017 Strategic Talent Acquisition Conference.</p><p>If the recruiter were to do a little digging, Hartley said, he or she might discover that Candidate B is a "scrapper"—someone who has faced adversity and succeeded in overcoming obstacles.</p><p>Attendance at a less prestigious educational institution may have been the result of financial limitations, not a lack of intelligence, for example, and an uneven work history might mean that the person had to take time off to care for a loved one.</p><p>But through these experiences, Candidate B may have become incredibly resilient or developed superior problem-solving skills. 
She can bring those and other desirable qualities to your organization—but only if you're willing to take a chance on her.</p><p>"There are people out there who can transform your organization," Hartley said, "but they're getting filtered out through the recruitment and selection process."</p><h4>Who Are Scrappers?​</h4><p>Hartley referred to a concept called "post-traumatic growth" and cited a study of 698 children who grew up in less-than-ideal circumstances. One-third of them went on to lead healthy, productive, successful lives.</p><p>Steve Jobs is an example of a scrapper, she said. He struggled with his feelings about being placed for adoption, was diagnosed with dyslexia and dropped out of college before founding Apple.</p><p>Kat Cole might consider herself a scrapper, as well. Cole experienced what she describes as a "Jerry Springer" childhood. She was raised by a single mother, worked as a Hooters waitress when she was a teenager and dropped out of college. Now, she's group president of FOCUS Brands, the franchisor and operator of Cinnabon, Carvel, Moe's Southwest Grill and other restaurants.</p><p>Cole recently told HR Magazine that her work ethic "came from watching my mom, who worked three jobs while she was single and taking care of us. In many ways, I grew up as a normal kid. But I also had to look after my sisters, so I had to develop a great work ethic early in life."</p><p>In many cases, Hartley said, scrappers succeed not in spite of their circumstances but because of them. In fact, many of these people "attribute their success to adversity," she said.</p><p>Hartley urged attendees to read between the lines on a resume. 
"Struggle is a great indicator of resilience, creativity and critical thinking," she said.</p><p>Scrappers also tend to:</p><ul><li>Be self-reliant.<br></li><li>Have a sense of purpose.<br></li><li>Be problem-solvers.<br></li><li>Refuse to give up.<br></li><li>Take personal responsibility for difficulties.<br></li></ul><div><br></div><h4>'Be the Gateway'​</h4><p>For talent acquisition professionals who are ready to introduce scrappers into their organizations, Hartley had this advice: Don't rely exclusively on technology. It's easy to let tech solutions whittle down your applicant pool, but doing so may not yield the best candidates. Screening systems may reject applicants whose resumes don't contain the right keywords or don't check certain predetermined—and often irrelevant—boxes.</p><p>"The resume tells me what a person did, but it doesn't tell me who you are," Hartley said. Remember, she told the audience, "you're hiring people, not resumes."</p><p>Use innovative recruiting methods. Companies can hold events that give scrappers a chance to show what they can do in a real-world setting. If your organization is hiring for entry-level IT positions, she suggested, sponsor a hackathon where prospective employees can showcase their coding skills. You may discover that the best performers aren't the university recruits with the best pedigrees.<br></p><p>Educate hiring managers. Hiring managers may be skeptical of scrappers' value. The best way to educate them, Hartley said, is to identify a scrapper who has already proven himself or herself at the organization. Find that person who started in the mailroom, worked her way up the company ranks and is now known as someone who helps drive the business.<br></p><p>Talent acquisition professionals have a lot of influence over which candidates get passed along to hiring managers and which ones are chosen for interviews, Hartley said. "Don't be the gatekeeper. Be the gateway."<br></p><p><em>© 2017, SHRM. 
This article is reprinted from https://shrm.org with permission from SHRM. All rights reserved.</em><br></p>
https://sm.asisonline.org/Pages/Building-a-Professional-Guard-Force.aspx | Building a Professional Guard Force | Physical Security
<p>In today's environment of heightened security in all areas, security departments are struggling to attract and retain high-quality guards. Now more than ever, it's vital to examine how security guards are evaluated, trained, and compensated.</p><p>All entities, including corporations and government facilities, understand the importance of a top-notch security force. However, not all of them recognize the elements needed to create such a force.</p><p>Security managers may presume that a security guard who passed the preemployment screening and successfully completed training when hired will perform the required duties well. And that may be true. But human nature allows people to become complacent, cut corners, and get too comfortable. Continuing education, regularly scheduled evaluations, and enhanced training can improve the team's performance.</p><p>On March 1, 2016, at Escuela Campo Alegre, Caracas, Venezuela, we initiated a new method of recruitment and selection for incoming loss prevention and control analysts (LPCAs). At that time, we chose to enhance our program by hiring 10 people with bachelor's or associate degrees in engineering, economics, administration, education, and other related fields.</p><p>We developed a screening and training program for candidates hoping to join our security team as LPCAs. In addition, we created a regimen of close supervision and daily evaluation of the security force to reinforce the training. </p><p>Here are the elements that led to success in creating excellent employees for our school's protection, from the first job application to seasoned protection professional.</p><p><strong>SCREENING AND TRAINING</strong></p><p><strong>Detailed job description. 
</strong>Experience has taught me the importance of a detailed and clearly stated job description. Candidates for the position of LPCA receive a precise explanation of the duties and expectations. This is presented first so that potential candidates fully understand the duties and responsibilities of the position. If the job description isn't something the candidate wants to do, we have saved everyone a lot of time.</p><p><strong>Required qualifications. </strong>Every security force has necessary requirements when seeking team members such as age, place of residence, experience, physical abilities, criminal background, and computer skills. Education, of course, is taken into consideration, and at Escuela Campo Alegre we look for higher education, from associate degree to bachelor's degree and up, for LPCA candidates.</p><p><strong>Testing potential candidates. </strong>LPCAs must have certain abilities from the beginning.</p><p><em>Observation.</em> The candidate must be attentive and aware at all times of the general appearance of people, placement of objects, locations, colors, vehicles, and location of security equipment.</p><p><em>Oral communication.</em> The candidate must be able to respond in detail when relaying and explaining the facts of a situation. The candidate must also be able to delegate duties to a third party using clear directions.  </p><p><em>Written communication: </em>The candidate must be able to write a report using correct grammar and vocabulary. An excellent memory is needed to write a complete report. Also, the candidate must be computer literate to produce the report.</p><p>During the interview process, we determine if the candidate has the qualifications listed above. We evaluate the ability to give directions properly to a third party. Observation skills are also evaluated. Reporting skills are tested by having the candidate read and summarize a paragraph using a computer.</p><p><strong>Introduction to private surveillance. 
</strong>A candidate who passes the initial interview process is invited to attend an eight-hour training presentation the next day. This introduction exposes the candidate to the basic requirements of private security. Among the topics addressed are the expectations of a security officer, the organizational mission, legal aspects, visitor management, keys and locks, and guard tours.</p><p>After the presentation, the candidate undergoes a test, which requires 17 points to pass. If successful, the candidate is invited to come the following day to read the operations manual. </p><p><strong>Operations manual. </strong>This next step is important. We determined that it requires five business days to read, analyze, and understand the school's operations manual. We administer an evaluation at the end of each day to determine whether the candidate has understood the reading for the day. This helps to clarify questions or misunderstandings the candidate may have. If the candidate does not reach the minimum score during the first evaluation, the average of the first and second tests must be a passing score. Candidates who do not receive the required score are no longer considered, but those who pass the evaluation are invited to the induction program.</p><p><strong>Induction program. </strong>This phase of our program provides detailed descriptions of the jobs to be performed. Candidates learn that they will rotate throughout the facility and understand that there are multiple and varying tasks at each location. They receive on-the-job exposure to the work by staying at our institution during four day shifts and two night shifts.</p><p>The candidate is evaluated each day, and the minimum passing grade is 17 out of 20 points. Once again, candidates who do not receive a passing grade will no longer be considered for a position.</p><p><strong>Final evaluation. 
</strong>After passing the induction program, the candidate will meet with the security manager for the final assessment. This assessment includes topics such as employee identification, addresses of various locations, location of safety equipment, knowledge of the operations manual, recognition of patrol routes, and disciplinary code.</p><p><strong>Assignment to a guard group. </strong>Candidates who advance through the final evaluation receive the rank of Officer I and are assigned to a regular working group. Together with the supervisor, the officer will put into practice all theoretical and practical knowledge achieved through training. The officer will work as an auxiliary for 90 days and will perform day-shift and night-shift tasks in conjunction with the assigned group. </p><p>During this trial period, the officer will be guided and instructed by the supervisor regarding the responsibilities of the log book; closing and opening of facilities; operation of lighting; vehicle fleets; entry and exit of students; entrance of drivers, chauffeurs, and caregivers; Escuela Campo Alegre staff, contractors, tutors, substitutes, trainers, and frequent visitors; entry and exit materials; fire alarm system; evacuation drill; and many other activities. </p><p><strong>Completing the probationary period</strong>. Once Officer I completes the probationary period, we administer an evaluation to demonstrate readiness to assume multiple responsibilities. If the officer does not pass the evaluation, an additional 15 days as an auxiliary allows for more instruction, followed by another evaluation. When this evaluation is passed, the individual is promoted to Officer II.</p><p><strong>Certification as Loss Prevention and Control Analyst. </strong>An Officer II will work for nine continuous months at the new job, demonstrating knowledge of establishing priorities, situation analysis, decision making, safety, conflict management, investigations, and first aid. 
Depending on performance and the results of monthly assessments, it can be determined that the officer has a clear understanding of what constitutes the work of the supervisor. The officer is now eligible to be certified as an LPCA. A further evaluation involves a series of cases and situations and requires a passing score to become a certified LPCA.</p><p>Out of 120 people who apply for a position as an LPCA, only about 10 successfully reach this point.</p><p><strong>EMPLOYEE DEVELOPMENT</strong></p><p><strong>Training updates. </strong>In our organization, we believe that providing continuous training enhances the performance of each member of the group. Daily training is provided to each member of the guard force for 15 minutes prior to the day shift and the night shift. This training is different every day and covers more than 40 areas related to the fulfillment of security tasks. The training aims to strengthen the knowledge and ability to perform required tasks.</p><p><strong>Daily evaluations. </strong>From the first moment the candidate joins our ranks, we stress the importance of maintaining our organization with a spirit of healthy competition within the groups. This interest and enthusiasm in our organization fosters respect, pride, and knowledge about the organization.</p><p>The daily evaluation is a practical application that consists of the exchange of files and questions that the coordinator of vigilance presents to each member of the group. Officers must demonstrate their ability to recognize the faces of employees, know the geographical location of any room on campus, know the exact location of the security equipment, provide detailed information of the operations manual, run the courses correctly, and honor the disciplinary code. This daily evaluation keeps officers on their toes and objectively assesses their knowledge.</p><p><strong>Monthly evaluations. 
</strong>At the end of each month, the scores from the daily assessments are reviewed, allowing us to determine who has been an outstanding analyst and who may need more supervision and additional training. Officers who come up short three times during the school year are reassigned to jobs outside of Escuela Campo Alegre. </p><p><strong>LPCA lectures. </strong>Each LPCA of Campo Alegre School, as part of ongoing professional development, must present a lecture about security once a year. Each 20-minute lecture is followed by a 10-minute question-and-answer session. The topic of the lecture is assigned by management. </p><p><strong>Annual research presentation. </strong>For further professional development, each LPCA at Escuela Campo Alegre must research and propose new tools, criteria, or procedures to make the job function better and more efficiently. This improves the LPCA's skills while helping management meet its objectives.</p><p><strong>Interpersonal communications with management. </strong>Once a week, an off-duty analyst will attend an hour-long meeting with management. The parties discuss topics not related to work, such as sports, hobbies, and leisure pursuits. Management gains an appreciation of the social, cultural, and familial environment of the analyst, and both participants strengthen their communication. </p><p><strong>Disciplinary court. </strong>If any officer is involved in a disciplinary action, that officer seeks a member of his group to act as his "lawyer." The lawyer will represent the officer and help to clarify the situation. Likewise, management will choose an officer to act as "prosecutor" to argue the case of the disciplinary action. This interaction allows each party a fair chance to present facts. </p><p><strong>LPCA authors. </strong>Every member of the security team is required to write an article about campus security. 
The article is published in our digital magazine and is shared with the Campo Alegre community, including parents, students, teachers, employees, and contractors.</p><p><strong>LPCA of the month. </strong>Each month, an officer who has successfully met all objectives is awarded LPCA of the month. The objectives include staff identification, detailed knowledge of the campus, analytical prowess with regard to the operations manual, location of safety equipment, completion of duties, and adherence to the disciplinary code. The officer must demonstrate clear concise communication and common sense.</p><p><strong>LPCA of the year. </strong>This honor is awarded to the LPCA who has received the greatest number of monthly awards.</p><p><strong>Compensation. </strong>In addition to careful training, we know that humans respond well to a good salary and benefits. They feel appreciated for a job well done. We are proud to say that our LPCAs are the best paid in the country. In addition, they receive a stipend for being a university graduate, a stipend for transportation, and bonuses for work performance. The Escuela Campo Alegre community also shows appreciation through thank you notes and personal gratitude. That goes a long way in making our team feel appreciated.</p><p><strong>RESULTS</strong></p><p>Since Escuela Campo Alegre began this program of recruitment, training, supervision, daily evaluations, and professional development of analysts, management has observed both positive and negative behaviors: distractibility, obscurity, lack of discipline, lack of confidence to perform duties, inequality when working in groups, selfishness, and lying, as well as professionalism, fairness, honesty, transparency, and overall pride in the work and the institution. </p><p>Our evaluation system contributes greatly toward a successful program. 
A Google Doc is available so that every person on the task force can monitor his behavior and improve in areas of operation, manual details, face recognition, geographic location on campus, security equipment location on campus and security rounds. With this information available at any time, they can self-motivate and improve. The same Google Doc can show them where they stand as far as positioning and they can see what salary increase they may expect on their next evaluation. The disciplinary system tracks all mistakes made by the analyst on duty. This provides the analyst the opportunity to correct mistakes and advance in the program.</p><p>Our turnover is very low because of our evaluation system. It not only helps those who wish to advance, but it also allows others to realize, on their own, that their job performance is too low to continue.</p><p>The analysts take pride in their work and, because they can see what other analysts are achieving, they can collaborate and ask questions of those higher achievers. There are fewer missed shifts. Because the analysts work so closely together and respect each other, they are more willing to cover for a team member.</p><p>It has been arduous work that involves a great deal of discipline, ethics and morals, teaching, and faith in what we are doing. We are proud of our successful program and will continue to refine and improve it in the future.</p><p><em>Guillermo Guevara Penso was security manager at Escuela Campo Alegre in Caracas, Venezuela, until July 2017 when he elected to seek other security related opportunities in Chile. He has more than 30 years of experience in the security field.</em></p>
https://sm.asisonline.org/Pages/Bag-Checks-At-Hotels-Unlikely-To-Become-New-Normal,-Expert-Says.aspx
Bag Checks At Hotels Unlikely To Become New Normal, Expert Says
Physical Security
<p>In the aftermath of the Las Vegas shooting that killed 59 people and wounded more than 500 others, many are wondering if hotels will change their security policies and procedures. </p><p>One area of concern is if hotels will begin implementing bag checks because gunman Stephen Paddock was able to smuggle 23 firearms, along with other equipment, into his suite at Mandalay Bay to carry out Sunday’s massacre.<br></p><p>The Wynn resort in Las Vegas—located on the opposite end of the Vegas Strip from the Mandalay Bay resort—introduced security guards on Monday afternoon to screen visitors with metal-detector wands. It also implemented a bag check, which created a 10-minute wait to get inside the facility. <br></p><p>This is unlikely to become the new normal for hotel security in the near future, however, says Russell Kolins, CEO of the Kolins Security Group and chair of the ASIS International Hospitality, Entertainment, and Tourism Security Council.<br></p><p>“Hotels are in the business of selling privacy—they’re offering hospitality and selling privacy,” Kolins explains, adding that hotels would likely start to lose business if they began checking bags—especially in locations like Las Vegas. <br></p><p>“In Vegas especially, what happens in Vegas stays in Vegas,” Kolins says. “People bring items they don’t want other people to see.”<br></p><p>At airports, travelers are subject to bag searches—as well as body scans—because they are a different kind of target than a hotel. 
Travelers also have no expectation of privacy while on a plane, except for in the bathroom, unlike in a hotel where travelers expect privacy within their room, Kolins says.<br></p><p>One policy that might need to be revisited following the shooting, however, is how hotels handle checking rooms that have a “Do Not Disturb” sign on the door. <br></p><p>Paddock checked into the Mandalay Bay on Thursday and kept a “Do Not Disturb” sign on his hotel door throughout his stay. This meant hotel cleaning staff did not enter his room, <a href="https://www.nytimes.com/2017/10/03/us/las-vegas-gunman.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=a-lede-package-region&region=top-news&WT.nav=top-news&_r=0" target="_blank">according to a hotel worker who spoke to The New York Times,​</a> because housekeeping is only allowed to enter a room with such a sign on it if a security guard is present.<br></p><p>Requiring a security guard be present to enter rooms with privacy signs is the right move, Kolins says, but hotels should consider changing their policies to require room checks every other day.<br></p><p>“That’s an arbitrary period of time, but I think a policy should be instilled to at least check on the rooms,” Kolins says, adding that hotels would have to make patrons aware of the policy. But such a policy could, potentially, prevent an individual from using a hotel room for an extended period of time to plot a criminal act.<br></p><p>Kolins leads a team of court-certified security experts at his firm. He says he thinks it’s unlikely that Mandalay Bay will be sued for negligence for the shooting because to sue for negligence, plaintiffs must be able to show foreseeability. <br></p><p>“This is unprecedented—nothing like this has ever happened,” Kolins explains. 
“If something happens the first time, it’s not foreseeable.”<br></p><p>Now that such an attack has happened, though, if a similar attack happens plaintiffs could potentially bring a lawsuit saying it was foreseeable. In response, Kolins says he expects the hotel security industry to begin having seminars and tabletop meetings to determine how they would handle a similar case.<br></p><p>“I think what this has done is show that the slogan ‘expect the unexpected’ is again proven to be true,” Kolins says. “It wasn’t foreseeable because it was unprecedented.”​<br></p>
https://sm.asisonline.org/Pages/LIVE-UPDATES-LAS-VEGAS-SHOOTING.aspx
LIVE UPDATES: Las Vegas Shooting
National Security
<p><span style="color:#222222;text-transform:uppercase;font-family:novecentosanswide-bold, sans-serif;font-size:1.1em;">WHAT WE KNOW</span></p><ul><li><span style="line-height:1.5em;">58 people were killed and 500 injured in a shooting on the Las Vegas Strip at 10:08 p.m. Sunday (1:08 a.m. ET Monday).</span></li><li><span style="line-height:1.5em;">The gunman, 64-year-old Stephen Paddock, fired shots from a window in the Mandalay Bay Resort and Casino onto the strip below.</span></li><li><span style="line-height:1.5em;">The shooting happened during a Jason Aldean concert, part of the Route 91 Harvest Country Music Festival.</span></li><li>The massacre has surpassed the Pulse Nightclub tragedy in Orlando as the worst mass shooting in modern U.S. history.</li><li><span style="line-height:1.5em;">Las Vegas Sheriff Joe Lombardo says Paddock was killed in a standoff with police in his hotel room; he had at least 10 rifles on him.</span></li><li><span style="line-height:1.5em;">A U.S. official says there are currently no known links to terrorism or motives for the shooting, according to CNN.</span></li><li><span style="line-height:1.5em;">Marilou Danley was previously reported as having a possible link to the shooting, but police now say they have made contact with her and she is no longer a person of interest.</span></li><li><span style="line-height:1.5em;">Two Las Vegas police officers are hospitalized; one is in critical condition, while the other sustained minor injuries.</span></li></ul><h4>Investigators Questioning Gunman's Girlfriend, and Exploring Shooter's Attack Plans</h4><p><strong>Update, 5:03 p.m. 
E.T., 4 October 2017</strong></p><p>Marilou Danley, the girlfriend of the Las Vegas gunman, was at the FBI's building in Los Angeles for questioning on Wednesday, according to a law enforcement official. Authorities are seeking her insight into what prompted a man with no evident criminal history to become a mass murderer, the <em>New York Times </em>reported. </p><p>The FBI bureau is trying to reconstruct the actions of the gunman, including finding and interviewing "everyone and anyone who crossed his path in recent weeks," Andrew G. McCabe, the deputy director of the F.B.I., said at a cybersecurity conference in Boston.</p><p>The killer, Stephen Paddock, "is an individual who was not on our radar or anyone's radar prior to the event," Mr. McCabe said in an interview with CNBC outside the conference. "So we really have a challenging bit of detective work to do here, to kind of put the pieces back together after the fact."</p><p>Meanwhile, investigators are exploring whether Las Vegas suspected shooter Stephen Paddock sought a hotel room overlooking another outdoor concert in Las Vegas in late September that featured Chance the Rapper and Lorde, sources told <em>ABC News.</em></p><p>Paddock allegedly rented multiple condos at The Ogden complex in downtown Las Vegas, which overlooked the location of the Life is Beautiful Festival. A spokeswoman for The Ogden referred questions to Las Vegas police.</p><p>At a press conference on Tuesday, authorities were asked if there was any indication Paddock was planning an earlier attack. "No. I'm not prepared to speak about that, but that is part of our investigation," they replied.</p><h4> </h4><h4>bag checks at hotels unlikely to become the new normal, expert says</h4><p><strong>Update, 3:20 p.m. 
E.T., 4 October 2017</strong><br></p><p>In the aftermath of the Las Vegas shooting that killed 59 people and wounded more than 500 others, many are wondering if hotels will change their security policies and procedures.<br></p><p><em>Security Management </em>reached out to Russell Kolins, CEO of the Kolins Security Group and chair of the ASIS International Hospitality, Entertainment, and Tourism Security Council for his thoughts on the future of hotel security. ​<a href="/Pages/Bag-Checks-At-Hotels-Unlikely-To-Become-New-Normal,-Expert-Says.aspx" target="_blank">Read our analysis here.​</a><br></p><h4>​Live Entertainment Promoters Rethinking Security</h4><p>​​<strong>​Update, 3:00 p.m. E.T., 3 October 2017</strong><br></p><p>Concert and music festival planners are taking a closer look at security protocols following the Las Vegas shooting—which is just the latest attack on a public entertainment venue. Last year’s terrorist attack on the Bataclan theater in Paris, where the Eagles of Death Metal were playing, and the attack earlier this year on the Ariana Grande concert in Manchester show that concerts are tantalizing targets due to their publicity and the large amount of people that flock to them. </p><p>Damon Zumwalt, CEO of the company that provided about 200 security personnel for the Route 91 Harvest music festival, <a href="https://www.cnbc.com/2017/10/02/there-are-bodies-lying-everywhere-security-ceo-from-doomed-vegas-concert-talks-about-getting-the-call.html" target="_blank">described to CNBC</a> the moment he received the call from one of his managers about the shooting. Zumwalt’s company, Contemporary Services, works with law enforcement and runs active shooter drills but at a certain point there is nothing that can be done.</p><p>"We plan for practically everything, but you don't plan for something you can't control, like a guy off-property," Zumwalt said. 
"That's pretty devastating, and there's just no real reason for that kind of insanity."​</p><p>Following the trend of soft target attacks, many music venues have increased their security. However, experts note that securing an indoor venue is far easier than an outdoor festival—officials can more easily control who enters an indoor space and what they bring with them. Experts agree that there is very little that Route 91 Harvest could have done to prevent Sunday night’s tragedy. </p><p>Going forward, festival organizers will have to be more mindful of event locations and the areas surrounding the festival’s footprint, according to Waco Hoover, CEO of XLIVE, which provides best practices for the industry. Event organizers will have to balance the need for an increased security presence—perhaps changes similar to what airports experienced following 9/11—while allowing the freedom to enjoy recreational activities that festivals foster. </p><p>"If you look at the scenario, this (security) is not a festival issue," <a href="http://www.desertsun.com/story/life/entertainment/music/coachella/2017/10/02/las-vegas-shooting-could-change-festival-security-coachella-and-around-world/724617001/" target="_blank">Hoover told the <em>Desert Sun.</em></a> "This is not a Live Nation or Goldenvoice disclosing their security plans. They’re already working very, very closely with the city and the appropriate authorities to do those types of things. This is something which the producing entity has no control over.”</p><h4><br></h4><h4>Twenty-Three firearms found in gunman's suite as investigation progresses</h4><p><strong>Update, 12:45 p.m. 
E.T., 3 October 2017</strong><br></p><p>Officials are still investigating the events that led up to the horrific shooting in Las Vegas earlier this week, but did release information confirming they found 23 guns in the gunman's suite.<br></p><p>Las Vegas Metropolitan Police Department Sheriff Joseph Lombardo also told <em><a href="https://www.nytimes.com/2017/10/02/us/las-vegas-shooting-live-updates.html?_r=0" target="_blank">The New York Times</a></em> that when Stephen Paddock's home was searched, they found 19 firearms, "some explosives, and several thousand rounds of ammo."</p><p>Some of the rifles found in Paddock's hotel room at Mandalay Bay may have been modified to make them fully automatic. </p><p>"Automatic rifles, which fire multiple rounds with a squeeze of a trigger, are highly regulated, and on videos posted online by witnesses, the rapid-fire sound indicated that at least one weapon was fully automatic," according to the Times.</p><p><a href="https://lasvegassun.com/news/2017/oct/03/las-vegas-gunman-had-device-turning-weapon-into-au/">In a report by <em>The Las Vegas Sun,</em></a><em> </em>officials said Paddock had two "bump-stocks" that could have converted the firearms into​ fully automatic weapons. </p><p>Officials are currently investigating whether those stocks were used to modify weapons Paddock ultimately used to carry out the massacre.</p><p>The shooting has also raised questions about hotel security and if there are measures that could have detected the ​firearms as they were brought into Mandalay Bay.</p><p><a href="https://www.nytimes.com/2017/10/02/business/hotel-security-las-vegas.html" target="_blank">In an interview with the Times,</a> Mac Segal, consultant at AS Solution, said hotel guests in the United States and Europe place a premium on their privacy, so X-ray machines and explosive scanners are unlikely to appear at hotels anytime soon. 
</p><h4>ASIS Condemns Vegas Shooting, Releases Resources on Soft Target Security</h4><p><strong>Update, 10:45 a.m. E.T., 3 October 2017</strong><br></p><p>ASIS International <a href="https://www.asisonline.org/News/Press-Room/Press-Releases/2016/Pages/ASIS-Statement-on-Las-Vegas-Tragedy.aspx" target="_blank">released a statement</a> condemning the "horrific massacre of Las Vegas concertgoers" and pledging its support to the security community.<br></p><p>"This senseless violence follows an all-too common pattern of lone wolf attacks targeting citizens where they live, work, and play," ASIS said. "Our members, 35,000 strong, stand united against this evil."</p><p>ASIS has also made resources on soft targets and active shooters available, free of charge, to assist the Las Vegas community and security professionals.</p><p>"We will continue to bring our resources to bear to help deter, prevent, and minimize future attacks," ASIS said. "In the days ahead, we will work with our Las Vegas chapter to help the area and its citizens recover and gather best practices to help make our communities more resilient."</p><h4>ASIS International LinkedIn Discussion of Shooting</h4><p><strong>Update, 10:44 a.m. E.T., 3 October 2017</strong></p><p>Any ASIS member who wants to comment on or discuss the Las Vegas shooting and response may do so on the ASIS International LinkedIn group page. The discussion space can be found at the link below: </p><p><a href="https://www.linkedin.com/groups/38907/38907-6321006327405572098">https://www.linkedin.com/groups/38907/38907-6321006327405572098</a></p><h4>ASIS MEMBER OFFERS EXPERT Q&A TO SECURITY MANAGEMENT </h4><p><strong>Update, 1:35 p.m. E.T., 2 October 2017 </strong></p><p><img src="/ASIS%20SM%20Article%20Images/slotnick.JPG" alt="" style="margin:5px;width:300px;height:329px;" /><br> </p><p>Jeffrey A. Slotnick, CPP, PSP, is president of Setracon Enterprise Security Risk Management Services. 
He is an ASIS Senior Regional Vice President and past chair of the Physical Security Council. <em>Security Management </em>spoke to Slotnick about the deadly shootings in Las Vegas and the event's significance for active shooter preparedness and physical security​. <a href="/Pages/Vegas-Shooting-What-We-Know-Q-and-A-with-Jeffrey-Slotnick.aspx" target="_blank">Read the transcript of th​​e​ convers​ation here. </a><br></p><p><br> </p><h4>PADDOCK'S FATHER WAS ON FBI MOST-WANTED LIST​</h4><p>Update, 4:40 p.m. E.T., 2 October 2017</p><p>Shooter Stephen Paddock's father, Benjamin Hoskins Paddock, was <a href="http://www.cnn.com/2017/10/02/us/las-vegas-attack-stephen-paddock-trnd/index.html" target="_blank">on the FBI's​ most-wanted list​</a> for bank robbery from June 10, 1969 until May 5, 1977, CNN reports. The father escaped from prison in 1969 and was arrested in Oregon in 1978. He died a few years ago.​</p><p><br> </p><h4>BROTHER OF SHOOTER SPEAKS TO FBI​</h4><p><strong>Update, 12:48 p.m. E.T., 2 October 2017<br></strong><b><br></b>The <a href="https://www.washingtonpost.com/news/post-nation/wp/2017/10/02/las-vegas-gunman-liked-to-gamble-listened-to-country-music-lived-quiet-retired-life-before-massacre/?hpid=hp_rhp-top-table-main_paddock-1050am-winner:homepage/story&utm_term=.965714d4ef9f%20%E2%80%8B" target="_blank">brother of Las Vegas shooter Stephen Paddock spoke out​</a> about his relative who took the lives of at least 58 people, saying there is "no reason he did this," the <em>Washington Post</em> reports. Eric Paddock gave a brief interview to the FBI outside his Orlando home. "He's just a guy who played video poker and took cruises and ate burritos at Taco Bell. There's no political affiliation that we know of. There's no religious affiliation that we know of," he said.</p><p>Neighbors from a retirement community in Reno, Nevada, called Paddock "extremely standoffish" and "reclusive." 
They added that he was a professional gambler, and would often take long absences from the neighborhood with his girlfriend, Marilou Danley. </p><p><br> </p><h4>NUMBER OF KILLED, INJURED RISES</h4><p><strong>Update, 12:21 p.m. E.T., 2 October 2017</strong></p><p><span style="line-height:1.5em;"><span style="line-height:1.5em;">Las Vegas Sheriff Joe Lombardo reports the number of killed in the Las Vegas shooting massacre has risen to 58; the number of injured exceeds 500. <br></span></span></p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 6d28a80b-9134-4377-b608-edba443ffa9d" id="div_6d28a80b-9134-4377-b608-edba443ffa9d" unselectable="on"></div><div id="vid_6d28a80b-9134-4377-b608-edba443ffa9d" unselectable="on" style="display:none;"></div></div><h4><br>PRESIDENT TRUMP CALLS VEGAS SHOOTINGS "ACT OF PURE EVIL"</h4><p><strong>Update, 11:11 a.m. E.T., 2 October 2017</strong></p><p>In his first televised statement on the massacre, President Donald Trump called the Las Vegas shootings "an act of pure evil,"  and called upon Americans' "common humanity" to bring the nation together.</p><p>Trump said the FBI and the U.S. Department of Homeland Security are working closely with local authorities on the investigation and that the agencies will provide ongoing updates. He did not mention the shooter by name or the possibility of terrorism.</p><p>Trump praised police efforts in response to the shooting, and said their swift action helped prevent further loss of life. "I want to thank the Las Vegas Metropolitan Police Department and all of the first responders for their courageous efforts and for helping to save the lives of so many," he said, calling the speed with which they acted "miraculous." He added their response is "what true professionalism is all about."</p><p>The president shared words of solace for the victims and their families, and spoke of a nation united by its shared values and common humanity. 
"Scripture teaches us the Lord is close to the broken-hearted, and saves those who are crushed," he said. "Our unity cannot be shattered by evil, our bonds cannot be broken by violence; and though we feel great anger at the senseless murder of our fellow citizens, it is our love that defines us today and always will forever."</p><p>Trump said he will be visiting Las Vegas on Wednesday to meet with law enforcement, first responders, and families of the victims, and said he has directed the American flag to be flown at half-staff. </p><div><h4><br>PRESIDENT TRUMP TO SPEAK ON VEGAS SHOOTINGS</h4><strong>Update, 10:36 a.m. E.T., 2 October 2017</strong><br><br>U.S. President Donald Trump is scheduled to address the deadly Las Vegas Shootings from the White House.<br><br></div><div><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read e4e9c8d9-0288-473e-868b-781668132fc1" id="div_e4e9c8d9-0288-473e-868b-781668132fc1" unselectable="on"></div><div id="vid_e4e9c8d9-0288-473e-868b-781668132fc1" unselectable="on" style="display:none;"></div></div></div><p><span></span>  Earlier today, Trump took to Twitter to offer his condolensces to the victims and all those affected. </p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 1fd74a90-421b-4905-90d3-5b24e00e7a4c" id="div_1fd74a90-421b-4905-90d3-5b24e00e7a4c" unselectable="on"></div><div id="vid_1fd74a90-421b-4905-90d3-5b24e00e7a4c" unselectable="on" style="display:none;"></div></div><div><h4>CITY OF LAS VEGAS SHARES PHONE NUMBER FOR PEOPLE SEARCHING FOR LOVED ONES </h4><p><strong>Update, 9:55 a.m. 
ET, 2 October 2017</strong><br></p><div><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 04997363-3fda-46fd-a4c9-4be635953931" id="div_04997363-3fda-46fd-a4c9-4be635953931" unselectable="on"></div><div id="vid_04997363-3fda-46fd-a4c9-4be635953931" unselectable="on" style="display:none;"></div></div><p><strong>UPDATE 10:10 a.m. ET, 2 October 2017</strong></p><p>More than 50 people are dead and 400 injured in a Las Vegas massacre that began late Sunday night during an open-air country music festival. CNN reports 64-year-old gunman Stephen Paddock opened fire on the crowded strip from the 32nd floor of the Mandalay Bay Resort and Casino as victims below scrambled for cover. Las Vegas Sheriff Joe Lombardo says law enforcement used explosives to break down his hotel room door; Paddock shot himself as the SWAT team entered. In his room they found at least 10 rifles, including one automatic. The event is the deadliest mass shooting in modern U.S. history.</p><p><em>Security Management </em>will provide ongoing coverage of the aftermath and investigation of the event. 
For more information and resources, ASIS International has provided <a href="https://www.asisonline.org/About-ASIS/Who-We-Are/Whats-New/Pages/Soft-Target-and-Active-Shooter-Resources.aspx">resources on soft targets and active shooter events​</a>. </p></div></div>
https://sm.asisonline.org/Pages/Vegas-Shooting-What-We-Know-Q-and-A-with-Jeffrey-Slotnick.aspx
Las Vegas Shootings: What it Means for Security
National Security
<p>Jeffrey A. Slotnick, CPP, PSP, is president of Setracon Enterprise Security Risk Management Services. He is an ASIS Senior Regional Vice President and past chair of the Physical Security Council. </p><p><em>Security Management </em>spoke to Slotnick about the deadly shootings in Las Vegas and the event's significance for active shooter preparedness and physical security. Their conversation has been lightly edited for clarity.</p><p><strong>Stowell: Besides what we're seeing in the news, what other details can you share with us about the shootings in Las Vegas?</strong> </p><p>Slotnick: The shooter was located from the smoke alarm going off in his room…not by tracking shots. I listened to the YouTube video [of the shooting]; he had more than eight guns in the room, two shooting tables with loaded magazines. My gut feeling, from the sound of the gunfire, is that it was probably an AR-15 style rifle but the military version of it. It was a full auto rifle. I think from the sound of it, it was suppressed. He had a silencer on it which would create additional smoke in the room and, of course, trigger the alarm. He had to be very wealthy, the gentleman was a man of means–he's not your typical [guy]. </p><p>He owned aircraft, he was a licensed pilot, he owned homes in several different locations. And just a single rifle like that, you're talking about a suppresser that costs twelve-hundred dollars, and a rifle that has a price of twelve to fifteen-thousand dollars, plus all the tax stamp and licensing to obtain it, which is significant. 
</p><p>I think this story is going to be rapidly changing through the day because you now have a full team of investigators on the ground including FBI, ATF, and local law enforcement, and they're tracing this guy's patterns. </p><p><strong>Stowell: The shooter fired from the 32nd floor of a high-rise building. Are there any similar active shooter events we can compare this to?</strong> </p><p>The Aurora, Colorado movie theatre shooting is the closest. This guy [Paddock]–he was not aiming his shots. The shot pattern was ranging 20 to 100 yards. But for a trained sniper to shoot from 450 feet away, 125 yards at a down-angle, 32 floors up–it's a difficult shot for a sniper. If you listen to the rapidity of the fire, he was basically just shooting into the crowd. The only time he paused was to change magazines. So those were not aimed shots. He was depressing the trigger and emptying a magazine. </p><p><strong>Stowell: Would you classify this shooting as a soft-target attack?</strong></p><p>Slotnick: Absolutely it's a soft target [attack]. This gentleman displayed a high level of intelligence in planning. He had to choose the room he was in, he had been on the ground since Thursday; he'd had the room since Thursday. I'm sure they're going to find if they retrace his steps he was actually at the venue. He chose his room very carefully. He of course brought in a number of weapons over a period of time; those things were all there.</p><p>Technologies exist that would not have prevented this, but could have significantly minimized the effectiveness and impact of this person. He could have been located a whole lot quicker. There was a technology on the show floor at ASIS in Dallas. It's a shot-spotting technology that integrates with other physical security systems, identifies with high rates of accuracy the location of the shooter, and then with integration into other physical security systems rapidly turns cameras toward the source of gunfire. 
</p><p><strong>Stowell: What are the barriers that have prevented organizations from investing in this type of technology and integrating it into their physical security systems? </strong> </p><p>Slotnick: That's the big question–showing value for security. People are reticent to invest in technologies that they don't know about, or they find out about, and want to make sure it's not the latest flavor of the day. And our ability as security professionals to make the business case. Look at the expense Mandalay Bay [Resort and Casino] is going through now. I don't know what the cost of these shot-spotting units are, but they're Wi-Fi enabled, they're integrated. I imagine it would have been significantly less than what the hotel is having to spend presently. </p><p><strong>Stowell: There have been so many mass shootings in the United States. How will the conversation in the aftermath of this massacre be different than others?</strong> </p><p>Slotnick: I think the conversation is going to wrap around, what can we do to prevent things like this? Obviously, [Paddock] walked into a hotel at some point in time with eight to 10 firearms. So what processes do we have to have people go through screening? We had the same thing when you think about the Aurora, Colorado, shooting, and movie theatres look at things totally different now. They've integrated physical security systems, or metal screening at the doors depending upon the neighborhood and community, and plans, policies and procedures specifically for active shooter-type events. I would imagine post-event, we're going to see some increases in security programs at hotels and different procedures for checking in. 
</p><p><strong>Stowell: We focus a lot on helping businesses prepare for active shooter events, but what are the lessons here about personal safety and awareness of surroundings?</strong> </p><p>Slotnick: It's just good knowledge to have, whether you're on foreign travel or whether you're in Las Vegas, knowing how to respond to a disaster, knowing what you're going to do during a disaster, having a personal preparedness plan, and the ability to communicate with people outside of the venue. We tend to think of cell phones as a singular device. There's Twitter, there's LinkedIn, there's Facebook Messenger, there's live feeds, there's FaceTime. There are all kinds of ways to communicate. But having a plan, especially if you're with your family at a location and having a place to congregate; being aware of your surroundings when you go into a venue, and knowing where you're going to go should something happen. Whether it's a natural disaster like an earthquake or whether it's an active shooter event, you must be aware that these things do occur and just have a plan in your mind of where you can go and what you can do. </p>
https://sm.asisonline.org/Pages/The-Unique-Threat-of-Insiders.aspx
The Unique Threat of Insiders
Strategic Security
<p>It’s perhaps the most infamous incident of an insider threat in modern times. During the spring and summer of 2013, then-National Security Agency (NSA) contractor and SharePoint administrator Edward Snowden downloaded thousands of documents about the NSA’s telephone metadata mass surveillance program onto USB drives, booked a flight to Hong Kong, and leaked those documents to the media.</p><p>An international manhunt was launched, Snowden fled to Moscow, hearings were held in the U.S. Congress, and new policies were created to prevent another insider breach. The damage a trusted insider can do to an organization became painfully obvious.</p><p>“If you’d asked me in the spring of 2013…what’s the state of your defense of the business proposition as it validates the technology, people, and procedures? I would have said, ‘Good. Not perfect,’” said Chris Inglis, former deputy director and senior civilian leader of the NSA during the Snowden leaks, in a presentation at the 2017 RSA Conference in San Francisco.</p><p>“I would have said that ‘we believe, given our origins and foundations, and folks from information assurance, that that’s a necessary accommodation,’” he explained. “We make it such that this architecture—people, procedure, and technology—is defensible.”</p><p>Inglis also would have said that the NSA vetted insiders to ensure trustworthiness, gave them authority to conduct their jobs, and followed up with them if they exceeded that authority—intentionally or unintentionally—to remediate it. </p><p>“We made a critical mistake. We assumed that outsider external threats were different in kind than insider threats,” Inglis said. “My view today is they are exactly the same. 
All of those are the exercise of privilege.”</p><p>Inglis’ perspective mirrors similar findings from the recent SANS survey Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey by Eric Cole, SANS faculty fellow and former CTO of McAfee and chief scientist at Lockheed Martin.</p><p>The SANS survey of organizations with 100 to 100,000 employees found that it can be easy to conclude that external attacks should be the main focus for organizations. </p><p>“This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage,” Cole wrote. “Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.”</p><h4>Insider Threat Programs</h4><p>Incidents like the Snowden leaks and the more recent case of Harold Thomas Martin III, an NSA contractor accused of taking top secret information home with him, along with other incidents of economic espionage have raised awareness of the impact insider threats can have. However, many organizations have not adjusted their security posture to mitigate those threats.</p><p>In its survey, SANS found that organizations recognize insider threat as the “most potentially damaging component of their individual threat environments.” “Interestingly, there is little indication that most organizations have realigned budgets and staff to coincide with that recognition.”</p><p>Of the organizations surveyed, 49 percent said they are in the process of creating an insider threat program, but 31 percent still do not have a plan and are not addressing insider threats through such a plan. </p><p>“Unfortunately, organizations that lack effective insider threat programs are also unable to detect attacks in a timely manner, which makes the connection difficult to quantify,” SANS found. 
“From experience, however, there is a direct correlation between entities that ignore the problem and those that have major incidents.”</p><p>Additionally, because many are not monitoring for insider threats, most organizations claim that they have never experienced an insider threat. “More than 60 percent of the respondents claim they have never experienced an insider threat attack,” Cole wrote. “This result is very misleading. It is important to note that 38 percent of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening.”</p><p>The survey also found that the losses from insider threats are relatively unknown because they are not monitored or detected. Due to this, organizations cannot put losses from insider threats into financial terms and may not devote resources to addressing the issue, making it difficult or impossible to determine the cost of an insider attack.</p><p>For instance, an insider could steal intellectual property and product plans and sell them to a competitor without being detected.</p><p>“Subsequent failure of that product might be attributed to market conditions or other factors, rather than someone ‘stealing it,’” Cole wrote. “Many organizations, in my experience, are likely to blame external factors and only discover after detailed investigation that the true cause is linked back to an insider.”</p><p>And when organizations do discover that an insider attack has occurred, most have no formal internal incident response plan to address it.</p><p>“Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20 percent of respondents reported having a formal incident response plan that deals with insider threat,” according to the SANS survey. 
</p><p>Instead, most incident response plans are focused on external threats, Cole wrote, which may explain why companies struggle to respond to insider threats.</p><p>Organizations are also struggling to deal with both malicious and accidental insider threats—the latter being a legitimate user whose credentials were stolen or who has been manipulated into giving an external attacker access to the organization. “Unintentional insider involvement can pose a greater risk, and considerably more damage, by allowing adversaries to sneak into a network undetected,” the survey found. “Lack of visibility and monitoring capability are possible explanations for the emphasis on malicious insiders.”</p><p>To begin to address these vulnerabilities, SANS recommends that organizations identify their most critical data, determine who has access to that data, and restrict access to only those who need it. Then, organizations should focus on increasing visibility into users’ behavior to be proactive about insider threats. </p><p>“We were surprised to see 60 percent of respondents say they had not experienced an insider attack,” said Cole in a press release. “While the confidence is great, the rest of our survey data illustrates organizations are still not quite effective at proactively detecting insider threats, and that increased focus on individuals’ behaviors will result in better early detection and remediation.”</p><h4>Trusted People</h4><p>When the NSA recruits and hires people, it vets them thoroughly to ensure their trustworthiness, according to Inglis.</p><p>“We ultimately want to bring somebody into the enterprise who we can trust, give them some authority to operate within an envelope that doesn’t monitor their tests item by item,” he explained. “Why? Because it’s within that envelope that they can exceed your expectations and the adversary’s expectations, your competitors’ expectations, and hopefully the customers’ expectations. 
</p><p>You want them to be agile, creative, and innovative.”</p><p>To do this, the NSA would go to great lengths to find people with technical ability and possible trustworthiness. Then it or a third party would vet them, looking at their finances and their background, conducting interviews with people who knew them, and requiring polygraph examinations.</p><p>After the Snowden leaks, the U.S. federal government examined the work of its contract background screening firm—United States Investigations Services (USIS). USIS had cleared both Snowden and the Washington Navy Yard shooter Aaron Alexis. The government decided to reduce its contracted work with the company.</p><p>USIS later agreed to pay $30 million to settle U.S. federal fraud charges, forgoing payments that it was owed by the U.S. Office of Personnel Management for conducting background checks. The charges included carrying out a plot to “flush” or “dump” individual cases that it deemed to be low level to meet internal USIS goals, according to The Hill’s coverage of the case.</p><p>“Shortcuts taken by any company that we have entrusted to conduct background investigations of future and current federal employees are unacceptable,” said Benjamin Mizer, then head of the U.S. Department of Justice’s Civil Division, in a statement. “The Justice Department will ensure that those who do business with the government provide all of the services for which we bargained.”</p><p>This part of the process—vetting potential employees and conducting background checks—is where many private companies go wrong, according to Sandra Stibbards, owner and president of Camelot Investigations and chair of the ASIS International Investigations Council.</p><p>“What I’ve come across many times is companies are not doing thorough backgrounds, even if they think they are doing a background check—they are not doing it properly,” she says. 
</p><p>For instance, many companies will hire a background screening agency to do a check on a prospective employee. The agency, Stibbards says, will often say it’s doing a national criminal search when really it’s just running a name through a database that has access to U.S. state and county criminal and court records that are online.</p><p>“But the majority of counties and states don’t have their criminal records accessible online,” she adds. “To really be aware of the people that you’re getting and the problem with the human element, you need to have somebody who specializes and you need to…invest the money in doing proper background checks.”</p><p>To do this, a company should have prospective employees sign a waiver that informs them that it will be conducting a background check on them. This check, Stibbards says, should involve looking at criminal records in every county and state the individual has lived in, many of which will need to be visited in person.</p><p>She also recommends looking into any excessive federal court filings the prospective employee may have made.</p><p>“I’ll look for civil litigation, especially in the federal court because you get people that are listed as a plaintiff and they are filing suits against companies for civil rights discrimination, or something like that, so they can burn the company and get money out of it,” Stibbards adds.</p><p>Additionally, Stibbards suggests looking for judgments, tax liens, and bankruptcies, because that gives her perspective on whether a person is reliable and dependable.</p><p>“It’s not necessarily a case breaker, but you want to have the full perspective of if this person is capable of managing themselves, because if they are not capable of managing themselves, they may not make the greatest employee,” she says.</p><p>Companies should ensure that their background screenings also investigate the publicly available social media presence of potential employees. 
Companies can include information about this part of the process in the waiver that applicants sign agreeing to a background check to avoid legal complications later on. </p><p>“I’m going to be going online to see if I see chatter about them, or if they chat a lot, make comments on posts that maybe are inappropriate, if they maintain Facebook, LinkedIn, and Twitter,” Stibbards says. </p><p>Posting frequently to social media might be a red flag. “If you find somebody on Facebook that’s posting seven, eight, nine, or 10 times a day, this is a trigger point because social media is more important to them than anything else they are doing,” Stibbards adds.</p><p>And just because a prospective employee is hired doesn’t mean that the company should discontinue monitoring his or her social media. While ongoing review is typically a routine measure, it can lead to disciplinary action for an employee who made it through the initial vetting process. For instance, Stibbards was hired by a firm to investigate an employee after the company had some misgivings about certain behaviors.</p><p>“Not only did we find criminal records that weren’t reported, but we then found social media that indicated that the employee was basically a gang member—pictures of guns and the whole bit,” Stibbards says.</p><p>It’s also critical, once a new employee has been brought on board, to introduce him or her to the culture of the organization—an aspect that was missing in Snowden’s onboarding process, Inglis said. This is because, as a contractor working for the NSA, regulations prohibited the U.S. government from training him. 
</p><p>“You show up as a commodity on whatever day you show up, and you’re supposed to sit down, do your work—sit down, shut up, and color within the lines,” Inglis explained.</p><p>So on Snowden’s first day at the NSA, he was not taken to the NSA Museum like other employees and taught about the agency’s history, the meaning of the oath new employees take, and the contributions the NSA makes to the United States.</p><p>“Hopefully there are no dry eyes at that moment in time, having had a history lesson laying out the sense of the vitality and importance of this organization going forward,” Inglis explained. “We don’t do that with contractors. We just assume that they already got that lesson.”</p><p>If companies fail to introduce contractors and other employees to the mission of the organization and its culture, those employees will not feel that they are part of the organization.​</p><h4>Trusted Technology</h4><p>Once trusted people are onboarded, companies need to evaluate their data—who has access to it, what controls are placed on it to prevent unwarranted access, and how that access is monitored across the network.</p><p>“The one thing I always recommend to any company is to have a monitoring system for all of their networks; that is one of the biggest ways to avoid having issues,” Stibbards says. “Whether it’s five people working for you or 100, if you let everybody know and they are aware when they are hired that all systems—whether they are laptops or whatever on the network—are all monitored by the company, then you have a much better chance of them not doing anything inappropriate or…taking information.”</p><p>These systems can be set up to flag when certain data is accessed or if an unusual file type is emailed out of the network to another address. 
</p><p>Simon Gibson, fellow security architect at Gigamon and former CISO at Bloomberg LP, had a system like this set up at Bloomberg, which alerted security staff to an email sent out with an Adobe PDF of an executive’s signature.</p><p>“He’s a guy who could write a check for a few billion dollars,” Gibson explains. “His signature was detected in an email being sent in an Adobe PDF, and it was just his signature…of course the only reason you would do that is to forge it, right?”</p><p>So, the security team alerted the business unit to the potential fraud. But after a quick discussion, the team found that the executive’s signature was being sent by a contractor to create welcome letters for new employees.</p><p>“From an insider perspective, we didn’t know if this was good or bad,” Gibson says. “We just knew that this guy’s signature probably ought not be flying in an email unless there’s a really good reason for it.”</p><p>Thankfully, Bloomberg had a system designed to detect when that kind of activity was taking place in its network and was able to quickly determine whether it was malicious. Not all companies are in the same position, says Brian Vecci, technical evangelist at Varonis, an enterprise data security provider.</p><p>In his role as a security advocate, Vecci goes out to companies and conducts risk assessments to look at what kinds of sensitive data they have. Forty-seven percent of companies he’s looked at have had more than 1,000 sensitive data files that were open to everyone on their network. “I think 22 percent had more than 10,000 or 12,000 files that were open to everybody,” Vecci explains. “The controls are just broken because there’s so much data and it’s so complex.”</p><p>To begin to address the problem, companies need to identify what their most sensitive data is and do a risk assessment to understand what level of risk the organization is exposed to. 
“You can’t put a plan into place for reducing risk unless you know what you’ve got, where it is, and start to put some metrics or get your arms around what is the risk associated to this data,” Vecci says. </p><p>Then, companies need to evaluate who should have access to what kinds of data, and create controls to enforce that level of access. </p><p>This is one area that allowed Snowden to gain access to the thousands of documents that he was then able to leak. Snowden was a SharePoint administrator who populated a server so thousands of analysts could use that information to chase threats. His job was to understand how the NSA collects, processes, stores, queries, and produces information.</p><p>“That’s a pretty rich, dangerous set of information, which we now know,” Inglis said. “And the controls were relatively low on that—not missing—but low because we wanted that crowd to run at that speed, to exceed their expectations.”</p><p>Following the leaks, the NSA realized that it needed to place more controls on data access because, while a major leak like Snowden’s had a low probability of happening, when it did happen the consequences were extremely high. </p><p>“Is performance less sufficient than it was before these maneuvers? Absolutely,” Inglis explained. “But is it a necessary alignment of those two great goods—trust and capability? Absolutely.”</p><p>Additionally, companies should have a system in place to monitor employees’ physical access at work to detect anomalies in behavior. For instance, if a system administrator who normally comes to work at 8:00 a.m. and leaves at 5:00 p.m. every day suddenly comes into the office at 2:00 a.m. or shows up at a workplace with a data storage unit that’s not in his normal rotation, his activity should be a red flag.</p><p>“That ought to be a clue, but if you’re not connecting the dots, you’re going to miss that,” Inglis said.  
</p><h4>Trusted Processes</h4><p>To truly enable the technology in place to monitor network traffic, however, companies need to have processes to respond to anomalies. This is especially critical because often the security team is not completely aware of what business units in the company are doing, Gibson says.</p><p>While at Bloomberg, his team would occasionally get alerts that someone had sent software—such as a document marked confidential—to a private email address. “When the alert would fire, it would hit the security team’s office and my team would be the first people to open it and look at it and try to analyze it,” Gibson explains. “The problem is, the security team has no way of knowing what’s proprietary and valuable, and what isn’t.”</p><p>To gather this information, the security team needs to have a healthy relationship with the rest of the organization, so it can reach out to others in the company—when necessary—to quickly determine if an alert is a true threat or legitimate business, like the signature email. </p><p>Companies also need to have a process in place to determine when an employee uses his or her credentials to inappropriately access data on the network, or whether those credentials were compromised and used by a malicious actor. </p><p>Gibson says this is one of the main threats he examines at Gigamon from an insider threat perspective because most attacks are carried out using people’s credentials. “For the most part, on the network, everything looks like an insider threat,” he adds. 
“Take our IT administrator—someone used his username and password to login to a domain controller and steal some data…I’m not looking at the action taken on the network, which may or may not be a bad thing, I’m actually looking to decide, are these credentials being used properly?”</p><p>The security team also needs to work with the human resources department to be aware of potential problem employees who might have exceptional access to corporate data, such as a system administrator like Snowden.</p><p>For instance, Inglis said that Snowden was involved in a workplace incident that might have changed the way he felt about his work at the NSA. As a systems administrator with incredible access to the NSA’s systems, Inglis said it would have made sense to put a closer watch on him after that incident in 2012, because the consequences if Snowden attacked the NSA’s network were high.</p><p>“You cannot treat HR, information technology, and physical systems as three discrete domains that are not somehow connected,” Inglis said.</p><p>Taking all of these actions to ensure that companies are hiring trusted people, using network monitoring technology, and using procedures to respond to alerts, can help prevent insider threats. But, as Inglis knows, there is no guarantee.</p><p>“Hindsight is 20/20. You have to look and say, ‘Would I theoretically catch the nuances from this?’”   ​</p>
https://sm.asisonline.org/Pages/Empowered-International-Teams.aspx
Empowered International Teams
<p>Diverse work teams are smarter than homogenous ones, according to a recent Harvard Business Review study. In “Why Diverse Teams Are Smarter,” authors David Rock and Heidi Grant found that such teams are smarter for three main reasons: they focus more on the facts, they process those facts more carefully, and they are more innovative. Working with people who are different from you, the authors found, challenges your brain to overcome rote ways of thinking and sharpens its performance.</p><p>I know these findings to be true, based on my own experience managing international teams in the information security field. I’ve also learned that teams are most effective when they are managed in a way that empowers each individual member. </p><p>Empowerment is a management practice of sharing information, rewards, and power with employees, so that they can take initiative and improve their services and performance. It is based on the idea that developing employees’ skills; giving them resources, authority, opportunity, and motivation; and holding them responsible and accountable for their actions will all contribute to their competence and satisfaction.</p><p>But empowering international teams is not always easy. Language barriers, cultural differences, and inconvenient time zones can interfere with even the most capable of teams. It is literally impossible to stop by someone’s desk to ask a question or clarify a decision if team members are stationed around the world.</p><p>Given these challenges, this article offers some guidance and best practices on how security managers can lead efficiently and effectively by applying the principles of business empowerment to international teams. 
Much of this guidance is based on my management experiences in the field, with companies such as eBay and Symantec. This guidance applies right from the beginning, when the team is first being established, and continues through the different stages of the team’s operations. ​</p><h4>Local Managers</h4><p>Sometimes security managers are tasked with building a team from scratch. Other times, a manager is charged with working with an existing team. Either way, the first step toward effectively empowering a team is to ensure that the team’s structure matches the team’s business objectives. A structure–objectives match will serve as the foundation for empowerment, because it will make for efficient and effective use of resources. </p><p>In the case of international teams, common drivers for members at different locations around the globe are cost, time-zone coverage, around-the-clock service availability, and skill sets that need to be divided by geographic locations. For example, when we were building the Global Information Security team at eBay, we carefully crafted our strategy for offshore and outsourced work by evaluating how potential team members’ skills should align with the company’s business and security objectives.</p><p>For example, it was critical that we demonstrate the value of information security activities to the business. We gathered data from a variety of different security tools and populated a dashboard that we shared with company executives. When we were staffing our security metrics team, we looked for individuals with coding and statistics skills. It didn’t matter where in the world this person was located, as long as he or she had the right background to perform the function. Other issues that we considered in this process were cost and cultural factors.</p><p>After interviewing candidates in more than five countries, we decided to focus our international hiring in Israel, Romania, and China. 
Our core team was based on the west coast of the United States, so having international team members in these three countries gave us adequate “follow the sun” capabilities. </p><p>“Follow the sun” basically means that when team members in one area of the world are finishing their workday, team members in another are just waking up and going into the office. You can go home after work and when you wake up in the morning, several tasks may have been completed by team members in a different time zone. Then you can pick up where they left off. In this way, the overall team can function around the clock, as long as information is effectively handed off between team members. This model is particularly useful for urgent items that must be completed quickly, or when an organization needs to support customers or a service in many different time zones. It also allowed us to staff all functions. </p><p>In each offshore region, a local manager was assigned, and then empowered in several ways. He or she was given authority to make decisions as needed to run the local team. These managers were also empowered with information and clear objectives to focus their work. The local managers were included in management meetings to ensure they would have access to the same information that was being shared within the core team at headquarters. The local managers were also held responsible and accountable for their actions, which increased both their impact and their professional satisfaction.</p><p>Once established, the Global Information Security team continued to grow. During my tenure at eBay, we built out the team from around 24 to around 60 members in about a year. As the team grew, it also changed in nature, going from a relatively small group of generalists to a much larger group of specialists.</p><p>During this growth, it was critical for everyone to stay on the same page when it came to our team’s mission and vision. 
So, the CISO led our management team in a formal exercise to define these factors for the team. This method is often referred to by business leaders as identifying a North Star. This common mission set the tone and gave the team purpose.</p><p>With a clear purpose and vision, every individual on the team was empowered to take the initiative and make decisions to solve day-to-day problems without having to come together and rehash the team’s overall objectives time and time again. This shared information prevented specialized teams from organically splitting away from the overall team goals. </p><p>This alignment and prioritizing is key, because security, and especially information security, is a complex function in most organizations. There are countless dimensions to the field—from physical and network security to host and application security, and from governance and risk and compliance to technical assessment and incident response. Additionally, there is always so much work to do. The harsh reality of limited time, budgets, and resources requires teams to make tough decisions about what activities to prioritize. Whether they do this explicitly or not—deciding not to make a decision is a decision itself—they must live with the outcome. It’s an amateur mistake to rank every issue as critical.​</p><h4>Accountability</h4><p>Virtually every team finds clarity of process empowering. When roles and responsibilities are clear, and the step-by-step work flow is understood, a team can work efficiently and maximize its potential.</p><p>Effective managers have a key role to play in this regard. Depending on the situation, they may decide to develop new processes with clear roles and responsibilities. 
Or, they may decide to conduct a process evaluation that breaks down an existing process into discrete steps, with defined criteria for when work should be handed off to another team member to advance the process.</p><p>In evaluating a process, defining and documenting the roles and responsibilities for team members is often a valuable exercise. For example, asking different team members to enumerate the actual steps in a process, and to name who is responsible for what at different phases along the way, can be illuminating. Sometimes, the accounts of different team members do not match. </p><p>One particularly useful tool that we leveraged during my time at both eBay and Zynga was the RACI model, or the Responsibility Assignment Matrix (RACI Matrix). The RACI model maps out who is Responsible, who is Accountable, who must be Consulted, and who shall stay Informed. For management, it illustrates clearly and concisely the individual roles within a team.</p><p>Moreover, the A in the RACI Matrix—accountability—deserves special mention here, given its effectiveness as an empowerment tool. As mentioned above, at eBay local managers around the world were empowered with authority to make decisions as needed. Outside of my eBay experience, I have seen the effectiveness of this throughout my career. This is particularly important when it comes to international teams. If a team’s managers are in location A and the team members executing the work are in location B, misinterpretations of risks and requirements are more likely to happen. But in these situations, I have observed greater success where a team located far away from headquarters includes a decisionmaking leader who understands the immediate reality of what the executing team is facing, and can facilitate communication between leadership at headquarters and the local team performing the work. 
Teams are more likely to engage fully in their work and put in that extra bit of energy and effort when they feel that they have a real seat at the table.</p><h4>Communication</h4><p>“Communicate, communicate, communicate” is an appropriate message for most team managers. For managers of international teams, a corollary could be added: “communicate some more.”</p><p>Sometimes, a management decision is made that affects multiple members of an international team. If word of the decision reaches only some team members, it’s likely that the uninformed members will unwittingly steer in the wrong direction. A few errant steps can be easily corrected, but if this behavior continues without any means for correction, the results may be wasteful at best and devastating at worst. </p><p>One of the most effective and empowering communication practices used by our product management team at Symantec was a biweekly cross-functional team call. This call included many different stakeholder groups related to, but not limited to, my international team of direct reports. In addition to product management team members, it included representatives from sales, marketing, support, and engineering. </p><p>I led these calls in a structured but flexible manner; each team was allowed to share recent accomplishments, next steps, issues, and risks. We briefly reviewed each team’s status, leaving enough time to dive deep into one or two issue areas. These deep dive sessions might be initiated by a team member asking a question or presenting a problem to the larger team. They always resulted in engaging dialogue, because different individuals offered different ways of thinking and different perspectives. </p><p>Together, we would share information and brainstorm approaches to gather more information, perform analysis, make decisions, and execute on solutions. 
Management decisions were clearly communicated and discussed, enhancing transparency and trust across the international team and empowering individuals with the information that would affect their daily work. The result was aligned improvements to the team’s products and services. </p><p>To mitigate any information lost in translation due to different levels of mastery of the English language, meeting participants documented their status in a PowerPoint deck that was shared with the cross-functional team before and during the meeting. Additionally, we ran an ongoing Skype chat so that if anyone missed or misunderstood something on the call, they could type a question and receive a written answer to clarify exactly what was being said. </p><p>One final communication tip for team managers: get in the habit of writing down and sharing any information on issues, risks, roadblocks, or anything else that may affect a team member’s work, even if the information seems obvious. What is obvious to you may be clarifying to team members, and it may keep incorrect information from spreading. Disinformation is disempowering.   ​</p><h4>Building Trust</h4><p>In 2012, Google launched an initiative to study hundreds of the company’s teams and assess the differences between high-performing teams and the rest. In his book Smarter Faster Better: The Secrets of Being Productive in Life and Business, Charles Duhigg writes about the key scenario comparison that illuminated the initiative’s main finding—psychological safety, more than anything else, is critical to making a team work.</p><p>What it all came down to, Duhigg found, is trust. Work is a part of life, which is highly imperfect and impossible to control. Managers who purposefully create an environment where team members feel comfortable sharing information about what’s going on in their lives build important if invisible communication channels that can break down walls created by secrecy and anxiety. 
</p><p>And what happens in our personal lives matters in the workplace to the extent that our work is affected. Building trust builds an empowering environment, because the comfort level team members feel with each other will rub off and help create a high level of comfort in sharing and honestly discussing work-related ideas.  </p><p>Teams and the human conditions that affect their work are somewhat analogous to software and their security vulnerabilities. The imperfections will always be there, whether we acknowledge them or not. If you look for security vulnerabilities in software, then you will find out what they are, and can proceed accordingly. </p><p>Similarly, if you create space for people to be real in the workplace, then you will find out their imperfections, which you can also work with. It’s the difference between accepting imperfection and asking for perfection and then facing the consequences when it is inevitably not delivered. </p><p>Finally, one-to-one meetings are important. There are things that are more easily expressed in a private setting than a public one, and effective leaders know how to create a safe space and connect with their direct reports in a way that cultivates trust.</p><p>Make time for face time, if possible. There’s nothing like sharing a meal with a colleague that you talk to all the time on the phone and by email. It’s not always financially feasible to bring everyone together often, but if a manager can take the time to visit his or her international teams once a quarter or even once a year, it can make a huge difference. If you absolutely can’t meet in person, conduct video conference calls. ​</p><h4>Forecast Fulfilled</h4><p>In 2005, Thomas Friedman published his bestselling book The World is Flat. In it, he described the technological, cultural, and economic forces that would lead to an abundance of international teams. 
</p><p>More than 10 years later, his forecast has been fulfilled, and it’s easy to see the tremendous benefits of diverse, geographically dispersed teams working together. This continues to shift as the gig economy evolves the workforce to a point where the most efficient and often most effective workforce strategy in certain markets may be to hire freelancers as needed—wherever they may be located—based on their skills, performance, and reputation.</p><p>Success in today’s work environment often requires a thorough understanding of how to best empower an international team. While it might sound intimidating at first, it’s been done before and can be learned again, with the benefits replicated. It’s a worthwhile investment.</p><p><em><strong>Caroline Wong</strong>, vice president of security strategy for <a href="http://www.cobalt.io/" target="_blank">Cobalt</a>, was director of security initiatives at Cigital, director of global product management for Symantec, senior manager of Zynga’s security program, and global information security chief of staff and manager at eBay.</em></p>
https://sm.asisonline.org/Pages/Driving-a-Security-Transition.aspx | Driving a Security Transition | Physical Security
<p>When Christopher Martini, CPP, took the wheel as Jaguar Land Rover North America’s regional manager for corporate security and business protection in 2013, he knew he had a long road ahead of him. He was the first person to serve in the role, which focused on keeping the British automotive company’s American and Canadian administrative facilities safe. Jaguar Land Rover North America had been previously owned by Ford, which provided general security functions but did not have an onsite security professional dedicated specifically to Jaguar Land Rover. After Ford sold the company, a few years passed without a leader to organize safety, security, or asset protection. “Security functions were under the stewardship of the site services facilities department but there was no functioning security department,” Martini notes.</p><p>Jaguar Land Rover North America has more than a dozen facilities, including service and sales training academies, regional offices, and driving experience centers throughout the United States and Canada. “We’re not the manufacturing company but we directly help facilitate the sale of our products and the ongoing use of our products through training dealer personnel, and importing vehicle parts and accessories,” Martini says.</p><p>After years without any organized security approach, Martini faced two distinct challenges: building a culture of security and equipping facilities with up-to-date access control and perimeter protection technology. </p><p>“It was a mature organization—people had been operating in a certain way without the influence of an organized security and safety and asset protection structure around them,” Martini explains. 
“Those behaviors were set because people had been here for a while, and there was a lot of organizational resistance to having a security professional start to change how people did things, even something as simple as accessing the building.”</p><p>Similarly, Jaguar Land Rover North America facilities were equipped with legacy security systems so out of date that facilities personnel had been buying spare parts from eBay because they were no longer produced or supported by the manufacturer. The access control system had an inaccessible database, so some employees had multiple access control cards in multiple formats. “It was exactly what you would imagine—it had been left to decay,” Martini notes.</p><h4>Technology Tune-Up</h4><p>Martini had a lot of work to do, and quickly. A brand new facility in Portland, Oregon, was scheduled to be built within six months of Martini’s arrival at the company—and he knew whatever security solution he chose would ultimately be used at other facilities, including the company’s regional headquarters in New Jersey. “What I didn’t want to do was deploy the solution that was currently in place at the other locations—it was out of date and not supported,” he says. He was familiar with S2 Security Corporation from visiting its booth at ASIS International seminar and exhibits, and he ultimately decided on its platform for regional security monitoring, administration, and operations management, as well as for standardizing access control and video. </p><p>“What really guided my selection was the fact that I knew that I wasn’t going to have a tremendous ability to call upon internal resources for maintenance, upkeep, or even operation of the system, so it had to be something that was easy to train people on—resilient and very reliable—and that didn’t require constant updates to stay current with desktop and operations software,” Martini explains. 
The S2 system is accessed via Internet browser and does not require any dedicated client software. Martini said it was the “perfect fit” for the Jaguar Land Rover North America environment.</p><p>The new, cutting-edge infrastructure—including HID access cards and Axis cameras that integrated with S2’s Enterprise access control and NetVR video management systems—was installed at the Portland location. After that successful deployment, the solution was installed in the Irvine, California, training office; the Mahwah, New Jersey, headquarters; and a new facility in Mississauga, Canada, that opened in 2016. The New Jersey facility has an enterprise-level system that allows for round-the-clock monitoring of the other three locations.</p><p>“We do all the administration here in New Jersey, and we do monitoring for those other locations,” Martini says. “I have 24-hour staff that is interacting with the system, and any alarm or information that comes back to us requiring a response gets escalated from here out to the location.”</p><p>Martini’s responsibility to protect Jaguar Land Rover’s American and Canadian facilities and fleet of more than 900 high-end vehicles was made easier with the new technology. “The most direct benefit that I get is I now know what’s happening at my facilities,” he notes. “Prior to having this technological capability, I had to rely on people in those locations to report issues and incidents to me as they occurred. Now I have more direct visibility to what’s happening to those sites in real time, which gives me a much better sense of situational awareness to what’s really happening.”</p><p>At the remote facilities, an intrusion panel—integrated with the S2 system—allows the first employee to arrive at the facility and the last to leave the ability to deactivate or activate the alarm system with a swipe of an access control badge. 
After the system is armed, it will dial out to a third-party monitoring company if an alarm is triggered, as well as alert the security officer on duty at the company’s New Jersey headquarters. </p><p>Martini explains that the local monitoring company will call headquarters to discuss what action to take. “The officer starts looking for video associated with that alarm, and the alarm company will call in and ask whether it should dispatch police,” he says. “The officer can see if it’s just the new housekeeper who forgot to use the control panel, or whether there is evidence of intrusion.” Then the officer can tell the company to send police. </p><p>The officer would then go through an escalation process, which could involve reaching out to staff at headquarters  or a local site contact, depending on the situation. “Officers have a detailed escalation list as to who they need to notify about the range of things they may notice or be called about for one of those remote locations,” Martini says.</p><p>This chain of response went according to plan when someone tried to break into the company’s Irvine location. The security officer on duty in New Jersey was watching the remote video feeds and noticed a man walking around the outside of the facility after hours, trying to open the doors. The officer was able to switch the view to pull up all feeds of the site to gain better situational awareness and observed the man trying to pry open one of the patio doors with a crowbar. </p><p>“Irvine is a regional office collocated with a training center,” Martini notes. “Training centers are like really nice, clean automotive garages where we bring service technicians and train them on our cars. The first level has a nice main lobby and a couple automotive bays and things like that, and the second level is basically office space. 
Likely what was drawing this guy was that there was a vintage Jaguar just inside those doors.”</p><p>The man had not triggered any alarms because he hadn’t yet managed to open the door, but the security officer contacted the local alarm company and had it call the police, who responded within a minute. </p><p>“It’s not a huge incident, but the quality of the video is so excellent and the ability for the officer to quickly switch and bring up everything associated with the site and get a better sense of where the guy was located and what his target was going to be is really quite interesting to see,” Martini says.</p><h4>Culture Change</h4><p>The changes at Jaguar Land Rover North America facilities haven’t just boosted situational awareness—they have helped change the employee culture as well. While Martini was upgrading the physical security, he was also striving to get employees on board with working together to create a more secure workplace. </p><p>“It’s really difficult, in my experience, to create a controls-based environment if the environment doesn’t have good controls,” Martini explains. “It’s one thing to tell people ‘It’s important that you wear your badge, you don’t leave doors propped open.’ If the system doesn’t provide you with the information necessary to know when those problems are happening, then it’s difficult to address the behaviors.”</p><p>Understanding that employees were not used to wearing access control badges, Martini solicited employee feedback and created a team to help design the look and feel of the new badges. As part of the rebadging strategy, employees were encouraged with contests and could take selfies to use as their badge photos.</p><p>“Rather than us taking your photo and making it like getting a driver’s license, people took their own, as long as they met the criteria—it was a really fun experience,” Martini says. 
“It allowed people to send me the photos they were the happiest with, and my opinion is that if I want you to wear the badge, then you should be happy with the photo.”</p><p>Once the S2 system was in place, it was easy for Martini’s officers to be alerted when doors were propped open or other security protocols were not followed and make a call to the facility and correct the behavior in real time. “It sends a subtle message, not that Big Brother is out there watching, but it reinforces the behaviors you’re expecting from your employees, and lets them know that as an organization we take it seriously,” Martini says. “The messaging has been augmented by the fact that we now have an environment and infrastructure that supports the application of administrative and policy controls. That’s a huge benefit.”</p><p>It’s been almost a year since the updated S2 solution was installed at the facility in Canada, and the organization is planning a second rollout to several facilities across North America. Martini says he considers the first deployment a success—both in tightening the physical security at the facilities, and in evolving company culture. Jaguar Land Rover North America conducts pulse surveys among its employees, and Martini says that during the last two years employees’ perception of health and safety has increased. He also notes that, anecdotally, false alarms greatly decreased because employees are following protocol. “It’s a good indicator that we’re on the right path and people understand the organization is making an effort, and what we’re doing is effective,” he notes.</p><p>When he started at Jaguar Land Rover North America, Martini approached security as an amenity to the business and hoped that a stronger physical security footprint would benefit company culture—and vice versa.</p><p>“We have really talented people and we hire you to apply your talent to the work, not to be worried about security or personal safety,” Martini says. 
“Your job is to come in and contribute all your talent and energy to the task at hand. Because the system is providing us with intelligence about what’s happening at our sites, we can let people know that our sites are secure and we’re taking security seriously. Employees feel more secure in the workspace, they have a better understanding of what their individual responsibility is to contribute to the security program, and that reinforces the kind of culture I was trying to build.” </p><p><em>(Editor's note: At press time, Martini began a new position as an area security and safety manager for PayPal.) ​</em></p>
https://sm.asisonline.org/Pages/Schoolhouse-Guardians.aspx | Schoolhouse Guardians | Physical Security
<p>Village Christian School, home to 1,100 students in grades K-12, is set in California’s Sun Valley in a quiet, residential neighborhood. “We’re off the beaten path,” says Mike Custer, director of facilities at Village Christian. </p><p>“That’s kind of nice….but that means there’s not much observation of the campus by the public either.”</p><p>With its large student body and more than 100 faculty members, the school’s top concern is providing a safe and secure learning environment. “The threat has always been trespassers, vandalism, and theft,” Custer says, noting that custodial staff goes home at about 11 p.m. at the latest, and staff shows up at about 6 a.m. in the mornings. “The challenge for us has always been, how do you protect the campus in a cost-effective way at 1 a.m., 2 a.m., 3 a.m.—at the times when there is literally no one on campus?” </p><p>These concerns are also reputational, because local residents are worried about any threats that the school may attract. “We operate under a conditional use permit which limits the use of our facilities to accommodate the neighbors,” he says. </p><p>The school has physical security measures, including a six-foot chain link fence to keep out trespassers, but Custer notes that they are easily ignored by anyone wishing to enter the campus. “You could go under or over the gates, or you could even walk in through the foothills if you knew the path to take,” he says. “It’s not much of a deterrent for someone who wants to come on campus.” </p><p>During the day, certain faculty are trained on security duties and act as campus supervisors, but Custer says that is only a minor component of their normal job function. 
</p><p>While the school had cameras in place on the perimeter of campus, that footage only proved valuable after an incident. “I would get up in the morning and check the cameras, but unless you happen to see something at the time it’s happening, it’s not a very good system,” he explains. </p><p>Often, the trespassing issues were petty incidents like painting graffiti and using the campus to film amateur movies, Custer says. “We had skateboarders and bicyclists that would come in and film movies and slide down ramps and things. They were causing damage, but they knew where our cameras were,” he explains. “So if they would go by them, they would just kind of cover their faces—they knew nobody was watching so it didn’t matter.” </p><p>But more serious incidents have occurred, including a theft in which valuable bus batteries were stolen. “Somebody actually came in the back of campus, spent about an hour going through all of the buses, disconnecting all of the batteries….they were career criminals,” Custer says. “We lost a couple thousand dollars in bus batteries.” </p><p>The school considered hiring an after-hours security guard to patrol the 16 buildings spread across its campus, but Custer explains that having one pair of eyes for the entire premises didn’t seem to be enough. </p><p>In late 2015, a parent at the school approached him about Elite Interactive, a remote security monitoring service. After presenting the product to the school board, the institution adopted the service and rolled it out in December. “Elite came in and looked at our campus, and added a few cameras to increase coverage, because we had several blind spots,” Custer says, noting that the company also recommended lighting increases to make dark spots more visible. </p><p>At a set time each night, human operators at one of Elite Interactive’s command center locations begin monitoring the 21 cameras on Village Christian’s campus. 
Motion detection alerts the operators to a human crossing a certain geofence that is predetermined. Elite’s video software also allows the system to differentiate between a human and a deer or coyote, for example.</p><p>Should someone enter the campus, Elite Interactive officers will talk over speakers strategically placed around the school’s buildings, warning intruders that they are trespassing. </p><p>If the unwanted visitors do not respond to the second or third voice warning, depending on the situation, Elite contacts law enforcement. Police have access to the campus through a lockbox, so no one from the school is required to respond after hours. Village Christian can export any footage and deliver it to law enforcement should the need arise. </p><p>One value of having human operators monitoring the campus is the fact that they can use discretion, Custer says, not always involving law enforcement if it doesn’t seem warranted. </p><p>“One time we had a transient jump the fence, and Elite tried to voice him down, but the guy had earbuds on,” he notes. “He was going around to the trashcans getting aluminum cans.” Elite determined the guy was likely harmless, and he eventually left the campus. In the daily email report it sends to the school of any activity that occurred overnight, Elite showed photos of the man and explained what happened. </p><p>“In the morning [the trespasser] came back, because he had dropped his cell phone when he leaped over the fence,” Custer says. “I was able to say to him, ‘I know you were here last night. I’m sorry for your plight, but you can’t be on campus.’” He notes the man was compliant, and said he would take the school off his aluminum can collection route.</p><p>The only challenge to the rollout, Custer adds, was getting staff to respect normal operating hours at the school, including teachers who preferred to work late at night, or staff members who left something behind during the day. 
“I don’t want a single individual alone on campus at 2 a.m. for all kinds of reasons; for their personal safety, or if they get injured,” Custer says. “We always staff with at least two people when we have to have people here.” </p><p>Since word has spread around the community that Village Christian has a remote security monitoring service, “everything has dropped to zero, as far as vagrants or transients or people coming onto the facility in the early morning hours,” Custer says. </p><p>The remote monitoring service helps the school uphold its values of being a welcoming environment while remaining secure, Custer adds. “We do want to be a light to the world, but we have responsibilities to the students and parents,” he says. “I sleep better at night knowing I’m not going to pull onto campus and find it in disarray.”</p><p><em>For more information: John Valdez, jvaldez@eliteisi.com, www.eliteisi.com, 877/435.4832 ​</em></p>
https://sm.asisonline.org/Pages/Driving-the-Business.aspx | Driving the Business | Cybersecurity
<p>The top speed of a Model S Tesla is 155 miles per hour, which can be reached in approximately 29 seconds. It’s one of the fastest cars in the world, with one of the most powerful sets of brakes on the market. </p><p>“Tesla has a set of brakes on that car that are so oversized and overpowered, that they can stop the car cold even if the engine malfunctions and spikes at full throttle,” says Ryan LaSalle, security growth and strategy lead at Accenture. “The only reason you have a car that goes that fast is because you have a set of brakes that can control it. To be able to corner at speed, you need good controls. That’s supposed to be the partnership between security and innovation.” </p><p>The challenge for many companies, though, is how to develop this partnership so when the CEO goes to the board, he or she is effectively communicating what the cyber risks are to the business and how they are being addressed—ensuring that security is enabling the business to drive smoothly, and safely, towards its goals.</p><p>According to the National Association of Corporate Directors (NACD), only 15 percent of boards are satisfied with the information they are getting from executives on cyber risk management. This could be because many CEOs only recently began discussing cybersecurity regularly with their boards—within the last two years—and were initially unprepared for these important conversations. 
</p><p>To prepare for these conversations, CEOs turned to their CISOs or vice presidents of information security, but many of those experts struggled to explain cybersecurity in a way that the CEO could understand.</p><p>“Most security professionals have a hard time articulating and conveying not only risk, but also the benefit of what they are doing,” LaSalle says. “And if they continue to have a hard time articulating that, they will struggle to be relevant and be part of the strategic plan of the business.”</p><p>Matt Appler is now the CEO of Corsec Security Inc., which assists companies with security certification and validation processes, but he once was a software developer. When it came to learning how to communicate with executives about cybersecurity, Appler says it was not an easy process.</p><p>“Unfortunately, it was mostly through the school of hard knocks and finding ways to talk about security given that it’s already a subject that’s highly technical, which by its nature makes it extremely difficult to communicate with others about,” he explains. </p><p>The other aspect that made communicating to executives about cybersecurity difficult is that security is not an absolute. Appler compares it to the risks of getting in a car with airbags, seatbelts, and back-up cameras. </p><p>“But ultimately, you’re going to choose how you operate that car, how fast you drive…you’re making choices based on your perception of risk around you,” he says. “But all of us understand that we could be in an automobile accident. The same is true in information security. 
It’s not an absolute…the only way to eliminate the risk is to not get in the car.”</p><p>Focusing on risk and why that risk matters is the key to communicating with executives—and boards—about cybersecurity, Appler adds.</p><p>“I found very early on that it was more effective to explain why you would care about protecting information—why that would matter—than about the technology,” he says.</p><p>For instance, during the summer of 2017 the WannaCrypt ransomware attack hit companies that were running old or out-of-date operating systems, or unpatched systems. When companies were asked why they had not upgraded their systems, Appler says, many said they hadn’t taken action because it was too expensive.</p><p>“But when they suffered the problem, they were unable to provide service for potentially days. They took a financial hit, a brand hit, and a reputational hit,” Appler says. “I would question whether they truly understood what risk they were taking by not upgrading.”</p><p>To clearly communicate that risk, Appler says that CISOs should avoid reverting to “scary stories” to make boards fearfully invest in security. 
Instead, they should focus on quantifying risk in terms of dollars to allow the board and CEO to evaluate what they would pay to mitigate risk.</p><p>“There are many things you can do to mitigate that risk, but at the end of the day they are going to have a cost and the return is likely risk mitigation—not features or benefits directly to your company,” Appler adds.</p><p>LaSalle echoes these sentiments and says that CISOs need to prepare their CEOs about the risks the business is taking on in terms of cybersecurity, what needs to be done to address that risk before creating greater exposure, the potential costs of not taking action, and how addressing risks helps the business achieve its goals.</p><p>“That’s where, at the board level, when you’re telling stories around the biggest threats to what the business is trying to do, you’re using the language of business—not the language of hackers—when you talk about threats,” LaSalle says, “when you’re trying to talk about programs you have in place and how effective they are at managing those risks.”</p><p>For instance, a client that LaSalle works with put this into practice a few years ago just before the Sony hack occurred. The client had recognized through a threat intelligence function that destructive malware was one of the biggest threats to the business’s operational resiliency.</p><p>The client went through a process to examine how a destructive worm would impact the business. It then changed its investment portfolio, implemented a solution to create more operational resiliency and increase its defenses, and then briefed its board. </p><p>The client, LaSalle explains, told the board that it was tracking destructive malware because of the risk it posed to the business and explained how it was mitigating that risk. 
It also described past failures to mitigate that risk and the market indicators it was tracking that could change its perception of its readiness to handle the risk.</p><p>A few quarters later, during the Sony attack, the client went back to the board. The briefing included details on how IT would repel a similar attack, why those actions would be warranted, and what new threats were looming. </p><p>“That’s the kind of example I use to explain this because it had a tremendous business impact,” LaSalle says. “It demonstrates the effectiveness of the investment, and it provides clarity from a risk perspective, to a bunch of business owners who aren’t really worried about what the vulnerability is or how it propagates—but they are very worried about the business outcome.”</p><p>Taking this approach of regularly briefing the board and providing benchmarks of where the business is in addressing cyber risks is a best practice approach, says Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton & Williams LLP and former chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.</p><p>“Some of our clients are appearing before the board on a routine basis and using benchmarking as a way of showing where the company is today as compared with others in their industry sector, and then also showing benchmarking as compared with a point in time—say today versus where the company is two or three months from now,” she explains. “Benchmarking is very helpful in putting the evolution of the cybersecurity program into context.”</p><p>Having this regular dialogue helps build a base of understanding for board members and educates them on the company’s cybersecurity strategy. “The board wants to hear the overall strategy, but they are also going to want to hear about some of the more granular testing, like penetration tests and the results, risk analysis, data flow mapping exercises,” Sotto adds. 
“High level is very good, but with details waiting in the wings in case board members are interested in going into more detail.”</p><p>This is likely to happen as boards become increasingly interested in cybersecurity and more knowledgeable on the topic. They may also be required to become more knowledgeable under new regulations or legislation making its way through the U.S. Congress.</p><p>For instance, U.S. Senators Mark Warner (D-VA), Jack Reed (D-RI), and Susan Collins (R-ME) introduced legislation, the Cybersecurity Disclosure Act (S. 536), that would require publicly traded companies to include information on whether any member of the company’s board of directors is a cybersecurity expert in their Securities and Exchange Commission disclosures to investors. If a company has no cybersecurity experts, it would be required to explain why a greater level of expertise was unnecessary.</p><p>“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process,” Senator Reed explained in a statement. “Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber risk oversight.”</p><p>S. 536 has been introduced and referred to the U.S. 
Senate Committee on Banking, Housing, and Urban Affairs, but has not advanced.</p><p>“The bill alone is interesting, and, even if the bill doesn’t pass, more efforts like this could have the effect of incentivizing boards to look for cyber savvy directors,” Sotto says.</p><p>And while many companies are struggling with connecting cybersecurity to the mission of the business and articulating the risks associated with it, CEOs are beginning to track the issue and invest in it.</p><p>“If we continue to improve and unlock more of the stories and the business value of what security is doing for the business, I think the population of [cyber-focused] CEOs will grow,” LaSalle says. “I don’t know if they will ever be the majority, but I do think that it will be a best practice for a CEO in five years to be not just interested and involved in the security of their organization, but really committed to it.”       ​</p>
https://sm.asisonline.org/Pages/Mobile-Mayhem.aspx | Mobile Mayhem | National Security
<p>Mobile device security organizations stepped up in a big way this summer to attempt to bring the U.S. federal government’s digital communications into the 21st century. </p><p>Companies such as BlackBerry—which last year stopped manufacturing cell phones—have been working with the government to create and disseminate software that protects mobile devices from eavesdropping or interception. </p><p>Between U.S. President Donald Trump’s issuance of the cybersecurity executive order that focuses on protecting federal networks and the U.S. National Security Agency’s (NSA) adoption of solutions like BlackBerry’s, the U.S. government is acknowledging the trend towards the mobile workplace—even when conducting classified business.</p><p>Trump made headlines when he continued using his personal Android smartphone once he took office in January and, even after officially switching to a government-issued iPhone, gave his mobile number to world leaders. Experts agree that no mobile device can be completely secure, which is why sensitive phone calls have traditionally been conducted on secure phone lines in the White House or in the president’s private car. </p><p>Still, cell phones are undeniably ubiquitous, and the personnel in the upper echelon of the federal government are provided devices with expensive, cutting-edge technology to prevent intrusion, says ASIS International Defense and Intelligence Council Vice Chair Matthew Hollandsworth, CPP.</p><p>“As the technology and encryption capabilities get better and are reviewed and approved by NSA, there is a capability to talk on a cellular device at the top-secret level and get classified-level data,” Hollandsworth says. “It’s very uncommon right now because of the expense and the risk associated with it. 
If I have a cell phone in my pocket that I can talk classified on, and someone calls me and I’m on the train, I’ve got to watch what I say. Those are the types of risks that are associated with the mobile environment.”</p><p>While Trump undoubtedly has a team of experts monitoring his mobile device usage, the thousands of public sector employees and federal contractors who might deal with sensitive information via off-the-shelf mobile devices may pose a national security risk, notes Tony Anastasio, who does telecommunications work for the Defense Information Agency.</p><p>“Mobile phones, in my opinion, are very dangerous to anybody, especially government people, diplomatic officials, consulates, and embassies,” Anastasio tells Security Management. “There are so many vulnerabilities and exposures in these things.”</p><p>Anastasio has worked in the telecommunications industry around the world for more than 30 years and says there isn’t a good understanding of just how vulnerable mobile devices are to infiltration. </p><p>There are no federal requirements about what types of mobile devices can be used by federal employees and contractors or what they can be used for. The U.S. Department of Homeland Security (DHS) issued a report earlier this year assessing threats to the government’s use of mobile devices and noted, “DHS has no legal authority to require mobile carriers to assess risks relating to the security of mobile network infrastructure as it impacts the government’s use of mobile devices.” </p><p>Hollandsworth, who has managed IT security for federal agencies such as DHS as well as contractors, currently works as the director of corporate security at government contracting company American Systems. He says that in his 20 years in the industry, he has watched the evolution of how federal employees use mobile devices—and the dangers the changes have brought.</p><p>“It used to be that you had your cell phone and all it was was a phone,” Hollandsworth explains. 
“Nowadays, workers need to be more mobile, so you’ve got hot spots pulling up, wireless connectivity in just about every coffee shop around, and almost every federal employee, whether it’s a government contractor or staffer, has some sort of mobile equipment—a laptop, smartphone, tablet, or whatnot. When you start adding all of that up, you look at all the information now stored on those devices that are no longer in the direct control of the organization you’re working for…it does introduce quite a bit of additional risk.”</p><p>Both Hollandsworth and Anastasio say mobile device requirements for mobile employees run the gamut. As carrying around a personal cell phone all the time became the norm, some companies implemented bring-your-own-device policies that allowed employees to use their personal mobile devices for work as well. However, tensions over device privacy and ownership led most federal organizations to give employees government-issued devices to have more control over security.</p><p>“From a security perspective, people didn’t want to give up the access to their phones, they didn’t want things configured for them, they didn’t want people getting into their laptops—lots of privacy concerns there,” Hollandsworth explains. “From a company or government side, I think they want more control over the devices. If it’s a personal device, if something were to happen or information were to get on that device that needs to be cleaned, well there’s a concern—is it government owned or personally owned?”</p><p>Anastasio has experience with the issue. A company he worked for previously frowned upon his use of an Android device that he had rooted—a method allowing unfettered access to the device’s source code—but he says he pushed back. “I’d challenge them—they would say I couldn’t do that with my phone, but you’re going to control my personal phone? I don’t think so,” Anastasio explains. “These employees would say, ‘Hey, it’s my personal phone, I paid for it. 
Who has the right to tell me I can’t put my kid’s pictures on my phone?’ It’s a very personal thing.”</p><p>However, many government contractors—especially smaller startups that can’t afford a robust secure mobile device approach—have mobile requirements somewhere between issuing their own secure devices and demanding complete access to an employee’s personal device. </p><p>“We do enforce certain security standards no matter if it’s a personal device or we give it to them,” Hollandsworth says. “At my company, after we authorize you to connect up your laptop or smartphone we push down certain security settings so you have to change your password every so often. There’s a host of other settings we require for you to improve your connection.”</p><p>However, that might not be enough, Anastasio argues. “A lot of IT guys may not have a good understanding of mobile networks,” he notes. “They just breeze over, say that you can’t have Facebook or other generic apps, but they don’t always dig into the signaling side of the network.”</p><p>The reality of mobile device security is that regardless of whether it’s a locked-down, encrypted, government-issued device or an off-the-shelf consumer phone loaded with apps, it’s only as secure as the network it uses. Anastasio describes a myriad of ways networks can open phones to vulnerabilities, from Signalling System No. 7, which can allow phones to be hacked and render two-factor authentication useless, to fake cell towers that steal information when phones connect to them. </p><p>“Your mobile could be 100 percent clean with no software, malware, or apps, and you could just roam into a rogue cell site, and they can still collect your information,” Anastasio says.</p><p>The DHS mobile security report notes that the stakes for government employees using mobile devices are high. 
“Government mobile devices—despite being a minor share of the overall market—represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions,” the report states. Because the use of mobile devices by the government is “an almost insignificant market share,” changes to mobile device security must be accomplished through legislation and regulation, the DHS report states. “The typical use of the devices outside the agency’s traditional network boundaries requires a security approach that differs substantially from the protections developed for desktop workstations.”  </p><p>One regulation coming down the pipeline is a new U.S. National Institute of Standards and Technology (NIST) standard for protecting sensitive information in nonfederal information systems—including mobile devices. The standard was first published in December 2015, and U.S. Department of Defense contractors have until December 2017 to become compliant. </p><p>“Within the contracting community, whatever type of system you’re using, whether it be your laptop or cloud computing or a mobile device, the government is putting into their contracts that you have to have certain security requirements implemented within your networks,” Hollandsworth says. He says the requirement, NIST SP 800-171, has 109 controls that dictate everything from physical protection of systems to access control, and it will tighten how federal contractors can use mobile devices to store intelligence.</p><p>Anastasio points out that regulations such as NIST’s and rules enforced by individual agencies are only effective if they are thoroughly and consistently enforced. “Most companies don’t want to touch mobile security,” he says. 
“They give you guidelines, and unless they pay for that bill on your cell phone, you still have your own personal phone right next to the one your company gave you.” Consistent education about mobile vulnerabilities is important. </p><p>Employers also need to keep in mind that classified information shared over mobile devices can be compromised in an old-fashioned way—via in-person eavesdropping or leaks. Anastasio cautions that people discussing classified information on their phones in a coffee shop or in an airport are just as much a risk as someone using an insecure mobile device. And even transcripts of Trump’s classified policy phone calls with world leaders were leaked in August.</p><p>Hollandsworth is getting a doctorate in leadership and says learning about how today’s generation will continue to grow as a mobile workforce underlines the importance of implementing a strategy to safely conduct government work on mobile devices. “The risk can only increase,” he says. “The desire and the need is going to continue to increase with having mobility, more power in your hand with a phone, and with that there’s a technology risk aspect that needs to be addressed.”  ​ ​</p>
https://sm.asisonline.org/Pages/Stress-Test.aspx
Stress Test | Strategic Security
<p>It’s stressful being a first responder—that’s a statement that has been accepted as axiomatic for years. But just how stressful, the impact of the stress, and how the stress can be best treated are all issues that have been poorly understood. </p><p>“For too long, we—we being the general public, and we being the government on every level—did not recognize that impact (of stress and trauma) on first responders,” says Deborah Beidel, professor of psychology at the University of Central Florida (UCF) where she directs the UCF RESTORES Clinic, which uses virtual reality tools to treat victims of stress disorders. “There’s no Veteran's Affairs for first responders. This is a problem that each county and each state has to own up to and face.” </p><p>Now, recent research and programs like the one at UCF RESTORES are providing fresh insights into various types of stress and trauma experienced by different first responders, and which types of treatments are most effective. </p><p>Anastasia Miller has experienced first responder stress first-hand. For about five years, she worked as a firefighter and as an emergency medical service responder. She found the work stressful—at least at times, she says. Later, as a graduate student, she decided to study this stress and its impacts.</p><p>At UCF, Miller devoted her doctoral dissertation to stress, burnout, and support strategies for first responders. Last month, her research was published in the International Journal of Police Science and Management. </p><p>In her research, Miller looked at four types of first responders working at state protective agencies in Florida—firefighters, law enforcement officers, emergency medical service providers, and dispatchers. 
</p><p>She included dispatchers in part because she had already interviewed many of them for a previous unpublished research project, and had found that they suffered symptoms of numbness, anger, and feeling haunted by incidents. “They were describing post-traumatic stress disorder (PTSD) symptoms,” she says. </p><p>In sum, Miller found that different types of responders can experience stress differently. For example, responders who either witness a traumatic event or help a victim overcome an event, but are not directly involved with the event itself, may experience secondary traumatic stress. Because they are not victims of the event itself, they do not have PTSD per se, but some of the symptoms of secondary stress are similar to PTSD symptoms. </p><p>This secondary traumatic stress was common, at least at some level, Miller found. About 60 percent of first responders displayed low levels of secondary traumatic stress, 39 percent displayed moderate levels, and 1 percent displayed high levels, according to her survey. </p><p>But of the four types of responders, dispatchers and EMS personnel were the most likely to experience high levels of secondary traumatic stress. And, as she gathered from her previous unpublished research, dispatchers were the responders who showed the most burnout and felt the least amount of support. </p><p>“I guess I was hoping that would not be the case, but it wasn’t a surprise,” she said of the finding. </p><p>In general, Miller says she is glad there has been more attention paid to first responders’ needs since 9/11, but progress in giving them better support seems slow and incomplete. </p><p>“It’s often blanket statements and blanket policies without much data,” she says, adding that when responders’ needs are addressed, dispatchers are often ignored. Further study is needed on the individual needs of different types of responders, and how programs could be better customized to support each role, she explains. 
</p><p>Like Miller, Beidel also recognizes the intense stress that dispatchers can undergo. In fact, it was a dispatcher who played a critical role in expanding UCF RESTORES treatment services for first responders. </p><p>Beidel and UCF RESTORES clinicians started working with combat veterans with PTSD in 2011. The results were promising. Beidel examined information about the first 100 patients of the clinic for a study later published in the Journal of Anxiety Disorders; the study found that 66 percent of the patients no longer had PTSD after three weeks of treatment.</p><p>Then in 2014, a UCF colleague named Clint Bowers was discussing this work with his sister, an emergency dispatcher. When the dispatcher heard about the PTSD suffered by combat veterans, she said, “PTSD? You ought to talk to me.”</p><p>This sparked the group to start working with first responders. As part of this work, they developed a peer support training program for fire departments. Through this program, the clinic developed ties with fire departments in the greater Orlando area, and when the Pulse nightclub shooting occurred last year, clinicians were called in to debrief firefighters on the morning after. </p><p>“It was quite stressful,” Beidel says. In those debriefings, she and her colleagues offered “psychological first aid.” </p><p>Since that time, the clinic has worked with firefighters, police officers, and emergency dispatchers. A few months ago, clinic officials received $5.5 million in U.S. federal and state grant funding to develop an entire virtual reality treatment system for first responders, which is scheduled to be up and running by the first quarter of 2019.</p><p>The clinic’s virtual reality treatment program uses sight, sounds, and smells to recreate conditions that cause the responder stress or trauma. It does so through the use of head-mounted viewers, earphones, and a scent machine that blows out the appropriate smells, such as burning or smoky odors.  
</p><p>Patients may be treated five days a week for three weeks running; this is combined with group-therapy sessions on stress-related topics like anger management and depression.</p><p>“If you think about trauma, everything that’s associated with trauma is triggered by a remembering of trauma,” Beidel says. So, if a man in a red shirt is walking a mean dog that gets off his leash and attacks someone, the victim’s memories of that terrible event may later be triggered by a red shirt.</p><p>To treat such a victim, a virtual reality scenario might be created wherein the victim encounters a man in a red shirt walking a very friendly dog who stays on the leash. </p><p>“It creates new learning. It breaks those old connections,” she explains. “People are making new connections—neural connections—and they are developing new memories. We never erase the old memory, but that memory loses the power to dictate one’s life.”</p><p>With the new grant funding, Beidel hopes that the clinic can increase its reach and treat more first responders. The need for treatment is pressing, she says, given the impact that stress can have. For example, the National Fallen Firefighters Foundation has found that firefighters are three times more likely to die by suicide than from a blaze. </p><p>And the problem is not just an American one; other organizations outside the United States have recognized the need for dealing with first responder stress. In Canada, Simon Fraser University (SFU) in Vancouver started a First Responders Trauma Prevention and Recovery certificate program designed to help responders mitigate the effects of stress and trauma. The SFU program was started in 2016 after the suicide rate for first responders in Canada increased, with 39 Canadian first responders taking their own lives in 2015. </p><p>“That’s the thing—this is something that can be treated,” Beidel says. “But we first have to recognize it.”</p>
https://sm.asisonline.org/Pages/Embassy-Evacuations.aspx
Embassy Evacuations | National Security
<p>There’s no shortage of security threats at the 307 U.S. embassies around the world. During the four-year period of fiscal 2013–2016, the U.S. State Department evacuated staff and their families from 23 overseas embassies due to episodes of civil unrest, terrorism, and natural disasters, according to a recent report by the U.S. Government Accountability Office (GAO). </p><p>Two of these 23 overseas posts were evacuated three times during this period—Adana, Turkey, and Bamako, Mali. Four were evacuated twice—Bujumbura, Burundi; Juba, South Sudan; Sana’a, Yemen; and Tripoli, Libya. The rest were evacuated once. </p><p>To prepare for these crises, the embassies are required to update an Emergency Action Plan (EAP) and conduct nine types of drills each fiscal year, including duck-and-cover, bomb threat, and chemical/biological response. </p><p>But these requirements are not always met, according to the report, Embassy Evacuations: State Department Should Take Steps to Improve Emergency Preparedness. “We found significant gaps in emergency preparedness,” the report says.</p><p>On average, overseas posts only completed about 52 percent of the required drills, the GAO found. And a GAO review of EAPs at 20 posts found that only two had updated the key sections of the plan. </p><p>“GAO also found that EAPs are viewed as lengthy and cumbersome documents that are not readily usable in emergency situations,” the report goes on to say. “Taken together, the gaps in State’s crisis and evacuation preparedness increase the risk that post staff are not sufficiently prepared to handle crisis and emergency situations.” </p><p>Given these findings, GAO recommended that the U.S. 
secretary of state:</p><p>• Take additional steps to ensure that posts complete annual updates of their EAPs within required time frames, such as identifying posts that are late and following up until they comply. </p><p>• Establish a monitoring and tracking process to ensure that State reviews and documents the review of key sections of EAPs. </p><p>• Take steps to make the EAP more readily usable during emergency situations. For example, a more streamlined version of the EAP could be developed that could be used by overseas posts.</p><p>• Take steps to ensure that overseas posts complete and report completion of required drills within mandated time frames.</p><p>• Take steps to ensure that overseas posts complete and submit lessons learned reports, following evacuations, to State Department headquarters for analysis.</p>
https://sm.asisonline.org/Pages/Employee-Theft.aspx
Employee Theft | Physical Security
<p>Marianna Perry, CPP, a security consultant with Loss Prevention and Safety Management, LLC, discusses how companies can prevent employee theft of digital and physical assets.</p><p><em><strong>Q. </strong>What steps can employers take to prevent employee theft? </em></p><p><strong>A. </strong>One of the major things that employers can do is hire the right people—honest employees. That sounds very simple, but many times corners are cut during the hiring process. In addition to more than one interview, employers should conduct thorough background investigations, which may include checking criminal records, references, and education. Personality tests can indicate whether the applicant is a good fit for the company. Every employer should have clear policies to deter theft, and employees should know that if they steal, they will be prosecuted. It’s also a good idea to have a hotline where employees can anonymously report suspicious behavior or theft by another employee.</p><p><em><strong>Q. </strong>What about security best practices?</em></p><p><strong>A. </strong>Retailers have traditionally used common practices such as comparing physical inventory against receiving and sales records, auditing cash and payroll records, locking emergency exit doors, installing video surveillance systems, and using security devices to tag inventory. Training employees to recognize common behavior characteristics of thieves is also critical to deterring theft. Business policies and procedures need to be reevaluated on a regular basis and communicated to employees. 
Best practices include daily bank deposits made by two employees, audits of shipping and receiving records, inventory conducted by an outside firm, verifying time worked against payroll records, auditing cash bank deposits against daily cash receipts, and reconciling the monthly bank statement.</p><p><em><strong>Q. </strong>How can employers prevent personal information from being tampered with by an insider?</em></p><p><strong>A.</strong> A risk assessment may help identify potential vulnerabilities in the IT system, whether it’s theft from employees who are well aware of their access to the goldmine of personally identifiable information (PII) or an inadvertent theft that may be caused by a bring-your-own-device policy. Many employees can access PII with no evidence of intrusion in the company data systems. High turnover and employees that do not undergo effective vetting processes increase the likelihood of insider theft. Access to data files should be restricted and controls and tracking should be in place. Senior management should have current login information and passwords of all employees. Businesses need to have a holistic approach to security by integrating IT security and physical security.</p><p><em><strong>Q. </strong>Should a manager confront an employee about stealing? Are there any legal concerns?</em></p><p><strong>A.</strong> If an employee is confronted with theft, ensure that you have the evidence to support your suspicions. Entrapment techniques should never be used to entice an employee to steal. It’s important not to threaten the employee under suspicion and have a witness present—preferably, a member of management—while you are talking with the employee. Ask the employee to explain how the theft occurred, if other employees are involved, and if the money or company property can be returned. Every theft that occurs should be reported to law enforcement with supporting documentation from the business.   ​</p>
https://sm.asisonline.org/Pages/Say-Thanks--National-Security-Officer-Appreciation-Week-Kicks-Off-.aspx
Say Thanks: National Security Officer Appreciation Week Kicks Off | Physical Security
<p>September 17 to 24 marks the third annual National Security Officer Appreciation Week, an opportunity to say thanks to security officers working across the United States.</p><p>“We must all recognize and be grateful for the continual contributions of security professionals, who not only are often the first line of defense against natural disasters, civil unrest, violence, and terrorist attacks, but who can also provide a friendly face and welcoming gesture in a time of need,” wrote AlliedUniversal CEO Steve Jones in a blog post. <br></p><p>There are approximately 1.1 million security officers employed in the United States with a projected employment growth of 5 percent from 2014 to 2024, according to a U.S. Bureau of Labor Statistics analysis from May 2016. <br></p><p>“Our community protectors and guardians are sometimes put in high-risk situations as they confront and detain criminals engaged in theft, trespassing, gang activity, and other criminal activity,” Jones explained. “They also save countless lives by administering CPR…they offer peace of mind by finding your lost car key or ID that fell out of your pocket, or by simply delivering a ‘have a nice day,’ as you leave the office.”<br></p><p>To show its appreciation for the work these individuals do, AlliedUniversal created National Security Officer Appreciation Week in 2015 to encourage others to “say thank you” and recognize security officers’ contributions to maintaining safe and secure workplaces, schools, and communities.<br></p><p>“Security officers are hard-working, highly trained men and women who are our country’s first responders,” AlliedUniversal said in a press release. 
“These individuals deter crime, lead evacuations, provide information, work closely with local law enforcement, and are constantly vigilant in their efforts to keep us safe.”<br></p><p>To participate and show your appreciation for security officers this week, thank an officer in person and also on social media by using the hashtag #ThankYouSecurity.<br></p>
https://sm.asisonline.org/Pages/Hiding-Body-Art-During-Interviews-Then-Revealing-It-on-the-Job.aspx
Is Hiding Body Art During Interviews, Then Revealing It on the Job, Deceptive? | Strategic Security
<p><em>Security Management </em>has partnered with the Society for Human Resource Management (SHRM) to bring you relevant articles on key management topics and strategies. This article by Michele Poacelli discusses how organizations should approach communicating body modification expectations with potential employees.<br></p><p>--</p><p>What should a company do if, after she is hired, an employee alters her physical presentation in such a way that the employer worries clients or customers might find it offensive? Is it misleading for an applicant to hide tattoos or piercings during a job interview, then reveal them on the job? What recourse does an employer have?</p><p>Body art is ubiquitous. According to a February 2016 survey from The Harris Poll, tattoos are especially prevalent among younger Americans, with nearly one-half of Millennials (47 percent) and over one-third of Generation X respondents (36 percent) saying they have at least one. People across diverse industries and regions boast colorful ink and nontraditional skin piercings.</p><p>As the popularity of tattoos and piercings has risen, has stigma in the workplace subsided?</p><p>That depends on the culture, image and values of the company.</p><p>For instance, Chase Bank's dress code states that "Appropriate dress and appearance increase the perception that Chase employees are professional, knowledgeable and capable of serving customer needs and maintaining responsible relationships." 
With the exception of having them for religious and certain health reasons, visible tattoos and piercings other than in the earlobes are not permitted.</p><p>When a corporate culture is built around its workers, however, there is more room for personal expression. In 2014, responding to demand from its young workforce, Starbucks began allowing employees to display their tattoos. Tattoos on the face and throat are still prohibited. Micha Solomon, a contributor to Forbes.com, suggested that the change had benefits for all parties. "Letting employees revel in their own style is a way to project how genuine you are as a brand to employees and to the customers they support," Solomon wrote.</p><h4> SHRM Members Debate Body Art</h4><p>In a recent discussion on the Society for Human Resource Management (SHRM) discussion forum—SHRM Connect—it became clear that HR professionals have different opinions on the subject.</p><p>One SHRM member wrote that the trend in body art will continue to influence corporate dress and appearance policies: "Many of our employees, including higher-ups (and myself) have tattoos and piercings," this member wrote. "Especially as you look to hire Millennials and the next generations, I think these policies [banning the display of body art] are going to quickly become outdated. We certainly removed them from our handbook."</p><p>Another HR professional wrote that "we also have customer-facing roles and do not allow visible tattoos, facial piercings or ear gauges. We are clear on this upfront, even if the person being interviewed does not show any. [A] manager needs to address this. And going forward, let your candidates know your expectations upfront."</p><p>Given that range of attitudes about tattoos and piercings in the workplace, job applicants may be uncertain about a company's position. 
Because many worry that their skills and abilities will be overlooked if body art is showing, they cover it up during the hiring process, some SHRM Connect commenters wrote.</p><p>Job search coach Ashley Robinson at Snagajob.com, an online job search engine based in Richmond, Va., recommends this. "Cover your tattoos as much as possible," she advises. "Wear clothing that will hide them or even use tattoo cover-up so they won't be visible. ... You want the interviewer to be focused on you and your qualifications, not your ink."</p><p>Once the job is secured, should the body art stay hidden?</p><h4>To Reveal … Or Not?​</h4><p>In the SHRM Connect discussion, one HR professional noted that a newly hired desk greeter at a medical office covered her tattoos and removed her piercings during job interviews, then displayed them once she started working there. The SHRM member who manages the office felt duped. "She hid the fact that she had tattoos up both arms and that she wears a very large tongue ring and nose ring," this member wrote. "[The tattoos and piercings] were not made [apparent] to us in any of the interviews we had with her."</p><p>Patients complained about the woman's appearance, the member wrote, but HR was worried about the ramifications of asking the woman to cover her tattoos and remove her piercings while at work.</p><p>Body modification can be considered an artistic, and in some cases religious, form of expression. Title VII of the Civil Rights Act of 1964 states that employers with 15 or more employees "must reasonably accommodate employees' sincerely held religious practices unless doing so would impose an undue hardship on the employer." Many states offer similar anti-discriminatory protections to employees working for businesses with fewer than 15 employees.</p><p>Brian Elzweig, assistant professor of business law at Texas A&M University-Corpus Christi, and Donna K. 
Peeples, the university's retired associate professor of management, cautioned in an e-mail that "Employers should take special care to familiarize themselves with Title VII cases, take claims of religious and other forms of discrimination seriously, know the implications of their dress code, and make employees understand the repercussions of violating the dress code."</p><p>Another HR professional participating in the SHRM Connect discussion urged proactive communication: "We need to share the policies in order for candidates and employees to know the policies. … Considering the popularity of tattoos [and other body art], it would be wise to address this with candidates during the interview process, across the board, and especially with [those occupying] a visible role."</p><p>Some companies communicate dress and appearance policies as early as the job posting. "When you have very specific job requirements or expectations, weed out non-compliance before anyone's time is wasted," one person in the SHRM Connect discussion suggested.</p><p>Tracy Perez, a benefits manager in Denver, told SHRM Online that it's best for an employer to communicate clear expectations for dress and appearance in a formal, written policy signed by the employee. "This becomes the condition for employment," Perez said. "If you can't adhere to it, you can't work here."</p><p>Perez's 16-year-old son is seeking summer employment in the restaurant industry. His hair is dyed a verdant shade of green. Perez said she thinks her son's unnatural hair color won't hurt his chances for a dishwashing or other kitchen position that's out of customers' view.</p><p>"But if he interviewed with brown hair for a maître d' position and showed up to work with green hair, there would be problems."</p><p><em>Michele Poacelli is a freelance writer based in Mercersburg, Pa. © 2017, SHRM. 
This article is reprinted from <a href="https://www.shrm.org/resourcesandtools/hr-topics/employee-relations/pages/is-hiding-body-art-during-job-interviews-deceptive.aspx">https://shrm.org</a> with permission from SHRM. All rights reserved.</em></p>
https://sm.asisonline.org/Pages/Less-is-More.-A-KISS-Approach-to-ESRM.aspxLess is More: A KISS Approach to ESRMGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p dir="ltr" style="text-align:left;">Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years, and ASIS International has identified it as a strategic focus. But a review of the literature, beginning with the <a href="https://cso.asisonline.org/esrm/Documents/CSORT_ESRM_whitepaper_%20pt%201.pdf">2010 CSO R​​oundtable paper<sup> </sup>on ESRM</a>, raises two issues that could make implementation difficult.</p><p dir="ltr" style="text-align:left;">First, the initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO). Appealing though it might be to have "Head of Risk Management" appended to one's job title, "I'm not busy" is NOT a common refrain among security managers. In many organizations, managing the risks across all security functions—that is, physical, cyber, and information—is already an enormous task, so operational and reputational risk should remain elsewhere. </p><p dir="ltr" style="text-align:left;">The idea that all responsibility for risk should fall to security seems to have tapered off somewhat since the first few papers on ESRM, but security managers will still be better served if they ensure that ESRM focuses on the "S" in the title, security.</p><p dir="ltr" style="text-align:left;">Second, there is often a tendency towards complexity and granularity in ESRM systems where simplicity is more appropriate. 
Risk management is an area where it is easy to quickly become bogged down in detail, and the drive for more and better data can stymie the process. If we consider the ISO definition of risk as "the effect of uncertainty on objectives" (<a href="https://www.iso.org/standard/44651.html">ISO 73</a>), trying to become more and more specific overlooks the baked-in nature of uncertainty. </p><p dir="ltr" style="text-align:left;">Moreover, when quality data is not available, as is often the case with security issues, trying to analyze risk at a more and more granular level can produce a less-accurate assessment. Granularity and massive amounts of information can be used in Big Data systems, but most organizations don't produce enough security-specific data for that kind of analysis. Even with large amounts of data this can still go wrong. As an example, tinkering at the micro level while assessing the risks in the U.S. mortgage bond markets back in 2008 gave the impression that things were fine, even though all the warning signs were visible (but largely ignored) at the macro level. </p><p dir="ltr" style="text-align:left;"><strong>Moving to ESRM with a KISS Approach</strong></p><p dir="ltr" style="text-align:left;">Although more complicated than a purely security-centric approach, a risk-led approach is an effective way to approach security. This directly links security activities to the organization's overall objectives and goals, integrating security risk with the organization's overall ERM system. This approach also helps bridge the gap with contingency planning, business continuity management, and crisis management, and it significantly improves response and post-event recovery. Moreover, ESRM helps the elements within the security function coordinate more effectively. 
</p><p dir="ltr" style="text-align:left;">Finally, a robust and effective risk management system also removes a great deal of subjectivity from planning and decision making, which enhances organizational efficiency. In many ways, risk is the common language of business and the sooner we all share that language, the more effective we will be. Investing time and effort into the ESRM system and moving towards a risk-led approach does pay off in the long run.</p><p dir="ltr" style="text-align:left;">So there are real benefits in implementing an ESRM system but these two issues—pushing security to take on a wider risk management role and a tendency towards complexity—could make implementation seem an impossible task and one that many CSOs would find daunting, deterring them from taking this course. However, an ESRM system does not have to be overly complex, nor something that disrupts day-to-day operations. In fact, for most security managers, a KISS approach—keep it simple, security folks—is the best way to tackle ESRM. This does not suggest that there aren't challenges in implementing an ESRM system or that additional work and change won't be necessary. But a KISS approach facilitates implementation and makes the ESRM system much more effective.</p><p dir="ltr" style="text-align:left;">But how can we do this and keep things simple?</p><p dir="ltr" style="text-align:left;">Four basic principles can assist with the implementation of a simple yet effective ESRM program: use a standard approach, start speaking risk, become objectives-led, and accept uncertainty. </p><p dir="ltr" style="text-align:left;"><strong>Use a standard approach to risk management, not one that is security-specific.</strong></p><p dir="ltr" style="text-align:left;">Each business or function will want a solution that is tailored to its needs, but this causes inefficiency when working in a cross-functional environment. 
Imagine for one second what would happen if every department used its own accounting processes: mayhem, and probably lawsuits, would ensue. This problem could even arise within the security function itself if cybersecurity tried to use one approach to risk management, and asset protection used a different one. </p><p dir="ltr" style="text-align:left;">A robust, comprehensive risk management system will allow room for adjustment at the functional level while still applying a standard approach that can be used across the entire organization. So, rather than finding a security-specific definition for risk, or processes tailored to the department, start with a basic approach to risk management. Ideally, this would mean adopting your organization's existing system and processes that you can adapt to fit the needs of the security team. In some instances, you might need to start from scratch—in that case I would recommend <a href="https://riskademy.co/twelve-core-elements-for-risk-management/" target="_blank">going back to basic, first principles</a> which can then be scaled up to integrate with a future ERM system.</p><p dir="ltr" style="text-align:left;"><strong>Learn to speak risk.</strong></p><p dir="ltr" style="text-align:left;"><a href="https://riskademy.co/what-do-you-mean-by-risk/" target="_blank">Risk provides organizations with a common language and mindset</a> that can be applied across departments and functions to help with discussions and decision making. Even within the security function itself, having cyber, information, and physical security teams use a common language will make life easier for the CSO. 
"Speaking risk" can be more complicated than it might first appear, because terms can be applied differently and <a href="https://riskademy.co/wdymb-risk-perception-and-risk-communication/" target="_blank">there are some complex influences that affect how we perceive risks.</a> At first, there will be a need for regular clarification on how terms are being used until the correct usage becomes commonplace. Adapting existing materials to suit the new lexicon will also take time, but the ERM system should define the key terms and concepts and these should be adopted as early in the ESRM process as possible. </p><p dir="ltr" style="text-align:left;"><strong>Become objectives-led, rather than assets-focused. </strong></p><p dir="ltr" style="text-align:left;">Using a risk vocabulary doesn't just help with discussions: it also helps change mind-sets and perspectives. If something akin to the ISO definition—that risk is "the effect of uncertainty on objectives"—is used, the focus on objectives should become second nature, which has multiple benefits:</p><ul><li>It allows individuals and teams to practice what the U.S. military calls disciplined initiative: leaders at all levels understand the commander's (in this case the organization's) overall intent and can shape their activities to support that without step-by-step direction.<br><br></li><li>Being objectives-led moves from a reactive to a proactive mindset. Instead of thinking, "<em>x</em> has happened, so we need to do <em>y</em>," organizations can consider "what effect could <em>x </em>have on our objectives?" and act accordingly.<br><br></li><li>Security can better support the organization when mitigation measures and contingency plans are developed with the organization's top-level objective in mind. 
This is best summed up by something an embassy regional security officer said while discussing security in a higher-risk country: "The best way to keep everyone safe here is to keep them inside [the embassy] but that's not my job. My job is to help them get out there and do their jobs as safely as possible."  ​<br><br></li></ul><p>Becoming objectives-led is not only applicable in day-to-day "peacetime." It is extremely important during the response to an event where a proactive, objectives-led stance will significantly improve the organization's chance of survival.</p><p><strong>Accept uncertainty and avoid over-specification. </strong> </p><p>We are awash with data, email alerts, and warnings that swamp us with information. That can quickly lead to analysis paralysis: if we are presented with every possible permutation, possibility, and outcome for a situation, how can we effectively decide what to do next? From an ESRM perspective, avoiding this paralysis requires two things. </p><p>First, the system should accept uncertainty and avoid trying to become too specific. Ultimately risk management is a decision-making tool that helps put risks into a comparative order, but it doesn't measure risk per se. Trying to measure risk to one or two decimal places is extremely difficult in all but the most well-documented, highly regular, technical systems. If you think about it, an asset assessment that gives you a loss expressed down to single dollars should be taking pocket change into account. However, day-to-day security management has neither that kind of stability nor the data, and there are simply too many variables for that kind of accuracy. 
The ESRM system should work in broader strokes than the CSO might initially be comfortable with, but that will help remove some of the uncertainty and simplify the assessment and reporting process while still producing usable results.</p><p>Second, information overload is not just something we can experience; it is also something to which we can contribute. Security should therefore avoid swamping the overall ERM system with too much data. Too much information from each department will overwhelm the ERM system and cause paralysis at the organizational level. The risk management system should specify when a departmental risk is severe enough to become an organizational risk and needs to be elevated, and this should be mirrored in the ESRM system. Again, using broad strokes will also help get the point across as to which risks are a priority without having to overwhelm the senior leadership with every possible security concern.</p><p>In both cases, technology can make things more efficient, but if care isn't taken when designing a technical solution, managing the risk management system can become a major task in its own right. As mentioned earlier, security managers are not looking for more work to fill their time, so whatever systems are used must be robust, simple, and effective. Even with IT, KISS is still important.</p><p><strong>Summary</strong></p><p>ESRM is a welcome initiative that will embed security management more thoroughly into organizations, add much-needed objectivity to decision making, and improve resilience. However, a tendency towards making ESRM too specialized, or trying to have the CSO lead too much of the overall risk activity, will likely be counterproductive. Taking a KISS approach, by contrast, will help achieve the overall aim of integrating security into the broader ERM framework while also avoiding these pitfalls. 
Even within the security function itself, a risk-led approach will provide much-needed coordination between security functions because it gives CSOs and their teams a common language. Although a highly complex, granular system may seem attractive, taking a KISS approach is going to be more straightforward to implement when CSOs and their teams are already working close to capacity. Once the basic ESRM system is in place, the tinkering can begin.</p><p>Whatever specific approach is taken, adhering to the four principles outlined above—use a standard approach, start speaking risk, become objectives-led, and accept uncertainty—<a href="https://riskademy.co/integrating-a-risk-management-system-into-your-organization/" target="_blank">will help implement an ESRM system</a> that allows the organization to better understand security risks, integrate these into the wider ERM program, and ensure that the security team takes a risk-led approach. </p><p><em>​Andrew Sheves has been a risk, crisis and security consultant for more than 15 years following several years in the military. Both careers have given him the opportunity to find out the hard way that a KISS approach is usually better. He runs the risk consulting firm Tarjuman LLC and operates the </em><a href="https://riskademy.co/" target="_blank"><em>Riskademy</em></a><em> online training school which contains additional information on many of the concepts and ideas outlined above and offers a free introductory course on risk management. He is a member of ASIS.​</em></p>
https://sm.asisonline.org/Pages/Hackers-Hit-Equifax,-Compromising-143-Million-Americans’-Data.aspxHackers Hit Equifax, Compromising 143 Million Americans’ DataGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Hackers breached a crown jewel among U.S. financial institutions this summer, potentially compromising 143 million Americans’ personally identifiable information (PII). </p><p><a href="http://www.equifax.com/about-equifax/" target="_blank">Consumer credit reporting agency Equifax</a> confirmed in a statement released late Thursday that hackers gained access to its systems and compromised consumer data, including Social Security numbers and driver’s license numbers. <br></p><p>“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” <a href="https://www.equifaxsecurity2017.com/">the statement said.</a> “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”<br></p><p>Along with consumers’ names, Social Security numbers, birth dates, and addresses, the hackers also stole 209,000 consumers’ credit card numbers and 128,000 consumers’ dispute documents.<br></p><p>“As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents,” the statement said. “Equifax will work with UK and Canadian regulators to determine appropriate next steps.”<br></p><p>Equifax became aware of the hackers’ intrusion on July 29, acted to stop the intrusion, and hired a cybersecurity firm to conduct a comprehensive forensic review to determine the scope of the intrusion. It also reported the intrusion to law enforcement. 
<br></p><p>“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Chairman and CEO Richard F. Smith in a statement. “I apologize to consumers and our business customers for their concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”<br></p><p>To help consumers determine if they have been impacted by the breach, Equifax created a website--<a href="http://www.equifaxsecurity2017/" target="_blank">www.equifaxsecurity2017</a>--where they can check their status and sign up for credit file monitoring and identity theft protection.<br></p><p>Critics, however, have cautioned consumers about checking their status with Equifax, as doing so might waive any rights they have to sue the agency. <br></p><p>This is because a disclaimer on the dedicated website includes the following statement: “By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claim where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.”<br></p><p>New York Attorney General Eric Schneiderman tweeted that this language is “unacceptable and unenforceable,” and that his staff has contacted Equifax to demand it be removed. 
He also announced that he’s launching an investigation into how the breach occurred.<br></p><p>“The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred,” <a href="https://twitter.com/AGSchneiderman/status/906197644841766912" target="_blank">Schneiderman said in a statement.</a> “I encourage all New Yorkers to immediately call Equifax to see if their data was compromised and to consider additional measures to protect themselves.”<br></p><p>While investigators work to determine the cause of the breach and who was responsible, it’s likely to have widespread ramifications given the number of consumers compromised and the data involved. <br></p><p>In a<a href="https://www.digitalshadows.com/blog-and-research/equifax-breach-the-impact-for-enterprises-and-consumers/" target="_blank"> blog post</a> for cybersecurity firm Digital Shadows, Vice President of Strategy Rick Holland detailed what’s most likely to happen next, including tax return fraud, benefits and medical care fraud, carding, resale of data, and enablement of nation state and hacktivist campaigns.<br></p><p>“There are a wide range of possibilities depending on the goals of the threat actor responsible for the Equifax intrusion,” Holland wrote. “Attribution aside, one thing is certain though, regardless of the motivations of the attackers, this data is perfect for social engineering attacks.”​<br></p>
https://sm.asisonline.org/Pages/Técnicas-Forenses-Defectuosas.aspxFlawed Forensic TechniquesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Scientifically sound evidence is one of the fundamental pillars of the United States justice system. Recently, however, investigations carried out by a presidential advisory committee questioned the validity of some evidence-gathering techniques. This is only one of the most recent criticisms of forensic science practices, which have faced calls for reform from some quarters.</p><p>The most recent investigation has its roots in another report, issued in 2009 by the National Research Council, which analyzed the current state of the forensic sciences. That report, produced at the direction of the U.S. Congress, was highly critical; among other things, it found a lack of sound protocols and standards for reporting and analyzing evidence.</p><p>In response to this report, several initiatives were undertaken by different U.S. government agencies, and so the National Commission on Forensic Science was born, aimed at raising forensic standards. In addition, in 2015, the Obama administration asked the President’s Council of Advisors on Science and Technology (PCAST) to investigate additional scientific steps that could help ensure the validity of forensic evidence used in legal proceedings.</p><p>The council of scientists and engineers appointed by the president produced, as requested, a report titled Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods, which was published several months ago.</p><p>The report found two existing knowledge gaps. The first gap was the need for greater clarity about the scientific standards underpinning valid forensic methods. The second gap was the need for certain specific forensic methods to be evaluated to better demonstrate their validity.</p><p>To help close these gaps, the report examined seven forensic feature-comparison methods, which are those used to determine whether an evidence sample is associated with a potential sample taken directly from the source, such as a suspect.</p><p>The methods evaluated were: DNA analysis of single-source and simple-mixture samples; DNA analysis of complex-mixture samples; bite marks; latent fingerprints; firearms identification; footwear analysis; and hair analysis.</p><p>Based on its analysis, PCAST recommended that judges should not admit four of the methods in court: bite marks, firearms identification, footwear analysis, and hair analysis.</p><p>PCAST also suggested that judges should be cautious about admitting DNA evidence from complex-mixture samples, and recommended that juries be warned about the high error rate in fingerprint analysis.</p><p>Several months after the publication of the PCAST report, another significant development took place: the Department of Justice announced that it would dismantle the National Commission on Forensic Science. Some experts now say that the absence of research and advice from the commission could make the task of challenging scientifically questionable evidence in court even more difficult in the future.</p><p>“Even if defense attorneys go out of their way to object to (questionable evidence), they will not have the power of a national commission to back them up,” Erin Murphy, a research professor at New York University School of Law, told the Associated Press in April. “The status quo right now is to admit all evidence that is presented. The status quo is how things are likely to stay.”</p><p><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Management <em>is not responsible for errors in translation. Readers can refer to the original English version here: <a href="/Pages/Flawed-Forensics.aspx">https://sm.asisonline.org/Pages/Flawed-Forensics.aspx</a>.</em><br></p>
https://sm.asisonline.org/Pages/Preparing-for-Protests-.aspxPreparing for ProtestsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Riots in Ferguson, Baltimore, and Berkeley. Disruptions at airports coast to coast. Pipeline site blockades and sabotage. Out-of-control town hall meetings and campus speeches.</p><p>These stories have been filling headlines and social media feeds at a seemingly constant pace. Less trumpeted, however, are the protests that fizzled out or were kept calm thanks to smart security planning. What makes the difference between a protest that boils over into violence and major disruption and a protest that is steered, subtly or boldly, toward a peaceful outcome?</p><p>A security director may not be able to determine in advance whether a protest will be peaceful or legal, but it is not his or her task to stop people from protesting. Therefore, when a company is targeted by protesters or is expected to be in their path, the security director should focus on traditional security concerns: protecting the company’s people, property, information, and reputation.  </p><p>In a protest or riot situation, the protective effort takes on special urgency and requires different methods from those employed during normal operations. Protests and riots are unstable, high-tension events that can have outcomes as serious as loss of life, severe personal injuries, major property damage, and complete stoppage of legitimate business activities.  </p><p>Some situations call for a high-visibility security profile designed to discourage protesters from harming the company’s employees and property. In other types of protests, a low-key, low-visibility approach takes the wind out of the protesters’ sails. In all cases, a disciplined, documented approach leads to the best outcomes—both on-site and in court. 
</p><p>It may be difficult to convince senior management to spend money on planning and preparation if a protest does not seem imminent. However, showing coverage of recent protests that got out of control may clarify the ramifications of being unprepared. Images of burning buildings, looters, broken windows, and injured people on stretchers may provide a reminder of what can happen when inadequate precautions are taken.</p><h4>Assessing Conflict</h4><p>Security is not law enforcement. The goal is not to arrest protesters but to prevent problems. To address an upcoming protest or riot, it is essential to assess the threat based on intelligence collection. After gaining an understanding of the threat, the security director can choose a protective approach that best fits the situation, applying various concepts designed to calm the event and prevent harm.</p><p><strong>Intelligence gathering.</strong> A large company with a well-developed security department may have enough skilled personnel to perform its own intelligence gathering, while a smaller security department may need outside help through a risk assessment firm that specializes in addressing protests and riots. </p><p>Whoever performs the intelligence collection should attempt to learn as much as possible about the adversary, including its prior tactics and level of aggression. Conducting online research, looking at social media, interviewing law enforcement personnel, and speaking with other companies that have faced the group in the past can increase understanding. Viewing videos of past incidents can provide insight into the adversary’s strategies and practices in the hope of countering them. </p><p>In some cases, invisible countersurveillance may be appropriate. For example, before a major international economic summit, the author’s security firm determined that a famous, well-organized activist group wanted to embarrass a company that was headquartered in the city. 
To protect that company, the author’s company put the facility under covert surveillance before the summit. The goal was to detect odd behavior, such as a car passing by the site multiple times to conduct advance work for protesters, or someone walking past the site and taking pictures or notes, possibly for planning a protest. Surveillance was also designed to covertly determine the best places for protesters to hang banners. The company then took steps to make those locations unavailable. </p><p>Surveillance and countersurveillance are not foolproof. Dedicated protesters are aware of surveillance techniques and have published guides for detecting and eluding them. </p><p><strong>Planning.</strong> Intelligence collection should lead to some understanding of the adversary, which in turn should suggest an overall approach to protecting the site. However, finesse is required. In some cases, a high-visibility, high-security, high-deterrence approach is appropriate. If the protesters are known to be violent or the site is especially vulnerable, a strong approach may be called for. In many corporate settings, by contrast, a lower-profile, less-provocative approach is appropriate as a way to set expectations for peaceful behavior without doing anything to inflame the protesters. </p><p>Potential conflicts may be quelled through unpredictability. The company should generally not broadcast its security plans but should aim to keep protesters guessing. That way, they will not know what types of security measures to combat. For example, if there is a risk of insider collusion with the protest, the company can send workers home early, without any advance notice, to reduce opportunities for sabotage.  </p><p>Calm can also be preserved through disciplined behavior by security staff during the protest. They should not engage in arguments with protesters or return any abusive language. Protesters like to goad security officers into inappropriate responses. 
</p><p>Officers should control any urge to confront the protesters and instead calmly use deflection and redirection, with phrases like, “I hear and understand what you are saying, but...” Insulting protesters emboldens and empowers them, whereas keeping cool strengthens an officer’s control over the situation and increases safety.</p><p> Make the company a less attractive target by removing loose items that could be used as projectiles from the property and locking trash receptacles to decrease locations where protesters could plant bombs or set fires. Moving company trucks inside the security perimeter prevents vandalism against those vehicles, and locking up propane and oil tanks on-site keeps protesters from igniting those items.​</p><h4>Taking Action</h4><p>If the intelligence-based risk assessment suggests a significant risk, security directors should assess the site’s physical security strengths and vulnerabilities and develop a well-rounded security plan—long before a security response is required. A detailed plan is needed regardless of whether the company itself or an outside security firm will be providing security during the incident. </p><p><strong>Site assessment. </strong>Taking stock of a site’s strengths and vulnerabilities makes it possible to identify gaps that may need to be filled before the incident. Site strengths might include a high or isolated position, perimeter barriers, building access control, security video cameras and intrusion alarms, fire protection, emergency plans, and a security officer force. Vulnerabilities might include a low position, a lack of setback from the street, multiple routes in and out, and a location that is close to a riot’s point of origin.</p><p>Having completed the assessment, the company will have a better idea of what additional security measures are necessary to protect the site during the incident. 
For example, it might opt to strengthen key controls, establish an outer perimeter with a temporary chain link fence, increase protection of hazardous material areas, reposition security cameras, and trim foliage that could provide hiding places or help intruders scale fences.</p><p>The security director will likely need to work with senior management to make important policy decisions that will shape security operations during the incident. Issues to address include whether the business will continue to operate during the incident and whether security efforts will be high or low visibility. Management should also consider how to protect the company from the effects of the protest, including documenting illegal behavior by protesters, meeting legal obligations, protecting the corporate reputation, speaking with the media, and designating someone to address unexpected issues that arise during the protest or riot. </p><p><strong>Put it in writing.</strong> Protests and riots can create chaotic conditions, and a variety of support documents are needed to bolster decision making and protect against legal ramifications. For example, the security effort may require a list of employees and contractors authorized to enter the site during the incident; detailed emergency and contingency plans; written rules on access control during the incident; a list of on-site hazardous material and its location; detailed external and internal maps of the facility for fire and police units; and forms for reporting violence and other crimes that occur during the incident. </p><p>The plan should specify required security staffing levels, fixed and roving security officer posts, task assignments, shift schedules, supervision responsibilities, command center arrangements, and evidence management procedures.</p><p><strong>Education. 
</strong>The company needs a way to notify employees if an incident is underway or about to begin, as well as whether they should report to work and whom to contact for more information. It is also essential to establish communication channels with local law enforcement so the company will be informed of impending risks. In addition, the company may choose to contact distributors, customers, and vendors regarding whether business will continue during a protest or riot. </p><p>If the company’s usual security officers will be responsible for security during the incident, they will need training on how to act during the disturbance. Nonsecurity employees will also need training on how to conduct themselves and what to do if they show up to work and encounter a demonstration.</p><p><strong>Resources.</strong> A large-scale event will require additional equipment, materials, and services that address temporary needs. These include visible marking of property lines and “No Trespassing/No Parking” signs, and additional lighting and cameras. To prepare for disaster response, procure identification badges for special service providers during the incident, emergency medical supplies, fire and HAZMAT response equipment, and food and sleeping arrangements if security personnel will be required to stay on-site for long periods.</p><p>The plan should require employees to wear identification badges at all times and clarify any changes to work access hours and locations. It should also specify how employees should report security concerns and protester offenses. ​</p><h4>The Spectrum of Situations</h4><p>During a full-scale riot, a high-level, clearly visible deterrent posture to protect life and property is usually most effective. 
If people are moving through a city in large numbers, burning cars and buildings and looting stores, a low-key approach to security—such as clearly marked property lines and “No Trespassing” signs—will likely fail.</p><p>If a company’s intelligence effort suggests that a riot may follow an upcoming event, such as a controversial court decision or a campus speech, or a recent event such as a shooting by police, the company should use high-profile security measures to set an expectation, namely that rioters should move on and not attack the company’s facility. The author’s firm was tasked with protecting industrial facilities during the 2015 Baltimore riots following the death of Freddie Gray while he was in police custody. The firm’s approach was to deter attacks—not combat them—by prominently deploying security officers and cameras. </p><p>A different technique was required when the author’s firm was tasked with protecting television news crews as they went about the city. Because rioters were all around and the client was a soft target, the author’s company kept a low profile, standing only an arm’s length away from reporters, watching the surroundings carefully, and standing ready to carry out the evacuation plan.</p><p><strong>Disruptions at meetings.</strong> If protesters come to a town hall or annual shareholder meeting, the best approach is to send a positive message that event hosts expect the meeting to proceed in an orderly fashion. One approach is to mount temporary cameras on tripods or walls around the room. Mounting them makes them seem less aggressive than having a person hold each camera and point it at attendees. Large video monitors should be placed around the room, clearly showing participants that they are on camera, and a single local law enforcement officer should be visible on-site. 
Experience shows that difficult or disruptive people will not comply the first or second time they are asked to behave, but if the request is made properly, somewhere around the third or fourth time most people will comply.</p><p><strong>Mass protests at company sites.</strong> Some special techniques for events such as protests against the Dakota Access Pipeline and the Atlantic Coast Pipeline include using high locations for photography, perhaps capturing multiple angles from a roof. Employee training on reporting threats and safe practices for driving to and from the site should be reinforced—especially what to do if followed when leaving. For legal protection, clearly mark property lines and take video of the act of posting “No Trespassing” signs in case they are torn down.</p><p>Sometimes the best approach is to remove protesters’ targets—this approach can minimize risk for all concerned. The author’s firm was asked to protect a corporate headquarters where a large-scale labor protest was expected. Only 10 to 15 police officers would be available to help deal with more than 1,000 protesters. To reduce opportunities for trouble, the company sent all its headquarters staff home, without warning, four hours before the protest was expected to start, and removed trash cans that could be thrown. To reduce protesters’ hope of good photo opportunities, the company’s main headquarters sign was covered and company trucks bearing the firm’s name were moved out of sight. Photographers were posted on the roof to document the event. These protection measures kept key assets safe.</p><p><strong>Airport protests. </strong>Sometimes a disruptive protest can be prevented or dispersed by emphasizing its illegality. In January 2017, protesters opposed to federal immigration policy massed at numerous U.S. airports, blocking pedestrian and vehicle movement. 
Most airports allowed the protests to continue, but protesters who tried to assemble at Denver International Airport were turned away by police because they did not have a permit as required by airport regulations. Restrictions on speech activity at airports were upheld by the U.S. Supreme Court, which states that an airport can impose reasonable restrictions on protest activity.</p><p>The goal of security in an era of protests is a safe outcome—the avoidance of death, injury, destruction of property, the hindering of legitimate business activities, and damage to reputation. </p><p><em><strong>Martin Herman</strong> is president and CEO of Special Response Corporation. He is a member of ASIS International and a past ASIS chapter chairman. He serves on the board of directors for the National Association of Security Companies. ​</em></p>
https://sm.asisonline.org/Pages/ASIS-Awards-School-Security-Grant-and-More-ASIS-News.aspx
ASIS Awards School Security Grant & More ASIS News (Strategic Security)
<p>This month, the Dallas Independent School District opens the doors to its newest transformational school, which is designed specifically for high school students interested in architecture, urban planning, environmental science, and community development. CityLab High School will offer students the opportunity to leverage the city of Dallas as their own hands-on laboratory.</p><p>But this cutting-edge “best-fit-school” concept, part of the city's public school choice program, comes with a daunting challenge: ensuring a safe and secure environment in an urban city center, and doing so on a limited budget.</p><p>That’s where the School Security Grant Competition, started by ASIS International and the ASIS Foundation in 2003, plays a critical role. This year, in conjunction with the ASIS International 63rd Annual Seminar and Exhibits, ASIS is awarding CityLab High School a $22,000 grant to pay for upgrades to the school’s camera system, access control system, and classroom intercoms. Axis Communications is making an in-kind donation of cameras and other equipment.</p><p>ASIS 2017 Host Committee Chairman Martin Cramer, CPP, worked closely with the Dallas Independent School District Police Department to get the word out about the grant and to identify the school with the greatest need.</p><p>“CityLab really stood out,” said Cramer. “Parents had voiced concerns about the school’s proximity to downtown Dallas, a busy interstate highway, and a homeless shelter. But with most of the school’s budget going to new construction, renovations, and asbestos removal for the 1950s building, there was little more the school could afford to improve security. 
These funds will go a long way to provide students and staff a safe and secure learning environment.”</p><p>The school identified a number of needed security upgrades, including network improvements, new security cameras, access control devices, and classroom intercoms covering all five floors of the building. </p><p>“In a large urban school district with limited funds, the responsibility of campus safety falls within the school’s budget,” wrote CityLab High School Principal Tammy Underwood, in her grant competition application. “This grant is an amazing opportunity for CityLab students and staff to be in a safe environment so that they can focus on their highest educational goals.”</p><p>The School Security Grant Competition is just one of the many ways ASIS International pursues its mission to advance security management best practices and give back to the community hosting the Annual Seminar and Exhibits. </p><p>“Without a doubt, school safety contributes to academic success, and promotes innovation, inquiry, and risk taking in high-poverty, high-performing schools,” wrote Underwood. “Students who feel safe are more attentive and efficient in the classroom, and they also have fewer symptoms of depression. I want parents, students, staff, and visitors to be comfortable and confident coming to our building.”​</p><h4>A World of Opportunity at the ASIS 2017 Career Center </h4><p>As the premier education and technology event for security professionals worldwide, ASIS 2017 promises unparalleled networking and career development options. </p><p>Now in its sixth year, the Career Center will continue to offer unprecedented professional value. 
Free to all attendees, the Career Center offers résumé reviews, career coaching, networking opportunities with employers and peers, and access to career development tools and job postings—plus free professional headshots in the Headshot Studio.</p><p>The excitement starts on Tuesday, September 26, with a Coffee and Careers Networking Event sponsored by the Young Professionals Council, a perfect place for great networking. Attendees currently seeking jobs in the security field will want to return later for an interactive panel session, “What Security Employers Look For and What Makes Candidates Stand Out,” where senior security executives and hiring managers will share what elements in an applicant’s history impress employers, describe what they look for in interviews, and provide advice on how to stand out from the crowd. </p><p>The day culminates with a session for ambitious professionals who have set their eyes on the top and are looking for an answer to the question, “How do you become a CSO?” This is their opportunity to hear straight from senior executives how they reached the top, lessons learned along the way, and how attendees can benefit from their experiences. </p><p>On Wednesday, the Career Center will hold another Coffee and Careers Networking Event for those looking to transition into the security field to help them create new professional connections, foster ones already made, and take part in engaging discussions on career development. Afterwards, attendees will have a chance to further build on those discussions when they take part in the “Career Development in Security” session, which will offer young security professionals the tools and best practices they need to grow their security careers.</p><p>The Career Center wraps up with a bang on Thursday with two of its most impactful sessions. 
The first, “Mentoring: Guiding Tomorrow’s Leaders” will provide the next generation of security industry leaders with another avenue to hone their skills to achieve their career goals, whether it’s to embark on a new challenge or advance within their organization. Panelists will examine the importance of mentoring, as well as what to look for in a mentor, key factors in building an effective relationship, and the qualities of a successful mentee. </p><p>Attendees will continue examining the future of security with a convergence panel that will explore the ever-changing relationship between information technology and physical security. As threats around the globe become increasingly sophisticated, it is vital that security professionals in every focus area can collaborate and identify comprehensive solutions for the risks facing citizens, industry, and governments around the world.</p><p>Career Coaching and résumé reviews will take place during exhibit hours. Stop by to book an appointment. </p><p>“ASIS has been instrumental to my professional development and as cochair of the Young Professionals Council, it has been particularly rewarding to help shape the high-caliber programming. From CSO perspectives to employer hiring needs to mentorship best practices and leadership skills, ASIS 2017 will provide security professionals at every stage of their careers with the tools they need to succeed in today’s job environment,” says Angela Osborne, PCI, regional director for Guidepost Solutions. 
“I encourage security professionals across every sector to take advantage of the breadth of career-enhancing education, advice, and professional development that will be available.”</p><p>Whether attendees are new to the security field and looking for those first valuable connections, or seasoned veterans of the industry seeking to further their existing careers, the Career Center offers a world of opportunity ready to be explored.</p><h4>International Buyer Program Helps Expand ASIS 2017’s Global Footprint</h4><p>Attendees and exhibitors at ASIS 2017 will have the chance to expand the scope of their business opportunities to a global level. Thanks to the U.S. Department of Commerce International Buyer Program (IBP), a joint government-industry effort, hundreds of global buyers from multiple delegations will attend ASIS 2017 for business-to-business matchmaking with exhibitors and attendees. The buyers represent security professionals from around the world.  </p><p>“The International Buyer Program provides an excellent opportunity for security professionals globally to benefit from the collective wisdom of the 22,000 attendees and exhibitors at ASIS 2017,” says Godfried Hendriks, CPP, managing consultant at GOING Consultancy BV and secretary of the ASIS International Board of Directors. “In today’s threat environment, security professionals need a global community of peers they can turn to year-round for support, best practices, and information sharing. ASIS 2017 will help facilitate these relationships.” </p><p>Every year, the IBP generates approximately $1 billion in new business for U.S. companies, primarily through increased international attendance at participating U.S. trade shows. </p><p>ASIS 2017’s participation in the IBP provides attendees with access to a broad array of security professionals, qualified international buyers, representatives, and distributors. It also increases the chances of finding the right international business partner. 
Not only will attendees meet more global buyers, representatives, and distributors, but exhibitors’ products and services can be listed in the Export Interest Directory and distributed to all international visitors for additional awareness.</p><p>Once a potential partner is identified, attendees have complimentary use of the on-site International Trade Center, where companies can meet privately with prospective international buyers, prospective sales representatives, and other business partners.</p><p>To assist in facilitating conversations, international trade specialists will be available on-site in the International Trade Center to provide matching assistance and expert trade counseling to global delegates and U.S. exhibitors.</p><p>Don’t miss out on the chance to expand your global footprint. Stop by the International Trade Center on the expo floor to learn more. ​</p><h4>All the Hub-Bub</h4><p>ASIS 2017 promises a show floor filled with fantastic networking opportunities, groundbreaking security products and service solutions from industry-leading exhibitors, and second-to-none education opportunities. At the center of it all is the ASIS Hub, an enormous 1,600-square-foot presence on the show floor that is serving as the place for all things ASIS International. </p><p>The Hub is the primary location for meeting with ASIS staff and learning more about becoming a member, obtaining one of the three board certifications, and getting involved in one of the professional interest councils. It’s also the place to unwind and recharge—literally—in the lounge with several charging stations.</p><p>The Hub will function as the go-to space for everything related to ASIS councils, with council members standing by to answer questions and offer expertise. The 34 ASIS councils explore focus areas like Crime Prevention and Loss Prevention, Healthcare Security, Information Technology Security, Investigations, Physical Security, and much more. 
There is a council for security professionals in nearly every discipline and industry sector.</p><p>The staging point for multiple Fireside Chats, the Hub will provide attendees an opportunity to interact in small groups with speakers after select education sessions. Members can visit the Hub for updates on the certification programs and exhibitor press conferences. And this year, the prize booth is located inside the Hub, where, twice a day, lucky attendees will walk away with exciting prizes.</p><p>Members of ASIS International are part of the largest community of security professionals worldwide, all with the shared goal of advancing global security. Engaged in their local communities year-round, members are dedicated to the security mission and making all communities safer places to live. Additionally, ASIS certifications are recognized worldwide as the gold standard of excellence in security management. Offering Certified Protection Professional® (CPP), Professional Certified Investigator® (PCI), and Physical Security Professional® (PSP) accreditations that are transferable across all industry sectors and geographic borders, ASIS certifications are valuable investments in advancing a security career. </p><p>Those who stop by the Hub can gain insights and tools needed to further their careers, get more involved in the Society, and learn about the unmatched benefits of membership in ASIS International. ​</p><h4>LIFETIME CERTIFICATION</h4><p>Congratulations to the following members who have been named Lifetime Certificants.</p><p>• Thomas M. Prochaska, CPP</p><p>• W. David Rabern, CPP</p><p>• David O. Best, CPP</p><p>• Walter F. Bodner, CPP</p><p>• James M. Gill, CPP</p><p>• Peter Urbach, CPP, PCI, PSP</p><p>• Richard G. Steele, CPP</p><p>• Samuel E. 
Manto, CPP​</p><h4>LIFE MEMBER </h4><p>The ASIS Board of Directors has granted life membership to Bob Battani, CPP.</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Key to Keys: 5 Steps to Developing an Effective Access Control System</em>. By Randy Neely. CreateSpace Publishing; available from Amazon.com; 118 pages; $15.95.</p><p>While this book could more aptly be titled <em>Keys: A Memoir</em>, author Randy Neely does a sound job of highlighting a widespread challenge that everyone in the security business has experienced at one time or another—the effective control and accountability of key and access systems.</p><p>Neely employs first-person narrative to recount his professional history and how he invented key and access control systems, relying too much on personal description for a professional publication. </p><p>Nonetheless, the author does a superb job of bringing to life the adage that necessity is the mother of invention. After experiencing a series of expensive lost key episodes, he created a system to more effectively manage keys. Valuable first-hand stories help round out the problem-impact-solution triad. </p><p>Neely chronicles the financial and legal impacts that inadequate controls can bring. For example, a single set of lost master keys cost a university nearly $350,000. The impact doesn’t end with the bottom line, but it can also adversely affect legal documents and court cases, as well as an organization’s reputation.</p><p><em>The Key to Keys </em>has some instructive value to students of security management, but it goes too far in promoting the author’s products. Further, some of the photos, tables, and figures lack defining labels or captions, are presented out of focus, or do not adequately line up.  
</p><p>The most valuable lesson from this book is that motivation and initiative can inspire an earnest practitioner to not only safeguard people and property, but also to take that next step and invent new and effective ways to help improve security practices.</p><p><em><strong>Reviewer: Terry Lee Wettig, CPP</strong>, is an independent security consultant. He was previously director of risk management with Brink’s Incorporated and a U.S. Air Force chief master sergeant. He is a doctoral candidate in organizational management and a member of ASIS. ​</em></p>
https://sm.asisonline.org/Pages/House-Rules.aspx
Q&A: House Rules (Physical Security)
<p><strong><em>Q. How are gaming security professionals leveraging technology to protect their assets? </em></strong></p><p><strong>A. </strong>While the protection of gaming assets is important, what about the nongaming areas of the operation such as food and beverage outlets, nightclubs, bars, lounges, and retail outlets? Many security professionals believe the second most-observed area for surveillance personnel should be food and beverage. Data from Moody’s Investors Service from September 2016 said that nongaming revenue was 55 to 65 percent of the revenue of a gaming property, with food and beverage being the largest portion of that. So no matter what city or property patrons visit, of the disposable income that people bring to the gaming industry, it appears that the food and beverage revenue is becoming at least as important to casinos as the gaming revenue. </p><p>To more closely monitor losses and possible theft in the food and beverage departments, security teams can leverage an effective point-of-sale control solution that is integrated with a hotel and casino’s surveillance recording system, which identifies errors in procedures and theft.</p><p>With a point-of-sale (POS) terminal, you basically have a cashier device of some type, such as a register. That transmits data to the server, where the data is analyzed and stored. Depending on what the food and beverage management team wants and what their parameters are, the POS generates reports. For example, if you’re talking about a bar, you have data on who the employee is, the time of day, what drink was ordered, what drink was served, what food was ordered, and what food was served. The solution takes that data and overlays it with the video of that POS terminal. 
You can go back and see what the employee is actually ringing up, and what their actions are compared to what the electronic data is coming out of that POS–and hopefully they are going to match. If you see any anomalies in the data, then you can go back and watch what actually happened, which is very helpful in catching any improper actions, mistakes, or thefts.</p><p><br></p><p><strong><em>Q. Some thieves have learned to steal thousands of dollars by hacking and cheating slot machines. How can these incidents be avoided? </em></strong></p><p><strong>A. </strong>In 2009, virtually all gambling was outlawed in Russia, so the casinos there had to sell their slot machines to whoever would buy them. A lot of their machines wound up in organized crime groups. In 2011 the casinos in Europe started noticing certain brands of slot machines that were losing large amounts of money, but no physical cheating was noticed. That led to the theory that maybe the cheaters had figured out a way to predict slot machine behavior. </p><p>It was later discovered that cheaters were uploading footage of slot machines  to technical staff in Russia. Someone would analyze the video, calculate the machine’s spin pattern, somehow interfering with or being able to determine that slot machine model in their pseudo-random number generator, and send a reply back to the cheater. This information would set certain markers for their play, giving them a better-than-average idea of when the machines were going to hit. </p><p>In the United States, law enforcement investigations led to the arrest of one Russian national in California in a casino in July 2014 who was engaging in this sort of cheating. The FBI later indicted all four individuals involved in the ring. 
</p><p>To give you an idea of the potential losses, the Russian cheaters tried to limit their winnings to less than $1,000 per incident, but a four-person team working multiple casinos could earn upwards of a quarter of a million dollars a week. </p><p>While some responsibility falls on the slot machine manufacturing company, the basic protection effort is still on the casino surveillance and security personnel. It’s up to them to follow up with surveillance observations and review that slot machine play to see if there’s anything that does not match up with the daily slot exception reports, which highlight unusually large losses.  </p><p><br></p><p><strong><em>Q. We’ve seen armed robberies take place at gaming properties over the years, most recently at a casino in Manila where 36 people died. What is being done to combat those incidents? </em></strong></p><p><strong>A.</strong> Armed robberies in the industry are a concern; they don’t happen that frequently, but they are very troubling when they do. In June of this year in Gardena, California, two men followed a victim who had just won a large sum of money from a casino and rammed into the back of his vehicle to create an accident as he left the property. When he pulled into a gas station to look at the damage to his car, they robbed him of his cash winnings and shot him four times. Fortunately, the victim survived. </p><p>And then you have the shooting in Manila. It was an active shooter situation where 36 people died. The motive for that individual? Also robbery. How do we prevent things like that? It’s very difficult. Most of the robberies occur at night, and most of the casino hotels are so large they have multiple entrances and exits. </p><p>For cage [money-handling area] robberies, the training is, give the subjects the money, don’t cause any problems, and hit the holdup alarm when the robber leaves your window. And you want him to get away—you want him to get out of the property, especially if he is armed. 
We don’t want our security personnel to try to stop them. We notify law enforcement and let them handle it. </p><p>You need to look at the scheduling of your security staff during hours of darkness, and you may want to increase the external patrols during those times. If you have winners who have large amounts of winnings, you may want to encourage them to take a check rather than cash. If they decide to take cash, offer them an escort to their mode of transportation. Most of the time it’s their own personal vehicle, so offer them a security escort to their vehicle. </p><p>If properties don’t already do it, they may want to consider posting a security officer by the cage. A lot of casinos have security podiums for public relations and assistance for guests that are located by the cage and serve as a deterrent. And finally, you can use plainclothes officers to be on the lookout for any unusual activity.</p><p><br></p><p><strong><em>Q. How has the active shooter trend affected gaming security? Are more properties deciding to arm their guards? </em></strong></p><p><strong>A. </strong>One trend is that some gaming regulators are now requiring a copy of a licensee’s active shooter plan. The Mississippi Gaming Commission, for example, recently announced such a policy. Some casino companies are also considering arming some of their security force to be able to quickly react to an active shooter situation, if state law allows it. In many jurisdictions where gaming is a business, the state regulations do not allow security to be armed. </p><p>The approach has some pros and cons, and I would not disagree with any of my peers on what their decisions might be to protect their company. </p><p>Most active shooter situations are over in 11 minutes if it’s not a hostage situation, and in many cases first responders from law enforcement can’t get there that quickly. Sometimes they do, but if you had individuals on site, obviously their response would be much quicker. 
</p><p>Now your armed response team could contain and neutralize an active shooter, but they also have to be cognizant of what is lawful for a citizen’s reaction to such a violent situation. State laws pretty much dictate when deadly force can be used against an armed suspect. So if you’re going to arm these personnel, you have to be sure to operate within whatever your state law says about using deadly force on an individual.</p><p><br></p><p><strong><em>Q. What are the pros and cons of arming plainclothes officers?</em></strong></p><p><strong>A. </strong>If your armed security guards are in uniform, that could be a deterrent to an active shooter in and of itself. But if your armed officers are in plainclothes they can blend in with the customers, concealing the fact that they’re armed. One of the disadvantages of such a policy—and this is strictly my opinion—how are your law enforcement first responders going to be able to identify a plainclothes security officer as a friendly with a gun in his hand? For law enforcement personnel responding to an active shooter, their first goal is to neutralize that shooter. And if they come into a property and you’ve got one of your plainclothes security officers standing with a weapon, it’s quite possible they’re going to be neutralized by law enforcement, which is not good.</p><p>You also need to take a look at how your security personnel with weapons are trained to respond. This training has to be thorough, and the policies and procedures must be able to withstand legal scrutiny. How are security personnel trained in the use of firearms? What’s the selection process for such officers? Are they retired or former law enforcement personnel, are they military personnel? Finally, what’s your liability if one of your security personnel accidentally shoots an innocent bystander in a situation like that? All these things must be considered when deciding whether to arm officers.</p>
https://sm.asisonline.org/Pages/Safety-in-Shared-Spaces.aspx
Safety in Shared Spaces (Physical Security)
<p>Coworking spaces are on the rise around the globe. These flexible work settings allow people without a traditional office building to still enjoy many of the amenities that come along with having a dedicated work environment. </p><p><em>The 2017 Global Coworking Survey</em>, conducted by Deskmag, along with SocialWorkplaces.com, found that there are an estimated 13,800 active coworking spaces worldwide, hosting more than 1 million people. </p><p>This represents a major increase from five years ago, when just 2,070 coworking spaces were used by 81,000 people globally. COCO, a coworking company based in St. Paul, Minnesota, offers several different levels of membership and types of space, so clients are only paying for the amount of time they need and space they require, says Megan Dorn, director of operations at COCO. </p><p>“Our idea in doing that was to be with our clients as they grow—from the beginning of their business, to hiring employees, to maybe needing private offices—which we also have,” she says. “So that’s what makes us a little bit different than your typical coworking space.” </p><p>When the company started in 2010, it had to distribute physical keys to its members, “which is a nightmare as you’re trying to grow,” she notes, and a security concern if a key was ever lost. </p><p>Because COCO normally leases its space in a larger building, it needed a security solution that was as flexible as the working environment it provides. “We usually have to find ways—when we’re opening a space or acquiring a space—to work with the building to find ways to get our security system installed,” Dorn explains. 
</p><p>When COCO acquired a new space in Chicago last May, the existing security system was a door locked by a PIN code, which the building never changed. The PIN code was distributed to a large number of people.</p><p>“The space got broken into a week before we acquired it. Laptops were stolen, and people were really on edge,” she notes. “So as soon as we came in to the Chicago space, one of our top priorities was to get a really solid access and security system in place.” </p><p>COCO turned to Brivo’s OnAir, a cloud-based access control system that easily integrated into the company’s membership dashboard, called Bamboo. Using Brivo, COCO can easily distribute keycards to its clients and manage membership usage and levels. </p><p>To set up the system, Brivo representatives come to COCO’s space and add card readers to the appropriate doors. They also set up schedules and the different access levels for membership types.</p><p>COCO has one membership accountant who works out of the company’s headquarters and oversees assigning new members a keycard number through Brivo. “It’s all digital, so it can be done remotely,” she notes. </p><p>A community manager at the member’s location—the lead COCO employee for that site—can then log on to Brivo and see which card number has been assigned for that client, add the number to their member profile in Bamboo, and distribute it. </p><p>Changing, granting, and revoking access levels, as well as keeping track of when members come and go throughout the building, are all managed through the Brivo platform. </p><p>“Say you want to upgrade a member from part-time to full-time. We’re able to just go into Brivo and quickly change your access. It’s active the moment that you do it,” she notes. “That’s actually been really helpful for us, given we have all this variability in types of membership.” </p><p>When a member badges in, a wealth of information comes up on the Brivo dashboard for the community manager to see. 
“Their picture, their name, their membership level, how many times they’ve checked in already that month, it immediately shows up,” she says. “So it tells you in real time exactly who’s in your space and when.”</p><p>The business value of OnAir is immense for COCO, Dorn points out, because the company can tell how often members are actually using the space, and whether they have made payments, as soon as they present their access card to the door reader. </p><p>“Let’s say someone is delinquent on payment. As soon as the member checks in, there’s going to be a big red circle with an exclamation point [on the dashboard]–you can’t miss it,” she says. “It’s definitely helped us lower the sheer amount of delinquent payments that we have, and receive that payment.”</p><p>When a member badges in, Brivo also alerts the community manager if that person hasn’t been in the space very often that month. </p><p>“If we can find a member who we consider at-risk, who hasn’t been using the space, and we’re alerted to that we can reach out to them, invite them to an event, or try whatever we can to reengage them,” Dorn says. </p><p>COCO is also in the initial stages of using Brivo MobilePass, which lets COCO staff remotely lock and unlock doors via a smart device, for members who want to access the space after-hours but forget their keycard. </p><p>Because of how easily it can deactivate and reactivate access, COCO also encourages members who leave the company to keep their keycards. </p><p>“The goal is to try to get the member to come back. So if you have that card and you come back, you’re already set up in our system, all we have to do is reactivate the card and then we’ll also waive any setup fees,” Dorn says. </p><p>She notes the combination of security and business insights from Brivo has been tremendous for COCO. </p><p>“Brivo as a security system has helped us go from being a group of people working out of a space to a full-fledged company,” she says. 
“It really helps us manage all of the different types of membership and the stages of business they’re in.” </p><p><em>For more information: Nicki Saffell, sales@brivo.com, www.brivo.com, 301.664.5242 ​</em></p>
https://sm.asisonline.org/Pages/AI-The-Force-Multiplier.aspx
AI: The Force Multiplier
Cybersecurity
<p>Go is not just a game. It can also serve as an analogy for life, a method of mediation, an exercise in abstract reasoning, or even as insight into a player’s personality. The ancient board game from China is played by two players on a 19-by-19 gridded wooden board with black and white stones. The stones are used to surround other stones to capture them or to mark territory, with 10 to the power of 170 possible board configurations. </p><p>“There is no simple procedure to turn a clear lead into a victory—only continued good play,” according to the American Go Association. “The game rewards patience and balance over aggression and greed; the balance of influence and territory may shift many times in the course of a game, and a strong player must be prepared to be flexible but resolute.”</p><p>A typical game on a normal board can take 45 minutes to an hour to complete, but professionals can make games last for hours. Supercomputers are not even capable of predicting all the moves that could be made in a game.</p><p>This is why when Google’s Deep Mind artificial intelligence (AI) AlphaGo beat one of the best players of the past decade, it was an exciting moment for the future of technology. AlphaGo bested Lee Sedol, winner of 18 world titles, in four out of five games in a 2016 tournament.</p><p>“During the games, AlphaGo played a handful of highly inventive winning moves, several of which—including move 37 in game two—were so surprising they overturned hundreds of years of received wisdom, and have since been examined extensively by players of all levels,” Deep Mind said in a press release.</p><p>And then, AlphaGo won again in May 2017, marking the AI’s final match event. 
“The research team behind AlphaGo will now throw their energy into the next set of grand challenges, developing advanced general algorithms that could one day help scientists as they tackle some of our most complex problems, such as finding new cures for diseases, dramatically reducing energy consumption, or inventing revolutionary new materials,” Deep Mind said in a press release. “If AI systems prove they are able to unearth significant new knowledge and strategies in these domains too, the breakthroughs could be truly remarkable. We can’t wait to see what comes next.”</p><p>Neither can the rest of the world. The AI market is projected to reach $70 billion by 2020 and will impact consumers, enterprises, and governments, according to The Future of AI is Here, a PricewaterhouseCoopers (PwC) initiative. </p><p>“Some tech optimists believe AI could create a world where human abilities are amplified as machines help mankind process, analyze, and evaluate the abundance of data that creates today’s world, allowing humans to spend more time engaged in high-level thinking, creativity, and decision-making,” PwC said in a recent report, How AI is pushing man and machine closer together.</p><p>And this is where cybersecurity professionals and experts have shown the most interest in AI—in its ability to create a workforce of the future where AI works to amplify the human workforce, freeing it up to look at the bigger picture and handle problems that machines are not yet capable of.</p><p>“The goal of AI in cybersecurity is to make people more efficient, to be a force multiplier,” says Ely Kahn, cofounder and vice president of business development for threat hunting platform Sqrrl. “There’s a huge labor shortage in the cybersecurity industry. I think AI has the ability to help with that by making the existing cybersecurity analysts more productive.”</p><p>The basics. 
AI is defined as the development of computer systems to perform tasks that typically require human intelligence. The term was first used in a 1955 proposal for a Dartmouth summer research project on AI by J. McCarthy of Dartmouth, M. L. Minsky of Harvard, N. Rochester of IBM, and C.E. Shannon of Bell Telephone Laboratories. </p><p>The authors requested a two-month, 10-man study of AI to attempt to find out “how to make machines use language, form abstractions and concepts, solve kinds of problems now reserved for humans, and improve themselves,” according to the proposal.</p><p>Since then, AI has advanced, and there are now many broad areas that fit under the overall umbrella of AI, including deep learning, cognitive computing, data science, and machine learning, says Anand Rao, partner at PwC and global artificial intelligence lead. </p><p>Machine learning is one of the largest areas getting attention right now, Rao says. Machine learning is what its name describes—the science and engineering of making machines learn, according to PwC.</p><p>This is done by feeding a machine large amounts of data, then having it learn an algorithm to figure out what is considered normal and abnormal behavior. </p><p>“In machine learning, the idea is you don’t know exactly what the rules are, so you can’t write a program,” Rao explains. “Usually we get an input, we write specific instructions that produce an output; we can do that if we know what it is that we are trying to do. But when we don’t know that, it becomes hard.”</p><p>This is where the two subcategories of machine learning come into play: supervised and unsupervised learning.  </p><p>Unsupervised machine learning uses data to train the system to create algorithms and the machine is continuously learning, says Kahn, who is the former director of cybersecurity for the White House’s national security staff. 
Unsupervised machine learning algorithms are “continuously resetting, so they are learning what’s normal inside an organization and what’s abnormal inside the organization, and continuously learning based on the new data that’s fed into it,” he explains. </p><p>With supervised learning, humans train the system using training or labeled data to teach the system the algorithm to look for to identify certain types of patterns or anomalies. However, the two types of learning can be used in combination—they do not need to be kept separate.</p><p>For instance, supervised machine learning can be used to allow analysts to provide feedback for algorithms the system is using, “so if analysts see something that our unsupervised machine learning algorithms detect that is a false positive or a true positive, the analysts can flag it as such,” Kahn says. “That feedback is fed into our algorithms to power our supervised machine learning loop…you can think of it as two complementary loops reinforcing each other.”</p><p>Deep learning. One of the main fears that many people have about the increasing role AI will play in society is that it will replace jobs that humans now hold. While that might be the case for some positions, such as receptionists or customer service jobs, experts are skeptical that AI can replace humans in cybersecurity roles. </p><p>To make the kind of decisions cybersecurity analysts make, machines would need to use deep learning—a subcategory within supervised machine learning that powers Google’s Deep Mind products and IBM’s Watson. It uses neural network techniques that are designed to mimic the way the human brain works.</p><p>“I talked about supervised machine learning in the sense of using training data, to help educate algorithms about the different types of patterns they should look like,” Kahn says. 
“Deep learning is that on steroids, in that you’re typically taking huge amounts of training data and passing them through neural network algorithms to look for patterns that a simpler supervised machine learning algorithm would never be able to pick up on.”</p><p>The problem with deep learning, however, is that it requires vast amounts of training data to run through the neural network algorithms.</p><p>“Google, as you can imagine, has massive amounts of training data for that, so it can feed that training data at huge scale into these neural networks to power those deep learning algorithms,” Kahn says. “In cybersecurity, we don’t quite have that benefit. It’s why deep learning algorithms have been a little bit slower in terms of adoption. There are not pools of labeled cybersecurity data that can be used to power deep learning algorithms.”</p><p>For cybersecurity, ideally, there would be a huge inventory of labeled cybersecurity incidents that could be used to create deep learning algorithms; the inventory would have information about how a site was compromised and what exploit was used.</p><p>“In today’s environment, there is no massive clearinghouse of that information,” Kahn adds. “Companies generally don’t want to share that information with each other; it’s sensitive.”</p><p>This is holding back the cybersecurity industry in terms of taking the next step with AI, and Kahn says he doesn’t see companies’ unwillingness to share data changing any time soon. </p><p>“It’s going to be very hard—less from the technical reasons and more from the policy and legal reasons,” he says. “I don’t know if we’ll ever get to a point where companies are willing to share that level of detail with each other to power those types of deep learning algorithms.”</p><p>However, big companies who have vast amounts of data may be able to take advantage of deep learning in the future, Kahn says.</p><p>AI today. 
Numerous cybersecurity products are available today that market themselves as an AI product, or one that uses machine learning. These products tend to be used to understand patterns of threat actors and then look for abnormal behavior within the end users’ system, Rao says.</p><p>For instance, a product could be used to look at denial of service attacks, “how that happens, the frequency at which they are coming, and then developing patterns that you can start observing over a period of time,” he explains.</p><p>These patterns can help companies identify who is trying to infiltrate their systems because the behavior of hobbyist hackers, organized hacking groups, and nation-states differs. </p><p>“Once you start profiling, you start looking at how to prevent certain types of attacks from happening,” according to Rao. “Based on the types of profiling, you have various types of intervention.”</p><p>This blending of machines—using AI to identify patterns and humans to make decisions based on those identified patterns—is how AI will change the future of cybersecurity and help bolster the workforce, Kahn says.</p><p>“Optimally, we start seeing a very close blending of man and machine in that we’re reliant on relatively simple algorithms to detect anomalies. Those algorithms are advancing and getting more sophisticated using AI-type technology to reduce false positives and increase true positives,” he explains. “So, analysts are spending more time on the things that matter, as opposed to chasing dead ends.” ​ ​</p>
https://sm.asisonline.org/Pages/Protecting-Fine-Art-and-Other-Industry-News.aspx
Protecting Fine Art and Other Industry News
Security by Industry
<h4>PROTECTING FINE ART</h4><p>Thousands of visitors enter El Museo Thyssen-Bornemisza in Madrid each day to view the museum’s priceless masterpieces. To safeguard the precious art, the museum recently switched from analog video surveillance to an IP-based system. Bosch Security Systems helped the museum create a single integrated security system with a Bosch Video Management System and IP cameras that provide recording and storage of images, in addition to video analytics.</p><p>A special “museum mode” enables administrators to predefine a perimeter around an artwork, creating a virtual, invisible protective barrier. When the perimeter is breached by, say, an attempt to touch an artwork, an alarm is sent to the control center and security’s mobile devices, so personnel can quickly take action. This virtual barrier is a convenient alternative to conventional infrared barriers.</p><p>For those exhibits displayed in low-light conditions, the museum selected Bosch IP cameras with starlight technology. These cameras ensure that dimly lit areas can be properly monitored without additional lighting, and the museum need not compromise artistic concepts and ambience for security reasons.</p><h4>PARTNERSHIPS AND DEALS</h4><p>BriefCam video analytics embedded in Milestone’s video management platform are making efficient video investigation possible for Massachusetts General Hospital.</p><p>Bristow U.S. 
LLC won a contract from Hess Corporation for medevac services in the Gulf of Mexico.</p><p>Disaster recovery service provider Databarracks has announced that it is now a corporate partner of the Business Continuity Institute.</p><p>EyeLock LLC entered into a partnership with STANLEY Security to deliver EyeLock’s suite of access control solutions to North America.</p><p>Hikvision will help secure the iconic Holocaust Memorial Miami Beach.</p><p>BSE (formerly the Bombay Stock Exchange Ltd.) selected IBM Security to design, build, and manage a cybersecurity operations center.</p><p>IDSecurityOnline entered into an exclusive distribution agreement with ScreenCheck for its new line of durable ID card printers.</p><p>Lexmark International, Inc., announced that its Secure Document Monitor uses Intelligent ID’s Endpoint ID.</p><p>XProtect IP video management software from Milestone Systems was selected to protect a Picasso exhibit at the Tomie Ohtake Institute in São Paulo, Brazil.</p><p>Scania AB is using a Morse Watchmans key control and management system. </p><p>NAPCO Security Technologies, Inc., will supply Pepperdine University with its Trilogy Networx Locks for use on the Malibu, California, campus.</p><p>OnSSI is integrating its Ocularis 5.3 with S2 Security Corporation’s NetBox software.</p><p>Quantum Corp. announced that Zhejiang Uniview Technologies Co. Ltd., will become a Quantum value-added reseller and strategic alliance partner. </p><p>Razberi Technologies will embed CylancePROTECT software from Cylance in Razberi ServerSwitchIQ appliances.</p><p>Security Door Controls added Ascheman Marketing Group to its national family of security industry sales and support centers.</p><p>Siklu Inc. 
signed a distribution agreement with ALLNET, which will carry Siklu’s complete line of millimeter wave wireless radios.</p><p>TierPoint, LLC, is partnering with Compass Datacenters to build a new facility in Broken Arrow, Oklahoma.​</p><h4>GOVERNMENT CONTRACTS</h4><p>American Traffic Solutions won a contract from the Houston-Galveston Area Council for traffic control, enforcement, and signal pre-emption equipment.</p><p>ASPIDER-NGI and SURFnet, the Dutch National Research and Education Network, are partnering on eSIM to develop applications with an initial focus on identity management and authentication.</p><p>Axon announced that the Alameda County Sheriff’s Office in California purchased Axon Body 2 cameras and a five-year Evidence.com license.</p><p>An updated Disaster Resilience Scorecard was developed for the United Nations Office for Disaster Risk Reduction by AECOM and IBM with support from USAID and the European Commission.</p><p>Mosaic451 was awarded a contract for technology products and related services from the city of Charlotte, North Carolina.</p><p>The STRATTON U.S. Coast Guard cutter recently deployed with a small unmanned aerial system, the Insitu ScanEagle, which helped in four interdictions—seizing more than 1,676 kilograms of illicit contraband and apprehending 10 suspected drug traffickers.</p><p>Nextdoor social network for neighborhoods is partnering with the U.S. Federal Emergency Management Agency to support its mission to help communities prepare for and mitigate all hazards.</p><p>UL received a grant from the U.S. Defense Advanced Research Projects Agency for cybersecurity testing of Internet of Things (IoT) gateways for industrial control system applications to help mitigate security risks.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>Forbes named Allied Universal to its America’s Best Employers list for 2017.</p><p>ByteGrid Holdings LLC was awarded FedRAMP Ready status by the U.S. 
Federal Risk and Authorization Management Program.</p><p>ClearDATA was granted EU-U.S. Privacy Shield Certification.</p><p>Concurrent Technologies Corporation was recognized as a 2017 Best for Vets employer by Military Times.</p><p>Conformance Technologies announced that its InConRadar offering received the Electronic Transactions Association’s PayPal Tech Innovation Award for best risk solution.</p><p>Crowe Horwath has been designated as a HITRUST CSF Assessor by HITRUST. </p><p>At KuppingerCole’s recent European Identity & Cloud Conference in Munich, Germany, the Danfoss IoT security framework project was recognized with an award in the Best IoT Security Project category.</p><p>EventTracker announced that SC Magazine awarded EventTracker SIEMphonic with a perfect five-star rating in the 2017 UTM/SIEM/NGFW annual product Group Test review.</p><p>EyeLock LLC received a U.S. patent for enabling a single camera to acquire iris biometrics, as well as a face image, by providing suitable illumination for both.</p><p>FreeWave Technologies, Inc., announced that its ZumLink 900 Radio Series and Industrial IoT Programmable Radio were named bronze award winners by the American Business Awards and the IT World Awards, respectively.</p><p>G2’s Payment Laundering Detection was named a 2017 Pay Awards winner in the Fraud Fighter category. 
The selection was made by a panel of payment industry experts assembled by Paybefore.</p><p>The G4S North America Training Institute was named one of the best organizations for learning and development by Chief Learning Officer magazine for the fourth consecutive year.</p><p>Hikvision announced that its DS-2TD4035D-25 Bi-Spectrum PTZ Camera System was named the 2017 ESX Innovation Award winner in the video surveillance category.</p><p>Hillard Heintze announced that it achieved ISO/IEC 27001:2013 information security certification from the BSI Group.</p><p>NAPCO Security Technologies announced that its StarLink Connect was awarded a 2017 ESX Innovation Award in the intrusion systems category.</p><p>OpSec Security gained ISO 14298 security standard accreditation for its Washington and Leicester facilities.</p><p>The Protection Bureau announced that The Monitoring Association renewed its TMA Five Diamond Monitoring Center designation.</p><p>Zenitel Group announced that TMC named Vingtor Stentofon’s TCIV-6 IP SIP Video Intercom a 2017 Unified Communications Product of the Year Award winner.</p><h4>ANNOUNCEMENTS</h4><p>Boon Edam Inc. announced that a new production line for its Lifeline Optical Turnstiles is now operational at the company’s Lillington, North Carolina, factory.</p><p>Continental Access, a division of NAPCO, launched a newly revitalized website at www.cicaccess.com.</p><p>The Cross-Cultural Institute introduced Badges2Bridges, a new training program that helps police officers and law enforcement professionals work effectively with minority communities.</p><p>DataPath, Inc., expanded operations in the Washington, D.C., area to complement its existing Maryland office. </p><p>Detection Technology Plc. 
completed the expansion of its Beijing factory, with a larger production floor and new investments in automation and technology.</p><p>Frontier Services Group Limited acquired 25 percent of the International Security and Defense College in Beijing, becoming the largest private security training school in China.</p><p>F-Secure acquired Digital Assurance, a U.K.-based security consultancy firm.</p><p>The former Giesecke & Devrient Banknote business unit is now the Giesecke+Devrient Currency Technology independent subgroup.</p><p>Sheriff’s agencies will use the Lockheed Martin Indago quadrotor small unmanned aerial system to perform search-and-rescue operations as part of the Project Lifesaver International program that supports clients with autism, Down syndrome, and dementia.</p><p>The Master Lock Company relocated its headquarters to a newly renovated campus in Oak Creek, Wisconsin.</p><p>Point Blank Enterprises acquired Gould and Goodrich.</p><p>PSA Security Network acquired USAV, a team of audio-visual integrators, and its affiliate CI Edge. </p><p>The Security Industry Association (SIA) established the SIA Public Safety Working Group to develop recommendations to improve the safety, security, and sustainability of cities.</p><p>Security On-Demand Inc. acquired Infobright Approximate Query technology and intellectual property assets from Infobright Corporation.</p><p>Software Assurance Forum for Excellence in Code released two best practices documents to help combat growing security vulnerabilities. 
One is on threat modeling, and the other is about third-party components.</p><p>Tyco Security Products is partnering with the mayor of Boston and the Boston Women’s Workforce Council in a program designed to close the gender wage gap for women in the Boston area.</p><p>In a team-building exercise, Vector Security’s managers and senior executives constructed travel-version wheelchairs for donation to the Keystone Chapter of the Paralyzed Veterans of America.</p><p>Vision-Box reinforced its support to border control officials in Portugal, sponsoring the Conference “SEF and the Economy.” ​ ​</p>
https://sm.asisonline.org/Pages/Go-with-the-Flow.aspx
Go with the Flow
National Security
<p>Somewhere in Syria, an Israeli espionage team was left scrambling after U.S. President Donald Trump passed along Israeli intelligence to Russian officials in May.</p><p>During a visit to the White House by the Russian foreign minister and ambassador, Trump revealed highly classified information that was given to him by Israel about an ISIS plot—including the Syrian city in which the intelligence was gathered. The disclosure raised concerns that Russia—or ISIS—would be able to figure out who was collecting intelligence and how.</p><p>While Trump’s action was not illegal—the president is allowed to share classified information with whomever he sees fit—it could be seen as a political gaffe, according to experts. </p><p>In this case, Israel, which is known for its long-ranging espionage tactics, had explicitly asked that the information not be passed on without permission. </p><p>The impact of Trump’s disclosure to the Russians is yet to be seen, but it might manifest itself in ways not directly related to intelligence sharing, says James Igoe Walsh, professor of political science at University of North Carolina at Charlotte.</p><p>“On the one hand, that would be very troubling to other countries because they are sharing a lot of intelligence with the United States and it might be passed on in a similar spontaneous way,” Walsh tells Security Management. “Having said that, these are typically ongoing long-term relationships, so one episode is probably not going to be enough to upset that longer-run cooperation. In this case, Israel gets a lot from the United States in terms of intelligence, as well as a lot of other types of support. 
Maybe one mistake would not lead to a fundamental reassessment of that relationship.”</p><p>Walsh says he believes Trump’s decision to share the classified information was not planned; typically, countries share such information so they will receive something concrete in return, which was not the case with Russia. But regardless of the disclosure’s spontaneity, it almost certainly created headaches for the intelligence agents who initially obtained the information.</p><p>The flow of national security intelligence from one country to another can be fickle, Walsh notes. Alliances such as the North Atlantic Treaty Organization (NATO), the European Union (EU), the United Nations (UN), INTERPOL, and Five Eyes, an intelligence alliance made up of Australia, Canada, New Zealand, the United Kingdom, and the United States, foster structured intelligence sharing between nations. </p><p>But there are also countless complex connections, networks, and alliances between countries based on the sharing of not just intelligence but economic and military support. </p><p>“These narrow intelligence-sharing arrangements are embedded in larger arrangements,” Walsh explains. “If the U.S. becomes less predictable, that might be counterbalanced by other commitments, like military cooperation in Afghanistan or cooperation against terrorist threats.”</p><p>This is especially important for nontraditional intelligence-sharing partners. The United States depends on both traditional and new allies for counterterrorism intelligence sharing, according to a report in academic journal Global Security Studies. 
The global reach of terrorist groups has widened the circle of allies the United States has to rely on for intelligence from the trenches.</p><p>For example, “nontraditional relationships with Muslim nations like Saudi Arabia and Pakistan have been critical to the crackdown on terrorism financing and the ongoing operations against terrorists and insurgents in both Afghanistan and Pakistan’s federally administered tribal areas,” according to the report Challenges to International Counterterrorism Intelligence Sharing written by Anna-Katherine Staser McGill and David H. Gray.</p><p>While these newer relationships are bolstered by military support or a dependence on the oil trade, more traditional alliances are expected to last through thick and thin—although recent concerns based on leaks, personal data protection, and the increased flow of information can put a strain on the sharing relationships.</p><p>Just weeks after Trump passed on Israeli intelligence to Russia, the attack at an Ariana Grande concert in Manchester, United Kingdom, shocked the world. While British authorities were scrambling to track down the perpetrators, American news media published details of the ongoing investigation, including the name of the suspected attacker and photos of bomb fragments from the attack. </p><p>British intelligence officials immediately announced that they would no longer share information from the investigation with their American counterparts; Manchester Mayor Andy Burnham told newspaper reporters that the country couldn’t risk sharing any more information. </p><p>The change in policy upsets a history of open information sharing between the United Kingdom and the United States during crises, Walsh notes. </p><p>“They share this kind of intelligence on autopilot, and maybe with good reason,” he says. “They planned it in advance so that they could disseminate information to partners who may be able to help them with the investigation. 
The assumption would be that the recipient would not be sharing it with the media at all, or especially more or less immediately.”</p><p>The EU has its own intelligence-sharing challenges. Although Europol has established several means of intelligence sharing across Europe, it has continued to face problems connecting the dots. </p><p>“The recent terrorist attacks in Belgium and France have once again highlighted the contradiction between the seemingly free movement of terrorists across Europe and the lack of EU-wide intelligence sharing,” notes Oldrich Bureš in the policy journal European View. “Due to their earlier criminal activities, most perpetrators of the attacks in both Paris and Brussels were known to the various security agencies in several EU member states.”</p><p>Indeed, a man who gave logistical support to the terrorists who carried out the November 2015 Paris attacks had been investigated by both Belgian and Dutch police, but neither the EU nor French authorities were aware of the man. </p><p>While Europol has established multiple tools for reporting and collecting national security and terrorism intelligence, it cannot conduct its own investigations and instead facilitates the exchange of information. However, given the cultural and linguistic diversity of the 28 EU member states, as well as their differing political and judicial frameworks, sharing intelligence through Europol may not be as effective as more informal arrangements.</p><p>Likewise, the United Nations’ counterterrorism efforts lack coherence, according to an issue brief by the Council on Foreign Relations. The UN alone runs more than 30 agencies that conduct counterterrorism activity. </p><p>“Too often, these various elements are uncoordinated and even competing,” the report notes. 
A UN committee created a consolidated list of individuals subject to sanctions because of terrorist activity, but the report finds that the impact was negligible “given the lack of regular updates and expansion of the list, making it an inflexible mechanism,” especially as terrorist groups become less hierarchical.</p><p>Walsh points out that even successful intelligence-sharing relationships face larger philosophical concerns—determining when to share information, and whether the receiving country will treat that information appropriately.</p><p>“Typically, when you cooperate with another country, say on trade policy or an alliance, you want to be able to observe how they’re behaving to see if they’re living up to their commitments,” Walsh explains. “That’s exceptionally hard to do in the area of intelligence because it’s information and secrets.”</p><p>Nations also need to know whether it is necessary to share intelligence they have collected. After 9/11, intelligence agencies agreed to share secrets more freely with each other to prevent another large attack. However, the effort backfired when leaks through Edward Snowden and WikiLeaks made agencies scale back their sharing to need-to-know information.  </p><p>“It’s really hard to know when you actually have ironclad intelligence that something bad is going to happen,” Walsh explains. “You have so much intelligence that’s collected on individual people, like travel records, so the problem is connecting the dots. How do we even know that we should share that?”</p><p>Trust is essential to intelligence-sharing relationships, whether it’s trusting that the information is accurate or trusting that the receiving country will treat the information appropriately. 
</p><p>Despite Trump’s gaffe, Walsh points out that it takes a great deal to seriously damage an intelligence-sharing relationship—there were no significant changes to the United States–Germany relationship after it was revealed that the United States had been tapping German Chancellor Angela Merkel’s private phone. However, too many leaks and faux pas by the new administration could eventually take a toll.</p><p>“It’s troubling that the Manchester investigation leaks happened so shortly after the Israel episode,” Walsh says. “It might suggest to foreign governments that there’s a pattern, especially if that information was shared with the United States and it was leaked by the White House, in particular.”  ​</p>
https://sm.asisonline.org/Pages/Global-Water-Risk.aspx Global Water Risk | Physical Security<p>If, as biblical wisdom reveals, the meek shall inherit the earth, then perhaps it will be the dirty, not the pure, who help build a sustainable global future—at least when it comes to water, say scientists.</p><p>As an issue of global significance, water security has recently vaulted to prominence. Half of the world’s largest cities now experience water scarcity, and roughly two-thirds of the world’s populace face seasonal or annual water stress. </p><p>The future looks even drier. Demand for water is expected to exceed supply by 40 percent within 15 years, if current conditions continue. By 2025, absolute water scarcity will be a daily reality for an estimated 1.8 billion people, according to a United Nations (UN) estimate. Water scarcity can lead to instability and violence; the crisis in Syria was triggered by, among other factors, a historic drought from 2007 to 2010.</p><p>But water security is a complex issue, and scarcity is merely one of its components.</p><p>Most activities that require water produce wastewater. As water usage grows, so does the production of wastewater. And more than 80 percent of wastewater worldwide is released into the environment untreated according to some estimates. </p><p>This discharge can contribute to devastating consequences. In 2012, for example, more than 800,000 deaths worldwide were caused by contaminated drinking water, inadequate handwashing facilities, and insufficient sanitation services. </p><p>In the oceans and larger seas, wastewater discharge sometimes causes deoxygenated dead zones that harm an estimated 245,000 square kilometers of marine ecosystems, according to UN estimates.</p><p>But instead of being discharged, wastewater can be treated—and reused.
And more officials and experts are realizing the benefits of this new approach. </p><p>“Wastewater is gaining momentum as a reliable alternative source of water,” says the recently released United Nations World Water Development Report for 2017: Wastewater, the Untapped Resource. </p><p>“Wastewater is no longer seen as a problem in need of a solution, rather it is part of the solution to challenges that societies are facing today,” the report finds. “Wastewater can also be a cost-efficient and sustainable source of energy, nutrients, organic matter, and other useful by-products.” </p><p>Given the skyrocketing demand for water, the positive effect that wastewater reuse could have on the global water crisis is “immense,” says Robert Glennon, a water policy expert at the University of Arizona and author of Unquenchable: America’s Water Crisis and What to Do About It.</p><p>“This is a very big deal,” Glennon tells Security Management. He cites the example of the state of Arizona, which has been active in reusing water for a few decades now. Facilities like golf courses and ballparks can consume large amounts of water, he says, so Arizona’s water reuse practices have been helpful. </p><p>Moreover, state officials have formed WateReuse Arizona, a group that assists communities in achieving sustainable water supplies through reuse. Among other things, the group offers scholarships for Arizona college students interested in specializing in water reuse and reclamation.</p><p>On the U.S. federal level, the U.S. Department of the Interior announced in May that it awarded $23.6 million to seven states for researching, planning, designing, and constructing water reuse projects. </p><p>Often, treating wastewater so that it can be reused for agricultural purposes is less expensive than purifying it to the level where it can be used as drinking water. Given this, countries are becoming more aggressive in their water reuse programs, according to the report. 
</p><p>For example, in 2013, 71 percent of the wastewater collected in the Arab states was safely treated, and 21 percent was being reused, mostly for irrigation and groundwater recharge.   </p><p>Other regions are realizing the potential benefits of wastewater reuse. In the Asia Pacific region, some countries have discovered that byproducts from domestic wastewater, such as nitrogen, phosphorous, and salt, have potential economic value. </p><p>For example, case studies in Southeast Asia have shown that revenues generated from wastewater byproducts, such as fertilizer, are significantly higher than the operational costs of treating the wastewater. That provides an economic incentive for water reuse, the report finds. </p><p>However, “more needs to be done across the region to support municipal and local governments in managing urban wastewater and capturing its resource benefits,” the report adds. </p><p>In Latin America and the Caribbean, urban wastewater treatment has almost doubled since the late 1990s, so that between 20 and 30 percent of wastewater collected in all sewer systems is now treated. </p><p>“Treated wastewater could be an important source of water supply in some cities, particularly those located in arid areas (such as Lima), or where long-distance transfers are required to meet growing demands, particularly during drought (such as São Paulo),” the report finds.   </p><p>While progress in reusing wastewater has been made in the United States and around the world, there are still constraining factors hindering even more progress, Glennon says. One is cost; some localities in developing countries struggle to afford construction of wastewater treatment plants.   </p><p>Another is that countries like China and India continue to use unsustainable practices when it comes to their water supply, such as “pumping groundwater with impunity.” India, for example, has yet to truly face up to its water shortage crisis and change its practices. 
“The rules of groundwater pumping remain so relaxed,” Glennon says. </p><p>And in places where water scarcity is currently not a huge issue, some officials have the attitude of, “Why should I bother to reuse water if I can just drill a well?” Glennon says. He compares this attitude to the mistaken belief that an unlimited number of straws can be placed in the same glass—eventually, all the liquid will be sucked out. </p><p>In addition, there are some security issues related to the practice of wastewater reuse, says Yves Duguay, CEO and founder of HCIWorld, who has had on-the-ground experience with audits of water works and other infrastructure systems. For example, systematic controls in the process are needed to ensure that health, safety, and security requirements are maintained. “Most of the time, my audits have shown a lack of oversight and controls, along with poor contract performance management. This can increase the risk for water reuse,” he says. </p><p>This is doubly important in areas where waste management operations, which can include water reuse, are linked to corruption and even organized crime. “How certain are we that waste, solid or liquid, is being disposed as expected and regulated?” he asks. </p><p>Still, developed countries like the United States and Canada can show leadership by developing a systematic approach to the recycle and reuse of wastewater, Duguay says. And since it is not an “in-your-face issue,” wastewater reuse needs more awareness and advocacy so it is not crowded out by more publicized political concerns. “There is little room on our governments’ agenda for such a topic, unless it is talked about and frequently communicated to the general public,” he explains.</p><p>Nonetheless, in areas of the world where water scarcity hits hardest, it will ultimately become a necessity to reuse treated wastewater, because supply will not hold out, Glennon says. 
“Some places will have to use that for drinking water—there is simply no alternative,” Glennon explains. Duguay echoes this view: “There is no doubt that we need to control our utilization of water; it’s a unique resource that is not infinite,” he says. </p><p>In the end, the UN report argues that, in a world where limited water resources are increasingly stressed by over-abstraction, pollution, and climate change, it is imperative for officials around the globe to focus on wastewater treatment and reuse.</p><p>“Neglecting the opportunities arising from improved wastewater management,” the report concludes, “is nothing less than unthinkable.”</p>
https://sm.asisonline.org/Pages/Calm-in-the-Crucible.aspx Calm in the Crucible | Strategic Security<p>On July 12, 2006, fighting between the Israeli army and the Lebanese militant group Hezbollah suddenly erupted and started to spread. Hezbollah fired rockets and anti-tank missiles; Israel responded with airstrikes and artillery fire, and later launched a ground invasion of southern Lebanon. The 2006 Lebanon War raged on for 34 days before the United Nations brokered a ceasefire.</p><p>I received word of the fighting shortly before the news reports hit. I was GE’s divisional global security director at the time, based at the corporate headquarters building of General Electric (GE) Healthcare in Waukesha, Wisconsin. I was responsible for the security and wellbeing of employees at more than 600 properties around the world, including three sites in Israel and one in Lebanon. Calls were coming in from both sides of the battle; many employees were at risk of losing their lives. </p><p>However, as the war entered its tenth day, we had relocated more than 1,000 employees and family members out of harm’s way, with the help of our corporate executive team and several strategic partners. This wasn’t an easy task. We were able to continue basic operations with minimal losses in Israel, but all activity in Lebanon came to an abrupt stop. What further complicated matters was the U.S. government’s refusal, or inability, to assist with any form of safe passage from Lebanon. Still, we were able to complete relocations by using several dangerously remote and unpopulated routes to reach Jordan through Syria.  </p><p>An event of this magnitude—an actual war—is difficult to navigate, and can be wholly draining. While the war crisis proceeded, the company continued to operate, so long hours were a requirement.
For three days after that first call, I didn’t get many chances to sleep.</p><p>Managing a serious crisis as a group leader can be stressful, both physically and emotionally. It is crucial to recognize that your effectiveness in successfully leading others will diminish if you openly demonstrate indecisiveness, emotional frailty, and operational ignorance during the event.</p><p>But it is also important to realize that crisis leadership begins long before the actual crisis occurs. The right preparation is essential for being an effective crisis leader, and for a security executive this groundwork can start from day one on the job. By focusing on preparation, and by consistently practicing certain management best practices, managers can greatly improve their chances of being an effective crisis leader. This article explores these practices and preparation, including building technical expertise, assessing situations, developing relationships with key stakeholders, and training for emergencies. </p><h4>Build Expertise</h4><p>Knowing the business you support is the most critical factor to your success as a crisis management leader. Thus, if you’re new to an organization, you should dedicate as much time as possible in your first three months to learning all you can about every facet of the business—from sales to production to market share—and meeting the people who are the driving forces in those areas. </p><p>In my career, I have had the opportunity to manage security programs for several companies in completely different vertical markets. Each market change required extended study time. There’s a huge variance in the operational methodologies of security programs at a hospital and a nuclear power plant, for example. Although the core principles of security can be applied to any industry, each line of business retains its own unique characteristics and regulatory framework.  
</p><p>Besides operational knowledge, you must also develop relationships with most of the key process and resource owners who support the business’s primary missions. Once those relationships are established, you should then strive to understand the secondary and tertiary levels of operations, resources, and personnel necessary to keep the business going.</p><p>In addition, you should also learn some basic business continuity planning skills and conduct a few business impact assessments. These will allow you a fuller understanding of the potential vulnerabilities and the gaps that may exist in business operations, the contingency plans themselves, and the resource base that will be available when a crisis occurs. </p><p>However, conducting a business impact assessment of your company can be a daunting task if you attempt to assess the whole business in a single review. And it can be almost impossible to complete without the full cooperation of nearly everyone in your company. Instead, consider focusing on key revenue streams, products or services that define the company, and significant vulnerabilities that could interrupt these streams and services—such as the sudden loss of a single-sourced major component, a labor disruption, or a stoppage in distribution channels. Even if the assessment seems to have little to do with traditional security activities, it is a great way to learn about the inner workings of your company.  </p><p>For example, after the Great Tohoku Earthquake struck Japan on March 11, 2011, I was working as a security manager at Paramount Pictures. Due to the earthquake, almost all of the film industry’s specialized magnetic recording and video storage tape became unavailable. Sony, with its entire tape manufacturing business located in Japan, was the exclusive maker of such tape, and its production stopped cold. </p><p>This was a supply chain crisis for sure, and we at Paramount were scrambling for tapes. 
Fortunately, our security team had enough operational and business continuity knowledge to know where to look and who to call. By volunteering to help secure tapes for the many television productions on the lot, our team knew where to find hundreds of new and reusable tapes in dozens of secure storage locations. It was like an Easter egg hunt gone wild. Armed with this knowledge and with very little effort, the security department was able to secure dozens of the remaining tapes, which kept our production teams going until other recording methods were found.</p><p>Sometimes, it takes great effort to avoid being constrained into a departmental silo and stuck in the dark when it comes to internal business workings. But the effort is worth it. Get out there and mingle; don’t be afraid to ask questions and build relationships and alliances. Learn the business so you can contribute to its survival.</p><h4>Assess Situations</h4><p>Another important component of crisis leadership preparation is staying current on domestic and international events, especially if your company is a global one. Third-party providers of intelligence and communications services can be useful here. Many of these providers even offer crisis forecasting by region and country to keep your team abreast of problem areas.  </p><p>This global understanding, combined with business knowledge, will allow you to see the big picture and anticipate which operations might be interrupted if a crisis starts to unfold.  </p><p>Moreover, demonstrating this knowledge improves your chances of being part of the inner circle at your business. For example, as a matter of practice, GE security leaders routinely gathered for periodic operational continuity development sessions. In these meetings, we shared intelligence derived from in-country leaders, paid global intelligence services, and geopolitical analysts.
At the first signs of trouble—what we called “a smoldering issue”—the affected business units were identified, and key revenue processes were analyzed for potential impacts and vulnerabilities. </p><p>Often, a smoldering issue has the potential to challenge several exposed operational and distribution channels, and the material or human resources they contain. Thus, effective coordination and communication is critical during these initial stages. </p><h4>Develop Relationships</h4><p>With sufficient business knowledge and a global understanding, you will be in a position to advise the C-suite on events once a crisis starts to unfold and help your firm be active rather than reactive.  </p><p>However, this cannot happen if organizational leaders reject an inclusionary approach when it comes to crisis leadership. For example, early in my career, the company I worked for decided to move forward on a major acquisition—the purchase of a competitor’s remanufacturing division. In general, not all security departments are included in every C-suite function; some do not get much visibility into major corporate decisions. This held true in our particular case because the security team was not part of the company’s diligence support team. Furthermore, the security team was not included in the company’s crisis response team, which consisted mostly of legal and financial leadership, supported by communications and customer relations staff.</p><p>As a result, the security team was unable to flag any discrepancies that might have shown up in the due diligence process. The division that was purchased turned out to be a fraudulent shell company. When news of the bad purchase reached the press a few days later, our firm suffered a severe financial loss and some reputational damage to its brand.</p><p>The incident illustrates the importance of maintaining a wide representation of all business functions on a crisis management team.
By emphasizing teamwork and relationship building, a manager can help develop and maintain collaborative channels that will be invaluable during a crisis. Moreover, a well-structured and collaborative crisis management team can incorporate the use of predictive tools, such as event forecasting and analysis, that maximize the chances of avoiding a crisis in the first place.  </p><p>Even so, if a crisis does occur, successful collaboration between many stakeholders is usually a prerequisite for formulating an acceptable and viable solution. An effective crisis management leader knows where to go to seek out advice from others when considering options to present to company leaders. While it is often necessary to quickly provide solution options during a crisis, it is also advisable for managers to carefully consider all security-based spending decisions, which can sometimes be driven more by fear than by reason after a major event.</p><p>Once options have been considered and a response plan is approved, a manager needs strong interactive leadership skills to ensure that others buy in and follow the course laid out. As the example of the shell company purchase shows, a collaborative effort can be quickly derailed by preventing a single department, which might hold a critical part of the solution, from participating.  </p><h4>Train</h4><p>Good leaders make intelligent decisions; great leaders do so consistently. The combination of business operations knowledge and current event understanding will help a security leader make better decisions. </p><p>But in the final analysis, leadership is not about making the best decision possible in every instance, or about always being the smartest person in the room. It’s ultimately about your ability to earn the trust of others to the point where they will willingly follow you. Here, effective communication is vital.
</p><p>In July 2005, four suicide bombers armed with rucksacks full of explosives detonated bombs on the London Underground that killed 52 people and injured hundreds more. Within four hours of the bombings, our security team at GE Healthcare was able to quickly identify—from a pool of roughly 45,000 employees —that 483 were confirmed or expected to be traveling in or about London that day for work. Using our mass communication system, we located all but nine employees on business travel that were in London or had passed through London within an eight-hour window of the bombings.</p><p>  By other means, we quickly confirmed that the remaining nine travelers were safe. Additionally, some of our employees on personal leave and vacation were traveling in London that day. Because those employees had included their private cell phone numbers in the company’s emergency notification system, we were able to receive confirmations that they, too, were safe.  </p><p>On the other hand, sometimes crisis pressure can lead to costly communication errors. Take for example, one of the most high-profile crisis situations in recent memory, the 9/11 terrorist attacks. After the planes hit the towers, one senior security manager of a major corporation in New York was overheard saying, “We’re being attacked!  I don’t think anyone’s gonna make it out of Manhattan!” The comment started a panic in the entire office building, which took hours to calm.  </p><p>The example shows that even accomplished managers can succumb to pressure. However, specialized crisis management leadership training can be invaluable in reducing the chances of this happening. 
Communication is often an important component of this type of training; many programs provide guidance on how bad news can be communicated without embellishment, panic, or fear, and how correct communication can provide stability and hope by demonstrating a confident resolve—indicating that something is being done immediately, or will be in the near future.</p><p>In addition, crisis training helps managers better understand the anatomy of a crisis, which is an essential element in remaining rational and functioning calmly. Drills can help build response memory, which in turn helps a leader avoid freezing or panicking. </p><p>In cases where in-house crisis training is unavailable, security managers should consider building their own training. With a little research online about crisis management planning, managers can first assemble the basics: contact sheets, resource directories, contingency plans, meeting schedules, and organizational charts. Then, with help from both the legal and human resource departments, the manager can coordinate partnerships with local emergency service and communication providers, and design some crisis training exercises. </p><p>Becoming skilled at anything takes practice, and crisis management leadership is no exception. If you ever find yourself in a room filled with managers trying to solve a major problem, don’t be shy; step up to the plate and share your knowledge and experience, and contribute something. This will build on your experience base, and allow you to practice being in crisis situations. </p><p>In the end, the best coaches are those who prepare, know the rules inside and out, and can lead their players strategically. Stopping in the middle of a crisis to learn more about the business means you haven’t learned the business well enough and you aren’t prepared to lead. </p><p><em><strong>Clint Hilbert</strong> is the owner of Corporate Protection Technologies, a North Carolina-based private investigation firm.
He has served as a security executive for General Electric, Pacific Gas and Electric, and Paramount Pictures. Earlier in his career, he was a commander of protective services for the U.S. Delegation to NATO for the U.S. Army Criminal Investigation Command.</em></p>
https://sm.asisonline.org/Pages/Peer-2-Peer-Protection.aspx Peer 2 Peer Protection | Physical Security<p>Daisy Torres wants to pursue a career in law enforcement after she graduates from the University of Iowa in Iowa City, Iowa. So, when she was looking for student employment opportunities, she discovered that the university hired students to work in its public safety dispatch center.</p><p>She applied for a position, but wasn’t hired. That didn’t deter her, however, and during her sophomore year of college in 2016 she found out about another opportunity for undergraduates to work with the University’s Department of Public Safety: becoming a student security officer.</p><p>Torres filled out an application, interviewed, passed a background check, and was offered a position as an officer that fall, patrolling the campus and interacting with students.</p><p>“At first, the whole thing was intimidating, but the officers have been very helpful and supportive. They guide you,” Torres says. “They encourage you to ask questions to make sure you don’t mess up.”</p><p>The experience has also offered her a chance to see what a career in law enforcement might look like and gain a better understanding of how first responders interact with students and respond to incidents.</p><p>“As a regular person, you just see the ambulance come or you see the officer coming to take care of something—but going through the training you realize this is hard work,” she explains. “It definitely humanizes the process, so it’s really fun for me. It’s fun getting to know the people, the officers you are working with.
You get to see the person behind the badge.”</p><p>That’s the goal of the Student Security Officer Program at the University of Iowa, which was created in the fall of 2016 when Assistant Vice President and Director of Public Safety Scott Beckner was hired to lead the Public Safety Department.</p><p>Beckner has spent more than 30 years in law enforcement, including 25 in higher education law enforcement with roles at Georgia College and State University in Milledgeville, Georgia; Shepherd University in Shepherdstown, West Virginia; and Michigan State University in East Lansing, Michigan. </p><p>“I believe in a community policing philosophy, meaning that our police and security officers need to go where the students are comfortable to build positive relationships with them, even if it’s not the environment in which the officers themselves are most comfortable,” Beckner says. “This enables both parties to establish meaningful communication and receive better feedback from both the law enforcement officers and the students.”​</p><h4>The Program</h4><p>The University of Iowa covers 1,880 acres that straddle the Iowa River. Approximately 33,000 students are enrolled each semester, and most freshman undergraduates live on campus.</p><p>Protecting the campus community is the University of Iowa Public Safety Department, which has two major divisions: the police division and the security division. The police division is made up of roughly 45 armed state-certified police officers who patrol campus around the clock. The security division is made up of nine full-time security officers.</p><p>The university also has a dispatch center, which is the main dispatch center for campus 911 calls and the back-up dispatch center for the county. </p><p>When Beckner came on board in 2016, the university hired students as dispatchers in the dispatch center and also as security staff at the University of Iowa Art Museum. 
Based on his experience at prior institutions, Beckner wanted to expand the university’s use of student employees for campus security positions.</p><p>“Hiring student security officers is another layer of our community policing approach,” Beckner says. “It gives our officers another opportunity to connect with students to get a pulse of what’s happening on campus from the student perspective.”</p><p>With this mind-set, Beckner instructed the department to create the Student Security Officer Program to hire students to be the eyes and ears of campus public safety.</p><p>“I’m not afraid to try new things, and I’m not afraid to fail,” Beckner explains. “I think it’s just as valuable to know what doesn’t work as what does work, and you don’t always know until you try. So many people in law enforcement are afraid to fail because of the spotlight we’re in, and we have to learn to get beyond that mind-set.”</p><p>To push the program forward, Security Supervisor Beau Hartsock was pulled off his regular assignment at the time—head of security at the University of Iowa Art Museum—and brought in to recruit students and interview them for officer positions.</p><p>To recruit students, Hartsock and others in the department used the university’s Hire a Hawk program that lists student employment opportunities and attended the campus job fair. They also went to Introduction to Criminology classes—the first core class in the Criminology, Law, and Justice major—to contact students who might be interested in the program. </p><p>“The Intro to Criminology is a prerequisite to the program that every student coming in has to go through,” Hartsock explains. “We go to those classes and do a 10-minute pitch of what we have to offer and tell them about the department. If they wish to apply, they can.”</p><p> Within one month, the program had 30 students on staff as security officers, with a peak in the middle of the academic year of 75 student officers. 
The students completed training conducted by full-time security staff on mandated issues, including radio operation, the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, bloodborne pathogens, and CPR. </p><p>The student officers were then trained for each of their particular assignments. These assignments included dorm patrol, building checks, the art museum, athletic events security, the campus transportation service called Nite Ride, and the Hawkeye Storage Lot.</p><p>“We don’t train everybody on everything; we train on an as-needed basis in accordance with whatever assignment they are working,” Hartsock says. </p><p>This is because each assignment has different requirements. For instance, students assigned to Nite Ride—a transportation service that provides rides for students between 7:00 p.m. and 6:00 a.m.—act as dispatchers, taking calls and managing the app that sends the vehicle out to pick students up.</p><p>Dorm patrol requires that students walk the dormitories, using a pipe check-in system from Guard1Plus to track their progress throughout the campus. “A student could potentially walk five or six miles a night, especially on the weekends, looking for any safety concerns, damage to property, and things like that,” Hartsock says.</p><p>Student officers have similar responsibilities when they are assigned to the libraries or the Voxman Music Building, which is a new building on campus that houses valuable musical equipment. </p><p>The art museum job is a “sought-after” assignment, Hartsock says, because students sit at a desk, greet people who come into the building, and keep an eye on the building’s video camera feeds, making it a relatively low-key assignment. </p><p>The other assignment for students is Hawkeye Storage Lot, which is vulnerable to thefts from parked cars because it is separated from the main campus, Hartsock says. 
</p><p>“We have students that also sit out there and do patrols every half hour in an electric car around the lot for about 10 minutes,” he explains.</p><p>Students on patrol wear yellow polos and black pants and have utility belts with pipes for the check-in system, masks for CPR, and radios to reach the dispatch office. If they notice suspicious activity or an incident unfolding, student officers are instructed to radio into the dispatch office and a police officer or security officer will be sent to their location to respond.</p><p>“First and foremost, students are trained to be the eyes and ears of the university only,” according to Hartsock. “In no way are they to physically or verbally intervene…we train them on what could potentially get them in danger, and to use their best judgment.” </p><p>So far, the university has had no incidents of harm to a student security officer while on duty, according to Hartsock. </p><p>“We have the benefit of our student security officers carrying radios—the same exact radios that our police officers and our full-time security officers carry—so they are literally a key click away from our dispatch,” he adds. “And a lot of times our police officers are scanning our student security officer channels, and they can start heading that way even before it is actually dispatched by a dispatcher.”​</p><h4>Campus Impact</h4><p>When Torres was initially hired, her friends and fellow students’ first question was: Do you get to carry a gun? Student security officers are not armed, but they are taken seriously by their peers and this support has helped them build relationships on campus.</p><p>“I’ve been the night dispatcher for Nite Ride and [my friends] don’t bother calling the phones because they know I’m working, so they’ll text me and say, ‘Is there a chance you could send a Nite Ride my way?’” Torres says. 
“They think it’s interesting because they get to see me in the dorm sometimes and say, ‘I know the security officer.’” </p><p>Building this sense of community helps give credibility to the campus police because the student security officers get to know police officers as real people, says Police Captain Mark Bullock. </p><p> “Kids, when they talk about these officers as people rather than as a profession, it takes away some of those barriers that may have previously been there,” he explains.</p><p>Another benefit to having the student security officers on patrol is that it can make reporting a sensitive crime, such as a sexual assault, easier for students because they are talking to a peer instead of a police officer.</p><p>“If it is a sensitive crime, and if you have a familiar face or a peer who is part of an organization like ours, we would hope that would make reporting that crime just a little bit easier,” Bullock says. “It’s a well-known thing that sexual assaults are underreported. We would like to do anything we can to make the occurrences go down—ideally eliminate them completely. But at least knowing about them is a step in the right direction.”</p><p>For less serious offenses, such as smoking in a dorm room, Bullock says students are much more likely to bring that up to a student security officer on dorm patrol than to a security officer.</p><p>Students are “not going to be as open to saying that to a police officer as they would to one of their peers,” he adds. 
“General quality of life issues within our campus have been easier to report by having a peer to talk to.”</p><p>And in instances like smoking in a prohibited space, student security officers have several options on how to handle the situation, including reporting it to the residence assistant on duty, the front desk of the building they are in, or dispatch for a police response, if necessary.</p><p>Student security officers are all equipped with a radio, “so it’s a direct line of access to the police so information is coming in in real time,” according to Bullock. “There’s nothing lost in translation.”</p><h4>Future Plans</h4><p>The Student Security Officer Program has been viewed as a success so far, and the university plans to expand it during the fall of 2017 to hire approximately 125 student officers for the academic year.</p><p>“We’re actually getting ready to do a very large hiring surge of possibly 40 to 50 more students just to cover one assignment that’s in the works right now,” says Hartsock, who declined to provide more detail about what the assignment was.</p><p>The department itself is also making a push to have student security officers, police officers, and security staff be increasingly more involved with campus life in their off hours. One initiative is paying for staff to participate in intramural sports on campus. </p><p>“So you’re interacting with the university community, humanizing us in the sense that students get to know us personally, see a familiar face out of uniform as well as in uniform,” Hartsock explains. “Being more approachable and being looked at in a way that we’re really genuinely here to help.”</p><p>All of this goes back to Beckner’s focus of creating a community policing approach to campus security at the university.</p><p>“If University of Iowa officers can begin to know students on a personal level—when it’s not in the context of punitive action—I believe we’ll be able to solve more problems proactively,” he says. 
“One of my early goals was to begin to break down the barriers between students and campus police, and I think this program is helping us do that.”  ​</p>
https://sm.asisonline.org/Pages/A-Professional-Path.aspx | A Professional Path | Strategic Security<p>Until recently, security has been considered a trade, with practitioners fighting for proper standing in the institutions they protect. But the industry is now at a crossroads.</p><p>Before us lie two paths. One is a continuation of the status quo. We may continue to glide down this road, but it is not a self-determined path. It has been chosen for us because we have not clearly defined security’s role. Given this failure to self-define, security has traditionally been defined by others by the task it performs, such as information security, investigations, physical security, or executive protection. This type of definition diminishes the value of the security function; our role is more than just our allocated tasks.</p><p>The second road is one of self-determination and opportunity. It offers a chance for the industry to advance from a trade to a fully respected profession. On this road, we can take control of the dialogue, shape the conversation surrounding our field, and make our own way forward. As an industry—with ASIS taking the lead—we can keep advancing until security is considered a profession.</p><p>How can we advance on this second road? First we need a clear definition of the role of security in the private sector. We also need a core base of knowledge that supports our understanding of that role, which can be taught—not only to college students, but to transitioning personnel coming into our industry and to our hiring managers. There also needs to be an established expectation that practitioners will share this knowledge of security’s role and the core competencies associated with it. </p><p>ASIS International has already started defining this role through the concept of enterprise security risk management (ESRM). 
With its embrace of ESRM, ASIS has positioned our industry to travel down the road of opportunity and self-determination, with ESRM as the guiding principle to help chart our course.  </p><p>Not everyone in the industry is ready for this journey, however. For some who may have heard of the concept but still find it vague, questions remain. Primarily: What exactly is ESRM and why is it needed?</p><h4>What is ESRM?</h4><p>At its core, ESRM is the practice of managing a security program through the use of risk principles. It’s a philosophy of management that can be applied to any area of security and any task that is performed by security, such as physical, cyber, information, and investigations. </p><p>The practice of ESRM is guided by long-standing internationally established risk management principles. These principles consist of fundamental concepts: What’s the asset? What’s the risk? How should you mitigate that risk? How should you respond if a risk becomes realized? What is your process for recovering from an event if a breach happens? Collectively, these principles form a thoughtful paradigm that guides the risk management thought process.</p><p>When pursued, these questions elicit valuable information, and they can be asked of every security-related task. For instance, investigations, forensics, and crisis management are all different security functions, but when they are discussed within the ESRM framework they are simply different types of incident response. </p><p>Similarly, every function of physical and information security, such as password and access management, encryption, and CCTV, is simply considered a mitigation effort within the ESRM paradigm. These may seem to be merely semantic differences, but they are important nuances. When we define these functions within the ESRM paradigm, we also start to define the role we play in the overall enterprise.</p><p>ESRM elevates the level at which the role of security management is defined. 
Instead of defining this role at task level, it defines the role at the higher, overarching level of risk management.  </p><p>By raising the level of security’s role, ESRM brings it closer to the C-suite, where executives are considering much more than individual tasks. And by defining the role through risk principles, it better positions the security function within the business world at large. Business executives in all fields understand risk; they make risk decisions every day. Using ESRM principles to guide our practice solidifies our place within the language of business while also defining the role we play within the business.</p><p>For example, consider a company with a warehouse and a server. In the warehouse, security is protecting widgets and in the server, security is protecting data. Under the common risk principles, we ask: What are the risks to the widgets and data?  How would we protect against those risks? Who owns the widgets, and who owns the data? </p><p>We may decide to put access control and alarms on the warehouse or a password and encryption on the data. In both instances, we’re protecting against intrusion. The goal is the same—protection. For each task, the skill set is different, just like skill sets differ in any other aspect of security: investigations, disaster response, information technology. But the risk paradigm is the same for each.</p><h4>Why We Need It</h4><p>We need ESRM to move beyond the tasks that security managers and their teams are assigned. For instance, if you manage physical security, your team is the physical security team. If you do investigations, you are an investigator. If you manage information security, your team is the information security team. </p><p>But these tasks merely define the scope of responsibility. Our roles are broader than our assigned tasks. Our responsibilities should be viewed not as standalone tasks, but as related components within our roles as security risk managers.   
</p><p>Having a clear, consistent, self-defined role provides significant benefits. First, it preempts others from defining our role for us in a way that fails to adequately capture and communicate our value. </p><p>Second, it helps better position ourselves in the C-suite. C-level executives often struggle with what security managers do, and where to align us. This is often reflected in the frustrations expressed in some of our own conversations about needing a proverbial seat at the table. In one sense, this exclusion may seem justified: if we can’t define our role beyond describing our tasks, why would upper management charge us with higher-level leadership and strategy?</p><p>Third, it provides guidance to our industry. Greater use of ESRM will provide an always-maturing common base of knowledge, with consistent terms of use and clear expectations for success.  </p><p>This benefits not only practitioners in our industry, but also all other executives who may need to interact with the security practice or work with the security manager. This can be especially valuable during times of change, such as when a security manager switches companies or industries, or when new executives come into the security manager’s firm.</p><p>In those situations, security managers often feel that they are continually educating others on what they do. But this endless starting over process wouldn’t be necessary if there were a common understanding of what security’s role is, beyond the scope of its responsibilities.​</p><h4>Why Now?</h4><p>This industry at large has talked about ESRM for at least the last 10 years. But as relevant as the topic was a few years ago, the present moment is the right moment for ESRM because security risks now have the potential to become more disruptive to business than in the past.  </p><p>There are several reasons for this. The use of technology in the current economy has allowed businesses to centralize operations and practices. 
While this consolidation may have increased efficiency, it has also made those centralized operations more susceptible to disruption. When operations were more geographically dispersed, vulnerabilities were more spread out. Now, the concentrated risks may have a more serious negative impact to the business. </p><p>We are also moving beyond traditional information security and the protection of digitalized data. Now, cybersecurity risks pose threats of greater business disruption. For example, the threats within the cyber landscape to the Internet of Things (IoT) have the potential to cause more harm to businesses compared with the negative effects they suffered in the past due to loss of information.</p><p>Many executives understand the significance of these risks, and they are looking for answers beyond the typical siloed approach to security, in which physical security and information security are separately pursued. They realize that the rising cyber risks, in tandem with the increasing centralization of business operations, have caused a gap in security that needs to be closed. </p><p>Boards are also becoming more engaged, which means that senior management must also become engaged, and someone will have to step in and fill that gap. That could be a chief risk officer, a board-level committee, an internal audit unit…or security. Hopefully, it will be the latter, but to step up and meet this challenge, security professionals must be able to consistently define their role beyond simply defining their tasks. ​</p><h4>Making the Transition</h4><p>What we need is a roadmap toward professionalization.  </p><p>ASIS is leading the effort of defining security’s role through ESRM. At ASIS 2017 in Dallas, you will hear more conversation around ESRM as well as more maturity and consistency in that conversation.  As the leading security management professional organization, ASIS is best positioned to guide us through the roadmap from a trade to a profession. 
</p><p>The ASIS Board of Directors has made ESRM an essential component of its core mission. It has started incorporating ESRM principles into its strategic roadmap, which means that ASIS is starting to operationalize this philosophy—a critical step in building out this roadmap. Other steps will be needed; it is essential that volunteers, both seasoned and new to the field, embrace this shift towards professionalization for it to gain traction.</p><p>This transition will not occur with the flip of a switch. It will take dedication to challenge our own notions of how we perceive what we do, the language we use to communicate to our business partners, and our approach toward executing our functions.  It will take time and comprehensive reflection, and the ability to recognize when we don’t get it right. We may not be totally wrong either, but thoroughness in developing consistency is critical.</p><p>There are some core foundational elements that need to be in place for this ESRM transition to be successful. First, there needs to be a consistent base of knowledge for our industry to work from: a common lexicon and understanding of security’s role that is understood by practitioners and the business representatives we work with. </p><p>We also need both a top-down and bottom-up approach. New security practitioners entering the industry from business or academia, or transitioning from law enforcement or the military, need a comprehensive understanding of risk management principles and how a risk paradigm drives the security management thought process. There should be an expectation that these foundational skill sets are in place when someone enters the security field. Working from a common base of knowledge, these ESRM concepts should be incorporated into the security management curriculum, consistently established in every security certification, and inherent in job descriptions and hiring expectations at every level.  
</p><p>We also need to build expectations regarding what security’s role is, and how it goes beyond its assigned tasks, from the top-down—among executives, boards, hiring managers, and business partners. A clear and common understanding of security’s role will make it easier to define success and the skill sets that are needed to be successful. Organizations like ASIS will assist in providing the wherewithal to support these leaders. </p><p>If we truly are security risk managers, then there must be an expectation of foundational and comprehensive risk skill sets when hiring decisions are made. There could be educational opportunities through ASIS, through global partnerships with universities, and through publications coordinated with organizations that reach the C-suite, such as the Conference Board of the National Association of Corporate Directors.</p><p>Clearly academia needs to play a role as well. College students interested in entering this dynamic industry will come in more prepared to assist security leaders and businesses with a solid knowledge base of security risk management fundamentals. And once a rigorous ESRM body of knowledge is established, ASIS has the clout, expertise, and standing to provide a certification for academic institutions that meet concepts in their curriculum, which would provide for a more consistent understanding of security’s role.</p><p>ASIS has established ESRM as a global strategic priority and has formed an ESRM Commission to drive and implement this strategy. One of the commission’s first steps is developing a toolkit comprising a primer and a maturity model.</p><h4>Benefits to ASIS Members</h4><p>There is a question I ask of every candidate I interview: “Tell me about a time when you’ve been frustrated in this industry.” </p><p>Every answer comes down to one of two issues. One, we do not know and cannot clearly define our role. Two, our business partners cannot clearly define our role. 
Both of these frustrations are manageable, and both are our fault as an industry for not establishing clarity.  This leads to strained relationships with our business partners in how we are perceived and how likely our expert guidance is to be accepted.</p><p>Having a clearly defined security role through ESRM helps build a foundation for a more satisfying career in the security industry. It would provide us with proper standing in our enterprises, and better positioning for us to have a seat at the table for the right reasons, ones that executives understand and can support.</p><p>For the practitioner, a consistent security program through ESRM provides a framework to bring together security mitigation tasks under one proper umbrella: physical, investigations, cyber, information, business continuity, brand protection, and more. </p><p>The human resources industry has professionalized over the last decade or so. We see this through their standing within business, their seat at the table, and their upgrades in title and pay. Now, with the rise in threats and potential business disrupters, our industry has an opportunity. Business leaders and boards are looking for answers.  We have the necessary skill sets and a dedicated and supportive professional association in ASIS to take the lead.</p><p>We are at a crossroads.  It is time to choose the path of self-determination, take control of this conversation, and make the transition from trade to profession.</p><p><em>Brian J. Allen, Esq., CPP, is the former Chief Security Officer for Time Warner Cable, a former member of the ASIS Board of Directors, and a current member of the ASIS ESRM Commission. ​</em><br></p>
https://sm.asisonline.org/Pages/FEMA,-CSOs-Assess-Dynamic-Situation-in-Houston.aspx | FEMA, CSOs Assess Dynamic Situation in Houston | National Security<p>Updated August 30, 2017</p><h4>Insurance claims concerns</h4><ul><li><p>Some reports have circulated that homeowners must file claims stemming from damage wrought by Hurricane Harvey by <strong>September 1, 2017</strong>, in order to receive full coverage.</p></li><li><p>Those reports are <strong>not accurate.</strong></p></li><li><p><strong>The change only affects lawsuits, not the claims process</strong>, says Texas Senator Kelly Hancock.</p></li><li><p>A Texas law going into effect on September 1, 2017, involves legal damages that insurance companies must pay policy holders if the companies <strong>deny a claim, offer a lowball settlement, or are slow to settle</strong> a claim.</p></li><li><p>If a claim is denied, lowballed, or inordinately delayed, and the policy holder goes to court against the insurer and prevails, under the new law the insurer would have to pay the claimant damages plus <strong>an additional 10 percent</strong> (rather than 18 percent under the prior law).</p></li><li><p>Most <strong>Texas homeowners policies don't cover home flooding</strong>, but they do often cover wind damage, vehicle flooding, and other related damage. </p></li><li><p>Most insurance policies that cover flooding in Texas are provided by the <strong>federal government</strong>, which is <strong>not covered</strong> by the new Texas law.</p></li></ul><p>--</p><p>August 29, 2017</p><p>ASIS International CSO Center members and officials from the U.S. Federal Emergency Management Agency (FEMA) joined a conference call this morning to discuss the latest impacts of Hurricane Harvey on the Houston area and how it is affecting employees and business continuity. 
These are some of the takeaways.</p><h4>ASIS Activities</h4><ul><li><p>ASIS is supporting those affected by the storm by working with the ASIS Crisis Management and Business Continuity Council to provide <a href="https://www.asisonline.org/About-ASIS/Who-We-Are/Whats-New/Pages/Security-Resources-for-Hurricane-Harvey.aspx" target="_blank">response and recovery resources.</a></p></li><li><p>The Society is donating $5,000 to the American Red Cross through its Security Cares initiative. To make your own donation, contact the American Red Cross at 1-800-RED CROSS or text HARVEY to 90999 to make a $10 donation for those in need.</p></li></ul><h4>Harvey's Path</h4><ul><li><p>Harvey is expected to loop back through the Gulf Coast and make landfall slightly north of Houston and head into Louisiana. </p></li><li><p>At least another foot of rain is expected in the Houston area through Friday, and some areas will receive more than 50 inches of total rainfall.</p></li></ul><h4>FEMA Assessments and Activities</h4><ul><li><p>There are currently about 5,000 people in emergency shelters, and FEMA and the American Red Cross estimate that will grow to 30,000 people over the next several days.</p></li><li><p>FEMA has a million meals and millions of liters of water on hand to distribute as needed.</p></li><li><p>As many as 75,000 homes have been damaged by the storm, and there are about 250,000 homes and businesses without power.</p></li><li><p>FEMA has brought in 9,000 federal workers to the affected areas.</p></li><li><p>About 2,500 FEMA employees are coordinating efforts of some 1,100 urban search-and-rescue teams, as well as 120 swift water rescue teams.</p></li><li><p>Teams are working hand-in-hand with state authorities.</p></li><li><p>Corporations wanting to offer resources and assistance can contact FEMA's National Business Emergency Operations Center at 202-212-8120.</p></li></ul><h4>Issues discussed by CSOs</h4><ul><li><p>The key is making sure that staff and families are safe, 
sound, and taken care of.</p></li><li><p>Corporations with business operations in the affected area are still focusing on making sure employees are accounted for and providing them assistance as needed. Some are continuing to pay those affected by the storms, even if they can't make it to work. Some corporations also established round-the-clock helplines and are offering financial assistance to employees as needed.</p></li><li><p>Corporations are working to come up with viable criteria with which to assess staff need for financial assistance.</p></li><li><p>A continuing challenge is keeping track of employees who are displaced to cities as far away as Dallas.</p></li><li><p>Most business operations in the affected area have come to a halt, but some corporations have employees who have ridden out the storm at their facilities—either by choice or because they became stranded.</p></li><li><p>Some companies with shift workers made arrangements in advance for people to ride out the storm by setting up shelters onsite or at nearby hotels.</p></li><li><p>Sleep deprivation is becoming an issue—even if someone finished up a 12-hour shift, they can't go home. </p></li><li><p>Some companies are working with their facility's food vendors for extra stock and allow maintenance workers and their families to stay in a hotel across the street from the facility. </p></li><li><p>Some businesses have been able to switch security operations to another facility to provide some relief for onsite shift workers.</p></li><li><p>It's also important to prepare for looting as well as donation, insurance, and home improvement scams. 
The CSO Center and ASIS will update members on the specific types of these fraudulent activities as they occur.</p></li></ul><h4>Hurricane Harvey Recovery Resources:</h4><ul><li><p><a href="https://www.asisonline.org/About-ASIS/Who-We-Are/Whats-New/Pages/Security-Resources-for-Hurricane-Harvey.aspx">ASIS International Response and Recovery Resources</a></p></li><li><p><a href="https://www.fema.gov/hurricane-harvey?utm_source=hp_promo&utm_medium=web&utm_campaign=disaster">FEMA updates and rumor control</a></p></li><li><p><a href="https://www.consumer.ftc.gov/blog/2017/08/wise-giving-wake-hurricane-harvey">FTC on avoiding charity scams</a></p></li><li><p><a href="https://www.ijet.com/blog/us-more-flooding-predicted-after-hurricane-harvey-devastates-parts-gulf-coast">iJet updates</a></p></li><li><p><a href="https://www.dhs.gov/news-releases/press-releases">DHS updates</a></p></li></ul><h4>Local News Resources:</h4><ul><li><p><a href="http://www.downtowndistrict.org/">Houston Downtown Management District</a></p></li><li><p><a href="http://www.khou.com/">News Station KHOU</a></p></li><li><p><a href="http://abc13.com/">ABC 13 Houston</a></p></li><li><p><a href="http://www.chron.com/news/houston-texas/">Houston Chronicle</a></p></li><li><p><a href="https://drivetexas.org/#/9/29.9878/-95.1385?future=false">Texas Department of Transportation Highway Conditions Map</a></p></li><li><p><a href="http://water.weather.gov/ahps/">National Weather Service flood map</a></p></li><li><p><a href="https://www.harriscountyfws.org/">Harris County rainfall map</a></p></li></ul><h4> How to Help:</h4><ul><li><p><a href="http://www.redcross.org/">American Red Cross donations</a></p></li><li><p><a href="https://www.fema.gov/media-library/assets/documents/28983">FEMA Business Emergency Operations Center</a> – Call at 202-212-8120</p></li><li><p><a href="https://www.fema.gov/about-industry-liaison-program">FEMA Industry Liaison Program</a></p></li><li><p><a 
href="https://www.bbb.org/council/news-events/news-releases/2017/08/bbb-and-give.org-offer-tips-on-helping-texas-in-the-aftermath-of-hurricane-harvey/">Better Business Bureau's tips on trustworthy charities</a></p></li></ul>
https://sm.asisonline.org/Pages/Harvey-Update-Releasing-Reservoirs-Creates-Ghost-Towns.aspx | Harvey Update: Releasing Reservoirs Creates Ghost Towns | National Security<p>The scope of Hurricane Harvey's impact on the southern United States is hard to grasp, and the end is still far from sight. Since its landfall Friday night, the storm has dropped more than two feet of water in some areas, and the U.S. National Weather Service expects Houston and south Texas will receive up to 50 inches by the time the storm dissipates. </p><p>Houston—the fourth largest city in the United States—has seen devastating flooding, forcing residents to leave their homes and seek shelter. The U.S. Federal Emergency Management Agency estimates that 30,000 people will be displaced from their homes, and that the <a href="https://apnews.com/0a534992afbc4904a3677a2d361ce960?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP_Politics" target="_blank">$3 billion disaster fund</a> will be enough to help with immediate aid—for now.</p><p>Here's what we know so far about the storm's impact:</p><ul><li><p><a href="https://www.washingtonpost.com/news/post-nation/wp/2017/08/28/harvey-may-force-30000-people-into-shelters-while-flooding-will-linger-officials-warn/?utm_term=.8fc4f7aa4165" target="_blank">Eight people are confirmed dead</a> in Texas from Harvey.<br></p></li><li><p>U.S. President Trump is planning to travel to<a href="http://www.cnn.com/2017/08/28/politics/donald-trump-hurricane-harvey-response-texas/index.html" target="_blank"> Texas tomorrow</a> to survey the damage.<br></p></li><li><p>All schools in Houston are closed, as well as several retailers, hospitals, and the U.S. 
postal service.<br></p></li><li><p>Both of Houston's airports will remain closed to the public until at least <a href="https://www.washingtonpost.com/news/dr-gridlock/wp/2017/08/28/houston-airports-struggle-to-return-to-service-following-hurricane-harvey/?utm_term=.a3d0b86df386" target="_blank">Wednesday</a>.<br></p></li><li><p>Houston 911 received <a href="http://www.cnn.com/2017/08/27/us/harvey-impact-by-the-numbers-trnd/index.html" target="_blank">56,000 calls for help</a> over 15 hours. The average number of calls for a typical day is 8,000. <br></p></li></ul><p>Although Houston has been in the spotlight, cities south of Houston are struggling as well—and are facing a surge of floodwater from Houston. Two dams in the Houston area are being released to control the overflow and provide relief for the city, but officials say it will affect thousands of homes along the reservoirs. </p><p><a href="https://www.washingtonpost.com/news/post-nation/wp/2017/08/28/houston-releases-water-from-two-dams-in-attempt-to-prevent-uncontrolled-overflow/?utm_term=.0e7fd3e7ef67" target="_blank">The dams were released earlier than expected</a> due to rapidly-rising waters that threatened to overflow the reservoirs. "If we don't begin releasing now, the volume of uncontrolled water around the dams will be higher and have a greater impact on the surrounding communities," said Galveston District Commander Col. Lars Zetterstrom around 2:30 a.m. on Monday. "It's going to be better to release the water through the gates directly into Buffalo Bayou as opposed to letting it go around the end and through additional neighborhoods and ultimately into the bayou."</p><p>Cities such as La Grange and Bay City implemented mandatory evacuations Monday morning due to the surge, which could add up to 10 feet of water to the already-flooded streets. 
Officials warned remaining residents that roads out of the city would be closed, and first response, utility, and other services will be shuttered.</p><p>"This means there will be absolutely no emergency response, including law enforcement, fire, and EMS services, in all areas of the county," the Matagorda County Emergency Operations Center warned residents in a statement. "Basic services, such as food and water, will not be available. Mandatory Evacuations MUST be completed before this deadline."</p><p>The Bay City Police Department posted on<a href="https://www.facebook.com/pg/BayCityTXPD/posts/" target="_blank"> its Facebook page</a> that dispatch centers are completely out of service and encouraged residents to call on nearby counties for assistance.</p><p>Meanwhile, the U.S. Department of Homeland Security has warned of an <a href="http://thehill.com/policy/cybersecurity/348309-dhs-warns-of-harvey-cyber-scams" target="_blank">increase in phishing attacks</a> by cyber criminals posing as charities or insurance agencies. </p>
https://sm.asisonline.org/Pages/LA-IMPORTANCIA-DE-UNA-FUSIÓN.aspx
THE IMPORTANCE OF A MERGER
Strategic Security
<p>For years, the idea of a merger between Universal Services of America and AlliedBarton Security Services made complete financial sense, more than anything else in the world. The numbers seemed clear: if the companies joined forces, they would create the largest security company in North America, one that could offer enormous resources and a range of services at a single point of purchase for those in need of outsourced security services. In addition, both companies had complementary strengths; for example, Universal's integrated electronic security solutions and AlliedBarton's security guards, if combined, would further strengthen the appeal of a merger.</p><p>Although the industrial logic was undeniable, making the merger a reality proved to be a daunting task. Some tentative discussions had taken place over several years, and at different times each company courted the other seeking an acquisition, but neither was ready to close the deal. The reason why was not always completely clear.</p><p>Under any circumstances, a great number of factors can make an agreement of this magnitude difficult to reach. Because a merger of this kind usually begins at the highest level and involves the leadership of both companies, the risk of a power struggle is always present. 
This can present an obstacle to the changes in management: both leadership teams would face off seeking supremacy when deciding key issues of the merger, such as the new company name, the titles of management positions, or the location of the headquarters.</p><p>What is more, merging two different corporate cultures can prove quite rocky, especially when the two companies have been competitors for several years and both are deeply devoted to their quest to be the industry leader.</p><p>Universal and AlliedBarton had talked frequently about a union over the years, without any fruitful agreement. But then a new opportunity appeared, changing the landscape and making the merger possible.</p><h4>A WINDOW OPENS</h4><p>In 2015, the Blackstone Group, the private equity entity that owned AlliedBarton, announced that it was selling the company to the French investment firm Wendel Stock Exchange. Universal Services of America had a good relationship with Wendel, so the idea of a merger under its auspices seemed likely to have strong private equity support. Indeed, both of Universal's equity partners, Warburg Pincus and Partners Group, indicated that they would support a merger.</p><p>This new development took place in a business environment that continued to ripen in favor of a possible merger. As profit margins in the industry remained narrow, the economic efficiencies that could be obtained from the horizontal integration of the two companies and their complementary strengths became more and more compelling.</p><p>Of course, the matter of the “power struggle” between the leadership teams that had been mutual competitors still had to be resolved. 
At times, this effort can be most problematic at the highest levels of an organization; a merger between two large companies with incumbent chief executives can turn into a clash of egos that cannot be contained.</p><p>AlliedBarton and Universal avoided this conflict. In the case of our companies, both CEOs (myself and Bill Whitmore of AlliedBarton) had a relationship that seemed to grow stronger over time. I like to call it a “fierce and friendly” relationship: we were both intense competitors in the marketplace, but off the field we always got along well. If there were two leaders of rival companies who could come together successfully, it was us. What is more, Bill had made it clear that he was willing to give up his post as chief executive to become head of the board of Allied Universal, so we would not have to compete for that role in the new company.</p><p>Given these conditions, the merger began to make even more sense. After nearly two years of serious discussions, both parties decided to proceed. Universal Services of America and AlliedBarton Security Services announced the merger to the public on May 3, 2016. By August 1, the merger was complete, resulting in Allied Universal, which is now a company worth US$5.1 billion that employs more than 150,000 people.</p><p>There was no shortage of challenges on the road to that outcome. I believe our merger can serve as a case study in change management, because we went through a great many integration issues, from cultural fit and staffing to operational procedures and processes. What follows are some of the key elements of the integration exercise, which generated both lessons learned and a best practices guide.</p><h4>FROM COMPETITORS TO COMRADES</h4><p>We began with the help of trusted consultants. 
The Boston Consulting Group (BCG) handled the organizational process, while West Monroe Partners focused on information technology integration. Because BCG had worked with Universal during our acquisitions of Guardsmark and ABM Security, they already knew us and our business, so they were able to step up their efforts quickly to help develop our integration plan.</p><p>Given the scope of the project, our timeline was ambitious. In March and April, we carried out an extensive analysis of every functional area of both companies. The analyses gave us a clear view of where each organization's strengths and weaknesses lay in terms of achieving our business objectives, such as value creation, customer service, and the use of technology within our service offering.</p><p>Then came an even more intense period. After the merger was announced in May, a few hundred executives from both companies, who had previously led rival teams, met in Dallas for a week to carry out a process in which they debated the key components of the new company. The issues discussed ranged from the new name and its core values to its areas of emphasis, addressing each management function and each area individually. For example, in one case we had to choose one accounting process over another. And there were occasions when we had to choose a single vendor for a service that had previously been handled by two different entities.</p><p>Once these parameters were established, we went through several days of “one-on-one” interviews on the way to forming the leadership teams for the new company. From the outset we knew this would be a challenging time for many. Given everything that was at stake, we tried to make the process as open and transparent as possible. 
The details and timeline of the process were discussed, including the severance arrangements for those who would not make the transition to the new organization.</p><p>During May, June, and July, we began activities by visiting key locations. The process we had just finished in Dallas was replicated with the operational-level employees (approximately 150,000), who worked in around 250 branch offices, several of which were being consolidated. We visited all the regional offices and, just as we did in Dallas, shared with employees our aspirations for the new company in terms of the desired culture, the core values, and the plans for achieving them.</p><p>This three-month project was one of the most challenging components of the merger. Because there were many positions across the country that needed staffing (including regional leaders, human resources professionals, and sales managers), an enormous amount of frontline work was necessary.</p><p>Making these difficult hiring decisions turned out to be the most intense aspect of the entire merger. The initial presentations of the new company's future goals, values, culture, and objectives were well received and highly motivating. But then you had to have “the conversation” about the reality that not everyone would make the transition to this new phase. During these moments, the importance that a merger can take on in employees' lives became apparent.</p><p>It also became perfectly clear how unsettling the process can be: in addition to fulfilling their current job responsibilities, employees essentially had to be “reinterviewed” for their jobs, with no guarantee that they would have one by the time the merger was finished. 
I repeat: considering everything that was at stake, it was imperative for us to be as direct, honest, and transparent as possible.</p><h4>THE INTEGRATION PROCESS</h4><p>Although consolidating staffing may be the most intense facet of this process, it is not the only challenging aspect. Merging the culture and processes of two companies was a complicated project that had its fair share of bumps and difficulties along the way.</p><p>Every organization is unique. There are companies with similar corporate values and outlooks, as AlliedBarton and Universal were, but there will always be disparities in processes and operations. This includes differences in management styles, resource allocation, engagement strategies, and procedural protocols.</p><p>To complete this part of the merger, we literally mapped out every function in the operations of both companies, comparing them and finding similarities and differences. From there, we determined the best way to designate each function for the new company. In some cases, we chose one company's processes over the other's; on other occasions, we took the qualities of both processes to create a new one. In a few situations, we decided it would be best to create a completely new process. For example, the human resources area designed new employee recognition and evaluation programs.</p><p>I do not want to sugarcoat this part of the merger: these were some of the most complicated discussions we had. Because the leaders of both companies were the ones discussing these processes, it was to be expected that some might be a little blinkered and defend their own company's way of doing business. 
But allowing this to happen would have made the exercise pointless, since what we wanted was to design the new company's functions on their merits.</p><p>So we challenged our executives to overcome their own biases and aim for objectivity when thinking about which methods were best for operations. This resulted in a great many candid and thorough discussions, with several shareholders present at each meeting to make sure that all points of view were taken into account.</p><p>In the end, we decided to have two corporate headquarters: one in Conshohocken, Pennsylvania, which would house the finance, payroll, and billing departments; the other, in Santa Ana, California, would centralize the human resources, sales, and marketing areas. Additionally, we forged seven regional territories that would receive frontline operational support from designated centers of excellence.</p><h4>BUSINESS CONTINUITY</h4><p>Six months after the May announcement, we managed to complete the integration of security services in our seven U.S. regions (Northeast, Mid-Atlantic, Southeast, Midwest, Central, Northwest, and Southwest) and in Canada.</p><p>Because these regions comprised more than 200 locations, this meant workdays that stretched from the early hours of the morning until late at night, keeping up a good pace to keep the process on its feet and cover all the bases. I scheduled meetings and calls with each region to talk about the areas that needed greater focus and about opportunities to highlight our new strengths. I worked with legal and human resources teams to refine business operations and talent retention, and I spent time in the field sharing the vision and missions of the new brand with clients and employees. 
We traveled around the country to make our cultural initiatives known. These initiatives included challenging employees to focus on the positive aspects of the merger, to anticipate changes that would benefit the business and our clients, and to adopt and embrace the new policies and programs.</p><p>But a merger as large as this one comes with its own business continuity problems. We knew well that sustaining normal operations and retaining talent would be a challenge during an integration of this scale. We devoted as much time, preparation, and attention to regular business during the transition as before the merger took place.</p><p>Even so, we recognized the possibility that clients would be worried about a possible degradation of customer service because of the merger process. For us it was a priority to counter that line of thinking. So, during the week of the announcement, we contacted all clients to explain what would happen. From the client's perspective, we wanted everything to be clear, so that there would be no question marks in their minds about our ability to provide our usual services. We were also direct in communicating the benefits that the merger would generate for them.</p><p>In essence, we guaranteed our clients that their services would not be interrupted. To back this up, we held daily management calls with our leadership team and discussed all the problems and concerns that clients had. We made sure that no internal problem could hinder our external services.</p><h4>ACQUISITIONS AHEAD</h4><p>Internally, mergers can be an unsettling experience for some, even for workers who expect to stay with the company. 
At times, employees will want to talk about what the merger process will mean for them, or even about a job opportunity that has come up for them at another organization.</p><p>This latter situation sometimes leads us to a dilemma. Employees are vital to our success and talent retention is also fundamental, but we did not want to make anyone miss out on promising career opportunities. We always remain open and discuss these matters with people, being as honest as we can.</p><p>In general, it is a simple economic reality: mergers and acquisitions are the norm in many business sectors. Despite their complicated moments, they allow companies to grow exponentially and to expand into areas and markets that were previously out of their reach. Perhaps the final lesson learned is that integrating organizations and aligning cultures always requires an absolutely collaborative approach. This includes not only the leadership team but also all employees, clients, and shareholders. All those who depend on the company, and on whom the company depends, must commit together to achieve success.</p><p><em>Steve Jones, originally the CEO of Universal Services of America, is the CEO of Allied Universal. Mark Tarallo is senior editor of </em>Security Management.</p><p><em>The translation of this article is provided as a courtesy by </em><em>Ari Yacianci</em><em>. </em>Security Management <em>is not responsible for errors in translation. Readers can refer to the original English version here: <a href="/Pages/The-Meaning-of-a-Merger.aspx" target="_blank">https://sm.asisonline.org/Pages/The-Meaning-of-a-Merger.aspx</a>.</em><br></p>
https://sm.asisonline.org/Pages/Interoperability-for-the-Safe-City-.aspx
Interoperability for the Safe City
Physical Security
<p>Today's cities often use video management systems or other platforms to view camera footage, protect citizens and property, analyze incidents, evaluate security, and determine appropriate responses to events like natural disasters, disruptions to public transit and other municipal services, and other threats to public safety. <br><br>Cities implementing this connected security approach are typically referred to as safe or smart cities. Most safe cities share a common infrastructure and operate using sensors and cameras over a shared municipal network. By synthesizing information from these sensors and data from other devices through one interface, government officials and law enforcement gain a comprehensive view of a city's security.</p><p><strong>Integrating the Many Parts of a Safe City</strong></p><p>There are operational challenges that accompany the many systems that are included in a safe city deployment. Interoperability continues to present one of the greatest challenges, particularly with video management systems, video recording devices, and cameras. The most common scenario is that municipalities have several management systems for city operations that were created by different manufacturers, each with proprietary interfaces for integration.<br><br>To connect their different systems together, cities often end up employing a single-vendor "build once and maintain forever" approach, in which the continuing cost for integration of systems becomes prohibitively expensive. 
In a world where technology and features change quickly, this approach is not practical because it severely limits an end user's ability to try new technology and different vendors' products and requires a substantial financial commitment to specific manufacturers and proprietary interfaces.<br></p><p><strong>Standards in Safe Cities </strong></p><p>ONVIF was founded in 2008 by Axis, Sony, and Bosch to create a global standard for the interface of IP-based physical security products. The organization was developed to provide increased flexibility and greater freedom of choice, so installers and end users can select interoperable products from a variety of different vendors. </p><p>Product interoperability is a driving force behind ONVIF. Interoperability is a simple concept: it is the ability of a product or system to work with another product or system, often from different brands made by different manufacturers. </p><p>ONVIF profiles are subsets of the overall ONVIF specification. They group together sets of related features to make product selection easier for end users, consultants, and systems integrators. Products must be conformant with one (or more) of ONVIF's specific profiles. 
</p><p><strong><em>ONVIF's current profiles are:</em></strong></p><p><strong>Profile S</strong> for IP-based video and audio streaming, including:<br></p><ul><li>Video and audio streaming<br></li><li>Pan-tilt-zoom control and relay output<br></li><li>Video configuration and multicast<br> </li></ul><p><strong>Profile G</strong> for edge storage and retrieval, including:</p><ul><li>Configure, request, and control recording from conformant devices<br></li><li>Receive audio and metadata stream<br></li></ul><p><strong><br>Profile C</strong> for IP-based access control, including:</p><ul><li>Site information and configuration<br></li><li>Event and alarm management<br></li><li>Door access control<br></li></ul><p><strong><br>Profile Q</strong> for easy configuration and advanced security, including:</p><ul><li>Out-of-box functionality<br></li><li>Easy, secure configuration<br></li><li>Secure client/device communications using transport layer security (TLS)<br></li></ul><p><strong><br>Profile A</strong> for Broader Access Control Configuration</p><ul><li>Granting/revoking credentials, creating schedules, changing privileges<br></li><li>Enables integration between access control and IP video management system<br> <br></li></ul><p><strong>Profile T</strong> for Advanced Video Streaming is currently in draft form and is scheduled for initial release in 2018. </p><p>Standards, such as those from ONVIF, provide the common link between disparate components of safe city systems. Designed specifically to overcome the challenges in multi-vendor environments, ONVIF's common interfaces facilitate communication between technologies from different manufacturers and foster an interoperable system environment where system components can be used interchangeably, provided they conform to the ONVIF specification. 
</p><p>In 2014, ONVIF member company Meyertech helped the city of York, United Kingdom, deploy a safe city solution for the city's public spaces and transportation system. Using Meyertech video management software (VMS) and information management software, the city integrated IP cameras with the many legacy systems for its York Travel and Control Centre command center. </p><p>The city's control room monitors more than 150 cameras from different manufacturers in York, and city representatives reported an immediate impact on crime rates. The integration of legacy and new IP cameras with the new VMS, which interfaced with the information management software, was made possible through ONVIF's video specification. </p><p>A standardized approach for both file format and associated players, which is often a challenge in multi-vendor environments, is also provided by ONVIF, increasing the efficiency of the process and also adding the potential of including metadata—for example, data from an analytic, indicating number of objects, speed of objects, or even colors—in exported materials and reports. Standardized file formats include MPEG4, H.264, and, with Profile T, H.265, which are readable by many standard video players on the market, including Windows Media Player, VLC, DVD players, and many more. </p><p>ONVIF has also released an export file format specification that outlines a defined format for effective export of recorded material and forensics. These specifications together make it possible not only to integrate devices in multi-vendor video security system deployments in safe city environments, but also to offer a common export file format that can streamline post-event investigations where authorities are trying to react as quickly as possible to apprehend suspects or to defuse an ongoing situation.</p><p>Another ONVIF member, Huawei, is considered a leader in smart city solutions. 
Huawei's video management system was used in Shanghai, China, as part of the Chinese Ministry of Public Security's safe cities construction initiative. One of the key challenges of the project was to integrate old and new technology. Huawei's VMS uses ONVIF to integrate cameras from manufacturers Dahua, Haikang, Axis, Sony, and others.</p><p><strong>Multi-Discipline Standards</strong></p><p>A multi-discipline physical security standard that specifies parameters for video surveillance, access control, and other essential operations of a safe city command center would likely increase the prevalence of safe cities even further.</p><p>Many in the broader technology industry see standards as an important component in both safe cities and the Internet of things (IoT). The Institute of Electrical and Electronics Engineers and other standards groups are already working on IoT standards for technology-based industries, and some experts expect that global IoT standards will be introduced by the end of this year. </p><p>As standards and industries collaborate even further and establish minimum interoperability standards together, the need for a multi-discipline physical security standard will become more urgent. ONVIF envisions that all physical security systems will eventually have the same interfaces for interoperability, and the organization is dedicated to facilitating the work of its members in developing such a multi-discipline standard. </p><p><em>Jonathan Lewit is chairman of the ONVIF Communication Committee.</em></p>