More Headlines

 

 

https://sm.asisonline.org/Pages/CUATRO-DESAFÍOS-PARA-LA-SEGURIDAD-DE-LA-AVIACIÓN.aspx
Four Challenges Facing Aviation Security
Category: Physical Security
<p><em style="text-align:justify;">Anthony McGinty, CPP, is a Senior Intelligence Analyst at CSRA Inc, contracted to Los Angeles International Airport. He is a member of the ASIS Council on Global Terrorism, Political Instability, and International Crime.</em></p>
<p style="text-align:justify;"><strong>1. Airports as cities. </strong>The traditional problems of cities are finding their way into airports: homelessness, mental health problems, drug abuse, petty and complex crime, and civil disobedience. For security and law enforcement agencies, the challenge is to carry out first-responder duties while also identifying threats with major consequences for aviation operations. Both functions require specific and distinct skill sets. Security directors have to balance assets, personnel, and operations to mitigate the risks of both public disturbances and threats to national security.</p>
<p style="text-align:justify;"><strong>2. International terrorism. </strong>Commercial aviation will remain an attractive target for militant and extremist groups. The public side of airports, bordering the security screening checkpoint, is vulnerable to an assortment of terrorist attacks, including indiscriminate shootings, luggage containing explosives, weaponized drones, and vehicle rammings. Thousands of technically competent and ideologically motivated militants who are retreating from the collapsing ISIS caliphate could regroup under new banners, join Al Qaeda affiliates, or act independently.</p>
<p style="text-align:justify;"><strong>3. In-flight disturbances. </strong>Every week, media reports and Internet videos show the latest outrages inside aircraft cabins: brawls, alcohol-fueled rants, sexual assaults, and resistance to flight attendants' instructions. This trend of disputes and violence during flights at 30,000 feet (10,000 meters) is potentially dangerous. If placing a security officer on board is not enough, solutions may include institutional changes in the relationship between crew and passengers. For example, some instances of human trafficking using commercial airlines are so common that crews are now being trained to identify the indicators and act. This is one more example of the changing role of the crew, from facilitators of comfort to enforcers of rules and laws.</p>
<p style="text-align:justify;"><strong>4. Insider threats. </strong>Terrorist groups could recruit airport employees to circumvent security screening, especially employees with direct access to aircraft. Some employees have also smuggled drugs, weapons, and other items. It takes only one radicalized or disgruntled employee to commit an act that leads to a catastrophic incident, which makes dealing with insider threats a priority. Airports and airlines are implementing their own strategies to mitigate these threats. Mostly, this effort has involved security screening for all employees, or some select groups, before they enter restricted areas. Technology can also support these efforts. New analytic capabilities embedded in video and access control systems can now provide a sophisticated surveillance tool. Likewise, in-house policies with rigorous internal "If you see something, say something" efforts are essential.</p>
<p style="text-align:justify;"><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Management<em> is not responsible for errors in translation. Readers can refer to the </em><a href="/Pages/Four-Challenges-Facing-Aviation-Security.aspx" target="_blank"><em>original English version here.</em></a><br></p>
https://sm.asisonline.org/Pages/June-2018-ASIS-News.aspx
June 2018 ASIS News
Category: Security by Industry
<h4>GSX Program Unveiled</h4><p>In April, ASIS revealed a jam-packed education lineup for Global Security Exchange (GSX), formerly the ASIS International Annual Seminar and Exhibits. Featuring a record 300-plus sessions led by subject matter experts from ASIS, InfraGard, and Information Systems Security Association (ISSA), the education covers the most pressing issues facing security professionals today. </p><p>The learning covers a diverse range of topics from "Security for Events and Mass Gatherings" and "Digital Data in the Age of Breaches and Theft" to "Selling Security Requirements to the C-Suite." </p><p>Building on the exciting changes launched in 2017, the sessions will be delivered in more modern formats including immersive small group workshops, deep dives, and simulation formats, as well as traditional lectures and panels.</p><p>"With the different tracks GSX offers, it allows you to really hone in on the areas you're interested in," says longtime attendee Brian Reich, CPP, senior vice president and head of global security and investigations, TD Bank. "There are so many options and learning levels that it allows practitioners at every stage of their career to focus in on specific areas of interest and learn something new to better their organization. Combine that with walking around the show floor, and you have new insight into the products and services you're looking for."</p><p>The education continues beyond the classroom. In addition to Career Center and Impact Learning Sessions held directly on the show floor, the GSX exhibit hall doubles as a learning lab environment. 
Demonstrating innovation in action, more than 550 of the industry's leading solutions providers will showcase new and emerging technologies, such as immersive reality, machine learning, robotics, and drones. In addition, three interactive learning theaters will feature a series of fast-paced presentations that focus on the past (lessons learned), the present (threat analysis, best practices, and benchmarking), and the future (anticipating what's to come). </p><p>GSX takes place September 23-27 in Las Vegas, Nevada. Save up to $200 on the All-Access Pass when you register before June 29. For the complete list of sessions and to view registration packages, visit GSX.org.​</p><h4>WILL I SEE YOU THERE?</h4><p>A personal perspective on GSX18</p><p>By Jeffrey A. Slotnick, CPP, PSP</p><p>"Global Security Exchange (GSX) is coming soon to Las Vegas. Will I see you there?" An interesting question that I often receive from colleagues. I attended my first annual event in 2003 and I have not missed one since. "Why?" you might ask. What motivates me to make the financial investment to attend year after year?</p><p>Simply, it is the personal and professional relationships that continue to grow. It is the new products on the show floor, the great conversations as I travel from one event to the other, the keynote speakers who always motivate me to do better, and the fun! It's a lot of fun!</p><p>But let's take a deeper dive. I have made long-lasting friendships with colleagues from all over the world. I have come to know some of the most knowledgeable and influential people in the industry—who provide perspective from Africa, Central America, South America, the Middle East, and Europe. I do not need to know everything, I just need to know someone who knows what I need. At GSX, I get to confer with 20,000 or more colleagues. 
Many of these friendships have also led to business because we all want to do business with someone we know and trust.</p><p>I know the vendors of products I use and recommend for my clients. Some of my vendor contacts are relationships I first made in 2003 on the show floor or in a training session or coffee break, and they now work at the executive level in their organization. Now, if I need to know about a product or a new offering, I can simply call the person who is the subject matter expert on that product and receive direct information from design engineers, or even the company's vice president.</p><p>Fun! Did I mention fun? The President's Reception, professional lounges, Foundation activities, golfing, motorcycles, cigars with friends, vendor events, and, yes, the occasional adult beverage.</p><p>So, this is my personal perspective and why I continue to invest in GSX year after year. My budget does not allow me to attend every industry conference. I get the most out of my investment at GSX, from educational opportunities, vendor information, professional development, and friendships. I find it all in one place for five very intense days—and I always return motivated, optimistic, happy, and occasionally with a new project.</p><p>Please feel free to reach out to me on the ASIS Connects community platform to continue the conversation.​</p><h4>WHITE PAPERS</h4><p>Two councils published white papers in the first half of 2018—the Information Technology Security Council's Security on the Internet of Things: An ESRM Perspective and the Cultural Properties Council's Hostile Surveillance Detection for Houses of Worship.</p><p><strong>Internet of Things: An ESRM Perspective</strong></p><p>The idea behind the Internet of Things (IoT) is that we have come to expect our technology to be readily accessible from anywhere via any interface we choose. We want to start our cars from our phone, lock our front door from our computer, or turn on the crockpot from a tablet. 
To do that, all those devices must be able to communicate with us, with the outside world, and with each other.</p><p>According to the paper, the IoT brings a new level of mobile management to every aspect of consumer and business activities. However, it also provides convenient access for criminals who want to exploit those things. "More access points provide more opportunities for attackers to get in. More communication provides more online traffic to siphon information from. More control provides more ability to hijack that control."</p><p><strong>Surveillance Detection for Houses of Worship</strong></p><p>Terrorists often gather significant pieces of information from open sources such as Google Maps and social media postings. They collect a lot of data about their target of interest and eventually they will conduct physical surveillance. Physical surveillance allows them to study the location, focusing on how they will attack, how they will escape, when the attack will create the most devastation, and what form of attack will be most effective.</p><p>So, how do you know if someone is watching your facility?</p><p>This paper provides tips on what to look for and actionable steps to take to identify and counter surveillance detection of a facility. Although the practices are tailored to houses of worship, the document serves as a valuable guide for all facilities, especially soft targets, that are trying to understand, identify, and mitigate hostile surveillance.</p><p>Both white papers can be found on the ASIS website. Search "Understanding IoT" and "Hostile Surveillance."</p><h4>ASIS EUROPE 2018</h4><p>Rotterdam, The Netherlands, was the site of ASIS Europe 2018, held April 18-20. Themed "Blurred Boundaries—Clear Risks," the conference drew 775 registrants from 52 countries for two days of networking, exploring the exhibit floor, and sampling the 70 educational sessions that discussed issues facing security professionals today and tomorrow. 
</p><p>Attendees navigated a broad sweep of risks—from the malicious use of the latest emerging technologies to the dangers of low-tech attacks, particularly on soft targets in public spaces. Other topics included the human factor and the insider threat, and ever-present responsibilities like travel risk management and duty of care.</p><p>Two featured speakers—Tom Raftery, global vice president, futurist, and innovation evangelist at SAP, and Scott Klososky, founding partner at Future Point of View—examined the security landscape of our connected, digital future.</p><p>"Terms like Internet of Things and connected devices will soon disappear, because everything being connected will simply become the new normal," says Eduard Emde, CPP, ASIS Europe 2018 conference chair. "We heard that technology is very much the jugular vein of organizations, confirming that for security practitioners, the bottom line is that enterprise security risk management approaches—which cover the full sweep of human, cyber, and physical assets—are essential for supporting our organizations through partnerships and shared strategic objectives."</p><p>On the exhibit floor, innovations ranged from the latest integrated access control and surveillance technology to self-learning cyber defenses and mass communications platforms. Knowledge-driven solutions were also strongly represented, from intelligence and risk analysis to executive protection and workforce training programs.</p><p>ASIS Europe 2019 will take place in Rotterdam March 27-29, 2019. Visit www.asiseurope.org to learn more.</p><h4>CPP STUDY MANUAL</h4><p>ASIS has begun to develop a new study manual for the Certified Protection Professional® (CPP) exam. </p><p>The Society has received a significant amount of feedback relating to the recommended reading materials and the need for content organized in a way that better supports the certification domains. 
ASIS recognizes the need to address this gap and to provide security practitioners with the tools necessary to facilitate exam preparations and promote professional development and advancement. The project is led by volunteers and staff and launched in May with a call for experts. Stay tuned for updates in the coming months.</p><h4>ASIS TV</h4><p>ASIS is partnering with Chuck Harold of Security Guy Radio/TV to livestream interviews with ASIS members and industry thought leaders throughout 2018, expanding content delivered on ASIS TV via the ASIS Livestream channel. Harold will further showcase member expertise by representing ASIS at select industry tradeshows across the United States.</p><p>"Chuck Harold has decades of security experience and has built a reputation for helping security professionals across the globe make more informed decisions," says Ron Rosenbaum, ASIS chief global marketing and business development officer. "This partnership is an exciting step forward for ASIS as we diversify how we provide information and resources to the profession. These ASIS TV broadcasts offer expanded access to security best practices, engage new audiences, and ensure that industry professionals are able to stay ahead of the security curve."</p><p>In 2018, Harold will broadcast on behalf of ASIS TV from Black Hat USA this August and will conduct interviews from the ASIS booth at the IACP Conference. ASIS TV coverage at Global Security Exchange (GSX) will include livestreaming from the expo floor, key education sessions, and networking events throughout the week.</p><p>"This is a terrific opportunity to showcase the depth and breadth of our industry—the career paths, subject matter expertise, as well as the technical and service innovations that help protect our people, property and information assets," says Harold. "I am excited, honored, and proud to partner with ASIS, and look forward to engaging with the industry in this new capacity." 
</p><p>View security expert videos at asisonline.org/ASISTV.​</p><h4>ASIS LIFE MEMBERS</h4><p>ASIS congratulates Cheryl D. Elliott, CPP, PCI; James B. Princehorn, CPP; and Harvey M. Stevens, CPP, who have been granted lifetime membership to ASIS.</p><p>Elliott has been a dedicated member of ASIS and the Greater Atlanta Chapter for 20 years. She served on the Professional Certification Board for many of those years, and she is now a member of the Investigations Standards Committee.</p><p>Princehorn, an ASIS member for 28 years, is a member of the Fire and Life Safety Council. He also served the Rochester, New York Chapter as chapter chair and in other leadership positions. Princehorn has also volunteered as a regional vice president, assistant regional vice president, and member of the Awards Committee.</p><p>Stevens served ASIS many years as a member of the Physical Security Council. He spoke at 10 ASIS educational programs during his 32 years as an ASIS member and a member of the New York City Chapter. ​</p><p> </p><h4>Member Book Review</h4><p><em>Security Surveillance Centers: Design, Implementation, and Operation<br></em>By Anthony V. DiSalvatore, CPP, PCI, PSP. CRC Press; crcpress.com;<br>204 pages; $79.95.</p><p>Author Anthony V. DiSalvatore believes that the particular topic of surveillance centers has not gotten the attention it deserves. In<em> Security Surveillance Centers: Design, Implementation, and Operation</em>, he creates a complete resource on the subject in a compact, easy-to-understand format.</p><p>The author offers a history of security surveillance centers. In the beginning, they were usually divided into a security office proper and a monitoring room or dispatch center. For a variety of reasons, among them economics, safety issues, and synergy, they have largely become one. 
Two points of value emerge in combining them: the economics of avoiding redundancy in the security department and the opportunity for professional development of the monitoring employees, who are given more responsibility and feel more important to the team. </p><p>DiSalvatore lays out exactly what is required for a security surveillance center so that it can be budgeted for accordingly. Among these budget items are design, installation, operation, technology requirements, maintenance, and replacement. He further explains who should be included in the creation of a surveillance center, such as the IT department to not only help develop the system but to partner with security to improve efficiency and trust. </p><p>Besides the budget, the center's incorporation into the overall security plan is important. Various duties, such as key control, monitoring alarms, organizing patrols, and other routine tasks must be accounted for. Managers must prioritize procedures to include what to monitor and how, evacuations, and even fire command, depending on the size and scope of the center. The author winds down with the addition of chapters on ethics, legal issues, auditing of the center, training, and policy. A relevant checklist of potential duties involving a center, test questions, a glossary, and types of forms complete the work. </p><p>Educational, relevant, and easy to understand, this book is a worthwhile read for any mid- to upper-level security manager as well as those who work in security design. </p><p>Reviewer: William F. Eardley IV, M.L.S. (Master of Liberal Studies), has 31 years of experience in security and corrections. He is a member of ASIS International.</p>
https://sm.asisonline.org/Pages/Scanning-the-Schoolyard.aspx
Scanning the Schoolyard
Category: Physical Security
<p>Relationships between students and campus law enforcement have been key to establishing an environment of safety and security at Delaware Valley School District, which encompasses 200 square miles in northeastern Pennsylvania.</p><p>"Kids have come to the police officers…and told them about potential threats that we've been able to curtail before they've happened," says Christopher Lordi, director of administrative services for the district.</p><p>About eight years ago, the rural district decided to employ its own sworn police force and hired five officers, including a chief of police. It has since added a sixth.</p><p>"Having a police force not only gives us a presence of an armed person to counteract any issues that we may have, but it also allows us to create relationships with students," Lordi says.</p><p>The officers are a presence on the three campuses that make up the district. They may be found teaching and conducting Internet safety classes and anti-drug programs. </p><p>"Not only are they our first line of defense, but they're also relationship builders, and they create positive environments where kids will feel comfortable to come and tell them things," Lordi says.</p><p>Still, the officers and faculty can't be everywhere at once when incidents do occur, which is why the district installed a camera and video management system (VMS) about 10 years ago. </p><p>"It doesn't matter how many administrators you have, how many teachers you have, how many officers you have," Lordi notes. "They can't be everywhere at once, so the cameras allow us to be in those places when somebody can't." 
</p><p>As the original cameras and VMS were becoming outdated, Delaware Valley's board was supportive of purchasing a new system. The district worked with integrator Guyette Communications of Plymouth, Pennsylvania, and chose the Vicon Valerus VMS system, as well as approximately 400 cameras, also from Vicon. Installation began in March 2017 and ended just before the new school year began in August. </p><p>The cameras, the majority of which are the 3 megapixel IQeye Alliance dome model, were installed inside and outside of the district's eight buildings. The Vicon Cruiser domes with 30x optical zoom were purchased for the parking lots to better read license plate numbers. Campus police have access to a license plate database, so no license plate recognition software is needed, but Vicon does integrate with such software should customers need that feature. </p><p>In addition to feeding into a central video server at a district-wide monitoring station, each building has its own local recording capability and stores video for a set number of days. </p><p>Delaware Valley is expanding a career and technical education wing, which includes 25,000 square feet of classrooms and workspace. The school plans to install more cameras there.  </p><p>The district police force is responsible for managing the VMS, and each officer has a hardwired PC monitoring station to view video feeds. Campus police also have access to footage via iPhones purchased by the district and use them to see what's going on at their campuses. </p><p>"When we need to view something quickly our officers can go right on their iPhones and view it right from there, which is handy if you don't have the ability to get back to your computer," Lordi says. </p><p>Giving all officers access to the entire district's camera feeds was also crucial. "We did that for backup purposes," he says. 
"If anything were to happen on one of the campuses, all of the officers—after they secure their buildings—can go on and be the eyes and ears for our officers on those other campuses."</p><p>Soon after the cameras were installed, the new system led to the capture of a thief. In the spring of 2017, when a laptop went missing, the video was reviewed in the general time frame that the incident occurred. It revealed an employee going into an administrative office with a garbage bag, then coming back out. </p><p>"We could zoom in, and you could see that the bag was significantly larger when the employee came out," Lordi notes, adding that the old camera system would not have been clear enough to identify the culprit. The footage was turned over to local police, who apprehended the employee. That person has since resigned. </p><p>The detail captured by the cameras also helped solve an incident in the parking lot. Lordi notes that the main campus is in a high-traffic area, which can attract unwanted activity. </p><p>"We were able to pull the license plate from one person that had an incident on campus...and track the person down," Lordi explains. "It just provides another layer of security, so we know who's on the campus and what time they leave the campus."</p><p>While the district currently hands footage over to law enforcement after the fact, it's working on a memorandum of understanding with local police and hopes to establish a network that allows police to view video from the campuses live. "We're currently working on a strategy to get them involved beforehand," Lordi says. </p><p>With the combination of its police force and the camera system, Delaware Valley has seen a significant reduction in incidents on campus. </p><p>"When our officers first started we had something like 200 to 250 incidents that our administrators were dealing with; I think last year we had 36," he says. 
</p><p>The Valerus VMS and cameras give campus police and administrators peace of mind about their ability to solve incidents, and ultimately keep students safe. </p><p>"It allows us to feel secure knowing that it's going to be on camera if someone doesn't view or witness it live," Lordi says. "We can always view it on the cameras later."  </p><p><em>For more information: Dee Wellisch, dwellisch@vicon-security.com, www.vicon-security.com, 631.952.2288.</em></p>
https://sm.asisonline.org/Pages/Attacks-on-the-Record.aspx
Attacks on the Record
Category: Cybersecurity
<p>It was, in the opinion of some experts, a long overdue action. But it finally came. On March 15, 2018, the U.S. federal government issued sanctions against Russia for its interference in the 2016 U.S. elections and malicious cyberattacks on critical infrastructure.</p><p>"The administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyberattacks, and intrusions targeting critical infrastructure," said U.S. Treasury Secretary Steven T. Mnuchin in a statement. "These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia."</p><p>The sanctions targeted five entities and 19 individuals for their roles in these activities and prohibit U.S. persons from engaging in transactions with them. Mnuchin also said that the department intends to impose additional Countering America's Adversaries Through Sanctions Act (CAATSA) sanctions to hold Russian government officials and oligarchs accountable.</p><p>The economic penalties are an attempt to punish Russians for their role in various forms of cyberactivity, including the NotPetya attack, which the White House and the British government have attributed to the Russian military.</p><p>NotPetya "was the most destructive and costly cyberattack in history," Mnuchin said. "The attack resulted in billions of dollars in damage across Europe, Asia, and the United States, and significantly disrupted global shipping, trade, and the production of medicines. 
Additionally, several hospitals in the United States were unable to create electronic records for more than a week."</p><p>The sanctions were also in response to the efforts of Russian government cyber actors in targeting U.S. government entities and critical infrastructure—including energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors—since at least March 2016. </p><p>Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, says that the United States should be "very concerned" about these attacks.</p><p>"For one, they could cause prolonged electrical outages and blackouts because our electrical grid infrastructure lacks sufficient redundancy to sustain these attacks," Bilogorskiy explains. "In the worst-case scenario, cyberattacks on nuclear power plants could cause them to explode and cost human lives."</p><p>One example of a near-worst-case scenario was the recent incident targeting Schneider's Triconex controllers at Saudi Arabia's power plants. A cyberattack hit its systems, Bilogorskiy says. It was intended to cause an explosion, but an error in the attack's computer code caused it to fail.</p><p>To educate network defenders on how they can reduce the risk of similar malicious activity in their networks, the U.S. Department of Homeland Security (DHS) and the FBI released a joint technical alert detailing Russia's campaigns to target critical infrastructure. </p><p>"DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks," the alert said. 
"After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to industrial control systems (ICS)."</p><p>The alert split the victims of Russia's activity into two categories: intended targets and staging targets. Staging targets are the peripheral organizations Russia targeted first, such as trusted third-party suppliers with less-secure networks.</p><p>"The threat actors used the staging targets' networks as pivot points and malware repositories when targeting their final intended victims," the alert explained. DHS and the FBI "judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the 'intended target.'"</p><p>Compromising these networks involved conducting reconnaissance, beginning with publicly available information on the intended targets that could be used to conduct spear phishing campaigns.</p><p>"In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information," the alert said. "As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background."</p><p>After obtaining information through reconnaissance, the threat actors weaponized that information to launch spear phishing campaigns against their targets that referred to control systems or process control systems. These campaigns tended to use a contract agreement theme that included the subject "AGREEMENT & Confidential," as well as PDFs labeled "document.pdf."</p><p>"The PDF was not malicious and did not contain any active code," the alert said. 
"The document contained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password."</p><p>The phishing emails also often referenced industrial control equipment and protocols and used malicious Microsoft Word attachments—like résumés and curricula vitae for industrial control systems personnel—to entice recipients to open them.</p><p>Additionally, the hackers used watering holes to compromise the infrastructure of trusted organizations to reach their intended targets.</p><p>"Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure," the alert said. "Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content."</p><p>The threat actors were then able to collect users' credentials that would allow them to log in to their profiles elsewhere. They also used this access to compromise victims' networks where they were not using multifactor authentication.</p><p>"To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets," according to the alert.</p><p>Once the attackers had gained access to their intended targets, they used that access to infiltrate workstations and servers on corporate networks that contained data on control systems within energy generation facilities. The attackers also copied profile and configuration information for accessing ICS systems. 
</p><p>This method of compromise is not new and has been demonstrated in cyberattacks on the corporate sector over the past few years, says Tom Patterson, chief trust officer at Unisys.</p><p>"Just as with the Target cyber breach several years ago, they first attacked supply chain partners, which are often less protected, and then used their access to compromise the actual target company," Patterson explains.</p><p>The level of access the attackers were able to gain is concerning, Patterson adds, because it could potentially give them the ability to disrupt functions of critical infrastructure, such as providing heat in the winter. </p><p>"Since many of these ICS devices are connected to corporate networks in today's enterprise, and oftentimes they are older devices built on insecure operating systems, this gives the threat actors and their political or economic masters the ability to disrupt or destroy systems at the push of a button," Patterson says.</p><p>Brian Harrell, CPP, former operations director of the Electricity Information Sharing and Analysis Center and director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC), agrees with Patterson that these kinds of attacks are not new.</p><p>What is new, says Harrell—now president and CSO of the Cutlass Security Group—is that the United States is choosing to acknowledge and attribute the activity, publicly, to Russia. </p><p>"While attribution is often difficult, nation-state actors like Russia likely have the most interest in compromising industrial control networks, not to necessarily take anything, but to prove they can access our systems and cause us to feel unsettled," he explains. </p><p>While the U.S. 
government has taken the approach to name and shame, Harrell says he thinks it's unlikely that the public actions will deter Russia's behavior.</p><p>"Unfortunately, the current DHS alert, legal indictments, sanctions, or public shaming will not have any effect on Russian cyber intrusions," he adds. "However, we must continue to increase pressure until they change their behavior and become a responsible member of the international community."</p><p>In the meantime, the FBI and DHS recommend that network administrators review their IP addresses, domain names, file hashes, and other signatures that were provided in their alert. The agencies also recommended adding certain IP addresses cited in the alert to their watch lists.</p><p>"Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity," according to the alert. </p><p>The two agencies also compiled a list of 28 actions for network administrators to take in response to Russia's activity, including monitoring virtual private networks for abnormal activity, deploying Web and email filters, and segmenting critical networks and control systems from business systems and networks.</p><p>"What DHS is recommending, at the end of the day, are properly built ICS networks, monitored so organizations can detect attacks and are plugged into external threat intelligence, with incident response plans and board-level strategic roadmaps," Patterson says.</p>
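An added example, not part of the alert or of the original article: a Python mail-triage check for the lure the alert describes (the "AGREEMENT & Confidential" subject, a "document.pdf" attachment with no active code, and a shortened URL inside it). The shortener host list, the function names, and the sample messages are assumptions made for illustration, and the PDF scan reads only uncompressed /URI link actions.

```python
"""Triage e-mail for the passive-PDF credential lure described in the alert.

Added illustration: host list, function names and sample messages are constructed.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Lure traits quoted in the article.
LURE_SUBJECT = "agreement & confidential"
LURE_ATTACHMENT = "document.pdf"

# Assumption: illustrative shortener hosts; the article names none.
# "short.example" is a constructed stand-in used by the sample below.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}

# Link annotations store their target as "/URI (http://...)".
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")
# PDF name tokens that indicate active or auto-run content.
ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def pdf_link_targets(pdf_bytes):
    """Return link targets found in uncompressed /URI actions."""
    return [raw.decode("latin-1") for raw in URI_ACTION.findall(pdf_bytes)]


def is_shortened(url):
    """True when the URL's host is on the shortener list."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL text inside the PDF
        return False
    return host in SHORTENER_HOSTS


def score_message(raw_bytes):
    """Return the lure traits present in one RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    if LURE_SUBJECT in subject:
        findings.append("subject-theme")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        looks_like_pdf = (part.get_content_type() == "application/pdf"
                          or name.endswith(".pdf")
                          or data.startswith(b"%PDF"))
        if not looks_like_pdf:
            continue
        if name == LURE_ATTACHMENT:
            findings.append("attachment-name")
        if any(is_shortened(u) for u in pdf_link_targets(data)):
            findings.append("shortened-url")
            # A PDF with no active code passes malware scanning, so the
            # link itself is the signal worth surfacing to an analyst.
            if not any(token in data for token in ACTIVE_CONTENT):
                findings.append("no-active-content")
    return findings


def build_sample(subject, filename, url):
    """Construct a test message with a minimal PDF-like attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "engineer@example.org"
    msg["Subject"] = subject
    msg.set_content("Please review the attached agreement.")
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (" + url.encode("ascii") + b") >> >>\n"
           b"endobj\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "lure": build_sample("AGREEMENT & Confidential", "document.pdf",
                             "https://short.example/constructed"),
        "benign": build_sample("Quarterly report", "report.pdf",
                               "https://www.example.com/report"),
    }
    for label, raw in samples.items():
        print(label, score_message(raw))
```

Messages that score on several traits at once are candidates for quarantine and for a credential reset if a recipient followed the link.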
https://sm.asisonline.org/Pages/Next-Gen-911.aspx | Next-Gen 911 | National Security
<p>Overall, 2017 was a landmark year for catastrophic natural disasters in the United States, leading to dozens of deaths and revealing weaknesses in emergency response systems. Two regions were hit particularly hard—the Houston, Texas, area where more than 80 people were killed during a hurricane in August, and northern California where wildfires were responsible for more than 40 deaths in October.</p><p>These multiday disasters were far-reaching and overwhelming—for both citizens and first responders. During the Houston floods, overloaded 911 dispatch centers led hundreds of people to turn to social media for help, and kayak-paddling citizens pitched in to help rescue efforts. Criticism of emergency response during the California wildfires was swift—evacuation warnings during the rapidly evolving blaze were either delayed or nonexistent, and emergency lines were constantly tied up.</p><p>After-action reports by state and local officials are still being conducted, but the emergency communications failures have left citizens, law enforcement, and legislators looking for solutions.</p><p>The question of how people can seamlessly use their phones for a myriad of activities yet not use that same technology when calling 911 has been asked for years as mobile devices have become the standard—more than 80 percent of 911 calls are made from wireless devices. There is a mobile-friendly solution—albeit one that has not been widely adopted. Known as Next Generation 911 (NG911), the program is IP-based and would allow citizens to call, text, and send multimedia transmissions to dispatch centers, which would have enhanced response capabilities. 
</p><p>Many of the problems experienced during the Texas and California disasters—especially overloaded phone lines—could be avoided with such a system. NG911's enhanced location capabilities and ability to reroute calls to other dispatch centers would allow for more seamless emergency response, especially during high-volume call times.</p><p>While potential for such emergency communications technology improvements has been discussed for almost a decade, there is no federal requirement for dispatch centers to upgrade 911 technology, and it's up to states and localities to implement—and pay for—the new system. Legislation was passed in 2012 that outlines the federal role in helping communities transition to NG911 and calls on the U.S. National Highway Traffic Safety Administration (NHTSA) to coordinate efforts among U.S. federal, state, and local stakeholders. The overarching goal of the legislation is to connect the more than 6,000 independently operating systems in the United States into a nationwide interconnected system with modernized capabilities. </p><p>The U.S. Government Accountability Office (GAO) reviewed these federal efforts—known as the National 911 Program—and found that key challenges include addressing funding, governance, and interoperability and technology concerns. This year, NHTSA is planning to implement a $115 million grant program and outline a roadmap dictating national-level efforts to encourage NG911 adoption at the state and local levels.</p><p>"Collaborating with the appropriate federal agencies to determine federal roles and responsibilities to carry out the roadmap's national-level tasks could reduce barriers to agencies effectively working together to achieve those tasks," the GAO report states. 
"Furthermore, developing an implementation plan that details how the roadmap's tasks will be achieved would place the National 911 Program in a better position to effectively lead interagency efforts to implement NG911 nationwide."</p><p>At the end of the day, however, it's still up to each of the country's almost 6,000 dispatch centers to make the upgrade, if they choose. A U.S. Federal Communications Commission (FCC) congressional report released at the end of 2017 surveyed almost all states on their NG911 implementation efforts, finding that many were taking some steps to pave the way for the upgrades but they face funding challenges. </p><p>The FCC report details how dispatch centers are raising money to implement NG911 capabilities—a huge hurdle for localities, experts say. The National 911 Program commissioned a study last year assessing the cost of nationwide NG911 implementation, but it has been under review for months and has not been released publicly. However, some officials estimate it will cost $10 billion to implement across the country.</p><p>Officials at each state and locality are taking a different approach to raising money—often a combination of state funding and increased fees for phone subscribers. However, not all money raised so far is dedicated to upgrading 911 services. In 2016, states raised more than $2.7 billion in 911 fees, but only 7 percent of that money was spent on NG911 efforts versus maintaining legacy systems. Additionally, about 5 percent of the money collected was diverted to nonpublic safety uses, the report notes.</p><p>Localities also face challenges collecting subscriber fees. It's up to telecommunications companies to collect the fees and give them to the states and localities that have implemented them, but 20 states lack the ability to audit the companies to make sure they are collecting fees from all applicable subscribers. 
It's a common concern—counties are required to notify telecom companies of the fee increase and trust they will pay up.</p><p>One county in Nevada—one of the states that is unable to audit telecom companies—has one of 12 emergency communications systems in the United States that is three generations old. In trying to upgrade its system to NG911, the county implemented an increased subscriber fee in 2016 but has not received the expected amount of money due to sporadic telecom payments. The county expected to collect $150,000 for NG911 by now but has only received about $46,000.</p><p>Many localities are waiting for the NHTSA grants to become available, but experts agree that $115 million across almost 6,000 dispatch centers will not go far. In March, representatives of emergency communications organizations requested that Congress consider funding its own grant program for NG911.</p><p>"Without significant federal funding, we are concerned that 911 networks across the country, including in rural and urban areas, will not be upgraded quickly and efficiently," the letter notes.</p><p>"The grants will not cover it all—there will need to be significant local funding," says Andrew Huddleston, an assistant director at the GAO who worked on the NG911 report. "The grants are there to provide financial assistance—that's why we highlighted funding as a key challenge area for the states, because it can be a significant cost."</p><p>Huddleston says he visited several dispatch centers and saw how funding was a challenge for small and large communities alike.</p><p>"It can be more challenging for local governments that might have a smaller tax base, and even for larger ones because they have more infrastructure," Huddleston explains. 
"We visited a fairly large call center in an urban area that would seem like they had more resources than average, but they did talk about how during the transition time they would have to maintain their legacy 911 system as well as bring the NG911 system online—so basically paying for both while they are transitioning. That's hard from a money perspective."</p><p>Other challenges to nationwide NG911 implementation include interoperability and technology challenges. Thirteen states have deployed IP networks for local emergency services to use, but most dispatch centers remain on legacy networks, the report notes. An estimated 1,800 centers can receive text messages, but there is no data on how often citizens text instead of call emergency services. One Houston emergency operations center reported that it only received a handful of texts during the height of the floods, compared to tens of thousands of calls and hundreds of posts on social media. </p><p>While being NG911, compliant requires a set list of capabilities—securely using additional data for routing and answering calls, processing all types of calls and multimedia, and transferring calls with added data to other call centers or first responders—there are several ways to implement the upgrades. Even if two neighboring states are NG911 compliant, they may not have seamless interoperability if they are using different equipment or software solutions, the GAO report notes.</p><p>"The systems are supposed to be all interconnected—if you call one call center and it's overloaded, that call can be transferred to the next center seamlessly, and they can answer the call, so you still get emergency response and not put on hold," Huddleston says. "To be able to do those things you have to have interoperability. 
There are multiple software solutions that could be employed for NG911, so that's definitely something state and local governments will need to be willing to consider."</p><p>An IP-based emergency communications system will have to address cybersecurity challenges as well. The FCC report notes that in 2016, just eleven states and the District of Columbia had spent money on cybersecurity for their dispatch centers. Additionally, the GAO report discusses the federal government's role in assisting dispatch centers in strengthening their cybersecurity when switching to the new system. The U.S. Department of Homeland Security (DHS) issued a guide outlining cybersecurity risks of NG911 and what centers could do to mitigate them, the report notes.</p><p>"We talked about cyber risk because we're moving to an IT system, and that opens potential for different kinds of attacks than you'd have with the traditional 911 system," Huddleston explains. </p><p>Indeed, Baltimore's computer-based 911 system experienced outages in March due to a ransomware attack. The program that the city uses automatically populates the caller's location and dispatches the emergency responders closest to the caller, but the attack shut down the system for about 24 hours, requiring call centers to manually dispatch first responders.</p><p>Another challenge facing dispatch centers is setting up technology and guidelines for dealing with photos and videos sent through NG911. None of the states that GAO spoke with were processing multimedia through their 911 systems due to concerns related to privacy, liability, and the ability to store and manage the data.</p><p>"We highlighted multimedia as a challenge, since one of the intentions of NG911 is to allow not just voice calls but also video or images to be part of what citizens can share when they're trying to contact 911," Huddleston says. "But that creates challenges on the end of the 911 call centers—what do they do with the video? 
They have protocol for phone calls, but video is a different beast in terms of what to look for if there are privacy concerns."</p>
https://sm.asisonline.org/Pages/Far-Distant-Clearings.aspx | Far Distant Clearings | National Security
<p>To all those looking to obtain a U.S. federal security clearance, you may have a bit of waiting to do. There are approximately 704,000 people ahead of you in the queue.</p><p>Executive branch agencies are unable to investigate and process personnel security clearances in a timely manner, says the U.S. Government Accountability Office (GAO), which found that, by September 2017, there was a backlog of more than 700,000 cases. Clearance expert Evan Lesser, president of ClearanceJobs.com, put the backlog number at around 704,000.</p><p>"The backlog is a huge issue. It is a national security concern, without a doubt," Lesser tells Security Management.</p><p>Others agree with Lesser. In January, the GAO added the governmentwide security clearance process to its "high-risk list" of government programs. Although the agency plans to do a regular update of the risk list in early 2019, in this case it decided to announce a special early addition, given the importance of the clearance process. According to U.S. Comptroller General Gene Dodaro, the process is crucial in minimizing the likelihood of classified information disclosures, and also in ensuring that information about individuals with questionable behavior is identified and assessed.</p><p>Security clearance reform is not a new subject in Washington. Roughly a decade ago, the GAO put the Personnel Security Clearance Program (then administered by the U.S. Department of Defense) on its risk list, in large part because the time frame to receive a clearance was averaging 128 days. But by 2010, after clearance time was reduced to about 49 days, the GAO removed the high-risk designation. </p><p>But processing times have been rising steadily. In 2012, 73 percent of U.S. 
federal agencies did not meet clearance timeliness objectives. In 2016, that number rose to 98 percent, the GAO found. </p><p>Now, for the first quarter of 2018, processing times for Top Secret security clearances were 534 days, and 221 days for Secret and Confidential security clearances. "That's one of the main reasons for the 700,000 backlog," Lesser says. "Companies are throwing their hands up. They can't wait [534] days. It's truly a mess."</p><p>The process can also be frustrating for the applicant, especially a first-timer. There is no real feedback loop in the process, so many applicants wait with no idea of how long it will ultimately take. "A lot of them don't want to wait around for the clearance to finish, and they wind up exiting that process," Lesser says. And some applicants "get spooked" that the interminable delays must mean that the government has found out something dark and disturbing about their background.</p><p>"It's a big, big problem. It gives the government a black eye, so to speak. It's a bit of a public relations issue," Lesser says.</p><p>Besides the backlog and the processing delays, GAO also identified several other problems with the current clearance process: a lack of long-term goals for increasing investigator capacity to address the backlog; a failure to identify milestones for establishing governmentwide performance measures to ensure quality background investigations; delays in completing key clearance reform initiatives; and concerns about a new information technology system for the personnel security clearance process.</p><p>One of the big reasons for clearance delays is that the investigation and adjudication processes are spread out across the government. Currently, the National Background Investigation Bureau (NBIB), the main investigative arm of the government, provides 95 percent of the investigations; the FBI conducts background investigations for White House staff. 
</p><p>But once investigations are complete, the NBIB turns over the file to the requesting agency, which then makes the decision on the clearance. Although the adjudication guidelines are similar for all agencies, the criteria are applied differently. So, an applicant may apply for an intelligence community clearance with the CIA and be denied, but afterwards apply for a similar position with the Department of Energy, and have the clearance granted.</p><p>For at least a few decades, DoD has used interim clearances as a temporary measure, so that new personnel can start working without having to wait until full clearance is granted. But with the recent delays, some employees have been working under interim clearances for a year or more. "That is not good," Lesser says. "That's a bit of a risk."</p><p>This potential risk involved in interim clearance situations came into focus for many in February, after former White House Staff Secretary Rob Porter resigned under fire after domestic abuse allegations by two former wives became public. When Porter resigned, he had been working in his position (which gave him access to some classified materials) for a year and had not yet been granted full clearance. </p><p>Episodes such as this have spurred some lawmakers on Capitol Hill to push harder for legislation aimed at bolstering the clearance reform process. In mid-March, the U.S. Senate passed the Securely Expediting Clearances Through Reporting Transparency (SECRET) Act, which is aimed at addressing problems in the security clearance process to ensure both classified information protection and reasonable clearance times. </p><p>The legislation is an expanded version of a bill that passed the U.S. House last year. If the House now approves the Senate's expanded version, it will then go to President Trump to be signed into law.  </p><p>"This [clearance] backlog can hurt our local economy and is a threat to our national security. 
In addition, recent reports of individuals in the Executive Office of the President holding security clearances when they shouldn't have are very concerning," U.S. Rep. Steve Knight (R-CA), the bill's sponsor, said in a statement. "The SECRET Act addresses both of these concerns by improving accountability and encouraging more responsive processing of clearances."</p><p>Meanwhile, other reform efforts at federal agencies will likely continue. In an interview, Lesser singled out a few endeavors that he believes could make a significant difference. Although hiring more background investigators will never solve the problem by itself, it could at least be part of a broader solution, he explains. Moreover, investigators are now allowed to use social media information in their investigations, and this new source could speed up investigations, he adds. </p><p>Lesser also argues for deploying a better prioritization system on the backlog of 700,000-plus clearances. For example, clearances for positions with the greatest national security impact should be moved to the front of the line. In addition, having more reciprocity of clearance among agencies, so each branch would not have to do a separate adjudication of each investigation, could also help. </p><p>And a reform effort that involves a form of continuous evaluation may also hold promise, Lesser explains. The idea here is to keep loose tabs on clearance holders, so that potentially disturbing activities could be detected in near-real time, rather than conducting entire reinvestigations every time a clearance needs to be renewed. </p><p>Finally, many have pushed for IT modernization, and this could also help. Some of the security clearance process is "stuck in the 1950s," with investigators driving to-and-fro for face-to-face interviews, and generating reams of pen-and-ink notes. </p><p>"You'd be shocked," Lesser says.</p>
https://sm.asisonline.org/Pages/Lost-in-Transit.aspx | Lost in Transit | Physical Security
<p>It was a busy morning in December 2017 as a woman boarded the London Underground's Central Line service. While she was on the train, Malcolm Schwartz, 19, also boarded. He approached her and exposed himself, pressing into her.</p><p>The next month, Schwartz boarded the Underground again and assaulted two women, touching and pressing himself against them inappropriately. Later in January, Schwartz once again rode the Underground and stood closely behind a woman, touching her inappropriately as the train traveled through London.</p><p>All four women reported their experiences to the police, and the British Transport Police's Sexual Offences Unit was able to use their reports to trace Schwartz. He was apprehended and pleaded guilty to four counts of sexual assault. </p><p>"Schwartz's behavior was perverse," said DC Thomas O'Regan from the police's Sexual Offences Unit in a press release. "Over a two-month period of time, he traveled on busy Central Line trains assaulting women for his own sexual gratification. His conduct was outrageous, and I am pleased we were able to catch him."</p><p>As part of the punishment for his crimes, Schwartz is now banned from using the London Underground and Docklands Light Railway network and prohibited from sitting next to women traveling alone that he does not know.</p><p>"This complex case demonstrates the true value in reporting unwanted sexual behavior to police," O'Regan said. "The victims each provided us with clear accounts of what happened, enabling us to clearly identify Schwartz as the perpetrator. Reports such as theirs help us catch offenders and ensure that justice is delivered."</p><p>But just a few years earlier, those reports might not have been made. 
A 2013 survey by Transport for London (TfL)—London's transit authority—found that one in 10 of its customers experienced unwanted sexual behavior while using the system. Yet, 90 percent of those individuals did not report the incidents to the police.</p><p>TfL's findings mirrored a wider trend in transit security—that unwanted sexual behavior is pervasive, and few victims ever report the incidents to the authorities. These incidents can also act as barriers for women who want to use public transit but feel unsafe doing so.</p><p>"The lack of personal security, or the inability to use public transport without the fear of being victimized—whether on public transport, walking to or from a transit facility or stop, or waiting at a bus, transit stop, or station platform—can substantially decrease the attractiveness and thus the use of public transit," according to the Global Mobility Report, published by the World Bank partnership Sustainable Mobility for All in 2017. </p><p><em>Security Management</em> took a look at how two major transportation systems are addressing sexual harassment and unwanted sexual behavior in their systems in an effort to increase reporting and catch perpetrators.</p><h4>The London Approach</h4><p>TfL is responsible for the daily operations of London's transportation network and managing London's main roads. Its system includes the London Underground, London Buses, Docklands Light Railway, London Overground, TfL Rail, London Trams, London River Services, London Dial-a-Ride, Victoria Coach Station, Santander Cycles, and the Emirates Air Line.</p><p>The system serves more than 8.8 million people, according to its most recent annual report, with 31 million services provided. It has more than 12,000 CCTV cameras and 3,000 officers from the British Transport Police and Metropolitan Police Service that are dedicated to policing its network to keep customers safe. 
</p><p>Additionally, its frontline police officers and TfL on-street enforcement officers have received training and briefing on tackling unwanted sexual behavior on public transportation.</p><p>Senior Operational Policy Manager of Compliance, Policing, and On-Street Services Mandy McGregor says TfL knew that sexual offences were widely underreported in society in general and thought this might also be the case for public transportation in London.</p><p>In 2013, TfL conducted its first safety and security survey, which asked people if they had experienced unwanted sexual behavior in the past and if they reported it. Unwanted sexual behavior included staring, groping, rubbing, masturbating, ejaculating, flashing, and taking up-skirt photos with covert cameras.</p><p>"Unwanted sexual behavior is anything that makes you uncomfortable," McGregor says. "You don't have to prove that it was a criminal offense or intentional to report it, we can investigate that for you."</p><p>After the survey was conducted and analyzed, TfL found that one in 10 people had experienced unwanted sexual behavior, but of those victims 90 percent did not report it to authorities.</p><p>To better understand why people weren't reporting these incidents, TfL conducted further research into the survey and discovered four main barriers to reporting.</p><p>The first was normalization, McGregor says, explaining that "some of these behaviors have become so prevalent in society that they have become normalized and are often seen as a social nuisance rather than a more serious problem."</p><p>The second barrier was internalization, a coping mechanism that can be used both in the moment and after an incident occurs.</p><p>"The experience is unpleasant, but threat of escalation often means that people don't respond in the moment; they either ignore it or pretend not to hear it," she explains.</p><p>The other barriers were lack of awareness of the reporting process and a lack of credibility, McGregor 
says.</p><p>"Very few people believed that reporting an unwanted sexual behavior will result in justice, as they perceived there to be a low chance of the perpetrator being caught," she explains.</p><p>Using these insights, TfL crafted a campaign designed to overcome these barriers to reporting by showing that reports matter and will be investigated. The campaign, called "Report it to Stop it," was rolled out on posters, social media, videos, and case studies. It encourages people to report instances of unwanted sexual behavior on public transport through a variety of means, including calling a dedicated criminal reporting line, texting 61016, or speaking directly to a police officer or TfL staff.</p><p>Since its release in April 2015, the campaign films and case studies have been watched more than 35 million times on YouTube. McGregor says the campaign has also reached young people through educational sessions in schools and universities.</p><p>"In its first year in the market, the campaign had a 59 percent recognition rate amongst its target audience and 64 percent of people agree that they are likely to consider reporting," she adds. </p><p>Since the campaign was implemented, TfL has seen a "significant increase" in reports of unwanted sexual behavior in the system. For instance, roughly one year after the campaign was released, TfL saw a 36 percent increase in the number of reported instances.</p><p>"Between April and December 2015, 1,603 reports were made to the police, compared to 1,117 in the same period in 2014," TfL said in a press release. "These reports resulted in a 40 percent increase in arrests for offenses, including rubbing, groping, masturbation, leering, sexual comments, indecent acts, or the taking of photographs without consent."</p><p>"It's also helped trigger a national dialogue on sexual harassment—raising awareness that unwanted sexual behavior should never be accepted as part of the everyday lives of women and girls," McGregor says. 
</p><p>TfL continues to use the "Report it to Stop it" campaign, which McGregor says will continue to evolve until TfL feels that unwanted sexual behavior has been "stamped out" of the network.</p><p>"Every report the police receive helps to build a picture of the offender, so they can be caught and brought to justice," she explains. "Since we launched the 'Report it to Stop it' campaign, we've seen a large increase in the number of people feeling confident to report and, in turn, higher numbers of reports, arrests, and conviction rates."</p><h4>The D.C. Approach</h4><p>In 1976, an interstate compact created the Washington Metropolitan Area Transit Authority (Metro) to develop a regional transportation system that would serve the Washington, D.C., area. </p><p>Metro now has 91 stations across 117 miles of track, and 1,500 Metrobuses that serve a population of approximately 4 million people in a 1,500-square mile jurisdiction spread across Maryland, Virginia, and Washington, D.C.</p><p>Metro also has a sworn police force that investigates crimes, including sexual harassment, that occur on the transit system. Personnel are aided by a robust camera system. Transit police and frontline staff receive special training to handle reports of sexual harassment in the system. </p><p>"Frontline employees are the ones that interact most with the customers, and typically if an officer is not around, we encourage people to report an incident to a Metro employee," says Sherri Ly, spokesperson for Metro. "It's important that our frontline employees also have that training and understanding, when they are dealing with customers reporting incidents of harassment."</p><p>In 2015, Metro—like TfL before it—began to suspect that instances of sexual harassment were underreported on its system. 
To assess the situation, it partnered with Collective Action DC and Stop Street Harassment to conduct its first comprehensive transit safety survey.</p><p>Metro wanted to find out "how do reports of harassment on our system compare to other public transportation?" Ly says. "And what we found was that it's comparable to what we see nationwide."</p><p>Through the effort, Metro found that roughly 20 percent of surveyed people had experienced sexual harassment on public transportation—women were three times more likely than men to experience sexual harassment. Of those incidents, 77 percent of people never reported them.</p><p>Metro also found that 41 percent of survey participants were familiar with its antiharassment awareness campaign at the time. Those who were familiar with it were twice as likely to report an incident of harassment.</p><p>Taking these findings into account, Metro once again partnered with Collective Action DC and Stop Street Harassment to create a new sexual harassment awareness campaign for its system. The new campaign uses the slogans "You have a right to speak up" and "You deserve to be treated with respect."</p><p>The idea behind the campaign is that everyone who rides Metro deserves to be treated with respect, Ly says. "And we want people to know that anyone who feels that they've been the victim of harassment should report that incident."</p><p>The campaign also features a diverse group of individuals, designed to reflect Metro's diverse ridership—men, women, and members of the LGBTQ community, from various ethnic backgrounds.</p><p>"We wanted to be inclusive," Ly explains. "Harassment doesn't just impact one race, one gender. 
Everyone, regardless of what your background is, deserves to ride the system and be treated with respect."</p><p>In addition to creating a new awareness campaign, Metro also created the option for individuals to report sexual harassment incidents and remain anonymous.</p><p>"With harassment and sexual harassment, a lot of times people might be uncomfortable reporting those and having to give their name, so this is a way for someone who wants to remain anonymous to report through our portal, and we will still investigate those claims," Ly adds.</p><p>Individuals can now report incidents via Metro's Web portal, email, text, or in person at a Metro station to any frontline employee or police officer. </p><p>Following the rollout of the campaign in 2017, Ly says Metro has seen an increase in the number of sexual harassment incidents reported. There were 61 reported incidents to its sexual harassment portals in 2017, compared to just 37 the previous year, according to Metro's Semi-Annual Security Report. Of those incidents, 34 were harassment, 16 were criminal nonsexual incidents, and 11 criminal incidents—down from 16 in 2016.</p><p>"We think it's a good thing that we are seeing more and more people reporting, but at the same time you're seeing the number of incidents that rise to the level of criminal declining because we're also sending a message to those that might think about doing some like this that it's not okay," Ly says. "We're putting them on notice—that we take these things seriously, and that if a crime has occurred, we will investigate and hopefully find the person responsible."  </p>
https://sm.asisonline.org/Pages/Taking-Off.aspx
Taking Off
Security Technology
<p>The year 2016 marked a surge in excitement surrounding how unmanned aerial vehicles (UAVs), or drones, could be used commercially. Amazon had just made its first product delivery by drone. Countries began passing drone regulation measures in response to the availability of UAVs and in anticipation of continued industry growth. Research institutes predicted spending on drones to double by 2020; the security industry was expected to be one of the top adopters of drone technology.</p><p>But, despite the hype, security practitioners have been hesitant to adopt the technology and fully integrate it into their security programs.</p><p>"Interest level is off the charts," says Lew Pincus, senior vice president of system solutions at Hoverfly. "There's a lot of new technology, but also that doubt when it's new—security directors tend to be averse to new technology and taking on new risks that are unknown."</p><p>A combination of the seemingly endless possibilities of drone technology, the overwhelming task of acquiring a drone, gaining buy-in, creating operating procedures, and following federal regulations may be giving the security industry pause.</p><p>There's also a lingering perception that UAVs are intimidating, futuristic technology that's meant to take the place of security officers and more traditional security technology. Pincus encourages security managers to consider drones not as an automated instrument meant to replace personnel, but as another tool in their security toolbox, much like cameras or video analytics.</p><p>"I really see it in all sorts of applications, but not replacing security guards as much as augmenting them," Pincus explains. 
"You still need a response component."</p><p>And, just like any other piece of equipment in the workplace, training is imperative for a successful—and efficient—rollout of a new program, says Josh Olds, cofounder and vice president of operations at the Unmanned Safety Institute. This is especially true for drones flown in the United States, where the U.S. Federal Aviation Administration (FAA) has a longstanding set of regulations dictating how aircraft are flown.</p><p>"In this particular industry, it's not just a piece of equipment, it's being flown in the national airspace, which is regulated by the FAA and presents a whole new complexity to the operation," Olds says. "If for some reason an individual isn't properly trained and improperly uses the technology, you can be looking at serious injury, or privacy and ethics violations."</p><p>Olds has a background as a commercial pilot and uses that knowledge to train organizations on how to use drones and properly merge the technology into their operations. Like Pincus, he has seen some hesitation from the security industry to embrace drones.</p><p>"I think a lot of the hesitation comes from the reality that there is a new liability that is being taken on," Olds says. "There's a big facet of this industry that is worried about the risks that come with operating unmanned aircraft. When you're talking about the ability to fly an aircraft that weighs 55 pounds—that's a significant system. If that were to fall out of the sky, it poses a major hazard."</p><p>Despite such concerns, Olds and Pincus agree that the benefits outweigh the challenges of integrating drones into a security organization.</p><p>"The ability to see and get actionable intelligence in the air above where security is being done is very exciting and new to the industry," Pincus says. 
"And with respect to the active shooter threats at concerts and events—I think the Las Vegas shooting put the spotlight on how vulnerable outdoor events and spectator sports are. Having an eye in the sky has become important for public safety."</p><p>Olds says that the key to successfully integrating a drone into an existing safety ecosystem is establishing a strong foundation.</p><p>"If you build the right foundation from the start, a program becomes easily scalable," Olds says. "In the security sector, there are a lot of different aircraft that meet different needs. It's important to understand the business use case, what you're going to use the equipment for, and being able to scale from that."      </p><p>Pincus agrees, noting that planning for how to integrate a drone into a security program should begin before the vehicle is purchased.</p><p>"Setting up a program requires putting all the pieces together of purchasing the right kind of drone—do you need a free-flying drone or a tethered one?" Pincus says. "What is the overall goal, what are you trying to do with a drone? You need to do a review of your site security plan and figure out where UAVs fit into that plan by assessing the threatscape."</p><p>Pincus recommends using case management reports, crime statistics, and other data to determine what kind of drone is needed, whether it's a free-flying drone that can be used periodically along a perimeter to check for anomalies, or a static, persistent aerial view for long stretches of time. 
Whether or not the drone can be integrated into the existing security operations center should also be considered, he says.</p><p>Another aspect of building a strong program foundation involves in-depth training, which covers far more than just how to operate the equipment, Olds notes.</p><p>"We look at training from an aviation perspective—it's like ground school, you get them educated on airspace, weather, and different facets that affect the operations of the aircraft," Olds explains. "But then you have to train them on the ability to use their crew, the ability to make decisions while in flight—what are the emergency procedures? Education is key to implementation—and that's not even talking about the physical, hands-on training."</p><p>Once a security program has purchased the drone that best fits their needs and has undergone training, the next hurdle is becoming FAA compliant. The agency enacted regulations for drones that include obtaining certificates of authorization to operate the drone. An organization may need to obtain waivers from the FAA, including allowances to fly at night, beyond line of sight, or near airports.</p><p>Olds acknowledges that being FAA compliant may feel restricting to security managers who want to use them in those situations that require waivers.</p><p>"The true business use of this application of technology is beyond line of sight or other situations that require waivers, and all the FAA is trying to do is make sure that if a company is implementing this technology in a more complex way—which brings on more risks and hazards—that they are doing it in as safe a way as possible," Olds says.</p><p>Olds urges security directors to consider FAA's larger role in maintaining the national airspace, and the challenges that come with creating regulations for a rapidly growing industry with a wide array of applications and technology.</p><p>"What the FAA has done is take a stairstep approach to regulations in the industry," Olds explains. 
"The waiver process that is in place to ensure that when an organization says they're going to fly at night, or beyond line of sight, FAA is able to say, 'How are we going to ensure the safety of manned traffic that is already existing in that airspace?'"</p><p>Pincus says he believes federal UAV regulations will continue to evolve as more industries adopt the technology. Tools such as video analytics, facial recognition, and data collection that are currently used in integrated surveillance systems could be placed onboard the drone, allowing it to analyze situations—and sound the alarm—in real time.</p><p>"There's some of that type of software available, but it will become more important to tie it in to video management systems and security operations or alarm centers," Pincus explains. "That's where I see the industry going."</p>
https://sm.asisonline.org/Pages/On-Premise-vs-the-Cloud.aspx
On-Premise vs the Cloud
Cybersecurity
<p>Facilities across all industries face an increasing number of security threats, from theft and vandalism, to violent crime, to terrorism. Whether a healthcare provider, school, university, or Fortune 500 business, it's critical to constantly seek new and inventive ways to improve security.</p><p>In recent years, the cloud has transformed how physical security systems are controlled and managed. Storing security data off-site in centralized data centers delivers several advantages, including automatic data backup and redundancy, robust cybersecurity protections, and automatic software updates without significant up-front capital investment. For mission-critical security functions like access control, these advantages alone are extremely attractive on many levels.</p><p>However, while many end users are embracing cloud-based access control solutions, there is a large percentage who still want an on-premise access control solution. What is the difference between a cloud-based and on-premise access control solution? What are the benefits and challenges with each solution? And is there a benefit to implementing some combination of both?</p><p><strong>On-Site Access Control </strong></p><p>Traditionally, access control software platforms are implemented locally, employing on-site servers that are managed daily by internal security, IT personnel, or both. 
While this option does provide direct control over access control operations in terms of management and control, it does require the internal adoption of the platform as part of the user's responsibility for regular maintenance.</p><p>In many cases, a security integrator will provide scheduled maintenance and updates via on-site visits or remote access to your server, which involves additional costs but is often well worth the investment. There's no doubt that this traditional on-site access control model is proven to be a highly effective physical security solution and will continue to fulfill a core security objective for users around the world. However, it involves capital investment for software and hardware, as well as third party costs for ad-hoc or contracted services, which can put high performance on-site access control solutions out of reach for many organizations that need it. </p><p><strong>Cloud-Based Access Control</strong></p><p>Deploying access control via the cloud represents an increasingly important alternative to traditional on-premise access control solutions based on its overall cost and performance benefits. It is also flexible in terms of deployment options.</p><p>Option one is an on-site, user-managed, cloud-based system. The customer purchases or leases the equipment from an authorized reseller or integrator who installs the system and provides training. This option also typically includes a service and maintenance contract with the installing reseller or integrator as part of the hardware sale or lease. The end-user's security team is responsible for all programming activity on a dedicated PC (or multiple PCs), including entering, deleting, or modifying names; scheduling; generating reports; and running backup and software updates. 
The list of functions can also include ID badging as part of the cloud software offering.</p><p>Option two is a remote cloud-based, user-managed integrated system where the equipment is purchased or leased from a reseller or integrator who installs the hardware and provides training. The access control software is in the cloud, and is managed, along with the supporting infrastructure, by the installing reseller or integrator. All backup, software upgrades, system monitoring, programming, scheduled door locking and unlocking, report generation, and other vital access control actions are performed remotely by the reseller or integrator around the clock. In this scenario, the user typically only manages the simple day-to-day functions of entering, deleting, or modifying names, and sometimes badging, through a Web portal that can be accessed remotely. </p><p>In option three, the user still purchases or leases the necessary hardware from a reseller or integrator who also installs the system and provides training. The software resides in the cloud and is completely administered and managed directly from the access control solution provider or manufacturer who maintains the system remotely. </p><p>Both user-managed options above may work well if the user has limited or no IT personnel, as often is the case with franchise locations, smaller retail stores, K-12 schools, or property management sites. With these user-managed options, each location can handle the day-to-day functions, but reports, applying patches and updates, backup, and other group functions are all handled in the cloud by the host. These cloud-based solutions can also be accessed at any time and from any device by the user's security team. </p><p>One of the distinct advantages of cloud-based access control is that it requires limited, if any, initial capital investment. 
When implemented using leased hardware and software, all system costs are amortized over the duration of the contract, which eliminates many of the budgeting obstacles faced by both large and small organizations. Additionally, the low cost of entry allows companies with limited physical security budgets and resources to deploy highly sophisticated access control solutions that would otherwise not be affordable. </p><p><strong>A Hybrid System</strong></p><p>There are many security end users who are embracing a mixture of several solutions, deploying a hybrid access control solution that combines on-premise and cloud-based access control solutions. These solutions can be either remote or user managed and allow the integration of new or legacy hardware. There are several operational and cost benefits with this scenario because a hybrid solution offers the ability to keep costs low while transitioning from legacy systems to new access control solutions. A hybrid access control solution also provides opportunities for integrations with related systems such as alarm monitoring, intrusion detection, elevator control, badging, video verification, time and attendance, and more. </p><p>So which access control option is best for you? There is no one answer. The versatility of these new access control choices means you select what you need based on your terms. </p><p><em>Lukas Le is director of cloud services for Galaxy Control Systems.</em>​</p>
https://sm.asisonline.org/Pages/Multiple-Fatalities-In-Texas-School-Shooting.aspx
Multiple Fatalities in Texas School Shooting
Physical Security
<h4>What we know</h4><ul><li><p>A shooter opened fire at Santa Fe High School in Santa Fe, Texas, at approximately 7:45 a.m. Friday morning.</p></li><li><p>Ten people were killed and 10 were injured in the shooting.</p></li><li><p>Police have a suspect in custody. He has been identified as Dimitrios Pagourtzis, 17.</p></li><li><p>The shooter was armed with a shotgun and a .38 revolver.</p></li><li><p>Explosive devices were found in the high school and the surrounding community. Local authorities are urging community members to report "suspicious packages" by calling 911.</p></li></ul><h4>Death toll rises to 10, Texas Governor Abbott Confirms</h4><p><strong>UPDATE 3:25 p.m. ET, May 18, 2018</strong></p><p>Ten people were killed and ten more injured in the Santa Fe High School shooting on Friday, Texas Governor Greg Abbott confirmed in a press conference this afternoon.</p><p>"We grieve for the victims who lost their lives at Santa Fe High School and we pray for the families that are suffering and the families that will continue to suffer in the days to come," Abbott said. </p><p>He also confirmed more information about the suspected shooter, Dimitrios Pagourtzis, including that authorities have discovered evidence on his computer, phone, and in a notebook that he intended to carry out a shooting and commit suicide. 
Before he was able to commit suicide, however, Pagourtzis allegedly turned himself over to the authorities and was taken into custody.</p><p>To carry out the shooting, the gunman was armed with a shotgun and a .38 revolver. Abbott said the shooter took these firearms from his father, who had obtained them legally. There was no evidence at the time of the press conference that the father knew his son had taken the weapons.</p><p>Abbott also said that authorities were interviewing two people of interest, but declined to release any additional identifying information about them. </p><p>While those interviews are ongoing, authorities are continuing to sweep Santa Fe High School for explosive devices and are searching two residences and a vehicle associated with the gunman. Law enforcement is proceeding with caution, Abbott said, due to the risk of discovering additional explosive devices that could pose harm to investigators.</p><p>In addition to conducting a full investigation into the shooting--with the goal of prosecuting the gunman--Abbott said he will be working with the Texas legislature and other state officials to set up roundtable discussions. They will discuss "swift solutions to prevent tragedies like this from ever happening again," he explained. </p><p>Future actions could include taking legal action to keep guns out of the hands of those that pose an immediate danger, enhancing background checks, increasing resources for school security, and funding initiatives to address mental illness and gun violence. </p><p>Abbott said his goal is to work together to create laws that "protect Second Amendment rights but ensure that our communities, and our schools, are safer."</p><h4>Suspect in custody identified </h4><p><strong>UPDATE 2:55 p.m. 
ET, May 18, 2018</strong></p><p>An official briefed on the investigation <a href="https://www.usatoday.com/story/news/nation-now/2018/05/18/active-shooter-santa-fe-high-school-texas-galveston-county/622507002/" target="_blank">told USA TODAY</a> that the suspect in custody for the Santa Fe High School shooting is 17-year-old Dimitrios Pagourtzis. </p><p>"The suspect was armed with at least one rifle or shotgun, but the first official cautioned that there could be other weapons related to the incident, though not yet recovered," according to USA TODAY.</p><p>Authorities have detained another individual as they continue to investigate the shooting. However, more information about who that individual is has not been confirmed. </p><h4>Explosive devices found near high school, surrounding area</h4><p><strong>UPDATE 1:00 p.m. ET, May 18, 2018</strong></p><p>The Santa Fe Independent School District announced that explosive devices were found in Santa Fe High School and the surrounding area.</p><p>"Because of the threat of explosive items, community members should be on the look-out for suspicious packages and anything that looks out of place," the district said via a statement to Twitter.</p><p>The district is urging anyone who sees something suspicious to call 911 and wait for authorities to respond. </p><p>Multiple authorities, including the FBI, ATF, Texas Department of Public Safety, and local law enforcement are on the ground responding to the situation.</p><h4>Trump gives a statement on shooting</h4><p><strong>UPDATE 12:20 p.m. ET, May 18, 2018</strong></p><p>In an appearance at the White House this morning, U.S. 
President Donald Trump said he is monitoring the situation in Santa Fe, Texas, and reiterated that school safety is a top priority.</p><p>"My administration is determined to do everything in our power to protect our students, secure our schools, and keep weapons out of the hands of those who pose a threat to themselves and to others," Trump said. "Everyone must work together at every level of government to keep our children safe."</p><h4>Multiple fatalities in Texas school shooting</h4><p><strong>UPDATE 11:30 a.m. ET, May 18, 2018</strong></p><p>A shooter at a Texas high school killed at least eight people and injured multiple others on Friday morning. Authorities have a suspect in custody, and said it is no longer an active shooter situation.</p><p> Police responded to shots fired at Santa Fe High School in Santa Fe, Texas, after a gunman opened fire around 7:45 a.m. when the school day was beginning. </p><p> “Witnesses described students running from the school as they heard gunshots; they also described hearing an alarm at the school, though the sequence of events wasn’t immediately clear,” <a href="https://www.cnn.com/2018/05/18/us/texas-school-shooting/index.html">according to CNN.</a></p><p> Authorities have not released the identity of the suspect in custody or of any of the victims. However, <em>The New York Times</em> reports that an officer working for the Santa Fe school district as a school resource officer was <a href="https://www.nytimes.com/2018/05/18/us/school-shooting-santa-fe-texas.html?action=Click&contentCollection=BreakingNews&contentID=66998236&pgtype=Homepage" target="_blank">injured during the shooting. 
</a></p><p> The shooting is the third school shooting in the past week, and the 22nd mass shooting in the United States since the beginning of 2018, CNN said.</p><p> Both the U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives, and the Harris County Sheriff’s Office are on the scene to investigate the incident. Security Management will continue to update this post as more information is confirmed.</p><p> In response to the incident, ASIS International has made soft target and active shooter <a href="https://www.asisonline.org/publications--resources/security-topics/active-shooter/" target="_blank">resources available for security professionals.</a> They include white papers, webinars, book excerpts, and recorded conference sessions designed to help deter, prevent, and minimize future attacks.</p><p><br> </p>
https://sm.asisonline.org/Pages/Bully-Bosses-Can-Inflict-More-Damage-with-Negative-References.aspx
Bully Bosses Can Inflict More Damage with Negative References
Strategic Security
<p>Employees trying to escape a bullying boss, and even those who have managed to land a new position, may be surprised to learn that their workplace nemesis is causing further damage by providing negative job references.</p><p>HR departments similarly may not realize that supervisors are disregarding company policies against giving references that go beyond confirming job titles and employment dates.</p><p>With prospective employers often bypassing human resources and calling supervisors for references, bully bosses can and do impair employees' future job prospects, experts say.</p><p>"In the good old days, the references were HR, and in many cases, in many companies, HR still is the traditional venue. But we've seen a marked shift of interest in calling the former supervisors," said Jeff Shane, president of reference-checking firm Allison & Taylor. "Hiring managers have long since figured out that supervisors tend to be far more talkative."</p><p>Job seekers often wrongly believe that their current or former employers will say nothing negative and do no more than confirm employment, Shane said.</p><p>Many supervisors, however, never receive company training on how to respond to employee reference checks, while many others forget or ignore the policy, he added. 
His Rochester, Mich.-based firm checks references on behalf of job seekers, compiles reports on responses from former employers, and, if necessary, sends cease-and-desist letters to companies violating policies or even laws by supplying negative references that cross the line into misrepresentations or lies and that could be construed as defamation.</p><p>"We call a great many supervisors as references for individuals. The vast majority of the time, the supervisor has something to say" beyond titles and employment dates; their reviews, even if sincere, often are less than optimal. "In many instances, they know exactly what they're doing" and that the employee is unlikely to ever find out if the negative review caused a missed opportunity, Shane said.</p><p>Nearly half of all reference checks that Allison & Taylor conducts contain some degree of negativity, he said. Even a supervisor who gives an employee a positive letter of recommendation will sometimes go "180 degrees in another direction" when called for a reference, he said.</p><p>Smart firms wanting to avoid litigation coach bosses to give only employment dates, said Gary Namie, Ph.D., co-founder of the Workplace Bullying Institute, which refers bullying targets to Allison & Taylor to learn about feedback from a current or former employer. Often the news confirms a candidate's fear, and "a great many of our clients are totally shocked and devastated" by what is found.</p><p>Job seekers may try to avoid a supervisor's risky review by asking co-workers or others to vouch for them, but people checking references typically believe, incorrectly, that a boss is the most trustworthy source of information on an applicant, Namie said.</p><p>"The person who was bullied doesn't stand a chance if the bully boss is loose-lipped," he added. "These supervisors who are bullies because of their own narcissism are eager to talk and tear this person down." 
Workplace bullies have reason to lie about their own actions, he added.</p><p>Some vindictive bullies even go so far as to track a bully target who leaves the company and to spread negative comments about the worker to new supervisors, according to Namie and Shane.</p><p>"They can continue to make that person's life very difficult," Shane said.</p><p>Namie's institute considers workplace bullying—repeated mistreatment and abusive conduct—a national epidemic, with 60.4 million Americans affected. Namie says employers are failing to take responsibility for preventing and eliminating it.</p><p>Bosses account for more than 60 percent of workplace bullies, the organization's 2017 survey found.</p><p>Even a supervisor who doesn't provide an overtly negative review can use meaningful pauses and tone to convey a damaging opinion. "Many times, the tone of voice of the reference will speak volumes about their level of enthusiasm or lack thereof for the person we are calling on behalf of," Shane said.</p><p>Online reference-check provider SkillSurvey aims to eliminate both the "tone" problem and situations where references go off the record to unfairly harm a job seeker's chances through its software-based rating system.</p><p>Job applicants must enter more than two references, who then rate applicants in several areas, with all responses kept in confidence and provided to the hiring organization in a report that averages all of the references' ratings. Five is the norm, often with a mix of supervisors and colleagues, according to SkillSurvey CEO Ray Bixler. The references are all provided online—with names removed, ratings averaged and no calls made.</p><p>If four of five references give glowing reviews while a fifth gives lower ratings, the prospective employer might call the applicant in and ask about it, Bixler said. 
"At least at the very minimum, the client is able to start making decisions of whether it was a rogue reference."</p><p>Many applicants enter more than five references, which can further reduce the damage a bullying boss might inflict, Bixler said. </p><p><em>Dinah Wisenberg Brin is a freelance writer based in Philadelphia covering workplace issues, entrepreneurs, health care, personal finance and logistics.<br><em>© 2018, SHRM. This article is reprinted from <a href="https://shrm.org/" target="_blank">https://shrm.org​</a> with permission from SHRM. All rights reserved. ​​ ​​ ​</em><br></em></p>
https://sm.asisonline.org/Pages/The-Science-of-Organizing-Security.aspx
The Science of Organizing Security
Strategic Security
<p>Open any publication, blog, newscast, or other media today and expect to be inundated with developments in technology. Artificial intelligence, machine learning, and computing power are propelling a tsunami of changes to the work environment and to society. Marketing wizards will use euphemisms like big data, IoT and other witticisms to describe complex technologies in simple terms. Yet we know that technology advances will drive unique evolutions, most assuredly in the security of things.</p><p>Guarding, fraud detection, cyber security, facial recognition, and many other areas will see significant advancements in the short-term. However, one critical success factor to advancing asset protection in large corporations is what I call the "technology" of organizing to secure a company's people, critical information and business strategy. </p><p><strong>Cognitive Convergence™</strong><br>Take, for example, the cyber war that rages across the Internet every day—stealthy, ubiquitous, and deadly silent in attempts to steal governmental secrets and relentlessly target American corporations. The many publicized losses are staggering.</p><p>Companies talk about converging cyber and physical security, but I believe Cognitive Convergence™ is even more important. Fighting the cyber war necessitates that companies know how to organize to properly defend themselves from current and emerging risks. 
Instead, many companies' enterprise security roles and responsibilities are diffused among various departments, where IT may be focused on technology costs, while HR is looking after background checks or exit interviews. Security is handling investigations, and legal, audit, and environmental health and safety are accountable for other aspects of security.</p><p>Sometimes chief information officers are not equipped to fully understand cyber risks and are ill prepared to work with law enforcement agencies without a gaggle of lawyers to direct almost every step. Often, the lawyers require a quick remedial training course on cybersecurity themselves and fear (with some justification) that turning over information to the U.S. government during an attack may come back and bite them.<br><br>In one company, for example, an internal audit fraud investigation was underway targeting an individual who was actually an insider planted in the corporation to develop intelligence on the best way to attack that company's network. This same person was simultaneously being investigated by the security organization, which suspected he was stealing proprietary information. Neither department knew of the other's activity until the employee was fired. </p><p>Cognitive Convergence™ ends these obstacles to cybersecurity. It means bringing together the intellectual horsepower of numerous departments and business units and assimilating the right intelligence for risk-aware decision making and unified security across the enterprise. 
Having a comprehensive written strategy that details who has accountability for various aspects of protecting enterprise assets and how these professionals are going to collaborate for end-to-end, proactive risk management is fundamental to building this culture.</p><p><strong>Partnerships and Best Practices</strong><br>Another imperative is having the United States government partner effectively with the private-sector, which owns and operates 85 percent of the critical infrastructure and resources of the United States according to the Federal Government in its Information Sharing Environment. When a crisis happens, it's simply too complex, cumbersome, and time-consuming for companies to reach out to the FBI, U.S. Department of Defense, U.S. Department of Homeland Security, or other agencies, without having a preestablished contact person. Instead, companies need a safe harbor, single point of contact for liaison with the U.S. government regarding cyber intrusion matters.<br><br>Law enforcement and intelligence agencies also try to improve the country's cybersecurity position, but they too must work through huge bureaucracies and often don't understand how to bridge their knowledge with the corporate world. They are cautious, as they should be, about sharing classified information—even when security or legal staff need it for business-savvy consultation to senior management.<br><br>At the same time, the security industry should consider adding more business risk managers to corporate roles to balance the experience of second career professionals from law enforcement agencies who may be trained to chase the crime rather than remediate the business risk. Security associations can create a coalition that provides American companies with nontechnical advice that board members and business leaders can rely on to act quickly and decisively. Software providers, too, can partner with companies to improve IT hygiene that detects vulnerabilities faster and more reliably. 
More and more, bringing together security and technology professionals with governmental entities, law enforcement, and business leaders will become essential to building platforms and cybersecurity regulations based on best practices and collegial understandings that are truly effective in fighting this war.</p><p><strong>Pay It Forward</strong><br>At the same time, each of us has a responsibility to help prepare the next generation. Let's bring people together in trade or industrial associations, educational institutions, and other ways to promote soft skills such as communications and teamwork. Kudos to ASIS International for launching a publication specific to educating security leaders about the risks and rewards of cybersecurity and other technologies. I equally welcome a companion theme for security professionals to become business-savvy collaborators and mentors, serving as catalysts within their own organizations and among future generations. </p><p>It's like building an airplane in flight, and winning the cyber war in the United States will demand: </p><ul><li><p>A clear directive to U.S. public-private boards of directors and government agencies that mandates respective roles and responsibilities and assures one safe harbor for American companies who seek support when breaches occur. <br></p></li><li><p>American corporations that influence Washington and impose corporate mandates to ensure the fight is taken up responsibly. <br></p></li><li><p>Corporate leaders who organize around different departmental priorities, leadership styles and cultures to combat and mitigate cyber risks that have the capacity to undo them all. <br></p></li></ul><p>To win this war, each of us must master the technology of organizing vertically, horizontally, and sometimes sideways in landing this plane safely. <br></p><p><em>Tim Williams, CPP, MBA is vice chairman, Pinkerton, a global provider of corporate risk management services and solutions. 
He has served in Fortune 50 corporations for more than 36 years as chief security officer or in consulting roles, managing enterprise security risk. He is a past president of ASIS International and founding member of the </em><a href="https://gsrma.net/" target="_blank"><span style="text-decoration:underline;"><em>Global Security Risk Management Alliance</em></span></a><em>.​</em><br></p>
https://sm.asisonline.org/Pages/Assessing-the-Safety-of-Chemical-Facilities.aspx
An Explosive Act: Assessing the Safety of Chemical Facilities (National Security)
<p>Just before Hurricane Harvey made landfall on Friday, August 25, 2017, chemical manufacturer Arkema made the decision to shut down its plant in Crosby, Texas, to brace for the storm. The plant soon lost power and received almost 40 inches of rain by Monday afternoon, causing heavy flooding that inundated its backup generators. A small crew of 11 people remained on site to monitor the storm damage and the safety of the organic peroxides that were stored at the plant.</p><p>These chemicals needed to be stored at a low temperature. But after the plant's backup generators were flooded, refrigeration failed. So, the crew transferred the chemicals from their current storage in warehouses into diesel-powered refrigerated containers and continued to monitor the situation—which worsened as the rain continued to pour down.</p><p>With the water continuing to rise, Arkema was forced to make another difficult decision: evacuate the plant and the 1.5-mile radius around it.</p><p>"Arkema is limited in what it can do to address the site conditions until the storm abates," the company said in a press release. "We are monitoring the temperature of each refrigeration container remotely. At this time, while we do not believe there is any imminent danger, the potential for a chemical reaction leading to a fire and/or explosion within the site confines is real."</p><p>To reduce the threat of an explosion injuring others, Arkema worked with the U.S. Department of Homeland Security (DHS) and the State of Texas to continue to monitor the situation. They soon realized that while the chemicals were not fully igniting as they began to warm up, they were beginning to degrade. 
To address the threat, Arkema decided to ignite the containers the chemicals were housed in to eliminate the threat of an uncontrolled blast.</p><p>"This decision was made by Arkema Inc. in full coordination with unified command," the company said. "These measures do not pose any additional risk to the community, and both Arkema and members of the unified command believe this is the safest approach."</p><p>While the situation in Crosby was not ideal, it showed how facilities that manufacture, store, and transport chemicals in the United States are embracing a new mindset towards security and planning how to handle the worst-case scenario when it happens—whether it is a power outage or a terror attack.</p><p>One effort that's helping to spearhead this mindset is DHS's Chemical Facility Anti-Terrorism Standards (CFATS) program, which has sought to address and mitigate the threat of chemicals since its inception in 2007. </p><p>"In 2007, chemical security was fairly new and people weren't really sure what it meant," says CFATS Acting Director Amy Graydon. "We've since been able to foster this environment of chemical security."</p><p>But that environment could be in danger if Congress does not reauthorize the CFATS program, which is set to expire in January 2019. </p><p>"We think that reauthorization is the key to reducing the threat of terrorists using chemicals," Graydon explains. "We think that the program has really reduced the risks and is an important element of making the country more secure."</p><h4>CFATS Basics</h4><p>In the 2007 DHS Appropriations Act, Congress required the agency to create regulations that established risk-based performance standards for chemical facilities that present high levels of risk. 
DHS was also mandated to subject these facilities to vulnerability assessments and require them to develop and implement site security plans.</p><p>To do this, DHS worked with industry to create the CFATS program—which is part of its Infrastructure Security Compliance Division (ISCD). The program identifies and regulates facilities that possess chemicals of interest at specific concentrations and quantities.</p><p>These concentrations and quantities are listed in what's referred to as Appendix A of the CFATS regulation. More than 300 chemicals are included, along with their screening threshold quantities. The chemicals are also categorized into three groups depending on the potential security threat of the substances: release, theft or diversion, and sabotage.</p><p>Facilities that meet or exceed the screening threshold quantities for chemicals of interest listed in Appendix A are required to report their possessions to DHS via a questionnaire called a Top-Screen.</p><p>ISCD then reviews that Top-Screen and notifies facilities if they are considered high risk and ranks them into Tier 1, 2, 3, or 4—with Tier 1 the highest. As of February 2018, ISCD had received Top-Screens from more than 40,000 facilities and determined that roughly 3,500 of those are high risk and must comply with CFATS.</p><p>Facilities that are tiered then must submit a Security Vulnerability Assessment and a Site Security Plan, or an Alternative Security Plan, that meets risk-based performance standards detailed in the CFATS regulation. These standards address factors such as perimeter security, access control, personnel security, and cybersecurity. The stringency of the requirements varies based on what tier a facility falls into, and facilities can create their own security plans—rather than having CFATS create a prescriptive security plan for them.</p><p>Once the plans have been submitted, ISCD inspectors perform a facilities inspection before approving the plans for implementation. 
</p><p>This process has proved beneficial to facility operators, says Jennifer Gibson, vice president of regulatory affairs for the National Association of Chemical Distributors.</p><p>"Those visits, while cumbersome, allowed for a lot of back and forth, getting clarity on what the agency was looking for," Gibson explains. "Usually it turned out that a facility would make changes to its plan, based on that inspection."</p><p>After inspectors approve the plans, facilities are expected to implement them. If they do not, they can be ordered to cease operations or issued a civil fine, with a maximum penalty of $33,333 per day per violation, as of February 2018.</p><p>Facilities are also required to resubmit their Top-Screen if they have a change in holdings, such as using new chemicals of interest for business processes.</p><p>"It could be that they may need some other security measures because we look at the type of chemical and its risks," Graydon says. "So, for theft and diversion, we're worried that a terrorist could be intentionally trying to either steal or divert the chemical for misuse; whereas for release, it's that the terrorist would be coming to the facility to cause a release."</p><p>During its first five years, CFATS did not approve a single facility site security plan. But since then, it has made major strides and completely eliminated its backlog to move into the compliance phase of the program. Now, approximately 140 inspectors are visiting sites based on risk—there is no mandated requirement for how often inspections occur.</p><p>"We have the compliance inspection index, and it takes into consideration a facility's tier, the number of planned measures that a facility has, and the amount of time since the last inspection," Graydon says. "So, we can get to folks in an appropriate manner." </p><h4>CFATS Changes</h4><p>After CFATS was up and running, some members of Congress and the chemical sector expressed concerns about the program. 
Primarily, concerns centered around the "administrative burden associated with the development of facility security plans and the pace of DHS efforts to process and approve them," according to a U.S. Government Accountability Office (GAO) report. </p><p>Congress addressed these concerns by passing the Protecting and Securing Chemical Facilities from Terrorist Attacks Act in 2014. It reauthorized the CFATS program and created an Expedited Approval Program (EAP), a voluntary option for Tier 3 and 4 facilities regulated under CFATS.</p><p>The EAP allows DHS to identify specific security measures that meet the risk-based performance standards of CFATS that facilities must implement to be compliant. </p><p>For example, release facilities would have to certify that their emergency equipment included at least one of the following: a redundant radio system that's interoperable with law enforcement and first responders, at least one backup communications system, an emergency notification system, an automated control system or process safeguards to place critical assets in a "safe and stable condition," or emergency safe-shutdown procedures.</p><p>"The EAP is expected to reduce the time and burden on smaller chemical companies, which may lack the compliance infrastructure and resources of large chemical facilities," GAO said. </p><p>CFATS implemented the EAP in June 2015. But as of April 2017, GAO found that only two organizations of 2,496 eligible facilities had used the EAP. </p><p>"Officials representing the two EAP chemical facilities told us that their companies involve small operations that store a single chemical of interest on site and do not have staff with extensive experience or expertise in chemical security," GAO reported. 
</p><p>Representatives from the two facilities also said they used the EAP because it helped them reduce the time and cost to prepare and submit their site security plans.</p><p>"For example, the contractor who prepared the site security plan for one of the two EAP facilities said that the facility probably saved $2,500 to $3,500 in consulting fees by using the EAP instead of a standard security plan."</p><p>Ultimately, only one of these organizations followed through with the EAP process because the other was later re-tiered and no longer considered a high-risk facility subject to CFATS.</p><p>Since the GAO report was issued, 16 facilities have used the EAP and Graydon says she is optimistic that more facilities will use the program moving forward.</p><p>"We think that only two facilities might have taken advantage of the EAP program because of where all facilities were in the process already by the time it rolled out," she adds. "Most facilities had already completed their site security plans or their alternative security programs."</p><p>Graydon's sentiments echo GAO's analysis, which found that the timing of EAP's implementation, its prescriptive nature, the lack of an authorization inspection, and a certification form requirement may have initially hindered participation in the program.</p><p>"DHS conducts in-person authorization inspections to confirm that security plans address risks under the standard process, but does not conduct them under the expedited program," GAO said. "DHS officials noted that some facilities may prefer having this inspection because it provides them useful information."</p><p>Since the EAP's rollout, CFATS has made other changes to the program that might also affect participation. 
For instance, DHS updated the online tool that facilities use to send data to ISCD for their Top-Screen to make it a much more streamlined process.</p><p>"We really took the opportunity to streamline and bring it up into the 21st century so we were using smart tools with logic," Graydon says. "We were able to reduce some duplicative questions, reducing the time it would take people by 50 percent—down to six hours."</p><p>This streamlining effort cascaded throughout CFATS data collection processes, dropping the time it took to complete a security vulnerability assessment from 65 hours to 2.5 hours, and site security plans from 225 hours to 20 hours.</p><p>"We were able to do that because the reauthorization had given us the stability to move forward," Graydon says. "The reauthorization gave not only industry the stability it needed to make capital investments…it gave us the opportunity to make some internal changes as well."</p><p>CFATS also launched a re-tiering effort looking at 27,000 facilities' initial Top-Screens from 2007 and 2008, and asking them to resubmit. It then re-tiered some facilities by incorporating threat and vulnerability into the overall tiering methodology, which is not public.</p><p>"We refined what we were looking at, particularly for facilities for theft and diversion," Graydon says. "We were able to incorporate some inherent vulnerability in that." For instance, Graydon gave the example of looking at the portability of chemicals and taking that into account when determining the risk level for a facility.</p><p>"It would be easier to steal a vial than a big tank; we were able to model the actual amount of the chemicals…," and include them in the tiering methodology, Graydon adds.</p><p>In a recent hearing before the U.S. 
House Homeland Security Subcommittee on Cybersecurity & Infrastructure Protection, Chet Thompson—president of the American Fuel and Petrochemical Manufacturers—said the re-tiering effort was an improvement on the old system.</p><p>"Folks believe risks are being better assessed, and a number of our facilities have been re-tiered," he explained. </p><p>However, Kirsten Meskill, director of corporate security for BASF Corporation, testifying on behalf of the American Chemistry Council (ACC), said that while ACC has seen a reduction in higher-risk facilities under the re-tiering, there's still a lack of transparency in the process.</p><p>"We don't know how these risk tierings were applied to the general sites," she said, adding that—from her perspective—there was no way to know whether the new method is addressing "real risks out there."</p><p>To address this, panelists at the hearing suggested that the GAO be brought in to review the new CFATS tiering methodology and issue a report on its effectiveness.​</p><h4>Future of CFATS</h4><p>Despite some complaints about lack of transparency, all the panelists at the subcommittee hearing were in favor of reauthorizing the CFATS program. </p><p>"Any lapse in the program would be a serious concern to us," said Pete Mutschler, environment, health, and safety director for CHS Inc., adding that it would be "highly disruptive to both the industry and the regulated community" if CFATS were allowed to lapse and then be reinstated.</p><p>Mutschler said he was in favor of a multiyear reauthorization for CFATS to provide certainty to the regulated community so it can make "long-term investments" in security to comply with the program.</p><p>Doug Leigh, who serves as manager of legislative affairs for the National Association of Chemical Distributors, says that his members are also in favor of a lengthy reauthorization for the CFATS program. </p><p>"The last thing we want to see is a three-month reauthorization," Leigh says. 
"It would be going backwards instead of going forwards."</p><p>Graydon says she is optimistic about CFATS being reauthorized by Congress, due to its track record over the past several years in improving processes and reducing risk.</p><p>"We feel that we have demonstrated that we are a smart regulatory program—that we look for efficiencies," Graydon explains. "We are able to incorporate lessons learned, and we would like permanent or long-term reauthorization to make sure we have continued stability for industry and the program to continue to make efficiencies."</p><p>As of <em>Security Management'</em>s press time, no member of Congress had introduced a bill to reauthorize the CFATS program. </p>
https://sm.asisonline.org/Pages/How-to-Lead-a-Diverse-Security-Workforce.aspx
How to Lead a Diverse Security Workforce (Strategic Security)
<p>We live in a time of increasing conflict and tension. The clash of civilizations, a frequent topic in college classrooms, seems to be playing out in vivid high definition on news channels across the globe. In nations around the world, citizens are verbally squaring off against friends and neighbors over political, racial, and social differences.</p><p>Security and public safety organizations are tasked with keeping the peace in our tumultuous societies. And these organizations are becoming as diverse as the communities they represent. As a result, many of these organizations' leaders—such as security managers—find themselves in the challenging situation of motivating and leading teams comprising individuals from an array of different racial, cultural, and ideological backgrounds. </p><p>This type of leadership is difficult. It often takes place in an environment unsettled by nearly constant and instantaneous communication. And in many workplaces, tension and the potential for conflict are increasing, for several reasons. </p><p>For one, the country's changing demographics and economic challenges mean that there are four generations of workers sharing offices today. This leads to a diverse pool of employees with widely varying generational morals, behaviors, and values. </p><p>In addition, nearly half of all Millennials come from ethnic minority groups. Given their diverse cultural backgrounds, these younger individuals may have differing views on sensitive workplace issues compared to their older and more traditional Baby Boomer colleagues, or even members of Generation X. </p><p>To some extent, each member of the team will view these issues through their own cultural identity. 
And so, issues involving whether or not they support or oppose recent shifts in societal norms can spur differences in opinion, which may create tension. Even worse, the manager may inadvertently trigger a conflict by taking a side. After all, managers too belong to a specific culture, ethnicity, or generational identity.  </p><p>With that in mind, what follows are some suggested best practices to help security managers lead a diverse workforce in today's chaotic environment. Of course, when sensitive issues arise in the workplace, there are no magic solutions or actions that guarantee successful resolution. However, keeping these principles in mind will help managers maintain self-awareness, fairness, and diplomacy. They will also help managers to be mindful of common human biases that can creep into actions and how to steer clear of them through honest self-examination.    ​</p><h4>Respect Differences</h4><p>I've known my best friend since we were freshmen in college, and we agree on most issues. Furthermore, when we do disagree, we've never fought over it. That has held true in the almost two decades we have known each other.</p><p>However, soon after last year's controversial rally in Charlottesville ended in the death of a civilian and two police officers, we found ourselves in a debate over the preservation of Civil War monuments and the broader national crisis between law enforcement and communities of color. </p><p>Prior to that debate, the racially related differences between us had ranged from invisible to comical. But as the discussion heated up, I found that even two close friends who stood as best men at each other's weddings could still stumble into a perilous debate over their own cultural identities. I found that a Russian-Jewish immigrant and an African-American Jew could have widely divergent perspectives on the same events, despite significant similarities in our affinities, beliefs, and value systems.   
</p><p>My experience is applicable to workplace relationships. The viewpoint of your employees is as real to them as yours is to you; ignoring or demeaning their perspective can lead to deteriorating relationships. My best friend and I pushed through our disagreement in a few days, due to the history of trust and mutual respect that we had built together. Imagine the damage that could be done between people who barely know each other, or between managers and new team members who are complete strangers.</p><p>Thus, security leaders should be careful in these situations. When potentially sensitive cultural or political matters arise, managers should be mindful not to express opinions in a way that implies that those with differing opinions are stupid or lazy. Conversely, managers who find ways to express that they respect differing views, and find them legitimate, are often rewarded with stronger and more respectful relationships with staff.  </p><p>We can learn a lot about how to respect differing viewpoints from good security educators. Students will often interject personal feelings into discussions, especially on use-of-force topics, and these feelings may vary from student to student, which presents a challenging situation for the instructor. A good security educator might respond by accepting the feeling of the student, and then providing additional information about an alternate explanation.</p><p>Thus, the teacher may respond as follows. "Sure, I can see how it may seem that the officer's actions were inappropriate in this incident. However, if you consider legal precedence for cases like this, the officer's actions, while perhaps not ideal, were nonetheless legal."  ​</p><h4>Focus on Actions</h4><p>We must accept that the world is changing, and that our workplace employs a variety of people from a multitude of backgrounds. 
We will encounter people in the workplace who are different from us—different formative experiences, different cultural mores, different outlooks and perspectives on what is happening around them. </p><p>Being different is neither good nor bad, it just is. Managers should not prejudge their employees based on how they look or dress, where they came from, or what they seem to value in life. All that is important is their performance in the workplace and whether they are a productive member of the team.</p><p>Don't think of someone as a bad employee or a good employee. Focus on their actions and whether the actions are productive or disruptive to the organization. Keep evaluating these actions fairly, and do not allow yourself to fall back on lazy stereotyping.   </p><p>Here is an illustrative example. In my work as a security manager in the public sector, we worked with a community center that had some gang violence issues, such as fights on the basketball court, and similar altercations. As a result, we began looking for an athletic young man to hire as a security officer for the facility, because everyone assumed that's what it would take to control those patrons. </p><p>As it happened, our most effective security officer was an older female, who acted like a compassionate parental figure to the teens and young adults in the facility. She earned their respect, and they followed her instructions without question.  ​</p><h4>Foil Favoritism </h4><p>Allowing emotions to cloud your judgment is a dangerous trap for any manager. Managers may believe that a team member is underperforming when the underlying issue is not poor performance, but disagreement on certain issues. Conversely, I have watched poorly performing team members receive red carpet treatment because of their friendship with the boss. 
</p><p>This can be especially troubling when the manager shares demographic characteristics with the favored team member—whether that be religion, race, or cultural background—or shows favoritism to an employee who is of the opposite sex. Even if there is no tangible preferential treatment, the perception of special treatment may be damaging to a manager's credibility. The recent spike in media attention to matters of race and gender relations has made this an even more sensitive, and potentially fraught, issue. And any actual discrimination based on a protected class could violate company policies and federal Title IX laws in the United States.</p><p>Management decisions must be made with the clarity of rational reasoning and unbiased performance evaluations. This is impossible to achieve when emotions are clouding judgment. Good managers try to combat this in themselves. They assign work based on the strengths of the employees and judge their employees based on the results that they have produced.  </p><p><strong>Equal access.</strong> Everyone wants to be "cool with their boss," and it is almost a status symbol when someone can say that they get regular time with the boss to pitch their ideas. It takes patience and an open mind to maintain an open-door policy, but the benefits can be tremendous. As a security manager, I have avoided potentially catastrophic employee relations issues because someone walked into my office and said, "hey sir, I just wanted to talk to you about something that kind of bothers me…"  </p><p>However, it is only human for people to prefer spending time with people like themselves. Security managers are not immune to these biases, and some employees may get more and longer meetings with the boss than others. This can cause resentment and discord among staff. 
Thus, it's important for managers to remember that, no matter how enjoyable it is to talk to particular employees, everyone on the team is unique and they all bring valuable perspectives to the organization. </p><p><strong>Opinion sharing.</strong> With generational and cultural diversity comes a greater diversity of opinion. Members of your team may have varying views on prominent issues in the news, be it immigration, gun rights, gay marriage, or performance evaluations of political leaders. In general, the security workplace should not be a venue for discussing, arguing, or advocating these opinions.  </p><p>An employee's right to have an opinion about cultural or political topics conflicts with another employee's right not to have to listen to it while at work. Managers who want to avoid confrontations over these sensitive topics should refrain from discussing them at work and strive to maintain a comfortable atmosphere in the workplace. This can occasionally require some sort of intervening action. </p><p>I remember coming into our security dispatch center the morning after Barack Obama was elected U.S. president to find two of my dispatchers in a debate over whether the country was now better or worse. One officer, a former union boss from New York, was expressing his view that he could now die peacefully because he had lived to see the first black president of the United States. The other officer was terrified that his world as he had known it was over, and that the country was on the verge of collapse. </p><p>Quickly, their disagreement spiraled into a heated argument on the issue of racism—whether it had contributed to the election result or whether it would now spike given the victor. Because the conversation potentially affected not only the relationship of the two officers but also the safety of our operations, I decided to move one officer to another part of the facility for the rest of the shift, to ensure a cool-down period.  
</p><p>The broader lesson from that experience was the need for clear HR policies that discourage employees from engaging in potentially volatile nonwork-related conversations. Such policies should not focus on topics of conversation as much as on the potential for disruption, reduced performance, or discriminatory behavior. </p><p>For example, the policy should not prohibit discussions of a specific issue or election, but should prohibit any behavior that leads to disruption and loss of employee productivity. Thus, two coworkers can have a polite conversation about a political topic and not violate policy, but should their conversation dissolve into rude or inappropriate behavior, management has the policy to support shutting it down.​</p><h4>Toggle the Fun Switch</h4><p>Security can be a stressful and emotionally draining profession. Officers in the field may deal with hours of boredom interrupted by moments of potentially life-threatening terror. Those based in the office may stress over risk management, scheduling snafus, and broken contracts. In any workplace, there must be an opportunity for people to blow off stress, recharge, and to get back to work. </p><p>This can include interactions when it is okay to be silly and activities that let people have fun. Managers should be able to flip that switch in a way that is recognizable and comfortable for employees. That also means that managers can allow lighter discussions and playful arguments, as long as it is clear they are respectful and that sensitivities are not being trampled. Security managers must also know when to stop such interactions if they become inappropriate or contested.     </p><p>For example, allowing employees to banter about their favorite sports teams and last night's game, or the merits of recent movies and performers, can be a natural way to build comradery and make collaboration in the workplace more natural. 
The manager can participate in the fun, but at the same time be ready to stop the discussion if conversations dissolve into anger or otherwise become unprofessional. For example, a manager should never allow friendly bantering to turn to conversations that include name-calling, racial slurs, sexist expressions, or other language that may be offensive to any team member. Employees may have different standards of offensiveness, so the manager should ensure that the language is appropriate for all.  </p><p>Sometimes, employees try to encourage their manager to offer opinions in debates. This can be an attempt to seek validation by the boss. This can be a tricky situation that should be approached cautiously. No matter which side you pick, you may alienate someone. In a friendly debate over favorite sports teams or favorite foods, this is not a big deal. But in a civil, experience-based discussion that involves issues like discrimination, taking a side could have lasting consequences on your relationship with those on the other side. Sometimes, it is wisest to defer, based on the sensitivity of the issue.  </p><p>Finally, a small percentage of employees are drawn to conflict and drama and politics in the workplace for different reasons. In these cases, the manager should be careful of being lured into a debate by an employee with an agenda, such as a desire to undermine the supervisor's credibility with the rest of the team.</p><p><strong>Consider Gender Issues</strong></p><p>Accepting responsibility is a key tenet of leadership. A good manager remains humble and accepts that no one is perfect and all make mistakes. Mistakes that involve office diversity and inclusion can be costly, and the longer they are allowed to fester, the worse the consequences will be. </p><p>For example, when I was an ROTC unit commander, I was conducting a uniform inspection on a unit of about a dozen cadets. 
I stopped in front of the third or fourth cadet in the line, and, as always, I inspected from top to bottom. Although I was standing in front of the cadet, I called out the chin hair that needed to be shaved off. The cadet then punched me in the chest and stormed out of formation. </p><p>I had not realized the cadet was a female until after I made the comment; I was so focused on avoiding favoritism that I was deliberately not paying attention to the gender of the cadet I was inspecting. My immediate reaction was indignation that she had punched me, and then had left my formation. It took several hours for me to come to the realization that her actions were the result of mine. I had insulted a cadet in front of her peers.</p><p>It took the better part of a week for me to apologize and receive forgiveness from her. The damage that I incurred with the rest of her unit lasted much longer. Some of her peers who thought I had done this on purpose started losing respect for me altogether.</p><p>The possibility for similar unintentional mistakes exists in the security workplace setting.  </p><p>Consider what would happen if a manager who routinely referred to their employees by Mr. and Ms., or sir and ma'am, was assigned an employee who identified as gender neutral, or was undergoing gender reassignment at the time of employment. Would that employee feel discriminated against if they were the only one who was referred to by their name only? How would the team feel if the manager started referring to everyone by their first name, due to the arrival of that one new employee?</p><p>The solution to scenarios like these often lies in cutting through any miscommunications and going directly to the source. In my case, I had to accept responsibility for my mistake, and when I approached the cadet I both apologized and explained what had happened. Once she forgave me, she became the person that helped others understand that this was an honest mistake. 
In the workplace, as part of the onboarding process, the manager should consult the employee on how they would like to be addressed. The employee's validation of the manager's approach will be visible to the other employees in the office, and miscommunication may be avoided. </p><p><strong>Catch Up to the Future</strong></p><p>Societal norms are being reevaluated and changed so rapidly that some people have not had time to realize that their actions or words in the workplace might not be appropriate. Moreover, the widespread availability of video-capable technology and the speed with which video can be spread have created an environment where management's actions or inactions can be immediately evaluated and judged by their own employees and the media, leading to more serious consequences for those who cannot find a way to work together with their diverse team.  </p><p>Diversity, while challenging, is the source of a great team's strength, because it provides multiple unique perspectives, skill sets, and strengths to the organization at large. Those managers who can accept and encourage diversity, and are willing to make the effort to maintain an environment in which all team members can comfortably thrive, will find their units to be stronger and more successful than their competition.</p><p><em>Yan Byalik, CPP, is the security administrator for the City of Newport News, Virginia, and has been working in the security industry in both public and private sectors since 2001.</em></p>
https://sm.asisonline.org/Pages/Taking-Flight.aspx
Taking Flight
<p>In rural Grant County, Washington, public utility security personnel don't just protect remote substations—they help respond to the community's emergency calls. However, after one concerning encounter, it was clear something had to change—and security managers looked to the sky for solutions.</p><p>The Grant County Public Utilities Department (PUD) security leadership team gathered last March to review a disturbing incident from the previous night: a PUD security officer had responded to reports of a man seemingly under the influence firing a weapon indiscriminately in a nearby town. It's not unusual for PUD security personnel to respond to calls that do not pertain to the utilities because of the rural location and geography of the area, and that night the unarmed officer arrived at the scene of the disturbance before law enforcement. Fortunately, he was able to keep the man calm until police arrived, and the event ended without incident. Upon review, however, it was clear that the security officer could have been in harm's way.</p><p>"We have issues with people being on a substance, or domestic violence calls that we are first responders to, because law enforcement is a long way away," says Nick Weber, CPP, PSP, security manager for Grant County PUD. "We've had the patrol vehicle dented when residents kicked it, someone firing off weapons, and we just thought, 'how could we do this better?'" The team discussed solutions and initially joked about using a drone to mitigate problems. However, with more consideration, Weber said the idea began to gain traction. Using an off-the-shelf drone, the PUD could train its contract security officers to scope out a potentially perilous situation before endangering themselves, reducing response time. 
The drone could even be used for preemptive security assessments of the county's critical infrastructure.</p><p>"We had issues dealing with having unarmed security forces being placed into harm's way in order to solve issues related to the human environment, as well as looking for ways to better use our time and resources to conduct security assessments of substations, dams, and other critical buildings," says then physical security supervisor Brady Phelps, CPP, PSP. "We wanted to explore the challenges and opportunities that drones could present." Phelps—who now works as an auditor for the Western Electricity Coordinating Council—along with Weber and contract guard services account manager George Hainer began to flesh out the plan.​</p><h4>In the Industry</h4><p>The use of drones for security purposes is steadily picking up steam. As of summer 2016, more than 2,000 organizations had applied for commercial exemptions through the U.S. Federal Aviation Administration (FAA) to use drones for emergency management, security, or risk management, according to the Association for Unmanned Vehicle Systems International. And an IFSEC Global report notes that the international security market for drones will grow to $10 billion by 2020. </p><p>But applications for commercial exemptions don't lead to drone programs overnight, and Grant County PUD's security team was unaware of any other electric utility companies that used drones for emergency response augmentation. The Grant County Sheriff's Department had been using drones for investigations for about six months, and the PUD was able to turn to it for licensing advice later in the process, but first had to outline a program—and get buy-in.</p><p>"We were concerned about the optics that the security department is buying toys—other departments could complain because some of the things we do in security are cool and there's some jealousy," Hainer explains. "There were also concerns about wasting money. 
We talked with our boss and agreed we'd create strict usage policies, as well as safety and security standards, and went ahead with our budget to buy three hobby-level drones as a test."</p><p>While the potential for drones seems endless, Phelps stresses the importance of fully understanding their capabilities and limits to explain possibilities to those granting approval without making unrealistic promises. And while the drones were primarily going to be used for security operations, PUD wanted to share the wealth with other critical infrastructure departments in the county.</p><p>"Establishing that firm understanding of the drones' capability helped us go to other departments that have needs," Phelps explains. "We wanted to see how the line department could use it, how the dam could use it, so we went to their leadership and said that we have this tool and we want to share it. It eliminated those internal optics by showing that this is a tool for business and we'd like to help you solve problems. That went a long way to get buy-in from the whole organization."</p><p>As part of a demonstration, the PUD team worked with the county's dam department to conduct an assessment of an embankment via drone. What would normally take three or four hours and involve exposing workers to dangerous conditions took seven minutes and captured clear 4K video that allowed for easy assessment. ​</p><h4>Regulations and Beyond</h4><p>Before the PUD could begin deploying its drones regularly, it had to meet several criteria imposed by the U.S. government. Unlike individual hobbyists, organizations or public entities have to apply for commercial exemptions through the FAA. Additionally, PUD wanted the ability to fly the drones out of its line of sight and at night, which also required waivers. 
Another challenge was determining who was going to fly the drones—all operators must be certified by the FAA, which could be time consuming and would reduce the pool of people who could use the technology. "It's a big problem for some guards with no clue about airplanes and passing that test," Hainer notes.</p><p>After consulting with the Grant County Sheriff's Department, Hainer—who has previously held a private pilot's license—began the process to become FAA certified as the pilot in command for the team, allowing him to conduct flights and train others. PUD is still waiting on another FAA certificate that would allow the team to certify its own pilots. </p><p>During the extensive certifications process, another unforeseen challenge came up—the PUD contract security officers who typically respond to emergencies filed a grievance through their union that the drone program would take their work away. To address this issue, the PUD security team agreed that, in addition to Hainer, about 14 contract guards would be trained to operate the drones. "There's a great chance that they are going to need the drones more often than one of us internally," Hainer notes.</p><p>Weber detailed the team's efforts to assure executives that the program wouldn't be misused—one of the drones' greatest use cases might be one of its greatest challenges. One of PUD's key patrol zones is the land along either side of the Columbia River—a 50-mile stretch with only one public crossing.</p><p>"Murphy's Law tends to hold true in that patrol zone with reported incidents inordinately happening on the opposite side of the river from our patrol officer, making one or two miles away a 30-plus minute response time by vehicle," Weber notes. Responding to a call with a drone would allow security to gain situational awareness within 10 minutes and understand what kind of additional response might be needed. "Do we need to go and pick up trash or is it a violent felony?" 
he says.</p><p>However, one executive raised concerns about using the drones along the river during the high-volume summer months when they are most needed—what happens if a security officer decides to use a drone to follow around a boatful of teenage girls in bikinis?</p><p>"That's a valid concern," Hainer says. "There will be strict requirements for what kind of event would launch the drone, the creation of a flight plan, coordinating with Security Operations Center—especially near critical infrastructure. Every flight is going to have a lot of paperwork to make sure it's never misused." </p><p>PUD agreed to tightly restrict usage to situations where the drone would be significantly more efficient or keep personnel out of harm's way, Weber says. When a call comes in to the Security Operations Center, officials would need to document justification and a flight plan before dispatching a drone, as well as notify utilities if the flight path is within 400 meters of a power plant, transmission line, or substation. "These controls provide reasonable assurance to our senior leadership that the drones will only be operated by trained personnel and have a documented business purpose for each flight," Weber notes.</p><p>While the drone emergency response program is still in the early stages—PUD is waiting on the rest of the FAA certifications and waivers, and Hainer is training the guards on drone operation—the team has already begun to conduct safety assessments for itself and other departments, such as the dam assessment. </p><p>"Right now, we're using imagery via Google Earth for threat assessments and there's a lag on what's accurate—a couple areas don't have up-to-date imagery, and some others are low quality," Hainer notes. 
"We'd be launching the drone, using a program that compiles the aerial imagery for use in response plans and threat assessments, and it's much more accurate and higher quality."</p><p>Weber says that the team is most excited about the reduced response time and potential to keep security personnel safe, but the drone program will have more practical uses too. PUD plans on using drones to keep tabs on remote substations and transmission lines, instead of relying on costly cameras or roving vehicle surveillance. Phelps points out that drones can also be used to make sure that the sites remain compliant. </p><p>"We're one of the first groups in the electric industry to do this, and there's no roadmap," Weber says. "The sheriff's department has been a great help because they're six months ahead of us with their program, and our risk department that is in charge of insurance is comfortable with it because of all the benefits."</p><p>The team says it is pleased that the program will be launched in time for the busy summer months along the river, and staff members are looking forward to discovering what other applications drones have for both security and critical infrastructure.</p><p>"The limitations will be set not by the FAA, but by imagination," Hainer says. "Drones will provide a lot more opportunity than threat." </p>
https://sm.asisonline.org/Pages/May-2018-ASIS-News.aspx
May 2018 ASIS News
<h4>Big Event Coming to the Big Apple</h4><p>More than 2,200 security and law enforcement professionals will convene in New York City for the ASIS International 28th New York City Security Conference and Expo May 16-17 at the Jacob K. Javits Convention Center.</p><p>The conference will open Wednesday at 8:00 a.m. with a keynote address from Scott Morrison, head of global crisis management and command centers for JPMorgan Chase & Co. He will share his thoughts on emerging trends from terror attacks to kidnapping, and from cybersecurity to intellectual theft.</p><p>Two days of peer-developed education will address some of today's most pressing security challenges, including a full day of learning focused on active assailant prevention and response. Conference sessions include:</p><p><strong>Drone Technology</strong></p><p>Take a closer look at the current state of drone technology and explore industry trends from all angles.</p><p><strong>Get Your Seat at the Table</strong></p><p>Through the lens of enterprise security risk management (ESRM), security becomes an organization's roadmap for meaningful, effective risk management.</p><p><strong>Securing an Open Office</strong> </p><p>Facebook Chief Global Security Officer Nick Lovrien will explain how Facebook developed a collaborative open office environment while attempting to mitigate risk. </p><p><strong>Active Threat and Culture</strong></p><p>This session examines the cultural differences between an organization that values the "spend" vs. those that look at security as an expense that needs to be slashed.</p><p><strong>Vehicle Attacks</strong></p><p>No community is immune from vehicular terrorist attacks, which have recently caused 204 deaths and 861 injuries in the U.S. and abroad. 
How can they be deterred?</p><p>Besides paid conference registration, attendees can choose a free expo-only pass that includes access to the exhibit hall on both days, daily receptions and coffee breaks on the exhibit floor, and career coaching services.</p><p>The ASIS New York City Chapter will honor His Eminence Timothy Cardinal Dolan, Archbishop of New York, as the NYC Chapter Person of the Year. Dolan, whose career in the Catholic Church spans more than 40 years, will be honored for his dedication to the people of New York. Always a popular event, the Person of the Year Luncheon will be held at noon on Thursday, May 17. Tickets to this event are included with conference registration. To learn more, go to asisonline.org/nyc2018.​</p><h4>Globalization Update</h4><p>In April, ASIS International members received an update about the work underway in support of the Society's globalization initiative and the impact of this work on 2018 Board elections. President Richard E. Chase, CPP, PCI, PSP, sent the following letter to members last month.</p><p>Fellow members,</p><p>I am pleased to provide an update on the progress made to fully globalize ASIS International. Our 2017-2021 strategic plan identified improving the ASIS Global Network as one of five key priorities. It's understood that the future success of ASIS is dependent on our ability to be relevant to members around the globe, across all markets, and at every step of the career ladder. This can only be done by employing innovative solutions that foster collaboration and easy sharing of information locally, regionally, and worldwide.</p><p>In 2017,  the Globalization Task Force, composed of a diverse cross section of volunteer leaders, was established to evaluate common practices of other global nonprofit organization management models and identify changes we could make to our organizational structure. 
Led by 2018 Board Treasurer Godfried Hendriks, CPP, this important work, which included reviewing and redefining roles and responsibilities for our chapter and regions, council, and regional advisory council leaders with an aim to "flatten" our leadership structure, will allow the Society to be more deliberate and nimble in how we deliver our products and services. And most importantly, to create an inclusive volunteer leadership structure that truly reflects the diversity of our membership.</p><p>Through this undertaking, it became clear that we needed to not only rethink our volunteer structure, but also how we select our governing leadership positions—specifically, the ASIS International Board of Directors. </p><p>In March, a Presidential Governance Task Force was established to reevaluate the ASIS board nominations process and overall board governance with an eye towards global diversity, inclusion, and selection criteria, which targets a proportionate representation of the association's members and the overall depth of experience of directors' backgrounds. </p><p>Co-chaired by President-Elect Christina Duffey, CPP, and 2018 Board Secretary John Petruzzi, CPP, this task force is working under an expedited timeline, with a goal of delivering recommendations—including director job descriptions and creation of a governance committee—by January 2019. As such, the Board passed a motion to forgo Board elections in 2018. This will provide an opportunity for the task force to complete its work and to ensure the Board of Directors reflects the global membership it represents in 2019 and beyond. </p><p>Later this summer, we will be providing more details on the Globalization Task Force recommendations. This is an exciting time for the Society as we continue to implement our member-driven strategic objectives. 
As always, we encourage you to email asisfuture@asisonline.org to share your feedback.</p><h4>ASIS Brings Top Business Education to Spain</h4><p><em>Effective Management for Security Professionals 2-5 July, 2018 Madrid, Spain</em></p><p>Looking to take the next step in developing your business acumen? Security executives are invited to attend a four-day executive education program in Madrid, Spain. The theme is Establishing the Security Role as an Enabler for Business Success.</p><p>Presented by IE Business School in collaboration with ASIS International, this course provides an opportunity for mid-career to senior security managers to take a deep dive into the central areas of management, enhancing their effectiveness in the corporate environment and enabling them to align their expertise with the organization's security requirements. It focuses on:</p><p>• Leading in Uncertainty</p><p>• Creating a Strategic Mindset</p><p>• Applying Financial Information</p><p>• Negotiation</p><p>Prior to the program, registrants will be granted access to the IE Online Campus to prepare classwork and readings and facilitate their campus learning experience. Once on site, the class will participate in interactive lectures, debates, group work, case studies, and role play.</p><p>"Today, companies and organizations are looking for professionals who are highly trained not only in enterprise security risk management, but also in business," says program director Juan Muñoz, CPP, ASIS Spain Chapter chair. "For years now, the role of chief security officer has been progressively evolving. It is precisely in this context where the Effective Management for Security Professionals course reaches its main added value as a business executive education tool."</p><p>ASIS members save significantly on their registration fees. Additionally, registrants will receive 40 CPEs for their participation. 
New this year: Members of the CSO Center receive an additional 5 percent discount off the member fee. See details at https://www.asisonline.org/ie.  ​</p><h4>International Buyer Program Delivers Global to GSX</h4><p>Security professionals outside North America who are looking to participate in the most anticipated security event of the year can start planning their travel now.</p><p>Global Security Exchange (GSX), formerly the ASIS International Annual Seminar and Exhibits, is proud to once again participate in the U.S. Department of Commerce's International Buyer Program (IBP). </p><p>The IBP is a government–industry partnership that brings global buyers to the United States for business-to-business opportunities with U.S. firms at major industry trade shows. GSX's participation in this event demonstrates the importance of the event to the security industry worldwide. </p><p>According to the department's website, "every year, the IBP results in approximately a billion dollars in new business for U.S. companies, and increased international attendance for participating U.S. trade show organizers."</p><p>International attendees are encouraged to join an IBP delegation and take advantage of special registration rates and benefits—available only to participants. To register with an official IBP delegation, contact the commercial service specialist at your local U.S. Embassy or Consulate to discuss attending GSX 2018 and receive a special registration code. To learn more about the International Buyer Program, visit <a href="http://www.gsx.org/IBP">www.gsx.org/IBP</a>.​</p><h4>Executive Protection Council Spotlight</h4><p>Launched in 2015, the Executive Protection Council is one of the newest ASIS councils. In the years since its creation, the council has more than doubled in size, with 40 members representing organizations as diverse as Northrop Grumman, Facebook, McDonald's, Time Warner Cable, and PayPal, to name a few. 
Each member is driven to share expertise and affirm executive protection's place in the security profession. </p><p>Executive protection (EP) is a specialized field of security that Council Chair Bob Oatman, CPP, says has grown dramatically in recent years: "The profession itself has existed in government since the days of Lincoln—Secret Service, security details for mayors and governors, and the like. The private sector is where big change is taking place. Hollywood A-listers, corporate executives, and their families—they're recognizing the need for what we do. We wouldn't have a standing council if companies weren't engaged in having EP as part of their security program. We're business enablers. We protect the brand. We help people in the C-suite get where they need to go."</p><p>Oatman has been conducting a two-day EP classroom training with ASIS since 1998. When the Society launched a certificate for the program in 2013, the council's founding members saw it as a significant validation that EP has a place in the broader security community. They approached ASIS about forming a council, and now enjoy an increased reach to share EP best practices.</p><p>The council will sponsor an education session this September at Global Security Exchange (GSX), formerly the ASIS International Annual Seminar and Exhibits, where it has sponsored sessions each of the last three years. At this year's session, in a simulation titled "The Trilogy of Executive Protection—Making the Case," council members will present attendees with an EP problem. In groups, attendees will workshop and develop a pitch to sell their EP solution to mock executives.</p><p>In addition to its classroom program, the council has also produced a webinar, contributed an article to Security Management, and developed a proposal for the potential development of an ASIS standard or guideline around executive protection.</p><p>The council also engages in outreach to keep ASIS members up to date on its initiatives. 
Its biannual newsletter, which shares council updates and touches upon important EP themes, is available in both English and Spanish. The latest issue, available within ASIS Connects, includes articles on the unique rewards and challenges of working in EP and the council's proposed standard or guideline. The council has also appointed liaisons to the Young Professionals, Women in Security, Transitions Ad Hoc Council, and Critical Infrastructure Working Group. </p><p>To learn more about executive protection or to engage with council members or find their latest newsletter, visit ASIS Connects and search for Executive Protection.​</p><h4>Life Members</h4><p>Raymond L. Dean, Sultan H. Alzahrani, and Herbert M. Kaltz, CPP, have been granted lifetime membership to ASIS. </p><p>Dean has been a member of the New York City Chapter since 1981, and he served as the chapter's chair, vice chair, and secretary. In 2011, Dean was awarded the Presidential Award of Merit by ASIS. He is a two-time recipient of the Eugene Casey Award for dedicated service to the NYC Chapter, plus he won the chapter's Joseph Spillane Lifetime Achievement Award in 2017. </p><p>Alzahrani joined ASIS more than 30 years ago and has been an active member of the Dhahran, Saudi Arabia Chapter, serving as its chair multiple times. He has also been a regional vice president and assistant regional vice president for many years. </p><p>Kaltz has been a dedicated member of ASIS for more than 32 years. He provided service to the ASIS Detroit Chapter as a chapter chair, vice chair, secretary, and communications chair. ​</p><p> </p><h4>ESRM in Action</h4><p>In 2016, ASIS made enterprise security risk management (ESRM) an organizational priority and has begun infusing this management philosophy into all the Society's programs and services. 
In the months ahead, we will provide updates, as well as showcase how members are implementing ESRM in their organizations.</p><p><em>By Jon Harris, CPP, PSP</em></p><p>Our "aha" moment came during the ESRM tabletop exercise at the ASIS conference in Dallas last year. My colleague and I realized we were omitting critical components from our risk evaluation process, and therefore missing an opportunity to add significant value to our company. We had a business continuity program, emergency response processes, workplace violence prevention program, and facility risk assessments—the miss was that they were not connected and were too focused on the security aspects of our organization.</p><p>By taking a step back and reframing our entire program within the structure of ESRM, we were able to focus our efforts towards the areas of greatest operational risk, using the existing programs we had in place and providing valuable intelligence to the business. Additionally, we broadened the purview of our assessment to the entire organization—from the supply chain, to operating facilities, and through our service organizations.</p><p>Here are our recommendations:</p><p><strong>Get started</strong>. Taking too much time to analyze and come up with the perfect approach will stall your efforts. The process is organic and will evolve over time; continuous improvement is a critical facet of the program and must be embraced. </p><p><strong>Invite everyone to the party.</strong> The greatest value will come with the broadest inclusion and participation. </p><p><strong>Make it simple. </strong>We distilled our mission down to four words: Keep the doors open. At the end of the day, that was our focus and being successful in all the components of our program would deliver that output. 
The simplicity of the message allowed for an easy delivery to all levels of the organization.</p><p>While the program is still in its infancy, we are excited about our progress to date and the long-term prospects. ESRM has been transformative for how we proactively approach our security program and visibly increase its value to the organization.</p><h4>Member Book Review</h4><p><em>Can I See Your Hands: A Guide to Situational Awareness, Personal Risk Management, Resilience and Security.</em> By Gav Schneider, CPP. Universal Publishers; universal-publishers.com; 226 pages; $27.95. </p><p>Dr. Gav Schneider is a South African martial artist who teaches security workshops. His new book <em>Can I See Your Hands </em>stands on the shoulders of well-known legends in the violence prevention and threat assessment arenas, including police response trainer Dave Grossman (who wrote the Foreword) and Hollywood security guru Gavin de Becker.</p><p>Schneider starts with the familiar concept that there are three groups in the world: sheep, wolves, and shepherds. This book is definitely for the latter. Creating awareness of violent situations and developing personal risk management skills are his overarching themes. He uses models and acronyms to remind readers to avoid denial and to create and train for survival strategies.</p><p>He goes back in time to reference Jeff Cooper's color codes: Conditions White, Yellow, Orange, and Red (and Black in actual war-time combat). He has created his own model, the "Three Point Check System" (3PC-S), which focuses on scanning the Place, the People in the area, and Planned incident actions and Contingency plans. </p><p>The author espouses the use of the Run. Hide. Fight. concept for active assailants as a doable contingency plan. But during a violent attack, you must be able to activate what he calls "Adrenal Response Management." 
This means controlling stress through repetitive physical and mental training for protection, awareness, and to manage the stress response that can paralyze people in life-threatening situations.</p><p>While most content is familiar, the final chapter, which gives new information on the consequences of having to use physical or deadly force against someone, is the most valuable part of the book. The mental fallout of using force is not often discussed, and it's a vital part of surviving the encounter.</p><p>The slim book is easy to understand, with a useful summary at the end of each chapter. The appendix offers information for protection at home, away from home, and in cyberspace. An index would have been helpful, and adding workplace protection concepts would have been useful. All in all, readers who want to ramp up their pre-attack awareness will learn how to do it. </p><p>Reviewer: ASIS member Dr. Steve Albrecht, CPP, is a Colorado Springs-based author, trainer, and threat management consultant.</p>
https://sm.asisonline.org/Pages/Giving-Security-Credit.aspx
Giving Security Credit | Physical Security
<p>With 47 branches, 570,000 members, and more than 220 ATM locations, VyStar Credit Union is the 19th largest credit union in the United States. As a growing business, the bank—headquartered in Jacksonville, Florida—must grapple with physical security concerns, as well as the ever-present threat of fraud, says James McDonald, CPP, security operations manager for VyStar. "Information is just as valuable, or more valuable, than anything someone can physically take from the branch," he notes.</p><p>Video is a critical component of financial fraud investigations. If a transaction is determined to be fraudulent, having video evidence that captures the face and actions of the perpetrator is paramount. To aid in this process, the credit union upgraded all its cameras from analog to IP but was still searching for a more robust video surveillance and storage solution as it expanded its footprint. McDonald was especially interested in 360-degree camera models but found the cost prohibitive. </p><p>In addition, VyStar wanted cameras that could capture teller transactions from beginning to end and correlate the video with data from the transaction. This streamlines activity for the fraud department when investigating cases. "It's important for us to have something to match with the transaction; a camera that allows you to watch a perpetrator's movements from the time they get in to the time they get out," McDonald says. </p><p>The credit union ultimately chose a 360-degree camera model from OnCam Grandeye, the EVO-05, which integrates with a video management system (VMS) from Verint Systems Inc. Beginning in January 2017, VyStar installed the cameras at its present locations and migrated existing video to the new server. 
VyStar chose the Evolution 05 Mini model for indoors, which is less noticeable. On building exteriors, it installed the larger model, along with a sunshield and casing that protects the camera from the elements.<img src="/ASIS%20SM%20Callout%20Images/0518%20Case%20Study%20Stats.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:630px;height:237px;" /> </p><p>Existing branches are in the process of being converted to the new systems, and all newly constructed branches are built with the technologies. "Right now, we have converted almost half of our branches to Verint and OnCam," McDonald says.  </p><p>The cameras have motion detection capability to monitor threats after business hours. A motion detection alert is also sent through the VMS to operators in a monitoring location. </p><p>VyStar strategically placed the cameras where they can capture transactions at the various branch locations, as well as keep a close eye on ATM activity. "If we have someone that's just standing there from a distance, looking for a vulnerable target, we get an alert on that right through the VMS system," McDonald notes.</p><p>With the 360-degree cameras, McDonald says the bank gets more coverage than regular fixed cameras, which only have a 60-degree field of view. The bank replaced 200 existing cameras with just 52 OnCam devices.</p><p>"By placing an outdoor 360-degree camera on the corner of a building that has an ATM, you have one camera that covers all avenues of approach," he says. "We're also able to look out for our members when incidents happen in the parking lot away from the ATM."</p><p>The cameras and any incoming alerts are monitored from one of three VyStar campus locations via Verint's VMS, Vid-Center. Branch management has access to its local cameras as well. Using Evidence Center from Verint, the camera captures the entire customer-teller transaction, and integrates with VyStar's IT system to match it to the transaction data. 
"We map every single transaction that happens in VyStar, and it's tied directly to a camera," McDonald says. </p><p>Last year alone, VyStar captured more than 10 million transactions using the cameras and VMS. The fraud department recently told McDonald that its efficiency had improved by 80 percent since Verint and OnCam products were installed.</p><p>"We know we aren't going to prevent every instance of fraud; the criminals are always going to be thinking of new ways, and the biggest thing we can do is deny the perpetrator time," McDonald says. "Verint and Oncam allow us to deny them that time." </p><p>A map feature within Vid-Center allows the customer to add a blueprint of its locations and match cameras to their positions. The VMS can also integrate with access control systems to capture video as customers and employees come and go. </p><p>VyStar has a seven-day retention period for all raw video. McDonald says he keeps any video that was triggered by a motion sensor past those seven days and retains bank transactions video for more than a year. </p><p>The branch DVR recorders retain video at the local level, which makes handing footage over to law enforcement simple. In case of a network outage, no footage is lost, which McDonald says is crucial for the financial sector. While the VyStar system can manage all cameras from a single location and push updates and patches to the cameras, it can also allow branches to control their cameras individually. "In a large environment like an airport, it's perfectly feasible to pipe all your cameras back to a server and manage them from a single location," he notes. "When you're someone like us, spread out geographically, having that edge DVR that acts like a mini-server at each branch is a valuable tool." </p><p>VyStar plans to have its existing branches 100 percent converted to the OnCam and Verint technologies by the end of 2019. 
</p><p>"From an end user standpoint, when you have limited budget and limited resources, and you have one camera that can do the job of three," McDonald says, "it saves bandwidth, time, and maintenance, and it gives an overall picture of the scene that you just can't get with one conventional camera."  </p><p><em>For more information: David Wedel, dwedel@oncamgrandeye.com, 612.325.6259, Matthew Hubbard, Matthew.Hubbard@verint.com, www.verint.com, 443.722.9611</em></p>
https://sm.asisonline.org/Pages/Cyber-as-Statecraft.aspx
Cyber as Statecraft | Cybersecurity
<p>As organizers prepared to kick off the 2018 Winter Olympics with an opening ceremony in Pyeongchang, South Korea, featuring performers and thousands of athletes from around the world, security personnel were also hard at work behind the scenes.</p><p>Specifically, the cybersecurity team was responding to a cyberattack that would ultimately cause the official Winter Olympics website to be taken offline and disrupt TV and Internet systems for 12 hours. </p><p>The cyber team was able to mitigate and eventually stop the attack, which Cisco's Talos Intelligence blog assessed was designed to disrupt one of the most globally anticipated events of the year. "During destructive attacks like these there often has to be a thought given to the nature of the attack," according to Talos' analysis. "Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony."</p><p>A post-incident investigation would later claim that Russia was behind the cyberattack, which was designed to appear to originate in North Korea. Some speculated that Russia targeted the Olympics because it was banned from participating in the 2018 games due to a major doping scandal involving its athletes and drug testing facilities.</p><p>The hack demonstrates a new threat era where world powers are increasingly using cyber means to further their goals or punish others for their actions. "The use of cyberattacks as a foreign policy tool outside of military conflict has been mostly limited to sporadic lower-level attacks," said U.S. Director of National Intelligence Daniel R. Coats in the annual Worldwide Threat Assessment of the U.S. 
Intelligence Community. "Russia, Iran, and North Korea, however, are testing more aggressive cyberattacks that pose growing threats to the United States and U.S. partners."</p><p>The assessment found that the "risk of interstate conflict" is now higher than at any time since the end of the Cold War, and that actors will use any means necessary—including cyber—to influence and shape outcomes. </p><p>"The risk is growing that some adversaries will conduct cyberattacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war," Coats wrote.</p><p>Adversaries that pose the greatest risk to the United States and its allies on the cyber front are Russia, China, Iran, and North Korea. </p><p>"These states are using cyber operations as a low-cost tool of statecraft, and we assess that they will work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations," according to Coats' analysis.</p><p>Russia. At the forefront of the intelligence community's list is Russia, which Coats said would likely conduct "bolder and more disruptive" cyber operations in 2018, using Ukraine as a testing ground. </p><p>The intelligence community has also expressed concern about Russia's efforts to influence or interfere with elections in the United States, France, Germany, and the United Kingdom. In a hearing before the U.S. Senate Intelligence Committee, all six U.S. intelligence agencies said they view Russia as a threat to the 2018 midterm elections. </p><p>"We have seen Russian activity and intentions to have an impact on the next election cycle," said CIA Director Mike Pompeo in his testimony, and Coats added that he has not seen a change in Russia's behavior since the 2016 election cycle when it engaged in a social media influence campaign (See Security Management "Cyber War Games," April 2017).</p><p>Following the U.S. 
presidential election in 2016, France and Germany saw Russia engage in similar social media efforts in an attempt to influence the outcomes of their elections.</p><p>Despite this threat, U.S. President Donald Trump has not directed National Security Agency (NSA) and Cyber Command Director Admiral Mike Rogers to prevent these kinds of attacks. However, some agencies have begun working in that direction. "Based on the authority that I have as a commander, I've directed the national mission force to begin some specific work…using the authorities I retain as a mission commander in this space," Rogers said, adding that he could only go into more detail in a classified setting.</p><p>In addition to its activity around elections, Coats also said Russia is likely to continue its activities in Ukraine, including disrupting its energy-distribution networks, hack-and-leak influence operations, distributed denial of service attacks, and false flag operations.</p><p>"In the next year, Russian intelligence and security services will continue to probe U.S. and allied critical infrastructures, as well as target the United States, NATO, and allies for insights into U.S. policy," Coats said in his assessment.</p><p>China. Along with the threat from Russia, Coats also said that China will likely use cyber espionage to support its national security priorities. </p><p>"Most detected Chinese cyber operations against U.S. private industry are focused on cleared defense contractors or IT and communications firms whose products and services support government and private sector networks worldwide," Coats wrote. 
"China since 2015 has been advancing its cyber attack capabilities by integrating its military cyberattack and espionage resources in the Strategic Support Force (SSF), which it established in 2015."</p><p>While many details about the SSF are unknown, research by the RAND Corporation found that it was designed to integrate China's space program and cyber and electronic warfare capabilities.  </p><p>"…the creation of the SSF suggests that information warfare, including space warfare, long identified by [China's] analysts as a critical element of future military operations, appears to have entered a new phase of development…one in which an emphasis on space and information warfare, long-range precision strikes, and the requirements associated with conducting operations at greater distances from China has necessitated the establishment of a new and different type of organization," it said in its recent report, The Creation of the PLA Strategic Support Force and Its Implications for Chinese Military Space Operations.</p><p>Iran. While Iran has not been publicly linked to any major cyberattacks, the U.S. intelligence community predicts that it will continue to engage in cyber activity. Specifically, Coats' assessment said Iran will focus on penetrating U.S. and allied networks to position itself for future attacks.</p><p>"Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations, despite Iran's recent restraint from conducting cyberattacks on the United States or Western allies," Coats wrote. 
"Iran's cyberattacks against Saudi Arabia in late 2016 and 2017 involved data deletion on dozens of networks across government and the private sector."</p><p>Those attacks, for instance, were on Saudi Aramco and used malware to manipulate corporate safety systems and cause physical damage to company sites, according to analysis by cyber firm FireEye.</p><p>"The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors," FireEye said in a blog post about the incident. "Intrusions of this nature do not necessarily indicate an immediate threat to disrupt targeted systems and may be preparation for a contingency."</p><p>North Korea. As of <em>Security Managemen</em>t's press time, U.S. President Trump had agreed to meet with North Korean Leader Kim Jong-un to discuss denuclearization efforts. However, the intelligence community continues to view the North Korean regime as a threat.</p><p>In its analysis, it said that North Korea would likely use cyber means to raise funds and gather intelligence, or launch attacks on South Korea and the United States. </p><p>For instance, several nations—including the United States—have accused North Korea of developing and launching the WannaCry ransomware attack that spread across the globe, hitting scores of organizations and the healthcare sector. </p><p>"Pyongyang probably has a number of techniques and tools it can use to achieve a range of offensive effects with little or no warning, including distributed denial of service attacks, data deletion, and deployment of ransomware," Coats said in his analysis.</p><p>Other actors. Along with nation-state actors, Coats also expressed concerns about terrorist groups using cyber means to organize, recruit, spread propaganda, raise money, and coordinate operations. 
​</p><p>"Given their current capabilities, cyber operations by terrorist groups most likely would result in personally identifiable information disclosures, website defacements, and denial-of-service attacks against poorly protected networks," Coats said.</p><p>Additionally, Coats said that criminals will continue to provide services for hire to enable cybercrime. One recent example of this was Russia's tactic of hiring threat actors to act as trolls to spread propaganda on social media in an effort to influence Western elections.</p><p>"We expect the line between criminal and nation-state activity to become increasingly blurred as states view cyber criminal tools as a relatively inexpensive and deniable means to enable their operations," declared Coats in the threat assessment.</p>
https://sm.asisonline.org/Pages/May-2018-Industry-News.aspx
May 2018 Industry News | Security by Industry
<h4>OUTDOOR SURVEILLANCE</h4><p>The Musical Instrument Museum (MIM) in Phoenix, Arizona, displays instruments collected from around the world and offers concerts and performances in addition to its conventional and interactive installations.</p><p>To enhance the security of its exterior spaces, the museum recently worked with integrator IES Communications to upgrade its outdoor surveillance system. MIM implemented a variety of Bosch cameras to provide high-quality images of the museum's outdoor areas, which include two parking lots, a courtyard at the main entrance, an additional courtyard at the student entry, an outdoor café, and a seating area. The video system also monitors outdoor special events. Supported by new exterior LED lights, cameras produce full-color images throughout the night. Built-in video analytics alert the museum's security operators to possible risks, such as objects left behind or the gathering of large crowds that may create congestion in an area.</p><p>The museum selected Altronix Pace Ethernet solutions for video transmission over existing cabling and Security Center from Genetec for management and monitoring.</p><h4>PARTNERSHIPS AND DEALS</h4><p>Ted's Pawn in Norwood, Ohio, is using video verification technology from 3xLOGIC, Inc., to reduce false alarms and catch intruders.</p><p>Auth0 was selected by Coinsource to provide authentication for its ATMs.</p><p>Dallmeier security technology is protecting drivers and goods at premium parking areas of Euro Rastpark to combat the theft of vehicles, cargo, and fuel.</p><p>Delta Scientific barriers have been installed at Atlanta's new stadium, home to the Atlanta Falcons. 
The barriers were installed by Tusco.</p><p>Detection Technology announced that its x-ray detectors helped provide security at the Olympics in Pyeongchang, South Korea. </p><p>NASCAR named Digital Ally Inc. a Preferred Technology Provider. With this new designation, Digital Ally will provide cameras to enhance security, safety, and the officiating process.</p><p>The ScotRail Alliance purchased Edesix body-worn cameras for frontline staff.</p><p>Honeywell announced that its Xtralis VCA suite of security software is integrated into the Axis Camera Application Platform from Axis Communications Inc.</p><p>Australian law firm Clayton Utz selected the Intapp business acceptance solution as part of its risk management and compliance programs.</p><p>Integrated Biometrics announced that Grupo Neoyama will serve as its primary distributor for Brazil.</p><p>Florida Atlantic University selected the Software House C•CURE 9000 security and event management platform from Johnson Controls. The platform will be used to secure the university's Charles E. 
Schmidt College of Medicine.</p><p>OnSSI appointed Warren Associates as its manufacturer's representative for northern California and northern and central Nevada.</p><p>Pelco by Schneider Electric and Ipsotek integrated their products to create a solution for managing video and analytics.</p><p>ProSource added two vendors, ICE Cable Systems and MantelMount; the company added Centricity as a group exclusive service partner.</p><p>Guardian Protection Services selected the Qolsys IQ Panel 2 as its next-generation platform following a one-year evaluation period.</p><p>Rackspace collaborated with Cisco to provide advanced protection against evolving threats in the multicloud environment.</p><p>A new partnership between SALTO Systems and Phunware will provide integrated mobile access control platforms with applications for multifamily residential properties.</p><p>Rubicon Labs joined the open source EdgeX Foundry project to unify the IoT market.</p><p>SmartMetric, Inc., appointed Hogier Gartner CIA S.A. 
as distributor for its biometric security cards within South America.</p><p>Speco Technologies integrated its IP cameras into Synology's Surveillance Station.</p><p>TagMaster North America, Inc., installed readers and hang tags in conjunction with ATS Traffic parking barriers and equipment for the VIP parking at Grey Eagle Casino in Calgary, Alberta, Canada.</p><p>Tangent Academy announced a Pro Partnership with 5.11 Tactical, in which 5.11 Tactical will become the official apparel of Tangent Academy.</p><p>Tech Electronics is partnering with Blue Line Technology to provide threat detection, access control, and concierge applications.</p><p>Transition Networks, Inc., partnered with Milestone Systems to integrate its switches with software into the Milestone Systems XProtect VMS.</p><p>Xtera completed interoperability testing with Infinera, a provider of Intelligent Transport Networks.​</p><h4>GOVERNMENT CONTRACTS</h4><p>Axon Public Safety Australia sold 11,000 Axon Body 2 cameras to the Victoria Police in Australia. </p><p>Drone Aviation Holding Corp. delivered its multi-mission capable tactical Winch Aerostat Small Platform to the U.S. Army.</p><p>The U.S. Coast Guard has conducted approximately 100,000 search-and-rescue operations since 2006 with support from the Rescue 21 Coastal system built by General Dynamics Mission Systems.  </p><p>IndraSoft, Inc., was awarded a multiyear task order by the U.S. Census Bureau to conduct end-to-end fingerprinting and identity proofing of selectees.</p><p>InstantEye Robotics received an order from PMA-263, the U.S. Navy and Marine Corps Small Tactical Unmanned Aircraft Systems Program Office, for additional systems to support deployed Marine infantry squads.</p><p>Mt. 
Vernon School District in Indiana is deploying the Security Alert Messaging system from iSIGN Media Solutions Inc.</p><p>J&S Franklin's DefenCell products were installed in two separate areas in South Australia for environmental applications including ground stabilization, flood protection, and erosion control.</p><p>Gallant Technologies Inc. successfully transitioned the technology for a non-detonable explosives training aid developed and licensed from the Johns Hopkins University Applied Physics Laboratory under funding from the U.S. Department of Homeland Security Science and Technology Directorate.</p><p>Vicente López, one of the 135 districts that make up the Buenos Aires province, is using cameras made by Pelco, Bosch, and Axis Communications, as well as Milestone XProtect Professional video management software, as part of its surveillance system, which was integrated by Exanet S.A.</p><p>NAPCO Security Technologies, Inc., announced that its Continental Access division products are being used in a project for the Albany County Schools in Wyoming.</p><p>Optim LLC was awarded a five-year, sole-source contract to supply its FreedomView Videoscope to U.S. Customs and Border Patrol to search for illegal contraband hidden in vehicles, containers, and other conveyances. 
</p><p>Canada granted funds from its Community Resilience Fund to support a Ryerson University research initiative working to evaluate approaches to countering radicalization to violence in Canada.</p><p>The Republic of Kosovo is rolling out a nationwide mobile driver's license solution based on the VeriGO DriveID platform from Veridos.</p><p>VSTEP delivered NAUTIS simulators to the Royal Bahamas Defense Force in cooperation with DAMEN and Alphatron.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>AFL received patent awards for developing products and technologies within the accessories, optical connectivity, and fusion splicing divisions.</p><p>Akoustis Technologies, Inc., announced that its headquarters facility received ISO 9001:2015 certification, completing certification for all company facilities.</p><p>Allot Communications Ltd. was awarded Best Mobile Security Solution in the 2018 Cybersecurity Excellence Awards. </p><p>CNH Industrial's Ulm plant in Germany has achieved Bronze level certification in the World Class Manufacturing program.</p><p>Crestwood Technology Group earned the Counterfeit Avoidance Accreditation Program accreditation AC7402 for supply chain management.</p><p>At Mobile World Congress 2018, Evolved Intelligence was named best supplier of mobile network security solutions.</p><p>G4S announced that its North America Training Institute won three Training and Leadership Awards from HR.com and Leadership Excellence and Development.</p><p>Genetec Inc. was named one of the top employers in Montreal, Canada, by the editors of Mediacorp Canada Inc., for the eleventh consecutive year.</p><p>Just Add Power earned a Top New Technology Award for Video Wall Solutions at ISE 2018 in Amsterdam. </p><p>Jumio announced that its Netverify solution was named the gold winner in the Best Fraud Protection category by the 2018 Cybersecurity Excellence Awards. 
</p><p>MacAulay-Brown, Inc., renewed and updated its Quality Management System certification for ISO 9001:2015.</p><p>Oncam completed the retesting and documentation of its 360-degree solutions with Milestone XProtect open-platform IP video management software.</p><p>Securonix won multiple awards in multiple categories at this year's Cybersecurity Excellence Awards, including Most Innovative Cybersecurity Company and Best UEBA Product.</p><p>Sielox LLC recognized MCM Integrated Systems as National Business Partner of the Year.</p><h4>ANNOUNCEMENTS</h4><p>Anixter Inc. is expanding the footprint of its North American flagship distribution center in Illinois with 30 to 40 percent more storage capacity and new automation technology.</p><p>ASSA ABLOY acquired Phoniro to further develop verticals and scale solutions internationally.</p><p>A group of leading companies launched the Better Identity Coalition to develop policy initiatives that promote the adoption of better solutions for identity verification and authentication. 
Founding members include Aetna, Bank of America, IDEMIA, JPMorgan Chase, Kabbage, Mastercard, Onfido, PNC Bank, Symantec, US Bank, and Visa.</p><p>BGN Technologies announced that researchers at Ben-Gurion University of the Negev developed a new Light Invariant Video Imaging software technology that can significantly improve picture clarity of cameras in sub-optimal lighting.</p><p>Bosch Security Systems changed its name to Bosch Building Technologies to reflect greater portfolio breadth.</p><p>Bravatek Solutions, Inc., acquired HelpComm, Inc.</p><p>Broco Rankin acquired long-time client Chamberlain Security.</p><p>Camden Door Controls celebrates its 30th anniversary in 2018 with a rebranded look spanning a new logo, website, and design for product guides and other collateral.</p><p>The Cloud Security Alliance released Using Blockchain Technology to Secure Internet of Things, a white paper that explores the capabilities of blockchain technology in facilitating and improving the security of the Internet of Things. </p><p>In support of the #MeToo movement, Continuum GRC is allowing organizations to create a free custom anti-harassment policy using its IT Audit Machine GRC software.</p><p>Erin Harrington Communications launched a new website at erinharringtoncommunications.com. </p><p>The Florida Center for Cybersecurity (FC2) launched the Florida CyberHub, a virtual environment and shared cybersecurity resource center to support cybersecurity education, workforce development, information sharing, and research across the state.</p><p>Galaxy Integrated Technologies announced that it will provide complimentary, no-charge security assessments for all schools in its service area in New England, New York, and New Jersey. </p><p>The Gaming Standards Association and Gaming Standards Association Europe created a new Technical Committee dedicated to blockchain use. </p><p>Idesco Corp. is celebrating the 75th anniversary of the company. 
</p><p>IDSecurityOnline.com launched a new STEM Scholarship Program in 2018 to help shape the leaders of tomorrow.</p><p>IEC Electronics will open a new state-of-the-art manufacturing facility in Newark, New York.</p><p>Iron Mountain Incorporated opened a secure, state-of-the-art federal records center in Suitland, Maryland.</p><p>Konica Minolta Business Solutions U.S.A., Inc., acquired VioPoint, Inc., a company specializing in intelligent cybersecurity. </p><p>In 2017, Legrand employees volunteered more than 2,000 hours of their time, as part of the company's Better Communities program.</p><p>Miami-Dade Aviation Department and U.S. Customs and Border Protection hosted a ceremony to celebrate Miami International Airport's newly renovated Concourse E federal inspection facility for international arrivals. The facility provides expedited passport screening via facial recognition. </p><p>Nortek Security & Control introduced a Technician Certification Training Program for dealers, technicians, and integrators.</p><p>The Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalization. Initial signers of the charter are NXP, Siemens, the Munich Security Conference, Airbus, Allianz, Daimler Group, IBM, SGS, and Deutsche Telekom.</p><p>Speco Technologies added new videos to its website regarding its Digital Deterrent.</p><p>TEAM Software, Inc., launched a new Volunteer Time Off program to encourage its employee owners to give back to the community.</p><p>Viakoo joined Spiceworks and is sponsoring the Physical Security Group. </p><p>Vigilant Solutions announced that a law enforcement agency used its facial recognition and license plate recognition technology in a kidnapping case to help locate the missing person and get her to safety. </p>
https://sm.asisonline.org/Pages/Space-Jam.aspx
Space Jam
National Security
<p>Much of the western United States was put on notice earlier this year when the U.S. Air Force announced that it would be blocking GPS signals on its base south of Las Vegas, Nevada. The tactic—which occurred during an annual month-long military training exercise—could cause air traffic disruption and potentially require flight rerouting due to inconsistent GPS, the notice stated. While the Air Force would not confirm that the GPS disruption was a part of its yearly exercises, experts believe that the military is training its pilots to fly in conditions where GPS signals are inaccurate or nonexistent—a scenario that has become increasingly common.</p><p>Thirty-one satellites currently orbiting the earth transmit signals to civilian and military terrestrial receivers, essentially using time signals to run location-based devices and activities and syncing networks around the world. The satellites—called the GPS constellation—are owned by the United States and operated by the Air Force. Since 1978, the satellites have provided location, navigation, and timing capabilities to the military, and an unencrypted version became available for public use in the 1980s. Over the years, the signals from the GPS constellation have become critical for a variety of applications, including communications, precise time measurements, and critical infrastructure technologies—in addition to its military uses of navigation, target tracking, and missile guidance. </p><p>However, the signal—which is inherently weak—is susceptible to outside interference. Anything from space weather to malfunctioning machinery to malicious actors can cause problems with GPS, including blocking the signal—called jamming—and sending false signals, known as spoofing. 
Even small interferences can cause big headaches.<img src="/ASIS%20SM%20Callout%20Images/0518%20NS%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:466px;" /> </p><p>For example, a man who drove a company car purchased a GPS jammer to keep his boss from knowing his whereabouts, but when he passed near Newark airport in New Jersey, the jammer blocked signals from reaching the air traffic controller system. Although the sale and use of jammers is illegal in the United States, they can be purchased online for less than $50 and can successfully hide a vehicle's location.</p><p>In January 2016, a routine equipment switch caused a series of 13-microsecond timing errors in half of the GPS constellation satellites, which triggered about 12 hours of confusion for computers, networks, and timing devices around the world. </p><p>The U.S. government has referred to GPS as a single point of failure for critical infrastructure and, in 2004, called for the U.S. Department of Transportation to acquire a backup capability for GPS. However, an alternative has never come to fruition. </p><p>U.S. President Donald Trump reemphasized the need for redundancy by including a section in the 2018 National Defense Authorization Act that requires the U.S. Departments of Defense, Transportation, and Homeland Security to demonstrate a GPS backup capability within the next 18 months.</p><p>"We were concerned that the federal government was not doing all of the things it said it would do in order to protect GPS signals, which are being interfered with on a regular basis," says Dana Goward, the president of the Resilient Navigation and Timing Foundation (RNTF). He established the nonprofit in 2013 to protect, toughen, and augment GPS signals. 
"Since we started, over the last five years, GPS has been interfered with more and more," he notes.</p><p>Goward and other members of RNTF are also members of the National Space-Based Positioning, Navigation, and Timing (PNT) Advisory Board, which has existed since the call for a GPS backup capability was issued in 2004. </p><p>It's hard to tell exactly how big an impact a widespread GPS outage would have on critical infrastructure sectors around the world, but Goward notes that glitches such as the January 2016 blip can foreshadow what systems might be affected. "The implementation and use of GPS signals is so widely spread for so many different things it was never intended to be used for that it's really impossible to outline all the bad things that would happen and the sequence in which they would occur," he says. "But there are some things we do know." </p><p>Say a terrorist plants a high-powered GPS jammer hidden in a suitcase in the middle of a city. Transportation will probably be the first system visibly affected, which could quickly impact an entire metropolitan area, Goward says. Traffic lights will become desynchronized and GPS-based apps will no longer function, creating distracted and dangerous driving conditions. Airplanes and other forms of mass transportation will have to slow down or alter routes to stay in contact with people who can keep them on course. Package delivery routes as well as land, sea, and air-based supply chain operations will be disrupted. "All forms of transportation will be forced to carry less capacity in the area," Goward notes.</p><p>Countless systems that rely on GPS's perfectly synchronized timing—including data networks, financial activities, the electric grid, and other utilities—will slowly become out of sync, causing system failures. </p><p>"When the networks start to fall apart, it's hard to tell how much of a cascading failure you're going to see," Goward notes. "Networks depend on each other. 
It's really such a vast and hyper complex system, the structures of which are not known and may not be knowable."</p><p>Preventing GPS glitches is a multifaceted challenge. The GPS satellites themselves are fairly resilient—they are replaced on a rotating basis depending on their estimated operational life. Still, mechanical glitches like the one that caused the January 2016 blip are possible. The signals transmitted from the satellites are even weaker than cosmic background noise, and Goward notes that even upgraded equipment won't substantially change the strength.</p><p>"The basic problem is fundamental physics," Goward says. "Satellites are 12,500 miles up in space and powered by solar panels and transmitting all the time—unlike other satellites that can store up their solar power, GPS satellites have to transmit all the time. They will always be really weak and easy to interfere with."</p><p>An inherent area of weakness is the equipment used to receive the GPS signal sent by the satellites—anything from cell phones to networks to military ground stations that encrypt the signal.</p><p>"Most GPS receivers in use right now are very vulnerable to jamming and spoofing," Goward notes. "The technology in terms of antennas and software is available to make them much less susceptible to jamming and spoofing, but it costs a little extra and users don't feel motivated to incorporate anti-jamming and spoofing technology into their receivers and systems, even when they involve and support critical infrastructure like phone and IT networks."</p><p>RNTF is working with the government to establish guidance or best practices to improve GPS receiver security. While a fix is relatively simple, Goward says he doubts most companies will make the upgrade unless they are told to do so or they experience a GPS-induced crisis. 
"We think that for critical infrastructure applications there's a government role there to advocate for, encourage, and perhaps require users to have the latest anti-jamming and spoofing technology."</p><p>Military-level encrypted GPS signals aren't exempt from jamming or spoofing, either. While the use of a secured ground system to control the broadcast of an encrypted signal, along with military-grade receivers, provides an inherent level of protection, it's not foolproof—and it only works when it's used properly.</p><p>"Because of the encryption, that makes military receivers as a practical matter more difficult to use, so we had seen any number of photographs of military folks in the field with GPS receivers they bought at Walmart strapped to their arms and using them instead of military receivers," Goward notes. Encrypted equipment tends to be stored under lock and key—and is usually unwieldy—making it more cumbersome to use. </p><p>It's suspected that the infamous straying of a U.S. naval ship into Iranian waters in 2016 was a result of the sailors using unencrypted receivers that allowed Iran to spoof the signal and direct them into the country's territory. And headlines were made when the movements of U.S. military personnel at several overseas bases could be tracked via a GPS-based fitness app—no jamming or spoofing required.  </p><p>The U.S. Department of Defense (DoD) is in the middle of upgrading the military ground systems and replacing the current GPS constellation—which is near the end of its intended operational life—but the efforts have faced a series of setbacks. The new generation of satellites, called GPS III, are expected to provide a stronger signal that is more resistant to spoofing and jamming and will permit interoperability with other global navigation systems. But, according to the U.S. 
Government Accountability Office (GAO), the acquisition and timeline of deploying the new satellites has run into several roadblocks, delaying the launch of the new equipment. </p><p>For example, the first GPS III satellite built, which is slated to become operational in 2019, includes energy storage devices that had not been appropriately tested by the subcontractor. When the Air Force discovered the failure to test the equipment, it made the subcontractor remove the devices from the second and third satellites currently being built, but "decided to accept the first satellite and launch it 'as is' with the questionable capacitors installed," the GAO reports. The rest of the GPS III satellites are expected to be launched and operational—replacing the current devices—by 2021.</p><p>Three components of the upgrade—the new ground control systems, GPS III satellites, and contingency operations programs—are expected to face "numerous challenges" over the next 18 months, GAO notes. "If any of the three programs cannot resolve their challenges, the operation of the first GPS III satellite—and constellation sustainment—may be delayed."</p><p>Meanwhile, Goward and the RNTF are continuing to encourage the government to promote more secure GPS receiver technology and build a backup capability when—not if—the GPS signal fails. </p><p>"We are concerned that the federal government does not have a central point of accountability for protecting GPS," Goward explains. "It's possible that this lack of responsibility and governance will mean that nothing is going to happen until the nation has suffered substantial damage because of the failure to protect, toughen, and augment GPS." ​</p>
https://sm.asisonline.org/Pages/Banks-Balk-on-Bud.aspx
Banks Balk on Bud
Physical Security
<p>When seasoned security manager and longtime ASIS International member Brian Gouin started working as a consultant and virtual security manager for a medical marijuana production facility in Maryland, he certainly had some questions about the security challenges that the new gig might pose.</p><p>Would external theft be a problem? He had no experience in this sector, and dark visions of criminal cartels stormtrooping the facility to steal product occasionally crossed his mind. Luckily, that never happened.</p><p>"External theft has really not been a big problem. Surprisingly, there has not been a lot of that," says Gouin, who has spent nearly 30 years in the security industry and is currently owner of Strategic Design Services, a firm specializing in security design and project management services.</p><p>Still, the marijuana production facility did employ armed guards, because it held product that was worth at least $5 million. "That's more dollar value than 99 percent of banks in the state," Gouin explains. And since marijuana is so easy to sell, that product can be considered almost the equivalent of cash, he adds.</p><p>But unlike external theft, internal theft was a problem. Employees sometimes helped themselves to a bit of product "to go" when leaving the facility for the day. Finding ways to screen workers on the way out was difficult. Complicating this matter is that keeping track of the on-hand marijuana supply can be a complex task. "You can't inventory it the way you inventory other products. You have to dry the plant; when you dry the plant, it loses weight," Gouin explains. 
</p><p>And working with certain company employees was an unusual experience, even for a veteran security consultant well-accustomed to adjusting to different types of office cultures.  "It's so unique because of the type of person working there. Most of these people five years ago were running from the cops and making this stuff in their basement," Gouin says. "They are naturally distrusting of security."  </p><p>Overall, many of the facility's biggest security challenges stemmed from the fact that it is a nearly all-cash business. The ramifications of this are many. For instance, cash at a thriving marijuana business can accumulate quickly; but when it comes time to deposit the money earned, banks generally do not want to accept huge currency bundles, which can result in scrutiny from federal regulators, Gouin explains.</p><p>Given this, many marijuana businesses are forced to keep significant cash on hand. Some outgoing expenses, like compensation for day workers and certain bills, can be paid in cash, Gouin explains. Much of the rest can be deposited in smaller amounts that are spread out, so the bank will accept them. Of course, transiting large amounts of cash can also be risky, so the operation bought and used an armored vehicle, described by Gouin as "a small vanny-type thing."</p><p>Still, in one way the business that Gouin works for is lucky—it found a local bank that will take its money.  </p><p>Because U.S. federal law still includes marijuana on its Schedule I list of illegal substances, no large "tier one" bank will do business with cannabis companies now, says Joshua Laterman, CEO and founder, National Association of Cannabis Businesses (NACB). This is the "black letter of the law" that means that banks can be charged with crimes like money laundering if funds they have accepted from cannabis companies are mixed with other funds and enter the U.S. federal wire deposit system. This could lead to a federal indictment. 
</p><p>"No tier one bank enters the sector unless the law changes or some type of [exception] is put into place, like a safe harbor," Laterman says. "There is no cure, full stop."</p><p>This is a significant problem, given the growth and revenue-generating power of the cannabis industry. Going into 2018, nine states and Washington, D.C., had legalized marijuana outright; for medical purposes, marijuana is legal in 29 states and D.C. This year, at least 12 states are poised to consider marijuana legalization; Vermont already did so in January. On the whole, the industry generated $7 billion in revenue in the last 12 months, and this figure is expected to rise to $10 billion this year, according to NACB.</p><p>Given this revenue generation, some local banks (like the one working with Gouin's facility) and credit unions have tried to step in and fill in the vacuum. "It's the only show in town right now," Laterman says. These local banks often charge an extra compliance fee, and they usually just provide an account and some checks, without offering more involved services like credit cards. On the whole, these banks believe that the potential reward is worth the potential risk, and that working with local business is "in service of their mission." </p><p>"It's all very hyper-local," Laterman says. "They do it in a very personal way."</p><p>Nonetheless, these local banks usually cap the amount of deposited funds at $250,000, the limit that the Federal Deposit Insurance Corporation (FDIC) will insure. All things considered, there are not nearly enough of these smaller banks willing to accommodate all the revenue. "It's like trying to handle a two-liter soda with a Dixie cup," Laterman says.  </p><p>Across the northern border, no such problem exists. Canada has legalized marijuana for medicinal purposes throughout the country, and banks and other financial institutions have no problem working in the industry. 
"You're seeing investment banks, you're seeing accounting firms, and you're seeing law firms who will not do any transactions in the United States, but they are doing a lot in Canada," Laterman explains.</p><p>However, back in the United States, it is possible that there will be some movement on the legal issue in the near future. Some analysts have said that if more states continue to legalize marijuana, it will simply not be tenable for the country to have two sets of applicable law. Congress will have to act and change the banking laws to allow for an exception, so that a licensed marijuana distributor can use the banking system.</p><p>Moreover, what may help drive an effort for a solution is the U.S. government's realization that an industry generating billions in revenue without a banking and finance structure to support it could turn into a security nightmare. </p><p>"The money needs a place to be put, and there's not enough places to put it in. That's a growing public safety risk," Laterman says. California, he adds, holds some promise as a potential solution driver. As part of that state's legalization effort, officials set up a high-powered working group to address the legal issues. "It's a great effort; they are getting great people around the table," Laterman says.</p><p>He adds that NACB, which describes itself as the only self-regulatory organization (SRO) in U.S. cannabis, will continue its work of professionalizing the industry with credentialing, licensing, education, and other such programs. "We need to address the trust and information gaps, and better understand who the players are," Laterman explains. </p><p>Meanwhile, security managers who are curious about what it is like to work in the U.S. cannabis industry may want to check out The Marijuana Project, a novel published by Gouin (under the pen name Brian Laslow) that was in part inspired by his experiences in the industry. 
</p><p>In the book, security expert Sam Burnett, a conservative family man who runs a security program at a medical marijuana production facility, wrestles with the moral issues of working with the drug while he navigates the dangerous plot twists and turns that the thriller storyline takes him through. Although the book is fiction, the various industry issues and scenarios that the main character, a security expert, is involved with may be of educational value.</p><p>As for the real-life Gouin, who initially wondered if working in the cannabis sector would tarnish his professional reputation, he now says his experience was a positive one for his business: "It gave me another niche." And so his advice for fellow security managers who are interested in following his lead is "go for it"—as long as they do their due diligence beforehand.</p><p>"You have to understand the quirks of the industry," he says. ​</p>
https://sm.asisonline.org/Pages/Response-to-Article-Evolving-Biothreats.aspx
Response to Article: “Evolving Biothreats”
National Security
<p>It was with great interest that I read the article "Evolving Biothreats" in the January 2018 edition of <em>Security Management. </em>This particular subject has obviously taken a back seat of late, but it does indeed remain a critical priority issue both in the United States and internationally. In the years since the Anthrax attacks in 2001, the topic of coordinating a biodefense strategy has been studied, analyzed, and presented to the U.S. Congress and the three previous presidential administrations, resulting in very little attention or progress in regards to developing a comprehensive biodefense plan to meet the multiple and diverse threats that we face on a daily basis.</p><p>The GAO study mentioned in the article appears to clearly highlight some of the critical vulnerabilities within the current configuration of responsibilities. The sheer number of federal, state and local agencies that have individual or overlapping cognizance for the variety of incidents that could present themselves results in the potential of tardiness of action, duplicate accountabilities, and difficulties with basic communication and coordination issues. The number of studies completed since 2001 also highlight these same vulnerabilities. Subsequently, one common recommendation has been to establish an executive (White House) level position that would administer and coordinate the efforts among all the departments and agencies involved in the biodefense strategic plan.</p><p>One specific study, released in 2011, the Graham-Talent Report Card, focused on the United States' posture relative to the ability to respond and recover from a multitude of biological-related events. 
The final analysis contained within the study revealed a sobering view of our capabilities and abilities to adequately respond and recover from any of a number of accidental, naturally occurring disease outbreaks and any nefarious acts. Little progress has been made since this landmark study was released.  Anyone having an interest in reading the entire report can find it via the Internet.</p><p>Creating and administering an effective and efficient biodefense strategic plan is exceedingly complex requiring high level government commitment, support, and adequate resources. The high-altitude model for beginning the process is represented in the following diagram.</p><p>Figure 1 Bio-defense strategic planning matrix</p><p>Provided with permission from<span style="text-decoration:underline;">, Applied Laboratory Biorisk and Biosecurity Management Guide; </span>AlphaGraphics, 2015, Kirk R. Wilhelm, 297 pages.​<img src="/ASIS%20SM%20Article%20Images/bio.jpg" alt="" style="margin:5px;" /></p><p>Each discipline obviously has its own unique mission(s), but all will need to communicate and coordinate with other mission responsible partners for intel acquisition and analysis of all known risks, threats, and vulnerabilities, essentially a Biorisk Assessment, which identifies the roadmap for developing all the countermeasures required for operations, biosafety, biosecurity, emergency responses, and recovery. In addition, all the communications and coordination elements must be addressed with agencies and departments required to fulfill the requirements of the overall plan. Obviously, the plan must include state, local, and medical facilities. A significant training and education program needs to be included and implemented for all concerned. </p><p>The herculean effort needed to create and administer a biodefense plan for a country the size of the United States may have contributed to the reluctance of congress and presidential administrations to create a positive action plan. 
The significant difference remains, that biothreats in all categories within the chart of potential sources have the potential to invoke catastrophic consequences for people, livestock, plants, and our economic prosperity. A biodefense plan must have equal attention to its sister plans for chemical and nuclear threats. The significant differentiation is that biological pathogens are living organisms, constantly mutating and changing virulent characteristics. These pathogens know no boundaries, nor do they possess any political or ideological alliances. I agree completely with the premise of the article and stress the importance that action is required in the near term. </p><p><em>Kirk R. Wilhelm, CPP, is a consultant and subject matter expert in biorisk and biosecurity. He retired from MRIGlobal, where he was senior biosecurity manager.</em></p><p><strong>To read the original article, "Evolving Biothreats,"<a href="/Pages/Evolving-Biothreats.aspx"> click here.</a></strong></p>
https://sm.asisonline.org/Pages/What-We-Know-Toronto-Vehicle-Attack.aspx
Deadly Toronto Vehicle Attack: What we Know
National Security
<p><strong>What we know so far:</strong></p><ul><li><p>Ten people died and 15 were injured on Monday when a man deliberately drove a van onto a sidewalk crowded with pedestrians in Toronto. The attack occurred around 1:30 p.m. local time.</p></li><li><p>Police say the suspect is 25-year-old Alek Minassian, who was arrested after an intense standoff with officers in the minutes following the attack. He was seen pointing an object at law enforcement, but no shots were fired during the arrest.</p></li><li><p>Canadian news source CBC says the <a href="http://www.cbc.ca/news/politics/federal-leaders-respond-van-incident-1.4631909" target="_blank">attack is not part of a larger threat to national security</a>, according to the country's Public Safety Minister Ralph Goodale. </p></li><li><p>Car rental company <a href="https://www.reuters.com/article/us-canada-van/driver-kills-10-injures-15-plowing-van-into-toronto-sidewalk-crowd-idUSKBN1HU2IY" target="_blank">Ryder System Inc. confirmed that one of the company's rental vehicles</a> had been involved in the attack, Reuters reports. Ryder spokeswoman Claudia Panfil said that the company was cooperating with authorities.</p></li><li><p>Toronto Deputy Police Chief Peter Yuen said there would be <a href="http://www.bbc.com/news/world-us-canada-43873804" target="_blank">"a long investigation" following the attack</a>, according to the BBC, and said that hotlines had been set up for victims' families and for witnesses. 
He has asked for any additional witnesses who have not come forward to contact law enforcement.</p></li></ul><p><strong>Vehicle Attacks on the Rise</strong></p><p>Deadly vehicle attacks have been used by terrorists in recent years, and USA Today has <a href="https://www.usatoday.com/story/news/world/2018/04/23/list-fatal-vehicle-attacks/544603002/" target="_blank">published a list</a> of some of these incidents over the last four years. </p><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:25%;"><strong>Location</strong></td><td class="ms-rteTable-default" style="width:25%;"><strong>Killed</strong></td><td class="ms-rteTable-default" style="width:25%;"><strong>Injured</strong></td><td class="ms-rteTable-default" style="width:25%;"><strong>Date</strong></td></tr><tr><td class="ms-rteTable-default">Houston</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">3</td><td class="ms-rteTable-default">March 2018</td></tr><tr><td class="ms-rteTable-default">NYC Hookah Bar</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">7</td><td class="ms-rteTable-default">December 2017</td></tr><tr><td class="ms-rteTable-default">Barcelona, Spain</td><td class="ms-rteTable-default">14</td><td class="ms-rteTable-default">100</td><td class="ms-rteTable-default">August 2017</td></tr><tr><td class="ms-rteTable-default">Times Square, NYC</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">22</td><td class="ms-rteTable-default">May 2017</td></tr><tr><td class="ms-rteTable-default">London Bridge, U.K. </td><td class="ms-rteTable-default">8</td><td class="ms-rteTable-default">48</td><td class="ms-rteTable-default">June 2017</td></tr><tr><td class="ms-rteTable-default">Westminster Bridge, U.K. 
</td><td class="ms-rteTable-default">5</td><td class="ms-rteTable-default">50</td><td class="ms-rteTable-default">March 2017</td></tr><tr><td class="ms-rteTable-default">Berlin, Germany</td><td class="ms-rteTable-default">12</td><td class="ms-rteTable-default">50</td><td class="ms-rteTable-default">December 2016</td></tr><tr><td class="ms-rteTable-default">Ohio</td><td class="ms-rteTable-default">-</td><td class="ms-rteTable-default">14</td><td class="ms-rteTable-default">November 2016</td></tr><tr><td class="ms-rteTable-default">Nice, France</td><td class="ms-rteTable-default">86</td><td class="ms-rteTable-default">Several Hundred</td><td class="ms-rteTable-default">June 2016</td></tr><tr><td class="ms-rteTable-default">Valence, France</td><td class="ms-rteTable-default">-</td><td class="ms-rteTable-default">2</td><td class="ms-rteTable-default">January 2016</td></tr><tr><td class="ms-rteTable-default">Quebec</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">October 2014</td></tr></tbody></table></div>
https://sm.asisonline.org/Pages/Access-Control-for-Healthcare-and-Nursing-Facilities.aspx
Access Control for Healthcare and Nursing Facilities
Security by Industry
<p>Access control within the healthcare industry—particularly in hospitals and nursing homes—requires a unique approach, encompassing not only main entrance doors, but also internal entrances and exits based on location and access level. And more than that, these facilities must manage large quantities of data, making data management a critical component of a comprehensive security plan.</p><p>Security managers can work to secure these components by seamlessly integrating systems together. For example, various doors and locks can be programmed to activate at specific times and rules can be applied based on time of day, shift changes, specific department access, and more. Healthcare facilities also look for the ability to control access remotely through mobile applications, confirm identity quickly and easily, and program varying levels of access for visitors, patients, doctors, and staff. These facilities also require oversight 24 hours a day, seven days a week, which can be a challenge for security directors. </p><p>Similarly, nursing homes require robust access control to protect patients and high-value assets, such as medical equipment and prescription medications, from internal and external theft. Additionally, some nursing home patients require more robust monitoring, meaning that access control points and video surveillance must work together to enable administrators to monitor incoming and outgoing patients, visitors, and staff. </p><p>Both kinds of facilities must be careful with sensitive materials, such as narcotics and sterile environments, that require added protection and protocols. 
Medical files and controlled substances must be protected by electronic access-controlled cabinet locks to provide hospitals and administrators with the required audit trail in case of a breach. </p><p>Video surveillance in nursing homes is a critical component of a comprehensive security solution. Its usefulness centers around operational efficiencies such as managing deliveries of important goods, monitoring food preparation, ensuring proper care of patients, and overseeing the constant flow of people coming in and out of a facility. Video also becomes important in the event of an incident for investigative purposes. </p><p><strong>Putting it All Together</strong></p><p>A large healthcare organization must take the safety and security of patients—and their personal information—seriously. Implementing a security management system (SMS) can integrate a facility's access control technologies, digital video, and alarm monitoring systems into a single, streamlined solution. </p><p>Going even further, in many large enterprise organizations, multiple databases can be incorporated into an SMS, including a human resources software program. The result is the ability to streamline data input with the push of a button. For example, when an employee is terminated, access is automatically revoked when an HR manager changes the person's employment from "active" to "inactive." This means the integration of data requires only a single update to control access across the campus. </p><p>The need for integration will continue to drive innovation in access control, not only for security systems, but also for human resources, directory software tools, and event management programs. Busy facilities and their administrators require the ability to grant permissions in a way that not only saves time and energy on manual input, but also makes changing permissions easy and efficient.  
</p><p>Also important to a healthcare facility is the protection of personal information from prying eyes and hackers, which means access to records must be heavily protected. In many facilities, biometrics are being used—via iris or fingerprint scanners—to protect important information from would-be hackers. This way, only authorized users have access to the information. Additionally, IT departments within these facilities are working closely with security leaders to ensure that networks are as secure as possible to protect from ransomware attacks, which have plagued the healthcare industry in the last few years.  </p><p><strong>Locking Down </strong></p><p>Lockdown capabilities are paramount within today's healthcare settings, driving access control manufacturers to provide solutions that make it easy for security directors to control access quickly and efficiently in the event of an emergency. End users are also looking for mobility, and having a mobile application to help grant access, freeze access, or change permissions easily is important in this vertical market, along with the ability for security teams and professionals to move freely throughout the facility.  </p><p>One area where this is critical is in nursing homes. These entities must provide loved ones with the knowledge and peace of mind that their family members are safe while balancing freedom with security. In some instances, patients with dementia or Alzheimer's require additional, around-the-clock care that can be extended to the entrances and exits of a facility. In turn, nursing homes must invest in the ability to lock down a facility to keep patients from exiting without notifying staff, while also providing the welcoming environment that facilities hope to foster. Certain access control systems allow caregivers within a nursing home facility to let visitors in and out with the touch of a button, while keeping at-risk patients from exiting the facility.  
</p><p>Healthcare facilities must provide safety and security for visitors, patients, staff, and assets. The ability to lock down portions of a hospital or an entire facility is crucial to its ongoing operations. Additionally, having a system in place that allows security officials to communicate these rules quickly and efficiently through an easy-to-use interface is key to adhering to the rules and regulations that govern healthcare facilities. Access control is critical to the success of security programs, and being able to integrate with data management platforms can make this task easier than ever before.  </p><p><em>Kim Loy is director of Technology and Communications at Vanderbilt Industries.</em></p>
https://sm.asisonline.org/Pages/YouTube-HQ-Shooting-What-We-Know-So-Far.aspx ASIS Physical Security Council Reacts to YouTube Shooting | Physical Security<p><strong>YouTube Headquarters Perimeter Security Questioned</strong><br></p><p>By Lilly Chapa<br></p><p>The ability of the shooter to gain access to YouTube's office courtyard via the parking garage raises questions about the building's physical security. ASIS International Physical Security Council secretary <a href="https://www.linkedin.com/in/dave-pedreira-daoc-cdt-cspm-fdai-leed-green-assoc-7a533110/" target="_blank">David Pedreira</a>, a Distinguished Architectural Openings Consultant (DAOC) and door opening consultant for ASSA ABLOY, tells Security Management that when it comes to Deter, Detect, and Delay security principles, the role of perimeter security is to deter—and that didn't happen at YouTube headquarters.<br></p><p>"I wonder why there wasn't more electrified locking access control doors to keep people out at the parking garage," Pedreira says. "Why was it free entry, why was she able to get right in?"</p><p>With properly functioning fail-secure electrified locking devices at perimeter points of entry, authorized personnel would gain entry through an access control card or their mobile device, and visitors would be rerouted. Pedreira notes that many companies leave doors unlocked during normal business hours to cater to visitors.</p><p>"In this day and age, we don't need to do that," Pedreira says.
"There's video doorbells, there's so much that could be done with intercoms and video surveillance cameras that could easily be set up so that a visitor could be at any location and be allowed in via the remote unlocking of a door."</p><p>Pedreira advises organizations to make sure all points of ingress are locked regardless of business hours, but also to make sure they are never blocked, because blocking them would prevent the quick escape of people during an incident like Tuesday's shooting.</p><p>After the shooting, YouTube released a statement saying that the shooter entered through the parking garage to the outside courtyard, and committed the violence there. "Thanks to the security protections in place, she never entered the building itself," the statement said. However, one employee tweeted after the shooting that he had seen blood stains on the floor and stairs of the building.</p><p>The shooter exhibited unusual behavior in the days leading up to the incident, leaving her home in San Diego and staying in her car in Mountain View. Her family filed a missing person report in San Diego on Saturday, and when officers found her sleeping in her car, she told them she had left home due to family issues. Mountain View police said they contacted her family to let them know she had been found. She also visited a gun range prior to carrying out the shooting Tuesday afternoon.</p><p>Pedreira notes that when it comes to these types of events, hindsight is 20/20 and the police appear to have acted appropriately. "So she was sleeping in her car, how would they know of her intent unless her handgun was visible on the dash or something?" he asks. Even then, "who would think that all of a sudden, just because she has a grudge against YouTube, she's going to take out a handgun and attack their office?"
he asks.</p><p><strong>What We Know So Far:</strong></p><ul><li><p>A shooting at the YouTube headquarters in San Bruno, California, occurred on Tuesday morning around 12:46 p.m. local time.</p></li><li><p>The assailant has been identified as <a href="https://www.cnn.com/2018/04/04/us/youtube-hq-shooting/index.html" target="_blank">Nasim Najafi Aghdam, 39, of San Diego.</a> The Iranian-born woman blogged about veganism and made heated claims online that YouTube was limiting viewers of her videos, CNN reports.</p></li><li><p>"We know she was upset with YouTube, and now we've determined that was the motive," San Bruno Police Chief Ed Barberini said.</p></li><li><p><a href="https://www.washingtonpost.com/news/post-nation/wp/2018/04/04/youtube-shooting-suspect-was-upset-with-some-of-the-practices-or-policies-the-company-had-police-say/?utm_term=.2673a7a48b24" target="_blank">Aghdam had an encounter with police in Mountain View, California</a>, in the early hours before the shooting when they found her sleeping in her car, "but did not set off any alarms during their interaction," the <em>Washington Post</em> reports. She then went on to a gun range to practice shooting.</p></li><li><p>Using a 9mm semiautomatic handgun, Aghdam critically wounded a man and seriously injured two women. Two of the three victims have been released from the hospital. The shooter appeared to target her victims at random at the campus that houses about 2,000 employees, according to police.</p></li><li><p>Her <a href="https://www.cnbc.com/2018/04/04/youtube-shooter-was-vegan-blogger-who-accused-site-of-discrimination.html" target="_blank">family says they warned police before the shooting.</a> "Californian media reported that Aghdam's family had warned authorities that she could target YouTube prior to the shooting," according to CNBC.
"The San Jose Mercury News quoted her father, Ismail Aghdam, as saying he had told police that she might go to YouTube's headquarters because she 'hated' the company."</p></li></ul><div><p><strong>FBI Data: Female Shooters are Rare</strong></p><p><strong><img class="ms-rtePosition-2" src="/ASIS%20SM%20Article%20Images/nasim-aghdam%20headshot.jpg" alt="" style="margin:5px;width:440px;height:240px;" /></strong></p><p>As CNN reports, FBI data shows that <a href="https://www.cnn.com/2018/04/04/health/female-shooters-youtube/index.html" target="_blank">female active shooters are rare.</a> Only 220 U.S. active shooter incidents identified by the Bureau between 2000 and 2016–roughly four percent–were carried out by women.</p><p>"The women in those shootings were usually armed with handguns and opened fire inside colleges, businesses, their current or former workplaces, according to the list," the article states.</p><p>In addition, 2016 FBI data shows only 7.6 percent of murder offenders that year were female.</p><p>The YouTube shooting may not end up being classified as a mass shooting, as one victim has been released and two remain in the hospital.</p></div><div><strong><em>Photo: San Bruno Police Department</em></strong></div><p><strong>Google Announces Security Increases at YouTube Offices Around the Globe</strong></p><p>Google announced on <a href="https://twitter.com/Google_Comms/status/981669726593019904/photo/1?ref_src=twsrc%5etfw&ref_url=https://www.cnbc.com/2018/04/05/youtube-to-increase-security-at-its-offices-worldwide-after-shooting.html">Twitter that it will increase security at its YouTube offices</a> around the globe after the shooting at the video platform's headquarters in San Bruno, California.
The attack, which took place around 12:46 p.m. local time, left three people wounded. A female assailant–identified as Nasim Najafi Aghdam, 39, of San Diego–entered the campus's courtyard through a parking garage. Soon after police responded, she was dead of a self-inflicted gunshot wound. Internet giant Google, which owns YouTube, said in a statement that Tuesday evening's events were "shocking and disturbing," and also praised San Bruno law enforcement as well as YouTube employees for "acts of heroism" during the attack. The company is also encouraging employees to take time off work to recover, and ensures that "wellness services are readily available."</p>
https://sm.asisonline.org/Pages/Personnel Peril.aspx Personnel Peril | Physical Security<p>When employees steal proprietary information, they don't just cause headaches for the organization—they erode confidence in the trustworthiness of screened employees and vetted business partners. Following the recent spate of high-profile incidents—including leaks by U.S. National Security Agency contractor Edward Snowden in 2013 and violent attacks by Major Nidal Hasan at Fort Hood in 2009 and by Aaron Alexis at the Washington Navy Yard in 2013—the U.S. government determined that existing vetting processes and security standards for sensitive programs were inadequate. Key policy changes were implemented, including a new requirement for government organizations and certain government contractors to establish an insider threat program. The requirements changed the way government-affiliated organizations approached employee management and codified existing insider threat practices.</p><p>What does that mean for private sector organizations, even if they don't work with the government? Certain features of a U.S. Department of Defense (DoD)-style insider threat program may be relatively easy to implement and offer considerable security enhancements. Traditional administrative and physical security practices—locked doors, alarm systems, and inventory controls—are focused externally and are largely ineffective at preventing employees and other authorized persons from committing harmful acts.</p><p>Integrating an insider threat policy with employee and event best practices can create a well-rounded employee management program that benefits workers and the organization.
Educating employees on how to recognize and report potential insider threat information can also have a positive effect on the organization's culture and emphasize everyone's role in keeping a safe, secure work environment.</p><p>Concurrent Technologies Corporation (CTC), an independent, nonprofit organization that conducts applied scientific research and development for government and industry, faced this exact challenge upon the creation of a nuclear research facility. </p><p>With industrial space and laboratories in five states, and more than 25 percent of employees telecommuting, CTC's potential insider threat profile is typical among many technology companies in the United States. Protection of sensitive government programs, client information, and intellectual property is paramount to success in a highly competitive environment.  </p><p>But the August 2017 establishment of CTC's Center for Advanced Nuclear Manufacturing (CANM) in Johnstown, Pennsylvania, created new insider threat challenges that CTC had to address. The CANM is designed to bring fabrication technology and materials expertise to the emerging next generation of commercial nuclear power plants and will conduct business only with private sector organizations that are working on small nuclear reactors. While CTC works with both industry and sensitive government programs—and must abide by federal insider threat policies—it wanted CANM to have a government-grade insider threat program that would defend against all kinds of manmade threats—from petty theft to intellectual property issues to event management.   </p><p>A planned ribbon cutting and open house event at the CANM would place about 75 visitors in close proximity to CTC's intellectual property and advanced technology—and would serve as the first real test of the organization's new insider threat policy. ​</p><h4>Tailoring a Solution</h4><p>The FBI, U.S. Department of Homeland Security (DHS), and U.S. 
Defense Security Service provide tools for industry organizations to develop insider threat programs, including online training courses and brochures available through public websites. The tools identify specific behaviors that may indicate the presence of an insider threat.  </p><p>Simply educating employees on what to watch for may improve the chances of averting a workplace incident. Other insider threat program features, such as information sharing and incident reporting, could also prove beneficial. Initiatives can be tailored to fit the organization, and security practitioners may find that their programs already include parts of the overall insider threat framework outlined in government directives.  </p><p>This was true for CTC as it began to build a more robust insider threat program. While the organization had taken an informal approach to communicating potential employee issues, it was nowhere near the formalized program needed. To make sure the program covered all threats, CTC created an insider threat working group.</p><p><strong>Comprehensive support. </strong>An insider threat program relies on buy-in throughout the organization. A single official with authority to develop policies and procedures should be appointed to manage the program. He or she should also be responsible for determining when to report substantive insider threat information to law enforcement and other entities outside the organization.</p><p>CTC appointed an insider threat program official and established a working group with membership based on relevant roles, including representatives from security, human resources, IT, executive management, and ethics and compliance. The working group conducted several program reviews and established the types of activities to watch out for or report. 
</p><p>The group also ensured that all employees completed awareness training in the time leading up to the CANM open house and helped foster a culture of communication so that employees would not hesitate to report concerns about visitors or fellow employees. Line employees are often the first to sense that something is off—if they notice changes in an employee's routine or behavior, they should know how to safely and effectively communicate the information to team leaders without fear of retribution. </p><p>Security staff and senior managers stood ready to work with department managers and labor representatives to reduce or eliminate social barriers to reporting. Reporting policy violations and unusual or suspicious behavior must not be viewed as tattling. Instead, it should be emphasized that timely reporting may save the company or business unit from significant financial loss, unfair competition, or even a tragic incident.</p><p><strong>Team approach. </strong>Effective information sharing and collaboration among security stakeholders in the organization are essential for a stalwart insider threat program. Functional leaders—like the ones in CTC's insider threat working group—typically monitor organizational performance in areas relevant to detecting a potential insider threat. For example, larger organizations usually rely on a CISO to detect violation or circumvention of policies regarding systems access, file transfers, software installation, and other network activities. Likewise, the human resources department should track, analyze, and share information on trends in employee misconduct, including harassment complaints and drug testing. In reviewing such information, the team must take care to protect employee privacy and focus only on security-relevant factors that might create concerns of an insider threat and identify needed adjustments in policies and training. 
</p><p>For special events and unusual situations, organizations should not shy away from reaching out for help. The CTC insider threat program's leader contacted the FBI private sector coordinator, Defense Security Service representatives, and local law enforcement officials several weeks before the open house to inform them about the event and to obtain updated threat information. The FBI coordinator participated in an event rehearsal and walkthrough, and provided a tailored counterintelligence briefing to CANM engineers, program managers, and support staff, offering specific recommendations to limit risk while accomplishing overall open house objectives.  </p><p><strong>Training. </strong>Employees should feel that they share a common security interest—success for themselves and for the entire organization requires their commitment to protecting intellectual property, proprietary information, and other valuable resources. Leaders must emphasize these points and encourage employees to actively support security programs and procedures. Employee commitment and loyalty to a common cause cannot be assumed, particularly in industries that experience high employee turnover. </p><p>Training employees to watch for specific activities and behaviors that may indicate an insider threat is the key to viable information reporting within the organization. Employees tend to recognize differences in a coworker's attitude, work ethic, or behavior well before an incident occurs, so they must know when and how to report concerns. Employees must also know how to recognize suspicious emails, scams, phishing attempts, and social engineering tricks to avoid becoming an unwitting insider or being coerced into providing information or other assistance. Training should also emphasize the importance of following basic rules aimed at mitigating risk, such as locking or switching off computer workstations when unattended.  
</p><p>CANM employees were trained in traditional insider threat identification messages but were also given tips on identifying and reporting suspicious behavior at the open house event.</p><p>Because engineers, program managers, and event staff integrated security best practices into their job requirements, enhanced security was everywhere yet remained unseen at the event.</p><p><strong>Written plans. </strong>The insider threat working group at CTC identified all written guidance regarding employee behavior, from harassment policies and timekeeping systems to travel plans and procedures, and integrated it into the plan. The insider threat program features a risk mitigation plan that identifies insider threat stakeholders, roles and responsibilities, resources, policies, and procedures. The team of stakeholders meets periodically to review the plan, share and assess potential insider threat information, and determine additional actions needed to protect people, operations, intellectual property, and other resources.</p><p>For example, at a stakeholder meeting, someone in charge of travel finances might point out that the rental car budget for the previous month was 20 percent larger than normal. Human resources personnel can revisit employee travel dates and potentially identify excessive use of rental vehicles for personal travel. The same insider threat reporting procedures should be followed to address the problem.</p><h4>Redefining Insider Threats</h4><p>CTC's reevaluation and preparation paid off—the open house event went smoothly for staff and visitors alike.</p><p>CTC security officials are also reaping longer-term benefits from the CANM experience.
For example, the department is improving its approach to training by conducting lunchtime seminars and more personal interviews with employees to reinforce the significant role that each employee plays in countering insider threats, even if security is not their primary role.</p><p>In addition to the CANM program, other business changes prompted CTC to reassess potential threats and strengthen routine security procedures. New contracts with government clients outside the DoD brought new requirements and concerns for protecting sensitive information processed and stored on company networks. The company invested in new equipment, and other areas of business development brought increased interaction with international customers—along with added challenges for ensuring compliance with American export laws.</p><p>By thinking outside the box in regard to an insider threat, CTC was able to create a well-rounded employee management policy that is capable of addressing a variety of organizational concerns. Addressing a wide scope of potentially problematic employee-related activity—not just intellectual property or workplace violence concerns—through an insider threat lens strengthens the entire program and makes it more adaptable for addressing other business concerns.</p><p>As an example, security staff worked with shop floor staff and project managers to revise the facility's access control plan. Doors to certain industrial areas within the 250,000-square-foot CANM were closed to employees who did not have a clear need for access. Facility access hours were restricted for many employees, and a proximity card in addition to a six-digit PIN is now required to use doors that are not routinely monitored. Process owners and senior managers fully grasped the need for such procedural changes and strongly supported the recommendations.
</p><p>As international business contacts expanded, the security, contracts, and export compliance departments worked closely with program managers to ensure that export licenses encompass all international dealings involving protected technologies. The company's enterprise visitor system, internally developed in 2012 and upgraded in 2015, electronically routes international visit requests for coordination and approval. This ensures that the right managers and technicians are informed, projects are shrouded, or operations are suspended or rescheduled as needed.</p><p>With such low- or no-cost security enhancements in place, establishing an insider threat program required only a modest effort to formalize plans and procedures, charter a working group, and expand existing training. Other corporations working exclusively or extensively with government contracts can engineer similar results.</p><p>Increasing awareness of insider threats and encouraging employees to report suspicious behavior and policy violations has directly led to improved overall security. For example, information received in recent months from frontline employees has enabled managers to correct internal issues and mitigate vulnerabilities in how the company purchases, inventories, and accounts for low-cost supplies, equipment, and bench tools. Workers in the affected areas recognize how the changes reduce risk of pilferage and unauthorized use of company assets. Minimizing such losses helps the company control overhead costs, remain competitive, and protect jobs and salaries.</p><p>If an organization is unaccustomed to a regimen of safety and security rules during daily business operations, it may take months to evolve a security culture where employees are likely to bring their concerns forward and key supervisors can evaluate information and respond effectively. The advantages of starting now almost certainly outweigh the risk of what could come later.
</p><h4>Sidebar: How Nuclear-Level Security Influenced Today’s Insider Threat Programs​<br></h4><p></p><p>Concerns about insider threats are not new. In the mid-1940s, during the highly secretive Manhattan Project—the United States' efforts to develop the world's first atomic weapons—leaders were most concerned that a trusted insider could be blackmailed or tempted to commit espionage for money. Losing atomic secrets to enemies could have drastic—and deadly—consequences. The art of protecting critical research, test activities, materiel and weapons production, and plans for use of nuclear weapons was woven into the Manhattan Project and remains a hallmark of security within U.S. Department of Defense (DoD) nuclear programs.</p><p>The personnel clearance process and the personnel reliability program (PRP) have been central in addressing insider threats to nuclear capabilities since the 1960s. Clearance processes are designed to screen people for trustworthiness and must be strictly followed prior to granting an individual access to classified nuclear design information, plans, capabilities, or operating procedures. A personnel clearance is based on favorable evaluation of factors such as the person's demonstrated financial responsibility, personal conduct, and allegiance to the United States. Cleared individuals are reinvestigated periodically to ensure continued access is appropriate. Those in unusually sensitive and critical positions may be subjected to polygraphs.   </p><p>The PRP is an added layer of administrative security comprising procedures, automated notifications, tiered supervision, and other checks designed to ensure workers are mentally and physically fit at the time they perform critical tasks, such as nuclear command and control, maintenance, or armed security. PRP requirements and standards are risk averse—the slightest concern may result in temporary suspension from normal duties until circumstances change or a problem is resolved. 
A common reason for temporary suspension from duties under the PRP is use of prescription medication, which may cause drowsiness. Minor disciplinary infractions may also result in PRP suspension, triggering security measures that block access to restricted facilities and information systems.</p><p>Together, clearance processes and the PRP foster a heightened safety and security environment where workers are dutybound to report relevant information about themselves and others to appropriate authorities. Such an environment is essential based on the destructive power and political significance of the nuclear arsenal. Senior government and military personnel hold leaders within the nuclear community accountable for evaluating conditions that may detract from anyone's assigned tasks under PRP. For example, removal of the responsible unit commander is often the outcome of failure to properly adhere to PRP guidelines.    </p><p>Historically, these stringent screening and reliability standards are seldom applied to government and contractor enterprises outside nuclear communities. Since 2013, however, government officials have increasingly acknowledged the threat of insiders. Personnel clearance processes are now bolstered with additional screening and random selection for background checks between the traditional timespans for periodic reinvestigation. Additionally, government clearance adjudicators may now review and consider social media information when determining overall eligibility for access to national security information.</p><p>A series of U.S. Department of Homeland Security and DoD documents and guidelines mandate insider threat programs for agencies and certain contractors but stop short of requiring self-reporting measures such as those associated with the DoD PRP due to cost, legal concerns, and other practical considerations. 
A PRP-like mindset, however, can be encouraged within any operation where inattention to detail, slowed reaction time, or lapse in judgment could result in injury, death, or unacceptable material or financial loss.​</p><p><br> </p><p><em>Ronald R. Newsom, CPP, is a retired U.S. Air Force officer now employed with Concurrent Technologies Corporation, a recipient of the DoD 2017 Colonel James S. Cogswell Award for sustained excellence in industrial security. Newsom is a member of ASIS International. He also serves as the Chair of the National Classification Management Society's Appalachian Chapter.    ​ ​</em></p>
https://sm.asisonline.org/Pages/Take-No-Chances.aspx Take No Chances | Physical Security<p>Security processes are working properly if nothing happens, as the adage goes—much to the chagrin of the security manager looking for buy-in from the C-suite. But if something does go wrong at an organization, the error lies in either the company's risk profile or its implementation of mitigation procedures. Using risk management principles to create a risk profile and implement procedures to mitigate those risks should leave no gray areas for an incident to occur, says Doug Powell, CPP, PSP, security project manager at BC Hydro. Security Management sat down with Powell, the 2017 recipient of the Roy N. Bordes Council Member of Excellence Award, to discuss how to create a mitigation program that only gets stronger after a security incident.</p><h4>Weigh the Risks…</h4><p>A basic tenet of risk management principles is understanding what risks an organization faces by conducting a thorough risk assessment. "For me, nothing should happen in the security program in terms of making key decisions around protection principles until you've been through your risk management exercise, which will do two things for you: tell you where you have gaps or weaknesses, and what the priority is for addressing those," Powell says.</p><p>Look for the risks that are high-probability, low-impact—such as copper theft—and low-probability, high-impact—such as a terror attack—and build a protection plan that primarily addresses those, Powell says.</p><p>"You use that prioritization to get funding," he explains.
"I tell people there's a broad spectrum of risks you have to consider, but there are two that you focus on that I call the board-level risks—the ones the board would be interested in because they could bring down the company."​</p><h4>…And Use Them to Build a Strategy</h4><p>Establishing those risk categories will not only help get buy-in from the C-suite but frame the company's security strategy.</p><p>"You should never say something like, 'well, the copper losses are so small that we're not going to deal with this at all,' in the same way you're not going to say that you'll never likely be attacked by terrorists so let's not worry about it," Powell says. "With that in place, you should have an effective mitigation strategy on the table."​</p><h4>Flesh Out the Baseline…</h4><p>While getting buy-in may rely on emphasizing the impact a risk can have on business operations, the security team needs to have a well-rounded understanding of the risk itself. Powell illustrates the distinction by using an example of how protesters might affect critical infrastructure.</p><p>"It's one thing to say that there's risk of work being disrupted or of a pipeline being taken out of service by protesters, but it's quite another thing to say that in the context of who these protesters are," according to Powell. </p><p>"You have one level of protesters who are just people concerned about the environment, but all they really do is write letters to the government and show up and carry picket signs to let you know they are concerned. The more extreme groups are the ones that would come with explosives or physically confront your workers or who would blockade machinery," Powell explains.</p><p>While these two groups of people both fall under the protester category, the risks they present—and how to respond to them—are vastly different.</p><p>"You have to understand the characteristics of your adversaries before you can adequately plot the seriousness of the risk," Powell explains. 
"Would it be serious if our pipeline got blown up? You bet it would. But who has the capability to do that? Are they on our radar? And what's the probability that we would ever interact with them? There's a bit more than just saying it's a bad thing if it happens."​</p><h4>…And Keep It Updated</h4><p>Don't let an incident be the impetus for conducting a new risk assessment. Creating a governance model will facilitate regular reviews of the risk assessment and how it is conducted.</p><p>"If you do it well at the head end, you should be mitigating to those standards," Powell says. "Risk doesn't happen once a year, it's an ongoing process where you establish the baseline, mitigate to the baseline, and start watching your environment to see if anything bad is coming at you that you should be taking seriously because the world is dynamic."</p><p>Consistent monitoring of threats allows the mitigation strategy to be adjusted before weaknesses are discovered and exploited.</p><p>"The monitoring aspect is critical, and after an incident you might say that the reason your mitigation plan failed is you simply didn't monitor your environment enough to realize there were new risk indicators you should have picked up," Powell says. "The risk management process is dynamic, it never stops, it's continually evolving, and whether something happens to cause you to reevaluate or whether you reevaluate because that's your normal practice, that has to happen."</p><h4>Establish a Process…</h4><p>Through risk management, a security incident occurs when the risk assessment was not accurate, or the mitigation processes were not properly carried out. After an incident, security managers should never feel blindsided—they must identify the shortcomings in their processes.</p><p>"When something critical happens, the first thing you will do is go back to your risk profile and ask yourself some key questions," Powell advises. "Did we get it right? Did we miss something? 
How did this incident occur if in fact we had our risk profile correct? Or did our mitigation planning not match well with the risk profile we had developed? If we had this assessed as low-risk but it happened anyway, maybe we got something wrong. If it was high-risk and it happened anyway, what was the cause?"</p><p>If the security program matches the risk profile and an incident still occurred, it's time for the organization to change the baseline.</p><p>"Did we understand our adversary?" Powell asks. "Was it someone we anticipated or someone we didn't anticipate? If it was someone we anticipated, how did they get in to do this thing without our being able to stop it or understand that they were even going to do it? Do we have the right security in place, did we do the right analysis on the adversarial groups in the first place? What did we miss? Are there new players in town? Is there something going on in another country that we weren't aware of or ignored because we didn't think it impacted us over here in our part of the world?"</p><p>And, if it turns out that the risk profile was inaccurate despite proper governance and maintenance, don't just update it—understand why it was wrong. "Look at whether your intelligence programs or social media monitoring are robust enough," Powell suggests.</p><p>"If you had 10 or 100 metal theft incidents in a month, you want to go back and ask why this is continuing to happen," Powell notes. "We've already assessed it as a risk and tried to mitigate it. For me, the two things are intrinsically connected. If you're performing risk management well, then your mitigation programs should mirror that assessment. 
If it doesn't, there's a problem, and that's what this review process does, it gets you into the problem."​</p><h4>…And Use It Consistently</h4><p>Whether it's copper theft or a terrorist attack, the incident management process should be carried out in the same way.</p><p>"That should always be a typical incident management process for any kind of event," Powell says. "What varies is input, but the methodology has got to be identical. If it's metal theft, it's a pretty simple thing—we have some thieves, they broke into a substation, removed ground wires, and as a result this happened. What can we do to mitigate that happening at other substations in the future? </p><p>If it's a terrorist attack, of course a lot more people will be involved, and you'll be asking some very challenging questions. The process becomes a lot more complex because the potential for damage or consequence value is much higher, but the methodology has to be the same all the time."</p><p>"Overall, whether you're looking at a security breach that happened because you exposed your cables and the bad guys were able to cut them or whether it was a new, more dangerous group coming at you that you weren't aware of, or because you neglected to identify the risk appropriately—all of this has to go into that evaluative process after something happens," Powell says. "Then you have to reestablish your baseline, so you're going back into that risk analysis and move to mitigate it according to what that new baseline is. If something bad happens that's what you do—go back to the baseline and discover what went wrong, and once you know, you seek to mitigate it to the new baseline." </p>
https://sm.asisonline.org/Pages/Active-Assailant,-Unarmed-Officer.aspx
Active Assailant, Unarmed Officer
Physical Security
<p>The concept that small acts can have large ramifications is called the butterfly effect. The phrase, based on a thesis by American mathematician and meteorologist Edward Lorenz, refers to the idea that a butterfly's wings could create tiny changes in the atmosphere that may ultimately delay, accelerate, or even prevent the occurrence of a tornado in another location.</p><p>The level of awareness exhibited by security personnel can have a butterfly effect on an active assailant's perception of risk. Active shooter attacks often end when the perpetrator is apprehended or killed by law enforcement, or when the attacker commits suicide—rarely do assailants run or escape. Having security guards onsite may mitigate the chances of an attack, but this type of embedded response is no guarantee that the attacker will be deterred or stopped. </p><p>In the case of the Orlando Pulse Nightclub massacre, for example, there was a uniformed Orlando police officer onsite providing security. At Mandalay Bay where a gunman opened fire on the crowd below, killing 59 people, a security officer exchanged gunfire with the assailant during the massacre. And most recently, an armed school resource officer was on campus during the February shooting that killed 17 people at a high school in Parkland, Florida. </p><p>However, security officers can also focus on the events that occur before an attack. People who intend to commit violence often give themselves away by their physical appearance or behavior. By engaging people with simple hospitality principles, a security officer is more likely to observe warning signs. This enhanced awareness allows the guard to implement security methods that may deter the attacker. 
</p><p>Even when the worst-case scenario occurs, a security officer's situational awareness is critical. Early detection enables officers to respond more quickly and help others by providing instructions that can mitigate the attack. By observing physical and behavioral cues, acting upon concerns, and implementing effective response methods, unarmed guards can help prevent or mitigate active assailant attacks.​</p><h4>Preattack Indicators </h4><p>Because most attacks represent the killer's first and last act of violence, the assailant often exhibits telltale signs of the incident to come. With little to no prior criminal record or experience in extreme violence, they may show behavioral and physical indicators that give their bad intentions away. Looking out for these early warning signs, or preattack indicators (PAINs), can alert the security practitioner to potential trouble and possibly thwart attacks. </p><p>PAINs are physical actions that include movement patterns, carried objects, appearance, or dress. They are also behavioral elements, such as facial expressions or demeanor. PAINs do not automatically indicate danger, because they can be consistent with perfectly innocent explanations. By carefully and prudently observing people who are determined not to be a danger, the officer can learn how to better distinguish future threats.</p><p>In the rare instances when PAINs are associated with imminent danger and immediate action is required, awareness will greatly improve response, because the element of surprise that may elicit the fight-or-flight response is removed. </p><p><strong>Normalcy bias.</strong> Trying to look for someone in a crowd who could be an attacker is like looking for a needle in a stack of needles. Since active assailant attacks are rare, there is a tendency to discredit PAINs in favor of the norm. 
Effective security requires a certain level of paranoia that avoids the "it can't happen here" mentality.</p><p>Establishing a thorough understanding of what is normal allows the guard to have a baseline. Then the security officer remains alert and vigilant during normal activities, and can easily transition to a heightened state of alert when a change occurs to the baseline.</p><p><strong>Customer service.</strong> Proactivity on the part of the guard is not to be confused with aggression, because customer service is still a priority. Security should view each person as a customer, not a suspect, until a significant change to the baseline occurs. Professional and nonthreatening behavior from security is more likely to elicit cooperation. </p><p>In customer service, the 10-5 Rule is a gold standard. The rule states that when the staff member is within 10 feet of guests, staff should make eye contact and smile to acknowledge them. Within five feet of a guest, a sincere greeting or friendly gesture should accompany the eye contact and smile. </p><p>The 10-5 Rule reminds others of the presence of a professional security force while keeping the security officer engaged with visitors. </p><p>Making eye contact with a person is an effective first step to determine if a basic level of mutual trust exists. At around 10 feet, make brief eye contact with a pleasant demeanor, then scan for PAINs. (See infographic, page 41.)</p><p>If PAINs are observed, engage the person in a focused conversation. In this context, professionalism is key. A focused conversation should not resemble interrogation. </p><p><strong>Active engagement.</strong> The purpose of a focused conversation is to determine if the person poses a risk. A polite "where are you heading?" to learn that person's trip story can be an effective conversation starter.  </p><p>There are two types of trip stories—past and future. 
A past trip means the person has completed the purpose of the trip, and a future trip means the person is on their way to a specific place. This basic framework helps the officer determine whether the trip story is verifiable by providing specific details of sights seen and actions taken. A vague, unverifiable trip story does not indicate imminent violence, but it does indicate deception.</p><p>Officers should expect occasional negative reactions and be prepared to encounter individuals who refuse to cooperate. Appropriate measures should be taken to deal with such persons, including asking for another officer to help and continuing to question the individual.</p><p><strong>Low-risk groups.</strong> Just as there are universal indicators of imminent danger, there are groups of people that, absent an overt hostile act, can be statistically discounted as a threat. These low-risk groups can be removed from the 10-5 Rule, including families, children, people older than 70 years, known guests of the facility, and people known and trusted by the officer. </p><p><strong>High-risk people. </strong>After the focused conversation, those not eliminated as a possible threat must be monitored. Ideally, the person can be denied access and escorted out of the area. If not, supervisors need to be alerted and the person should be followed by an officer. Using video surveillance is also a possibility. The officer should be prepared to document their concerns and articulate—based on PAINs and the focused conversation—why the person was considered a threat.</p><p>If it becomes apparent that the person is dangerous, immediate action should be taken. The first step is to alert others and request assistance. The following actions will be based upon the perceived threat and the location. 
Options may range from initiating heightened security procedures and observing the subject to an immediate evacuation of the area.​</p><h4>Attack Response</h4><p>Regardless of the specific factors leading up to the situation, it is imperative that security officers understand how to respond to a violent attack.  </p><p>Some responses require compartmentalizing occupants away from the assailant, which is associated with the lockdown concept. However, not all situations call for these measures. Lockdown or compartmentalization is a valid tactic, but it lacks the flexibility needed to adequately mitigate all active assailant attacks. A lockdown does not help people in areas that cannot be secured or those having direct contact with the perpetrator. In an active assailant attack, these are the people at the greatest risk.</p><p>Not every human-based threat or intrusion requires Run. Hide. Fight. decisions. Under these far more common nonactive shooter events, using the word "lockdown" can cause a high percentage of occupants to falsely assume there is an active shooter, creating unnecessary panic and anxiety. Instead, these scenarios require heightened security procedures.</p><p><strong>Heightened procedures. </strong>Situations requiring heightened security can range from a threat of school or workplace violence to civil unrest. What measures are taken to increase security depend on several factors, including the nature of the threat, the mission of the facility, the architecture and layout of the facility, and law enforcement presence or response time. </p><p>Based on these factors, leaders must determine which measures are most prudent given the circumstances, and security officers should be prepared to guide facility occupants. </p><p>When necessary, guards should communicate the fact that security has been heightened in simple language, such as "Attention, guests: we have a situation that requires heightened security. Please move inside a secure location." 
These messages get people's attention without causing unnecessary panic. Additional information can be shared as needed. </p><p><strong>Attacks.</strong> All leading U.S. federal preparedness and response organizations, including the U.S. Department of Homeland Security, the U.S. Department of Education, and the U.S. Department of Justice, recommend the option-based Run. Hide. Fight. approach. This recommendation is not limited to U.S. government agencies—Run. Hide. Fight. can be applied to many organizations and settings.</p><p>When deciding which option is best, determining whether the guard has direct or indirect contact with the shooter is essential. Direct contact means there are no barriers between the guard's location and the attacker, and the assailant is close enough to pose immediate danger.</p><p>With indirect contact, the attacker is inside or near the facility or general area, but distance or barriers delay the attacker's ability to cause harm.</p><p>After determining the level of contact, the survival options of the protocol are applied. The guard should also be prepared to advise those around him or her on which option to choose and to assist others. </p><p>Given their large presence at events, facilities, schools, and other venues, both armed and unarmed security officers play a critical role in preventing and mitigating active assailant attacks.</p><p>Because the killer is likely to have a target location for the attack in mind—whether it be a school cafeteria, concert, or church service—the presence of trained, engaged, and aware security can disrupt the attack. </p><p>Unarmed guards have a variety of tools at their disposal to protect the public and mitigate potentially dangerous situations. With a combination of active observance, engaged conversation, and–when necessary–heightened security procedures, security personnel can serve as a major deterrent against those who intend to commit harm.  
</p><p><em>Brad Spicer is the founder of SafePlans, a firm specializing in all-hazards emergency preparedness technology and active shooter defense training. He is an army veteran with 20 years of state and local law enforcement service and is a member of the ASIS School Safety and Security Council. He can be reached at brad@safeplans.com. ​</em></p>
https://sm.asisonline.org/Pages/On-a-Sea-of-Risk.aspx
On a Sea of Risk
Strategic Security
<p>The maritime sector, one of the world's most critical infrastructures, is vulnerable to a variety of security threats. But in this environment, many organizations have difficulty analyzing a crucial issue: which levels of risk are acceptable? The answer can shift; a disaster can transform an organization's perspective.</p><p>This article is aimed at assisting those who are exploring the question of acceptable levels of risk, and how those risks might be mitigated, in the maritime sector. To that end, it discusses the information that informs a risk analysis: breakdowns of potential bad actors, their tactics and targets, sector weaknesses, and appropriate protection strategies. </p><p>First, common threat actors and motives are explored. Second, the tactics and targets of these actors are examined, as well as the vulnerabilities of the maritime sector that could be exploited by these criminals. </p><p>Third comes a discussion of the existing security measures used to protect the maritime sector against attacks, followed by ideas about effective security measures and related emergency management initiatives. </p><h4>Actors and Motives</h4><p>Threat actors may include current, prospective, or former employees of shipping companies and seaports, or third-party contractors such as trucking agents and train conductors. Maritime staff and contractors are not always fully vetted, particularly when positions are filled overseas. In the more extreme cases, they may be mentally ill, violent ex-felons, or even terrorists, serving in various posts such as merchant mariners, longshoremen, and tractor-trailer drivers. 
</p><p><strong>Nonemployees may also be threat actors.</strong> These may include strangers with criminal records, such as smugglers or pirates, or even terrorists. Some of these people are or were in a platonic or intimate relationship with an employee or third-party contractor. </p><p>Experts have identified a variety of motives used by employees and nonemployees to justify their violent actions. A 2012 article "Maritime Terrorism and Piracy" in Global Security Studies reports that many threat actors simply seek monetary gain for themselves or are reacting to a loss of economic stability. Other threat actors believe that they are victims of personal violations, such as stress from overwork, humiliation by a supervisor, loss of their job, or recent harm to their family, and seek revenge by spreading fear, distrust, and distress. </p><p>Still other perpetrators seek to make others aware of their political agenda. In some of these cases, they seek to harass or embarrass a particular government, as a means of influencing decisions of and legislation in that country.  </p><p>The motives of threat actors may be solidified into action in one of several ways. The most typical route to a commission of crime, or radicalization to terrorism, is when someone from a minority group feels marginalized to the degree that avenues of change outside of crime or violence are no longer viewed as likely or possible, according to a 2005 study "The Staircase to Terrorism" in the American Psychologist. </p><p>In these cases, violence is perpetrated because the threat actor does not believe that the current situation could be improved through politics or laws. Often, these views are shared by family and friends, who sympathize with the victimized and disenfranchised in a society. 
Consequently, the threat actor's decisions and beliefs, including the belief that violence is not an immoral alternative to achieving certain goals, are influenced by the actor's friends and family, as argued in the 2014 book The Psychology of Terrorism by John Horgan. Moreover, by identifying with and joining other criminals or terrorists, the perpetrator stands to gain both social and psychological rewards, Horgan explains.  ​</p><h4>Tactics and Targets</h4><p>Threats in the maritime environment are varied, and threat actors have targeted the maritime sector through a range of tactics. These include the use of containers to hide explosives, terrorists, or contraband; criminals and terrorists posing as employees; and cyberattacks involving ship navigation, cargo databases, and other systems, such as life support.</p><p><strong>Cargo security.</strong> In the past, criminals and terrorists have often transported illicit items like weapons (and even weapons of mass destruction) using an innocuous-looking vessel such as a fishing trawler, according to the chapter "Applying Risk Assessment to Secure the Containerized Supply Chain" in the 2007 book Managing Critical Infrastructure Risks edited by Igor Linkov, Richard J. Wenning, and Gregory A. Kiker.</p><p>Terrorists can also target cargo security by tampering with a legitimate consignment or by assuming a legitimate trading identity and using it to ship a dangerous consignment. In terms of the former, there have been instances where terrorists hide in cargo containers to gain access to ports. </p><p>In 2004, for example, two terrorists in Israel hid inside a cargo container for several hours before an attack so they could bypass the extensive security procedures at the Ashdod Port. These terrorists were successful in detonating their explosive devices. Ten people were killed and 16 injured, according to the 2008 Police Executive Research Forum report, Protecting America's Ports: Promising Practices. 
This incident brought home the lesson that inadequate cargo security poses legitimate threats in the maritime sector. </p><p><strong>Ship stability.</strong> However, ports are not the only vulnerable maritime environment. Another major concern is a container ship's stability–that is, the ability of a loaded ship to remain on an even keel. Because containers have different weights and sizes, the seafaring ability of the ship becomes compromised if the ship is not properly loaded, and it may even become damaged or capsize.  </p><p>To avoid this, shippers use computers to perform a stability analysis shoreside, and the ship is then loaded according to a configuration consistent with the analysis, with a record sent to the crew before the ship leaves the port. Given this process, criminals may devise a method to hack this analysis during the loading process so that it produces a configuration that would ultimately leave the ship unstable, which could cause damage to the vessel and endanger the lives of the crew.</p><p><strong>Fire suppressants.</strong> Another concern for container ships is fire. Ship containers located in holds (as opposed to above deck) are generally protected by large carbon dioxide fire suppression systems. As a suppressant, carbon dioxide has many virtues. It is odorless, it leaves no residue, and generally it will not damage cargo in any way. It also does not conduct electricity. But carbon dioxide also has a large liability–it is highly toxic to humans at the concentrations necessary to be deployed in the total flooding applications for which it is used. </p><p>To date, these stability and fire systems have not been exploited by threat actors, but accidents happen. According to the U.S. 
Environmental Protection Agency's report Carbon Dioxide as a Fire Suppressant: Examining the Risks, between 1975 and 2000 there were 20 incidents involving the accidental shipboard discharge of carbon dioxide fire suppression systems on nonmilitary ships in the United States and Canada that resulted in 19 deaths and 73 injuries. The automation of commercial ship systems could also be exploited by threat actors in the future, either electronically or by motivated individuals with knowledge of the systems.</p><p><strong>Insider threat. </strong>Another security threat is posed by insiders. Many positions in the maritime sector are vulnerable to potential insider threats from those who obtain employment, or pose as an employee, with the malicious intent to access critical infrastructure. Harm may be caused by these real or impersonated employees in a port or on a ship, including those working as sanitation workers, cabin stewards, equipment operators, office administrators, and even security personnel. Such positions may be used for drug trafficking, human trafficking, smuggling, and even espionage, and they may be desirable for infiltration leading up to a terrorist attack. ​</p><h4>Cyberattacks Onboard</h4><p>Finally, cybercriminals can use malicious software or malware to gain access to maritime systems, modify data, and cause damage. </p><p>Cyberattacks can also be used to gain unauthorized access to systems and data. According to The Guidelines on Cyber Security Onboard Ships, issued in June 2017 by BIMCO—an international association of shipowners and operators—criminals, terrorists, foreign states, and insiders can use malware or hire others to hack and use malware to compromise port and ship cybersystems. 
These threat actors may target maritime communications, ship navigation, and cargo tracking systems.</p><p>For example, in Antwerp, Belgium, in 2013, hackers hired by drug traffickers gained unauthorized access into port systems that controlled the movement and location of containers and modified the data. This allowed drivers hired by the organized criminals to access the port and pick up cargo where the drugs were hidden.</p><p>Moreover, ships are increasingly using systems that rely on digitization, integration, and automation. That creates a need for more cyber risk management on board, according to BIMCO's new guidance. As technology continues to develop, information technology and operational technology onboard ships are being networked together and, more and more frequently, connected to the Internet.  </p><p>This growing practice brings greater risk of unauthorized access or malicious attacks to ships' systems and networks. Risks may also occur when personnel access systems on board, such as by introducing malware via a piece of removable media.  </p><p>Given these risks, the safety, environmental, and commercial consequences of not being prepared for a cyber incident may be significant. Responding to the increased cyberthreat, a coalition of international shipping organizations, with support from a wide range of stakeholders, came together to issue new BIMCO guidelines.​</p><h4>Existing Security </h4><p>Currently, there is a range of security measures used for protection in the maritime sector. These measures include advanced tracking and notification systems, credentials for mariners, and the vetting of employees.</p><p>In addition, U.S. regulations such as the 24-Hour Advanced Manifest Rule (AMR) and the 96-Hour Advanced Notice of Arrival to the National Vessel Movement Center give appropriate government agencies the opportunity to intervene early to prevent criminal activities, including potential terrorist attacks.  
</p><p><strong>Assessments and credentials.</strong> The U.S. Coast Guard (USCG) has taken a lead role in maintaining a risk assessment system that reviews top-secret elements to determine which ships may require boarding and extensive review before they are allowed entry into U.S. waters. The U.S. government also determines which foreign ports are unable to provide adequate measures to ensure that ships and cargo coming from those locales are reasonably secure. Sometimes, the government maintains a presence in these potentially problematic ports.</p><p>Under the treaties and customs of the maritime world, the International Maritime Organization's Safety of Life at Sea (SOLAS) has developed a series of measures to ensure confidence in the integrity of the credentials issued to mariners. Although the advent of Merchant Mariner Credentials, issued by the USCG, is mostly focused on safety rather than security, this is starting to change.  </p><p>The USCG issues these credentials in accordance with the guidelines of the International Convention on Standards of Training. Two additional credentials include the certifications under the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers, which is issued to U.S. seafarers to show evidence of a mariner's education, training, competencies, and proficiencies; and the Transportation Worker Identification Card, a tamper-resistant, biometric credential issued by the U.S. Transportation Security Administration, which is required to enter a secure area in a port or on a vessel in the United States.  </p><p>These processes have allowed for greater scrutiny over mariners and other personnel who work in maritime centers, ports, and infrastructure projects.  </p><p><strong>Vetting. </strong>The security of U.S. ports, however, also depends on the depth of the vetting process for employees who have gained these credentials. 
According to the Seafarers International Union, if a foreign employee has met the necessary requirements of the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers, he or she is permitted to work on a U.S. flag vessel if no other qualified U.S. crewman is available. There have been instances in which improperly credentialed individuals caused ships to be held in port for failing to meet safety standards, though not because of security risks. A captain may also learn inadvertently that one of the employees on board is in fact a felon who bypassed the vetting system. </p><p>According to "Hiding Behind the Flag," a series of articles on the website of PBS Frontline in 2004, the Kingdom of Tonga was closed as a Flag of Convenience country for security reasons after it was found to be selling passports for as much as $60,000. Moreover, U.S. intelligence agencies believed that Tongan ships were part of Osama bin Laden's "navy." In 2002, Israeli commandos boarded a Tongan ship and found 50 tons of weapons on board. </p><p>Two more Tongan ships were later caught with illegal Pakistani immigrants on board carrying large quantities of cash, maps, and false passports. U.S. intelligence officials suspected links to al Qaeda, although the evidence of these links was never revealed. Shortly after these incidents, Tonga's cabinet closed the Ship's Registry, headquartered in Greece.</p><h4>Emergency Management</h4><p>A final essential element of defense-in-depth measures is the emergency management plan. In the maritime sector, it is important to have different types of emergency management plans for mitigating hazards and vulnerabilities to ensure people's safety and reduce property losses. These emergency management plans include, but are not limited to, hazard awareness, emergency preparedness and response, evacuation, and risk communication. 
</p><p>The effective implementation of an emergency management plan requires that all involved have proper training and are given exercises to ensure the viability of existing plans. Unfortunately, this is not always the case. In April 2014, the Sewol ferry disaster in South Korea killed 304 people, nearly all of them schoolchildren. Even though the vessel took about three hours to sink, many of those on board never received evacuation orders, demonstrating a clear failure of the emergency management plan.</p><p>According to <em>Fundamentals of Emergency Management,</em> a book issued by the U.S. Federal Emergency Management Agency (FEMA) in 2006, there are three types of exercises—tabletop, functional, and full-scale—that may be used to train personnel in dealing with emergency situations. A tabletop exercise is conducted in the classroom or conference room and is based on a limited scenario that allows participants to provide a verbal description of possible responses to contingencies. The advantage of this type of exercise is that it allows the evaluator, usually the controller, to determine the staff's ability to resolve the problem. </p><p>A functional exercise tests one or more functions in an emergency plan in a field setting designed to approximate disaster conditions. Due to the complexity of a functional exercise, multiple evaluators are required to assess the staff's performance, and coordination among multiple evaluators is needed to verify satisfactory performance by the staff. </p><p>Finally, a full-scale exercise tests all aspects and all organizational participants in an emergency operation plan in a realistic field setting. Regardless of which type of training exercise is used, effectiveness is determined by its ability to teach strategies to all the participants. </p><p>Plans, strategies, and exercises should not be stagnant. It is necessary to update all of these periodically. 
Modification should not wait for a scheduled time, because waiting to revise a strategy might prove to be disastrous. Threats are growing in number and complexity, and security must not fall behind in keeping up with them.  ​</p><p><br></p><h4>Sidebar: Disaster Subcultures<br></h4><p>The process of assessing maritime risk, and risk acceptability, can be influenced by cultural or subcultural factors specific to a community of practice. For instance, The Netherlands faces a persistent threat of flooding. To adapt, the Dutch have developed a disaster subculture, or a set of cultural tools to deal with this recurrent hazard, according to the 2014 study "Flood Disaster Subcultures in The Netherlands" in the journal Natural Hazards.</p><p>In the study, the authors examined how two local communities in the Dutch lowlands developed a disaster subculture toward the prospect of flooding. Locals developed a range of early detection and mitigation tools that made them feel confident in their ability to respond. "Both communities are not afraid of flooding and feel experienced, prepared and knowledgeable enough to cope self-sufficiently," the authors write. </p><p>However, given the communities' past success with flood response, authorities also spread messages that reflect an "attitude of defiance," the authors write. For example, some officials communicated that by 2025, high-water levels will no longer be an issue, and residents will no longer have to worry about flooding. While that attitude does not dominate overall, it has become part of the disaster subculture.</p><p>Another example is the 2012 wrecking of the Costa Concordia cruise ship near the shore of the Isola del Giglio in Italy. The accident occurred when the ship's captain, while performing a sail-by salute (a slow passage of the ship close to shore, and a common cruise-industry subculture practice for showing off the ship and impressing local residents), hit a rock and killed 32 people.  
</p><p>Sail-by salutes have been part of the maritime culture since ancient times. However, this cultural practice does increase accident risk. Thus, the practice also illustrates the need for those in the maritime sector to consider human factors when making decisions about acceptable levels of risks and threats.​​</p><h4>​Sidebar: Response Artistry​​<br></h4><p></p><p>Even when emergency response plans are developed and tested, the reality is that there are situations faced by security and emergency managers that must be resolved through flexibility and improvisation. An unwillingness to be open to change and attentive to the social and physical environment may result in a failure to reduce risk.</p><p>The unfolding of an actual disaster often creates parameters that could never be included in a plan, particularly when the threat faced is new. For example, the waterborne evacuation of lower Manhattan following the  9/11 attacks was entirely improvised. This innovative method, as discussed in the 2016 book, American Dunkirk: The Waterborne Evacuation of Manhattan on 9/11 by James Kendra and Tricia Wachtendorf, encourages the reader to reconsider the relationship between planning and creativity.</p><p>The authors advocate for two concepts. One is a change in mindset so that improvisation is not considered the result of a plan failure, but instead as a method for getting acclimated to a changing social and technical environment. </p><p> The second concept is for more training designed to enhance creativity. Even though some people tend to be creative on their own, oftentimes their natural creativity is stifled. </p><p>Hence, security and emergency managers should embrace creativity and improvisation as tools that may be used to help minimize the consequences of any disaster.</p><p><br></p><p><em>​Dr. Marie-Helen Maras and Dr. Lauren R. 
Shapiro are associate professors at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. Drs. Lucia Velotti, Susan Pickman, Hung-Lung Wei, and Robert Till, all of John Jay College, contributed to this article.​</em></p>
https://sm.asisonline.org/Pages/Stopping-Distracted-Driving.aspx
Behind the Wheel: Stopping Distracted Driving
Strategic Security
<p>It was another quiet night at the rail yard. Leon, a security officer, was making his usual rounds in the SUV provided by the rail company. </p><p>As he turned the car around a corner, his cell phone slipped out of the cup holder. He grabbed it and placed it on his lap. But as the SUV's wheel hit a bump, the phone fell to the floor next to his right foot. With the car still in motion, Leon reached down and fumbled unsuccessfully for the phone. </p><p>In the process, his foot slid from the brake and hit the accelerator—propelling the SUV into a shipping container.</p><p>Fortunately, Leon was not injured. But his client's vehicle didn't fare so well. How was he going to explain the crumpled front end to his manager at his contract security firm?</p><p>When it comes to accidents like this, there is usually a straightforward explanation: distraction. According to the U.S. Centers for Disease Control, distracted driving is involved in up to 52 percent of typical driving activities. </p><p>Accidents involving distracted driving injured around 390,000 and killed 3,477 people in 2015, according to the National Highway Traffic Safety Administration. And the U.S. Occupational Safety and Health Administration ranks auto accidents as one of the top causes of workplace death. </p><p>Despite the widespread availability of safer vehicles, traffic deaths are on the rise in general. The National Safety Council reported traffic deaths topped 40,000 in 2016, a 6 percent increase over the previous year, making that year the first since 2007 in which more than 40,000 Americans died in motor vehicle crashes.</p><p>Distraction may be an obvious culprit, but it is not a simple one. 
A distracted employee driver is a symptom of a businesswide problem. Considering the threats security officers deal with daily, a mundane task such as driving may not register as an urgent concern. But driving is a serious threat.</p><p>Unsafe driving habits are a real threat that warrants a reasoned response. Security firms should have policies and procedures in place for training, monitoring, and other processes that reinforce a safe driving culture. Attending to driver safety is crucial for security firms looking to protect their workforce—and their bottom line.</p><h4>Distracted Driving</h4><p>When most people think of distracted driving, they likely picture someone with one hand on the wheel and the other on his or her smartphone. Though cell phones are a popular form of distraction, distracted driving is defined as any situation in which the driver is not attending to the operation of the vehicle.</p><p>Broadly, distracted driving takes three forms: manual, visual, and cognitive. Manual distractions take the driver's hands from the wheel, visual distractions take the driver's eyes from the road, and cognitive distractions take the driver's mind from the task of driving. </p><p>For example, turning to talk to someone in the backseat of a vehicle is a visual and cognitive distraction. The driver's mind is on the conversation and his or her eyes are turned from the windshield. </p><p>Digital distractions are particularly nefarious because they combine all forms of distraction. The driver's hands, eyes, and mind are all occupied with the phone or GPS unit, rather than focused on the act of driving.</p><p>In the claims the author's company reviews, it sees evidence of distracted driving where no device was involved. </p><p>In one recent incident, no distraction was involved other than cars on the road. An officer was driving at night during a significant portion of her patrol. 
As her late shift drew to an end, she became concerned about a car and motorcycle speeding behind her and began watching them in her rearview mirror. Before she knew what was happening, her patrol vehicle ran into a tree. The vehicle was totaled; the officer was fortunate to walk away with a minor injury.</p><p>This claim also revealed other ways to think of distracted driving—as either an unintended action or a decision. This officer made a decision—to watch the rearview mirror rather than the road—but she was likely suffering the unintended consequences of fatigue. Often, drivers take these actions and make these decisions over and over again with little consequence, until it's too late.​</p><h4>Unforeseen Consequences</h4><p>Unsafe driving habits threaten officers' safety and other drivers on the road. That threat to physical safety should be everyone's primary concern, but another concern that cannot be overlooked is the financial consequences.</p><p>Executives might think "that's why we have insurance," and a good commercial auto insurance policy helps cover legal fees, bodily injury claims, and damage to other vehicles in an accident.</p><p>But that still leaves organizations without patrol cars for several weeks in the event of a crash. They will still need to pay the deductible and for the consequences of productivity lost to time spent in litigation. </p><p>They may also need to pay a workers' compensation claim or hire a new employee. And firms may pay higher insurance premiums for years to come—if they are even able to secure a commercial auto policy.</p><p>Businesses can also be held responsible for an employee's irresponsible driving behavior. Take, for example, the case of an accident caused by an employee's distracted driving in which another driver is killed. The family could bring a wrongful death suit against the employer. If the company did not have a policy in place forbidding texting, or if it failed to review a driver's U.S. 
state motor vehicle record (MVR), it could be added to the lawsuit and be liable.</p><p>Plus, organizations are likely to lose the trust of their clients. One of the most pervasive consequences of an accident caused by employee negligence is damage to a company's reputation. Considering that security professionals are tasked with protection, distracted driving is counter to the job description. If an accident involving a company vehicle makes the evening news, that company's logo is portrayed in a troubling context—one that does not convey safety and security.​</p><h4>What Employers Can Do</h4><p>Understanding the consequences and sources of distracted driving helps point us in the right direction. With a comprehensive employee driving strategy, companies can create a safe driving culture, which depends on the following four practices.</p><p><strong>Define and enforce hiring policies. </strong>Sometimes it's said that businesses "hire the problem." That's because many employee-based accidents could have been predicted based on past driving behavior; a person's driving history is the best indicator of his or her future driving performance.</p><p>U.S. employers can access a job candidate's driving history through an MVR. They should consider the entirety of a candidate's driving history, for every state in which he or she has lived, but pay particular attention to red flags like driving under the influence. A company may adopt other red flag standards that preclude a candidate from a job involving driving, such as five moving violations in the past three years.</p><p>Road tests should also be a part of the hiring process for positions that require driving. This gives hiring managers the ability to review a candidate's key driving behaviors, like seatbelt use, signaling, and stopping completely. </p><p>While reviewing candidates' performances and MVRs, employers should ask themselves, "If we held no auto insurance, would I still hire this person?" 
If the answer is no, employers should heavily consider that in the hiring decision.</p><p><strong>Establish policies and procedures</strong>. A written employee driving policy is the foundation of a safe driving culture. This provides concise prohibitions against specific distractions, such as texting, eating, and smoking, as well as clear guidelines for alternative actions, such as pulling over in a rest area to make a phone call.</p><p>It should include consequences and disciplinary measures, as well as how these measures escalate with multiple violations. Because it deals with the condition of employment, a lawyer and senior management should be involved in reviewing and shaping this policy.</p><p>These policies do not just apply to on-the-ground officers. Managers should make it easy for employees to follow driving guidelines. </p><p>For example, only call an employee on patrol when he or she is not scheduled to be behind the wheel. Practicing what is preached helps create a safety culture. </p><p>Furthermore, it's helpful to have procedures for regularly reassessing the competency of employee drivers. A twice-yearly ride along or road test reinforces key driving skills and enforces the employee driving policy.</p><p><strong>Monitor vehicles. </strong>Another way to enforce driving policies is through monitoring. Telematics devices are in widespread use and for good reason. They are easily installed and provide a way for a vehicle to communicate with managers, sharing location information and red flag behaviors like hard braking or speeding.</p><p>Other technologies are useful for combating digital distractions. Tools like Cell Control block the use of cell phones or GPS devices within a company vehicle.</p><p><strong>Maintain documentation. </strong>One relatively low-tech tactic goes a long way towards protecting officers on the road and a company's reputation: sticking to a regular vehicle maintenance schedule. 
</p><p>Employees can get involved in this, submitting a monthly report on vehicle performance that can identify problems before they become real trouble. </p><p>Not only does this prevent the obvious—breakdown and malfunction—but it can be the best defense a company has when accused of negligence after an accident. If enforced and documented properly, both regular maintenance and employee driving policies can counter claims of negligence and help control claims costs.</p><p>These four practices are far more than cost-saving measures. The entire reputation of the security business is based on safety. A safe driving culture will go far in supporting the reputation of officers and the business as a whole.  </p><p><em>Tory Brownyard is the president of Brownyard Group. For more information, contact tbrownyard@brownyard.com. ​​</em></p>
https://sm.asisonline.org/Pages/April-2018-ASIS-News.aspx
April 2018 ASIS News
Strategic Security
<h4>Introducing Global Security Exchange</h4><p>GLOBAL SECURITY EXCHANGE (GSX) is the new name for the ASIS International Annual Seminar and Exhibits, the security industry's flagship educational and networking event. The move reflects the Society's commitment to unite the full spectrum of security—cyber and operational security professionals from all verticals across the private and public sectors, allied organizations and partners, and the industry's leading service and solution providers—for the most comprehensive security event in the world. </p><p>"GSX is setting a new bar for education, networking, and security product and service excellence—addressing the issues critical to all sectors of the global marketplace," says Ron Rosenbaum, chief global marketing and business development officer at ASIS International. "The new name, branding, and messaging reflect the global nature of our event, as well as our commitment to facilitating the exchange of ideas, best practices, and product and service innovations among all industry professionals."</p><p>Registration for GSX opened in March with strong numbers, due in part to high levels of engagement on social media and positive buzz stemming from the brand reveal.</p><p>"Global Security Exchange will build upon the change and reinvention introduced at ASIS 2017," says 2018 ASIS President Richard E. Chase, CPP, PCI, PSP. "What won't change is our commitment to reinvesting, promoting, and furthering the security profession year-round. This is a source of great professional pride, and a clear brand differentiator between GSX and other industry events." 
</p><p>GSX will continue to offer best-in-class education, networking, and business-building opportunities that provide ongoing benefits for attendees and exhibitors alike. The education—led by ASIS, InfraGard, and ISSA subject matter experts—will deliver an immersive and interactive learning environment for security professionals at all experience levels. </p><p>"We believe learning shouldn't be reserved for the classroom," Rosenbaum says. "It's important for attendees to get hands-on access to new and emerging technologies, as well as ideas and insights that offer new perspectives on current and looming challenges. With immersive reality, robotics, and drone demos, as well as expanded Impact Learning Theater and Career Center programming, GSX will transform the traditional exhibit hall format to provide the industry's most robust and engaging technology and solutions experience."</p><p>Building on more than six decades of event excellence, GSX will take place September 23-27 in Las Vegas, Nevada, USA. For more information and to register, visit gsx.org.​</p><h4>Upcoming Global Events</h4><p><strong>ASIS Europe 2018</strong></p><p>April 18-20</p><p>Rotterdam, The Netherlands</p><p>Big Data and artificial intelligence are main themes of ASIS Europe 2018—"Blurred Boundaries—Clear Risks." Opening keynote speaker Tom Raftery, global vice president, futurist, and IoT evangelist, SAP, will set the tone for the conference with his insight into the business opportunities presented by Big Data, artificial intelligence, and automation. Classroom training sessions will provide concise, practical learning.</p><p>The free Show Pass, available until April 17, includes access to education sessions in the Technology and Solutions Track, coaching and advice at the ASIS Europe Career Centre, and the networking hub of the exhibition floor. Full information and registration is on the event website asiseurope.org. 
</p><p><strong>11th Annual CSO Summit</strong></p><p>April 29-May 1</p><p>Minneapolis, Minnesota, USA</p><p>CSOs, policymakers, and global thought leaders will gather at the 11th Annual CSO Summit for strategic-level discussions, executive development, and exclusive networking opportunities. </p><p>Taking place at Target Plaza Commons in Minneapolis, this forum will feature futurist Scott Klososky; executive coach Angela Scalpello; a behind-the-scenes tour of the U.S. Bank Stadium, home of the Minnesota Vikings; and sessions on security risk management, leadership skills, and the changing technology landscape. </p><p>This event is open only to CSO Center members and those eligible for CSO Center membership. Learn more and register at asisonline.org/CSOSummit. </p><p><strong>28th New York City Security Conference & Expo</strong></p><p>May 16-17</p><p>New York, New York, USA</p><p>The Northeast's most anticipated security event will bring together 2,200+ security professionals for two days of valuable networking opportunities, an exhibit floor showcasing solutions from 110+ exhibitors, and expert-led education sessions examining critical issues and trends in enterprise risk and public safety.</p><p>Thought leaders will speak on drone and artificial intelligence technologies, protecting soft targets, and how enterprise security risk management can turn security into a business enabler.</p><p>Special events during the conference include an opening reception on the expo floor and a luncheon honoring the ASIS New York Chapter's Person of the Year—His Eminence, Timothy Cardinal Dolan, Archbishop of New York. For more information and to register, visit asisonline.org/nyc2018.​</p><h4>Early Careerist Job Study</h4><p>ASIS International is conducting a job analysis study to determine the body of knowledge needed by those new to or transitioning into the security management field. 
</p><p>In January, a panel of security professionals developed a list of knowledge and skill statements and determined the overall domains of practice in which these statements belong. To ensure that the profession agrees with the panel's recommendations, a survey will be sent to all ASIS members in early April to validate the work of this panel. Based on the results of the survey, ASIS will decide if this newly developed body of knowledge can be used to create a new certification program. </p><p>This new certification is envisioned to be the first rung on a security management professional's career ladder. ASIS encourages all members—especially those new to the field and professionals who hire those new to the field—to complete this survey and help advance the creation of this important stepping stone into the profession.​</p><h4>ASIS INTERNATIONAL CUP 2018 KICKS OFF</h4><p>The ASIS International Cup rewards individuals who recruit the largest number of new members to ASIS from March through June. The single highest recruiter will receive a free all-access pass to GSX, September 23-27 in Las Vegas, a three-night hotel reservation, and $500 towards GSX travel expenses.</p><p>The second-place prize is a $500 Amazon gift card, and the third-place prize is a $250 Amazon gift card. All recruiters will earn an entry into a drawing for gift cards to WorldSoccerShop.com. In 2017, the winner, Ronald Lee Martin, CPP, recruited 13 new members. </p><p>To learn more and to locate recruitment tools, visit asisonline.org/InternationalCup. Get in the game and win big!​</p><h4>ASIS Life Members</h4><p>ASIS congratulates Dennis G. Byerly, CPP, and Andrew Wyczlinski, CPP, who have been granted lifetime membership to ASIS. </p><p>Byerly has been a member of ASIS for 27 years. He has been a longtime member of the Commercial Real Estate Council, and he served as a council vice chair for multiple terms. He was also a member of the Critical Infrastructure Working Group. 
</p><p>Wyczlinski has belonged to ASIS since 1977. He has been an active member of the National Capital Chapter; the Dayton, Ohio, Chapter; the San Antonio Chapter; and now the North Texas Chapter. In addition, he was a founding member and chapter chair for the Fredericksburg/Quantico Chapter. </p><h4>Member Book Review</h4><p><strong>Private Investigation and Homeland Security. By Daniel J. Benny. CRC Press; crcpress.com; 181 pages; $79.95.</strong></p><p>In the popular media, private investigators are frequently portrayed as shadowy and unprincipled gumshoes working cases on cheating spouses and sitting in cars on stakeouts. This may be true to a small degree, but in his book, <em>Private Investigation and Homeland Security, </em>Daniel J. Benny makes a strong case for broadening the scope of private investigator services into the homeland security arena.</p><p>A quick glance through the book's comprehensive table of contents provides the reader with a preview of all things relating to the private investigation—from establishing an investigative business to countering cyberattacks and implementing technical systems. </p><p>Much of the homeland security investigation how-to content relates to various components of physical security and background investigations. The author includes an ancillary section on security consulting, which encompasses a broad discussion of intrusion detection systems, access control, and locking devices. At times readers may struggle to connect the dots as the author introduces varied content that may not seem relevant to the subject at hand.</p><p>The author could have neatly packaged the seemingly disparate physical security and investigative components of the book together for the readers by probing into the importance of the partnership between law enforcement and the private sector. 
The private sector owns and protects 85 percent of the nation's infrastructure, while local law enforcement often possesses threat information regarding infrastructure. Thus, to effectively protect the homeland's infrastructure, law enforcement and the private sector must continue to work collaboratively, because neither possesses the necessary resources to do so alone. </p><p>There is plenty of knowledge that can be used by investigators and general security practitioners alike. While the book covers a multitude of security-oriented topics, readers may find themselves questioning the relevance of some content. The appendices comprise nearly 30 percent of the book and cite some narrowly focused regulatory statutes, including New York security guard and Virginia private investigator training outlines.</p><p>This book would best serve one who is contemplating a foray into the private investigative industry or a more advanced practitioner who wishes to broaden investigative service offerings. </p><p><em>Reviewer: Doug Beaver, CPP, is chair of the ASIS Cultural Properties Council and a member of the Global Terrorism and Political Instability Council. He is the director of security for the National Museum of Women in the Arts in Washington, D.C. ​</em></p>
https://sm.asisonline.org/Pages/Mobilizing-the-Force.aspx
Mobilizing the Force
Physical Security
<p>A Services Group (ASG) provides clients with everything from risk assessment and security systems installation to industrial cleaning and security guard services.</p><p>The industries it serves include hospitals, manufacturing, retail locations, and warehouses.</p><p>A smaller company, with about 1,300 security personnel, ASG is often tasked with large requests from its customers, and it relies on technology to help accomplish its goals. </p><p>"Clients will often ask us to take on projects that really fall outside our scope and area of operation," says Gene Enlow, vice president of ASG. "We find it hard to do those if we have to fully mobilize with an area manager and an office." </p><p>Rather than hiring a large security presence in each client location, ASG has been managing its security staff with guard tour management services for many years. But the technologies it used in the past did not stand up to the weather the checkpoints were exposed to, and went up in price over time. </p><p>"There have been systems around for years, and we've used several. The problem usually ends up being durability or cost," Enlow says.</p><p>About a year ago, ASG developed a relationship with Mobotour, a guard touring service based on smartphone technology. </p><p>Mobotour allows the customer to set up simple checkpoints anywhere throughout the client site. These check-ins show that guards were present at a certain place, at a specific time and date. Mobotour's app, downloadable from any app store, is accessed through the guard's smartphone.<img src="/ASIS%20SM%20Callout%20Images/0418%20Case%20Study%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:644px;" /> </p><p>"With Mobotour, it's so simple. 
It's a piece of equipment that you're going to use anyway," Enlow says. "You're not adding all these other electronic tools—none of the bulky expensive equipment that tends to break down and fail."  </p><p>From an administrative portal, the customer tailors the application to fit the needs ​of its guard force. Mobotour sends stickers to ASG for placement around customer sites. These stickers, which are slightly bigger than a postage stamp, are weatherproof and have a QR code. Each code can be named in the portal to indicate where it's placed, such as "front gate" or "loading dock." </p><p>"We literally peel it off and stick it to the surface in the area we want to make sure we've inspected," Enlow notes. "They're weatherproof, they can be out in the elements, that doesn't seem to bother them, and they're unobtrusive." </p><p>The stickers are placed at various points throughout the customer site. When the guard on patrol scans the code, the app logs the time, date, guard, and location in a report log for that client site. </p><p>"When Mobotour generates the report, we can see that whoever was onsite—regardless of whether we had a manager or supervisor there—has actually gone to these locations and made scans," Enlow explains. "They were there, and they were there at a specific time." </p><p>The app also has an incident reporting feature that allows the guard to attach media, such as a photo or video, from anything out of the ordinary or pertinent that they encounter. </p><p>"We patrol some truck storage yards where product is stored on trailers. When our guards come across a trailer that's unsealed or a door that's open, they'll attach a photo," Enlow notes. "It could be tree limbs or fallen trees, downed power lines, or it could be where they find doors or windows that are forced open." </p><p>When the clients receive the photograph or video via email, they can follow up with ASG directly. All the incidents are documented and included in the daily report. 
Enlow adds that the checkpoints can be moved around easily. "We can put it wherever we want it and have it running very quickly." </p><p>The client has the option of retaining the reports and the data transmitted through Mobotour indefinitely. </p><p>ASG trains the guards on Mobotour, but Enlow says the technology comes naturally to the force, given their understanding of smartphones. </p><p>"It's just a matter of letting them know, 'this is what you do with the phone, these are the points the customer wants scanned,'" he says. "It's a matter of point and shoot." </p><p>About 400 guards from ASG currently use the app. Enlow adds that the price was a major factor in choosing Mobotour. </p><p>"With my buying power, a smartphone probably costs me $40 to $50 a month. And then the cost of the Mobotour scan points and their service is so cost-effective," he says. "It's really the most cost-effective product I've put in the field yet." </p><p>Given the product's scalability, ASG may use Mobotour to manage its other services as well. "We're trying to explore ways that we can use that product in some of our other places, like janitorial," he notes.</p><p>Enlow adds that Mobotour has provided excellent customer service along the way, and the company's chief growth officer sat down with ASG to tailor the app to its specific needs. </p><p>"Their service is great," Enlow says. "You call them and they're on top of it within a matter of minutes, trying to get things done for you."</p><p>Recently, Enlow was on the phone with a potential client that runs a hospitality property. The property owner was concerned about ensuring that its facilities were secure, given the attacks on hotel and entertainment venues in recent years. Enlow was confident iterating that Mobotour provides the level of accountability the owner was looking for. </p><p>"Mobotour makes us look better to the client, and it is a major selling point," Enlow says. 
"We tell the client, 'We can document what our guards do in simple terms, we can make the documentation available to you, and you really don't have to jump through any hoops to do it.'"</p><p><em>For more information: Jon Mitchell, jon@mobotour.com, www.mobotour.com, 404.273.7631 ​</em></p>
https://sm.asisonline.org/Pages/The-Problem-with-Bots.aspx | The Problem with Bots | Cybersecurity
<p>It all started with a video game. Three college-age friends—Paras Jha, Josiah White, and Dalton Norman—wanted to gain an advantage in Minecraft, so they developed a powerful, and elaborate, method to do so.</p><p>Minecraft is a game where users create their own worlds and experiences by digging and building 3D blocks. One unique element of the game is that within the platform itself, players can link to individually hosted servers to play in a multiplayer mode.</p><p>Hosting a server and renting space to other players is a lucrative business; some individuals make $100,000 a month, according to an investigation by WIRED.</p><p>To tap into this market, Jha, White, and Norman created malware that scanned the Web for Internet of Things (IoT) devices that used default security settings for usernames and passwords. The malware then infiltrated the devices, which became part of a botnet army made up of 600,000 devices at its peak strength.</p><p>That botnet was dubbed Mirai, and it was used to launch a distributed denial of service (DDoS) attack against French hosting provider OVH in September 2016. It was so powerful that traditional DDoS mitigation techniques were ineffective against it.</p><p>Then, just after the OVH attack, Mirai hit security reporter Brian Krebs' website, Krebs on Security, kicking it offline for more than four days with an attack that peaked at 623 gigabytes per second, according to Krebs' account.<img src="/ASIS%20SM%20Callout%20Images/0418%20Cyber%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:305px;" /></p><p>Authorities and researchers began to investigate the Mirai botnet, and soon began asking why—in addition to its targets—it was hitting Minecraft servers. 
They later determined that OVH was hit because it provided a service that helped mitigate DDoS attacks against Minecraft, and they ultimately discovered the three friends behind the botnet.</p><p>They confessed to creating the botnet as part of a scheme to allow people to pay to use it to push players off specific Minecraft servers in hopes that they would then pay to use an alternative server. Jha, White, and Norman all pled guilty to a variety of charges in December 2017, after Mirai's source code was released on the Internet.</p><p>While Mirai was unique in its scope, it was just one of hundreds of botnets that are active today and impacting organizations' networks in real time. For instance, cyber firm Fortinet's Threat Landscape Report Q2 2017 detected 243 unique botnets that were active, with 993 daily communications per firm.</p><p>Fortinet found that approximately 45 percent of firms detected one type of botnet in their environment, while 25 percent saw two, and 10 percent saw three. Most of these botnets were detected in the telecommunications and carrier sector.</p><p>"Our data shows the majority of firms in our sample have one or two different botnets active in their environment at any given time," according to Fortinet's report. "Some, however, have 10 or more. And many of those frequently communicate with external hosts."</p><p>Because of this widescale activity, U.S. 
President Donald Trump included a section in his May 2017 cybersecurity executive order directing the secretaries of homeland security and commerce to assess actions that could be taken to "drastically reduce" the number of botnet attacks.</p><p>The secretaries were instructed to identify and promote action by stakeholders to improve the resilience of the Internet and communications ecosystem, and to "encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks," in other words, botnets, according to the executive order.</p><p>In January 2018, the secretaries completed the first step of that process by issuing a draft report for public comment, Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.</p><p>The secretaries solicited input for the report by hosting a workshop, publishing a request for comment, and initiating an inquiry through the president's National Security Telecommunications Advisory Committee (NSTAC). They also consulted with the U.S. Departments of Defense, Justice, and State, as well as the FBI, the Federal Communications Commission, the Federal Trade Commission, and others.</p><p>"Botnets threaten to undermine the Internet ecosystem, as well as the promise of next-generation technologies," said David Redl, assistant secretary for communications and information and the administrator for the National Telecommunications and Information Administration, in a statement. 
"This report clearly demonstrates the urgency of the problem, and this administration's commitment to taking on these threats and creating a more secure and sustainable Internet."</p><p>For instance, the report found that botnets are being used for a variety of malicious activities, including DDoS attacks, ransomware attacks, and propaganda campaigns carried out via social media.</p><p>These attacks, according to the NSTAC, threaten the "security and resilience" of U.S. communications ecosystems and the Internet, as well as its critical infrastructure. The NSTAC also assessed that IoT devices will be used by threat actors to launch global automated attacks.</p><p>"With new botnets that capitalize on the sheer number of IoT devices, DDoS attacks have grown in size to more than one terabit per second, outstripping expectations," according to the report. "As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved."</p><p>One prime example of the impact botnets have on the Internet is the Mirai botnet. In addition to its attacks on Minecraft servers, it was used to launch a massive DDoS attack on domain name service provider DYN, effectively shutting down the Internet on the East Coast of the United States for several hours.</p><p>"While the original Mirai variant was relatively simple, exploiting weak device passwords, more sophisticated botnets have followed; for example, the Reaper botnet uses known code vulnerabilities to exploit a long list of devices," the report explained. 
"The Mirai and Reaper botnets clearly demonstrate the risks posed by botnets of this size and scope, as well as the expected innovation and increased scale and complexity of future attacks."</p><p>The report identified six themes that pose opportunities and challenges to reducing the threat of automated, distributed attacks carried out by botnets, including that they are a global problem; effective tools exist to combat them, but are not widely used; products need to be secured at all stages of their lifecycle; education and awareness are needed; market incentives are misaligned; and botnet attacks are an ecosystemwide challenge.</p><p>"Botnets represent a systemwide threat that no single stakeholder, not even the federal government, can address alone," said Walter G. Copan, undersecretary of commerce for standards and technology, in a statement. "The report recommends a comprehensive way for the public and private sectors, as well as our international partners, to work together and strengthen our defenses."</p><p>These actions take the form of five goals in the secretaries' report: identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace; promote innovation in the infrastructure for dynamic adaptation to evolving threats; promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior; build coalitions between the security, infrastructure, and operational technology communities; and increase awareness and education across the ecosystem.</p><p>One of the main points in the report is the lack of security built into the increasing number of IoT devices on the marketplace. Many manufacturers continue to release unsecure devices because there are no requirements—or incentives—for them to release better products.</p><p>To combat this, the report recommends that the U.S. federal government adopt security standards for all devices it purchases. 
Doing so, the report argues, would push the marketplace to create more secure products without imposing new regulations or relying on a legislative solution.</p><p>"The federal government can use acquisition rules and procurement guidelines to amplify the market signal by requiring certain security features or properties," the report explains. "The private sector could establish an assessment and labeling mechanism for products that comply with the home profile. The private sector could also work with existing programs or establish new programs to evaluate products that comply with the industry profile."</p><p>While this is a move in the right direction, Michael Marriott—research analyst at Digital Shadows—says it is not enough to change the marketplace because so many IoT devices are developed outside of the United States. These products are then sold to an international market where they can be compromised to become part of a botnet.</p><p>"Making sure manufacturers are thinking about these types of considerations is important," Marriott says. "But there are devices developed outside the United States, so other approaches are needed as well."</p><p>John Dickson, CISSP, principal at Denim Group and a former U.S. Air Force officer who served in the Air Force Information Warfare Center, also expressed disappointment in the report, saying it was "completely devoid of specific policy ideas and recommendations."</p><p>For instance, Dickson says he would have liked to have seen more specific recommendations for the telecommunications and Internet service providers (ISPs) who have a major role in mitigating DDoS attacks carried out by botnets.</p><p>The report touches on the role that ISPs play, and it limits its recommendations to increased information sharing between ISPs and their partners to "achieve more timely and effective sharing of actionable threat information both domestically and globally."</p><p>This, Dickson says, is not enough. 
Instead, he would have preferred to see recommendations to block specific types of traffic or to monitor traffic to prevent botnet attacks.</p><p>"There is an incentive for telcos to do this—reducing spurious traffic on their networks," according to Dickson. "But they're likely to say there's a cost associated with doing that, which will be passed on to users."</p><p>Countries with more government control of ISPs have shown how this can work, Dickson says. For instance, countries like China and Saudi Arabia—which have greater government control of the Internet in general—have been more effective in preventing botnet attacks because they're able to block them from getting in.</p><p>"We don't have government control of our telcos anymore—it's much more Wild Wild West with more players and a bigger network," Dickson says of the U.S. system, making it more vulnerable to botnet attacks.</p><p>Security Management reached out to AT&T and Verizon for their reactions to the report, but neither of the companies responded. And as of press time, there were no public comments on the draft report.</p><p>The report was open for public comment until February 12, and its final recommendations are due to be submitted to President Trump by May 11.</p>
https://sm.asisonline.org/Pages/Seeing-Double.aspx | Seeing Double | National Security
<p>The U.S. Embassy in Afghanistan sent out an uncharacteristically specific security alert on a Thursday afternoon in January: Extremist groups were plotting attacks on hotels in Kabul where foreigners were known to congregate. Stay alert in locations frequented by Westerners, the alert advised, and carry a charged cell phone.</p><p>Two days later, six gunmen carried out a 15-hour attack at Kabul's Hotel Intercontinental, killing at least 22 people before they were overtaken by Afghan forces. About 160 guests were rescued from the attack, which was claimed by the Taliban.</p><p>The attack kicked off nine days of deadly ping-ponging between regional rivals ISIS and the Taliban. Two days after the hotel attack, members of ISIS stormed the compound of aid group Save the Children in Jalalabad, killing four workers.</p><p>Five days later, Taliban militants drove an ambulance packed with explosives near a hospital in Kabul and detonated it, killing more than 100. And just two days after that—on a day that was intended to be a day of mourning for the previous attacks—ISIS carried out an attack on a military base in Kabul that killed 11. 
</p><p>The spate of attacks, which resulted in the deaths of more than 130 people, raised questions about the motivations of both the Taliban and ISIS in the region, the effectiveness of Kabul's fortified perimeter, and the role of private security in preventing such attacks—if they can get a chance.</p><p>Although the targets seem disparate—foreigners at a hotel, international aid workers at a compound, locals out and about in the city center, and security forces at a military academy—three of the sites have something in common: they have been attacked by extremist forces before.<img src="/ASIS%20SM%20Callout%20Images/0418%20NS%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /> </p><p>While information about the methods and motivations of the attackers and the response by Afghan forces is slow to come to light, comparing the recent attacks with the ones from years past can reveal what has changed in Afghanistan—and what hasn't.</p><p>Hotel Intercontinental. Afghanistan's first international luxury hotel sits perched on top of a hill in western Kabul, projecting a fortresslike presence. The hotel was originally developed in the 1960s by InterContinental Hotels Group but has had no association with the chain since 1980, although it retains the name and logo. Scott Stewart, vice president of tactical analysis at Stratfor, notes that the use of the InterContinental brand might confuse tourists who think they will be getting a certain level of security. </p><p>In fact, the luxury hotel made the unusual move from using Afghan-provided security forces to private security just three weeks before the January attack. The timing of the exchange has raised questions about what role, if any, the new security team played in the attack.</p><p>Private security firms have been banned in Afghanistan since 2010 due to concerns about tribalism and a lack of oversight surrounding the personnel and weaponry brought into the country by private contractors. 
</p><p>Instead, the Afghan Ministry of Interior (MoI) provides police officers to guard checkpoints and businesses, although diplomatic facilities with existing private security can keep their contracts. </p><p>Mike O'Rourke, owner and CEO of consulting company Advanced Operational Concepts, says that before the rules were changed, many security contractors went unchecked and were run like warlord militias. "It was a big concern that they were more of a threat than a help," O'Rourke adds. </p><p>However, the MoI security personnel have come under scrutiny as well. Last summer, Afghan president Ashraf Ghani called the MoI "the heart of corruption in the security sector" and promised reform. </p><p>O'Rourke agrees that corruption is an issue, citing a high-level client conducting business in Afghanistan who wanted his own private security detail. The individual's solution was to bribe the MoI to name his security personnel as police officers. </p><p>"He had his trusted members as his personal security, but under the authority of the Afghan government," O'Rourke notes.</p><p>Afghan officials are still unsure why and how the transfer of the Intercontinental's security operations from the MoI to a private contractor occurred. </p><p>Preliminary reports found that the hotel's security personnel were largely unresponsive to the attack that occurred after militants bypassed two security checkpoints. Additionally, some of the attackers may have been able to access hotel guests via the kitchen, raising concerns about help from insiders.</p><p>The January attack appears to have been carried out by the Haqqani network—a Pakistan-based group aligned with the Taliban—and may have targeted foreigners. At least 14 of the 22 people killed were foreigners.</p><p>"One of the things that was very interesting in this attack is the limited death toll—these guys were specifically trying to avoid Afghan casualties," Stewart says. 
"There have been anecdotal accounts of them sparing several peoples' lives when they said they were Afghan."</p><p>Indeed, a Taliban spokesperson said that the attack had initially been planned for earlier in the week, but the hotel was hosting a wedding party and the attackers wanted to avoid civilian casualties.</p><p>Stewart came to a similar conclusion about the June 2011 attack on Hotel Intercontinental, in which several Taliban militants in suicide vests raided the compound, killing 12 people in an eight-hour period before they were killed. </p><p>In an article he wrote for Stratfor in 2011, Stewart pointed out that such attacks by the Taliban may have a relatively low death toll but strive to make sure the threat they pose is not forgotten. The 2011 attack was carried out while officials met in the hotel to discuss the transfer of security from international forces to Afghans—an event that the Taliban disapproved of.</p><p>Seven years later, Stewart says the core motives behind the attacks on the hotel haven't changed—they were intended to send a message. </p><p>"They really are trying to make a specific point and target a specific target," he says. "That also helps set themselves apart from ISIS in Afghanistan, which has a tendency to conduct more indiscriminate attacks. It's this counterinsurgency idea of winning hearts and minds—the Haqqanis and Taliban are playing the same card, trying to win hearts and minds and not using the same kind of over-the-top brutality that ISIS tends to use."</p><p>City center. The devastating blast occurred during rush hour in what is supposed to be one of the safest parts of the city. In an area with hospitals, schools, and local government and diplomatic buildings, police presence is heavy to provide heightened security. 
</p><p>The ambulance driven by the attackers was able to bypass the first checkpoint after claiming they were carrying a patient, but once they were stopped by officials at the second checkpoint, they detonated the bombs stored in the vehicle.</p><p>The Taliban claimed responsibility for the attack, although the U.S. government believes the Haqqani were the masterminds, according to officials. </p><p>"I think we need to understand that the Haqqanis just have very good tradecraft and connections—they have repeatedly shown the capability of getting small groups of terrorists into Kabul, and weapons for them," Stewart notes. "Despite the security that's in place, the Haqqanis have a long history of planning and executing these kinds of attacks, and that doesn't seem to be ending at all. They're very resourceful, adaptive attackers."</p><p>A Taliban spokesman said the aim of the attack was in response to U.S. President Donald Trump's recently announced plans to step up American involvement in the region. The Taliban also targeted police officers. But experts note that, given the location of the scheme, significant civilian casualties were bound to occur.</p><p>In fact, this attack was the deadliest to take place in Kabul since last year's bombing in the same area. That May 2017 attack killed more than 150 people less than a mile away from where the recent attack took place. Attackers detonated a bomb that was smuggled into the fortified area in a tanker truck used to clean out septic systems. No group has claimed the attack, but—once again—Haqqani forces are suspected. 
</p><p>Protests against the government occurred in the days following the 2017 attack, and O'Rourke says the more recent bombing may have had the same underlying intent—to sow discord between the Afghan government and citizens.</p><p>"The fact that these attacks are taking place in Kabul, and taking so many lives, shakes public confidence in the ability of President Ghani's government to keep Afghans safe in their nation's capital," O'Rourke says. "To me, making the government look ineffective is the strategic goal of these attacks. A colleague of mine is in Kabul now and the Afghans he talks to primarily blame their government, but they also believe the U.S.-led coalition could be doing more to improve security."</p><p>Military academy. ISIS carried out an early-morning attack against Afghan soldiers guarding a military academy. The attackers were armed with suicide vests, rocket-propelled grenades, and automatic weapons. It took five hours to subdue the five militants at the outer gates of the academy, and 11 Afghan soldiers were killed in the process. </p><p>Local officials say that the attack was not targeting the academy itself but the security forces at the perimeters. </p><p>The military base sustained another attack just last October, when a lone suicide bomber targeted a bus full of Afghan army cadets leaving the academy. Fifteen cadets were killed, and the Taliban claimed that attack. Like the recent ambush, the attack was carried out along the outer perimeter of the base, targeting a smaller group of soldiers instead of the hundreds within the facility. </p><p>The October attack was also a one-two punch by ISIS and the Taliban—less than 24 hours before the Taliban targeted the military academy, ISIS attacked a Shia Muslim mosque, killing more than 50 people. </p><p>Looking ahead. The fact that the same groups are carrying out the same attacks on the same places is not lost on Afghan citizens. 
Protests similar to those following the diplomatic quarter bombing last year sprang up after the recent nine days of carnage, with calls for a more secure city and a different approach to combating extremism.</p><p>And while the attack on the Intercontinental has raised questions about the role of private security in Kabul, O'Rourke says he believes that it shows the need for more regulation is overdue.</p><p>"I don't know if it's going to tighten the reins or there will be more of a call for a private security industry where people can get their own vetted people licensed," O'Rourke says. "Not knowing the particulars at the Intercontinental, I don't know where they came from or who vetted them, nor do we know if it was a failure of private security or they were complicit in the attack."</p><p>It will take pressure from foreign governments and businesses to influence a change in the rules surrounding the use of private security forces, O'Rourke notes. Until then, locals and travelers alike will have to be extremely careful.</p><p>"If foreigners are going to go to Afghanistan and do business there and stay in places like the Intercontinental, and they can't rely on vetted security forces, they have to know they're accepting a great deal of risk," O'Rourke says.</p><p>Stewart agrees, suggesting practical travel security tips like staying in a lower floor on a hotel for ease of escape and packing items such as door wedges and smoke hoods in case of an emergency.</p><p>"People need to make sure they do good due diligence on those hotels before they book them in those kinds of conflict zones to make sure they have adequate security," Stewart says. "Additionally, they just really need to be prepared to take action. Be prepared to go into active shooter mode—the avoid, deny, defend approach. 
At the Intercontinental, it sounds like many people were able to flee or deny the attackers access to their location and survive despite the hours these guys were in this hotel."</p><p>Meanwhile, both the Taliban and ISIS continue to gain footholds in Afghanistan. One of the captured militants from the military academy attack led officials to an ISIS hideout in Kabul, filled with bombs, equipment, and plans to carry out three more attacks. And extensive research by the BBC reveals that the Taliban is active in 70 percent of the country, contradicting Afghan officials' declarations that it only has a presence in rural areas.</p><p>"Additional successful attacks will further erode popular confidence in the current government," O'Rourke says. "This loss of trust might be seen at the polls if Afghanistan manages to hold the parliamentary elections scheduled for this summer."</p>
https://sm.asisonline.org/Pages/The-Land-of-Plunder.aspx | The Land of Plunder? | National Security
<p>For some, the idea of a corrupt state brings to mind a distant kleptocracy, rife with graft and embezzlement and absent any accountability, in which an elite few use their positions and connections to loot the public till.</p><p>But now, more and more Americans are seeing increased corruption closer to home, according to recent studies and expert opinion.</p><p>Nearly six in 10 Americans (58 percent) say that the level of corruption in the United States has increased in the past 12 months. In contrast, only about a third of Americans (34 percent) said the same back in January 2016, according to the U.S. Corruption Barometer 2017, a recent study conducted by Transparency International (TI). TI is a global organization aimed at fighting corruption; it has chapters in more than 100 countries.</p><p>In general, the TI report finds that the United States faces "a wide range of domestic challenges related to the abuse of entrusted power for private gain," which is TI's definition of corruption.</p><p>Trust in the U.S. federal government is low; the study found that 44 percent of Americans believe that "most" or "all" officials in the White House, including the president, are corrupt—up from 36 percent in 2016.</p><p>"That's a significant increase. We don't usually see the White House reaching these kinds of figures," explains Zoë Reiter, an interim representative to the United States and senior project leader with TI.<img src="/ASIS%20SM%20Callout%20Images/0418%20NT%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /> </p><p>The survey reflects a good "horizontal sample" of the U.S. population, and so the finding that almost half believe that corruption is pervasive among White House officials is "cause for concern," she says. 
"What it's telling you is there's a real loss of trust in our public institutions," she adds.</p><p>And the feds are not the only ones suffering from perceptions of corruption. Another report on U.S. corruption, issued in December by the Business Anti-Corruption Portal, found that 25 percent of Americans believe that their local government officials are corrupt. </p><p>The Anti-Corruption Portal, endorsed and sponsored by the European Commission, is an online resource for anti-corruption compliance. The portal is maintained by GAN Integrity Solutions, a professional services firm that specializes in compliance solutions.</p><p>GAN CEO Thomas Sehested says the increase in the perception of corruption is not surprising, given the current political climate and the frequent media stories about the inquiries into the Trump administration. </p><p>"The ongoing investigations into conflicts of interest and collusion of President Trump and his associates are having an impact on public sentiment," Sehested explains. "All of the news at the federal level is certainly trickling down to local governments, whether fairly or unfairly."</p><p>However, Sehested, who is also familiar with the TI report, says he was surprised by the sheer speed of the change. </p><p>"The most surprising was the increase in public sentiment around overall government corruption," he explains. "It was to be expected with all the headlines, but it has taken hold faster than initially thought."</p><p>The TI study also measured perceived corruption levels in specific U.S. institutions, and these varied. On the most corrupt end is the U.S. federal government; 38 percent of Americans say that most or all members of Congress are corrupt, and 44 percent (as mentioned above) say the same about White House officials. On the other end are judges and magistrates; only 16 percent of respondents say that most or all are corrupt. </p><p>Police are also near the low corruption end, but this finding differs with race. 
Overall, 20 percent of respondents believe that most or all U.S. police are corrupt, but almost one-third of African-Americans surveyed perceive the police as highly corrupt.</p><p>In terms of the specific types of corruption, respondents in the TI study say that their key issues of concern include the influence of wealthy individuals over the government; pay-to-play politics and the revolving door between elected officials and industry lobbyists; and the abuse of the U.S. financial system by both local elites and foreign officials on the take. </p><p>Such issues can create a vicious cycle. "Corruption and inequality can create fertile ground for populist leaders, but populist politics do little to actually stop corruption," the report says. "The findings of the U.S. Corruption Barometer 2017 reinforce this message."</p><p>In an interview, Reiter offers clarification; she says that the problem is not so much populism per se as leaders who make political promises that play on voters' fears and economic vulnerability, then leave them unfulfilled once they reach office. </p><p>Respondents also take a bleak view when it comes to government efforts—or lack thereof—in fighting corruption: nearly 7 out of 10 respondents (up from about half in 2016) say they believe the government is failing to fight corruption, the study found. </p><p>And when asked why they might not report corruption themselves, 55 percent of respondents (up from 31 percent in 2016) say fear of retaliation is the main reason. Still, 74 percent say they believe ordinary people can make a difference in opposing corruption.</p><p>On that front, TI makes five recommendations that government leaders can work toward to fight corruption. First, make all political spending truly transparent, so that the public can read about contributions online in real time. 
</p><p>Second, block the government-industry revolving door so that high-level government officials cannot easily become corporate lobbyists and draw on their connections. </p><p>Third, prevent the use of anonymous shell companies, which can be vehicles for illicit activity. Fourth, reinforce the independence and oversight capabilities of the U.S. Office of Government Ethics, and implement and improve regulations protecting whistleblowers who expose corruption by the government and its contractors. Fifth, give citizens more access to information about government operations, to empower the public to fight corruption.</p><p>As for private sector firms, Sehested recommends a practice that some CSOs and security departments are already involved in—implementing a properly designed corporate compliance program that includes well-defined training and policies, along with a due diligence program that allows the organization to continuously monitor all third parties.</p><p>Also, companies should encourage, and protect, whistleblowers. </p><p>"Making it easy for employees to report on any corruption that they are witness to, without risk of retaliation, is critical," Sehested says. </p><p>Moreover, it is important that all of these programs are documented and readily reported on in a single location. </p><p>"Self-reporting can save an organization significant amounts of money on potential fines," he explains, "and ongoing reporting allows the compliance team to take proactive actions against corruption, as opposed to waiting for something bad to happen." ​</p>
https://sm.asisonline.org/Pages/The-Price-of-Destruction.aspxThe Price of DestructionGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>"In 2017, the U.S. experienced a rare combination of high disaster frequency, disaster cost, and diversity of weather and climate extreme events," the U.S. National Oceanic and Atmospheric Administration (NOAA) says in a recent report. "Billion-dollar disasters occurred in six of the seven disaster event categories we analyze."</p><p>The final tally of destruction, calculated by NOAA's National Centers for Environmental Information, is a record breaker. Disasters caused $306 billion in total damage in 2017, making it the costliest U.S. disaster year since the agency started keeping track in 1980. The previous record was $215 billion (adjusted for inflation) in 2005, the year of Hurricanes Katrina, Rita, Dennis, and Wilma.</p><p>What made 2017 so costly? The bulk of the damage, $265 billion, came from Hurricanes Harvey, Irma, and Maria, which wreaked havoc on areas in the southern United States, the Caribbean, and Puerto Rico. The costliest was Harvey, which incurred $125 billion in damage, second only to Katrina's $160 billion in damage.</p><p>Billion-dollar disasters are nothing new; since 1980, the United States has suffered 215 disasters costing $1 billion or more, for a total of more than $1.2 trillion in damage, according to NOAA. But one of the features that distinguished 2017 was the quantity of billion-dollar disasters—16, which tied 2011 for the highest number of events.</p><p>These 16 disasters varied in nature. They began with a tornado and storms in the southern states, California flooding, and a damaging freeze in the Southeast. That spring brought a drought to the Dakotas and Montana. Hailstorms and severe weather came to Colorado in May and Minnesota in June. Western wildfires occurred in the summer and fall.
The big trio of hurricanes hit in August and September.</p><p>Although hurricanes were the costliest disasters, wildfires were also exceptionally damaging. The fires burned more than 9.8 million acres, with cumulative costs approaching $18 billion. This was triple the previous wildfire cost record of $6 billion in 1991, according to NOAA.</p><p>Finally, one reason behind the damage increases is that there are more homes and businesses in harm's way.</p><p>"The increase in population and material wealth over the last several decades are an important factor for the increased damage potential," the report says. "…Many population centers and infrastructure exist in vulnerable areas like coasts and river floodplains, while building codes are often insufficient in reducing damage from extreme events."</p>
https://sm.asisonline.org/Pages/Four-Trends-That-Will-Shape-Recruiting-in-2018.aspxFour Trends That Will Shape Recruiting in 2018GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p><em>​</em><em>Security Management </em>has partnered with the Society for Human Resource Management (SHRM) to bring you relevant articles on key management topics and strategies​. This article by Roy Maurer discusses ​what diversity and inclusion means in building a workforce.</p><p>--</p><p>This year, more employers ​hope to make progress in building inclusive workplaces through diversity recruiting efforts and will continue to experiment with new interviewing and selection techniques, according to experts.<br></p><p>Over 9,000 recruiters and hiring managers across the globe identified these trends, among others, as being the most impactful when surveyed by LinkedIn for the professional networking site's <a href="https://news.linkedin.com/2018/1/global-recruiting-trends-2018" target="_blank">Global Recruiting Trends 2018</a> report.</p><p>LinkedIn found more than half of companies already embrace recruiting for diversity, while novel interviewing and selection techniques have generated interest but not enough to knock the traditional, one-on-one interview off its pedestal.​</p><h4>It's Not Diversity Without Inclusion</h4><p>Building a diverse team will be more than a nice-to-have, becoming a required leadership skillset, said Ashley Goldsmith, chief people officer for Workday, a finance and HR software company based in Pleasanton, Calif. 
"This new requirement will also be measurable with performance metrics tied to the makeup of teams," she said.</p><p>Some fundamental ways that recruiters can improve diversity in their organizations include conducting outreach in local communities; wording job postings to target diverse groups; showcasing diversity in recruitment marketing and interview panels; training interviewers about unconscious bias; and involving employee resource groups in the sourcing, recruiting and hiring process.</p><p>"Pretty much universally, this topic seems to be critical for most organizations, especially around gender balance," said Brendan Browne, LinkedIn's vice president of talent acquisition. He added that understanding how to source from diverse talent pools, trying to prevent bias in the assessment and hiring process, and evaluating workplace culture for inclusion are major steps employers can take to increase diversity.</p><p>More practitioners are realizing that hiring for diversity is not enough. Employers risk employee disengagement and attrition if diverse hires don't feel included and accepted.</p><p>"It doesn't matter that you hired more women or more of whatever it is you needed to look like a United Colors of Benetton ad," said Tim Sackett, SHRM-SCP, a recruiting industry thought leader and the president of HRU Technical Resources, an IT and engineering staffing firm in Lansing, Mich. "If those you hired don't feel like a part of the organization, you'll never keep them anyway."</p><p>This level of diversity is really hard, Sackett added. Practicing inclusion takes an entire overhaul of a company's culture and ongoing maintenance. "It's actually easy to check boxes and get to a point where you'll look politically correct as it relates to the diversity of your employees. 
It's super hard to get to a point where people feel like they truly belong."</p><p><a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/build-inclusive-culture-recruiting-diversity.aspx" target="_blank">HR needs to take a hard look at the organizational culture</a> to make sure that differing opinions are respected and people are encouraged to be themselves.</p><h4>Modifying Interviewing, Selection</h4><p>Traditional interviewing is costly and takes too long, and typical selection criteria don't result in effective candidate evaluations anyway, according to experts.</p><p>"It's kind of a disaster when you spend 20 hours of company time interviewing someone," Browne said. "Do candidates really need to meet with 10 or 12 people? If you've ever been on an interview and had to come back three or four or five times and meet more and more and more people, it's exhausting."</p><p>Instead, forward-looking companies are exploring <a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/predictive-assessments-insight-candidates-potential.aspx">skills assessments</a>, <a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/talent-auditions-interviewing-practices.aspx">job tryouts</a> and <a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/ditch-resumes-hire-for-learning-ability.aspx">hiring for potential instead of experience</a>. LinkedIn found that a majority of employers are interested in using:</p><p></p><ul><li><p>Online soft skills assessments that measure traits like teamwork and curiosity.<br></p></li><li><p>Job auditions, where candidates are paid to do real work while supervisors observe them. 
<br></p></li><li><p><a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/team-interviewing-best-practices.aspx" target="_blank">Informal team interviews with potential co-workers</a>, where both sides have a chance to talk about the role and gauge whether there is a fit.<br></p></li></ul><p>Selection criteria are also undergoing a refresh. More employers struggling to find perfect candidates will adopt the mantra of hiring for attitude and training for technical skills, experts believe. "Not being 100-percent qualified is no longer a deal-breaker," said Matt Ferguson, CEO of talent acquisition solutions company CareerBuilder. He referenced a recent CareerBuilder survey that showed 66 percent of organizations plan to train new workers who may not have all the required skills but show potential to excel.</p><p>"While hard skills reign in sectors like technology and health care, less-teachable soft skills will continue to be critically important—even in a more technology-driven work environment," said Alan Stukalsky, chief digital officer for Randstad North America, the U.S. division of the global staffing and HR services provider. "Employers will increasingly focus on training new hires, especially when they find the culture fit they are looking for or superb soft skills."</p><p>That's exactly what Maren Hogan, CEO of Red Branch Media, an Omaha, Neb.-based B2B marketing firm for HR technology, does. "When I hire people, I'm not hiring a job description," she said. "When I'm looking to add another employee to my team, I'm looking at their attitude, how they approach communication with me, what it is that moves them and how they work best. Do they value learning and skill development?"</p><p>In addition to prehire assessments and informal group evaluations, Hogan recommended mapping out the type of personality you want in the role.
"Considering what traits will provide value to your organization will give you a candidate persona that can lead everything—from where you advertise the job to the language used in the ad itself."</p><p><em>© 2018, SHRM. This article is reprinted from <a href="https://shrm.org/" target="_blank">https://shrm.org</a> with permission from SHRM. All rights reserved.</em><br></p>
https://sm.asisonline.org/Pages/Shooting-at-Maryland-High-School-Leaves-One-Dead;-SRO-Ends-Threat.aspxShooting at Maryland High School Leaves One Dead; SRO Ends ThreatGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>A shooting at a <a href="https://www.cnn.com/2018/03/20/us/great-mills-high-school-shooting/index.html" target="_blank">Maryland high school has left one person dead</a> and two injured, all before a school resource officer engaged the gunman and ended the threat.</p><p>St. Mary’s County Sheriff Tim Cameron told CNN a male student is in stable condition and a female student in critical condition after the incident. The shooter was later pronounced dead.</p><p>“The school resource officer fired a round at the shooter, and the shooter fired a round as well, but the officer was not injured,” CNN reports.</p><p>In an email to <em>Security Management</em> magazine, Mo Canady, executive director of the National Association of School Resource Officers, says the organization is "very pleased with the actions of the SRO."<br></p><p>The gunman has been identified as Austin Wyatt Rollins, 17; the sheriff's office says it is unclear whether he died of a self-inflicted gunshot wound or from the SRO's bullet. The investigation is ongoing.</p><p>Original reports said that three people had been injured in the shooting at Great Mills High School; the campus was on lockdown for a brief time and students were evacuated to a nearby school that served as a reunification center.<br></p><p>The FBI’s Baltimore field office posted on Twitter that its agents are on the scene of the incident, as well as agents from the U.S. Federal Bureau of Alcohol, Tobacco, and Firearms.
The FBI is requesting anyone with information related to the shooting contact its office.<br></p><p>As CNN reports, this shooting is the 17th at a school in the United States this year. The school had drilled for this type of situation a couple times in the past, according to a student who called the media outlet from inside the school during the lockdown.</p>
https://sm.asisonline.org/Pages/Starting-from-the-End---Creating-a-Master-Security-Plan.aspxStarting from the End: Creating a Master Security PlanGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​My grandfather once told me, "If you build a levee six feet high but the water rises to seven, you've wasted 100 percent of your investment. But if you build that levee to eight feet, and the water rises to seven, no one will care about the over-investment."</p><p>A good master security plan helps you spec and budget for that seven-foot flood with an eight-foot levee. And ultimately, a good plan leads to a good security system.  </p><p><em>That's what one of our clients, a large private university in the Puget Sound region of Washington State, discovered when we went through the planning process for its access control and video surveillance system. In developing the master security plan, we realized that just expanding the existing systems would not meet the school's future needs, and updating the systems as an interim step would ultimately be more expensive than putting in new systems.</em><em>  </em></p><p>So how should a security manager develop an effective plan? Here are my suggestions for best practices in creating a master security plan, based on 30 years' experience in the facility vulnerability sector.</p><p><strong>Start at the End</strong></p><p>Where do you want to be in five, 10, or 15 years? Once that is established, work backwards from there. If you have a vision for your security plan, you can build in enough flexibility to get there without having to rip and replace every few years, and you can identify long-term cost savings and operational efficiencies along the way. </p><p>For example, what if, someday, your access control system could interact with the IT system to enhance network logins? 
Or if the video surveillance system could automatically release the car gate when the correct license plate is read?</p><p><em>Looking at the ultimate goals of our university client, we discovered that what managers really wanted was an integrated video and access control system, with higher-resolution security cameras. While that decision meant delaying implementation of some access points and cameras, choosing flexibility was a better long-term decision to meet the organization's security goals.</em></p><p><strong>Keep Going Broader</strong></p><p>Once you have your video surveillance and access control needs handled, look for additional opportunities and vulnerabilities. For example, look at how you can leverage existing video data for business goals, such as reducing inventory waste or improving worker productivity. Look for ways to integrate systems to reduce security headcount. Integrate physical security with cybersecurity systems to reduce human-created security vulnerabilities. Think big so you can do more than protect; you also help your business thrive.</p><p><em>In our example, the college wanted to ultimately create a single card that would act as a student ID, a food service card, a library card, and an access control card. While this integration would save money down the line, we needed to bring several different departments together to make sure that their interests would align. We ended up selecting a slightly more expensive card than it had been using—but the selected card had a proximity chip, a chip for financial information, and a bar code for library information. Everyone got what they wanted, and the cost was lower than purchasing four separate cards.</em></p><p><strong>Ask the Hard Questions</strong></p><p>These are the questions that are hard to consider because the answers may be embarrassing, or they require negotiations between groups, or they require more resources. Some examples follow.
</p><ul><li>Are there hidden security flaws in our facility? How do we find them?</li><li>What are the known issues and what capacity for the unknowns should we build in?</li><li>What have we learned from past crises?</li><li>Where do we think emerging threats will come from?</li><li>How do we navigate between competing agendas?</li></ul><p><em>College administrators had to consider choices such as spending on beautiful landscaping versus creating a safe environment. Other hard questions arose. For example, one department wanted a single-use card, but others preferred a multi-use card.</em></p><p><strong>Focus on the Future</strong></p><p>Make sure your plan will help you grow. That means searching for products that can be integrated, that are scalable, and that can segment data and reports. It may also mean installing a larger conduit than you currently need or choosing the vendor that has a scalable architecture. And it requires investing more today to save on ongoing maintenance and configuration costs tomorrow.</p><p><em>In the college's case, its existing video surveillance system was entirely centralized and was not capable of communicating with the access control system. It couldn't record high enough quality images to meet the ultimate surveillance goals. The access control system also had issues. It was at the end of its lifecycle and would not be supported within a few years, and its software was antiquated and incapable of integration with other systems.</em></p><p><em>For the college, the least expensive decision today would have meant a lot more investment in the future. Thus, we oversized the new server to handle additional video surveillance needs in the future. In addition, as the college added new buildings, we made sure they were integrating a higher wire volume than current needs, as well as building in access control during construction.
This last element can reduce access control costs dramatically.</em></p><p>When you apply these best practices in developing master security plans, you make better decisions.  </p><p><em>Erick Slabaugh has more than 30 years of experience in the specialty contracting industry and is a serial entrepreneur.  He is CEO and majority stockholder of Absco Solutions and founder and CEO of FCP Insight, a SaaS business solution for specialty contractors.</em>​</p>
https://sm.asisonline.org/Pages/ESTRATEGIAS-DE-CONTENCIÓN.aspxCONTAINMENT STRATEGIESGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p style="text-align:justify;">More than 200 laboratories in the United States conduct research on dangerous pathogens, such as the anthrax bacterium and the Ebola virus. These are called high-containment laboratories. Security lapses occasionally occur in them.</p><p style="text-align:justify;">For example, in May 2015, the U.S. Department of Defense (DoD) discovered that one of its laboratories had inadvertently sent live anthrax bacteria to nearly 200 other laboratories around the world over the course of 12 years.</p><p style="text-align:justify;">Then, in late 2016, the Department of Homeland Security (DHS) discovered that a private laboratory had unintentionally sent a potentially lethal form of ricin to one of its training centers on multiple occasions since 2011. (For more background from Security Management on laboratory security breaches, see "Lax Lab Safety," November 2014.)</p><p style="text-align:justify;">Given these lapses, the Government Accountability Office (GAO) recently examined the oversight of those laboratories.
Under the current system, high-containment laboratories are regulated by the Federal Select Agent Program, which was established to regulate the use and transfer of select agents in response to the security concerns that followed the bioterrorist attacks of the 1990s and early 2000s.</p><p style="text-align:justify;">Two agencies share oversight responsibilities for this program: the Division of Select Agents and Toxins of the Centers for Disease Control and Prevention (CDC) and Agriculture Select Agent Services within the Animal and Plant Health Inspection Service (APHIS).</p><p style="text-align:justify;">To measure this oversight, the GAO formulated five key elements for effective oversight of programs in which low-probability adverse events (such as a toxic spill) could have far-reaching effects.</p><p style="text-align:justify;"><strong>Independence.</strong> The organization conducting oversight should be structurally distinct and separate from the entities it oversees.</p><p style="text-align:justify;"><strong>Ability to perform reviews.</strong> The organization should have the access and working knowledge necessary to audit compliance with requirements.
</p><p style="text-align:justify;"><strong>Technical expertise.</strong> The organization should have sufficient staff with the expertise needed to perform sound safety and security assessments.</p><p style="text-align:justify;"><strong>Transparency.</strong> The organization should provide access to key information, as applicable, to those most affected by operations.</p><p style="text-align:justify;"><strong>Enforcement authority.</strong> The organization should have clear and sufficient authority to require entities to achieve compliance with requirements.</p><p style="text-align:justify;">The GAO report focused on two questions. Does the Select Agent Program have effective oversight, and do its strategic planning documents guide its oversight efforts? What approaches to promoting effective oversight have other selected countries and regulatory sectors (such as the United Kingdom or Canada) used?</p><p style="text-align:justify;">First, the GAO stated that oversight of the Select Agent Program is at times inadequate. The program is not always structurally distinct and separate from the laboratories it oversees, so it does not meet the key element of independence.</p><p style="text-align:justify;">The program also fell short in the area of performing reviews, the GAO showed. There were no assurances that the program's reviews were targeting the highest-risk activities, because the program had not assessed which activities posed the greatest risk.
In addition, the program does not have shared strategic planning documents, such as a joint work plan to guide its collective oversight efforts.</p><p style="text-align:justify;">Second, the report determined that the program could learn from other countries when it comes to oversight.</p><p style="text-align:justify;">For example, the United Kingdom's Health and Safety Executive, which oversees laboratories that work with pathogens, is an independent government agency, separate from all the laboratories it oversees.</p><p style="text-align:justify;">And when it comes to reviews, regulators in both the United Kingdom and Canada use a risk-based approach, assessing laboratories and then targeting those that conduct high-risk activities or have a documented history of performance problems.</p><p>In response to the report, the Departments of Agriculture and Health and Human Services will outline the actions they are going to take to improve their oversight.</p><p><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Management<em> is not responsible for errors in translation. Readers can refer to the </em><a href="/Pages/Containment-Strategies.aspx" target="_blank"><em>original English version here.</em></a><br></p>
https://sm.asisonline.org/Pages/Missed-Deadline.aspxMissed DeadlineGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>It's always tempting to put off till tomorrow what could be done today—especially if there are several years between now and the time that a goal needs to be accomplished.</p><p>​Such is the case with the upcoming European Union General Data Protection Regulation (GDPR) compliance deadline on May 25, 2018, when regulators will begin to issue fines to companies not abiding by the regulation's vast new privacy and security requirements.</p><p>"It is like a truck fast approaching us," says Ann LaFrance, partner and coleader of Squire Patton Boggs' Data Privacy and Cybersecurity practice. "We're getting an avalanche now of interest and requests for proposals, and clients are really now starting to focus on this. Why they waited till the last six months? Who knows. But at least they are now seriously starting to focus."</p><p>The GDPR was first drafted in 2012 as part of the EU's push for a Digital Single Market. The regulation lays out the rights EU citizens have in regard to their personal data and how data controllers and processors respect those rights. The regulation guarantees EU citizens the right to be forgotten, easier access to personal data, data portability, data breach requirements, data protection by design and default, and stronger enforcement of those requirements.</p><p>The EU Parliament approved the regulation in April 2016, and Jan Philipp Albrecht—who steered the legislation through—called it a victory for consumers and businesses alike.<img src="/ASIS%20SM%20Callout%20Images/0318%20Cyber%20Fact%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:277px;" /></p><p>"The General Data Protection Regulation makes a high-uniform level of data protection throughout the EU a reality," he said in a statement. 
"Citizens will be able to decide for themselves which personal information they want to share. The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty, and fairer competition."</p><p>Organizations that conduct business in Europe were given a little more than two years to become compliant with the new regulation, before fines of up to 4 percent of global turnover kick in. During that window, the Article 29 Working Party—as well as other advisory bodies—have issued guidance about how to implement GDPR. On May 25, the working party will be succeeded by the European Data Protection Board (EDPB) to ensure that GDPR is consistently applied throughout the EU.</p><p>"To achieve this, the EDPB will be empowered to issue opinions or authorizations regarding a variety of matters, such as Binding Corporate Rules, certification criteria, and codes of conduct used by companies; to adopt binding decisions, especially to ensure consistency between supervisory authorities; and to issue opinions and guidance on relevant issues concerning the interpretation and application of the GDPR," according to a fact sheet.</p><p>And while organizations have had two years to come into compliance, LaFrance says she is doubtful that most companies will be fully compliant by the deadline. </p><p>One reason is that many businesses may wrongly assume that the GDPR does not apply to them because they're not based in Europe. Others, LaFrance says, do not understand the scope of GDPR and are struggling to become compliant.</p><p>"The problem is there's cognitive dissonance about what GDPR is all about," she explains. 
Non-EU based companies "think that it's mainly about IT security, IT systems, and security around them, and in fact that's only one piece of the overall pie."</p><p>Instead, GDPR cuts to the heart of what those systems do—store and transfer data—and requires organizations to integrate privacy and security into their overall business processes. For instance, GDPR requires organizations to map their data and how it's collected.</p><p>"This is a very expensive exercise these companies are going to have to go through, and they don't really understand before they get started the breadth of the task ahead of them," LaFrance says. "So, when they hire you and you start telling them this, there's an 'OMG' moment."</p><p>Because of these factors, LaFrance says some small businesses with less data might be compliant by the deadline, but most organizations will not be. Companies will also have to reassess their third-party vendors to ensure agreements with them are GDPR compliant, which can be a time-consuming process.</p><p>"The normal company will have 20 or 30 outsourcing agreements," LaFrance says. "And you've got to go through and renegotiate all of those agreements so that they are GDPR compliant. It's a huge task. And it could be very expensive because the counter party might say, 'Yeah, we'll sign up for that but it's going to cost you more.'"</p><p>And in fact, companies are expecting to spend billions on GDPR compliance over the next year, according to the International Association of Privacy Professionals (IAPP) Annual Privacy Governance Report. </p><p>The report—sponsored by Ernst & Young—surveys roughly 600 privacy professionals about their size of staff, priorities, and expenditures for the year. 
In the 2017 survey, IAPP Content Director Sam Pfeifle says respondents indicated that the global 500 will spend $7.8 billion on GDPR compliance out of a combined annual revenue of $26 trillion.</p><p>"It's not a huge number—we're not trying to say this is equivalent to Sarbanes Oxley," Pfeifle says, but he adds that it is a massive increase from 2001 when IAPP was created and organizations were only spending millions on privacy. </p><p>"It wasn't a thing unless you were in the healthcare space or in financial services," he adds. And typically, these organizations had a small department that was compliance focused and working with development teams at the later stages of development.</p><p>"It was really just people bringing you something at the end of the product development lifecycle and asking: 'Is this legal?'" he says. "You'd say, 'Yeah, it's legal.' You'd check the box and off you'd go."</p><p>GDPR, on the other hand, requires that privacy and security be built into all business processes. To do this, companies are spending in a variety of ways, including adjusting the products and services they deliver.</p><p>For instance, Pfeifle gives the example of checking into a hotel and signing up for complimentary Wi-Fi. In the past, when guests would go through that process they would fill out a form that had a prechecked box indicating they wanted to receive promotional emails from the hotel. They would have to opt-out not to receive those emails.</p><p>"In the GDPR, you have privacy by default," Pfeifle says. "Which means that you cannot precheck those boxes. 
So, someone is going to have to go and recode that page to make it so that box is not prechecked."</p><p>For smaller companies, that could be a low spend, but for large corporations that are consumer facing—like Amazon—that could be vastly more expensive.</p><p>The other areas that organizations are spending on to become GDPR compliant include staffing, such as internal staff to conduct privacy impact assessments, and outside counsel and consultants that specialize in privacy and privacy management technology.</p><p>"We're now seeing software packages that are specifically designed for managing privacy impact assessments—you can assign tasks, you can do reporting, you can have threat dashboards," Pfeifle says. "A lot of them mimic security management software."</p><p>These efforts are helping organizations move towards compliance, which is critical: only 40 percent of those surveyed by IAPP said they expected to be compliant with GDPR by the deadline.</p><p>"More important than being compliant is being able to demonstrate that you're making the attempt," Pfeifle says. "If a regulator showed up at your door and said, 'Show us you are compliant with the GDPR,' how would you do that? That's what the GDPR asks you to do."</p><p>LaFrance's views mirror Pfeifle's, because—in her opinion—regulators will be looking for organizations to make a good faith effort towards compliance. 
</p><p>"For the most part, if you've made a good faith effort to get a plan in place and you've taken the steps that you can between now and May to really get the ship moving in the right direction with a plan to sort things out by the end of the year, you'll be given a good pat on the back by any regulator that is going to do a spot audit of your records," she explains.</p><p>Some companies, however, might face more scrutiny after the deadline than others, such as those that are consumer facing and, if compromised, could create significant legal or economic consequences for consumers.</p><p>"I think they'll also consider whether there have been complaints by individuals or if there have been a number of reported data breaches," LaFrance says. "Regulators might look then to see if there have been lots of repeat offenders, and then go and do an audit. I imagine they will try to start with the obvious."  ​</p>
https://sm.asisonline.org/Pages/March-2018-ASIS-News.aspx March 2018 ASIS News | Strategic Security
<h4>Leadership Conference Sets the Course</h4><p>More than 200 ASIS volunteer leaders—council presidents, chapter chairs, Board members, and more—gathered at the Ritz-Carlton Pentagon City in Arlington, Virginia, USA, January 17-19 for the Society's annual leadership workshop and conference.</p><p>Over the course of three days, ASIS leadership helped develop strategic priorities and participated in sessions matching the conference theme: Educate. Engage. Empower. Attendees heard from diversity and inclusion experts and studied best practices for successfully managing volunteers.</p><p>The program included an update on the ASIS Strategic Plan from ASIS International CEO Peter J. O'Neil, CAE, and Senior Manager Adam Savino. O'Neil and Savino touched upon progress made regarding Board directives, which include branding, global network, professional competency, organization and operations performance, knowledge and learning, and enterprise security risk management. </p><p>The ASIS Foundation's Scouting the Future research workshop identified issues that today's security managers consider most important in the years ahead. Attendees were presented with 15 different change drivers affecting the security industry, and were asked to choose which of these topics they consider most pressing. Their responses will inform ASIS Foundation research over the coming months.</p><p>On January 18 the Society held its Annual Business Meeting. ASIS International Chairman of the Board Thomas J. Langer, CPP, began by honoring David C. Davis, CPP, and Darryl Branham, CPP, for their service on the Board of Directors. Next, more volunteer leaders were honored for their extraordinary service to the Society. 
Bob Oatman, CPP, was named the 2017 Council Chairman of the Year for his leadership of the Executive Protection Council. Marco Meza Sandoval, Region 7C, was named 2017 Regional Vice President of the Year, and Bob Johnson, CPP, Group 5, was named 2017 Senior Regional Vice President of the Year. </p><p>Christina Duffey, CPP, presented the treasurer's report, which provided an overview of the financial health of ASIS, and 2018 President Dick Chase, CPP, PCI, PSP, outlined his priorities for 2018. </p><p>Evening events included a Casino Night, which raised more than $5,000 for the ASIS Foundation, and the President's Reception, which celebrated the start of Chase's tenure as president.  </p><p>The conference concluded with a presentation by the FBI and volunteer roundtables. To view event pictures, visit flickr.com/asisinternational.​</p><h4>Certification Program Enhancements</h4><p>Together with the new ASIS website launch in late January, the Society introduced a new certification application process that makes it easier for candidates to understand exam requirements and apply for certification. The Professional Certification Board implemented several changes to its policies in support of the new application process.</p><p>Newly certified professionals' three-year certification cycle begins on the day they pass the exam and ends three years later, at the end of that month. Those whose cycles end on December 31 will continue to have their cycles end at the close of the calendar year. </p><p>Those who sit for the exam three times during their two-year testing eligibility period without passing it may reapply as soon as their eligibility period expires (but at least 90 days after their third attempt). Previously, candidates had to wait 18 months from the time of the third attempt.</p><p>As part of the new user-friendly recertification application process, ASIS staff will no longer verify each continuing professional education credit (CPE) as it is reported. 
As before, certificants will use the online application to keep track of CPEs as they are earned. When they submit their recertification applications, the CPEs will be reviewed all at once.</p><p>The grace period for recertifying after a certification cycle ends has been reduced from one year to three months. Additionally, all CPEs must be completed during the three-year cycle (none during the grace period). </p><p>"These changes will make it easier than ever for security professionals to become certified and stay certified," says ASIS International Certification Director Gayle Rosnick. "These updates will help lay the groundwork to support a larger and broader pool of certificants in the years to come."</p><p>In addition, the Certification Department has received Board approval to begin investigating an early-career certification. In January a dozen early careerists attended a two-day program at ASIS headquarters to determine the relevant competencies for a new early-career security management certification. Work will continue on this initiative throughout 2018.</p><p>For more information or to learn how you can pursue ASIS board certification, visit asisonline.org.​ </p><h4>Lifetime Certifications</h4><p>Congratulations to these individuals who have achieved lifetime certification.</p><p>•             Krishnamoorthy Arunasalam, CPP</p><p>•             Paul Stewart Barker, CPP</p><p>•             Fred A. Buran, CPP</p><p>•             Dennis G. Byerly, CPP</p><p>•             Jose E. Campos, CPP</p><p>•             Salvatore P. DeCarlo, Jr., CPP</p><p>•             Cheryl D. Elliott, CPP, PCI</p><p>•             Jeffrey J. Haykin, CPP</p><p>•             Pearse Healy, CPP</p><p>•             Eugene Hermanny, CPP</p><p>•             Dan Jenkins, CPP</p><p>•             Garrett J. Ochalek, CPP</p><p>•             Shirley A. Pierini, CPP, PCI</p><p>•             Robert C. Quigley, CPP</p><p>•             Craig P. Remsburg, CPP</p><p>•             Thomas J. 
Rohr, Sr., CPP</p><p>•             John R. Ryan, CPP</p><p>•             Kathleen A. Sowder, CPP</p><p>•             Scott Wells, CPP</p><p>•             Ian G. Wing, CPP</p><p>•             Christopher D. Yokley, CPP​</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Manager's Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security</em>. By Brian J. Allen, CPP, and Rachelle Loyear. Rothstein Publishing; Rothstein.com; ebook; $14.49.</p><p>The security landscape is evolving at an enormous speed. Volatility, uncertainty, complexity, and ambiguity are the new normal. So, how do you address security challenges in such an environment? The answer is through enterprise security risk management (ESRM), an integrated risk-based approach to managing security risks. It brings together cyber, information, physical security, asset management, and business continuity. ASIS has made ESRM a global strategic priority.</p><p>In the <em>Manager's Guide to Enterprise Security Risk Management,</em> authors Allen and Loyear provide a comprehensive overview of the principles and applications underlying the ESRM philosophy. They set the stage in the first part of the book with an introduction to ESRM and share some important insights on the differences between traditional security and the ESRM approach, illustrating their points with examples.</p><p>The second part of the book guides the reader through the implementation of an ESRM program. One excellent chapter promotes design thinking as a conceptual model for ESRM. A design thinking approach can provide a unique platform for innovation and overcoming new security challenges.</p><p>Finally, the book provides insights and strategies to ensure the success of the ESRM program. 
It explains what an executive needs to know about ESRM, and gives readers the tools to succeed.</p><p>In sum, this guide accomplishes exactly what it set out to do—provide security leaders and managers with the principles and applications to explore, design, implement, and secure the success of an ESRM program. </p><p>Note: The authors of this book recently published a more detailed look at ESRM in <em>Enterprise Security Risk Management: Concepts and Applications</em>, also published by Rothstein.</p><p><em>Reviewer: Rachid Kerkab has almost two decades of experience in criminology, security strategy, risk, and resilience. He is a member of ASIS. ​</em></p>
https://sm.asisonline.org/Pages/Four-Challenges-Facing-Aviation-Security.aspx Four Challenges Facing Aviation Security | Physical Security
<p>Anthony McGinty, CPP, is a Senior Intelligence Analyst with CSRA Inc., contracted to Los Angeles International Airport. He is a member of the ASIS Global Terrorism, Political Instability, and International Crime Council. </p><p><strong>1. Airports as cities.</strong> Traditional city problems are finding their way into airports—the homeless, the mentally ill, drug abuse, petty and complex crime, and civil disobedience. For law enforcement and security agencies, the challenge is to simultaneously perform first-responder duties while identifying high-consequence threats to aviation operations. Both require specific, distinct skill sets. Security directors need to balance assets, personnel, and operations to mitigate both public disorder and homeland security risks.</p><p><strong>2. International terrorism.</strong> Commercial aviation will remain an attractive target for militant groups and extremists. The public side of airports—curbside to security screening—is vulnerable to an array of terrorist attacks, including active shooters, luggage filled with explosives, weaponized drones, and vehicle ramming. Thousands of militants, technically proficient and ideologically motivated, who are returning from the failing ISIS caliphate may regroup under new flags, join al Qaeda affiliates, or act independently. </p><p><strong>3. In-flight disruptions. </strong>On a weekly basis, media reports and Internet videos display the latest outrage inside aircraft cabins—brawling, drunken rants, sexual assaults, and defying flight attendants. This trend of in-flight disputes and violence at 35,000 feet is potentially dangerous. 
Short of placing a security officer on board, solutions may involve institutional changes in the flight crew-to-passenger relationship. For example, instances of human traffickers using commercial airlines are so common now that flight crews are being trained to spot indicators and act. This is a further example of the changing role of flight crews from comforters to enforcers.</p><p><strong>4. Insider threat. </strong>Terrorist groups may enlist airport employees to circumvent security screening—especially employees with direct access to aircraft. Employees have also smuggled drugs, weapons, and other contraband. Just one radicalized or disgruntled employee can commit an act that leads to a catastrophic incident, which makes addressing insider threats a priority. Airports and airlines are implementing their own strategies to mitigate this threat. Mostly, this effort has involved security screening of all—or select—employees prior to entering restricted zones. Technology may support this effort as well. New analytics capabilities embedded in video and access control systems can provide a sophisticated surveillance tool. Self-policing with a rigorous, internal "See Something, Say Something" effort is essential.   ​</p>
https://sm.asisonline.org/Pages/Book-Review---Supply-Chain-Security.aspx Book Review: Supply Chain Security | Physical Security
<p><em>Butterworth-Heinemann; Elsevier.com; 200 pages; $49.95.</em></p><p>Anyone who intends to enter the realm of supply chains and logistics must read <em>Global Supply Chain Security and Management. </em>Author Darren Prokop brings vast experience in the academic and practical worlds of supply chain management to this book. He goes the extra mile to package a tremendous amount of critical information in a compact volume to produce an easy-to-read narrative and valuable reference guide to these types of global operations.  </p><p>Not only does the book identify the threats of today and tomorrow, it also provides useful insight on how to combat them. Going beyond the issues of insider/outsider theft and shipping damage, Prokop redefines the threat to include terrorism and natural disasters. He adds key chapters on topics of human and natural threats, information technology, and risk mitigation. </p><p>Prokop introduces the concept of game theory in the synergies between players in the global shipping arena, and he explains how a competitive situation may morph into a cooperative one. He points out the dual role that government plays in the global shipping effort—serving as both a policing agent and a supply chain partner. Key take-aways include recent U.S. regulatory decisions, the latest technologies for securing infrastructures, and up-to-date theories and techniques of industrial organization and security.</p><p>This book is an excellent tool for faculty and students of security management and supply chain management. 
Security practitioners in other disciplines would do well to add it to their professional libraries, as well.</p><p><em>Reviewer: Terry Lee Wettig, CPP, is an independent security consultant who served 10 years as director of risk management with Brink's Incorporated. A retired U.S. Air Force chief master sergeant, he is currently a doctoral candidate specializing in organizational psychology. He is an ASIS member. ​</em></p>
https://sm.asisonline.org/Pages/Coachable-Employees.aspx Coachable Employees | Strategic Security
<p>The latest <em>State of the American Workplace</em> report, the Gallup company's look at management practices in the U.S. workplace, contains some grim news. A clear majority of employees are not engaged with their jobs, and employers are finding it increasingly hard to retain quality workers. "The very practice of management no longer works," Gallup Chairman and CEO Jim Clifton says in the report, which was published last year.</p><p>But the experts at Gallup also argue that employee engagement and retention can be markedly improved—through effective coaching. Managers who are effective coaches often possess certain abilities and attributes: they are usually clear and insightful explainers; they have an aptitude for building on an employee's strengths; they are adept at working with different learning styles; and they can maintain patience in the face of mistakes.</p><p>But effective coaching is a two-way process. And just as talented coaches share certain traits, employees who are highly coachable often possess a cluster of certain qualities and abilities. 
These attributes can be thought of as "green flags"—indicators that the employee is driven and prepared to grow and improve on their existing skill sets, to learn new skills, and to "correct performance without resentment," in the words of legendary UCLA basketball coach John Wooden.</p><p>In the security field, these green flags can include demonstrated honesty, adaptability to change, intellectual curiosity and love of learning, interpersonal skills, attention to detail, problem-solving abilities, resourceful thinking, safety awareness, a reasonable level of suspiciousness, and emotional intelligence.</p><p>Smart security managers have realized that these green flags often serve as predictors of future success, and so they have focused on fine tuning this list of qualities and attributes. It has value in the screening and hiring process, as well as in managing employees once they are hired, especially in organizations that are going through performance changes or improvements.</p><p>And being coachable is not just important for front-line security workers. Managers, too, need to remain coachable, so that they can continue to improve and grow, and ultimately become better coaches.  </p><p>The following examples are taken from real-world situations in the security industry—the names of the managers have been changed—and illustrate these concepts. They provide best practice guidance for security leaders on what to look for in terms of an employee's coachable potential, and how managers can also benefit from becoming more coachable themselves. ​</p><h4>Success via Coachability</h4><p>John Smith worked in the criminal justice public sector for a little over 20 years in the Midwest. Under his leadership, his department achieved and maintained accreditation, with high scores on all metrics. 
Turnover in John's department was low; he had helped build a positive team atmosphere with high levels of employee engagement and job satisfaction.</p><p>Still, John silently complained to himself about being overworked and underpaid. One day, he saw a security director position advertised by a privately owned security company in the Omaha area. He decided it was time for him to put up or shut up, and see if he could get paid his real worth. So, John moved forward on this new opportunity, and in so doing stumbled upon the importance of coachability.</p><p>As it happened, the owner of the security company in question also ran the largest maid service franchise in the world and was a graduate of Harvard Business School. John was applying for the position of general manager; the previous general manager was a retired FBI agent who at first dazzled the owner with his training and work history, but soon showed that he lacked the main ingredient the owner needed to grow the security company—coachability. And so, it wasn't long before both decided to end the relationship.</p><p>Conversely, John possessed a few green flags of coachability the owner wanted to see in the applicant for his open general manager position—adaptability, intellectual curiosity, and a penchant for further learning and improvement.</p><p>During the interview and candidate evaluation process, these qualities became evident to the owner. For example, John discussed how he had adjusted to living in a foreign country during his public-sector career. Before that, he had successfully changed careers from mental health to corrections. He had completed his master's degree, which reflected an interest in further learning. He demonstrated that he was interested in moving from a safe, structured public service job to the greater unknowns of the private sector, where he would have to think on his feet and create the structure that worked best for the company. 
Throughout the interview, John asked insightful questions that showed strong intellectual curiosity. </p><p>These attributes made the owner feel he was hiring what he needed most—a security manager whom he could mentor so that the manager would develop his own coaching skills to build the right workforce. </p><p>John got the job, and went on to a second career in the private sector, where he thrived for another 20 years. He was especially successful in recruiting and hiring an impressive team to grow the business. In hiring, he didn't look for clones of himself in terms of education, skill sets, and temperament. Rather, the common denominator he did look for was an insatiable drive to learn, grow, and improve, which was usually accompanied by high engagement with and passion for the work.​</p><h4>Coachability for Managers</h4><p>As a security manager for a medium-sized corporation on the East Coast, Mary Jones learned the importance of coachability and how it complemented the two-way management style she had learned in earlier training. </p><p>She decided to take on her company's two-pronged problem of hiring and retention; she set her sights on reducing the failures of bad hiring and the costs of high turnover. Mary realized that identifying the green flags of highly coachable applicants went a long way toward making better hires, and she became proficient in determining this by asking probing questions during the interview process. </p><p>One such question was: "When you start a new job, do you prefer to look for opportunities to apply what you already know from past experience, or do you try to learn something new about what you don't know? Tell me about how you learned about which way to approach a job to get the best results?"</p><p>Another question was: "Tell me about a situation in which you thought you knew how to solve a difficult problem, but, as it turned out, you didn't. 
What did you learn from this experience, and what did you change in your approach to problem solving?" Another follow-up question she used was: "How do you think problem-solving skills can be best developed with new employees? Is that the way you would have liked to have been taught, or do you have other ideas on this?" </p><p>She then helped her HR manager become adept at this type of interviewing, so the manager could use it when interviewing security officers. She started by explaining the value of using real-life work scenarios to see how the applicant would respond based on his or her past failures at work. She also told the manager of the frequent good results of asking open-ended questions versus closed-ended ones. At that point they did some question planning and interviewing together to demonstrate and practice how this style of interviewing would get better results. Mary's efforts did not stop there.</p><p>Once hiring had improved, Mary also wanted to improve the retention rate of coachable employees. Thus, she developed a custom-designed training program by gathering new ideas from a variety of resources and programs from professional HR organizations that were available online for free, and then carefully updating ideas from a few of her own coaching and counseling training programs. </p><p>She then provided summary information about this new training to all her supervisors, aimed at rekindling their own coachability, which would help the supervisors learn how to better identify coachable employees at the same time. The training was well-received and everyone was motivated towards a common goal.  </p><p>Under Mary's efforts, managers learned how to hire employees with excellent coachability potential by asking better questions and spotting tell-tale answers. Supervisors learned how to improve their coaching abilities by practicing new mediation strategies. And employees were able to improve upon the coachability potential they first brought to the job. 
This was a win-win-win for Mary, her supervisors, and the company at large. ​</p><h4>Assessing Coachability</h4><p>During Bob Miller's long career in security management, his understanding of the importance of coachability evolved, and an examination of this evolution reveals some guidance for managers assessing coachability. </p><p>Early on, Bob discovered that there was an X-factor in an employee's ultimate success that was just as important as the knowledge, skills, and abilities that are asked for on the application for federal jobs. Bob's discovery was in part due to his own self-awareness—he was aware of his own insatiable drive to become better at whatever he was doing, and this helped him spot the same drive in the applicants he screened and interviewed. </p><p>Given his belief in the great value of coachability, he revised the hiring process he had traditionally used. He discarded practices he now considered time-wasters, such as checking references about the candidate's honesty and dependability, verifying prior work history and education, and administering psychological testing. Using the Occam's razor principle, he ended up with the one prevailing trait that he found was most predictive of success (after the applicant's résumés proved baseline professional competency)—an openness to learning, growing, and improving.</p><p>From here, Bob designed a behavioral interview with a set of telling questions designed to get revealing answers regarding a person's drive to succeed as a security officer or supervisor. In most cases, this drive starts with the candidate's acceptance that they do not know it all already, so the interview questions were also designed to gauge if that acceptance had been established. Given the unknowns and new developments of security work today, this type of acceptance is critical to future success. 
</p><p>Bob constructed his list of probative interview questions so that it would be difficult for applicants to hide behind hypothetical or general, unrevealing answers. He first posed a set of written questions, so the candidate could take some time to think and draw on their most relevant past experiences. Then during the interview, Bob and the candidate could discuss these preliminary answers in more detail, so that the applicant's coachability could be assessed.  </p><p>In terms of specifics, the written list of questions started out asking applicants about past failures and how they overcame them. Then, during discussion, candidates were asked for examples of how they had used common sense to get results in previous situations, areas in which they felt they could improve, what they liked and disliked about their best supervisor, and what they thought an employee had to demonstrate to be successful in security work. Further discussion of the answers to these five simple questions proved to be revealing, and an effective means to assessing coachability potential in the applicants. </p><p>The good answers included ones with enough detail to face-validate their actual occurrence, such as "I liked my previous supervisor's patience with me when I didn't succeed at a task delegated to me. She gave me some useful feedback and immediate suggestions to improve the next time. What I didn't like about her was that she was always busy and difficult to get time with. However, I guess I should have mentioned this problem to her."  </p><p>The bad answers lacked such detail, or even sidestepped the question, such as, "I didn't really get to know my supervisor that well," or "I'd rather not get into that." 
Of course when the applicant couldn't stop listing all the previous supervisor's faults and was not able to come up with any good things to say about the supervisor, that was a big red flag of cynicism in his coachability.</p><p>The process worked well, but Bob, being of a continuous improvement mindset, knew he wasn't finished in his efforts to perfect his assessment method for determining what level of coachability each applicant was bringing to the job. Interviewing is like standardized testing; eventually, the best answers to even the most highly guarded LSAT questions become common knowledge. Bob anticipated this would eventually happen with his coachability assessment questions, so he continued to revise them to stay ahead of the curve. For example, one question that consistently showed value was, "Tell me about the best sports or activities coach you had in school, and what do you think made him so successful?" He revised this by expanding it, and it yielded even greater value: "What characteristics of this coach have you applied in your own life?"​</p><h4>Removing Obstacles </h4><p>Can a security employee be taught to be coachable? Security manager Michelle Palmer wanted to explore this possibility with her direct reports. Many members of her staff did not seem to see the value in coachability, or why it was necessary. Fortunately, Michelle knew the importance of explaining concepts well enough to sell them, thus removing the resistance. </p><p>She realized that one of the main roadblocks for her employees was their natural defensiveness in receiving feedback about themselves. She decided to use personal examples to make her explanations more effective. 
For example, she shared how she personally overcame her own obstacles in becoming more coachable, including her original unwillingness to share her own vulnerabilities, to become more open to different perspectives other than her own, and to accept the risk that came with experimenting with new behaviors.</p><p>In her managing, Michelle also employed another lesson she learned previously in becoming more coachable. She replaced her usual relaxed approach in some staff interactions with a more assertive posture. For example, in giving feedback to others, she often replaced "you," such as in "it would be good if you did this differently," with "I," such as in "I would like you to try doing this in such-and-such way." This shift had a positive effect; staff members became much less defensive, and better listeners. </p><p>Finally, Michelle's instruction was made more effective by a key realization—all she thought she knew to be true about the security profession wasn't necessarily so. Her own growth had been somewhat stalled by this limiting perspective, and once she was free from it, she could better communicate the value of staying open to new ideas and continuous growth and improvement. ​</p><h4>Coaching the Future</h4><p>If a security manager is successful in hiring coachable employees, and can help existing staff remain coachable, a culture and system of proactive performance improvement can be maintained in the security department. In such a culture, managers and employees continue learning and improving.   </p><p><em>William Cottringer, PhD, Certified Homeland Security (CHS) level III, is executive Vice-president for Employee Relations for Puget Sound Security Patrol, Inc., in Bellevue, Washington, and adjunct professor in criminal justice at Northwest University. ​</em></p>
https://sm.asisonline.org/Pages/The-Fraudians-Slip-In.aspx
The Fraudians Slip In
Physical Security
<p>Fraud is thriving these days, and many of its practitioners have acquired daunting levels of skill and ingenuity for reading the current operational environment, finding weak links, and adjusting their methods to maximize the likelihood of successful scams, experts say.</p><p>"They are as skilled in committing these frauds as any skilled person is in any field of endeavor," says Alan Brill, a director with Kroll's cybersecurity and investigations practice. "They are criminals, but you have to respect the level of skill that they have, to know what you are up against."  </p><p>This fraudulent activity is affecting more and more companies, according to a new study. About two-thirds of U.S. companies reported an increase in fraud attempts over the past 12 months, according to The Fifth Annual Fraud Report: A New Landscape Emerges, a study issued by IDology, an Atlanta-based identity verification firm. Last year, fewer than half (42 percent) of U.S. companies reported such a rise.</p><p>And it's not only the sheer number of fraud attempts that is changing. Methods used in perpetrating fraud are evolving, too. </p><p>"The biggest challenge faced by businesses in the fight against fraud has been the continually shifting tactics used by fraudsters," reads the study, which finds that 71 percent of organizations cite "shifting fraud tactics" as their greatest challenge. </p><p>Use of fraudulent credit, debit, and prepaid cards is still the most prevalent type, with 65 percent of respondents saying that it is the most common method in their industry. However, there are signs that it is starting to decrease. That 65 percent figure is actually down from the 73 percent of respondents who cited that fraud type in last year's survey. 
</p><p>According to the report, the reason behind this decrease is the widespread adoption of EMV chip cards, which have reduced point-of-sale fraud. With chips making it harder to commit this type of fraud, more criminals are shifting to an online environment, where the customer is not present. "They will try to find the path of least resistance," IDology CEO John Dancu says.<img src="/ASIS%20SM%20Callout%20Images/0318%20NT%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:573px;" /></p><p>There's another driving factor behind the shifts in the fraud landscape, and it has to do with how nimbly the fraudsters share knowledge. "They are really good at communicating among themselves," Dancu says. Sometimes, they will discuss methods on the Dark Web; this keeps them situationally aware and helps them change methods if necessary. </p><p>Some are also not shy about expressing pride of craft. "When they find a weak link, they are happy to tell everybody else about it," Dancu explains. "If you're on the Dark Web or their other forums, you can see the interactions and the professional enjoyment that they have in letting other people know what they have discovered. It's about being The Man." </p><p>Those dark websites and other places where fraudsters sell information and data are pretty sophisticated enterprises, Brill says. "There is a comradeship among people who do this. They do meet at the marketplaces, and these marketplaces don't look that different from eBay, with vendors getting rated by people that buy from them," he explains. Some vendors even offer BOGO specials, he adds.</p><p>As is true with most fields of endeavor, this increased professionalization brings about more specialization. So, some fraudsters specialize in malware, some in the monetization or selling of breached data, and some in "social engineering"—knowing how to get to the right entry point to access information, Brill explains.  
</p><p>He offered the following example of a social engineering specialist. These days, many banks frequently advertise how effective they are in protecting customers against fraud. In this environment, it may then be no surprise if one day you get a phone call from Visa security, with the caller informing you that your card was just charged with suspicious activity—$300 from an adults-only emporium in Las Vegas. Horrified, you deny the charge and ask for it to be cancelled, and so you gladly give your card information, Social Security number, and date of birth when the caller asks if they can verify you as the cardholder. </p><p>But what you might not realize is that you just handed over your information to a criminal posing as security. This type of thief takes advantage of the expectations created by frequent bank commercials that promote their quick security operations. "In effect, you have been primed for a social engineering hit," Brill says.</p><p>Although the study finds that customer-present credit card fraud may be decreasing, it also finds that synthetic identity fraud (SIF) is a growing problem. In an SIF scam, a combination of real and fabricated identity information is often used to create a new identity. Thirty-one percent of businesses in the report say SIF has increased, and 58 percent are "extremely" or "very" worried about it. Helping to drive this problem is the recent flood of major data breaches, which gives criminals more identity data to use.</p><p>In Kroll's investigations practice, Brill is seeing a big increase in the following type of case. A fraudster obtains the Social Security number of a young child in the aftermath of a data breach, then uses it with other information to open a few credit accounts, including one or more credit cards. </p><p>The scammer then exploits the accounts for years, with charges that are never repaid and lapse into default. 
Finally, the young child becomes old enough to apply for a credit card, or a lease on an apartment, and is surprised to find out that his or her credit rating is abysmal. </p><p>Marcus Christian, an attorney in Mayer Brown's White Collar Defense & Compliance group, also sees SIF as an increasing problem. Christian, a former prosecutor in the U.S. Attorney's Office for the Southern District of Florida, has heard reports that some of the criminal organizations in South Florida have been shifting away from selling narcotics and toward identity scams. "The money is as good as, if not better than, the drug trade," he says. In addition, it is often perceived as a less dangerous practice, and through connections in local school systems and banks, these criminals can obtain stolen data, he adds.  </p><p>The second-most cited type of fraud in the report—first-party or friendly fraud—is also on the rise, with 51 percent of respondents saying they have been a victim of it, nearly double the percentage (26 percent) of respondents who cited it in last year's survey. </p><p>First-party or friendly fraud generally describes fraud committed by individuals using their own accounts. These types of fraudsters might make an online purchase and then dispute the charge after the merchandise has been received, or they might open credit card accounts with the intention of maximizing charges and then lapsing into default to avoid full repayment. </p><p>One reason first-party fraud is increasing, the study finds, is that it is difficult to foil; it is hard to disprove false claims that ordered merchandise was never received, for example. 
However, experts say that big data applications hold some potential in this area as a security tool, because they can be used to recognize patterns of excessive refund requests and other telling information.</p><p>Finally, Dancu says that another cause for optimism in the fight against fraud is that an increasing number of companies are realizing the importance of working together. Fraud is a serious issue for companies regardless of industry, and since the perpetrators are sharing information and strategies, those fighting fraud need to do the same, under a consortium mindset.   </p><p>"Getting connected and talking with peers is really an important part of solving the problem," Dancu says. "Be flexible, be collaborative, and be open-minded to what's going on out there." </p>
https://sm.asisonline.org/Pages/Paving-the-Way.aspx
Paving the Way
National Security
<p>For the citizens of Jayuya, Puerto Rico, December 15 came and went without fanfare—and in the dark. The U.S. territory's governor, Ricardo Rosselló, had estimated that 95 percent of Puerto Rico would have power back by mid-December following the devastation brought by Hurricane Maria in September. As of press time, that estimate had been extended to February.</p><p>Lilo Pozzo, an associate professor of chemical engineering at the University of Washington, traveled to Jayuya, Puerto Rico, in November with a group of students to assess the impact of extended power outages on public health. Due to its remote, mountainous location, the municipality was still largely without power, and Pozzo's group found that people with respiratory problems were greatly impacted.</p><p>"The overall message was that the people with respiratory ailments were in the worst condition because they weren't necessarily evacuated like patients that had more evident health problems, so these people with chronic conditions essentially stayed behind, and they are suffering because they can't power their devices to run therapies," Pozzo explains.</p><p>She describes people who are unable to operate their sleep apnea machines or administer asthma treatments. Those who need oxygen now have to wait for tanks to be delivered to the municipality because their standalone oxygen machines could not be charged. The main clinic in town had borrowed a generator after its first one broke down, but can only provide essential services due to concerns of damaging the current generator. All vaccinations and refrigerated medications were spoiled, and citizens with mobility issues or sensitive diets have also been affected. 
</p><p>The city's two major factories have also continued to operate by running generators, which Pozzo says is expensive and inefficient. The townspeople are fearful that it will be difficult for the factories to continue operations if conditions don't improve quickly or if extended power outages following natural disasters become the norm. "If you get hurricanes every year, that's going to change their economic calculations and could potentially create loss of workforce," Pozzo notes. </p><p>Despite the dire situations in part of Puerto Rico, power restoration has been slow due to a process fraught with politics and finger pointing between the territory's leaders and the U.S. federal government about the amount of aid that should be provided. However, Puerto Rico's power system was in trouble long before Hurricane Maria hit. </p><p>In the days following the territory's brush with Hurricane Irma in early September, which briefly knocked out power for a million people, investors became more vocal about privatizing the territory's struggling power grid. The Puerto Rico Electric Power Authority (PREPA), the largest public utility in the United States, had declared bankruptcy in July, and what little maintenance it was conducting on the island's power grid fizzled. Politicians, energy experts, and other stakeholders acknowledged that the grid might not hold up much longer without serious changes.</p><p>And then, two weeks later, Hurricane Maria made landfall in Puerto Rico as a Category 4 storm.</p><p>The entire island lost power. Several neighborhoods were destroyed. Most communication networks across the island were crippled. Fresh food and potable water became scarce. The official death toll in Puerto Rico is 64, but estimates suggest more than 1,000 people may have died from the storm and its aftermath. 
As of early January, 43 percent of the island still had no power, and more than 200,000 citizens have left their darkened communities for the continental United States.</p><p>"Puerto Rico is being supported to a large degree by U.S. power companies right now, but that's not sustainable," explains Mark Weatherford, chief cybersecurity strategist at vArmour. "That's why there needs to be a long-term plan here, but it's going to cost money. This is going to be a test of our nation in what we're willing to support to rebuild a state that was already teetering on bankruptcy."<img src="/ASIS%20SM%20Callout%20Images/0318%20NS%20Chart.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:562px;" /></p><p>When Hurricanes Harvey and Irma struck Texas and Florida last fall, power crews and equipment rolled in from other U.S. states to get the affected regions up and running. But the sheer magnitude of Hurricane Maria's damage to Puerto Rico—and its island location—made it difficult for other U.S. utility companies to lend a hand, says Daniel Kirschen, an engineering professor at the University of Washington and a member of the Clean Energy Institute.</p><p>"Typically, utilities are eager to help each other in those situations because of the mindset that this time it's your turn, but the next time it might be mine," Kirschen says. "So these companies are usually very willing to lend crews for repairs. Now, of course, Puerto Rico is an island so it's harder to organize sending crews down there, which on top of all the other problems has made recovery more difficult."</p><p>Brian Harrell, CPP, the vice president of security at AlertEnterprise and former director of critical infrastructure protection at the North American Electric Reliability Corporation (NERC), details what is involved in sending crews to repair Puerto Rico's power grid. 
Workers and tools must be flown to the island, and heavy equipment such as bucket trucks, transformers, and wires must be transported on ships, which makes the logistics of recovery difficult. Upon arrival, crews must manage downed lines, clear debris from roads, and fully repair the system, he says.</p><p>"During the aftermath of such devastation, it is imperative that safety and security is established on the ground," Harrell says. "Before critical infrastructure can be repaired and restored, it's vital that line crews, aid workers, and emergency personnel feel safe while conducting their jobs."</p><p>But as each power line is restrung to bring electricity back to the island, experts are pointing out the opportunity to build a more resilient, smarter power grid that will prevent future catastrophic damage to Puerto Rico's infrastructure—but nobody has come up with a plan.</p><p>"Given the complete destruction of the island's power system, an opportunity has also presented itself to modernize the way electricity is generated, along with how it can be efficiently transmitted with newer technology," Harrell adds. "A key to preventing this type of destruction from ever happening again will be to build resilience and redundancy into the system."</p><p>Stuart McCafferty, president and CEO of GridIntellect and a National Institute of Standards and Technology (NIST) community resilience fellow for electrical power infrastructure, says that Puerto Rico needs to move beyond its reliance on fossil fuels, which are expensive and unsustainable. </p><p>McCafferty has been involved in the U.S. smart grid initiative since the beginning, creating the first smart grid maturity model for the U.S. Department of Energy (DOE) and a tool to evaluate a grid's resiliency. He says that while continental U.S. energy providers and government officials embraced the shift towards a smarter grid, there was a disconnect when it came to waterlocked states and territories. 
Hawaii has paved its own way by working with DOE to develop an unprecedented clean energy initiative in 2008—drawing the majority of the state's energy from renewable resources. Puerto Rico had made no effort to update its infrastructure. </p><p>Despite the critical situation in Puerto Rico right now, McCafferty says that the territory has an "incredible opportunity" to build localized power grids that are self-reliant and will not allow downed transmission lines to knock out power for the entire island. </p><p>Weatherford agrees. "With an aging infrastructure like that, unfortunately the only thing they will be able to do is rebuild from ground zero," he says. "They need to start over, and the good news is this gives them the opportunity to build a 21st century infrastructure—but it's going to cost a lot of money to do that."</p><p>Although PREPA is cash-strapped, McCafferty says money can come from federal grants and labs, venture capital, angel investors, and self-funded corporations. However, a sorely-needed roadmap for the territory's power grid is nowhere in sight, even as legacy infrastructure is being repaired. </p><p>"I don't see anyone coming up with any real solutions because of the financial issues and mismanagement of the grid by the operator," McCafferty explains. "Puerto Rico needs a roadmap, and it doesn't even have to be based on any of the financial needs. Once you've got that laid out, then you can start prioritizing and identifying the funding mechanisms to make that happen."</p><p>Weatherford suggests setting up temporary generators and small microgrids to keep the lights on for citizens while officials go back to the drawing board to figure out a more resilient solution. "Use temporary money to keep the lights on, and use long-term capital to rebuild the infrastructure," he says. A robust microgrid system, which would keep power outages isolated, paired with renewable energy such as solar and wind power, would be an ideal setup, he says. 
</p><p>Kirschen, who studies how to effectively deploy repair crews to restore critical infrastructure, agrees that redesigning the grid is not going to happen overnight, and crews need to focus on rebuilding what they can of the existing infrastructure. </p><p>"We're not at a point where we can generate quite enough power with solar generation to satisfy all the island's needs," Kirschen says. "What I see is a combination of a traditional grid built to a higher standard so it can withstand hurricanes and other disasters, combined with local microgrids designed to survive these hurricanes, so that if the main grid is broken for a while, you can still meet the emergency medical and essential needs until the main grid is repaired. It's particularly important in Puerto Rico because the landscape is rugged and there are some really remote areas that are hard to reach. Therefore repairing the grids to reach those areas will take time, so having one of those small emergency microgrids can be extremely useful."</p><p>Pozzo says that a solution for remote areas like Jayuya that would provide critical services during an emergency would be ideal. "You're not restoring power to everybody, but you're at the very least able to maintain the critical needs, storing medicine, providing power to people with medical devices," she says. 
"I believe that if the town had distributed independent systems—it could be clean energy but could also run on generators that are larger and more effective—they would fare much better, just because they could focus on repairs in a more localized way."</p><p>Part of Pozzo's research in Jayuya was quantifying exactly how much energy it would take to meet the critical needs of the entire community to better prepare emergency shelters to handle future power outages.</p><p>"We're analyzing ideas where you could invest in providing power to schools that could serve as shelters, so you need to understand how patients are distributed in a community and whether they are able to get to the shelters to have their needs met and how much energy would be necessary to satisfy the number of patients that would go there," she explains. The academic paper on her team's findings will be published in the spring. </p><p>"Climate change is happening—we're going to get natural disasters more frequently and more severely, so we have to make sure that our infrastructure is built to a standard that is appropriate for these natural disasters," Kirschen says. </p>
https://sm.asisonline.org/Pages/Fair-and-Neutral.aspx
Fair & Neutral
Physical Security
<p>The recent flood of sexual harassment allegations in the United States, from Hollywood to Capitol Hill to New York City, has given people around the world new confidence to publicly denounce sexual harassment and other types of misconduct.</p><p>One powerful example is the Twitter hashtag, #MeToo, which has now been used by more than 1.7 million people in 85 countries to speak out and name their harassers. The allegations have resulted in tangible change: in the past several months dozens of public figures, accused of behaviors ranging from inappropriate harassment to sexual assault, have been fired or forced to resign from high-profile positions.</p><p>This remarkable spike in firings is also an extension of a longer-term development. Over the past five years, 5.3 percent of CEOs globally have been forcibly removed due to ethical lapses, including harassment, according to a PricewaterhouseCoopers study. In the United States, that's a 102 percent increase from the previous five years. And during last year alone—before the #MeToo movement—harassment cost U.S. companies more than $160 million in U.S. Equal Employment Opportunity Commission (EEOC) settlements, an all-time high. </p><p>Some say these unprecedented developments represent nothing short of a social revolution, one that will have serious ramifications for employers. After the news of allegations against Hollywood mogul Harvey Weinstein came out, the EEOC saw a fourfold increase in visitors to the sexual harassment section of its website. This trend demonstrates that employers must be prepared for the possibility that harassment complaints within their organizations may increase, and they must have effective policies and procedures for responding and acting on them.  
</p><p>When these accusations come out, many organizations are quick to end established relationships with the person being accused—usually to protect the enterprise and the brand, but also to show support for those reporting the allegations. However, it is important to remember that conducting a competent investigation to uncover the truth is vital. It protects the enterprise and all parties involved, and it will encourage other victims of misconduct to come forward.</p><p>This article explores how employers, employees, and those commissioned to investigate allegations of misconduct can develop proactive procedures to ensure that the rights of all parties are equally considered in every investigation. Establishing such informed procedures mitigates the risk of civil action, while demonstrating a commitment to fairness.​</p><h4>Understanding the Offenses</h4><p>There are generally three classifications of sex-related incidents: harassment, sexual harassment, and sexual assault. The following is a breakdown of how the three are legally defined in the United States.</p><p><strong>Harassment. </strong>Harassment is a form of employment discrimination that violates Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act of 1967 (ADEA), and the Americans with Disabilities Act of 1990 (ADA).</p><p>According to the EEOC, harassment is unwelcome conduct that is based on race, color, religion, sex (including pregnancy), national origin, age (40 or older), disability, or genetic information. Harassment becomes unlawful in either of two situations—when enduring the offensive conduct becomes a condition of continued employment, or when the conduct is severe or pervasive enough to create a work environment that a reasonable person would consider intimidating, hostile, or abusive. 
Petty slights, annoyances, and isolated incidents (unless extremely serious) usually do not rise to the level of illegality.</p><p>Anti-discrimination laws also prohibit harassment against individuals in retaliation for filing a discrimination charge, testifying, or participating in any way in an investigation, proceeding, or lawsuit under these laws. Similarly, harassment in retaliation against somebody who is opposing employment practices that they reasonably believe discriminate against individuals and violate these laws, is also prohibited.  </p><p>What constitutes offensive conduct? It often includes, but is not limited to, offensive jokes, slurs, epithets or name calling, physical assaults or threats, intimidation, ridicule or mockery, insults or put-downs, offensive objects or pictures, and interference with work performance. </p><p>Harassment can occur in a variety of circumstances and settings. The harasser may directly supervise the victim, or he or she may work in a different area of the enterprise. The harasser may also be a vendor, contractor, or agent of the employer. The victim may be a workplace invitee who is not employed with the company. And the victim does not have to be the person harassed; he or she can be anyone affected by the offensive conduct. Finally, it is important to remember that unlawful harassment may occur without economic injury to, or discharge of, the victim. </p><p><strong>Sexual harassment.</strong> Harassment sometimes escalates to sexual harassment, which includes unwelcome sexual advances, requests for sexual favors, and other types of verbal or physical harassment of a sexual nature.</p><p>Sexual harassment is defined as either quid pro quo or hostile environment. According to the EEOC guidelines, quid pro quo harassment occurs when an individual's rejection of or submission to unwanted conduct is used as the basis for employment decisions affecting that individual. 
Hostile environment harassment occurs when submission to unwelcome sexual conduct is made (either explicitly or implicitly) a term or condition of an individual's employment. </p><p>However, the line is often unclear regarding quid pro quo and hostile environment harassment claims. For example, hostile environment harassment may acquire characteristics of quid pro quo harassment if the offending supervisor abuses his or her authority over employment decisions to force the victim to endure or participate in unwanted sexual conduct.</p><p> Sexual harassment may culminate in a retaliatory discharge if the victim tells the harasser or employer that he or she will no longer submit to harassment, and is then fired in retaliation for this protest. Under these circumstances, it is appropriate to conclude that both harassment and retaliation in violation of U.S. federal law have occurred, according to the EEOC.</p><p><strong>Sexual assaults. </strong>Sexual harassment can sometimes turn into a sex crime. These crimes can range from rape and battery to other criminal offenses, and they call for law enforcement investigation and potential criminal prosecution. Too often, employers and their investigative teams fail to recognize that the victim is reporting a crime, not just work-related harassment.​</p><h4>Abuse Patterns</h4><p>Sexual harassers and offenders frequently demonstrate certain patterns of misconduct. Perpetrators often leverage their power and control over the victims, especially if the victim is an employee. In fact, some offenders carefully seek victims they believe to be vulnerable, who have too much to lose to report inappropriate behavior.</p><p>In these cases, the perpetrator may use intimidation tactics to demonstrate control over the victim's position with the enterprise. Moreover, he or she may engage in emotional abuse, especially if the victim feels trapped because he or she needs the job.  
</p><p>A major warning sign is an attempt to isolate the victim. This may start when the one with the power communicates a desire to mentor and help the intended target. Then, the mentoring may progress so that moments of emotional intimacy are created. This can make the victims feel as if they voluntarily put themselves in the situation by sharing personal experiences. Moreover, if the victim shares some intimate secrets in these conversations, the perpetrator may later use them for emotional blackmail, to secure the victim's silence. Sometimes, the victim discusses personal relationships, which may lead to sexual revelations. Once the hook is set, the harasser can make the victim feel complicit in an inappropriate workplace emotional or physical affair, but that does not minimize the seriousness of the harasser's behavior.</p><p>If confronted, offenders often take pains to minimize questionable conduct. They may say they were only joking or blame the victim (or others) for the offensive behavior. They will usually deny any wrongdoing during initial interviews, because they know it is their word versus the word of a powerless victim. They may posture their power to further intimidate the victim: "I've been with the company for years and am well-respected. No one will believe you!" </p><p>And in some cases, offenders will use their position of authority and apply economic pressure. Executives often have the power to promote, demote, or sabotage a subordinate's career path. For abusers, these can be powerful tools of oppression to wield, because victims often feel that no one will believe them, and they cannot afford to lose earning power. ​</p><h4>Conducting Investigations</h4><p>Creating and conducting a neutral and fair investigation is critical to the successful resolution of harassment complaints, but employers must be careful. 
</p><p>As a framework, it is important for organizations to establish investigation-related policies, procedures, and an enterprisewide training program, and to maintain a culture that encourages victims to report misconduct.</p><p>Most enterprises in these situations turn to outside experts, especially when working with legal counsel. Here, experience is crucial; skilled investigators who have years of experience conducting sensitive investigations of sexual misconduct are valuable assets. Too often, inexperienced investigators leave the employer with no evidence and a "he said, she said" inconclusive finding. By keeping some important investigative steps in mind, security professionals can maximize the likelihood of reaching a conclusive investigative result.</p><p>First, do not discount any reports of harassment or misconduct. Often victims will hint about less offensive conduct to "test the waters." In these cases, the victim may want to know that you care and will believe him or her before they disclose the full seriousness of the conduct. </p><p>Of course, this does not mean everyone reporting misconduct is telling the truth, or the whole truth. In some instances, accusers may use claims as a preemptive measure to avoid being disciplined or discharged, because they have been forewarned that their performance or conduct has not met expectations. In these situations, the supervisor should be accompanied by an HR representative or other neutral supervisor in disciplinary meetings.</p><p>Similarly, a witness should be present when the accuser is interviewed. To help understand the accuser's version of events, security managers should ask questions that help clarify encounters, but should avoid leading questions. Never blame the victim for failing to report the matter earlier.</p><p>Sometimes, counsel may request that the interviews be video recorded with the consent of those being interviewed. 
Video recording interviews is a good way to memorialize important statements, but you must be prepared to meet resistance to this request. In case of such resistance, you may explain that video recording is standard procedure, and that it avoids misunderstandings about what was said and helps properly document any remedial actions required by law. </p><p>Often, the victim begins the conversation with the statement, "Can I confide in you about a problem?" However, security managers can never commit to secrecy, because they may be compelled to report what they are told. So, the answer must be on point, such as, "Mary, you clearly came to me because you know I care. Tell me what's on your mind and I'll tell you what the next steps are that I can take." </p><p>In interviewing the victim, one of the most critical questions that is often overlooked is, "Whom have you confided in about this matter?" More often than not, victims of sexual misconduct share with trusted confidants. So, ask victims what they revealed, and when they shared the information. This will provide important witnesses who can help corroborate the victim's integrity. Be careful about immediately believing reports of misconduct that occurred years ago without corroborative testimony or evidence. It does not mean the accuser is being untruthful, but time diminishes evidence and memories.​</p><h4>Interviewing the Accused</h4><p>Interviewing the accused is another important step. Too often the accused is interviewed too early in the investigation, before all circumstances are known. Another common misstep is asking closed-ended questions that can make it easier to deny the allegations, such as, "Did you touch Mary in your office last week?" </p><p>Questions that are open-ended but targeted are critical to helping determine the truth, and developing them in advance can help determine a successful outcome. 
</p><p>During the process, it is imperative that the accused and accuser be separated to avoid claims of retaliation. Communicate clearly to the accused that he or she is not to speak to the accuser, or engage in any behavior that may be interpreted as unlawful retaliation. If the accuser is a direct report of the accused, the latter should be transferred. Transferring the accuser to another manager, absent written consent by the victim to be reassigned, can result in a claim of retaliation.</p><p>Preserving evidence is vital to the investigation. Emails, text messages, voice mails, work schedules, diaries, and other evidence must be properly documented and preserved. Practicing this consistently is often the key to uncovering evidence that proves or disproves the allegations. </p><p>Finally, remember that documentation is the investigator's salvation. Every step, every interview, and every finding should be clearly documented. The investigation must be fair and neutral to all parties. Decisionmakers will draw conclusions based on the investigative findings; the investigator's  role is to assemble the facts, so they can fully inform the conclusions. ​</p><h4>Employer Liability </h4><p>The employer is automatically liable for harassment by a supervisor that results in a negative employment action such as termination, failure to promote or hire, or loss of wages. 
If the supervisor's harassment results in a hostile work environment, the employer can avoid liability only if it can prove that it reasonably tried to prevent and promptly correct the harassing behavior, and that the employee unreasonably failed to take advantage of any preventive or corrective opportunities provided by the employer.</p><p>The employer will be liable for harassment by nonsupervisory employees or nonemployees over whom it has control (for example, independent contractors or customers on the premises) if it knew, or should have known, about the harassment and failed to take prompt and appropriate corrective action.</p><p>When investigating allegations of harassment, the EEOC looks at the entire record, including the nature of the conduct and the context in which the alleged incidents occurred. A determination of whether harassment is severe or pervasive enough to be illegal is made on a case-by-case basis.​</p><h4>Prevention is Key</h4><p>Prevention is the best tool to mitigate harassment in the workplace. Establish clear anti-harassment policies and procedures, provide training at all levels, and take immediate and appropriate action when an employee complains. Clearly communicate to employees that unwelcome harassing and sexual misconduct will not be tolerated. In addition, employees should be encouraged to both inform the harasser directly that the conduct is unwelcome and must stop, and report harassment to management at an early stage to prevent its escalation.</p><p>Employers should strive to create an environment and a work culture in which employees feel free to raise concerns and are confident that those concerns will be addressed. The result will be a positive workplace where all personnel are valued.​</p><h4>A Rush to Judgment</h4><p>As seen in recent events, employers are often quick to distance themselves from the accused prior to any investigation. 
This response hurts the enterprise and brand, because it sends a message of a rush to judgment, or damage control. The first public response, if any, is to communicate that the company takes all allegations seriously, conducts a thorough investigation, and then takes effective remedial steps.</p><p>The EEOC does not demand termination, but it does require that companies take effective remedial steps. Termination may be warranted, but the investigation will determine the ultimate disciplinary measures. Ask the accuser what he or she thinks should happen to the perpetrator. Listening to this proposed solution often mitigates the risk of civil claims, because the accuser was part of the investigation, apprised of the findings, and involved in determining the appropriate remedial steps.</p><p>If your organization has not equipped itself to perform a thorough and fair investigation, it may decide instead on a hasty termination, or an immediate distancing from the accused. This is a mistake. If made, the next time you get to hear a response from the accused may be in a deposition in a costly and highly public civil lawsuit. Or worse, in a criminal court.  
</p><p><br></p><h4>Sidebar: Questioning the Accused</h4><p> </p><p>Here are some examples of open-ended questions, along with warning flags that can lead an investigator into a more useful inquiry:</p><p> What does Mary know about you personally?</p><ul><li><p>The accused shares intimate details that superiors have little reason to know about their employees.</p></li><li><p>The accused blames the employee for wanting to meet alone.</p></li></ul><p> </p><p>Why should we not believe Mary?</p><ul><li><p>The accused may come in armed with reasons she cannot be believed, even though previous evaluations about Mary have been stellar.</p></li><li><p>The accused may use rank, length of service, and position as reasons to believe him or her, instead of answering the question directly.</p></li></ul><p> </p><p>How many times have you met with Mary alone in the past six months?</p><ul><li><p>The accused makes excuses for meeting with the employee alone.</p></li><li><p>The accused blames the employee for wanting to meet alone.</p></li><li><p>The accused claims to have a bad memory and can't recall how many times he or she has met with the employee alone, much less the context and content of such meetings.</p></li></ul><p> </p><p>Assume a supervisor apologizes, gets help, and pays Mary for counseling. 
What would you like to see a company do?</p><ul><li><p>The accused often uses this question to agree that these steps should be taken, which is generally a tacit admission that he or she engaged in the behavior.</p></li><li><p>The accused does not believe the supervisor should be harshly punished.</p></li></ul><p> </p><p>What did Mary share with you about her life?</p><ul><li><p>The accused shares intimate details that superiors have little reason to know about their employees.</p></li></ul><p> </p><p>Who should we interview about Mary and what will they say?</p><ul><li><p>The accused attacks Mary by listing all the reasons she cannot be believed, while being unable to name potential witnesses. He or she may name trusted colleagues who can comment only about his or her performance and who have little information about Mary.</p></li></ul><p> </p><p>What do you believe Mary has said about you?</p><ul><li><p>The accused reveals personal or intimate information.</p></li><li><p>The response of the accused mirrors the statement that the accuser provided about the misconduct.</p></li></ul><p> </p><p>Tell me everything you know about Mary.</p><ul><li><p>The accused quickly tells you information designed to discredit the victim that has never been reported or documented.</p></li><li><p>The accused knows too much about Mary's personal life.</p></li></ul><p> </p><p>Assume we believe Mary, what do you think should happen?</p><ul><li><p>Often, a perpetrator seeks mercy or a second chance.</p></li><li><p>The accused personalizes the outcome to minimize the chances of being dismissed or publicly ridiculed.</p></li></ul><p> </p><p>When we interview past and present employees, how many will say that you talked about private or sexual matters?</p><ul><li><p>Instead of an immediate and clear denial, the accused will have difficulty remembering.</p></li><li><p>The accused attempts to throw other employees under the proverbial bus, although no problems were previously reported.</p></li></ul><p><em>Steven C. Millwee, CPP, is the founder, president, and CEO of SecurTest, Inc., a background screening and investigative consulting firm. Millwee was the 2002 president of ASIS International. He is a frequent expert witness in sexual harassment cases, and is the author of several harassment and sexual assault biographical questionnaires for use in investigations.</em></p>
https://sm.asisonline.org/Pages/Weapons-in-the-Workplace.aspx
Weapons in the Workplace (Physical Security)
<p>In late 2017, a photograph surfaced of three construction workers from American Sewer Services carrying weapons on a job site in Milwaukee. In the photo, two men clearly displayed their weapons in holsters, while another held a pistol in his hand.</p><p>As a result, the three construction workers were fired. The city of Milwaukee cited its policy that prohibits employees from bringing weapons to their jobs, including employees of subcontractors. </p><p>One gun advocate defended the workers and said the geographic area where they carried their weapons was "infamous" for its crime rate, The Blaze reported. </p><p>On the other end of the spectrum, a Wisconsin state legislator told the media outlet that carrying guns openly on the job was "irresponsible." </p><p>While the city of Milwaukee has a clear policy on guns, for most private employers, the issue is anything but cut-and-dried. There is currently no U.S. federal law regulating weapons at private workplaces, but many state legislatures have taken up the cause of protecting the Second Amendment rights of employees while on the job. These laws, which are typically designed to protect employees' individual rights to possess concealed firearms, vary in terms of their restrictions and make it tough for employers operating in multiple U.S. states to implement one weapons policy across the board. </p><p>Workplace shootings have become increasingly common in the United States over the last few decades. The number of these incidents rose 15 percent in 2015 to 354 shootings, according to the latest numbers from the U.S. Bureau of Labor Statistics, and resulting homicides grew by 2 percent that year. 
</p><p>Gun advocates cite such cases as reasons to allow guns in the workplace, while critics say these shootings are exactly why employers should ban firearms. As the debate rages on, employers are left grappling with the question of how to comply with state law and institute their own policies that promote a safe work environment. </p><p>While there are many legal twists and turns surrounding the issue, security practitioners must deal with the question of how current laws affect their responsibility to keep employees and property safe from external and internal threats. </p><p>By understanding the legal landscape surrounding firearms on work property, and ensuring that existing policies and procedures properly address workplace violence, security professionals can help promote a safe work environment without infringing on the legal rights of their employees.  ​</p><h4>Parking Lot Laws<img src="/ASIS%20SM%20Callout%20Images/0318%20Cover%20Story%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:369px;height:572px;" /> </h4><p>Most commonly, workplace gun laws allow employees the right to have firearms in their locked, private vehicles while parked on company-owned property. Additional obligations may be placed on the employer, such as a prohibition on searching vehicles and discriminating against an employee because he or she is a gun owner. </p><p>Twenty-three U.S. states provide some level of protection for employees who bring their firearms to company property. These so-called "parking lot laws" were part of an effort by state legislatures in the early 2000s to allow workers to exercise their Second Amendment rights at work, with some restrictions. </p><p>For example, often the gun must be locked in the trunk or glove box, or be hidden from view through the vehicle's windows. 
But the business community sees many issues with these laws and fears they will have a far-reaching impact on both employee safety and legal liability.</p><p>Parking lot laws vary in the level of protection they offer gun owners. Most prohibit employers from asking workers if they own guns, and from firing employees for owning firearms. These laws frequently conflict with existing workplace policies, which limit the employee's ability to bring firearms to work. </p><p>Oklahoma was the first U.S. state to pass a parking lot law when it amended legislation in 2004 to protect firearm owners from weapons prohibitions in workplace parking lots. </p><p>In 2002, an Oklahoma employer terminated several employees for having guns in their vehicles, which were parked on the employer's property. In response to the outcry that followed, the Oklahoma legislature amended the Oklahoma Self-Defense Act to ban employers from establishing any policy or rule that has the effect of prohibiting employees from transporting and storing firearms in a locked vehicle that is parked in employers' lots. </p><p>This caused great concern among the business community, which felt certain that the law would not survive legal scrutiny. In response, a group of Oklahoma employers challenged the state law, arguing that the legislation conflicted with the U.S. Occupational Safety and Health Administration (OSHA) general duty clause, also known as the Occupational Safety and Health Act of 1970 (OSH Act), a U.S. federal law. </p><p>The plaintiffs argued that the general duty clause says employers must maintain a safe and secure workplace free of violence, and preempts any existing U.S. state law. The U.S. District Court for the Northern District of Oklahoma agreed with the employers.</p><p>The district court reasoned that under the general duty clause, gun-related workplace violence is a "recognized hazard." Therefore, any employer allowing firearms in the workplace lot may be in violation of U.S. 
federal law by promoting an unsafe workplace.</p><p>The case went to the U.S. Court of Appeals for the Tenth Circuit, which reversed the decision. The court reasoned that "OSHA has not indicated in any way that employers should prohibit firearms from company parking lots," according to court documents. "OSHA's website, guidelines, and citation history do not speak at all to any such prohibition." </p><p>Because OSHA does not indicate that employers should prohibit firearms from company parking lots, the appellate court ruled that there is no U.S. federal law that would preempt Oklahoma's amendment to the Self-Defense Act. </p><p>This initial case was a signal that employers would not be able to simply dismiss these laws by citing safety and security concerns or by arguing that U.S. federal regulations created an obligation to keep the workplace free of employees' weapons.​</p><h4>Employee Rights</h4><p>More lawsuits can be expected regarding employee termination based on gun-free workplace policies. An intriguing case comes out of the state of Florida, which passed a comprehensive law in 2008 that prohibits public and private employers from discriminating against any employee, customer, or invitee for exercising the right to keep and bear arms. </p><p>Under the Florida law, employers are barred from many actions, including: prohibiting employees or invitees from possessing legally owned firearms in their vehicles; inquiring about the presence of a firearm in the employee or invitee's vehicles; searching a private motor vehicle; and taking any action against an employee or invitee based on any verbal or written statement regarding the possession of a firearm in a private vehicle. 
</p><p>The law also says that companies are barred from conditioning employment on the following: whether an employee or prospective employee holds a concealed-weapons permit; an agreement by the employee or prospective employee that forbids the employee from keeping a legal firearm locked in his or her vehicle when the firearm is kept for lawful purposes; or prohibiting any employee or invitee from entering the parking lot because the employee or invitee's vehicle contains a legal firearm. </p><p>Finally, the law bars employers from terminating or otherwise discriminating against an employee or expelling an invitee for exercising the right to keep and bear arms or to exercise self-defense, so long as the firearm is not exhibited on company property for any reason other than lawful defensive purposes.</p><p>In December 2015, an employee who worked for Universal theme park in Orlando, Florida, had a concealed weapon in his vehicle in the employee parking garage. The employee, who had worked for Universal since 1993, commonly left his gun in his car at work. One day, the handgun was stolen from his vehicle, and he reported it to the police.</p><p>When park officials learned that he had a firearm on company property, they terminated him, claiming that he had violated Universal's gun-free zone policy. </p><p>The employee sued Universal in Orange County Circuit Court, citing the 2008 law. The lawsuit argued that he had an express right to bring his gun onto the lot and leave it in his vehicle. </p><p>Universal claimed that the Florida law didn't apply because schools and prisons are exempt from state weapons policies, and Universal has a program for school children on its property. Before the litigation could play out, Universal gave the employee his job back in April 2016 and he withdrew the lawsuit, the Orlando Sentinel reported. </p><p>Comparable cases have been filed in similar circumstances in other states. 
In Kentucky, a man was fired from UPS Supply Chain Solutions in May 2013 for transferring a gun lawfully stored in his personal vehicle to another worker's personal vehicle. </p><p>The man, who had a concealed carry permit, said he experienced car trouble on the way to work, and moved the weapon because he was taking his car to be repaired. The fellow employee storing his weapon as a favor soon became uncomfortable and reported it to his supervisor. </p><p>The company then placed the employee on suspension and eventually fired him, stating that its policy allowed weapons only inside a private vehicle. The company claimed that by removing the gun from his personal vehicle, he violated the workplace policy. </p><p>In the lawsuit, the employee claimed that under a Kentucky Revised Statute, a firearm may be "removed from the vehicle or handled" when it is done in "defense of property." </p><p>But the court ruled that the employee was attempting to interpret the law too broadly. "However inclined we might be to believe that such an exception would be a good thing, we decline to construe the term 'defense of property' as broadly as the employee suggests," the court wrote. (Holly v. UPS Supply Chain Solutions, Inc., U.S. Court of Appeals for the Sixth Circuit, March 2017)</p><h4>Employer Protections</h4><p>Several U.S. states have included some liability protections to provide conditional immunity to employers that comply with their state's guns-at-work law. This is mainly in response to the business community's outcry over what liability they will face for workplace violence involving guns on their property. 
</p><p>For example, under Georgia law, an employer is not liable for any criminal or civil action for damages arising from an occurrence involving the transportation, storage, possession, or use of a firearm, including theft of the firearm, unless the employer commits a criminal act involving a firearm, or if the employer knew the person using the firearm would commit a criminal act on the employer's premises. </p><p>While the Georgia law provides some cover for employers, it also leaves them vulnerable to lawsuits if they knew the person would commit an act of violence. This raises many questions as to how to handle someone who may have violent tendencies. How do you restrict that person's access to firearms in his or her vehicle? Can you terminate him or her based on that assumption alone? </p><p>Policies. Although these laws at face value complicate certain aspects of workplace violence policies and active shooter response plans, there are many steps that employers can take. Most importantly, security practitioners should educate themselves on relevant U.S. state guidelines, and confer with their general counsel on these issues to avoid unknowingly breaking the law. </p><p>For example, signs that read "no weapons" in parking lots are illegal in some U.S. states in certain circumstances. Knowing the limitations will allow companies to properly respond without risking legal liability.</p><p>If located in a state with current legal provisions for weapons in the workplace, companies should educate their workers on the boundaries of that law. For example, some employees will unintentionally assume they have greater rights, such as open-carry or storing the weapon inside the workplace. </p><p>Workplace violence. Policies on workplace violence should include a thorough explanation of relevant state law regarding guns on workplace property. 
Employers should be comprehensive in creating policies that outline how to report and respond to employees who are potentially violent or otherwise pose a threat to the safety of others. </p><p>Many employers lose their conditional immunity in a workplace shooting or incident if the perpetrator was someone who had a history of violence, or was otherwise known to the employer to be a threat. </p><p>In U.S. states that make provisions for weapons on workplace property, conducting high-risk terminations is of greater concern. Employees who store weapons in their cars, abiding by the law, could inadvertently become a threat during termination. </p><p>When firing any individual considered to be high-risk, companies should consider providing a security escort to the parking lot. Security should ensure that the former employee has left the property, and front desk or other reception team members should be alerted that the person is not allowed back on the premises. Organizations should train security officers, as well as human resource employees, in the use of de-escalation techniques. </p><p>Finally, for workplaces that must comply with parking lot laws, there are several steps that will help protect the employer while respecting the legal rights of employees. </p><p>Organizations may consider increasing security in parking areas, such as adding an access control point; conducting patrols around the building and in parking lots; installing or enhancing video surveillance systems; and implementing proper lighting. </p><p>In some cases, bag searches or magnetometers may be installed at building entry points, but legal requirements should be checked before implementing such measures. Deterring the carriage of weapons outside the vehicle will generally serve as a reminder of the law and keep both employers and employees safe. 
</p><p>At first glance, the laws surrounding weapons in the workplace may seem like a jigsaw puzzle that is difficult to comprehend, but there are steps employers can take to ensure that assets and people are protected. Understanding the law and establishing strong policies within the employers' legal rights will ensure that workplaces abide by the law while keeping their assets and people safe.  </p><p><em>Eddie Sorrells, CPP, PCI, PSP, is chief operating officer and general counsel at DSI Security Services in Dothan, Alabama. He is the author of Security Litigation: Best Practices for Managing and Preventing Security-Related Lawsuits. He can be reached at esorrells@dsisecurity.com. ​</em></p>
https://sm.asisonline.org/Pages/March-2018-Industry-News.aspx
March 2018 Industry News (Security by Industry)
<h4>BOOTH COMPETITION</h4><p>B.I.G. Enterprises, Inc., inspired both licensed architects and architects-in-training to vie for top prizes in its inaugural 2017 B.I.G. Architectural Booth Design contest. More than 13,000 invitations were sent to current or former students of the 81 universities in the U.S. recognized by either the National Architectural Accrediting Board or the Association of Collegiate Schools of Architecture. Entries came from alumni and undergrads as far away as Malaysia, Colombia, and Albania.</p><p>Two award-winning U.S. architects judged the final field of 15 sketches, which were selected based on the buildability of the ideas. The judges praised the combination of indoor and sheltered outdoor space in the submissions. They found that the contest uncovered a broad slice of architectural ideas appropriate to the idea of a guard shelter, whether through a modern approach, a retro vibe, playfulness, or another theme.</p><p>The top cash prizes went to Colombian Roberto Caputo for first place, American Benjamin Garcia for second place, and Albanian Frida Vokshi for third place. In the image above, Caputo's design is second from the left in the top row; Garcia's design is on the far right on the bottom row. </p><p>"We are pleased to offer these new designs to our customers and look forward to discussing an application for each one of them," says B.I.G. 
Vice President Dave King.</p><h4>PARTNERSHIPS AND DEALS</h4><p>Abloy UK and Bristol Maid supplied Queen Elizabeth Hospital Birmingham with PROTEC2 CLIQ and Traka21 advanced key management systems to improve the security of medicines.</p><p>Agent Video Intelligence announced that its innoVi cloud-based video analytics integrate with Amazon Kinesis Video Streams, a service to capture, process, and store video streams for analytics and machine learning. </p><p>Allstate Insurance is working with Carpe Data to apply highly predictive online data to claims processing.</p><p>Astrophysics Inc. selected Bell and Howell to help increase its service reach and capabilities as the company expands in the United States and Canada.</p><p>BIO-key International, Inc., reported that CyberCore Technologies will deploy BIO-key's ID Director for Windows software authentication platform.</p><p>Captis Intelligence will provide Rite Aid with asset protection support service from its corporate office in Los Angeles.</p><p>The CNL Software Technology Alliance Program will integrate Jacques Technologies' IP Communications Systems with the IPSecurityCenter PSIM integrated situation management solution.</p><p>Confidex Ltd. was selected to supply smart tickets to Strömma Finland, the operator of Helsinki Card, which provides access to attractions and museums around the capital of Finland.</p><p>Cyberbit supplied ISE Systems with a Cyberbit range for its Cybersecurity Training Center in Paris.</p><p>Delta Scientific is working with Knight Brothers Pty. Ltd. 
in Sydney, Australia, to provide security professionals and public space operators with crash-rated vehicle mitigation solutions.</p><p>DNA and Tosibox will provide DNA real estate customers an advanced data security solution for monitoring building automation systems.</p><p>The Electronic Healthcare Network Accreditation Commission is collaborating with OmniSystems, Inc., to offer its accreditation programs, cybersecurity framework, and consultative services to customers in the United Kingdom, the Caribbean, and other markets.</p><p>Mphasis selected Fortinet to deliver advanced threat protection and secure data networks in virtualized platform to service its customers. </p><p>Galaxy Control Systems enhanced the level of integration between its System Galaxy Access Control and Cloud Concierge products and Schlage NDE and LE wireless locks from Allegion.</p><p>Hikvision USA Inc. worked with integrator Holmes Security Systems to provide a security system for The Lodge at Operation Inasmuch men's shelter in Fayetteville, North Carolina. </p><p>ImageWare Systems, Inc., and Secure Channels, Inc., are enhancing the Entertainment Security Operations Center with multifactor biometric authentication.</p><p>InfoArmor, Inc., announced that Baird of Milwaukee, Wisconsin, will offer PrivacyArmor identity protection as an employer-sponsored benefit to its employees.</p><p>Jumio announced a partnership with Meed to provide remote ID verification services for its package of financial services.</p><p>Kastle Systems International announced that its KastlePresence is offered at Cushman & Wakefield's 1401 Eye Street premier office building in Washington, D.C. It allows staff and tenants to use smartphones to access the building's perimeter, elevators, and suites.</p><p>Kroll announced a partnership with the Center for Internet Security.</p><p>Savelberg care center in Gouda, The Netherlands, chose the Conview Care solution from Leertouwer. 
It includes video surveillance, sound and motion detection, and electronic bracelets.</p><p>Leidos and SecurityMatters will provide passive monitoring capabilities to enhance cybersecurity for industrial and critical infrastructure networks.</p><p>Magal Security Systems, Ltd., will provide integrated security solutions for a major seaport in East Africa as a subcontractor for Toyota Tsusho Corporation. </p><p>BNP Paribas is using the AEOS Security Management Platform from Nedap.</p><p>On the Move Systems announced that its subsidiary Robotic Assistance Devices will supply intelligent robotic solutions through Allied Universal to supplement security professionals and drive efficiency.</p><p>Park Assist installed its M4 camera-based parking guidance systems at Cherry Creek Shopping Center in Denver, Colorado.</p><p>The Louvre in Abu Dhabi is using a Rasilient surveillance video storage system solution.</p><p>Salient CRGT, Inc., partnered with Kaseware to integrate its Voyager Query for Law Enforcement within the Kaseware investigative case management system.</p><p>The Vienna University of Economics and Business worked with Siemens AG Austria to create a networked video system using SeeTec video management software. </p><p>Thales announced that Kashing Ltd. is deploying its payShield 9000 hardware security module to secure online e-commerce and mobile point of sale card readers.</p><p>TruTag Technologies is providing its TruTag on-dose identity solution to the Daily Wellness Company, a nutraceutical manufacturer. The TruTag solution is covert and edible.​</p><h4>GOVERNMENT CONTRACTS</h4><p>The Texas Department of Information Resources awarded AT&T a contract to offer managed security services statewide.</p><p>Charlotte-Mecklenburg Police Department purchased TASER X2 Smart Weapons from Axon.</p><p>BIO-key was selected to provide a biometric solution for the Province of British Columbia.</p><p>Bruker will deliver RAID M-100 hand-held chemical detectors to the U.S. 
National Guard.</p><p>Centigon France was selected by SCANIA to protect truck cabins for the Danish Armed Forces.</p><p>The U.S. Army Corps of Engineers selected the CH2M-Merrick Joint Venture to support the Missile Defense Agency's Ballistic Missile Defense Program with electronic and physical security design.</p><p>The Philippines Land Transport Office is issuing 500,000 biometric licenses per month, using a system from DERMALOG.</p><p>Design Interactive ScreenADAPT, a visual search training program, is being used at the Portland Airport.</p><p>The Seagull unmanned surface vessel from Elbit Systems performed mine countermeasures in a joint exercise between the Israeli Navy and the British Royal Navy.</p><p>FoxGuard Solutions, Inc., was awarded a grant from the U.S. Department of Defense (DoD) to develop a cybersecurity platform to protect military installations across the world.</p><p>Herta will install facial recognition solutions in the city of Phuket, Thailand, as part of a safe city initiative.</p><p>MacAulay-Brown, Inc., was awarded a task order to help the U.S. Air Force Research Lab streamline business applications and software across the enterprise.</p><p>Milestone Systems video management software and Axis Communications network video cameras are helping protect Las Ramblas in Cayala City, Guatemala. 
EMC Isilon servers provide the data storage.</p><p>MSA Safety provided state-of-the-art G1 self-contained breathing apparatus to the Chicago Fire Department.</p><p>Orion Communications announced that the Massachusetts State Police selected its AgencyWeb solution to streamline scheduling, deployment of resources, training, supply management, and asset tracking.</p><p>Sullivan County Emergency Communications District in Tennessee transitioned to PowerPhone's Total Response solution.</p><p>RADWIN announced that Antwerp Police in Belgium chose its JET Point-to-Multipoint solutions to build a video surveillance network.</p><p>The Brazilian Ministry of Education is using the ANDRE Advanced Near-field Detection Receiver from Research Electronics International to detect cheating at standardized testing.</p><p>Siklu Inc. announced that its MultiHaul radios were selected by Wichita, Kansas, to provide wireless connectivity for cameras deployed in the city's Old Town district. </p><p>Threat Sketch was awarded a contract from the National Institute for Hometown Security and the U.S. Department of Homeland Security to help develop innovative solutions for the critical infrastructure community.</p><p>Wireless video experts xG Technology, Inc., will supply hand-held intelligence, surveillance, and reconnaissance devices to the U.S. Army.</p><h4>AWARDS AND CERTIFICATIONS</h4><p>Hosting company 3W Infra achieved compliance with ISO 27001 and PCI-DSS standards, according to audit company Noordbeek B.V.</p><p>A+ Technology & Security Solutions was named 2017 Education Partner of the Year by Axis Communications.</p><p>Akoustis Technologies, Inc., announced that its wafer fabrication facility in Canandaigua, New York, achieved ISO 9001:2015 certification. 
It also received new patents related to its piezoelectric materials, resonators, RF filters, and their applications.</p><p>Arxys Software Orchestrated Storage is now a Milestone Certified Solution.</p><p>Convergint Technologies was named 2017 National Systems Integrator of the Year by Axis Communications.</p><p>Detection Technology was granted ISO 9001:2015 and ISO 14001:2015 certification.</p><p>Hanwha Techwin's high-performance chipset Wisenet 5 won the Grand Prize at the High-Tech Safety Industry Product and Technology Awards 2017.</p><p>G4S Secure Solutions (USA) was named Outstanding Philanthropic Corporation by the Association of Fundraising Professionals of Palm Beach County. </p><p>IdeaScale announced its FedRAMP authorization.</p><p>Lieberman Software Corporation announced that its Rapid Enterprise Defense Identity Management is certified for Microsoft Azure Government. </p><p>Mimecast Limited was named one of the Top Places to Work in Massachusetts by The Boston Globe.</p><p>Little Caesars Arena, home of the Detroit Red Wings and Detroit Pistons, received SAFETY Act Certification from the U.S. Department of Homeland Security. The arena is managed and operated by Olympia Entertainment.</p><p>The VARIO2 IP Hybrid Illuminator from Raytec won an award for Innovative Achievement (Video Surveillance) at the Detektor International Awards 2017.</p><p>Rohde & Schwarz achieved U.S. Transportation Security Administration certification for its R&S QPS200 Security Scanner.</p><p>RSA announced that its NetWitness Suite was added to the U.S. Department of Defense Information Network Approved Product List.</p><p>Cloudera named Securonix Inc. the Cloudera APAC Technology Partner of the Year.</p><p>SmartMetric announced that its biometric card is protected by five new patents.</p><p>Suprema was recognized with the Best Product Award in the ID & Access Control category at the Detektor Awards.</p><p>VIPRE Security won the Channelnomics Innovation Award. 
</p><p>Votiro received the Common Criteria Certification from the Australian Signals Directorate following evaluation by BAE Systems.</p><h4>ANNOUNCEMENTS</h4><p>Alarm Lock Systems, a division of NAPCO, launched a new website at www.alarmlock.com.</p><p>The Alliance for Cyber Risk Governance introduced its risk framework initiative at its inaugural conference. The alliance plans to establish four working groups responsible for expanding on the initial recommendations.</p><p>Former Massachusetts Governor Michael Dukakis and Tuan Nguyen founded the Artificial Intelligence World Society to foster the ethical development, implementation, and advancement of artificial intelligence.</p><p>Quebec's Bureau de la Sécurité Privée launched a new website at www.bspquebec.ca/en as an essential reference portal for the private security industry.</p><p>Cisco and INTERPOL agreed to share threat intelligence as the first step in jointly fighting cybercrime.</p><p>The Cloud Security Alliance released the CSA Code of Conduct for GDPR Compliance, which provides guidance in complying with the European General Data Protection Regulation. </p><p>Contemporary Services Corporation renamed its Las Vegas employee training center in honor of an employee, Erick Silva, who was fatally shot during the attack on the Route 91 Harvest Festival.</p><p>Datacenter.com announced the official opening of its Amsterdam flagship colocation data center.</p><p>Ernst & Young LLP acquired E-STET, which will join its Fraud Investigation and Dispute Services.</p><p>Exterro Inc. 
announced a new educational website to educate lawyers on the e-discovery implications within the Federal Rules of Civil Procedure.</p><p>The Special Investigations Unit of the International Centre for Sport Security established a confidential Sport Integrity Hotline to help athletes, fans, and others report misconduct and sport integrity issues in the United States and Canada.</p><p>Karamba Security was invited to join the Automotive-Information and Sharing Analysis Center (Auto-ISAC).</p><p>KOLOGIK acquired the assets of COPsnyc of Dallas, Texas, to create a law enforcement regional data sharing network across Texas, Louisiana, and Mississippi.</p><p>The National Electrical Manufacturers Association and the Industrial Internet Consortium formed a formal liaison to advance the Industrial Internet of Things.</p><p>Midpoint Security is offering a free edition of CredoID access control software, which is compatible with HID VertX controllers, Edge IP readers, Mercury controllers, Suprema biometric IP, and wireless Aperio locks by Assa Abloy. </p><p>The mobotour team is seeking three individuals to serve on the company's advisory board—one in middle school, one in high school, and one in college. 
Learn more at mobotour.com/mobotour_advisoryboard_contest.</p><p>Nuctech launched a new branch in Rotterdam, The Netherlands.</p><p>The Ministry of Community Safety and Correctional Services in Ontario, Canada, used 16 ODSecurity Soter RS Body Scanners to perform 139,600 scans in 2017, yielding 4,774 positive scans that uncovered mobile phones, weapons, and drugs.</p><p>Ontario Power Generation and more than 30 partner organizations successfully completed a large-scale, emergency preparedness exercise at Pickering Nuclear Generating Station.</p><p>The Security Industry Association created the Autonomous Security Robots Working Group.</p><p>SecurityMetrics released the 2018 Guide to HIPAA Compliance to help explain HIPAA requirements.</p><p>Traffic & Parking Control Company opened a Minnesota Service Center in White Bear Lake, Minnesota.</p>