<p><a href="https://sm.asisonline.org/Pages/What-We-Know-Toronto-Vehicle-Attack.aspx">Deadly Toronto Vehicle Attack: What we Know</a> (National Security)</p><p><strong>What we know so far:</strong></p><ul><li><p>Ten people died and 15 were injured on Monday when a man deliberately drove a van onto a sidewalk crowded with pedestrians in Toronto. The attack occurred around 1:30 p.m. local time.</p></li><li><p>Police say the suspect is 25-year-old Alek Minassian, who was arrested after an intense standoff with officers in the minutes following the attack. He was seen pointing an object at law enforcement, but no shots were fired during the arrest.</p></li><li><p>Canadian news source CBC says the <a href="http://www.cbc.ca/news/politics/federal-leaders-respond-van-incident-1.4631909" target="_blank">attack is not part of a larger threat to national security</a>, according to the country's Public Safety Minister Ralph Goodale.</p></li><li><p>Car rental company <a href="https://www.reuters.com/article/us-canada-van/driver-kills-10-injures-15-plowing-van-into-toronto-sidewalk-crowd-idUSKBN1HU2IY" target="_blank">Ryder System Inc. confirmed that one of the company's rental vehicles</a> had been involved in the attack, Reuters reports. Ryder spokeswoman Claudia Panfil said that the company was cooperating with authorities.</p></li><li><p>Toronto Deputy Police Chief Peter Yuen said there would be <a href="http://www.bbc.com/news/world-us-canada-43873804" target="_blank">"a long investigation" following the attack</a>, according to the BBC, and said that hotlines had been set up for victims' families and for witnesses.
He has asked for any additional witnesses who have not come forward to contact law enforcement.</p></li></ul><p><strong>Vehicle Attacks on the Rise</strong></p><p>Deadly vehicle attacks have been used by terrorists in recent years, and USA Today has <a href="https://www.usatoday.com/story/news/world/2018/04/23/list-fatal-vehicle-attacks/544603002/" target="_blank">published a list</a> of some of these incidents over the last four years.</p><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:25%;"><strong>Location</strong></td><td class="ms-rteTable-default" style="width:25%;"><strong>Killed</strong></td><td class="ms-rteTable-default" style="width:25%;"><strong>Injured</strong></td><td class="ms-rteTable-default" style="width:25%;"><strong>Date</strong></td></tr><tr><td class="ms-rteTable-default">Houston</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">3</td><td class="ms-rteTable-default">March 2018</td></tr><tr><td class="ms-rteTable-default">NYC Hookah Bar</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">7</td><td class="ms-rteTable-default">December 2017</td></tr><tr><td class="ms-rteTable-default">Barcelona, Spain</td><td class="ms-rteTable-default">14</td><td class="ms-rteTable-default">100</td><td class="ms-rteTable-default">August 2017</td></tr><tr><td class="ms-rteTable-default">Times Square, NYC</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">22</td><td class="ms-rteTable-default">May 2017</td></tr><tr><td class="ms-rteTable-default">London Bridge, U.K.</td><td class="ms-rteTable-default">8</td><td class="ms-rteTable-default">48</td><td class="ms-rteTable-default">June 2017</td></tr><tr><td class="ms-rteTable-default">Westminster Bridge, U.K.
</td><td class="ms-rteTable-default">5</td><td class="ms-rteTable-default">50</td><td class="ms-rteTable-default">March 2017</td></tr><tr><td class="ms-rteTable-default">Berlin, Germany</td><td class="ms-rteTable-default">12</td><td class="ms-rteTable-default">50</td><td class="ms-rteTable-default">December 2016</td></tr><tr><td class="ms-rteTable-default">Ohio</td><td class="ms-rteTable-default">-</td><td class="ms-rteTable-default">14</td><td class="ms-rteTable-default">November 2016</td></tr><tr><td class="ms-rteTable-default">Nice, France</td><td class="ms-rteTable-default">86</td><td class="ms-rteTable-default">Several Hundred</td><td class="ms-rteTable-default">June 2016</td></tr><tr><td class="ms-rteTable-default">Valence, France</td><td class="ms-rteTable-default">-</td><td class="ms-rteTable-default">2</td><td class="ms-rteTable-default">January 2016</td></tr><tr><td class="ms-rteTable-default">Quebec</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">1</td><td class="ms-rteTable-default">October 2014</td></tr></tbody></table></div>
<p><a href="https://sm.asisonline.org/Pages/Access-Control-for-Healthcare-and-Nursing-Facilities.aspx">Access Control for Healthcare and Nursing Facilities</a> (Security by Industry)</p><p>Access control within the healthcare industry—particularly in hospitals and nursing homes—requires a unique approach, encompassing not only main entrance doors, but also internal entrances and exits based on location and access level. And more than that, these facilities must manage large quantities of data, making data management a critical component of a comprehensive security plan.</p><p>Security managers can work to secure these components by seamlessly integrating systems together. For example, various doors and locks can be programmed to activate at specific times and rules can be applied based on time of day, shift changes, specific department access, and more. Healthcare facilities also look for the ability to control access remotely through mobile applications, confirm identity quickly and easily, and program varying levels of access for visitors, patients, doctors, and staff. These facilities also require oversight 24 hours a day, seven days a week, which can be a challenge for security directors.</p><p>Similarly, nursing homes require robust access control to protect patients and high-value assets, such as medical equipment and prescription medications, from internal and external theft. Additionally, some nursing home patients require more robust monitoring, meaning that access control points and video surveillance must work together to enable administrators to monitor incoming and outgoing patients, visitors, and staff.</p><p>Both kinds of facilities must be careful with sensitive materials, such as narcotics and sterile environments, that require added protection and protocols.
Medical files and controlled substances must be protected by electronic access-controlled cabinet locks to provide hospitals and administrators with the required audit trail in case of a breach. </p><p>Video surveillance in nursing homes is a critical component of a comprehensive security solution. Its usefulness centers around operational efficiencies such as managing deliveries of important goods, monitoring food preparation, ensuring proper care of patients, and overseeing the constant flow of people coming in and out of a facility. Video also becomes important in the event of an incident for investigative purposes. </p><p><strong>Putting it All Together</strong></p><p>A large healthcare organization must take the safety and security of patients—and their personal information—seriously. Implementing a security management system (SMS) can integrate a facility's access control technologies, digital video, and alarm monitoring systems into a single, streamlined solution. </p><p>Going even further, in many large enterprise organizations, multiple databases can be incorporated into an SMS, including a human resources software program. The result is the ability to streamline data input with the push of a button. For example, when an employee is terminated, access is automatically revoked when an HR manager changes the person's employment from "active" to "inactive." This means the integration of data requires only a single update to control access across the campus. </p><p>The need for integration will continue to drive innovation in access control, not only for security systems, but also for human resources, directory software tools, and event management programs. Busy facilities and their administrators require the ability to grant permissions in a way that not only saves time and energy on manual input, but also makes changing permissions easy and efficient.  
</p><p>Also important to a healthcare facility is the protection of personal information from prying eyes and hackers, which means access to records must be heavily protected. In many facilities, biometrics are being used—via iris or fingerprint scanners—to protect important information from would-be hackers. This way, only authorized users have access to the information. Additionally, IT departments within these facilities are working closely with security leaders to ensure that networks are as secure as possible to protect from ransomware attacks, which have plagued the healthcare industry in the last few years.  </p><p><strong>Locking Down </strong></p><p>Lockdown capabilities are paramount within today's healthcare settings, driving access control manufacturers to provide solutions that make it easy for security directors to control access quickly and efficiently in the event of an emergency. End users are also looking for mobility, and having a mobile application to help grant access, freeze access, or change permissions easily is important in this vertical market, along with the ability for security teams and professionals to move freely throughout the facility.  </p><p>One area where this is critical is in nursing homes. These entities must provide loved ones with the knowledge and peace of mind that their family members are safe while balancing freedom with security. In some instances, patients with dementia or Alzheimer's require additional, around-the-clock care that can be extended to the entrances and exits of a facility. In turn, nursing homes must invest in the ability to lock down a facility to keep patients from exiting without notifying staff, while also providing the welcoming environment that facilities hope to foster. Certain access control systems allow caregivers within a nursing home facility to let visitors in and out with the touch of a button, while keeping at-risk patients from exiting the facility.  
</p><p>Healthcare facilities must provide safety and security for visitors, patients, staff, and assets. The ability to lock down portions of a hospital or an entire facility is crucial to its ongoing operations. Additionally, having a system in place that allows security officials to communicate these rules quickly and efficiently through an easy-to-use interface is key to adhering to the rules and regulations that govern healthcare facilities. Access control is critical to the success of security programs, and being able to integrate with data management platforms can make this task easier than ever before.  </p><p><em>Kim Loy is director of Technology and Communications at Vanderbilt Industries.</em></p>
<p><a href="https://sm.asisonline.org/Pages/YouTube-HQ-Shooting-What-We-Know-So-Far.aspx">ASIS Physical Security Council Reacts to YouTube Shooting</a> (Physical Security)</p><p><strong>YouTube Headquarters Perimeter Security Questioned</strong><br></p><p>By Lilly Chapa<br></p><p>The ability of the shooter to gain access to YouTube's office courtyard via the parking garage raises questions about the building's physical security. ASIS International Physical Security Council secretary <a href="https://www.linkedin.com/in/dave-pedreira-daoc-cdt-cspm-fdai-leed-green-assoc-7a533110/" target="_blank">David Pedreira</a>, a Distinguished Architectural Openings Consultant (DAOC) and door opening consultant for ASSA ABLOY, tells Security Management that when it comes to Deter, Detect, and Delay security principles, the role of perimeter security is to deter—and that didn't happen at YouTube headquarters.<br></p><p>"I wonder why there wasn't more electrified locking access control doors to keep people out at the parking garage," Pedreira says. "Why was it free entry, why was she able to get right in?"</p><p>With properly functioning fail-secure electrified locking devices at perimeter points of entry, authorized personnel would gain entry through an access control card or their mobile device, and visitors would be rerouted. Pedreira notes that many companies leave doors unlocked during normal business hours to cater to visitors.</p><p>"In this day and age, we don't need to do that," Pedreira says.
"There's video doorbells, there's so much that could be done with intercoms and video surveillance cameras that could easily be set up so that a visitor could be at any location and be allowed in via the remote unlocking of a door."</p><p>Pedreira advises organizations to make sure all points of ingress are locked regardless of business hours, but to make sure points of ingress are never blocked, which would prevent the quick escape of people during an incident like Tuesday's shooting.</p><p>After the shooting, YouTube released a statement saying that the shooter entered through the parking garage to the outside courtyard, and committed the violence there. "Thanks to the security protections in place, she never entered the building itself," the statement said. However, one employee tweeted after the shooting that he had seen blood stains on the floor and stairs of the building.</p><p>The shooter exhibited unusual behavior in the days leading up to the incident, leaving her home in San Diego and staying in her car in Mountain View. Her family filed a missing person report in San Diego on Saturday, and when officers found her sleeping in her car, she told them she had left home due to family issues. Mountain View police said they contacted her family to let them know she had been found. She also visited a gun range prior to carrying out the shooting Tuesday afternoon.</p><p>Pedreira notes that when it comes to these types of events, hindsight is 20/20 and the police appear to have acted appropriately. "So she was sleeping in her car, how would they know of her intent unless her handgun was visible on the dash or something?" he asks. Even then, "who would think that all of a sudden, just because she has a grudge against YouTube, she's going to take out a handgun and attack their office?"
he asks.</p><p><strong>What We Know So Far:</strong></p><ul><li><p>A shooting at the YouTube headquarters in San Bruno, California, occurred on Tuesday morning around 12:46 p.m. local time.</p></li><li><p>The assailant has been identified as <a href="https://www.cnn.com/2018/04/04/us/youtube-hq-shooting/index.html" target="_blank">Nasim Najafi Aghdam, 39, of San Diego.</a> The Iranian-born woman blogged about veganism and made heated claims online that YouTube was limiting viewers of her videos, CNN reports.</p></li><li><p>"We know she was upset with YouTube, and now we've determined that was the motive," San Bruno Police Chief Ed Barberini said.</p></li><li><p><a href="https://www.washingtonpost.com/news/post-nation/wp/2018/04/04/youtube-shooting-suspect-was-upset-with-some-of-the-practices-or-policies-the-company-had-police-say/?utm_term=.2673a7a48b24" target="_blank">Aghdam had an encounter with police in Mountain View, California</a>, in the early hours before the shooting when they found her sleeping in her car, "but did not set off any alarms during their interaction," the <em>Washington Post</em> reports. She then went on to a gun range to practice shooting.</p></li><li><p>Using a 9mm semiautomatic handgun, Aghdam critically wounded a man and seriously injured two women. Two of the three victims have been released from the hospital. The shooter appeared to target her victims at random at the campus that houses about 2,000 employees, according to police.</p></li><li><p>Her <a href="https://www.cnbc.com/2018/04/04/youtube-shooter-was-vegan-blogger-who-accused-site-of-discrimination.html" target="_blank">family says they warned police before the shooting.</a> "Californian media reported that Aghdam's family had warned authorities that she could target YouTube prior to the shooting," according to CNBC.
"The San Jose Mercury News quoted her father, Ismail Aghdam, as saying he had told police that she might go to YouTube's headquarters because she 'hated' the company."</p></li></ul><div><p><strong>FBI Data: Female Shooters are Rare</strong></p><p><strong><img class="ms-rtePosition-2" src="/ASIS%20SM%20Article%20Images/nasim-aghdam%20headshot.jpg" alt="" style="margin:5px;width:440px;height:240px;" /></strong></p><p>As CNN reports, FBI data shows that <a href="https://www.cnn.com/2018/04/04/health/female-shooters-youtube/index.html" target="_blank">female active shooters are rare.</a> Only 220 U.S. active shooter incidents identified by the Bureau between 2000 and 2016–roughly four percent–were carried out by women.</p><p>"The women in those shootings were usually armed with handguns and opened fire inside colleges, businesses, their current or former workplaces, according to the list," the article states.</p><p>In addition, 2016 FBI data shows only 7.6 percent of murder offenders that year were female.</p><p>The YouTube shooting may not end up being classified as a mass shooting, as one victim has been released and two remain in the hospital.</p></div><div><strong><em>Photo: San Bruno Police Department</em></strong></div><p><strong>Google Announces Security Increases at YouTube Offices Around the Globe</strong></p><p>Google announced on <a href="https://twitter.com/Google_Comms/status/981669726593019904/photo/1?ref_src=twsrc%5etfw&ref_url=https://www.cnbc.com/2018/04/05/youtube-to-increase-security-at-its-offices-worldwide-after-shooting.html">Twitter that it will increase security at its YouTube offices</a> around the globe after the shooting at the video platform's headquarters in San Bruno, California.
The attack, which took place around 12:46 p.m. local time, left three people wounded. A female assailant–identified as Nasim Najafi Aghdam, 39, of San Diego–entered the campus's courtyard through a parking garage. Soon after police responded, she was dead of a self-inflicted gunshot wound. Internet giant Google, which owns YouTube, said in a statement that Tuesday evening's events were "shocking and disturbing," and also praised San Bruno law enforcement as well as YouTube employees for "acts of heroism" during the attack. The company is also encouraging employees to take time off work to recover, and ensures that "wellness services are readily available."</p>
<p><a href="https://sm.asisonline.org/Pages/Personnel Peril.aspx">Personnel Peril</a> (Physical Security)</p><p>When employees steal proprietary information, they don't just cause headaches for the organization—they erode confidence in the trustworthiness of screened employees and vetted business partners. Following the recent spate of high-profile incidents—including leaks by U.S. National Security Agency contractor Edward Snowden in 2013, the violent attack on Fort Hood by Major Nidal Hasan in 2009, and the Washington Navy Yard shooting by Aaron Alexis in 2013—the U.S. government determined that existing vetting processes and security standards for sensitive programs were inadequate. Key policy changes were implemented, including a new requirement for government organizations and certain government contractors to establish an insider threat program. The requirements changed the way government-affiliated organizations approached employee management and codified existing insider threat practices.</p><p>What does that mean for private sector organizations, even if they don't work with the government? Certain features of a U.S. Department of Defense (DoD)-style insider threat program may be relatively easy to implement and offer considerable security enhancements. Traditional administrative and physical security practices—locked doors, alarm systems, and inventory controls—are focused externally and are largely ineffective at preventing employees and other authorized persons from committing harmful acts.</p><p>Integrating an insider threat policy with employee and event best practices can create a well-rounded employee management program that benefits workers and the organization.
Educating employees on how to recognize and report potential insider threat information can also have a positive effect on the organization's culture and emphasize everyone's role in keeping a safe, secure work environment.</p><p>Concurrent Technologies Corporation (CTC), an independent, nonprofit organization that conducts applied scientific research and development for government and industry, faced this exact challenge upon the creation of a nuclear research facility.</p><p>With industrial space and laboratories in five states, and more than 25 percent of employees telecommuting, CTC's potential insider threat profile is typical among many technology companies in the United States. Protection of sensitive government programs, client information, and intellectual property is paramount to success in a highly competitive environment.</p><p>But the August 2017 establishment of CTC's Center for Advanced Nuclear Manufacturing (CANM) in Johnstown, Pennsylvania, created new insider threat challenges that CTC had to address. The CANM is designed to bring fabrication technology and materials expertise to the emerging next generation of commercial nuclear power plants and will conduct business only with private sector organizations that are working on small nuclear reactors. While CTC works with both industry and sensitive government programs—and must abide by federal insider threat policies—it wanted CANM to have a government-grade insider threat program that would defend against all kinds of manmade threats—from petty theft to intellectual property issues to event management.</p><p>A planned ribbon cutting and open house event at the CANM would place about 75 visitors in close proximity to CTC's intellectual property and advanced technology—and would serve as the first real test of the organization's new insider threat policy.</p><h4>Tailoring a Solution</h4><p>The FBI, U.S. Department of Homeland Security (DHS), and U.S.
Defense Security Service provide tools for industry organizations to develop insider threat programs, including online training courses and brochures available through public websites. The tools identify specific behaviors that may indicate the presence of an insider threat.</p><p>Simply educating employees on what to watch for may improve the chances of averting a workplace incident. Other insider threat program features, such as information sharing and incident reporting, could also prove beneficial. Initiatives can be tailored to fit the organization, and security practitioners may find that their programs already include parts of the overall insider threat framework outlined in government directives.</p><p>This was true for CTC as it began to build a more robust insider threat program. While the organization had taken an informal approach to communicating potential employee issues, it was nowhere near the formalized program needed. To make sure the program covered all threats, CTC created an insider threat working group.</p><p><strong>Comprehensive support. </strong>An insider threat program relies on buy-in throughout the organization. A single official with authority to develop policies and procedures should be appointed to manage the program. He or she should also be responsible for determining when to report substantive insider threat information to law enforcement and other entities outside the organization.</p><p>CTC appointed an insider threat program official and established a working group with membership based on relevant roles, including representatives from security, human resources, IT, executive management, and ethics and compliance. The working group conducted several program reviews and established the types of activities to watch out for or report.
</p><p>The group also ensured that all employees completed awareness training in the time leading up to the CANM open house and helped foster a culture of communication so that employees would not hesitate to report concerns about visitors or fellow employees. Line employees are often the first to sense that something is off—if they notice changes in an employee's routine or behavior, they should know how to safely and effectively communicate the information to team leaders without fear of retribution.</p><p>Security staff and senior managers stood ready to work with department managers and labor representatives to reduce or eliminate social barriers to reporting. Reporting policy violations and unusual or suspicious behavior must not be viewed as tattling. Instead, it should be emphasized that timely reporting may save the company or business unit from significant financial loss, unfair competition, or even a tragic incident.</p><p><strong>Team approach. </strong>Effective information sharing and collaboration among security stakeholders in the organization are essential for a stalwart insider threat program. Functional leaders—like the ones in CTC's insider threat working group—typically monitor organizational performance in areas relevant to detecting a potential insider threat. For example, larger organizations usually rely on a CISO to detect violation or circumvention of policies regarding systems access, file transfers, software installation, and other network activities. Likewise, the human resources department should track, analyze, and share information on trends in employee misconduct, including harassment complaints and drug testing. In reviewing such information, the team must take care to protect employee privacy and focus only on security-relevant factors that might create concerns of an insider threat and identify needed adjustments in policies and training.
</p><p>For special events and unusual situations, organizations should not shy away from reaching out for help. The CTC insider threat program's leader contacted the FBI private sector coordinator, Defense Security Service representatives, and local law enforcement officials several weeks before the open house to inform them about the event and to obtain updated threat information. The FBI coordinator participated in an event rehearsal and walkthrough, and provided a tailored counterintelligence briefing to CANM engineers, program managers, and support staff, offering specific recommendations to limit risk while accomplishing overall open house objectives.</p><p><strong>Training. </strong>Employees should feel that they share a common security interest—success for themselves and for the entire organization requires their commitment to protecting intellectual property, proprietary information, and other valuable resources. Leaders must emphasize these points and encourage employees to actively support security programs and procedures. Employee commitment and loyalty to a common cause cannot be assumed, particularly in industries that experience high employee turnover.</p><p>Training employees to watch for specific activities and behaviors that may indicate an insider threat is the key to viable information reporting within the organization. Employees tend to recognize differences in a coworker's attitude, work ethic, or behavior well before an incident occurs, so they must know when and how to report concerns. Employees must also know how to recognize suspicious emails, scams, phishing attempts, and social engineering tricks to avoid becoming an unwitting insider or being coerced into providing information or other assistance. Training should also emphasize the importance of following basic rules aimed at mitigating risk, such as locking or switching off computer workstations when unattended.
</p><p>CANM employees were trained in traditional insider threat identification messages but were also given tips on identifying and reporting suspicious behavior at the open house event.</p><p>Because engineers, program managers, and event staff integrated security best practices into their job requirements, enhanced security was everywhere yet remained unseen at the event.</p><p><strong>Written plans. </strong>The insider threat working group at CTC identified all written guidance regarding employee behavior, from harassment policies and timekeeping systems to travel plans and procedures, and integrated it into the plan. The insider threat program features a risk mitigation plan that identifies insider threat stakeholders, roles and responsibilities, resources, policies, and procedures. The team of stakeholders meets periodically to review the plan, share and assess potential insider threat information, and determine additional actions needed to protect people, operations, intellectual property, and other resources.</p><p>For example, at a stakeholder meeting, someone in charge of travel finances might point out that the rental car budget for the previous month was 20 percent larger than normal. Human resources personnel can revisit employee travel dates and potentially identify excessive use of rental vehicles for personal travel. The same insider threat reporting procedures should be followed to address the problem.</p><h4>Redefining Insider Threats</h4><p>CTC's reevaluation and preparation paid off—the open house event went smoothly for staff and visitors alike.</p><p>CTC security officials are also reaping longer-term benefits from the CANM experience.
For example, the department is improving its approach to training by conducting lunchtime seminars and more personal interviews with employees to reinforce the significant role that each employee plays in countering insider threats, even if security is not their primary role.</p><p>In addition to the CANM program, other business changes prompted CTC to reassess potential threats and strengthen routine security procedures. New contracts with government clients outside the DoD brought new requirements and concerns for protecting sensitive information processed and stored on company networks. The company invested in new equipment, and other areas of business development brought increased interaction with international customers—along with added challenges for ensuring compliance with American export laws. </p><p>By thinking outside the box in regard to an insider threat, CDC was able to create a well-rounded employee management policy that is capable of addressing a variety of organizational concerns. Addressing a wide scope of potentially problematic employee-related activity—not just intellectual property or workplace violence concerns—through an insider threat lens strengthens the entire program and makes it more adaptable for addressing other business concerns.</p><p>As an example, security staff worked with shop floor staff and project managers to revise the facility's access control plan. Doors to certain industrial areas within the 250,000-square foot CANM were closed to employees who did not have a clear need for access. Facility access hours were restricted for many employees, and a proximity card in addition to a six-digit PIN is now required to use doors that are not routinely monitored. Process owners and senior managers fully grasped the need for such procedural changes and strongly supported the recommendations. 
</p><p>As international business contacts expanded, the security, contracts, and export compliance departments worked closely with program managers to ensure that export licenses encompass all international dealings involving protected technologies. The company's enterprise visitor system, internally developed in 2012 and upgraded in 2015, electronically routes international visit requests for coordination and approval. This ensures that the right managers and technicians are informed, projects are shrouded, or operations are suspended or rescheduled as needed.</p><p>With such low- or no-cost security enhancements in place, establishing an insider threat program required only a modest effort: formalizing plans and procedures, chartering a working group, and expanding existing training. Other corporations working exclusively or extensively with government contracts can engineer similar results.</p><p>Increasing awareness of insider threats and encouraging employees to report suspicious behavior and policy violations has directly led to improved overall security. For example, information received in recent months from frontline employees has enabled managers to correct internal issues and mitigate vulnerabilities in how the company purchases, inventories, and accounts for low-cost supplies, equipment, and bench tools. Workers in the affected areas recognize how the changes reduce risk of pilferage and unauthorized use of company assets. Minimizing such losses helps the company control overhead costs, remain competitive, and protect jobs and salaries.</p><p>If an organization is unaccustomed to a regimen of safety and security rules during daily business operations, it may take months to evolve a security culture where employees are likely to bring their concerns forward and key supervisors can evaluate information and respond effectively. The advantages of starting now almost certainly outweigh the risk of what could come later. 
</p><h4>Sidebar: How Nuclear-Level Security Influenced Today’s Insider Threat Programs​<br></h4><p></p><p>Concerns about insider threats are not new. In the mid-1940s, during the highly secretive Manhattan Project—the United States' efforts to develop the world's first atomic weapons—leaders were most concerned that a trusted insider could be blackmailed or tempted to commit espionage for money. Losing atomic secrets to enemies could have drastic—and deadly—consequences. The art of protecting critical research, test activities, materiel and weapons production, and plans for use of nuclear weapons was woven into the Manhattan Project and remains a hallmark of security within U.S. Department of Defense (DoD) nuclear programs.</p><p>The personnel clearance process and the personnel reliability program (PRP) have been central in addressing insider threats to nuclear capabilities since the 1960s. Clearance processes are designed to screen people for trustworthiness and must be strictly followed prior to granting an individual access to classified nuclear design information, plans, capabilities, or operating procedures. A personnel clearance is based on favorable evaluation of factors such as the person's demonstrated financial responsibility, personal conduct, and allegiance to the United States. Cleared individuals are reinvestigated periodically to ensure continued access is appropriate. Those in unusually sensitive and critical positions may be subjected to polygraphs.   </p><p>The PRP is an added layer of administrative security comprising procedures, automated notifications, tiered supervision, and other checks designed to ensure workers are mentally and physically fit at the time they perform critical tasks, such as nuclear command and control, maintenance, or armed security. PRP requirements and standards are risk averse—the slightest concern may result in temporary suspension from normal duties until circumstances change or a problem is resolved. 
A common reason for temporary suspension from duties under the PRP is use of prescription medication, which may cause drowsiness. Minor disciplinary infractions may also result in PRP suspension, triggering security measures that block access to restricted facilities and information systems.</p><p>Together, clearance processes and the PRP foster a heightened safety and security environment where workers are dutybound to report relevant information about themselves and others to appropriate authorities. Such an environment is essential based on the destructive power and political significance of the nuclear arsenal. Senior government and military personnel hold leaders within the nuclear community accountable for evaluating conditions that may detract from anyone's assigned tasks under PRP. For example, removal of the responsible unit commander is often the outcome of failure to properly adhere to PRP guidelines.    </p><p>Historically, these stringent screening and reliability standards are seldom applied to government and contractor enterprises outside nuclear communities. Since 2013, however, government officials have increasingly acknowledged the threat of insiders. Personnel clearance processes are now bolstered with additional screening and random selection for background checks between the traditional timespans for periodic reinvestigation. Additionally, government clearance adjudicators may now review and consider social media information when determining overall eligibility for access to national security information.</p><p>A series of U.S. Department of Homeland Security and DoD documents and guidelines mandate insider threat programs for agencies and certain contractors but stop short of requiring self-reporting measures such as those associated with the DoD PRP due to cost, legal concerns, and other practical considerations. 
A PRP-like mindset, however, can be encouraged within any operation where inattention to detail, slowed reaction time, or lapse in judgment could result in injury, death, or unacceptable material or financial loss.</p><p><em>Ronald R. Newsom, CPP, is a retired U.S. Air Force officer now employed with Concurrent Technologies Corporation, a recipient of the DoD 2017 Colonel James S. Cogswell Award for sustained excellence in industrial security. Newsom is a member of ASIS International. He also serves as the Chair of the National Classification Management Society's Appalachian Chapter.</em></p>
https://sm.asisonline.org/Pages/Take-No-Chances.aspx
Take No Chances | Physical Security
<p>Security processes are working properly if nothing happens, as the adage goes—much to the chagrin of the security manager looking for buy-in from the C-suite. But if something does go wrong at an organization, the error lies in either the company's risk profile or its implementation of mitigation procedures. Using risk management principles to create a risk profile and implement procedures to mitigate those risks should leave no gray areas for an incident to occur, says Doug Powell, CPP, PSP, security project manager at BC Hydro. Security Management sat down with Powell, the 2017 recipient of the Roy N. Bordes Council Member of Excellence Award, to discuss how to create a mitigation program that only gets stronger after a security incident.</p><h4>Weigh the Risks…</h4><p>A basic tenet of risk management principles is understanding what risks an organization faces by conducting a thorough risk assessment. "For me, nothing should happen in the security program in terms of making key decisions around protection principles until you've been through your risk management exercise, which will do two things for you: tell you where you have gaps or weaknesses, and what the priority is for addressing those," Powell says.</p><p>Look for the risks that are high-probability, low-impact—such as copper theft—and low-probability, high-impact—such as a terror attack—and build a protection plan that primarily addresses those, Powell says.</p><p>"You use that prioritization to get funding," he explains. 
"I tell people there's a broad spectrum of risks you have to consider, but there are two that you focus on that I call the board-level risks—the ones the board would be interested in because they could bring down the company."​</p><h4>…And Use Them to Build a Strategy</h4><p>Establishing those risk categories will not only help get buy-in from the C-suite but frame the company's security strategy.</p><p>"You should never say something like, 'well, the copper losses are so small that we're not going to deal with this at all,' in the same way you're not going to say that you'll never likely be attacked by terrorists so let's not worry about it," Powell says. "With that in place, you should have an effective mitigation strategy on the table."​</p><h4>Flesh Out the Baseline…</h4><p>While getting buy-in may rely on emphasizing the impact a risk can have on business operations, the security team needs to have a well-rounded understanding of the risk itself. Powell illustrates the distinction by using an example of how protesters might affect critical infrastructure.</p><p>"It's one thing to say that there's risk of work being disrupted or of a pipeline being taken out of service by protesters, but it's quite another thing to say that in the context of who these protesters are," according to Powell. </p><p>"You have one level of protesters who are just people concerned about the environment, but all they really do is write letters to the government and show up and carry picket signs to let you know they are concerned. The more extreme groups are the ones that would come with explosives or physically confront your workers or who would blockade machinery," Powell explains.</p><p>While these two groups of people both fall under the protester category, the risks they present—and how to respond to them—are vastly different.</p><p>"You have to understand the characteristics of your adversaries before you can adequately plot the seriousness of the risk," Powell explains. 
"Would it be serious if our pipeline got blown up? You bet it would. But who has the capability to do that? Are they on our radar? And what's the probability that we would ever interact with them? There's a bit more than just saying it's a bad thing if it happens."</p><h4>…And Keep It Updated</h4><p>Don't let an incident be the impetus for conducting a new risk assessment. Creating a governance model will facilitate regular reviews of the risk assessment and how it is conducted.</p><p>"If you do it well at the head end, you should be mitigating to those standards," Powell says. "Risk doesn't happen once a year, it's an ongoing process where you establish the baseline, mitigate to the baseline, and start watching your environment to see if anything bad is coming at you that you should be taking seriously because the world is dynamic."</p><p>Consistent monitoring of threats allows the mitigation strategy to be adjusted before weaknesses are discovered and exploited.</p><p>"The monitoring aspect is critical, and after an incident you might say that the reason your mitigation plan failed is you simply didn't monitor your environment enough to realize there were new risk indicators you should have picked up," Powell says. "The risk management process is dynamic, it never stops, it's continually evolving, and whether something happens to cause you to reevaluate or whether you reevaluate because that's your normal practice, that has to happen."</p><h4>Establish a Process…</h4><p>Under risk management principles, a security incident occurs when the risk assessment was not accurate or the mitigation processes were not properly carried out. After an incident, security managers should never feel blindsided—they must identify the shortcomings in their processes.</p><p>"When something critical happens, the first thing you will do is go back to your risk profile and ask yourself some key questions," Powell advises. "Did we get it right? Did we miss something? 
How did this incident occur if in fact we had our risk profile correct? Or did our mitigation planning not match well with the risk profile we had developed? If we had this assessed as low-risk but it happened anyway, maybe we got something wrong. If it was high-risk and it happened anyway, what was the cause?"</p><p>If the security program matches the risk profile and an incident still occurred, it's time for the organization to change the baseline.</p><p>"Did we understand our adversary?" Powell asks. "Was it someone we anticipated or someone we didn't anticipate? If it was someone we anticipated, how did they get in to do this thing without our being able to stop it or understand that they were even going to do it? Do we have the right security in place, did we do the right analysis on the adversarial groups in the first place? What did we miss? Are there new players in town? Is there something going on in another country that we weren't aware of or ignored because we didn't think it impacted us over here in our part of the world?"</p><p>And, if it turns out that the risk profile was inaccurate despite proper governance and maintenance, don't just update it—understand why it was wrong. "Look at whether your intelligence programs or social media monitoring are robust enough," Powell suggests.</p><p>"If you had 10 or 100 metal theft incidents in a month, you want to go back and ask why this is continuing to happen," Powell notes. "We've already assessed it as a risk and tried to mitigate it. For me, the two things are intrinsically connected. If you're performing risk management well, then your mitigation programs should mirror that assessment. 
If it doesn't, there's a problem, and that's what this review process does, it gets you into the problem."</p><h4>…And Use It Consistently</h4><p>Whether it's copper theft or a terrorist attack, the incident management process should be carried out in the same way.</p><p>"That should always be a typical incident management process for any kind of event," Powell says. "What varies is input, but the methodology has got to be identical. If it's metal theft, it's a pretty simple thing—we have some thieves, they broke into a substation, removed ground wires, and as a result this happened. What can we do to mitigate that happening at other substations in the future?</p><p>"If it's a terrorist attack, of course a lot more people will be involved, and you'll be asking some very challenging questions. The process becomes a lot more complex because the potential for damage or consequence value is much higher, but the methodology has to be the same all the time."</p><p>"Overall, whether you're looking at a security breach that happened because you exposed your cables and the bad guys were able to cut them or whether it was a new, more dangerous group coming at you that you weren't aware of, or because you neglected to identify the risk appropriately—all of this has to go into that evaluative process after something happens," Powell says. "Then you have to reestablish your baseline, so you're going back into that risk analysis and move to mitigate it according to what that new baseline is. If something bad happens that's what you do—go back to the baseline and discover what went wrong, and once you know, you seek to mitigate it to the new baseline."</p>
https://sm.asisonline.org/Pages/Active-Assailant,-Unarmed-Officer.aspx
Active Assailant, Unarmed Officer | Physical Security
<p>The concept that small acts can have large ramifications is called the butterfly effect. The phrase, based on a thesis by American mathematician and meteorologist Edward Lorenz, refers to the idea that a butterfly's wings could create tiny changes in the atmosphere that may ultimately delay, accelerate, or even prevent the occurrence of a tornado in another location.</p><p>The level of awareness exhibited by security personnel can have a butterfly effect on an active assailant's perception of risk. Active shooter attacks often end when the perpetrator is apprehended or killed by law enforcement, or when the attacker commits suicide—rarely do assailants run or escape. Having security guards onsite may mitigate the chances of an attack, but this type of embedded response is no guarantee that the attacker will be deterred or stopped.</p><p>In the case of the Orlando Pulse Nightclub massacre, for example, there was a uniformed Orlando police officer onsite providing security. At Mandalay Bay where a gunman opened fire on the crowd below, killing 59 people, a security officer exchanged gunfire with the assailant during the massacre. And most recently, an armed school resource officer was on campus during the February shooting that killed 17 people at a high school in Parkland, Florida.</p><p>However, security officers can also focus on the events that occur before an attack. People who intend to commit violence often give themselves away by their physical appearance or behavior. By engaging people with simple hospitality principles, a security officer is more likely to observe warning signs. This enhanced awareness allows the guard to implement security methods that may deter the attacker. 
</p><p>Even when the worst-case scenario occurs, a security officer's situational awareness is critical. Early detection enables officers to respond more quickly and help others by providing instructions that can mitigate the attack. By observing physical and behavioral cues, acting upon concerns, and implementing effective response methods, unarmed guards can help prevent or mitigate active assailant attacks.​</p><h4>Preattack Indicators </h4><p>Because most attacks represent the killer's first and last act of violence, the assailant often exhibits telltale signs of the incident to come. With little to no prior criminal record or experience in extreme violence, they may show behavioral and physical indicators that give their bad intentions away. Looking out for these early warning signs, or preattack indicators (PAINs), can alert the security practitioner to potential trouble and possibly thwart attacks. </p><p>PAINs are physical actions that include movement patterns, carried objects, appearance, or dress. They are also behavioral elements, such as facial expressions or demeanor. PAINs do not automatically indicate danger, because they can be consistent with perfectly innocent explanations. By carefully and prudently observing people who are determined not to be a danger, the officer can learn how to better distinguish future threats.</p><p>In the rare instances when PAINs are associated with imminent danger and immediate action is required, awareness will greatly improve response, because the element of surprise that may elicit the fight-or-flight response is removed. </p><p><strong>Normalcy bias.</strong> Trying to look for someone in a crowd who could be an attacker is like looking for a needle in a stack of needles. Since active assailant attacks are rare, there is a tendency to discredit PAINs in favor of the norm. 
Effective security requires a certain level of paranoia that avoids the "it can't happen here" mentality.</p><p>Establishing a thorough understanding of what is normal allows the guard to have a baseline. Then the security officer remains alert and vigilant during normal activities, and can easily transition to a heightened state of alert when a change occurs to the baseline.</p><p><strong>Customer service.</strong> Proactivity on the part of the guard is not to be confused with aggression, because customer service is still a priority. Security should view each person as a customer, not a suspect, until a significant change to the baseline occurs. Professional and nonthreatening behavior from security is more likely to elicit cooperation. </p><p>In customer service, the 10-5 Rule is a gold standard. The rule states that when the staff member is within 10 feet of guests, staff should make eye contact and smile to acknowledge them. Within five feet of a guest, a sincere greeting or friendly gesture should accompany the eye contact and smile. </p><p>The 10-5 Rule reminds others of the presence of a professional security force while keeping the security officer engaged with visitors. </p><p>Making eye contact with a person is an effective first step to determine if a basic level of mutual trust exists. At around 10 feet, make brief eye contact with a pleasant demeanor, then scan for PAINs. (See infographic, page 41.)</p><p>If PAINs are observed, engage the person in a focused conversation. In this context, professionalism is key. A focused conversation should not resemble interrogation. </p><p><strong>Active engagement.</strong> The purpose of a focused conversation is to determine if the person poses a risk. A polite "where are you heading?" to learn that person's trip story can be an effective conversation starter.  </p><p>There are two types of trip stories—past and future. 
A past trip means the person has completed the purpose of the trip, and a future trip means the person is on their way to a specific place. This basic framework helps the officer determine whether the trip story is verifiable by providing specific details of sights seen and actions taken. A vague, unverifiable trip story does not indicate imminent violence, but it does indicate deception.</p><p>Officers should expect occasional negative reactions and be prepared to encounter individuals who refuse to cooperate. Appropriate measures should be taken to deal with such persons, including asking for another officer to help and continuing to question the individual.</p><p><strong>Low-risk groups.</strong> Just as there are universal indicators of imminent danger, there are groups of people that, absent an overt hostile act, can be statistically discounted as a threat. These low-risk groups can be removed from the 10-5 Rule, including families, children, people older than 70 years, known guests of the facility, and people known and trusted by the officer. </p><p><strong>High-risk people. </strong>After the focused conversation, those not eliminated as a possible threat must be monitored. Ideally, the person can be denied access and escorted out of the area. If not, supervisors need to be alerted and the person should be followed by an officer. Using video surveillance is also a possibility. The officer should be prepared to document their concerns and articulate—based on PAINs and the focused conversation—why the person was considered a threat.</p><p>If it becomes apparent that the person is dangerous, immediate action should be taken. The first step is to alert others and request assistance. The following actions will be based upon the perceived threat and the location. 
Options may range from initiating heightened security procedures and observing the subject to an immediate evacuation of the area.</p><h4>Attack Response</h4><p>Regardless of the specific factors leading up to the situation, it is imperative that security officers understand how to respond to a violent attack.</p><p>Some responses require compartmentalizing occupants away from the assailant, which is associated with the lockdown concept. However, not all situations call for these measures. Lockdown or compartmentalization is a valid tactic, but it lacks the flexibility needed to adequately mitigate all active assailant attacks. A lockdown does not help people in areas that cannot be secured or those having direct contact with the perpetrator. In an active assailant attack, these are the people at the greatest risk.</p><p>Not every human-based threat or intrusion requires Run. Hide. Fight. decisions. In these far more common non-active-shooter events, using the word "lockdown" can cause a high percentage of occupants to falsely assume there is an active shooter, creating unnecessary panic and anxiety. Instead, these scenarios require heightened security procedures.</p><p><strong>Heightened procedures. </strong>Situations requiring heightened security can range from a threat of school or workplace violence to civil unrest. The measures taken to increase security depend on several factors, including the nature of the threat, the mission of the facility, the architecture and layout of the facility, and law enforcement presence or response time.</p><p>Based on these factors, leaders must determine which measures are most prudent given the circumstances, and security officers should be prepared to guide facility occupants.</p><p>When necessary, guards should communicate the fact that security has been heightened in simple language, such as "Attention, guests: we have a situation that requires heightened security. Please move inside a secure location." 
These messages get people's attention without causing unnecessary panic. Additional information can be shared as needed. </p><p><strong>Attacks.</strong> All leading U.S. federal preparedness and response organizations, including the U.S. Department of Homeland Security, the U.S. Department of Education, and the U.S. Department of Justice, recommend the option-based Run. Hide. Fight. approach. This recommendation is not limited to U.S. government agencies—Run. Hide. Fight. can be applied to many organizations and settings.</p><p>When deciding which option is best, determining whether the guard has direct or indirect contact with the shooter is essential. Direct contact means there are no barriers between the guard's location and the attacker, and the assailant is close enough to pose immediate danger.</p><p>With indirect contact, the attacker is inside or near the facility or general area, but distance or barriers delay the attacker's ability to cause harm.</p><p>After determining the level of contact, the survival options of the protocol are applied. The guard should also be prepared to advise those around him or her on which option to choose and to assist others. </p><p>Given their large presence at events, facilities, schools, and other venues, both armed and unarmed security officers play a critical role in preventing and mitigating active assailant attacks.</p><p>Because the killer is likely to have a target location for the attack in mind—whether it be a school cafeteria, concert, or church service—the presence of trained, engaged, and aware security can disrupt the attack. </p><p>Unarmed guards have a variety of tools at their disposal to protect the public and mitigate potentially dangerous situations. With a combination of active observance, engaged conversation, and–when necessary–heightened security procedures, security personnel can serve as a major deterrent against those who intend to commit harm.  
</p><p><em>Brad Spicer is the founder of SafePlans, a firm specializing in all-hazards emergency preparedness technology and active shooter defense training. He is an army veteran with 20 years of state and local law enforcement service and is a member of the ASIS School Safety and Security Council. He can be reached at brad@safeplans.com.</em></p>
https://sm.asisonline.org/Pages/On-a-Sea-of-Risk.aspx
On a Sea of Risk | Strategic Security
<p>The maritime sector, one of the world's most critical infrastructures, is vulnerable to a variety of security threats. But in this environment, many organizations have difficulty analyzing a crucial issue: which levels of risk are acceptable? The answer can shift; a disaster can transform an organization's perspective.</p><p>This article is aimed at assisting those who are exploring the question of acceptable levels of risk, and how those risks might be mitigated, in the maritime sector. To that end, it discusses the information that informs a risk analysis: breakdowns of potential bad actors, their tactics and targets, sector weaknesses, and appropriate protection strategies.</p><p>First, common threat actors and motives are explored. Second, the tactics and targets of these actors are examined, as well as the vulnerabilities of the maritime sector that could be exploited by these criminals.</p><p>Third comes a discussion of the existing security measures used to protect the maritime sector against attacks, followed by ideas about effective security measures and related emergency management initiatives.</p><h4>Actors and Motives</h4><p>Threat actors may include current, prospective, or former employees of shipping companies and seaports, or third-party contractors such as trucking agents and train conductors. Maritime staff and contractors are not always fully vetted, particularly when positions are filled overseas. In the more extreme cases, they may be mentally ill, violent ex-felons, or even terrorists, serving in various posts such as merchant mariners, longshoremen, and tractor-trailer drivers. 
</p><p><strong>Nonemployees may also be threat actors.</strong> These may include strangers with criminal records, such as smugglers or pirates, or even terrorists. Some of these people are or were in a platonic or intimate relationship with an employee or third-party contractor. </p><p>Experts have identified a variety of motives used by employees and nonemployees to justify their violent actions. A 2012 article "Maritime Terrorism and Piracy" in Global Security Studies reports that many threat actors simply seek monetary gain for themselves or are reacting to a loss of economic stability. Other threat actors believe that they are victims of personal violations, such as stress from overwork, humiliation by a supervisor, loss of their job, or recent harm to their family, and seek revenge by spreading fear, distrust, and distress. </p><p>Still other perpetrators seek to make others aware of their political agenda. In some of these cases, they seek to harass or embarrass a particular government, as a means of influencing decisions of and legislation in that country.  </p><p>The motives of threat actors may be solidified into action in one of several ways. The most typical route to a commission of crime, or radicalization to terrorism, is when someone from a minority group feels marginalized to the degree that avenues of change outside of crime or violence are no longer viewed as likely or possible, according to a 2005 study "The Staircase to Terrorism" in the American Psychologist. </p><p>In these cases, violence is perpetrated because the threat actor does not believe that the current situation could be improved through politics or laws. Often, these views are shared by family and friends, who sympathize with the victimized and disenfranchised in a society. 
Consequently, the threat actor's decisions and beliefs, including the belief that violence is not an immoral alternative to achieving certain goals, are influenced by the actor's friends and family, as argued in the 2014 book The Psychology of Terrorism by John Horgan. Moreover, by identifying with and joining other criminals or terrorists, the perpetrator stands to gain both social and psychological rewards, Horgan explains.  ​</p><h4>Tactics and Targets</h4><p>Threats in the maritime environment are varied, and threat actors have targeted the maritime sector through a range of tactics. These include the use of containers to hide explosives, terrorists, or contraband; criminals and terrorists posing as employees; and cyberattacks involving ship navigation, cargo databases, and other systems, such as life support.</p><p><strong>Cargo security.</strong> In the past, criminals and terrorists have often transported illicit items like weapons (and even weapons of mass destruction) using an innocuous-looking vessel such as a fishing trawler, according to the chapter "Applying Risk Assessment to Secure the Containerized Supply Chain" in the 2007 book Managing Critical Infrastructure Risks edited by Igor Linkov, Richard J. Wenning, and Gregory A. Kiker.</p><p>Terrorists can also target cargo security by tampering with a legitimate consignment or by assuming a legitimate trading identity and using it to ship a dangerous consignment. In terms of the former, there have been instances where terrorists hide in cargo containers to gain access to ports. </p><p>In 2004, for example, two terrorists in Israel hid inside a cargo container for several hours before an attack so they could bypass the extensive security procedures at the Ashdod Port. These terrorists were successful in detonating their explosive devices. Ten people were killed and 16 injured, according to the 2008 Police Executive Research Forum report, Protecting America's Ports: Promising Practices. 
This incident brought home the lesson that inadequate cargo security poses legitimate threats in the maritime sector. </p><p><strong>Ship stability.</strong> However, ports are not the only vulnerable maritime environment. Another major concern is a container ship's stability–that is, the ability of a loaded ship to remain on an even keel. Because containers have different weights and sizes, the seafaring ability of the ship becomes compromised if the ship is not properly loaded, and it may even become damaged or capsize.  </p><p>To avoid this, shippers use computers to perform a stability analysis shoreside, and the ship is then loaded according to a configuration consistent with the analysis, with a record sent to the crew before the ship leaves the port. Given this process, criminals may devise a method to hack this analysis during the loading process so that it produces a configuration that would ultimately leave the ship unstable, which could cause damage to the vessel and endanger the lives of the crew.</p><p><strong>Fire suppressants.</strong> Another concern for container ships is fire. Ship containers located in holds (as opposed to above deck) are generally protected by large carbon dioxide fire suppression systems. As a suppressant, carbon dioxide has many virtues. It is odorless, it leaves no residue, and generally it will not damage cargo in any way. It also does not conduct electricity. But carbon dioxide also has a large liability–it is highly toxic to humans at the concentrations necessary to be deployed in the total flooding applications for which it is used. </p><p>To date, these stability and fire systems have not been exploited by threat actors, but accidents happen. According to the U.S. 
Environmental Protection Agency's report Carbon Dioxide as a Fire Suppressant: Examining the Risks, between 1975 and 2000 there were 20 incidents involving the accidental shipboard discharge of carbon dioxide fire suppression systems on nonmilitary ships in the United States and Canada that resulted in 19 deaths and 73 injuries. The automation of commercial ship systems could also be exploited by threat actors in the future, either electronically or by motivated individuals with knowledge of the systems.</p><p><strong>Insider threat. </strong>Another security threat is posed by insiders. Many positions in the maritime sector are vulnerable to potential insider threats from those who obtain employment, or pose as an employee, with the malicious intent to access critical infrastructure. Harm may be caused by these real or impersonated employees in a port or on a ship, including those working as sanitation workers, cabin stewards, equipment operators, office administrators, and even security personnel. Such positions may be used for drug trafficking, human trafficking, smuggling, and even espionage, and they may be desirable for infiltration leading up to a terrorist attack. ​</p><h4>Cyberattacks Onboard</h4><p>Finally, cybercriminals can use malicious software or malware to gain access to maritime systems, modify data, and cause damage. </p><p>Cyberattacks can also be used to gain unauthorized access to systems and data. According to The Guidelines on Cyber Security Onboard Ships, issued in June 2017 by BIMCO—an international association of shipowners and operators—criminals, terrorists, foreign states, and insiders can use malware or hire others to hack and use malware to compromise port and ship cybersystems. 
These threat actors may target maritime communications, ship navigation, and cargo tracking systems.</p><p>For example, in Antwerp, Belgium, in 2013, hackers hired by drug traffickers gained unauthorized access into port systems that controlled the movement and location of containers and modified the data. This allowed drivers hired by the organized criminals to access the port and pick up cargo where the drugs were hidden.</p><p>Moreover, ships are increasingly using systems that rely on digitization, integration, and automation. That creates a need for more cyber risk management on board, according to BIMCO's new guidance. As technology continues to develop, information technology and operational technology onboard ships are being networked together and, more and more frequently, connected to the Internet.  </p><p>This growing practice brings greater risk of unauthorized access or malicious attacks to ships' systems and networks. Risks may also occur when personnel access systems on board, such as by introducing malware via a piece of removable media.  </p><p>Given these risks, the safety, environmental, and commercial consequences of not being prepared for a cyber incident may be significant. Responding to the increased cyberthreat, a coalition of international shipping organizations, with support from a wide range of stakeholders, came together to issue new BIMCO guidelines.​</p><h4>Existing Security </h4><p>Currently, there is a range of security measures used for protection in the maritime sector. These measures include advanced tracking and notification systems, credentials for mariners, and the vetting of employees.</p><p>In addition, U.S. regulations such as the 24-Hour Advanced Manifest Rule (AMR) and the 96-Hour Advanced Notice of Arrival to the National Vessel Movement Center give appropriate government agencies the opportunity to intervene early to prevent criminal activities, including potential terrorist attacks.  
</p><p><strong>Assessments and credentials.</strong> The U.S. Coast Guard (USCG) has taken a lead role in maintaining a risk assessment system that reviews top-secret elements to determine which ships may require boarding and extensive review before they are allowed entry into U.S. waters. The U.S. government also determines which foreign ports are unable to provide adequate measures to ensure that ships and cargo coming from those locales are reasonably secure. Sometimes, the government maintains a presence in these potentially problematic ports.</p><p>Under the treaties and customs of the maritime world, the International Maritime Organization's Safety of Life at Sea (SOLAS) has developed a series of measures to ensure confidence in the integrity of the credentials issued to mariners. Although the advent of Merchant Mariner Credentials, issued by the USCG, is mostly focused on safety rather than security, this is starting to change.  </p><p>The USCG issues these credentials in accordance with the guidelines of the International Convention on Standards of Training. Two additional credentials include the certifications under the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers, which is issued to U.S. seafarers to show evidence of a mariner's education, training, competencies, and proficiencies; and the Transportation Worker Identification Card, a tamper-resistant, biometric credential issued by the U.S. Transportation Security Administration, which is required to enter a secure area in a port or on a vessel in the United States.  </p><p>These processes have allowed for greater scrutiny over mariners and other personnel who work in maritime centers, ports, and infrastructure projects.  </p><p><strong>Vetting. </strong>The security of U.S. ports, however, also depends on the depth of the vetting process for employees who have gained these credentials. 
According to the Seafarers International Union, if a foreign employee has met the necessary requirements of the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers, he or she is permitted to work on a U.S. flag vessel if no other qualified U.S. crewman is available. There have been instances of improperly credentialed individuals who caused ships to be held in port for failing to meet safety standards, but not due to security risks. And a captain may learn inadvertently that one of the employees on board is in fact a felon who bypassed the vetting system.</p><p>According to "Hiding Behind the Flag," a series of articles on the website of PBS Frontline in 2004, the Kingdom of Tonga as a Flag of Convenience country was closed for security reasons after it was found to be selling passports for as much as $60,000. Moreover, U.S. intelligence agencies believed that Tongan ships were part of Osama bin Laden's "navy." In 2002, Israeli commandos boarded a Tongan ship and found 50 tons of weapons on board.</p><p>Two more Tongan ships were later caught with illegal Pakistani immigrants on board carrying large quantities of cash, maps, and false passports. U.S. intelligence officials suspected links to al Qaeda, although the evidence of these links was never revealed. Shortly after these incidents, Tonga's cabinet closed the Ship's Registry, headquartered in Greece.</p><h4>Emergency Management</h4><p>A final essential element of defense-in-depth measures is the emergency management plan. In the maritime sector, it is important to have different types of emergency management plans for mitigating hazards and vulnerabilities to ensure people's safety and reduce property losses. These emergency management plans include, but are not limited to, hazard awareness, emergency preparedness and response, evacuation, and risk communication.
</p><p>The effective implementation of an emergency management plan requires that all involved have proper training and are given exercises to ensure the viability of existing plans. Unfortunately, this is not always the case. In April 2014, the Sewol ferry disaster in South Korea killed 304 people, nearly all of them schoolchildren. Even though the vessel took about three hours to sink, many of those on board never received evacuation orders, demonstrating a clear failure of the emergency management plan.</p><p>According to <em>Fundamentals of Emergency Management</em>, a book issued by the U.S. Federal Emergency Management Agency (FEMA) in 2006, there are three types of exercises—tabletop, functional, and full-scale—that may be used to train personnel in dealing with emergency situations. A tabletop exercise is conducted in the classroom or conference room and is based on a limited scenario that allows participants to provide a verbal description of possible responses to contingencies. The advantage of this type of exercise is that it allows the evaluator, usually the controller, to determine the staff's ability to resolve the problem.</p><p>A functional exercise tests one or more functions in an emergency plan in a field setting designed to approximate disaster conditions. Due to the complexity of a functional exercise, multiple evaluators are required to assess the staff's performance, and coordination among multiple evaluators is needed to verify satisfactory performance by the staff.</p><p>Finally, a full-scale exercise tests all aspects and all organizational participants in an emergency operation plan in a realistic field setting. Regardless of which type of training exercise is used, effectiveness is determined by its ability to teach strategies to all the participants.</p><p>Plans, strategies, and exercises should not be stagnant. It is necessary to update all of these periodically.
Modification should not wait for a scheduled time, because waiting to revise a strategy might prove to be disastrous. Threats are growing in number and complexity, and security must not fall behind in keeping up with them.  ​</p><p><br></p><h4>Sidebar: Disaster Subcultures<br></h4><p>The process of assessing maritime risk, and risk acceptability, can be influenced by cultural or subcultural factors specific to a community of practice. For instance, The Netherlands faces a persistent threat of flooding. To adapt, the Dutch have developed a disaster subculture, or a set of cultural tools to deal with this recurrent hazard, according to the 2014 study "Flood Disaster Subcultures in The Netherlands" in the journal Natural Hazards.</p><p>In the study, the authors examined how two local communities in the Dutch lowlands developed a disaster subculture toward the prospect of flooding. Locals developed a range of early detection and mitigation tools that made them feel confident in their ability to respond. "Both communities are not afraid of flooding and feel experienced, prepared and knowledgeable enough to cope self-sufficiently," the authors write. </p><p>However, given the communities' past success with flood response, authorities also spread messages that reflect an "attitude of defiance," the authors write. For example, some officials communicated that by 2025, high-water levels will no longer be an issue, and residents will no longer have to worry about flooding. While that attitude does not dominate overall, it has become part of the disaster subculture.</p><p>Another example is the 2012 wrecking of the Costa Concordia cruise ship near the shore of the Isola del Giglio in Italy. The accident occurred when the ship's captain, while performing a sail-by salute (a slow passage of the ship close to shore, and a common cruise-industry subculture practice for showing off the ship and impressing local residents), hit a rock and killed 32 people.  
</p><p>Sail-by salutes have been part of the maritime culture since ancient times. However, this cultural practice does increase accident risk. Thus, the practice also illustrates the need for those in the maritime sector to consider human factors when making decisions about acceptable levels of risks and threats.</p><h4>Sidebar: Response Artistry<br></h4><p>Even when emergency response plans are developed and tested, the reality is that there are situations faced by security and emergency managers that must be resolved through flexibility and improvisation. An unwillingness to be open to change and attentive to the social and physical environment may result in a failure to reduce risk.</p><p>The unfolding of an actual disaster often creates parameters that could never be included in a plan, particularly when the threat faced is new. For example, the waterborne evacuation of lower Manhattan following the 9/11 attacks was entirely improvised. This innovative method, as discussed in the 2016 book American Dunkirk: The Waterborne Evacuation of Manhattan on 9/11 by James Kendra and Tricia Wachtendorf, encourages the reader to reconsider the relationship between planning and creativity.</p><p>The authors advocate for two concepts. One is a change in mindset so that improvisation is considered not the result of a plan failure, but a method for getting acclimated to a changing social and technical environment.</p><p>The second concept is for more training designed to enhance creativity. Even though some people tend to be creative on their own, oftentimes their natural creativity is stifled.</p><p>Hence, security and emergency managers should embrace creativity and improvisation as tools that may be used to help minimize the consequences of any disaster.</p><p><br></p><p><em>Dr. Marie-Helen Maras and Dr. Lauren R.
Shapiro are associate professors at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. Drs. Lucia Velotti, Susan Pickman, Hung-Lung Wei, and Robert Till, all of John Jay College, contributed to this article.​</em></p>
https://sm.asisonline.org/Pages/Stopping-Distracted-Driving.aspx
Behind the Wheel: Stopping Distracted Driving
Strategic Security
<p>It was another quiet night at the rail yard. Leon, a security officer, was making his usual rounds in the SUV provided by the rail company.</p><p>As he turned the car around a corner, his cell phone slipped out of the cup holder. He grabbed it and placed it on his lap. But as the SUV's wheel hit a bump, the phone fell to the floor next to his right foot. With the car still in motion, Leon reached down and fumbled unsuccessfully for the phone.</p><p>In the process, his foot slid from the brake and hit the accelerator—propelling the SUV into a shipping container.</p><p>Fortunately, Leon was not injured. But his client's vehicle didn't fare so well. How was he going to explain the crumpled front end to his manager at his contract security firm?</p><p>When it comes to accidents like this, there is usually a straightforward explanation: distraction. According to the U.S. Centers for Disease Control, distracted driving is involved in up to 52 percent of typical driving activities.</p><p>Accidents involving distracted driving injured around 390,000 and killed 3,477 people in 2015, according to the National Highway Traffic Safety Administration. And the U.S. Occupational Safety and Health Administration ranks auto accidents as one of the top causes of workplace death.</p><p>Despite the widespread availability of safer vehicles, traffic deaths are on the rise in general. The National Safety Council reported traffic deaths topped 40,000 in 2016, a 6 percent increase over the previous year, making that year the first since 2007 in which more than 40,000 Americans died in motor vehicle crashes.</p><p>Distraction may be an obvious culprit, but it is not a simple one.
A distracted employee driver is a symptom of a businesswide problem. Considering the threats security officers deal with daily, a mundane task such as driving may not register as an urgent concern. But driving is a serious threat.</p><p>Unsafe driving habits are a real threat that warrant a reasoned response. Security firms should have policies and procedures in place for training, monitoring, and other processes that reinforce a safe driving culture. Attending to driver safety is crucial for security firms looking to protect their workforce—and their bottom line. ​</p><h4>Distracted Driving</h4><p>When most people think of distracted driving, they likely picture someone with one hand on the wheel and the other on his or her smartphone. Though cell phones are a popular form of distraction, distracted driving is defined as any situation in which the driver is not attending to the operation of the vehicle.</p><p>Broadly, distracted driving takes three forms: manual, visual, and cognitive. Manual distractions take the driver's hands from the wheel, visual distractions take the driver's eyes from the road, and cognitive distractions take the driver's mind from the task of driving. </p><p>For example, turning to talk to someone in the backseat of a vehicle is a visual and cognitive distraction. The driver's mind is on the conversation and his or her eyes are turned from the windshield. </p><p>Digital distractions are particularly nefarious because they combine all forms of distraction. The driver's hands, eyes, and mind are all occupied with the phone or GPS unit, rather than focused on the act of driving.</p><p>In the claims the author's company reviews, it sees evidence of distracted driving where no device was involved. </p><p>In one recent incident, no distraction was involved other than cars on the road. An officer was driving at night during a significant portion of her patrol. 
As her late shift drew to an end, she became concerned about a car and motorcycle speeding behind her and began watching them in her rearview mirror. Before she knew what was happening, her patrol vehicle ran into a tree. The vehicle was totaled; the officer was fortunate to walk away with a minor injury.</p><p>This claim also revealed other ways to think of distracted driving—as either an unintended action or a decision. This officer made a decision—to watch the rearview mirror rather than the road—but she was likely suffering the unintended consequences of fatigue. Often, drivers take these actions and make these decisions over and over again with little consequence, until it's too late.​</p><h4>Unforeseen Consequences</h4><p>Unsafe driving habits threaten officers' safety and other drivers on the road. That threat to physical safety should be everyone's primary concern, but another concern that cannot be overlooked is the financial consequences.</p><p>Executives might think "that's why we have insurance," and a good commercial auto insurance policy helps cover legal fees, bodily injury claims, and damage to other vehicles in an accident.</p><p>But that still leaves organizations without patrol cars for several weeks in the event of a crash. They will still need to pay the deductible and for the consequences of productivity lost to time spent in litigation. </p><p>They may also need to pay a workers' compensation claim or hire a new employee. And firms may pay higher insurance premiums for years to come—if they are even able to secure a commercial auto policy.</p><p>Businesses can also be held responsible for an employee's irresponsible driving behavior. Take, for example, the case of an accident caused by an employee's distracted driving in which another driver is killed. The family could bring a wrongful death suit against the employer. If the company did not have a policy in place forbidding texting, or if it failed to review a driver's U.S. 
state motor vehicle record (MVR), it could be added to the lawsuit and be liable.</p><p>Plus, organizations are likely to lose the trust of their clients. One of the most pervasive consequences of an accident caused by employee negligence is damage to a company's reputation. Considering that security professionals are tasked with protection, distracted driving is counter to the job description. If an accident involving a company vehicle makes the evening news, that company's logo is portrayed in a troubling context—one that does not convey safety and security.​</p><h4>What Employers Can Do</h4><p>Understanding the consequences and sources of distracted driving helps point us in the right direction. With a comprehensive employee driving strategy, companies can create a safe driving culture, which depends on the following four practices.</p><p><strong>Define and enforce hiring policies. </strong>Sometimes it's said that businesses "hire the problem." That's because many employee-based accidents could have been predicted based on past driving behavior; a person's driving history is the best indicator of his or her future driving performance.</p><p>U.S. employers can access a job candidate's driving history through an MVR. They should consider the entirety of a candidate's driving history, for every state in which he or she has lived, but pay particular attention to red flags like driving under the influence. A company may adopt other red flag standards that preclude a candidate from a job involving driving, such as five moving violations in the past three years.</p><p>Road tests should also be a part of the hiring process for positions that require driving. This gives hiring managers the ability to review a candidate's key driving behaviors, like seatbelt use, signaling, and stopping completely. </p><p>While reviewing candidates' performances and MVRs, employers should ask themselves, "If we held no auto insurance, would I still hire this person?" 
If the answer is no, employers should heavily consider that in the hiring decision.</p><p><strong>Establish policies and procedures</strong>. A written employee driving policy is the foundation of a safe driving culture. This provides concise prohibitions against specific distractions, such as texting, eating, and smoking, as well as clear guidelines for alternative actions, such as pulling over in a rest area to make a phone call.</p><p>It should include consequences and disciplinary measures, as well as how these measures escalate with multiple violations. Because it deals with the condition of employment, a lawyer and senior management should be involved in reviewing and shaping this policy.</p><p>These policies do not just apply to on-the-ground officers. Managers should make it easy for employees to follow driving guidelines. </p><p>For example, only call an employee on patrol when he or she is not scheduled to be behind the wheel. Practicing what is preached helps create a safety culture. </p><p>Furthermore, it's helpful to have procedures for regularly reassessing the competency of employee drivers. A twice-yearly ride along or road test reinforces key driving skills and enforces the employee driving policy.</p><p><strong>Monitor vehicles. </strong>Another way to enforce driving policies is through monitoring. Telematics devices are in widespread use and for good reason. They are easily installed and provide a way for a vehicle to communicate with managers, sharing location information and red flag behaviors like hard braking or speeding.</p><p>Other technologies are useful for combating digital distractions. Tools like Cell Control block the use of cell phones or GPS devices within a company vehicle.</p><p><strong>Maintain documentation. </strong>One relatively low-tech tactic goes a long way towards protecting officers on the road and a company's reputation: sticking to a regular vehicle maintenance schedule. 
</p><p>Employees can get involved in this, submitting a monthly report on vehicle performance that can identify problems before they become real trouble. </p><p>Not only does this prevent the obvious—breakdown and malfunction—but it can be the best defense a company has when accused of negligence after an accident. If enforced and documented properly, both regular maintenance and employee driving policies can counter claims of negligence and help control claims costs.</p><p>These four practices are far more than cost-saving measures. The entire reputation of the security business is based on safety. A safe driving culture will go far in supporting the reputation of officers and the business as a whole.  </p><p><em>Tory Brownyard is the president of Brownyard Group. For more information, contact tbrownyard@brownyard.com. ​​</em></p>
https://sm.asisonline.org/Pages/April-2018-ASIS-News.aspx
April 2018 ASIS News
Strategic Security
<h4>Introducing Global Security Exchange</h4><p>Global Security Exchange (GSX) is the new name for the ASIS International Annual Seminar and Exhibits, the security industry's flagship educational and networking event. The move reflects the Society's commitment to unite the full spectrum of security—cyber and operational security professionals from all verticals across the private and public sectors, allied organizations and partners, and the industry's leading service and solution providers—for the most comprehensive security event in the world.</p><p>"GSX is setting a new bar for education, networking, and security product and service excellence—addressing the issues critical to all sectors of the global marketplace," says Ron Rosenbaum, chief global marketing and business development officer at ASIS International. "The new name, branding, and messaging reflect the global nature of our event, as well as our commitment to facilitating the exchange of ideas, best practices, and product and service innovations among all industry professionals."</p><p>Registration for GSX opened in March with strong numbers, due in part to high levels of engagement on social media and positive buzz stemming from the brand reveal.</p><p>"Global Security Exchange will build upon the change and reinvention introduced at ASIS 2017," says 2018 ASIS President Richard E. Chase, CPP, PCI, PSP. "What won't change is our commitment to reinvesting, promoting, and furthering the security profession year-round. This is a source of great professional pride, and a clear brand differentiator between GSX and other industry events."
</p><p>GSX will continue to offer best-in-class education, networking, and business-building opportunities that provide ongoing benefits for attendees and exhibitors alike. The education—led by ASIS, InfraGard, and ISSA subject matter experts—will deliver an immersive and interactive learning environment for security professionals at all experience levels. </p><p>"We believe learning shouldn't be reserved for the classroom," Rosenbaum says. "It's important for attendees to get hands-on access to new and emerging technologies, as well as ideas and insights that offer new perspectives on current and looming challenges. With immersive reality, robotics, and drone demos, as well as expanded Impact Learning Theater and Career Center programming, GSX will transform the traditional exhibit hall format to provide the industry's most robust and engaging technology and solutions experience."</p><p>Building on more than six decades of event excellence, GSX will take place September 23-27 in Las Vegas, Nevada, USA. For more information and to register, visit gsx.org.​</p><h4>Upcoming Global Events</h4><p><strong>ASIS Europe 2018</strong></p><p>April 18-20</p><p>Rotterdam, The Netherlands</p><p>Big Data and artificial intelligence are main themes of ASIS Europe 2018—"Blurred Boundaries—Clear Risks." Opening keynote speaker Tom Raftery, global vice president, futurist, and IoT evangelist, SAP, will set the tone for the conference with his insight into the business opportunities presented by Big Data, artificial intelligence, and automation. Classroom training sessions will provide concise, practical learning.</p><p>The free Show Pass, available until April 17, includes access to education sessions in the Technology and Solutions Track, coaching and advice at the ASIS Europe Career Centre, and the networking hub of the exhibition floor. Full information and registration is on the event website asiseurope.org. 
</p><p><strong>11th Annual CSO Summit</strong></p><p>April 29-May 1</p><p>Minneapolis, Minnesota, USA</p><p>CSOs, policymakers, and global thought leaders will gather at the 11th Annual CSO Summit for strategic-level discussions, executive development, and exclusive networking opportunities. </p><p>Taking place at Target Plaza Commons in Minneapolis, this forum will feature futurist Scott Klososky; executive coach Angela Scalpello; a behind-the-scenes tour of the U.S. Bank Stadium, home of the Minnesota Vikings; and sessions on security risk management, leadership skills, and the changing technology landscape. </p><p>This event is open only to CSO Center members and those eligible for CSO Center membership. Learn more and register at asisonline.org/CSOSummit. </p><p><strong>28th New York City Security Conference & Expo</strong></p><p>May 16-17</p><p>New York, New York, USA</p><p>The Northeast's most anticipated security event will bring together 2,200+ security professionals for two days of valuable networking opportunities, an exhibit floor showcasing solutions from 110+ exhibitors, and expert-led education sessions examining critical issues and trends in enterprise risk and public safety.</p><p>Thought leaders will speak on drone and artificial intelligence technologies, protecting soft targets, and how enterprise security risk management can turn security into a business enabler.</p><p>Special events during the conference include an opening reception on the expo floor and a luncheon honoring the ASIS New York Chapter's Person of the Year—His Eminence, Timothy Cardinal Dolan, Archbishop of New York. For more information and to register, visit asisonline.org/nyc2018.​</p><h4>Early Careerist Job Study</h4><p>ASIS International is conducting a job analysis study to determine the body of knowledge needed by those new to or transitioning into the security management field. 
</p><p>In January, a panel of security professionals developed a list of knowledge and skill statements and determined the overall domains of practice in which these statements belong. To ensure that the profession agrees with the panel's recommendations, a survey will be sent to all ASIS members in early April to validate the work of this panel. Based on the results of the survey, ASIS will decide if this newly developed body of knowledge can be used to create a new certification program. </p><p>This new certification is envisioned to be the first rung on a security management professional's career ladder. ASIS encourages all members—especially those new to the field and professionals who hire those new to the field—to complete this survey and help advance the creation of this important stepping stone into the profession.​</p><h4>ASIS INTERNATIONAL CUP 2018 KICKS OFF</h4><p>The ASIS International Cup rewards individuals who recruit the largest number of new members to ASIS from March through June. The single highest recruiter will receive a free all-access pass to GSX, September 23-27 in Las Vegas, a three-night hotel reservation, and $500 towards GSX travel expenses.</p><p>The second-place prize is a $500 Amazon gift card, and the third-place prize is a $250 Amazon gift card. All recruiters will earn an entry into a drawing for gift cards to WorldSoccerShop.com. In 2017, the winner, Ronald Lee Martin, CPP, recruited 13 new members. </p><p>To learn more and to locate recruitment tools, visit asisonline.org/InternationalCup. Get in the game and win big!​</p><h4>ASIS Life Members</h4><p>ASIS congratulates Dennis G. Byerly, CPP, and Andrew Wyczlinski, CPP, who have been granted lifetime membership to ASIS. </p><p>Byerly has been a member of ASIS for 27 years. He has been a longtime member of the Commercial Real Estate Council, and he served as a council vice chair for multiple terms. He was also a member of the Critical Infrastructure Working Group. 
</p><p>Wyczlinski has belonged to ASIS since 1977. He has been an active member of the National Capital Chapter; the Dayton, Ohio, Chapter; the San Antonio Chapter; and now the North Texas Chapter. In addition, he was a founding member and chapter chair for the Fredericksburg/Quantico Chapter. </p><h4>Member Book Review</h4><p><strong>Private Investigation and Homeland Security. By Daniel J. Benny. CRC Press; crcpress.com; 181 pages; $79.95.</strong></p><p>In the popular media, private investigators are frequently portrayed as shadowy and unprincipled gumshoes working cases on cheating spouses and sitting in cars on stakeouts. This may be true to a small degree, but in his book, <em>Private Investigation and Homeland Security, </em>Daniel J. Benny makes a strong case for broadening the scope of private investigator services into the homeland security arena.</p><p>A quick glance through the book's comprehensive table of contents provides the reader with a preview of all things relating to private investigation—from establishing an investigative business to countering cyberattacks and implementing technical systems. </p><p>Much of the homeland security investigation how-to content relates to various components of physical security and background investigations. The author includes an ancillary section on security consulting, which encompasses a broad discussion of intrusion detection systems, access control, and locking devices. At times readers may struggle to connect the dots as the author introduces varied content that may not seem relevant to the subject at hand.</p><p>The author could have neatly packaged the seemingly disparate physical security and investigative components of the book together for the readers by probing into the importance of the partnership between law enforcement and the private sector. 
The private sector owns and protects 85 percent of the nation's infrastructure, while local law enforcement often possesses threat information regarding infrastructure. Thus, to effectively protect the homeland's infrastructure, law enforcement and the private sector must continue to work collaboratively, because neither possesses the necessary resources to do so alone. </p><p>There is plenty of knowledge that can be used by investigators and general security practitioners alike. While the book covers a multitude of security-oriented topics, readers may find themselves questioning the relevance of some content. The appendices comprise nearly 30 percent of the book and cite some narrowly focused regulatory statutes, including New York security guard and Virginia private investigator training outlines.</p><p>This book would best serve one who is contemplating a foray into the private investigative industry or a more advanced practitioner who wishes to broaden investigative service offerings. </p><p><em>Reviewer: Doug Beaver, CPP, is chair of the ASIS Cultural Properties Council and a member of the Global Terrorism and Political Instability Council. He is the director of security for the National Museum of Women in the Arts in Washington, D.C. ​</em></p>
<h4>Mobilizing the Force</h4><p>https://sm.asisonline.org/Pages/Mobilizing-the-Force.aspx</p><p>Physical Security</p><p>A Services Group (ASG) provides clients with everything from risk assessment and security systems installation to industrial cleaning and security guard services.</p><p>The industries it serves include hospitals, manufacturing, retail locations, and warehouses.</p><p>A smaller company, with about 1,300 security personnel, ASG is often tasked with large requests from its customers, and it relies on technology to help accomplish its goals. </p><p>"Clients will often ask us to take on projects that really fall outside our scope and area of operation," says Gene Enlow, vice president of ASG. "We find it hard to do those if we have to fully mobilize with an area manager and an office." </p><p>Rather than hiring a large security presence in each client location, ASG has been managing its security staff with guard tour management services for many years. But the technologies it used in the past did not stand up to the weather the checkpoints were exposed to, and went up in price over time. </p><p>"There have been systems around for years, and we've used several. The problem usually ends up being durability or cost," Enlow says.</p><p>About a year ago, ASG developed a relationship with Mobotour, a guard touring service based on smartphone technology. </p><p>Mobotour allows the customer to set up simple checkpoints anywhere throughout the client site. These check-ins show that guards were present at a certain place, at a specific time and date. Mobotour's app, downloadable from any app store, is accessed through the guard's smartphone.<img src="/ASIS%20SM%20Callout%20Images/0418%20Case%20Study%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:644px;" /> </p><p>"With Mobotour, it's so simple. 
It's a piece of equipment that you're going to use anyway," Enlow says. "You're not adding all these other electronic tools—none of the bulky expensive equipment that tends to break down and fail."  </p><p>From an administrative portal, the customer tailors the application to fit the needs ​of its guard force. Mobotour sends stickers to ASG for placement around customer sites. These stickers, which are slightly bigger than a postage stamp, are weatherproof and have a QR code. Each code can be named in the portal to indicate where it's placed, such as "front gate" or "loading dock." </p><p>"We literally peel it off and stick it to the surface in the area we want to make sure we've inspected," Enlow notes. "They're weatherproof, they can be out in the elements, that doesn't seem to bother them, and they're unobtrusive." </p><p>The stickers are placed at various points throughout the customer site. When the guard on patrol scans the code, the app logs the time, date, guard, and location in a report log for that client site. </p><p>"When Mobotour generates the report, we can see that whoever was onsite—regardless of whether we had a manager or supervisor there—has actually gone to these locations and made scans," Enlow explains. "They were there, and they were there at a specific time." </p><p>The app also has an incident reporting feature that allows the guard to attach media, such as a photo or video, from anything out of the ordinary or pertinent that they encounter. </p><p>"We patrol some truck storage yards where product is stored on trailers. When our guards come across a trailer that's unsealed or a door that's open, they'll attach a photo," Enlow notes. "It could be tree limbs or fallen trees, downed power lines, or it could be where they find doors or windows that are forced open." </p><p>When the clients receive the photograph or video via email, they can follow up with ASG directly. All the incidents are documented and included in the daily report. 
Enlow adds that the checkpoints can be moved around easily. "We can put it wherever we want it and have it running very quickly." </p><p>The client has the option of retaining the reports and the data transmitted through Mobotour indefinitely. </p><p>ASG trains the guards on Mobotour, but Enlow says the technology comes naturally to the force, given their understanding of smartphones. </p><p>"It's just a matter of letting them know, 'this is what you do with the phone, these are the points the customer wants scanned,'" he says. "It's a matter of point and shoot." </p><p>About 400 guards from ASG currently use the app. Enlow adds that the price was a major factor in choosing Mobotour. </p><p>"With my buying power, a smartphone probably costs me $40 to $50 a month. And then the cost of the Mobotour scan points and their service is so cost-effective," he says. "It's really the most cost-effective product I've put in the field yet." </p><p>Given the product's scalability, ASG may use Mobotour to manage its other services as well. "We're trying to explore ways that we can use that product in some of our other places, like janitorial," he notes.</p><p>Enlow adds that Mobotour has provided excellent customer service along the way, and the company's chief growth officer sat down with ASG to tailor the app to its specific needs. </p><p>"Their service is great," Enlow says. "You call them and they're on top of it within a matter of minutes, trying to get things done for you."</p><p>Recently, Enlow was on the phone with a potential client that runs a hospitality property. The property owner was concerned about ensuring that its facilities were secure, given the attacks on hotel and entertainment venues in recent years. Enlow was confident in reiterating that Mobotour provides the level of accountability the owner was looking for. </p><p>"Mobotour makes us look better to the client, and it is a major selling point," Enlow says. 
"We tell the client, 'We can document what our guards do in simple terms, we can make the documentation available to you, and you really don't have to jump through any hoops to do it.'"</p><p><em>For more information: Jon Mitchell, jon@mobotour.com, www.mobotour.com, 404.273.7631 ​</em></p>
<h4>The Problem with Bots</h4><p>https://sm.asisonline.org/Pages/The-Problem-with-Bots.aspx</p><p>Cybersecurity</p><p>It all started with a video game. Three college-age friends—Paras Jha, Josiah White, and Dalton Norman—wanted to gain an advantage in Minecraft, so they developed a powerful, and elaborate, method to do so.</p><p>Minecraft is a game where users create their own worlds and experiences by digging and building 3D blocks. One unique element of the game is that within the platform itself, players can link to individually hosted servers to play in a multiplayer mode.</p><p>Hosting a server and renting space to other players is a lucrative business; some individuals make $100,000 a month, according to an investigation by WIRED.</p><p>To tap into this market, Jha, White, and Norman created malware that scanned the Web for Internet of Things (IoT) devices that used default security settings for usernames and passwords. The malware then infiltrated the devices, which became part of a botnet army made up of 600,000 devices at its peak strength. </p><p>That botnet was dubbed Mirai, and it was used to launch a distributed denial of service (DDoS) attack against French hosting provider OVH in September 2016. It was so powerful that traditional DDoS mitigation techniques were ineffective against it. </p><p>Then, just after the OVH attack, Mirai hit security reporter Brian Krebs' website, Krebs on Security, kicking it offline for more than four days with an attack that peaked at 623 gigabytes per second, according to Krebs' account.<img src="/ASIS%20SM%20Callout%20Images/0418%20Cyber%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:305px;" /></p><p>Authorities and researchers began to investigate the Mirai botnet, and soon began asking why—in addition to its targets—it was hitting Minecraft servers. 
They later determined that OVH was hit because it provided a service that helped mitigate DDoS attacks against Minecraft, and they ultimately discovered the three friends behind the botnet.</p><p>They confessed to creating the botnet as part of a scheme to allow people to pay to use it to push players off specific Minecraft servers in hopes that they would then pay to use an alternative server. Jha, White, and Norman all pled guilty to a variety of charges in December 2017, after Mirai's source code was released on the Internet. </p><p>While Mirai was unique in its scope, it was just one of hundreds of botnets that are active today and impacting organizations' networks in real time. For instance, cyber firm Fortinet's​ Threat Landscape Report Q2 2017 detected 243 unique botnets that were active, with 993 daily communications per firm.  </p><p>Fortinet found that approximately 45 percent of firms detected one type of botnet in their environment, while 25 percent saw two, and 10 percent saw three. Most of these botnets were detected in the telecommunications and carrier sector. </p><p>"Our data shows the majority of firms in our sample have one or two different botnets active in their environment at any given time," according to Fortinet's report. "Some, however, have 10 or more. And many of those frequently communicate with external hosts."</p><p>Because of this widescale activity, U.S. 
President Donald Trump included a section in his May 2017 cybersecurity executive order directing the secretaries of homeland security and commerce to assess actions that could be taken to "drastically reduce" the number of botnet attacks.</p><p>The secretaries were instructed to identify and promote action by stakeholders to improve the resilience of the Internet and communications ecosystem, and to "encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks," in other words, botnets, according to the executive order.</p><p>In January 2018, the secretaries completed the first step of that process by issuing a draft report for public comment, Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.</p><p>The secretaries solicited input for the report by hosting a workshop, publishing a request for comment, and initiating an inquiry through the president's National Security Telecommunications Advisory Committee (NSTAC). They also consulted with the U.S. Departments of Defense, Justice, and State, as well as the FBI, the Federal Communications Commission, the Federal Trade Commission, and others.</p><p>"Botnets threaten to undermine the Internet ecosystem, as well as the promise of next-generation technologies," said David Redl, assistant secretary for communications and information and the administrator for the National Telecommunications and Information Administration, in a statement. 
"This report clearly demonstrates the urgency of the problem, and this administration's commitment to taking on these threats and creating a more secure and sustainable Internet."</p><p>For instance, the report found that botnets are being used for a variety of malicious activities, including DDoS attacks, ransomware attacks, and propaganda campaigns carried out via social media.</p><p>These attacks, according to the NSTAC, threaten the "security and resilience" of U.S. communications ecosystems and the Internet, as well as its critical infrastructure. The NSTAC also assessed that IoT devices will be used by threat actors to launch global automated attacks.</p><p>"With new botnets that capitalize on the sheer number of IoT devices, DDoS attacks have grown in size to more than one terabit per second, outstripping expectations," according to the report. "As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved."</p><p>One prime example of the impact botnets have on the Internet is the Mirai botnet. In addition to its attacks on Minecraft servers, it was used to launch a massive DDoS attack on domain name service provider DYN, effectively shutting down the Internet on the East Coast of the United States for several hours.</p><p>"While the original Mirai variant was relatively simple, exploiting weak device passwords, more sophisticated botnets have followed; for example, the Reaper botnet uses known code vulnerabilities to exploit a long list of devices," the report explained. 
"The Mirai and Reaper botnets clearly demonstrate the risks posed by botnets of this size and scope, as well as the expected innovation and increased scale and complexity of future attacks."</p><p>The report identified six themes that pose opportunities and challenges to reducing the threat of automated, distributed attacks carried out by botnets, including that they are a global problem; effective tools exist to combat them, but are not widely used; products need to be secured at all stages of their lifecycle; education and awareness are needed; market incentives are misaligned; and botnet attacks are an ecosystemwide challenge.</p><p>"Botnets represent a systemwide threat that no single stakeholder, not even the federal government, can address alone," said Walter G. Copan, undersecretary of commerce for standards and technology, in a statement. "The report recommends a comprehensive way for the public and private sectors, as well as our international partners, to work together and strengthen our defenses."</p><p>These actions take the form of five goals in the secretaries' report: identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace; promote innovation in the infrastructure for dynamic adaptation to evolving threats; promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior; build coalitions between the security, infrastructure, and operational technology communities; and increase awareness and education across the ecosystem.</p><p>One of the main points in the report is the lack of security built into the increasing number of IoT devices on the marketplace. Many manufacturers continue to release unsecure devices because there are no requirements—or incentives—for them to release better products.</p><p>To combat this, the report recommends that the U.S. federal government adopt security standards for all devices it purchases. 
Doing so, the report argues, would push the marketplace to create more secure products without imposing new regulations or relying on a legislative solution.</p><p>"The federal government can use acquisition rules and procurement guidelines to amplify the market signal by requiring certain security features or properties," the report explains. "The private sector could establish an assessment and labeling mechanism for products that comply with the home profile. The private sector could also work with existing programs or establish new programs to evaluate products that comply with the industry profile."</p><p>While this is a move in the right direction, Michael Marriott—research analyst at Digital Shadows—says it is not enough to change the marketplace because so many IoT devices are developed outside of the United States. These products are then sold to an international market where they can be compromised to become part of a botnet.</p><p>"Making sure manufacturers are thinking about these types of considerations is important," Marriott says. "But there are devices developed outside the United States, so other approaches are needed as well."</p><p>John Dickson, CISSP, principal at Denim Group and a former U.S. Air Force officer who served in the Air Force Information Warfare Center, also expressed disappointment in the report, saying it was "completely devoid of specific policy ideas and recommendations."</p><p>For instance, Dickson says he would have liked to have seen more specific recommendations for the telecommunications and Internet service providers (ISPs) who have a major role in mitigating DDoS attacks carried out by botnets.</p><p>The report touches on the role that ISPs play, and it limits its recommendations to increased information sharing between ISPs and their partners to "achieve more timely and effective sharing of actionable threat information both domestically and globally."</p><p>This, Dickson says, is not enough. 
Instead, he would have preferred to see recommendations to block specific types of traffic or to monitor traffic to prevent botnet attacks. </p><p>"There is an incentive for telcos to do this—reducing spurious traffic on their networks," according to Dickson. "But they're likely to say there's a cost associated with doing that, which will be passed on to users."</p><p>Countries with more government control of ISPs have shown how this can work, Dickson says. For instance, countries like China and Saudi Arabia—which have greater government control of the Internet in general—have been more effective in preventing botnet attacks because they're able to block them from getting in.</p><p>"We don't have government control of our telcos anymore—it's much more Wild Wild West with more players and a bigger network," Dickson says of the U.S. system, making it more vulnerable to botnet attacks. </p><p>Security Management reached out to AT&T and Verizon for their reactions to the report, but neither of the companies responded. And as of press time, there were no public comments on the draft report.</p><p>The report was open for public comment until February 12, and its final recommendations are due to be submitted to President Trump by May 11.   ​</p>
<h4>Seeing Double</h4><p>https://sm.asisonline.org/Pages/Seeing-Double.aspx</p><p>National Security</p><p>The U.S. Embassy in Afghanistan sent out an uncharacteristically specific security alert on a Thursday afternoon in January: Extremist groups were plotting attacks on hotels in Kabul where foreigners were known to congregate. Stay alert in locations frequented by Westerners, the alert advised, and carry a charged cell phone. </p><p>Two days later, six gunmen carried out a 15-hour attack at Kabul's Hotel Intercontinental, killing at least 22 people before they were overtaken by Afghan forces. About 160 guests were rescued from the attack, which was claimed by the Taliban.</p><p>The attack kicked off nine days of deadly ping-ponging between regional rivals ISIS and the Taliban. Two days after the hotel attack, members of ISIS stormed the compound of aid group Save the Children in Jalalabad, killing four workers. </p><p>Five days later, Taliban militants drove an ambulance packed with explosives near a hospital in Kabul and detonated it, killing more than 100. And just two days after that—on a day that was intended to be a day of mourning for the previous attacks—ISIS carried out an attack on a military base in Kabul that killed 11. 
</p><p>The spate of attacks, which resulted in the deaths of more than 130 people, raised questions about the motivations of both the Taliban and ISIS in the region, the effectiveness of Kabul's fortified perimeter, and the role of private security in preventing such attacks—if they can get a chance.</p><p>Although the targets seem disparate—foreigners at a hotel, international aid workers at a compound, locals out and about in the city center, and security forces at a military academy—three of the sites have something in common: they have been attacked by extremist forces before.<img src="/ASIS%20SM%20Callout%20Images/0418%20NS%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /> </p><p>While information about the methods and motivations of the attackers and the response by Afghan forces is slow to come to light, comparing the recent attacks with the ones from years past can reveal what has changed in Afghanistan—and what hasn't.</p><p>Hotel Intercontinental. Afghanistan's first international luxury hotel sits perched on top of a hill in western Kabul, projecting a fortresslike presence. The hotel was originally developed in the 1960s by InterContinental Hotels Group but has had no association with the chain since 1980, although it retains the name and logo. Scott Stewart, vice president of tactical analysis at Stratfor, notes that the use of the InterContinental brand might confuse tourists who think they will be getting a certain level of security. </p><p>In fact, the luxury hotel made the unusual move from using Afghan-provided security forces to private security just three weeks before the January attack. The timing of the exchange has raised questions about what role, if any, the new security team played in the attack.</p><p>Private security firms have been banned in Afghanistan since 2010 due to concerns about tribalism and a lack of oversight surrounding the personnel and weaponry brought into the country by private contractors. 
</p><p>Instead, the Afghan Ministry of Interior (MoI) provides police officers to guard checkpoints and businesses, although diplomatic facilities with existing private security can keep their contracts. </p><p>Mike O'Rourke, owner and CEO of consulting company Advanced Operational Concepts, says that before the rules were changed, many security contractors went unchecked and were run like warlord militias. "It was a big concern that they were more of a threat than a help," O'Rourke adds. </p><p>However, the MoI security personnel have come under scrutiny as well. Last summer, Afghan president Ashraf Ghani called the MoI "the heart of corruption in the security sector" and promised reform. </p><p>O'Rourke agrees that corruption is an issue, citing a high-level client conducting business in Afghanistan who wanted his own private security detail. The individual's solution was to bribe the MoI to name his security personnel as police officers. </p><p>"He had his trusted members as his personal security, but under the authority of the Afghan government," O'Rourke notes.</p><p>Afghan officials are still unsure why and how the transfer of the Intercontinental's security operations from the MoI to a private contractor occurred. </p><p>Preliminary reports found that the hotel's security personnel were largely unresponsive to the attack that occurred after militants bypassed two security checkpoints. Additionally, some of the attackers may have been able to access hotel guests via the kitchen, raising concerns about help from insiders.</p><p>The January attack appears to have been carried out by the Haqqani network—a Pakistan-based group aligned with the Taliban—and may have targeted foreigners. At least 14 of the 22 people killed were foreigners.</p><p>"One of the things that was very interesting in this attack is the limited death toll—these guys were specifically trying to avoid Afghan casualties," Stewart says. 
"There have been anecdotal accounts of them sparing several peoples' lives when they said they were Afghan."</p><p>Indeed, a Taliban spokesperson said that the attack had initially been planned for earlier in the week, but the hotel was hosting a wedding party and the attackers wanted to avoid civilian casualties.</p><p>Stewart came to a similar conclusion about the June 2011 attack on Hotel Intercontinental, in which several Taliban militants in suicide vests raided the compound, killing 12 people in an eight-hour period before they were killed. </p><p>In an article he wrote for Stratfor in 2011, Stewart pointed out that such attacks by the Taliban may have a relatively low death toll but strive to make sure the threat they pose is not forgotten. The 2011 attack was carried out while officials met in the hotel to discuss the transfer of security from international forces to Afghans—an event that the Taliban disapproved of.</p><p>Seven years later, Stewart says the core motives behind the attacks on the hotel haven't changed—they were intended to send a message. </p><p>"They really are trying to make a specific point and target a specific target," he says. "That also helps set themselves apart from ISIS in Afghanistan, which has a tendency to conduct more indiscriminate attacks. It's this counterinsurgency idea of winning hearts and minds—the Haqqanis and Taliban are playing the same card, trying to win hearts and minds and not using the same kind of over-the-top brutality that ISIS tends to use."</p><p>City center. The devastating blast occurred during rush hour in what is supposed to be one of the safest parts of the city. In an area with hospitals, schools, and local government and diplomatic buildings, police presence is heavy to provide heightened security. 
</p><p>The ambulance driven by the attackers was able to bypass the first checkpoint after claiming they were carrying a patient, but once they were stopped by officials at the second checkpoint, they detonated the bombs stored in the vehicle.</p><p>The Taliban claimed responsibility for the attack, although the U.S. government believes the Haqqani were the masterminds, according to officials. </p><p>"I think we need to understand that the Haqqanis just have very good tradecraft and connections—they have repeatedly shown the capability of getting small groups of terrorists into Kabul, and weapons for them," Stewart notes. "Despite the security that's in place, the Haqqanis have a long history of planning and executing these kinds of attacks, and that doesn't seem to be ending at all. They're very resourceful, adaptive attackers."</p><p>A Taliban spokesman said the attack was a response to U.S. President Donald Trump's recently announced plans to step up American involvement in the region. The Taliban also targeted police officers. But experts note that, given the location of the scheme, significant civilian casualties were bound to occur.</p><p>In fact, this attack was the deadliest to take place in Kabul since last year's bombing in the same area. That May 2017 attack killed more than 150 people less than a mile away from where the recent attack took place. Attackers detonated a bomb that was smuggled into the fortified area in a tanker truck used to clean out septic systems. No group has claimed the attack, but—once again—Haqqani forces are suspected. 
</p><p>Protests against the government occurred in the days following the 2017 attack, and O'Rourke says the more recent bombing may have had the same underlying intent—to sow discord between the Afghan government and citizens.</p><p>"The fact that these attacks are taking place in Kabul, and taking so many lives, shakes public confidence in the ability of President Ghani's government to keep Afghans safe in their nation's capital," O'Rourke says. "To me, making the government look ineffective is the strategic goal of these attacks. A colleague of mine is in Kabul now and the Afghans he talks to primarily blame their government, but they also believe the U.S.-led coalition could be doing more to improve security."</p><p>Military academy. ISIS carried out an early-morning attack against Afghan soldiers guarding a military academy. The attackers were armed with suicide vests, rocket-propelled grenades, and automatic weapons. It took five hours to subdue the five militants at the outer gates of the academy, and 11 Afghan soldiers were killed in the process. </p><p>Local officials say that the attack was not targeting the academy itself but the security forces at the perimeters. </p><p>The military base sustained another attack just last October, when a lone suicide bomber targeted a bus full of Afghan army cadets leaving the academy. Fifteen cadets were killed, and the Taliban claimed that attack. Like the recent ambush, the attack was carried out along the outer perimeter of the base, targeting a smaller group of soldiers instead of the hundreds within the facility. </p><p>The October attack was also a one-two punch by ISIS and the Taliban—less than 24 hours before the Taliban targeted the military academy, ISIS attacked a Shia Muslim mosque, killing more than 50 people. </p><p>Looking ahead. The fact that the same groups are carrying out the same attacks on the same places is not lost on Afghan citizens. 
Protests similar to those following the diplomatic quarter bombing last year sprang up after the recent nine days of carnage, with calls for a more secure city and a different approach to combating extremism.</p><p>And while the attack on the Intercontinental has raised questions about the role of private security in Kabul, O'Rourke says he believes it shows that more regulation is overdue.</p><p>"I don't know if it's going to tighten the reins or there will be more of a call for a private security industry where people can get their own vetted people licensed," O'Rourke says. "Not knowing the particulars at the Intercontinental, I don't know where they came from or who vetted them, nor do we know if it was a failure of private security or they were complicit in the attack."</p><p>It will take pressure from foreign governments and businesses to influence a change in the rules surrounding the use of private security forces, O'Rourke notes. Until then, locals and travelers alike will have to be extremely careful.</p><p>"If foreigners are going to go to Afghanistan and do business there and stay in places like the Intercontinental, and they can't rely on vetted security forces, they have to know they're accepting a great deal of risk," O'Rourke says.</p><p>Stewart agrees, suggesting practical travel security tips like staying on a lower floor of a hotel for ease of escape and packing items such as door wedges and smoke hoods in case of an emergency.</p><p>"People need to make sure they do good due diligence on those hotels before they book them in those kinds of conflict zones to make sure they have adequate security," Stewart says. "Additionally, they just really need to be prepared to take action. Be prepared to go into active shooter mode—the avoid, deny, defend approach. 
At the Intercontinental, it sounds like many people were able to flee or deny the attackers access to their location and survive despite the hours these guys were in this hotel."</p><p>Meanwhile, both the Taliban and ISIS continue to gain footholds in Afghanistan. One of the captured militants from the military academy attack led officials to an ISIS hideout in Kabul, filled with bombs, equipment, and plans to carry out three more attacks. And extensive research by the BBC reveals that the Taliban is active in 70 percent of the country, contradicting Afghan officials' declarations that it only has a presence in rural areas. </p><p>"Additional successful attacks will further erode popular confidence in the current government," O'Rourke says. "This loss of trust might be seen at the polls if Afghanistan manages to hold the parliamentary elections scheduled for this summer." ​</p>
<p><a href="https://sm.asisonline.org/Pages/The-Land-of-Plunder.aspx">The Land of Plunder?</a> (National Security)</p>
<p>For some, the idea of a corrupt state brings to mind a distant kleptocracy, rife with graft and embezzlement and absent any accountability, in which an elite few use their positions and connections to loot the public till.</p><p>But now, more and more Americans are seeing increased corruption closer to home, according to recent studies and expert opinion.</p><p>Nearly six in 10 Americans (58 percent) say that the level of corruption in the United States has increased in the past 12 months. In contrast, only about a third of Americans (34 percent) said the same back in January 2016, according to the U.S. Corruption Barometer 2017, a recent study conducted by Transparency International (TI). TI is a global organization aimed at fighting corruption; it has chapters in more than 100 countries.</p><p>In general, the TI report finds that the United States faces "a wide range of domestic challenges related to the abuse of entrusted power for private gain," which is TI's definition of corruption.</p><p>Trust in the U.S. federal government is low; the study found that 44 percent of Americans believe that "most" or "all" officials in the White House, including the president, are corrupt—up from 36 percent in 2016.</p><p>"That's a significant increase. We don't usually see the White House reaching these kinds of figures," explains Zoë Reiter, an interim representative to the United States and senior project leader with TI.<img src="/ASIS%20SM%20Callout%20Images/0418%20NT%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /> </p><p>The survey reflects a good "horizontal sample" of the U.S. population, and so the finding that almost half believe that corruption is pervasive among White House officials is "cause for concern," she says. 
"What it's telling you is there's a real loss of trust in our public institutions," she adds.</p><p>And the feds are not the only ones suffering from perceptions of corruption. Another report on U.S. corruption, issued in December by the Business Anti-Corruption Portal, found that 25 percent of Americans believe that their local government officials are corrupt. </p><p>The Anti-Corruption Portal, endorsed and sponsored by the European Commission, is an online resource for anti-corruption compliance. The portal is maintained by GAN Integrity Solutions, a professional services firm that specializes in compliance solutions.</p><p>GAN CEO Thomas Sehested says the increase in the perception of corruption is not surprising, given the current political climate and the frequent media stories about the inquiries into the Trump administration. </p><p>"The ongoing investigations into conflicts of interest and collusion of President Trump and his associates are having an impact on public sentiment," Sehested explains. "All of the news at the federal level is certainly trickling down to local governments, whether fairly or unfairly."</p><p>However, Sehested, who is also familiar with the TI report, says he was surprised by the sheer speed of the change. </p><p>"The most surprising was the increase in public sentiment around overall government corruption," he explains. "It was to be expected with all the headlines, but it has taken hold faster than initially thought."</p><p>The TI study also measured perceived corruption levels in specific U.S. institutions, and these varied. On the most corrupt end is the U.S. federal government; 38 percent of Americans say that most or all members of Congress are corrupt, and 44 percent (as mentioned above) say the same about White House officials. On the other end are judges and magistrates; only 16 percent of respondents say that most or all are corrupt. </p><p>Police are also near the low corruption end, but this finding differs with race. 
Overall, 20 percent of respondents believe that most or all U.S. police are corrupt, but almost one-third of African-Americans surveyed perceive the police as highly corrupt.</p><p>In terms of the specific types of corruption, respondents in the TI study say that their key issues of concern include the influence of wealthy individuals over the government; pay-to-play politics and the revolving door between elected officials and industry lobbyists; and the abuse of the U.S. financial system by both local elites and foreign officials on the take. </p><p>Such issues can create a vicious cycle. "Corruption and inequality can create fertile ground for populist leaders, but populist politics do little to actually stop corruption," the report says. "The findings of the U.S. Corruption Barometer 2017 reinforce this message."</p><p>In an interview, Reiter offers clarification; she says that the problem is not so much populism per se as leaders who make political promises that play on voters' fears and economic vulnerability, then leave them unfulfilled once they reach office. </p><p>Respondents also take a bleak view when it comes to government efforts—or lack thereof—in fighting corruption: nearly 7 out of 10 respondents (up from about half in 2016) say they believe the government is failing to fight corruption, the study found. </p><p>And when asked why they might not report corruption themselves, 55 percent of respondents (up from 31 percent in 2016) say fear of retaliation is the main reason. Still, 74 percent say they believe ordinary people can make a difference in opposing corruption.</p><p>On that front, TI makes five recommendations that government leaders can work toward to fight corruption. First, make all political spending truly transparent, so that the public can read about contributions online in real time. 
</p><p>Second, block the government-industry revolving door so that high-level government officials cannot easily become corporate lobbyists and draw on their connections. </p><p>Third, prevent the use of anonymous shell companies, which can be vehicles for illicit activity. Fourth, reinforce the independence and oversight capabilities of the U.S. Office of Government Ethics, and implement and improve regulations protecting whistleblowers who expose corruption by the government and its contractors. Fifth, give citizens more access to information about government operations, to empower the public to fight corruption.</p><p>As for private sector firms, Sehested recommends a practice that some CSOs and security departments are already involved in—implementing a properly designed corporate compliance program that includes well-defined training and policies, along with a due diligence program that allows the organization to continuously monitor all third parties.</p><p>Also, companies should encourage, and protect, whistleblowers. </p><p>"Making it easy for employees to report on any corruption that they are witness to, without risk of retaliation, is critical," Sehested says. </p><p>Moreover, it is important that all of these programs are documented and readily reported on in a single location. </p><p>"Self-reporting can save an organization significant amounts of money on potential fines," he explains, "and ongoing reporting allows the compliance team to take proactive actions against corruption, as opposed to waiting for something bad to happen." ​</p>
<p><a href="https://sm.asisonline.org/Pages/The-Price-of-Destruction.aspx">The Price of Destruction</a> (National Security)</p>
<p>"In 2017, the U.S. experienced a rare combination of high disaster frequency, disaster cost, and diversity of weather and climate extreme events," the U.S. National Oceanic and Atmospheric Administration (NOAA) says in a recent report. "Billion-dollar disasters occurred in six of the seven disaster event categories we analyze."</p><p>The final tally of destruction, calculated by NOAA's National Centers for Environmental Information, is a record breaker. Disasters caused $306 billion in total damage in 2017, making it the costliest U.S. disaster year since the agency started keeping track in 1980. The previous record was $215 billion (adjusted for inflation) in 2005, the year of Hurricanes Katrina, Rita, Dennis, and Wilma.</p><p>What made 2017 so costly? The bulk of the damage, $265 billion, came from Hurricanes Harvey, Irma, and Maria, which wreaked havoc on areas in the southern United States, the Caribbean, and Puerto Rico. The costliest was Harvey, which incurred $125 billion in damage, second only to Katrina's $160 billion in damage.</p><p>Billion-dollar disasters are nothing new; since 1980, the United States has suffered 215 disasters costing $1 billion or more, for a total of more than $1.2 trillion in damage, according to NOAA. But one of the features that distinguished 2017 was the quantity of billion-dollar disasters—16, which tied 2011 for the highest number of events.</p><p>These 16 disasters varied in nature. They began with a tornado and storms in the southern states, California flooding, and a damaging freeze in the Southeast. That spring brought a drought to the Dakotas and Montana. Hailstorms and severe weather came to Colorado in May and Minnesota in June. Western wildfires occurred in the summer and fall. 
The big trio of hurricanes hit in August and September.</p><p>Although hurricanes were the costliest disasters, wildfires were also exceptionally damaging. The fires burned more than 9.8 million acres, with cumulative costs approaching $18 billion. This was triple the previous wildfire cost record of $6 billion in 1991, according to NOAA.</p><p>Finally, one reason behind the damage increases is that there are more homes and businesses in harm's way.</p><p>"The increase in population and material wealth over the last several decades are an important factor for the increased damage potential," the report says. "…Many population centers and infrastructure exist in vulnerable areas like coasts and river floodplains, while building codes are often insufficient in reducing damage from extreme events."</p>
<p><a href="https://sm.asisonline.org/Pages/Four-Trends-That-Will-Shape-Recruiting-in-2018.aspx">Four Trends That Will Shape Recruiting in 2018</a> (Strategic Security)</p>
<p><em>Security Management</em> has partnered with the Society for Human Resource Management (SHRM) to bring you relevant articles on key management topics and strategies. This article by Roy Maurer discusses what diversity and inclusion mean in building a workforce.</p><p>--</p><p>This year, more employers hope to make progress in building inclusive workplaces through diversity recruiting efforts and will continue to experiment with new interviewing and selection techniques, according to experts.<br></p><p>Over 9,000 recruiters and hiring managers across the globe identified these trends, among others, as being the most impactful when surveyed by LinkedIn for the professional networking site's <a href="https://news.linkedin.com/2018/1/global-recruiting-trends-2018" target="_blank">Global Recruiting Trends 2018</a> report.</p><p>LinkedIn found more than half of companies already embrace recruiting for diversity, while novel interviewing and selection techniques have generated interest but not enough to knock the traditional, one-on-one interview off its pedestal.</p><h4>It's Not Diversity Without Inclusion</h4><p>Building a diverse team will be more than a nice-to-have, becoming a required leadership skillset, said Ashley Goldsmith, chief people officer for Workday, a finance and HR software company based in Pleasanton, Calif. 
"This new requirement will also be measurable with performance metrics tied to the makeup of teams," she said.</p><p>Some fundamental ways that recruiters can improve diversity in their organizations include conducting outreach in local communities; wording job postings to target diverse groups; showcasing diversity in recruitment marketing and interview panels; training interviewers about unconscious bias; and involving employee resource groups in the sourcing, recruiting and hiring process.</p><p>"Pretty much universally, this topic seems to be critical for most organizations, especially around gender balance," said Brendan Browne, LinkedIn's vice president of talent acquisition. He added that understanding how to source from diverse talent pools, trying to prevent bias in the assessment and hiring process, and evaluating workplace culture for inclusion are major steps employers can take to increase diversity.</p><p>More practitioners are realizing that hiring for diversity is not enough. Employers risk employee disengagement and attrition if diverse hires don't feel included and accepted.</p><p>"It doesn't matter that you hired more women or more of whatever it is you needed to look like a United Colors of Benetton ad," said Tim Sackett, SHRM-SCP, a recruiting industry thought leader and the president of HRU Technical Resources, an IT and engineering staffing firm in Lansing, Mich. "If those you hired don't feel like a part of the organization, you'll never keep them anyway."</p><p>This level of diversity is really hard, Sackett added. Practicing inclusion takes an entire overhaul of a company's culture and ongoing maintenance. "It's actually easy to check boxes and get to a point where you'll look politically correct as it relates to the diversity of your employees. 
It's super hard to get to a point where people feel like they truly belong."</p><p><a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/build-inclusive-culture-recruiting-diversity.aspx" target="_blank">HR needs to take a hard look at the organizational culture</a> to make sure that differing opinions are respected and people are encouraged to be themselves.</p><h4>Modifying Interviewing, Selection</h4><p>Traditional interviewing is costly and takes too long, and typical selection criteria don't result in effective candidate evaluations anyway, according to experts.</p><p>"It's kind of a disaster when you spend 20 hours of company time interviewing someone," Browne said. "Do candidates really need to meet with 10 or 12 people? If you've ever been on an interview and had to come back three or four or five times and meet more and more and more people, it's exhausting."</p><p>Instead, forward-looking companies are exploring <a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/predictive-assessments-insight-candidates-potential.aspx">skills assessments</a>, <a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/talent-auditions-interviewing-practices.aspx">job tryouts</a> and <a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/ditch-resumes-hire-for-learning-ability.aspx">hiring for potential instead of experience</a>. LinkedIn found that a majority of employers are interested in using:</p><ul><li><p>Online soft skills assessments that measure traits like teamwork and curiosity.<br></p></li><li><p>Job auditions, where candidates are paid to do real work while supervisors observe them. 
<br></p></li><li><p><a href="https://www.shrm.org/ResourcesAndTools/hr-topics/talent-acquisition/pages/team-interviewing-best-practices.aspx" target="_blank">Informal team interviews with potential co-workers</a>, where both sides have a chance to talk about the role and gauge whether there is a fit.<br></p></li></ul><p>Selection criteria are also undergoing a refresh. More employers struggling to find perfect candidates will adopt the mantra of hiring for attitude and training for technical skills, experts believe. "Not being 100-percent qualified is no longer a deal-breaker," said Matt Ferguson, CEO of talent acquisition solutions company CareerBuilder. He referenced a recent CareerBuilder survey that showed 66 percent of organizations plan to train new workers who may not have all the required skills but show potential to excel.</p><p>"While hard skills reign in sectors like technology and health care, less-teachable soft skills will continue to be critically important—even in a more technology-driven work environment," said Alan Stukalsky, chief digital officer for Randstad North America, the U.S. division of the global staffing and HR services provider. "Employers will increasingly focus on training new hires, especially when they find the culture fit they are looking for or superb soft skills."</p><p>That's exactly what Maren Hogan, CEO of Red Branch Media, an Omaha, Neb.-based B2B marketing firm for HR technology, does. "When I hire people, I'm not hiring a job description," she said. "When I'm looking to add another employee to my team, I'm looking at their attitude, how they approach communication with me, what it is that moves them and how they work best. Do they value learning and skill development?"</p><p>In addition to prehire assessments and informal group evaluations, Hogan recommended mapping out the type of personality you want in the role. 
"Considering what traits will provide value to your organization will give you a candidate persona that can lead everything—from where you advertise the job to the language used in the ad itself."</p><p><em>© 2018, SHRM. This article is reprinted from <a href="https://shrm.org/" target="_blank">https://shrm.org</a> with permission from SHRM. All rights reserved.</em><br></p>
<p><a href="https://sm.asisonline.org/Pages/Shooting-at-Maryland-High-School-Leaves-One-Dead;-SRO-Ends-Threat.aspx">Shooting at Maryland High School Leaves One Dead; SRO Ends Threat</a> (Security by Industry)</p>
<p>A shooting at a <a href="https://www.cnn.com/2018/03/20/us/great-mills-high-school-shooting/index.html" target="_blank">Maryland high school has left one person dead</a> and two injured, all before a school resource officer engaged the gunman and ended the threat.</p><p>St. Mary’s County Sheriff Tim Cameron told CNN a male student is in stable condition and a female student in critical condition after the incident. The shooter was later pronounced dead.</p><p>“The school resource officer fired a round at the shooter, and the shooter fired a round as well, but the officer was not injured,” CNN reports.</p><p>In an email to <em>Security Management</em> magazine, Mo Canady, executive director of the National Association of School Resource Officers, says the organization is "very pleased with the actions of the SRO."<br></p><p>The gunman has been identified as Austin Wyatt Rollins, 17; the sheriff's office says it is unclear whether he died of a self-inflicted gunshot wound or from the SRO's bullet. The investigation is ongoing.</p><p>Original reports said that three people had been injured in the shooting at Great Mills High School; the campus was on lockdown for a brief time and students were evacuated to a nearby school that served as a reunification center.<br></p><p>The FBI’s Baltimore field office posted on Twitter that its agents are on the scene of the incident, as well as agents from the U.S. Federal Bureau of Alcohol, Tobacco, and Firearms. 
The FBI is requesting that anyone with information related to the shooting contact its office.<br></p><p>As CNN reports, this shooting is the 17th at a school in the United States this year. The school had drilled for this type of situation a couple of times in the past, according to a student who called the media outlet from inside the school during the lockdown.</p>
<p><a href="https://sm.asisonline.org/Pages/Starting-from-the-End---Creating-a-Master-Security-Plan.aspx">Starting from the End: Creating a Master Security Plan</a> (Strategic Security)</p>
<p>My grandfather once told me, "If you build a levee six feet high but the water rises to seven, you've wasted 100 percent of your investment. But if you build that levee to eight feet, and the water rises to seven, no one will care about the over-investment."</p><p>A good master security plan helps you spec and budget for that seven-foot flood with an eight-foot levee. And ultimately, a good plan leads to a good security system.</p><p><em>That's what one of our clients, a large private university in the Puget Sound region of Washington State, discovered when we went through the planning process for its access control and video surveillance system. In developing the master security plan, we realized that just expanding the existing systems would not meet the school's future needs, and updating the systems as an interim step would ultimately be more expensive than putting in new systems.</em></p><p>So how should a security manager develop an effective plan? Here are my suggestions for best practices in creating a master security plan, based on 30 years' experience in the facility vulnerability sector.</p><p><strong>Start at the End</strong></p><p>Where do you want to be in five, 10, or 15 years? Once that is established, work backwards from there. If you have a vision for your security plan, you can build in enough flexibility to get there without having to rip and replace every few years, and you can identify long-term cost savings and operational efficiencies along the way.</p><p>For example, what if, someday, your access control system could interact with the IT system to enhance network logins? 
Or if the video surveillance system could automatically release the car gate when the correct license plate is read?</p><p><em>Looking at the ultimate goals of our university client, we discovered that what managers really wanted was an integrated video and access control system, with higher-resolution security cameras. While that decision meant delaying implementation of some access points and cameras, choosing flexibility was a better long-term decision to meet the organization's security goals.</em></p><p><strong>Keep Going Broader</strong></p><p>Once you have your video surveillance and access control needs handled, look for additional opportunities and vulnerabilities. For example, look at how you can leverage existing video data for business goals, such as reducing inventory waste or improving worker productivity. Look for ways to integrate systems to reduce security headcount. Integrate physical security with cybersecurity systems to reduce human-created security vulnerabilities. Think big so you can do more than protect; you can also help your business thrive.</p><p><em>In our example, the college wanted to ultimately create a single card that would act as a student ID, a food service card, a library card, and an access control card. While this integration would save money down the line, we needed to bring several different departments together to make sure that their interests would align. We ended up selecting a slightly more expensive card than it had been using—but the selected card had a proximity chip, a chip for financial information, and a bar code for library information. Everyone got what they wanted, and the cost was lower than purchasing four separate cards.</em></p><p><strong>Ask the Hard Questions</strong></p><p>These are the questions that are hard to consider because the answers may be embarrassing, or they require negotiations between groups, or they require more resources. Some examples follow. 
</p><ul><li>Are there hidden security flaws in our facility? How do we find them?  </li><li>What are the known issues and what capacity for the unknowns should we build in? </li><li>What have we learned from past crises? ​</li><li>Where do we think emerging threats will come from?</li><li>How do we navigate between competing agendas?</li><br></ul><p><em>College administrators had to consider choices such as spending on beautiful landscaping versus creating a safe environment. Other hard questions arose. For example, one department wanted a single-use card, but others preferred a multi-use card. </em></p><p><strong>​Focus on the Future</strong> </p><p>Make sure your plan will help you grow. That means searching for products that can be integrated, that are scalable, and that can segment data and reports. It may also mean installing a larger conduit than you currently need or choosing the vendor that has a scalable architecture. And it requires investing more today to save on ongoing maintenance and configuration costs tomorrow.</p><p><em>In the college's case, its existing video surveillance system was entirely centralized and was not capable of communicating with the access control system. It couldn't record high enough quality images to meet the ultimate surveillance goals.</em><em>  </em><em>The access control system also had issues. It was at the end of its lifecycle and would not be supported within a few years, and its software was antiquated and incapable of integration with other systems.</em><em>  </em></p><p><em>For the college, the least expensive decision today would have meant a lot more investment in the future. Thus, we oversized the new server to handle additional video surveillance needs in the future. In addition, as the college added new buildings, we made sure they were integrating a higher wire volume than current needs, as well as building in access control during construction. 
This last element can reduce access control costs dramatically.</em></p><p>When you apply these best practices in developing master security plans, you make better decisions.  </p><p><em>Erick Slabaugh has more than 30 years of experience in the specialty contracting industry and is a serial entrepreneur.  He is CEO and majority stockholder of Absco Solutions and founder and CEO of FCP Insight, a SaaS business solution for specialty contractors.</em>​</p>
https://sm.asisonline.org/Pages/ESTRATEGIAS-DE-CONTENCIÓN.aspx​ESTRATEGIAS DE CONTENCIÓN​GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p style="text-align:justify;">Más de 200 laboratorios en los Estados Unidos de América llevan a cabo investigaciones sobre patógenos peligrosos, tales como la bacteria del ántrax y el virus del Ébola. A éstos se les llama laboratorios de alta contención. En ocasiones, ocurren en ellos lapsos de seguridad.</p><p style="text-align:justify;">Por ejemplo, en Mayo de 2015, el Departamento de Defensa de USA (DoD) descubrió que uno de sus laboratorios había envíado inadvertidamente bacterias vivas de ántrax a cerca de otros 200 laboratorios alrededor del mundo, a lo largo de 12 años.</p><p style="text-align:justify;">Luego, a fines de 2016, el Departamento de Seguridad Nacional (DHS) descubrió que un laboratorio privado había envíado involuntariamente una forma potencialmente letal de ricina a uno de sus centros de entrenamiento en múltiples ocasiones desde el 2011. (Para un mayor trasfondo de Security Management sobre brechas a la seguridad de laboratorios, vea "Lax Lab Safety", de Noviembre de 2014)</p><p style="text-align:justify;">Dados estos lapsos, la Oficina de Responsabilidad Gubernamental (GAO) examinó recientemente la supervisión de esos laboratorios. 
Bajo el sistema actual, los laboratorios de alta contención son regulados por el Programa Federal de Agentes Selectos, el cual fue establecido para regular el uso y traslado de agentes selectos en respuesta a las preocupaciones de seguridad que siguieron a los ataques bioterroristas de los 1990 y principios de los 2000.</p><p style="text-align:justify;">Dos agencias comparten las responsabilidades de supervisión de este programa: la División de Agentes y Toxinas Selectos de los Centros para e Control y Prevención de Enfermedades (CDC) y los Servicios de Agentes Selectos en la Agricultura dentro del Servicio de Inspección de Salud de Animales y Plantas (APHIS).</p><p style="text-align:justify;">Para medir este control, la GAO formuló cinco elementos clave para la supervisión efectiva de programas en los que eventos adversos de baja probabilidad (tales como un derrame tóxico) podrían tener efectos trascendentales.</p><p style="text-align:justify;"><strong>Independencia.</strong> La organización conduciendo la supervisión debería ser estructuralmente distinta y separada de las entidades que observa.</p><p style="text-align:justify;"><strong>Habilidad para realizar revisiones.</strong> La organización debería tener el acceso y el conocimiento de trabajo necesarios para auditar el cumplimiento de los requisitos. 
</p><p style="text-align:justify;"><strong>Experticia técnica.</strong> La organización debería contar con suficiente personal con la pericia necesaria para realizar evaluaciones sólidas de seguridad contra delitos y accidentes.</p><p style="text-align:justify;"><strong>Transparencia.</strong> La organización debería proveer acceso a información clave, cuando sea aplicable, a aquellos mayormente afectado por las operaciones.</p><p style="text-align:justify;"><strong>Autoridad de imposición.</strong> La organización debería tener una autoridad clara y suficiente para requerirle a las entidades que alcancen el cumplimiento de los requisitos.</p><p style="text-align:justify;">El informe de la GAO se concentró en dos preguntas. ¿Tiene el Programa de Agentes Selectos una supervisión efectiva, y guían sus documentos de planificación estratégica a sus esfuerzos de supervisión? ¿Qué formas de promover una supervisión efectiva han empleado otros países y sectores reguladores seleccionados (tales como el Reino Unido o Canadá)?</p><p style="text-align:justify;">En primer lugar, la GAO manifestó que la supervisión del Programa de Agentes Selectos resulta a veces inadecuada. El programa no es siempre estructuralmente distinto y separado de los laboratorios que observa,  por lo que no cumple con el componente clave de independencia.</p><p style="text-align:justify;">El programa también se quedó corto en el área de realizar revisiones, exhibió la GAO. No había garantías de que las revisiones del programa estaban apuntando a las actividades de más alto riesgo porque el programa no había evaluado qué actividades eran las que posaban un mayor riesgo. 
In addition, the program does not have joint strategic planning documents, such as a joint work plan, to guide its collective oversight efforts.</p><p style="text-align:justify;">Second, the report determined that the program could learn from other countries when it comes to oversight.</p><p style="text-align:justify;">For example, the United Kingdom's Health and Safety Executive, which oversees laboratories that work with pathogens, is an independent government agency, separate from all the laboratories it supervises.</p><p style="text-align:justify;">And when it comes to reviews, regulators in both the United Kingdom and Canada use a risk-based approach, assessing laboratories and then targeting those that conduct high-risk activities or have a documented history of performance problems.</p><p>In response to the report, the Departments of Agriculture and of Health and Human Services will outline the actions they are going to take to improve their oversight.</p><p><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Management<em> is not responsible for errors in translation. Readers can refer to the </em><a href="/Pages/Containment-Strategies.aspx" target="_blank"><em>original English version here.</em></a><br></p>
https://sm.asisonline.org/Pages/Missed-Deadline.aspx | Missed Deadline | Cybersecurity
<p>It's always tempting to put off till tomorrow what could be done today—especially if there are several years between now and the time that a goal needs to be accomplished.</p><p>Such is the case with the upcoming European Union General Data Protection Regulation (GDPR) compliance deadline on May 25, 2018, when regulators will begin to issue fines to companies not abiding by the regulation's vast new privacy and security requirements.</p><p>"It is like a truck fast approaching us," says Ann LaFrance, partner and coleader of Squire Patton Boggs' Data Privacy and Cybersecurity practice. "We're getting an avalanche now of interest and requests for proposals, and clients are really now starting to focus on this. Why they waited till the last six months? Who knows. But at least they are now seriously starting to focus."</p><p>The GDPR was first drafted in 2012 as part of the EU's push for a Digital Single Market. The regulation lays out the rights EU citizens have in regard to their personal data and how data controllers and processors respect those rights. The regulation guarantees EU citizens the right to be forgotten, easier access to personal data, data portability, data breach requirements, data protection by design and default, and stronger enforcement of those requirements.</p><p>The EU Parliament approved the regulation in April 2016, and Jan Philipp Albrecht—who steered the legislation through—called it a victory for consumers and businesses alike.<img src="/ASIS%20SM%20Callout%20Images/0318%20Cyber%20Fact%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:277px;" /></p><p>"The General Data Protection Regulation makes a high-uniform level of data protection throughout the EU a reality," he said in a statement. 
"Citizens will be able to decide for themselves which personal information they want to share. The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty, and fairer competition."</p><p>Organizations that conduct business in Europe were given a little more than two years to become compliant with the new regulation, before fines of up to 4 percent of global turnover kick in. During that window, the Article 29 Working Party—as well as other advisory bodies—have issued guidance about how to implement GDPR. On May 25, the working party will be succeeded by the European Data Protection Board (EDPB) to ensure that GDPR is consistently applied throughout the EU.</p><p>"To achieve this, the EDPB will be empowered to issue opinions or authorizations regarding a variety of matters, such as Binding Corporate Rules, certification criteria, and codes of conduct used by companies; to adopt binding decisions, especially to ensure consistency between supervisory authorities; and to issue opinions and guidance on relevant issues concerning the interpretation and application of the GDPR," according to a fact sheet.</p><p>And while organizations have had two years to come into compliance, LaFrance says she is doubtful that most companies will be fully compliant by the deadline. </p><p>One reason is that many businesses may wrongly assume that the GDPR does not apply to them because they're not based in Europe. Others, LaFrance says, do not understand the scope of GDPR and are struggling to become compliant.</p><p>"The problem is there's cognitive dissonance about what GDPR is all about," she explains. 
Non-EU based companies "think that it's mainly about IT security, IT systems, and security around them, and in fact that's only one piece of the overall pie."</p><p>Instead, GDPR cuts to the heart of what those systems do—store and transfer data—and requires organizations to integrate privacy and security into their overall business processes. For instance, GDPR requires organizations to map their data and how it's collected.</p><p>"This is a very expensive exercise these companies are going to have to go through, and they don't really understand before they get started the breadth of the task ahead of them," LaFrance says. "So, when they hire you and you start telling them this, there's an 'OMG' moment."</p><p>Because of these factors, LaFrance says some small businesses with less data might be compliant by the deadline, but most organizations will not be. Companies will also have to reassess their third-party vendors to ensure agreements with them are GDPR compliant, which can be a time-consuming process.</p><p>"The normal company will have 20 or 30 outsourcing agreements," LaFrance says. "And you've got to go through and renegotiate all of those agreements so that they are GDPR compliant. It's a huge task. And it could be very expensive because the counter party might say, 'Yeah, we'll sign up for that but it's going to cost you more.'"</p><p>And in fact, companies are expecting to spend billions on GDPR compliance over the next year, according to the International Association of Privacy Professionals (IAPP) Annual Privacy Governance Report. </p><p>The report—sponsored by Ernst & Young—surveys roughly 600 privacy professionals about their size of staff, priorities, and expenditures for the year. 
In the 2017 survey, IAPP Content Director Sam Pfeifle says respondents indicated that the global 500 will spend $7.8 billion on GDPR compliance out of a combined annual revenue of $26 trillion.</p><p>"It's not a huge number—we're not trying to say this is equivalent to Sarbanes Oxley," Pfeifle says, but he adds that it is a massive increase from 2001 when IAPP was created and organizations were only spending millions on privacy. </p><p>"It wasn't a thing unless you were in the healthcare space or in financial services," he adds. And typically, these organizations had a small department that was compliance focused and working with development teams at the later stages of development.</p><p>"It was really just people bringing you something at the end of the product development lifecycle and asking: 'Is this legal?'" he says. "You'd say, 'Yeah, it's legal.' You'd check the box and off you'd go."</p><p>GDPR, on the other hand, requires that privacy and security be built into all business processes. To do this, companies are spending in a variety of ways, including adjusting the products and services they deliver.</p><p>For instance, Pfeifle gives the example of checking into a hotel and signing up for complimentary Wi-Fi. In the past, when guests would go through that process they would fill out a form that had a prechecked box indicating they wanted to receive promotional emails from the hotel. They would have to opt-out not to receive those emails.</p><p>"In the GDPR, you have privacy by default," Pfeifle says. "Which means that you cannot precheck those boxes. 
So, someone is going to have to go and recode that page to make it so that box is not prechecked."</p><p>For smaller companies, that could be a low spend, but for large corporations that are consumer facing—like Amazon—that could be vastly more expensive.</p><p>The other areas that organizations are spending on to become GDPR compliant include staffing, such as internal staff to conduct privacy impact assessments, and outside counsel and consultants that specialize in privacy and privacy management technology.</p><p>"We're now seeing software packages that are specifically designed for managing privacy impact assessments—you can assign tasks, you can do reporting, you can have threat dashboards," Pfeifle says. "A lot of them mimic security management software."</p><p>These efforts are helping organizations move towards compliance, which is critical: only 40 percent of those surveyed by IAPP said they expected to be compliant with GDPR by the deadline.</p><p>"More important than being compliant is being able to demonstrate that you're making the attempt," Pfeifle says. "If a regulator showed up at your door and said, 'Show us you are compliant with the GDPR,' how would you do that? That's what the GDPR asks you to do."</p><p>LaFrance's views mirror Pfeifle's, because—in her opinion—regulators will be looking for organizations to make a good faith effort towards compliance. 
</p><p>"For the most part, if you've made a good faith effort to get a plan in place and you've taken the steps that you can between now and May to really get the ship moving in the right direction with a plan to sort things out by the end of the year, you'll be given a good pat on the back by any regulator that is going to do a spot audit of your records," she explains.</p><p>Some companies, however, might face more scrutiny after the deadline than others, such as those that are consumer facing and, if compromised, could create significant legal or economic consequences for consumers.</p><p>"I think they'll also consider whether there have been complaints by individuals or if there have been a number of reported data breaches," LaFrance says. "Regulators might look then to see if there have been lots of repeat offenders, and then go and do an audit. I imagine they will try to start with the obvious."  ​</p>
https://sm.asisonline.org/Pages/March-2018-ASIS-News.aspx | March 2018 ASIS News | Strategic Security
<h4>Leadership Conference Sets the Course</h4><p>More than 200 ASIS volunteer leaders—council presidents, chapter chairs, Board members, and more—gathered at the Ritz-Carlton Pentagon City in Arlington, Virginia, USA, January 17-19 for the Society's annual leadership workshop and conference.</p><p>Over the course of three days, ASIS leadership helped develop strategic priorities and participated in sessions matching the conference theme: Educate. Engage. Empower. Attendees heard from diversity and inclusion experts and studied best practices for successfully managing volunteers.</p><p>The program included an update on the ASIS Strategic Plan from ASIS International CEO Peter J. O'Neil, CAE, and Senior Manager Adam Savino. O'Neil and Savino touched upon progress made regarding Board directives, which include branding, global network, professional competency, organization and operations performance, knowledge and learning, and enterprise security risk management. </p><p>The ASIS Foundation's Scouting the Future research workshop identified issues that today's security managers consider most important in the years ahead. Attendees were presented with 15 different change drivers affecting the security industry, and were asked to choose which of these topics they consider most pressing. Their responses will inform ASIS Foundation research over the coming months.</p><p>On January 18 the Society held its Annual Business Meeting. ASIS International Chairman of the Board Thomas J. Langer, CPP, began by honoring David C. Davis, CPP, and Darryl Branham, CPP, for their service on the Board of Directors. Next, more volunteer leaders were honored for their extraordinary service to the Society. 
Bob Oatman, CPP, was named the 2017 Council Chairman of the Year for his leadership of the Executive Protection Council. Marco Meza Sandoval, Region 7C, was named 2017 Regional Vice President of the Year, and Bob Johnson, CPP, Group 5, was named 2017 Senior Regional Vice President of the Year. </p><p>Christina Duffey, CPP, presented the treasurer's report, which provided an overview of the financial health of ASIS, and 2018 President Dick Chase, CPP, PCI, PSP, outlined his priorities for 2018. </p><p>Evening events included a Casino Night, which raised more than $5,000 for the ASIS Foundation, and the President's Reception, which celebrated the start of Chase's tenure as president.  </p><p>The conference concluded with a presentation by the FBI and volunteer roundtables. To view event pictures, visit flickr.com/asisinternational.​</p><h4>Certification Program Enhancements</h4><p>Together with the new ASIS website launch in late January, the Society introduced a new certification application process that makes it easier for candidates to understand exam requirements and apply for certification. The Professional Certification Board implemented several changes to its policies in support of the new application process.</p><p>Newly certified professionals' three-year certification cycle begins on the day they pass the exam and ends three years later, at the end of that month. Those whose cycles end on December 31 will continue to have their cycles end at the close of the calendar year. </p><p>Those who sit for the exam three times during their two-year testing eligibility period without passing it may reapply as soon as their eligibility period expires (but at least 90 days after their third attempt). Previously, candidates had to wait 18 months from the time of the third attempt.</p><p>As part of the new user-friendly recertification application process, ASIS staff will no longer verify each continuing professional education credit (CPE) as it is reported. 
As before, certificants will use the online application to keep track of CPEs as they are earned. When they submit their recertification applications, the CPEs will be reviewed all at once.</p><p>The grace period for recertifying after a certification cycle ends has been reduced from one year to three months. Additionally, all CPEs must be completed during the three-year cycle (none during the grace period). </p><p>"These changes will make it easier than ever for security professionals to become certified and stay certified," says ASIS International Certification Director Gayle Rosnick. "These updates will help lay the groundwork to support a larger and broader pool of certificants in the years to come."</p><p>In addition, the Certification Department has received Board approval to begin investigating an early-career certification. In January a dozen early careerists attended a two-day program at ASIS headquarters to determine the relevant competencies for a new early-career security management certification. Work will continue on this initiative throughout 2018.</p><p>For more information or to learn how you can pursue ASIS board certification, visit asisonline.org.​ </p><h4>Lifetime Certifications</h4><p>Congratulations to these individuals who have achieved lifetime certification.</p><p>•             Krishnamoorthy Arunasalam, CPP</p><p>•             Paul Stewart Barker, CPP</p><p>•             Fred A. Buran, CPP</p><p>•             Dennis G. Byerly, CPP</p><p>•             Jose E. Campos, CPP</p><p>•             Salvatore P. DeCarlo, Jr., CPP</p><p>•             Cheryl D. Elliott, CPP, PCI</p><p>•             Jeffrey J. Haykin, CPP</p><p>•             Pearse Healy, CPP</p><p>•             Eugene Hermanny, CPP</p><p>•             Dan Jenkins, CPP</p><p>•             Garrett J. Ochalek, CPP</p><p>•             Shirley A. Pierini, CPP, PCI</p><p>•             Robert C. Quigley, CPP</p><p>•             Craig P. Remsburg, CPP</p><p>•             Thomas J. 
Rohr, Sr., CPP</p><p>•             John R. Ryan, CPP</p><p>•             Kathleen A. Sowder, CPP</p><p>•             Scott Wells, CPP</p><p>•             Ian G. Wing, CPP</p><p>•             Christopher D. Yokley, CPP​</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Manager's Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security</em>. By Brian J. Allen, CPP, and Rachelle Loyear. Rothstein Publishing; Rothstein.com; ebook; $14.49.</p><p>The security landscape is evolving at an enormous speed. Volatility, uncertainty, complexity, and ambiguity are the new normal. So, how do you address security challenges in such an environment? The answer is through enterprise security risk management (ESRM), an integrated risk-based approach to managing security risks. It brings together cyber, information, physical security, asset management, and business continuity. ASIS has made ESRM a global strategic priority.</p><p>In the <em>Manager's Guide to Enterprise Security Risk Management,</em> authors Allen and Loyear provide a comprehensive overview of the principles and applications underlying the ESRM philosophy. They set the stage in the first part of the book with an introduction to ESRM and share some important insights on the differences between traditional security and the ESRM approach, illustrating their points with examples.</p><p>The second part of the book guides the reader through the implementation of an ESRM program. One excellent chapter promotes design thinking as a conceptual model for ESRM. A design thinking approach can provide a unique platform for innovation and overcoming new security challenges.</p><p>Finally, the book provides insights and strategies to ensure the success of the ESRM program. 
It explains what an executive needs to know about ESRM, and gives readers the tools to succeed.</p><p>In sum, this guide accomplishes exactly what it set out to do—provide security leaders and managers with the principles and applications to explore, design, implement, and secure the success of an ESRM program. </p><p>Note: The authors of this book recently published a more detailed look at ESRM in <em>Enterprise Security Risk Management: Concepts and Applications</em>, also published by Rothstein.</p><p><em>Reviewer: Rachid Kerkab has almost two decades of experience in criminology, security strategy, risk, and resilience. He is a member of ASIS. ​</em></p>
https://sm.asisonline.org/Pages/Four-Challenges-Facing-Aviation-Security.aspx | Four Challenges Facing Aviation Security | Physical Security
<p>Anthony McGinty, CPP, is a Senior Intelligence Analyst with CSRA Inc., contracted to Los Angeles International Airport. He is a member of the ASIS Global Terrorism, Political Instability, and International Crime Council. </p><p><strong>1. Airports as cities.</strong> Traditional city problems are finding their way into airports—the homeless, the mentally ill, drug abuse, petty and complex crime, and civil disobedience. For law enforcement and security agencies, the challenge is to simultaneously perform first-responder duties while identifying high-consequence threats to aviation operations. Both require specific, distinct skill sets. Security directors need to balance assets, personnel, and operations to mitigate both public disorder and homeland security risks.</p><p><strong>2. International terrorism.</strong> Commercial aviation will remain an attractive target for militant groups and extremists. The public side of airports—curbside to security screening—is vulnerable to an array of terrorist attacks, including active shooters, luggage filled with explosives, weaponized drones, and vehicle ramming. Thousands of militants, technically proficient and ideologically motivated, who are returning from the failing ISIS caliphate may regroup under new flags, join al Qaeda affiliates, or act independently. </p><p><strong>3. In-flight disruptions. </strong>On a weekly basis, media reports and Internet videos display the latest outrage inside aircraft cabins—brawling, drunken rants, sexual assaults, and defying flight attendants. This trend of in-flight disputes and violence at 35,000 feet is potentially dangerous. 
Short of placing a security officer on board, solutions may involve institutional changes in the flight crew-to-passenger relationship. For example, instances of human traffickers using commercial airlines are so common now that flight crews are being trained to spot indicators and act. This is a further example of the changing role of flight crews from comforters to enforcers.</p><p><strong>4. Insider threat. </strong>Terrorist groups may enlist airport employees to circumvent security screening—especially employees with direct access to aircraft. Employees have also smuggled drugs, weapons, and other contraband. Just one radicalized or disgruntled employee can commit an act that leads to a catastrophic incident, which makes addressing insider threats a priority. Airports and airlines are implementing their own strategies to mitigate this threat. Mostly, this effort has involved security screening of all—or select—employees prior to entering restricted zones. Technology may support this effort as well. New analytics capabilities embedded in video and access control systems can provide a sophisticated surveillance tool. Self-policing with a rigorous, internal "See Something, Say Something" effort is essential.   ​</p>
https://sm.asisonline.org/Pages/Book-Review---Supply-Chain-Security.aspx | Book Review: Supply Chain Security | Physical Security
<p><em>Butterworth-Heinemann; Elsevier.com; 200 pages; $49.95.</em></p><p>Anyone who intends to enter the realm of supply chains and logistics must read <em>Global Supply Chain Security and Management. </em>Author Darren Prokop brings vast experience in the academic and practical worlds of supply chain management to this book. He goes the extra mile to package a tremendous amount of critical information in a compact volume to produce an easy-to-read narrative and valuable reference guide to these types of global operations.  </p><p>Not only does the book identify the threats of today and tomorrow, it also provides useful insight on how to combat them. Going beyond the issues of insider/outsider theft and shipping damage, Prokop redefines the threat to include terrorism and natural disasters. He adds key chapters on topics of human and natural threats, information technology, and risk mitigation. </p><p>Prokop introduces the concept of game theory in the synergies between players in the global shipping arena, and he explains how a competitive situation may morph into a cooperative one. He points out the dual role that government plays in the global shipping effort—serving as both a policing agent and a supply chain partner. Key take-aways include recent U.S. regulatory decisions, the latest technologies for securing infrastructures, and up-to-date theories and techniques of industrial organization and security.</p><p>This book is an excellent tool for faculty and students of security management and supply chain management. 
Security practitioners in other disciplines would do well to add it to their professional libraries, as well.</p><p><em>Reviewer: Terry Lee Wettig, CPP, is an independent security consultant who served 10 years as director of risk management with Brink's Incorporated. A retired U.S. Air Force chief master sergeant, he is currently a doctoral candidate specializing in organizational psychology. He is an ASIS member. ​</em></p>
https://sm.asisonline.org/Pages/Coachable-Employees.aspx | Coachable Employees | Strategic Security
<p>The latest <em>State of the American Workplace</em> report, the Gallup company's look at management practices in the U.S. workplace, contains some grim news. A clear majority of employees are not engaged with their jobs, and employers are finding it increasingly hard to retain quality workers. "The very practice of management no longer works," Gallup Chairman and CEO Jim Clifton says in the report, which was published last year.</p><p>But the experts at Gallup also argue that employee engagement and retention can be markedly improved—through effective coaching. Managers who are effective coaches often possess certain abilities and attributes: they are usually clear and insightful explainers; they have an aptitude for building on an employee's strengths; they are adept at working with different learning styles; and they can maintain patience in the face of mistakes.</p><p>But effective coaching is a two-way process. And just as talented coaches share certain traits, employees who are highly coachable often possess a cluster of certain qualities and abilities. 
These attributes can be thought of as "green flags"—indicators that the employee is driven and prepared to grow and improve on their existing skill sets, to learn new skills, and to "correct performance without resentment," in the words of legendary UCLA basketball coach John Wooden.</p><p>In the security field, these green flags can include demonstrated honesty, adaptability to change, intellectual curiosity and love of learning, interpersonal skills, attention to detail, problem-solving abilities, resourceful thinking, safety awareness, a reasonable level of suspiciousness, and emotional intelligence.</p><p>Smart security managers have realized that these green flags often serve as predictors of future success, and so they have focused on fine tuning this list of qualities and attributes. It has value in the screening and hiring process, as well as in managing employees once they are hired, especially in organizations that are going through performance changes or improvements.</p><p>And being coachable is not just important for front-line security workers. Managers, too, need to remain coachable, so that they can continue to improve and grow, and ultimately become better coaches.  </p><p>The following examples are taken from real-world situations in the security industry—the names of the managers have been changed—and illustrate these concepts. They provide best practice guidance for security leaders on what to look for in terms of an employee's coachable potential, and how managers can also benefit from becoming more coachable themselves. ​</p><h4>Success via Coachability</h4><p>John Smith worked in the criminal justice public sector for a little over 20 years in the Midwest. Under his leadership, his department achieved and maintained accreditation, with high scores on all metrics. 
Turnover in John's department was low; he had helped build a positive team atmosphere with high levels of employee engagement and job satisfaction.</p><p>Still, John silently complained to himself about being overworked and underpaid. One day, he saw a security director position advertised by a privately owned security company in the Omaha area. He decided it was time for him to put up or shut up, and see if he could get paid his real worth. So, John moved forward on this new opportunity, and in so doing stumbled upon the importance of coachability.</p><p>As it happened, the owner of the security company in question also ran the largest maid service franchise in the world and was a graduate of Harvard Business School. John was applying for the position of general manager; the previous general manager was a retired FBI agent who at first dazzled the owner with his training and work history, but soon showed that he lacked the main ingredient the owner needed to grow the security company—coachability. And so, it wasn't long before both decided to end the relationship.</p><p>Conversely, John possessed a few green flags of coachability the owner wanted to see in the applicant for his open general manager position—adaptability, intellectual curiosity, and a penchant for further learning and improvement.</p><p>During the interview and candidate evaluation process, these qualities became evident to the owner. For example, John discussed how he had adjusted to living in a foreign country during his public-sector career. Before that, he had successfully changed careers from mental health to corrections. He had completed his master's degree, which reflected an interest in further learning. He demonstrated that he was interested in moving from a safe, structured public service job to the greater unknowns of the private sector, where he would have to think on his feet and create the structure that worked best for the company. 
Throughout the interview, John asked insightful questions that showed strong intellectual curiosity. </p><p>These attributes made the owner feel he was hiring what he needed most—a security manager whom he could mentor so that the manager would develop his own coaching skills to build the right workforce. </p><p>John got the job, and went on to a second career in the private sector, where he thrived for another 20 years. He was especially successful in recruiting and hiring an impressive team to grow the business. In hiring, he didn't look for clones of himself in terms of education, skill sets, and temperament. Rather, the common denominator he did look for was an insatiable drive to learn, grow, and improve, which was usually accompanied by high engagement with and passion for the work.​</p><h4>Coachability for Managers</h4><p>As a security manager for a medium-sized corporation on the East Coast, Mary Jones learned the importance of coachability and how it complemented the two-way management style she had learned in earlier training. </p><p>She decided to take on her company's two-pronged problem of hiring and retention; she set her sights on reducing the failures of bad hiring and the costs of high turnover. Mary realized that identifying the green flags of highly coachable applicants went a long way toward making better hires, and she became proficient in determining this by asking probing questions during the interview process. </p><p>One such question was: "When you start a new job, do you prefer to look for opportunities to apply what you already know from past experience, or do you try to learn something new about what you don't know? Tell me about how you learned about which way to approach a job to get the best results?"</p><p>Another question was: "Tell me about a situation in which you thought you knew how to solve a difficult problem, but, as it turned out, you didn't. 
What did you learn from this experience, and what did you change in your approach to problem solving?" Another follow-up question she used was: "How do you think problem-solving skills can be best developed with new employees? Is that the way you would have liked to have been taught, or do you have other ideas on this?" </p><p>She then helped her HR manager become adept at this type of interviewing, so the manager could use it when interviewing security officers. She started by explaining the value of using real-life work scenarios to see how the applicant would respond based on his or her past failures at work. She also told the manager of the frequent good results of asking open-ended questions versus closed-ended ones. At that point they did some question planning and interviewing together to demonstrate and practice how this style of interviewing would get better results. Mary's efforts did not stop there.</p><p>Once hiring had improved, Mary also wanted to improve the retention rate of coachable employees. Thus, she developed a custom-designed training program by gathering new ideas from a variety of resources and programs from professional HR organizations that were available online for free, and then carefully updating ideas from a few of her own coaching and counseling training programs. </p><p>She then provided summary information about this new training to all her supervisors, aimed at rekindling their own coachability, which would help the supervisors learn how to better identify coachable employees at the same time. The training was well-received and everyone was motivated towards a common goal.  </p><p>Under Mary's efforts, managers learned how to hire employees with excellent coachability potential by asking better questions and spotting tell-tale answers. Supervisors learned how to improve their coaching abilities by practicing new mediation strategies. And employees were able to improve upon the coachability potential they first brought to the job. 
This was a win-win-win for Mary, her supervisors, and the company at large. ​</p><h4>Assessing Coachability</h4><p>During Bob Miller's long career in security management, his understanding of the importance of coachability evolved, and an examination of this evolution reveals some guidance for managers assessing coachability. </p><p>Early on, Bob discovered that there was an X-factor in an employee's ultimate success that was just as important as the knowledge, skills, and abilities that are asked for on the application for federal jobs. Bob's discovery was in part due to his own self-awareness—he was aware of his own insatiable drive to become better at whatever he was doing, and this helped him spot the same drive in the applicants he screened and interviewed. </p><p>Given his belief in the great value of coachability, he revised the hiring process he had traditionally used. He discarded practices he now considered time-wasters, such as checking references about the candidate's honesty and dependability, verifying prior work history and education, and administering psychological testing. Using the Occam's razor principle, he ended up with the one prevailing trait that he found was most predictive of success (after the applicant's résumés proved baseline professional competency)—an openness to learning, growing, and improving.</p><p>From here, Bob designed a behavioral interview with a set of telling questions designed to get revealing answers regarding a person's drive to succeed as a security officer or supervisor. In most cases, this drive starts with the candidate's acceptance that they do not know it all already, so the interview questions were also designed to gauge if that acceptance had been established. Given the unknowns and new developments of security work today, this type of acceptance is critical to future success. 
</p><p>Bob constructed his list of probative interview questions so that it would be difficult for applicants to hide behind hypothetical or general, unrevealing answers. He first posed a set of written questions, so the candidate could take some time to think and draw on their most relevant past experiences. Then during the interview, Bob and the candidate could discuss these preliminary answers in more detail, so that the applicant's coachability could be assessed.  </p><p>In terms of specifics, the written list of questions started out asking applicants about past failures and how they overcame them. Then, during discussion, candidates were asked for examples of how they had used common sense to get results in previous situations, areas in which they felt they could improve, what they liked and disliked about their best supervisor, and what they thought an employee had to demonstrate to be successful in security work. Further discussion of the answers to these five simple questions proved to be revealing, and an effective means to assessing coachability potential in the applicants. </p><p>The good answers included ones with enough detail to face-validate their actual occurrence, such as "I liked my previous supervisor's patience with me when I didn't succeed at a task delegated to me. She gave me some useful feedback and immediate suggestions to improve the next time. What I didn't like about her was that she was always busy and difficult to get time with. However, I guess I should have mentioned this problem to her."  </p><p>The bad answers lacked such detail, or even sidestepped the question, such as, "I didn't really get to know my supervisor that well," or "I'd rather not get into that." 
Of course when the applicant couldn't stop listing all the previous supervisor's faults and was not able to come up with any good things to say about the supervisor, that was a big red flag of cynicism in his coachability.</p><p>The process worked well, but Bob, being of a continuous improvement mindset, knew he wasn't finished in his efforts to perfect his assessment method for determining what level of coachability each applicant was bringing to the job. Interviewing is like standardized testing; eventually, the best answers to even the most highly guarded LSAT questions become common knowledge. Bob anticipated this would eventually happen with his coachability assessment questions, so he continued to revise them to stay ahead of the curve. For example, one question that consistently showed value was, "Tell me about the best sports or activities coach you had in school, and what do you think made him so successful?" He revised this by expanding it, and it yielded even greater value: "What characteristics of this coach have you applied in your own life?"​</p><h4>Removing Obstacles </h4><p>Can a security employee be taught to be coachable? Security manager Michelle Palmer wanted to explore this possibility with her direct reports. Many members of her staff did not seem to see the value in coachability, or why it was necessary. Fortunately, Michelle knew the importance of explaining concepts well enough to sell them, thus removing the resistance. </p><p>She realized that one of the main roadblocks for her employees was their natural defensiveness in receiving feedback about themselves. She decided to use personal examples to make her explanations more effective. 
For example, she shared how she personally overcame her own obstacles in becoming more coachable, including her original unwillingness to share her own vulnerabilities, to become more open to different perspectives other than her own, and to accept the risk that came with experimenting with new behaviors.</p><p>In her managing, Michelle also employed another lesson she learned previously in becoming more coachable. She replaced her usual relaxed approach in some staff interactions with a more assertive posture. For example, in giving feedback to others, she often replaced "you," such as in "it would be good if you did this differently," with "I," such as in "I would like you to try doing this in such-and-such way." This shift had a positive effect; staff members became much less defensive, and better listeners. </p><p>Finally, Michelle's instruction was made more effective by a key realization—all she thought she knew to be true about the security profession wasn't necessarily so. Her own growth had been somewhat stalled by this limiting perspective, and once she was free from it, she could better communicate the value of staying open to new ideas and continuous growth and improvement. ​</p><h4>Coaching the Future</h4><p>If a security manager is successful in hiring coachable employees, and can help existing staff remain coachable, a culture and system of proactive performance improvement can be maintained in the security department. In such a culture, managers and employees continue learning and improving.   </p><p><em>William Cottringer, PhD, Certified Homeland Security (CHS) level III, is executive Vice-president for Employee Relations for Puget Sound Security Patrol, Inc., in Bellevue, Washington, and adjunct professor in criminal justice at Northwest University. ​</em></p>
https://sm.asisonline.org/Pages/The-Fraudians-Slip-In.aspx
The Fraudians Slip In
<p>Fraud is thriving these days, and many of its practitioners have acquired daunting levels of skill and ingenuity for reading the current operational environment, finding weak links, and adjusting their methods to maximize the likelihood of successful scams, experts say.</p><p>"They are as skilled in committing these frauds as any skilled person is in any field of endeavor," says Alan Brill, a director with Kroll's cybersecurity and investigations practice. "They are criminals, but you have to respect the level of skill that they have, to know what you are up against."  </p><p>This fraudulent activity is affecting more and more companies, according to a new study. About two-thirds of U.S. companies reported an increase in fraud attempts over the past 12 months, according to The Fifth Annual Fraud Report: A New Landscape Emerges, a study issued by IDology, an Atlanta-based identity verification firm. Last year, fewer than half (42 percent) of U.S. companies reported such a rise.</p><p>And it's not only the sheer number of fraud attempts that is changing. Methods used in perpetrating fraud are evolving, too. </p><p>"The biggest challenge faced by businesses in the fight against fraud has been the continually shifting tactics used by fraudsters," reads the study, which finds that 71 percent of organizations cite "shifting fraud tactics" as their greatest challenge. </p><p>Use of fraudulent credit, debit, and prepaid cards is still the most prevalent type, with 65 percent of respondents saying that it is the most common method in their industry. However, there are signs that it is starting to decrease. That 65 percent figure is actually down from the 73 percent of respondents who cited that fraud type in last year's survey. 
</p><p>According to the report, the reason behind this decrease is the widespread adoption of EMV chip cards, which have reduced point-of-sale fraud. With chips making it harder to commit this type of fraud, more criminals are shifting to an online environment, where the customer is not present. "They will try to find the path of least resistance," IDology CEO John Dancu says.<img src="/ASIS%20SM%20Callout%20Images/0318%20NT%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:573px;" /></p><p>There's another driving factor behind the shifts in the fraud landscape, and it has to do with how nimbly the fraudsters share knowledge. "They are really good at communicating among themselves," Dancu says. Sometimes, they will discuss methods on the Dark Web; this keeps them situationally aware and helps them change methods if necessary. </p><p>Some are also not shy about expressing pride of craft. "When they find a weak link, they are happy to tell everybody else about it," Dancu explains. "If you're on the Dark Web or their other forums, you can see the interactions and the professional enjoyment that they have in letting other people know what they have discovered. It's about being The Man." </p><p>Those dark websites and other places where fraudsters sell information and data are pretty sophisticated enterprises, Brill says. "There is a comradeship among people who do this. They do meet at the marketplaces, and these marketplaces don't look that different from eBay, with vendors getting rated by people that buy from them," he explains. Some vendors even offer BOGO specials, he adds.</p><p>As is true with most fields of endeavor, this increased professionalization brings about more specialization. So, some fraudsters specialize in malware, some in the monetization or selling of breached data, and some in "social engineering"—knowing how to get to the right entry point to access information, Brill explains.  
</p><p>He offered the following example of a social engineering specialist. These days, many banks frequently advertise how effective they are in protecting customers against fraud. In this environment, it may then be no surprise if one day you get a phone call from Visa security, with the caller informing you that your card was just charged with suspicious activity—$300 from an adults-only emporium in Las Vegas. Horrified, you deny the charge and ask for it to be cancelled, and so you gladly give your card information, Social Security number, and date of birth when the caller asks if they can verify you as the cardholder. </p><p>But what you might not realize is that you just handed over your information to a criminal posing as security. This type of thief takes advantage of the expectations created by frequent bank commercials that promote their quick security operations. "In effect, you have been primed for a social engineering hit," Brill says.</p><p>Although the study finds that customer-present credit card fraud may be decreasing, it also finds that synthetic identity fraud (SIF) is a growing problem. In an SIF scam, a combination of real and fabricated identity information is often used to create a new identity. Thirty-one percent of businesses in the report say SIF has increased, and 58 percent are "extremely" or "very" worried about it. Helping to drive this problem is the recent flood of major data breaches, which gives criminals more identity data to use.</p><p>In Kroll's investigations practice, Brill is seeing a big increase in the following type of case. A fraudster obtains the Social Security number of a young child in the aftermath of a data breach, then uses it with other information to open a few credit accounts, including one or more credit cards. </p><p>The scammer then exploits the accounts for years, with charges that are never repaid and lapse into default. 
Finally, the young child becomes old enough to apply for a credit card, or a lease on an apartment, and is surprised to find out that his or her credit rating is abysmal. </p><p>Marcus Christian, an attorney in Mayer Brown's White Collar Defense & Compliance group, also sees SIF as an increasing problem. Christian, a former prosecutor in the U.S. Attorney's Office for the Southern District of Florida, has heard reports that some of the criminal organizations in South Florida have been shifting away from selling narcotics and toward identity scams. "The money is as good as, if not better than, the drug trade," he says. In addition, it is often perceived as a less dangerous practice, and through connections in local school systems and banks, these criminals can obtain stolen data, he adds.  </p><p>The second-most cited type of fraud in the report—first-party or friendly fraud—is also on the rise, with 51 percent of respondents saying they have been a victim of it, nearly double the percentage (26 percent) of respondents who cited it in last year's survey. </p><p>First-party or friendly fraud generally describes fraud committed by individuals using their own accounts. These types of fraudsters might make an online purchase and then dispute the charge after the merchandise has been received, or they might open credit card accounts with the intention of maximizing charges and then lapsing into default to avoid full repayment. </p><p>One reason first-party fraud is increasing, the study finds, is that it is difficult to foil; it is hard to disprove false claims that ordered merchandise was never received, for example. 
However, experts say that big data applications hold some potential in this area as a security tool, because they can be used to recognize patterns of excessive refund requests and other telling information.</p><p>Finally, Dancu says that another cause for optimism in the fight against fraud is that an increasing number of companies are realizing the importance of working together. Fraud is a serious issue for companies regardless of industry, and since the perpetrators are sharing information and strategies, those fighting fraud need to do the same, under a consortium mindset.   </p><p>"Getting connected and talking with peers is really an important part of solving the problem," Dancu says. "Be flexible, be collaborative, and be open-minded to what's going on out there." </p>
https://sm.asisonline.org/Pages/Paving-the-Way.aspx
Paving the Way
<p>For the citizens of Jayuya, Puerto Rico, December 15 came and went without fanfare—and in the dark. The U.S. territory's governor, Ricardo Rosselló, had estimated that 95 percent of Puerto Rico would have power back by mid-December following the devastation brought by Hurricane Maria in September. As of press time, that estimate had been extended to February.</p><p>Lilo Pozzo, an associate professor of chemical engineering at the University of Washington, traveled to Jayuya, Puerto Rico, in November with a group of students to assess the impact of extended power outages on public health. Due to its remote, mountainous location, the municipality was still largely without power, and Pozzo's group found that people with respiratory problems were greatly impacted.</p><p>"The overall message was that the people with respiratory ailments were in the worst condition because they weren't necessarily evacuated like patients that had more evident health problems, so these people with chronic conditions essentially stayed behind, and they are suffering because they can't power their devices to run therapies," Pozzo explains.</p><p>She describes people who are unable to operate their sleep apnea machines or administer asthma treatments. Those who need oxygen now have to wait for tanks to be delivered to the municipality because their standalone oxygen machines could not be charged. The main clinic in town had borrowed a generator after its first one broke down, but can only provide essential services due to concerns of damaging the current generator. All vaccinations and refrigerated medications were spoiled, and citizens with mobility issues or sensitive diets have also been affected. 
</p><p>The city's two major factories have also continued to operate by running generators, which Pozzo says is expensive and inefficient. The townspeople are fearful that it will be difficult for the factories to continue operations if conditions don't improve quickly or if extended power outages following natural disasters become the norm. "If you get hurricanes every year, that's going to change their economic calculations and could potentially create loss of workforce," Pozzo notes. </p><p>Despite the dire situations in part of Puerto Rico, power restoration has been slow due to a process fraught with politics and finger pointing between the territory's leaders and the U.S. federal government about the amount of aid that should be provided. However, Puerto Rico's power system was in trouble long before Hurricane Maria hit. </p><p>In the days following the territory's brush with Hurricane Irma in early September, which briefly knocked out power for a million people, investors became more vocal about privatizing the territory's struggling power grid. The Puerto Rico Electric Power Authority (PREPA), the largest public utility in the United States, had declared bankruptcy in July, and what little maintenance it was conducting on the island's power grid fizzled. Politicians, energy experts, and other stakeholders acknowledged that the grid might not hold up much longer without serious changes.</p><p>And then, two weeks later, Hurricane Maria made landfall in Puerto Rico as a Category 4 storm.</p><p>The entire island lost power. Several neighborhoods were destroyed. Most communication networks across the island were crippled. Fresh food and potable water became scarce. The official death toll in Puerto Rico is 64, but estimates suggest more than 1,000 people may have died from the storm and its aftermath. 
As of early January, 43 percent of the island still had no power, and more than 200,000 citizens have left their darkened communities for the continental United States.</p><p>"Puerto Rico is being supported to a large degree by U.S. power companies right now, but that's not sustainable," explains Mark Weatherford, chief cybersecurity strategist at vArmour. "That's why there needs to be a long-term plan here, but it's going to cost money. This is going to be a test of our nation in what we're willing to support to rebuild a state that was already teetering on bankruptcy."<img src="/ASIS%20SM%20Callout%20Images/0318%20NS%20Chart.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:562px;" /></p><p>When Hurricanes Harvey and Irma struck Texas and Florida last fall, power crews and equipment rolled in from other U.S. states to get the affected regions up and running. But the sheer magnitude of Hurricane Maria's damage to Puerto Rico—and its island location—made it difficult for other U.S. utility companies to lend a hand, says Daniel Kirschen, an engineering professor at the University of Washington and a member of the Clean Energy Institute.</p><p>"Typically, utilities are eager to help each other in those situations because of the mindset that this time it's your turn, but the next time it might be mine," Kirschen says. "So these companies are usually very willing to lend crews for repairs. Now, of course, Puerto Rico is an island so it's harder to organize sending crews down there, which on top of all the other problems has made recovery more difficult."</p><p>Brian Harrell, CPP, the vice president of security at AlertEnterprise and former director of critical infrastructure protection at the North American Electric Reliability Corporation (NERC), details what is involved in sending crews to repair Puerto Rico's power grid. 
Workers and tools must be flown to the island, and heavy equipment such as bucket trucks, transformers, and wires must be transported on ships, which makes the logistics of recovery difficult. Upon arrival, crews must manage downed lines, clear debris from roads, and fully repair the system, he says.</p><p>"During the aftermath of such devastation, it is imperative that safety and security is established on the ground," Harrell says. "Before critical infrastructure can be repaired and restored, it's vital that line crews, aid workers, and emergency personnel feel safe while conducting their jobs."</p><p>But as each power line is restrung to bring electricity back to the island, experts are pointing out the opportunity to build a more resilient, smarter power grid that will prevent future catastrophic damage to Puerto Rico's infrastructure—but nobody has come up with a plan.</p><p>"Given the complete destruction of the island's power system, an opportunity has also presented itself to modernize the way electricity is generated, along with how it can be efficiently transmitted with newer technology," Harrell adds. "A key to preventing this type of destruction from ever happening again will be to build resilience and redundancy into the system."</p><p>Stuart McCafferty, president and CEO of GridIntellect and a National Institute of Standards and Technology (NIST) community resilience fellow for electrical power infrastructure, says that Puerto Rico needs to move beyond its reliance on fossil fuels, which are expensive and unsustainable. </p><p>McCafferty has been involved in the U.S. smart grid initiative since the beginning, creating the first smart grid maturity model for the U.S. Department of Energy (DOE) and a tool to evaluate a grid's resiliency. He says that while continental U.S. energy providers and government officials embraced the shift towards a smarter grid, there was a disconnect when it came to waterlocked states and territories. 
Hawaii has paved its own way by working with DOE to develop an unprecedented clean energy initiative in 2008—drawing the majority of the state's energy from renewable resources. Puerto Rico had made no effort to update its infrastructure. </p><p>Despite the critical situation in Puerto Rico right now, McCafferty says that the territory has an "incredible opportunity" to build localized power grids that are self-reliant and will not allow downed transmission lines to knock out power for the entire island. </p><p>Weatherford agrees. "With an aging infrastructure like that, unfortunately the only thing they will be able to do is rebuild from ground zero," he says. "They need to start over, and the good news is this gives them the opportunity to build a 21st century infrastructure—but it's going to cost a lot of money to do that."</p><p>Although PREPA is cash-strapped, McCafferty says money can come from federal grants and labs, venture capital, angel investors, and self-funded corporations. However, a sorely needed roadmap for the territory's power grid is nowhere in sight, even as legacy infrastructure is being repaired. </p><p>"I don't see anyone coming up with any real solutions because of the financial issues and mismanagement of the grid by the operator," McCafferty explains. "Puerto Rico needs a roadmap, and it doesn't even have to be based on any of the financial needs. Once you've got that laid out, then you can start prioritizing and identifying the funding mechanisms to make that happen."</p><p>Weatherford suggests setting up temporary generators and small microgrids to keep the lights on for citizens while officials go back to the drawing board to figure out a more resilient solution. "Use temporary money to keep the lights on, and use long-term capital to rebuild the infrastructure," he says. A robust microgrid system, which would keep power outages isolated, paired with renewable energy such as solar and wind power, would be an ideal setup, he says. 
</p><p>Kirschen, who studies how to effectively deploy repair crews to restore critical infrastructure, agrees that redesigning the grid is not going to happen overnight, and crews need to focus on rebuilding what they can of the existing infrastructure. </p><p>"We're not at a point where we can generate quite enough power with solar generation to satisfy all the island's needs," Kirschen says. "What I see is a combination of a traditional grid built to a higher standard so it can withstand hurricanes and other disasters, combined with local microgrids designed to survive these hurricanes, so that if the main grid is broken for a while, you can still meet the emergency medical and essential needs until the main grid is repaired. It's particularly important in Puerto Rico because the landscape is rugged and there are some really remote areas that are hard to reach. Therefore repairing the grids to reach those areas will take time, so having one of those small emergency microgrids can be extremely useful."</p><p>Pozzo says that a solution for remote areas like Jayuya that would provide critical services during an emergency would be ideal. "You're not restoring power to everybody, but you're at the very least able to maintain the critical needs, storing medicine, providing power to people with medical devices," she says. 
"I believe that if the town had distributed independent systems—it could be clean energy but could also run on generators that are larger and more effective—they would fare much better, just because they could focus on repairs in a more localized way."</p><p>Part of Pozzo's research in Jayuya was quantifying exactly how much energy it would take to meet the critical needs of the entire community to better prepare emergency shelters to handle future power outages.</p><p>"We're analyzing ideas where you could invest in providing power to schools that could serve as shelters, so you need to understand how patients are distributed in a community and whether they are able to get to the shelters to have their needs met and how much energy would be necessary to satisfy the number of patients that would go there," she explains. The academic paper on her team's findings will be published in the spring. </p><p>"Climate change is happening—we're going to get natural disasters more frequently and more severely, so we have to make sure that our infrastructure is built to a standard that is appropriate for these natural disasters," Kirschen says.</p>
https://sm.asisonline.org/Pages/Fair-and-Neutral.aspx
Fair & Neutral
<p>The recent flood of sexual harassment allegations in the United States, from Hollywood to Capitol Hill to New York City, has given people around the world new confidence to publicly denounce sexual harassment and other types of misconduct.</p><p>One powerful example is the Twitter hashtag, #MeToo, which has now been used by more than 1.7 million people in 85 countries to speak out and name their harassers. The allegations have resulted in tangible change: in the past several months dozens of public figures, accused of behaviors ranging from inappropriate harassment to sexual assault, have been fired or forced to resign from high-profile positions.</p><p>This remarkable spike in firings is also an extension of a longer-term development. Over the past five years, 5.3 percent of CEOs globally have been forcibly removed due to ethical lapses, including harassment, according to a PricewaterhouseCoopers study. In the United States, that's a 102 percent increase from the previous five years. And during last year alone—before the #MeToo movement—harassment cost U.S. companies more than $160 million in U.S. Equal Employment Opportunity Commission (EEOC) settlements, an all-time high. </p><p>Some say these unprecedented developments represent nothing short of a social revolution, one that will have serious ramifications for employers. After the news of allegations against Hollywood mogul Harvey Weinstein came out, the EEOC saw a fourfold increase in visitors to the sexual harassment section of its website. This trend demonstrates that employers must be prepared for the possibility that harassment complaints within their organizations may increase, and they must have effective policies and procedures for responding and acting on them.  
</p><p>When these accusations come out, many organizations are quick to end established relationships with the person being accused—usually to protect the enterprise and the brand, but also to show support for those reporting the allegations. However, it is important to remember that conducting a competent investigation to uncover the truth is vital. It protects the enterprise and all parties involved, and it will encourage other victims of misconduct to come forward.</p><p>This article explores how employers, employees, and those commissioned to investigate allegations of misconduct can develop proactive procedures to ensure that the rights of all parties are equally considered in every investigation. Establishing such informed procedures mitigates the risk of civil action, while demonstrating a commitment to fairness.​</p><h4>Understanding the Offenses</h4><p>There are generally three classifications of sex-related incidents: harassment, sexual harassment, and sexual assault. The following is a breakdown of how the three are legally defined in the United States.</p><p><strong>Harassment. </strong>Harassment is a form of employment discrimination that violates Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act of 1967 (ADEA), and the Americans with Disabilities Act of 1990 (ADA).</p><p>According to the EEOC, harassment is unwelcome conduct that is based on race, color, religion, sex (including pregnancy), national origin, age (40 or older), disability, or genetic information. Harassment becomes unlawful in either of two situations—when enduring the offensive conduct becomes a condition of continued employment, or when the conduct is severe or pervasive enough to create a work environment that a reasonable person would consider intimidating, hostile, or abusive. 
Petty slights, annoyances, and isolated incidents (unless extremely serious) usually do not rise to the level of illegality.</p><p>Anti-discrimination laws also prohibit harassment against individuals in retaliation for filing a discrimination charge, testifying, or participating in any way in an investigation, proceeding, or lawsuit under these laws. Similarly, harassment in retaliation against somebody who is opposing employment practices that they reasonably believe discriminate against individuals and violate these laws, is also prohibited.  </p><p>What constitutes offensive conduct? It often includes, but is not limited to, offensive jokes, slurs, epithets or name calling, physical assaults or threats, intimidation, ridicule or mockery, insults or put-downs, offensive objects or pictures, and interference with work performance. </p><p>Harassment can occur in a variety of circumstances and settings. The harasser may directly supervise the victim, or he or she may work in a different area of the enterprise. The harasser may also be a vendor, contractor, or agent of the employer. The victim may be a workplace invitee who is not employed with the company. And the victim does not have to be the person harassed; he or she can be anyone affected by the offensive conduct. Finally, it is important to remember that unlawful harassment may occur without economic injury to, or discharge of, the victim. </p><p><strong>Sexual harassment.</strong> Harassment sometimes escalates to sexual harassment, which includes unwelcome sexual advances, requests for sexual favors, and other types of verbal or physical harassment of a sexual nature.</p><p>Sexual harassment is defined as either quid pro quo or hostile environment. According to the EEOC guidelines, quid pro quo harassment occurs when an individual's rejection of or submission to unwanted conduct is used as the basis for employment decisions affecting that individual. 
Hostile environment harassment occurs when submission to unwelcome sexual conduct is made (either explicitly or implicitly) a term or condition of an individual's employment. </p><p>However, the line is often unclear regarding quid pro quo and hostile environment harassment claims. For example, hostile environment harassment may acquire characteristics of quid pro quo harassment if the offending supervisor abuses his or her authority over employment decisions to force the victim to endure or participate in unwanted sexual conduct.</p><p> Sexual harassment may culminate in a retaliatory discharge if the victim tells the harasser or employer that he or she will no longer submit to harassment, and is then fired in retaliation for this protest. Under these circumstances, it is appropriate to conclude that both harassment and retaliation in violation of U.S. federal law have occurred, according to the EEOC.</p><p><strong>Sexual assaults. </strong>Sexual harassment can sometimes turn into a sex crime. These crimes can range from rape and battery to other criminal offenses, and they call for law enforcement investigation and potential criminal prosecution. Too often, employers and their investigative teams fail to recognize that the victim is reporting a crime, not just work-related harassment.​</p><h4>Abuse Patterns</h4><p>Sexual harassers and offenders frequently demonstrate certain patterns of misconduct. Perpetrators often leverage their power and control over the victims, especially if the victim is an employee. In fact, some offenders carefully seek victims they believe to be vulnerable, who have too much to lose to report inappropriate behavior.</p><p>In these cases, the perpetrator may use intimidation tactics to demonstrate control over the victim's position with the enterprise. Moreover, he or she may engage in emotional abuse, especially if the victim feels trapped because he or she needs the job.  
</p><p>A major warning sign is an attempt to isolate the victim. This may start when the one with the power communicates a desire to mentor and help the intended target. Then, the mentoring may progress so that moments of emotional intimacy are created. This can make the victims feel as if they voluntarily put themselves in the situation by sharing personal experiences. Moreover, if the victim shares some intimate secrets in these conversations, the perpetrator may later use them for emotional blackmail, to secure the victim's silence. Sometimes, the victim discusses personal relationships, which may lead to sexual revelations. Once the hook is set, the harasser can make the victim feel complicit in an inappropriate workplace emotional or physical affair, but that does not minimize the seriousness of the harasser's behavior.</p><p>If confronted, offenders often take pains to minimize questionable conduct. They may say they were only joking or blame the victim (or others) for the offensive behavior. They will usually deny any wrongdoing during initial interviews, because they know it is their word versus the word of a powerless victim. They may posture their power to further intimidate the victim: "I've been with the company for years and am well-respected. No one will believe you!" </p><p>And in some cases, offenders will use their position of authority and apply economic pressure. Executives often have the power to promote, demote, or sabotage a subordinate's career path. For abusers, these can be powerful tools of oppression to wield, because victims often feel that no one will believe them, and they cannot afford to lose earning power. ​</p><h4>Conducting Investigations</h4><p>Creating and conducting a neutral and fair investigation is critical to the successful resolution of harassment complaints, but employers must be careful. 
</p><p>As a framework, it is important for organizations to establish investigation-related policies, procedures, and an enterprisewide training program, and to maintain a culture that encourages victims to report misconduct.</p><p>Most enterprises in these situations turn to outside experts, especially when working with legal counsel. Here, experience is crucial; skilled investigators who have years of experience conducting sensitive investigations of sexual misconduct are valuable assets. Too often, inexperienced investigators leave the employer with no evidence and a "he said, she said" inconclusive finding. By keeping some important investigative steps in mind, security professionals can maximize the likelihood of reaching a conclusive investigative result.</p><p>First, do not discount any reports of harassment or misconduct. Often victims will hint about less offensive conduct to "test the waters." In these cases, the victim may want to know that you care and will believe him or her before they disclose the full seriousness of the conduct. </p><p>Of course, this does not mean everyone reporting misconduct is telling the truth, or the whole truth. In some instances, accusers may use claims as a preemptive measure to avoid being disciplined or discharged, because they have been forewarned that their performance or conduct has not met expectations. In these situations, the supervisor should be accompanied by an HR representative or other neutral supervisor in disciplinary meetings.</p><p>Similarly, a witness should be present when the accuser is interviewed. To help understand the accuser's version of events, security managers should ask questions that help clarify encounters, but should avoid leading questions. Never blame the victim for failing to report the matter earlier.</p><p>Sometimes, counsel may request that the interviews be video recorded with the consent of those being interviewed. 
Video recording interviews is a good way to memorialize important statements, but you must be prepared to meet resistance to this request. In case of such resistance, you may explain that video recording is standard procedure, and that it avoids misunderstandings about what was said and helps properly document any remedial actions required by law. </p><p>Often, the victim begins the conversation with the statement, "Can I confide in you about a problem?" However, security managers can never commit to secrecy, because they may be compelled to report what they are told. So, the answer must be on point, such as, "Mary, you clearly came to me because you know I care. Tell me what's on your mind and I'll tell you what the next steps are that I can take." </p><p>In interviewing the victim, one of the most critical questions that is often overlooked is, "Whom have you confided in about this matter?" More often than not, victims of sexual misconduct share with trusted confidants. So, ask victims what they revealed, and when they shared the information. This will provide important witnesses who can help corroborate the victim's integrity. Be careful about immediately believing reports of misconduct that occurred years ago without corroborative testimony or evidence. It does not mean the accuser is being untruthful, but time diminishes evidence and memories.​</p><h4>Interviewing the Accused</h4><p>Interviewing the accused is another important step. Too often the accused is interviewed too early in the investigation, before all circumstances are known. Another common misstep is asking closed-ended questions that can make it easier to deny the allegations, such as, "Did you touch Mary in your office last week?" </p><p>Questions that are open-ended but targeted are critical to helping determine the truth, and developing them in advance can help determine a successful outcome. 
</p><p>During the process, it is imperative that the accused and accuser be separated to avoid claims of retaliation. Communicate clearly to the accused that he or she is not to speak to the accuser, or engage in any behavior that may be interpreted as unlawful retaliation. If the accuser is a direct report of the accused, the latter should be transferred. Transferring the accuser to another manager, absent written consent by the victim to be reassigned, can result in a claim of retaliation.</p><p>Preserving evidence is vital to the investigation. Emails, text messages, voice mails, work schedules, diaries, and other evidence must be properly documented and preserved. Practicing this consistently is often the key to uncovering evidence that proves or disproves the allegations. </p><p>Finally, remember that documentation is the investigator's salvation. Every step, every interview, and every finding should be clearly documented. The investigation must be fair and neutral to all parties. Decisionmakers will draw conclusions based on the investigative findings; the investigator's  role is to assemble the facts, so they can fully inform the conclusions. ​</p><h4>Employer Liability </h4><p>The employer is automatically liable for harassment by a supervisor that results in a negative employment action such as termination, failure to promote or hire, or loss of wages. 
If the supervisor's harassment results in a hostile work environment, the employer can avoid liability only if it can prove that it reasonably tried to prevent and promptly correct the harassing behavior, and that the employee unreasonably failed to take advantage of any preventive or corrective opportunities provided by the employer.</p><p>The employer will be liable for harassment by nonsupervisory employees or nonemployees over whom it has control (for example, independent contractors or customers on the premises) if it knew, or should have known, about the harassment and failed to take prompt and appropriate corrective action.</p><p>When investigating allegations of harassment, the EEOC looks at the entire record, including the nature of the conduct and the context in which the alleged incidents occurred. A determination of whether harassment is severe or pervasive enough to be illegal is made on a case-by-case basis.​</p><h4>Prevention is Key</h4><p>Prevention is the best tool to mitigate harassment in the workplace. Establish clear anti-harassment policies and procedures, provide training at all levels, and take immediate and appropriate action when an employee complains. Clearly communicate to employees that unwelcome harassing and sexual misconduct will not be tolerated. In addition, employees should be encouraged to both inform the harasser directly that the conduct is unwelcome and must stop, and report harassment to management at an early stage to prevent its escalation.</p><p>Employers should strive to create an environment and a work culture in which employees feel free to raise concerns and are confident that those concerns will be addressed. The result will be a positive workplace where all personnel are valued.​</p><h4>A Rush to Judgment</h4><p>As seen in recent events, employers are often quick to distance themselves from the accused prior to any investigation. 
This response hurts the enterprise and brand, because it sends a message of a rush to judgment, or damage control. The first public response, if any, is to communicate that the company takes all allegations seriously, conducts a thorough investigation, and then takes effective remedial steps.</p><p>The EEOC does not demand termination, but it does require that companies take effective remedial steps. Termination may be warranted, but the investigation will determine the ultimate disciplinary measures. Ask the accuser what he or she thinks should happen to the perpetrator. Listening to this proposed solution often mitigates the risk of civil claims, because the accuser was part of the investigation, apprised of the findings, and involved in determining the appropriate remedial steps.</p><p>If your organization has not equipped itself to perform a thorough and fair investigation, it may decide instead on a hasty termination, or an immediate distancing from the accused. This is a mistake. If made, the next time you get to hear a response from the accused may be in a deposition in a costly and highly public civil lawsuit. Or worse, in a criminal court.  
</p><p><br></p><h4>Sidebar: Questioning the Accused</h4><p> </p><p>Here are some examples of open-ended questions, along with warning flags that can lead an investigator into a more useful inquiry:</p><p> What does Mary know about you personally?</p><ul><li><p>The accused shares intimate details that superiors have little reason to know about their employees.</p></li><li><p>The accused blames the employee for wanting to meet alone.</p></li></ul><p> </p><p>Why should we not believe Mary?</p><ul><li><p>The accused may come in armed with reasons she cannot be believed, even though previous evaluations about Mary have been stellar.</p></li><li><p>The accused may use rank, length of service, and position as reasons to believe him or her, instead of answering the question directly.</p></li></ul><p> </p><p>How many times have you met with Mary alone in the past six months?</p><ul><li><p>The accused makes excuses for meeting with the employee alone.</p></li><li><p>The accused blames the employee for wanting to meet alone.</p></li><li><p>The accused claims to have a bad memory and can't recall how many times he or she has met with the employee alone, much less the context and content of such meetings.</p></li></ul><p> </p><p>Assume a supervisor apologizes, gets help, and pays Mary for counseling. 
What would you like to see a company do?</p><ul><li><p>The accused often uses this question to agree that these steps should be taken, which is generally a tacit admission that he or she engaged in the behavior.</p></li><li><p>The accused does not believe the supervisor should be harshly punished.</p></li></ul><p> </p><p>What did Mary share with you about her life?</p><ul><li><p>The accused shares intimate details that superiors have little reason to know about their employees.</p></li></ul><p> </p><p>Who should we interview about Mary and what will they say?</p><ul><li><p>The accused attacks Mary by listing all the reasons she cannot be believed, while being unable to name potential witnesses. He or she may name trusted colleagues who can comment only about his or her performance and who have little information about Mary.</p></li></ul><p> </p><p>What do you believe Mary has said about you?</p><ul><li><p>The accused reveals personal or intimate information.</p></li><li><p>The response of the accused mirrors the statement that the accuser provided about the misconduct.</p></li></ul><p> </p><p>Tell me everything you know about Mary.</p><ul><li><p>The accused quickly tells you information designed to discredit the victim that has never been reported or documented.</p></li><li><p>The accused knows too much about Mary's personal life.</p></li></ul><p> </p><p>Assume we believe Mary, what do you think should happen?</p><ul><li><p>Often, a perpetrator seeks mercy or a second chance.</p></li><li><p>The accused personalizes the outcome to minimize the chances of being dismissed or publicly ridiculed.</p></li></ul><p> </p><p>When we interview past and present employees, how many will say that you talked about private or sexual matters?</p><ul><li><p>Instead of an immediate and clear denial, the accused will have difficulty remembering.</p></li><li><p>The accused attempts to throw other employees under the proverbial bus, although no problems were previously 
reported.​</p></li></ul><p><em>Steven C. Millwee, CPP, is the founder, president, and CEO of SecurTest, Inc., a background screening and investigative consulting firm. Millwee was the 2002 president of ASIS International. He is a frequent expert witness in sexual harassment cases, and is the author of several harassment and sexual assault biographical questionnaires for use in investigations. ​ ​</em></p>
https://sm.asisonline.org/Pages/Weapons-in-the-Workplace.aspx
Weapons in the Workplace
Physical Security
<p>In late 2017, a photograph surfaced of three construction workers from American Sewer Services carrying weapons on a job site in Milwaukee. In the photo, two men clearly displayed their weapons in holsters, while another held a pistol in his hand.</p><p>As a result, the three construction workers were fired. The city of Milwaukee cited its policy that prohibits employees from bringing weapons to their jobs, including employees of subcontractors. </p><p>One gun advocate defended the workers and said the geographic area where they carried their weapons was "infamous" for its crime rate, The Blaze reported.  </p><p>On the other end of the spectrum, a Wisconsin state legislator told the media outlet that carrying guns openly on the job was "irresponsible." </p><p>While the city of Milwaukee has a clear policy on guns, for most private employers, the issue is anything but cut-and-dried. There is currently no U.S. federal law regulating weapons at private workplaces, but many state legislatures have taken up the cause of protecting the Second Amendment rights of employees while on the job. These laws, which are typically designed to protect employees' individual rights to possess concealed firearms, vary in terms of their restrictions and make it tough for employers operating in multiple U.S. states to implement one weapons policy across the board. </p><p>Workplace shootings have become increasingly common in the United States over the last few decades. The number of these incidents rose 15 percent in 2015 to 354 shootings, according to the latest numbers from the U.S. Bureau of Labor Statistics, and resulting homicides grew by 2 percent that year.  
</p><p>Gun advocates cite such cases as reasons to allow guns in the workplace, while critics say these shootings are exactly why employers should ban firearms. As the debate rages on, employers are left grappling with the question of how to comply with state law and institute their own policies that promote a safe work environment. </p><p>While there are many legal twists and turns surrounding the issue, security practitioners must deal with the question of how current laws affect their responsibility to keep employees and property safe from external and internal threats. </p><p>By understanding the legal landscape surrounding firearms on work property, and ensuring that existing policies and procedures properly address workplace violence, security professionals can help promote a safe work environment without infringing on the legal rights of their employees.  ​</p><h4>Parking Lot Laws<img src="/ASIS%20SM%20Callout%20Images/0318%20Cover%20Story%20Chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:369px;height:572px;" /> </h4><p>Most commonly, workplace gun laws allow employees the right to have firearms in their locked, private vehicles while parked on company-owned property. Additional obligations may be placed on the employer, such as a prohibition on searching vehicles and discriminating against an employee because he or she is a gun owner. </p><p>Twenty-three U.S. states provide some level of protection for employees who bring their firearms to company property. These so-called "parking lot laws" were part of an effort by state legislatures in the early 2000s to allow workers to exercise their Second Amendment rights at work, with some restrictions. </p><p>For example, often the gun must be locked in the trunk or glove box, or be hidden from view through the vehicle's windows. 
But the business community sees many issues with these laws and fears they will have a far-reaching impact on both employee safety and legal liability.</p><p>Parking lot laws vary in the level of protection they offer gun owners. Most prohibit employers from asking workers if they own guns, and from firing employees for owning firearms. These laws frequently conflict with existing workplace policies, which limit the employee's ability to bring firearms to work. </p><p>Oklahoma was the first U.S. state to pass a parking lot law when it amended legislation in 2004 to protect firearm owners from weapons prohibitions in workplace parking lots. </p><p>In 2002, an Oklahoma employer terminated several employees for having guns in their vehicles, which were parked on the employer's property. In response to the outcry that followed, the Oklahoma legislature amended the Oklahoma Self-Defense Act to ban employers from establishing any policy or rule that has the effect of prohibiting employees from transporting and storing firearms in a locked vehicle that is parked in employers' lots. </p><p>This caused great concern among the business community, which felt certain that the law would not survive legal scrutiny. In response, a group of Oklahoma employers challenged the state law, arguing that the legislation conflicted with the U.S. Occupational Safety and Health Administration (OSHA) general duty clause, also known as the Occupational Safety and Health Act of 1970 (OSH Act), a U.S. federal law. </p><p>The plaintiffs argued that the general duty clause says employers must maintain a safe and secure workplace free of violence, and preempts any existing U.S. state law. The U.S. District Court for the Northern District of Oklahoma agreed with the employers.</p><p>The district court reasoned that under the general duty clause, gun-related workplace violence is a "recognized hazard." Therefore, any employer allowing firearms in the workplace lot may be in violation of U.S. 
federal law by promoting an unsafe workplace.</p><p>The case went to the U.S. Court of Appeals for the Tenth Circuit, which reversed the decision. The court reasoned that "OSHA has not indicated in any way that employers should prohibit firearms from company parking lots," according to court documents. "OSHA's website, guidelines, and citation history do not speak at all to any such prohibition." </p><p>Because OSHA does not indicate that employers should prohibit firearms from company parking lots, the appellate court ruled that there is no U.S. federal law that would preempt Oklahoma's amendment to the Self-Defense Act. </p><p>This initial case was a signal that employers would not be able to simply dismiss these laws by citing safety and security concerns or by arguing that U.S. federal regulations created an obligation to keep the workplace free of employees' weapons.​</p><h4>Employee Rights</h4><p>More lawsuits can be expected regarding employee termination based on gun-free workplace policies. An intriguing case comes out of the state of Florida, which passed a comprehensive law in 2008 that prohibits public and private employers from discriminating against any employee, customer, or invitee for exercising the right to keep and bear arms. </p><p>Under the Florida law, employers are barred from many actions, including: prohibiting employees or invitees from possessing legally owned firearms in their vehicles; inquiring about the presence of a firearm in the employee or invitee's vehicles; searching a private motor vehicle; and taking any action against an employee or invitee based on any verbal or written statement regarding the possession of a firearm in a private vehicle. 
</p><p>The law also says that companies are barred from conditioning employment on the following: whether an employee or prospective employee holds a concealed-weapons permit; an agreement by the employee or prospective employee that forbids the employee from keeping a legal firearm locked in his or her vehicle when the firearm is kept for lawful purposes; or prohibiting any employee or invitee from entering the parking lot because the employee or invitee's vehicle contains a legal firearm. </p><p>Finally, the law bars employers from terminating or otherwise discriminating against an employee or expelling an invitee for exercising the right to keep and bear arms or to exercise self-defense, so long as the firearm is not exhibited on company property for any reason other than lawful defensive purposes.</p><p>In December 2015, an employee who worked for Universal theme park in Orlando, Florida, had a concealed weapon in his vehicle in the employee parking garage. The employee, who had worked for Universal since 1993, commonly left his gun in his car at work. One day, the handgun was stolen from his vehicle, and he reported it to the police.</p><p>When park officials learned that he had a firearm on company property, they terminated him, claiming that he had violated Universal's gun-free zone policy. </p><p>The employee sued Universal in Orange County Circuit Court, citing the 2008 law. The lawsuit argued that he had an express right to bring his gun onto the lot and leave it in his vehicle. </p><p>Universal claimed that the Florida law didn't apply because schools and prisons are exempt from state weapons policies, and Universal has a program for school children on its property. Before the litigation could play out, Universal gave the employee his job back in April 2016 and he withdrew the lawsuit, the Orlando Sentinel reported. </p><p>Comparable cases have been filed in similar circumstances in other states. 
In Kentucky, a man was fired from UPS Supply Chain Solutions in May 2013 for transferring a gun lawfully stored in his personal vehicle to another worker's personal vehicle. </p><p>The man, who had a concealed carry permit, said he experienced car trouble on the way to work, and moved the weapon because he was taking his car to be repaired. The fellow employee storing his weapon as a favor soon became uncomfortable and reported it to his supervisor. </p><p>The company then placed the employee on suspension and eventually fired him, citing its policy, which allowed weapons only inside a private vehicle. The company claimed that by removing the gun from his personal vehicle, he violated the workplace policy. </p><p>In the lawsuit, the employee claimed that under a Kentucky Revised Statute, a firearm may be "removed from the vehicle or handled" when this is done in "defense of property." </p><p>But the court ruled that the employee was attempting to interpret the law too broadly. "However inclined we might be to believe that such an exception would be a good thing, we decline to construe the term 'defense of property' as broadly as the employee suggests," the court wrote. (Holly v. UPS Supply Chain Solutions, Inc., U.S. Court of Appeals for the Sixth Circuit, March 2017)</p><h4>Employer Protections</h4><p>Several U.S. states have included some liability protections to provide conditional immunity to employers that comply with their state's guns-at-work law. This is mainly in response to the business community's outcry over what liability they will face for workplace violence involving guns on their property. 
</p><p>For example, under Georgia law, an employer is not liable for any criminal or civil action for damages arising from an occurrence involving the transportation, storage, possession, or use of a firearm, including theft of the firearm, unless the employer commits a criminal act involving a firearm, or if the employer knew the person using the firearm would commit a criminal act on the employer's premises. </p><p>While the Georgia law provides some cover for employers, it also leaves them vulnerable to lawsuits if they knew the person would commit an act of violence. This raises many questions as to how to handle someone who may have violent tendencies. How do you restrict that person's access to firearms in his or her vehicle? Can you terminate him or her based on that assumption alone? </p><p><strong>Policies.</strong> Although these laws at face value complicate certain aspects of workplace violence policies and active shooter response plans, there are many steps that employers can take. Most importantly, security practitioners should educate themselves on relevant U.S. state guidelines, and confer with their general counsel on these issues to avoid unknowingly breaking the law. </p><p>For example, signs that read "no weapons" in parking lots are illegal in some U.S. states in certain circumstances. Knowing the limitations will allow companies to properly respond without risking legal liability.</p><p>If located in a state with current legal provisions for weapons in the workplace, companies should educate their workers on the boundaries of that law. For example, some employees will unintentionally assume they have greater rights, such as open-carry or storing the weapon inside the workplace. </p><p><strong>Workplace violence.</strong> Policies on workplace violence should include a thorough explanation of relevant state law regarding guns on workplace property. 
Employers should be comprehensive in creating policies that outline how to report and respond to employees who are potentially violent or otherwise pose a threat to the safety of others. </p><p>Many employers lose their conditional immunity in a workplace shooting or incident if the perpetrator was someone who had a history of violence, or was otherwise known to the employer to be a threat. </p><p>In U.S. states that make provisions for weapons on workplace property, conducting high-risk terminations is of greater concern. Employees who store weapons in their cars, abiding by the law, could inadvertently become a threat during termination. </p><p>When firing any individual considered to be high-risk, companies should consider providing a security escort to the parking lot. Security should ensure that the former employee has left the property, and front desk or other reception team members should be alerted that the person is not allowed back on the premises. Organizations should train security officers, as well as human resource employees, in the use of de-escalation techniques.  </p><p>Finally, for workplaces that must comply with parking lot laws, there are several steps that will help protect the employer while respecting the legal rights of employees. </p><p>Organizations may consider increasing security in parking areas, such as adding an access control point; conducting patrols around the building and in parking lots; installing or enhancing video surveillance systems; and implementing proper lighting. </p><p>In some cases, bag searches or magnetometers may be installed at building entry points, but legal requirements should be checked before implementing such measures. Deterring the carriage of weapons outside the vehicle will generally serve as a reminder of the law and keep both employers and employees safe. 
</p><p>At first glance, the laws surrounding weapons in the workplace may seem like a jigsaw puzzle that is difficult to comprehend, but there are steps employers can take to ensure that assets and people are protected. Understanding the law and establishing strong policies within the employers' legal rights will ensure that workplaces abide by the law while keeping their assets and people safe.  </p><p><em>Eddie Sorrells, CPP, PCI, PSP, is chief operating officer and general counsel at DSI Security Services in Dothan, Alabama. He is the author of Security Litigation: Best Practices for Managing and Preventing Security-Related Lawsuits. He can be reached at esorrells@dsisecurity.com. ​</em></p>
https://sm.asisonline.org/Pages/March-2018-Industry-News.aspx
March 2018 Industry News
Security by Industry
<h4>BOOTH COMPETITION</h4><p>B.I.G. Enterprises, Inc., inspired both licensed architects and architects-in-training to vie for top prizes in its inaugural 2017 B.I.G. Architectural Booth Design contest. More than 13,000 invitations were sent to current or former students of the 81 universities in the U.S. recognized by either the National Architectural Accrediting Board or the Association of Collegiate Schools of Architecture. Entries came from alumni and undergrads as far away as Malaysia, Colombia, and Albania.</p><p>Two award-winning U.S. architects judged the final field of 15 sketches, which were selected based on the buildability of the ideas. The judges praised the combination of indoor and sheltered outdoor space in the submissions. They found that the contest uncovered a broad slice of architectural ideas appropriate to the idea of a guard shelter, whether through a modern approach, a retro vibe, playfulness, or another theme.</p><p>The top cash prizes went to Colombian Roberto Caputo for first place, American Benjamin Garcia for second place, and Albanian Frida Vokshi for third place. In the image above, Caputo's design is second from the left in the top row; Garcia's design is on the far right on the bottom row. </p><p>"We are pleased to offer these new designs to our customers and look forward to discussing an application for each one of them," says B.I.G. 
Vice President Dave King.</p><h4>PARTNERSHIPS AND DEALS</h4><p>Abloy UK and Bristol Maid supplied Queen Elizabeth Hospital Birmingham with PROTEC2 CLIQ and Traka21 advanced key management systems to improve the security of medicines.</p><p>Agent Video Intelligence announced that its innoVi cloud-based video analytics integrate with Amazon Kinesis Video Streams, a service to capture, process, and store video streams for analytics and machine learning. </p><p>Allstate Insurance is working with Carpe Data to apply highly predictive online data to claims processing.</p><p>Astrophysics Inc. selected Bell and Howell to help increase its service reach and capabilities as the company expands in the United States and Canada.</p><p>BIO-key International, Inc., reported that CyberCore Technologies will deploy BIO-key's ID Director for Windows software authentication platform.</p><p>Captis Intelligence will provide Rite Aid with asset protection support service from its corporate office in Los Angeles.</p><p>The CNL Software Technology Alliance Program will integrate Jacques Technologies' IP Communications Systems with the IPSecurityCenter PSIM integrated situation management solution.</p><p>Confidex Ltd. was selected to supply smart tickets to Strömma Finland, the operator of Helsinki Card, which provides access to attractions and museums around the capital of Finland.</p><p>Cyberbit supplied ISE Systems with a Cyberbit range for its Cybersecurity Training Center in Paris.</p><p>Delta Scientific is working with Knight Brothers Pty. Ltd. 
in Sydney, Australia, to provide security professionals and public space operators with crash-rated vehicle mitigation solutions.</p><p>DNA and Tosibox will provide DNA real estate customers an advanced data security solution for monitoring building automation systems.</p><p>The Electronic Healthcare Network Accreditation Commission is collaborating with OmniSystems, Inc., to offer its accreditation programs, cybersecurity framework, and consultative services to customers in the United Kingdom, the Caribbean, and other markets.</p><p>Mphasis selected Fortinet to deliver advanced threat protection and secure data networks in virtualized platform to service its customers. </p><p>Galaxy Control Systems enhanced the level of integration between its System Galaxy Access Control and Cloud Concierge products and Schlage NDE and LE wireless locks from Allegion.</p><p>Hikvision USA Inc. worked with integrator Holmes Security Systems to provide a security system for The Lodge at Operation Inasmuch men's shelter in Fayetteville, North Carolina. </p><p>ImageWare Systems, Inc., and Secure Channels, Inc., are enhancing the Entertainment Security Operations Center with multifactor biometric authentication.</p><p>InfoArmor, Inc., announced that Baird of Milwaukee, Wisconsin, will offer PrivacyArmor identity protection as an employer-sponsored benefit to its employees.</p><p>Jumio announced a partnership with Meed to provide remote ID verification services for its package of financial services.</p><p>Kastle Systems International announced that its KastlePresence is offered at Cushman & Wakefield's 1401 Eye Street premier office building in Washington, D.C. It allows staff and tenants to use smartphones to access the building's perimeter, elevators, and suites.</p><p>Kroll announced a partnership with the Center for Internet Security.</p><p>Savelberg care center in Gouda, The Netherlands, chose the Conview Care solution from Leertouwer. 
It includes video surveillance, sound and motion detection, and electronic bracelets.</p><p>Leidos and SecurityMatters will provide passive monitoring capabilities to enhance cybersecurity for industrial and critical infrastructure networks.</p><p>Magal Security Systems, Ltd., will provide integrated security solutions for a major seaport in East Africa as a subcontractor for Toyota Tsusho Corporation. </p><p>BNP Paribas is using the AEOS Security Management Platform from Nedap.</p><p>On the Move Systems announced that its subsidiary Robotic Assistance Devices will supply intelligent robotic solutions through Allied Universal to supplement security professionals and drive efficiency.</p><p>Park Assist installed its M4 camera-based parking guidance systems at Cherry Creek Shopping Center in Denver, Colorado.</p><p>The Louvre in Abu Dhabi is using a Rasilient surveillance video storage system solution.</p><p>Salient CRGT, Inc., partnered with Kaseware to integrate its Voyager Query for Law Enforcement within the Kaseware investigative case management system.</p><p>The Vienna University of Economics and Business worked with Siemens AG Austria to create a networked video system using SeeTec video management software. </p><p>Thales announced that Kashing Ltd. is deploying its payShield 9000 hardware security module to secure online e-commerce and mobile point of sale card readers.</p><p>TruTag Technologies is providing its TruTag on-dose identity solution to the Daily Wellness Company, a nutraceutical manufacturer. The TruTag solution is covert and edible.​</p><h4>GOVERNMENT CONTRACTS</h4><p>The Texas Department of Information Resources awarded AT&T a contract to offer managed security services statewide.</p><p>Charlotte-Mecklenburg Police Department purchased TASER X2 Smart Weapons from Axon.</p><p>BIO-key was selected to provide a biometric solution for the Province of British Columbia.</p><p>Bruker will deliver RAID M-100 hand-held chemical detectors to the U.S. 
National Guard.</p><p>Centigon France was selected by SCANIA to protect truck cabins for the Danish Armed Forces.</p><p>The U.S. Army Corps of Engineers selected the CH2M-Merrick Joint Venture to support the Missile Defense Agency's Ballistic Missile Defense Program with electronic and physical security design.</p><p>The Philippines Land Transport Office is issuing 500,000 biometric licenses per month, using a system from DERMALOG.</p><p>Design Interactive ScreenADAPT, a visual search training program, is being used at the Portland Airport.</p><p>The Seagull unmanned surface vessel from Elbit Systems performed mine countermeasures in a joint exercise between the Israeli Navy and the British Royal Navy.</p><p>FoxGuard Solutions, Inc., was awarded a grant from the U.S. Department of Defense (DoD) to develop a cybersecurity platform to protect military installations across the world.</p><p>Herta will install facial recognition solutions in the city of Phuket, Thailand, as part of a safe city initiative.</p><p>MacAulay-Brown, Inc., was awarded a task order to help the U.S. Air Force Research Lab streamline business applications and software across the enterprise.</p><p>Milestone Systems video management software and Axis Communications network video cameras are helping protect Las Ramblas in Cayala City, Guatemala. 
EMC Isilon servers provide the data storage.</p><p>MSA Safety provided state-of-the-art G1 self-contained breathing apparatus to the Chicago Fire Department.</p><p>Orion Communications announced that the Massachusetts State Police selected its AgencyWeb solution to streamline scheduling, deployment of resources, training, supply management, and asset tracking.</p><p>Sullivan County Emergency Communications District in Tennessee transitioned to PowerPhone's Total Response solution.</p><p>RADWIN announced that Antwerp Police in Belgium chose its JET Point-to-Multipoint solutions to build a video surveillance network.</p><p>The Brazilian Ministry of Education is using the ANDRE Advanced Near-field Detection Receiver from Research Electronics International to detect cheating at standardized testing.</p><p>Siklu Inc. announced that its MultiHaul radios were selected by Wichita, Kansas, to provide wireless connectivity for cameras deployed in the city's Old Town district. </p><p>Threat Sketch was awarded a contract from the National Institute for Hometown Security and the U.S. Department of Homeland Security to help develop innovative solutions for the critical infrastructure community.</p><p>Wireless video experts xG Technology, Inc., will supply hand-held intelligence, surveillance, and reconnaissance devices to the U.S. Army.</p><h4>AWARDS AND CERTIFICATIONS</h4><p>Hosting company 3W Infra achieved compliance with ISO 27001 and PCI-DSS standards, according to audit company Noordbeek B.V.</p><p>A+ Technology & Security Solutions was named 2017 Education Partner of the Year by Axis Communications.</p><p>Akoustis Technologies, Inc., announced that its wafer fabrication facility in Canandaigua, New York, achieved ISO 9001:2015 certification. 
It also received new patents related to its piezoelectric materials, resonators, RF filters, and their applications.</p><p>Arxys Software Orchestrated Storage is now a Milestone Certified Solution.</p><p>Convergint Technologies was named 2017 National Systems Integrator of the Year by Axis Communications.</p><p>Detection Technology was granted ISO 9001:2015 and ISO 14001:2015 certification.</p><p>Hanwha Techwin's high-performance chipset Wisenet 5 won the Grand Prize at the High-Tech Safety Industry Product and Technology Awards 2017.</p><p>G4S Secure Solutions (USA) was named Outstanding Philanthropic Corporation by the Association of Fundraising Professionals of Palm Beach County. </p><p>IdeaScale announced its FedRAMP authorization.</p><p>Lieberman Software Corporation announced that its Rapid Enterprise Defense Identity Management is certified for Microsoft Azure Government. </p><p>Mimecast Limited was named one of the Top Places to Work in Massachusetts by The Boston Globe.</p><p>Little Caesars Arena, home of the Detroit Red Wings and Detroit Pistons, received SAFETY Act Certification from the U.S. Department of Homeland Security. The arena is managed and operated by Olympia Entertainment.</p><p>The VARIO2 IP Hybrid Illuminator from Raytec won an award for Innovative Achievement (Video Surveillance) at the Detektor International Awards 2017.</p><p>Rohde & Schwarz achieved U.S. Transportation Security Administration certification for its R&S QPS200 Security Scanner.</p><p>RSA announced that its NetWitness Suite was added to the U.S. Department of Defense Information Network Approved Product List.</p><p>Cloudera named Securonix Inc. the Cloudera APAC Technology Partner of the Year.</p><p>SmartMetric announced that its biometric card is protected by five new patents.</p><p>Suprema was recognized with the Best Product Award in the ID & Access Control category at the Detektor Awards.</p><p>VIPRE Security won the Channelnomics Innovation Award. 
</p><p>Votiro received the Common Criteria Certification from the Australian Signals Directorate following evaluation by BAE Systems.</p><h4>ANNOUNCEMENTS</h4><p>Alarm Lock Systems, a division of NAPCO, launched a new website at www.alarmlock.com.</p><p>The Alliance for Cyber Risk Governance introduced its risk framework initiative at its inaugural conference. The alliance plans to establish four working groups responsible for expanding on the initial recommendations.</p><p>Former Massachusetts Governor Michael Dukakis and Tuan Nguyen founded the Artificial Intelligence World Society to foster the ethical development, implementation, and advancement of artificial intelligence.</p><p>Quebec's Bureau de la Sécurité Privée launched a new website at www.bspquebec.ca/en as an essential reference portal for the private security industry.</p><p>Cisco and INTERPOL agreed to share threat intelligence as the first step in jointly fighting cybercrime.</p><p>The Cloud Security Alliance released the CSA Code of Conduct for GDPR Compliance, which provides guidance in complying with the European General Data Protection Regulation. </p><p>Contemporary Services Corporation renamed its Las Vegas employee training center in honor of an employee, Erick Silva, who was fatally shot during the attack on the Route 91 Harvest Festival.</p><p>Datacenter.com announced the official opening of its Amsterdam flagship colocation data center.</p><p>Ernst & Young LLP acquired E-STET, which will join its Fraud Investigation and Dispute Services.</p><p>Exterro Inc. 
announced a new educational website to educate lawyers on the e-discovery implications within the Federal Rules of Civil Procedure.</p><p>The Special Investigations Unit of the International Centre for Sport Security established a confidential Sport Integrity Hotline to help athletes, fans, and others report misconduct and sport integrity issues in the United States and Canada.</p><p>Karamba Security was invited to join the Automotive-Information and Sharing Analysis Center (Auto-ISAC).</p><p>KOLOGIK acquired the assets of COPsnyc of Dallas, Texas, to create a law enforcement regional data sharing network across Texas, Louisiana, and Mississippi.</p><p>The National Electrical Manufacturers Association and the Industrial Internet Consortium formed a formal liaison to advance the Industrial Internet of Things.</p><p>Midpoint Security is offering a free edition of CredoID access control software, which is compatible with HID VertX controllers, Edge IP readers, Mercury controllers, Suprema biometric IP, and wireless Aperio locks by Assa Abloy. </p><p>The mobotour team is seeking three individuals to serve on the company's advisory board—one in middle school, one in high school, and one in college. 
Learn more at mobotour.com/mobotour_advisoryboard_contest.</p><p>Nuctech launched a new branch in Rotterdam, The Netherlands.</p><p>The Ministry of Community Safety and Correctional Services in Ontario, Canada, used 16 ODSecurity Soter RS Body Scanners to perform 139,600 scans in 2017, yielding 4,774 positive scans that uncovered mobile phones, weapons, and drugs.</p><p>Ontario Power Generation and more than 30 partner organizations successfully completed a large-scale, emergency preparedness exercise at Pickering Nuclear Generating Station.</p><p>The Security Industry Association created the Autonomous Security Robots Working Group.</p><p>SecurityMetrics released the 2018 Guide to HIPAA Compliance to help explain HIPAA requirements.</p><p>Traffic & Parking Control Company opened a Minnesota Service Center in White Bear Lake, Minnesota. ​</p>
https://sm.asisonline.org/Pages/Securing-Special-Events.aspx
Securing Special Events (Physical Security)
<p>Security practitioners are frequently called upon to provide support to large-scale events with sizeable crowds, whether hosted at a sports arena, outdoors, at a convention center, or elsewhere. Event security plans may already exist and will dictate the type of resources or response to be applied to the event. In other cases, security personnel receive a task to provide protection or security without much in the way of instruction, information, or coordination.</p><p>Whatever the nature of the event, security professionals are responsible for conducting a coherent planning process that addresses the needs of the specific event and outlines what resources will be needed. Practitioners should understand the potential hazards, risks, and threats that may be encountered during all phases of the event. </p><p>Any organization with experience in successfully hosting events will understand the importance of preparation for high levels of security and protection. Senior management and event planners must also understand the need to follow a structured planning process that takes into account the general security requirements, access control measures, and emergency action plans.</p><p>While some events have a high profile because of VIPs, celebrities, and politicians on hand, they have nowhere near the number of attendees, spectators, and protestors that global conferences, conventions, or major sporting events do. But regardless of the size, time, or type of event, security planning for any gathering should be embarked upon as early as possible. 
With so much in terms of stakeholders, logistics, and multiple venues or activities, the process can seem daunting, especially if events span several days or weeks.</p><p>The event-planning steps outlined below were successfully employed and have been refined for use in any organization engaged in security, safety, or protective operations.</p><p><strong>Analyze. </strong>Regardless of the size and scope of the gathering, once you receive notice of an event or function, the analytic process should be initiated. Make a list of the five W's–who, what, why, where, and when–surrounding the event. Security should involve the same level of planning and coordination for every event, whether it is an internally held function or an external operation connected to a major event. </p><p><strong>What is the event?</strong> In cases where the event is a large-scale one with multiagency, multiorganizational resources, you will likely be part of a task force or committee that comes together to prepare a comprehensive plan in concert with one another. If you are a single security coordinator preparing resources for a small-scale, single-venue, short-duration event, you should still prepare a plan.</p><p>Notwithstanding the dimension, size, or scope of the event or function, the risk or threat could be quite elevated depending upon the type of activity and what organizations or people are involved. Conduct research on previous events that are similar to gain an understanding of any lessons learned, resources applied, and previous threats or concerns. Questions to consider for the "what" aspect include: Will there be alcohol served, will children be present, will there be any high-risk physical activities, will outside media be present, is the event open to the public? All of these considerations help determine resources that you may need.</p><p><strong>Who is involved in the event? 
</strong>With the Republican National Convention (RNC), DNC, and other political events, the preplanning process for each takes into consideration exactly who may be attending. Consultations with event planners, local law enforcement, and even previous hosts and attendees will lead you to consider several questions: How many are expected? Are there any at-risk or special groups, or those requiring special accommodation, support, or resources? Which groups or individuals may be targeted here? Are there any VIPs attending? Have the attendees or participants been threatened or attacked in the past? Are they the subject of any controversy or concern? </p><p>You should conduct a brief review researching news, legal findings, and law enforcement bulletins related to the group(s) or event you will be supporting. For VIP guests, prepare to liaise with other government or security organizations as well as conduct walk-throughs. The "who" should consider not only the participants, speakers, and attendees, but the potential threats as well. Who owns and operates the venue? Are they a potential target? Who are their neighbors, what is co-located or nearby that may be of concern? Who are the groups or individuals that may attempt to infiltrate or would intend to do your event harm? Can they be identified? Is there active intelligence on their modus operandi? Although the Republican National Convention in Cleveland was considered to have a higher potential for risk, the very same levels of diligence, intelligence, and preparation were applied to other similar events. </p><p><strong>Why is the event occurring? </strong>Is the event a one-time gathering, conference, or rally, or is it reoccurring? Is there a political or religious agenda? The "why" question may determine the need for involvement or engagement from government or public safety agencies. 
In some cases, the "why" may lead you to relinquish certain duties to another organization, or to advise against the event taking place altogether. Although it may be easier to stop everything, restrict an event, or bow out of it completely, you should conduct the planning process so that you can explain concerns, document issues, and identify any pitfalls. In the case of the 2016 RNC in Cleveland, the "why" was well known. Recognizing that the RNC was going to occur, that media would need to work and report on location, and that protestors and agitators would be present, security personnel initiated planning with direct contact and input from local law enforcement and area-oriented experts. Although there were innumerable concerns, each was carefully analyzed and mitigated.</p><p><strong>Where is the event taking place? </strong>In many cases, the event venue–whether a sports arena, convention center, park, or major hotel–may already have security plan templates, as well as the staffing and service personnel for the function or event. Familiarize yourself with any plans, diagrams, or maps that are available and incorporate them into your planning documents, as well as alarms, security measures, or emergency action plans that the venue has. The "where" will require a site survey; the best practice is to employ a comprehensive checklist discussed later in this article.</p><p>The RNC presented a number of unique challenges when it came to the location. Many press venues and public access parties were located along a corridor contained within the secondary perimeter next to the "press chute" and main access point for staff and media entry. This, of course, created additional concerns with potential protest activity and crowd control issues. Being flexible is important. The security team must remain honest in their assessment and impart knowledge and decisions based on best application of security and safety rather than emotion or convenience. 
Having the ability to effect rapid planning processes and shift on a moment's notice is essential. At times, matters beyond the control of the coordinating staff and events planners can result in a late change of venue, forcing the need for a new site survey and security assessment. Such changes can be frustrating, but often present opportunities for improvements in security or additional unanticipated resources.</p><p><strong>When is the event occurring?</strong> The exact date, time, and duration of the event will have an effect on your planning process. In some cases, events are planned for years in advance and in a deliberate and well-documented process. In others, you may face a situation where a CEO elects to have a gathering of corporate VIP leaders for a special get-together or breakaway meeting at a private function. The "when" will drive how much planning you can conduct and what resources you can bring to bear.</p><p><strong>Pre-brief. </strong>At this stage, assemble your team, advise them on the 5 W's you have so far, and begin to address what resources may be required. During this time you can conduct an analysis of the mission or detail, the event participants both internal and external, the personnel you have available, the planning time you expect to need, and the date and time of event execution. Some security practitioners use a backwards planning process where you prepare a timeline working backwards from "zero hour" or "time on target" (TOT) at the activity to the full plan and movement schedule related to the execution of the event as depicted below.</p><p><strong><img src="/ASIS%20SM%20Callout%20Images/table%201.JPG" class="ms-rtePosition-1" alt="" style="margin:5px;width:658px;height:461px;" />Tentative plan.</strong> It is important to look at the location with a critical eye as early as possible in the planning process, and preferably with your event or venue specialists. 
They will be able to tell you what their desired end states are and where they will locate certain activities or resources, and then you, in turn, will be able to identify any risk or threat associated with the intended activity at the location. The use of a Pre-Deployment Site Survey (PDSS), which is a comprehensive checklist that allows you to undertake a full review of the location(s) to be used, is highly recommended.</p><p><strong>Coordination.</strong> Coordination does not need to wait for the plan to be complete. Leaders or managers should communicate their plans and send out the people to conduct necessary coordination. As the plan evolves or things change, the leadership should communicate and instruct on course corrections. Hold people accountable, and ensure you are getting feedback in a timely manner on tasks requiring coordination.</p><p><strong>Observation.</strong> Inspection and reconnaissance of the venue is essential to the plan. You will not be able to truly gain awareness of the location or concerns regarding safety and security without physically inspecting the scene. When possible, inspect the location at the same times of day and days of the week it will be used. A weekday morning inspection of a park venue that gets a massive influx of pedestrians on weekends serves no purpose if you are planning for a Saturday event. Photograph, sketch, and get schematics or diagrams if possible. Include views of exits, access-ways, map routes, roadways, and streets nearby to determine any construction, detours, or other transportation concerns. Have a route plan; map distances and time to separate venues, hospitals, or other emergency resources.</p><p>For larger events you will need to visit several times and conduct full walk-throughs. Set up a visit with security and/or public safety entities partnering with you on the event. They can assist with knowledge of any police, fire, or EMS concerns related to the venue. 
A threat rating for the area is extremely useful; it should include a complete analysis of crime, political threat, health or environmental threat, or other risks based on current open source or formal intelligence, local knowledge, or debriefs and law enforcement bulletins.</p><p><strong>Plan completion and supervision. </strong>As you meet with coordinators or planners, you should be able to complete the major muscle movements of the plan. Put it together and initiate the 'pen to paper' phase incorporating your findings from the reconnaissance and preparation phases. Conduct a pre-briefing with your team and key stakeholders to determine if there are any gaps or issues that have not been resolved. Consider a "walk-through-talk-through" with personnel from each area–coordination, communications, logistics, and execution–to ensure that their respective areas are addressed. </p><p>At this point, your pre-event site security survey questions should be answered. You can now complete the plan with enough information to understand operational requirements and application of resources and how you will manage them. </p><p>Having a comprehensive plan with exhaustive detail and diagramming may not be needed for each and every event or activity. But the more you put into your event planning processes, the more you will prepare your organization to succeed in events of any size.</p><p>Whether you are a small security provider or a manager for a Fortune 100 company, you should recognize the value that effective planning has on the security of your events. The fruits of your labor will pay huge dividends in terms of your ability to respond to potential emergencies or incidents. 
</p><p><img src="/ASIS%20SM%20Callout%20Images/road%20closures.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:377px;height:490px;" /></p><p><strong><em>Updated maps of potential protest routes, street closures, and venue access points were received from local law enforcement and briefed on a daily basis.</em></strong></p><p><img src="/ASIS%20SM%20Callout%20Images/crowd%20jany.png" class="ms-rtePosition-1" alt="" style="margin:5px;" /></p><p><strong><em>A view from the Bloomberg Cleveland RNC studio where thousands of protestors congregated. These were dispersed by police after brief confrontations but caused significant congestion and control issues at the venue.</em></strong></p><p><img src="/ASIS%20SM%20Callout%20Images/protestor.JPG" class="ms-rtePosition-1" alt="" style="margin:5px;width:387px;" /></p><p><strong><em>Protestors often attempted to infiltrate venues and would approach areas deliberately. Despite the presence of both uniformed police and several plainclothes security personnel, this protestor cautiously moved about attempting to find an entry to the venue. Frequent searches of the exterior areas were conducted, and in this case a long sharpened screwdriver was found in the plant box this subject had been leaning against. 
Careful and constant monitoring by security staff for secreted weapons and people hiding in alleys and alcoves led to a number of detentions and removals.</em></strong></p><p><span style="background-color:#ffffff;"><img src="/ASIS%20SM%20Callout%20Images/jany%20protesters.png" class="ms-rtePosition-2" alt="" style="margin:5px;" /></span></p><p><span style="background-color:#ffffff;"><strong><em>Philadelphia DNC - No matter the height or type of barriers, protestors or infiltrators will attempt to scale or breach.</em></strong></span></p><p><span style="font-size:10pt;line-height:115%;font-family:calibri, sans-serif;"><img src="/ASIS%20SM%20Callout%20Images/snapshot.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:490px;height:320px;" /></span></p><p><span style="font-size:10pt;line-height:115%;font-family:calibri, sans-serif;"><strong><em>A complete execution plan to include outside resources and security assets should be prepared and briefed along with 24-hour snapshots to show coverage plans for each 
venue.</em></strong></span></p><p><em style="font-family:calibri, sans-serif;font-size:10pt;"><img src="/ASIS%20SM%20Callout%20Images/Execution.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:413px;height:314px;" /></em></p><p><strong><em>The author has put together several table templates mentioned in the article and has made them available to readers here: <a href="/ASIS%20SM%20Documents/Jany%20Tables.docx" target="_blank">Jany Tables.docx</a></em></strong></p><p><em style="font-family:calibri, sans-serif;font-size:10pt;">Eduardo Jany is the executive officer for Global Security Operations at Bloomberg LP Global Security Operations and director for physical security in the Americas. He manages protective operations and physical security for more than 19,000 people at over 190 locations internationally.</em></p>
https://sm.asisonline.org/Pages/Florida-Governor-Unveils-Major-School-Security-Plan-In-Wake-Of-Shooting.aspx
Florida Governor Unveils Major School Security Plan In Wake Of Shooting
Physical Security
<p>Just over one week after the shooting at Marjory Stoneman Douglas High School, Florida Governor Rick Scott introduced a wide-ranging plan to increase school security and prevent gun violence.</p><p>In an appearance on Friday morning, Scott called for a <a href="https://www.flgov.com/2018/02/23/gov-scott-announces-major-action-plan-to-keep-florida-students-safe-following-tragic-parkland-shooting/" target="_blank">$450 million school security plan</a>, prohibitions on gun purchases by people under 21 and the mentally ill, and a ban on bump stocks—a measure also supported by U.S. President Donald Trump.</p><p>"I've broken my action plan down into three sections. Gun laws, school safety, and mental health," Scott said. 
"We must get this done in the next two weeks."</p><p>Scott and other Florida officials have faced increasing pressure in the wake of the Marjory Stoneman shooting, which left 17 dead and numerous others wounded when a former student opened fire at the Parkland, Florida, high school with an AR-15.</p><h4>School Security</h4><p>"The goal of this plan of action is to make massive changes in protecting our schools, provide significantly more resources for mental health, and do everything we can to keep guns out of the hands of those dealing with mental problems or threatening harm to themselves or others," Scott said.</p><p>As part of the $450 million investment in school security, Scott called for a mandatory law enforcement officer in every Florida public school. The officer would be either a sworn sheriff's deputy or a police officer, and would be present during all hours that students are on campus. </p><p>"The size of the campus should be a factor in determining staffing levels by the county sheriff's office, and I am proposing at least one law enforcement officer for every 1,000 students," Scott said. "This must be implemented by the start of the 2018 school year."</p><p>Additionally, Scott proposed requiring mandatory active shooter training for all public schools during the first week of each semester. Faculty and students would be required to participate in the drills, and local sheriff's offices would approve the training.</p><p>"We are also increasing funding in the Safe Schools Allocation to address specific school safety needs within each school district," Scott said. 
"This includes school hardening measures like metal detectors, bullet-proof glass, steel doors, and upgraded locks."</p><p>As part of this effort, the Florida Department of Education with the Florida Department of Law Enforcement would provide minimum school safety and security standards by July 1 to all school districts in the state. Then, schools would create school safety plans that would be submitted by July 1 of each year to their local county sheriff's office for approval.</p><p>"Once all plans and requests for school hardening have been approved by the county sheriff's office, in consultation with local police, plans will be forwarded to the Department of Education by the school district to receive any state funds," Scott added.</p><p>Under the plan, schools would also be required to have a threat assessment team that includes one teacher, a local law enforcement officer, a human resource officer, a principal, a Department of Juvenile Justice representative, and a Department of Children and Families officer to meet monthly to review potential threats to students and staff at the school. </p><p>"We will also require each school district that receives a Safe Schools Allocation to enter into an agreement with the local sheriff's office, the Department of Juvenile Justice, the Department of Children and Families, the Department of Law Enforcement, and any community behavioral health provider for the purpose of sharing information," Scott said. "That will allow us to better coordinate services in order to provide prevention or intervention strategies."</p><p>Scott's plan, however, did not advocate for arming teachers to address active shooters in school shootings. The omission marked a break with a proposal by U.S. 
President Donald Trump following the shooting that select teachers should be trained and receive a bonus for being armed.</p><p>But Scott did advocate for $50 million for mental health initiatives to expand mental health service teams to serve youth and young adults through counseling, crisis management, and other services. Sheriff's offices would also be required to have a Department of Children and Families case manager embedded in their department to work as a crisis welfare worker for repeat cases.</p><h4>Firearms</h4><p>Scott said he will work to create a new program called the Violent Threat Restraining Order, which would be used to prevent "violent or mentally ill" people from purchasing guns.</p><p>"This will allow a court to prohibit a violent or mentally ill person from purchasing or possessing a firearm or any other weapon when either a family member, community welfare expert, or law enforcement officer files a sworn request, and presents evidence to the court of a threat of violence involving firearms or other weapons," Scott said. "There would be speedy due process for the accused and any fraudulent or false statements would face criminal penalties."</p><p>When introducing his plan, Scott referenced the alleged shooter in the Marjory Stoneman shooting—Nikolas Cruz—who legally purchased the AR-15 he used to carry out the shooting, despite receiving 39 visits from police, being expelled from school, and being reported to the FBI as a possible school shooter.</p><p>"And yet, he was never put on the list to be denied the ability to buy a gun, and his guns were never removed from him," Scott said.</p><p>The governor said he would use Florida's Baker Act to restrict mentally ill individuals from purchasing firearms. 
Individuals would also be prohibited from purchasing firearms if they are subject to injunctions for protection against stalking, cyberstalking, dating violence, repeat violence, sexual violence, or domestic violence.</p><p>"If a court involuntarily commits someone because they are a risk to themselves or others, they would be required to surrender all firearms and not regain their right to purchase or possess a firearm until a court hearing," Scott said. "We are also proposing a minimum 60-day period before individuals can ask a court to restore access to firearms."</p><p>Additionally, Florida would prohibit firearm purchases by individuals under the age of 21—with exceptions for active duty and reserve military and their spouses, National Guard members, and law enforcement.</p><p>"There is nothing more important than the safety of our children," Scott said. "Our kids deserve nothing less. Fortunately, our economy is booming, and we have the resources to protect our schools and our students. And if providing this funding means we won't be able to cut taxes this year—so be it. And if we have to give up some of the projects we all hold near and dear—so be it."</p><p>Scott will now work to push his plan, which has support from both state Democrats and Republicans, through the Florida state legislature, according to <em><a href="https://www.nytimes.com/2018/02/23/us/florida-gun-control.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=a-lede-package-region&region=top-news&WT.nav=top-news" target="_blank">The New York Times.</a></em></p><p>"Going further than the governor's plan, lawmakers said they would seek to impose a three-day waiting period on all firearms purchases, which now exist only for handguns," the Times reports. 
"They also would create a statewide commission to investigate the school shooting in Parkland, including a number of failures by the authorities."</p>
https://sm.asisonline.org/Pages/Student’s-Impressive-Behavior-During-Tragic-Shooting-Shows-Importance-of-Training,-Expert-Says.aspx
Expert: Students' Impressive Behavior in Tragic Shooting Shows Importance of Training
Physical Security
<p><em>1:30 p.m. ET Thursday</em></p><p>The tragic shooting at Marjory Stoneman Douglas High School in Parkland, Florida, held a few lessons for security professionals, says an expert and member of the ASIS International School Safety and Security Council.</p><p>First and foremost, the incident illustrated the importance of preparation, which may have saved some lives, says John Woodmansee, a security, environmental health and safety coordinator for the Connecticut Department of Education. According to various news reports, the shooter pulled the fire alarm on site, with the apparent intention of causing students to leave the building and come into harm's way. </p><p>The students' response to the fire alarm reflected substantial training, Woodmansee explains. "It seemed like they had obviously done a tremendous amount of fire drills," he says. It's important to maintain some type of order in these situations so that panic and chaos do not prevail, he adds. </p><p>Then, when students started to realize that a shooter was on the loose, "other training kicked in" and they transitioned, he continues. Many seemed adept at shelter-in-place procedures, as they found safe places to hole up and hide, locking themselves into classrooms and closets, according to the news reports. This reflected staff preparation that the students took seriously.</p><p>"That's one of the big lessons learned from this," Woodmansee explains. "They had training, they had (performed) drills—and different style of drills." 
It's important to realize that previous active shooter incidents have illustrated the effectiveness of such shelter-in-place actions, and so the preparation and following actions may have saved some lives, he says. However, he also cautions that "it's hard to say until they see the final information on what was effective and not effective."</p><p>Also impressive was the compassion and care expressed for others by students in the aftermath of the shooting, Woodmansee says. Part of incident preparation includes "building a community," so that "someone has a relationship with every student," and potential outcasts can be brought into the fold. </p><p>In the case of the Parkland shooting, the alleged gunman Nikolas Cruz, 19, was an expelled student from the school and has been described as a troubled loner with an obsessive interest in weapons. </p><p>According to Woodmansee, identifying and following up on such students can be part of the work done by a facility's threat assessment team. Although the team will do much work on assessing physical security vulnerabilities, it can also consider who might be a threat based on community members' concerns. "There can be someone on the team who looks at individuals who may need to be further evaluated," he says. </p><p>In the end, there is no magic bullet for effective preparation, so a multi-disciplinary approach, supported by dialogue and discussion, is needed, Woodmansee says: "No one way seems to be the answer."  ​</p>
https://sm.asisonline.org/Pages/Multiple-Fatalities-Reported-at-South-Florida-High-School-Shooting.aspx
Multiple Fatalities Reported at South Florida High School Shooting
Physical Security
<h4>What We Know So Far about the Florida High School Shooting</h4><ul><li><p>17 people including students and adults were killed when a gunman pulled a fire alarm and then opened fire at Marjory Stoneman Douglas High School, about an hour northwest of Miami. Fifteen people were wounded.</p></li><li><p>The gunman has been identified as 19-year-old Nikolas Cruz, a former student who was expelled from the school for disciplinary reasons.</p></li><li><p>Cruz was <a href="https://www.npr.org/sections/thetwo-way/2018/02/14/585908507/what-we-know-about-the-florida-school-shooting-suspect" target="_blank">heavily armed</a> and was believed to be carrying an AR-15 rifle and "countless magazines," as well as smoke grenades and a gas mask. </p></li><li><p>The shooter has been <a href="https://www.npr.org/sections/thetwo-way/2018/02/15/586009751/florida-shooting-suspect-set-to-appear-in-court-on-17-murder-charges" target="_blank">charged with 17 counts of premeditated murder</a> and is expected in court this afternoon. </p></li><li><p><a href="http://www.miamiherald.com/news/local/community/broward/article200126034.html" target="_blank">The <em>Miami Herald </em>reports</a> Cruz was a "troubled teen with few friends and an obsessive interest in weapons. Administrators considered him enough of a potential threat that one teacher said a warning was emailed last year against allowing him on the campus with a backpack."</p></li><li><p>Two tips about Cruz had been <a href="https://www.cnn.com/2018/02/15/us/nikolas-cruz-fbi-warned/index.html" target="_blank">passed along to the FBI</a>, but they were never passed on to local law enforcement. 
</p></li><li><p>The shooting is the deadliest on a school campus since the Sandy Hook massacre in Newtown, Connecticut, in December 2012.</p></li><li><p>Cruz and his biological brother were adopted by a family after their mother and her husband passed away. The two boys later moved in with a family friend. The adoptive family's attorney, <a href="http://time.com/5159134/who-is-the-florida-shooter-parkland-nicolas-cruz/" target="_blank">James Lewis, says</a> the family had "no idea, no predilection….they had no clue that this kid was dangerous." </p></li><li><p>The shooter's family allowed him to have a gun but <a href="https://www.cnn.com/2018/02/14/us/nikolas-cruz-florida-shooting-suspect/index.html" target="_blank">established rules around it</a>, including that it had to remain locked up.</p></li><li><p>Meanwhile, Broward's sheriff is responding to <a href="http://abcnews.go.com/US/students-parents-desperate-answers-police-investigate-florida-school/story?id=53103817" target="_blank">several copycat threats </a>that were called in to South Florida schools today. </p></li><li><p>Information about some of the victims—including their heroic actions—<a href="http://www.sun-sentinel.com/local/broward/parkland/florida-school-shooting/fl-sp-douglas-shooting-victim-aaron-feis-20180214-story.html">has begun to emerge</a>, and officials say a full list of the victims and a shooting timeline will be released today. </p></li><li><p>The Associated Press reports that a white nationalist group has confirmed Cruz is a member. "The leader of a white nationalist militia called the Republic of Florida said Cruz was a member of his group and participated in exercises in Tallahassee," according to the article. ​</p></li></ul><p><em>Security Management </em>​will continue to update this article as new information emerges.​<br></p><h4>ASIS International Launching Active Assailant Program</h4><p><em>12:15 p.m. 
ET Thursday</em><br></p><p>In the coming days, ASIS International will roll out a content program around the active assailant topic. The series will include expert input on how to prepare for, mitigate, and respond to these attacks. An upcoming article in <em>Security Management </em>will explore how unarmed guards can play a crucial role in defending against active assailants. The March <em>Security Management</em> podcast will feature interviews with members from the ASIS School Safety and Security Council. An upcoming "Ask the Expert" webinar series and an upcoming classroom program will further discuss the topic. <a href="https://www.asisonline.org/publications--resources/security-topics/active-shooter/" target="_blank">Click here for a current list of ASIS resources on active assailant</a>.</p><p><img src="/ASIS%20SM%20Callout%20Images/U.S.%20President%20Trump.jpg" alt="" style="margin:5px;width:854px;height:571px;" /><br></p><h4>Trump Addresses Nation, Says School Safety Is 'Top Priority'</h4><p><em>12:10 p.m. ET Thursday</em><br></p><p>U.S. President Donald Trump addressed the nation this morning in the wake of a mass shooting at a Florida high school that left 17 dead and 14 injured. </p><p>“No child, no teacher, should ever be in danger at an American school,” Trump said in his remarks on the shooting at Marjory Stoneman Douglas High School in Parkland, Florida. “No parent should ever have to fear for their sons and daughters when they kiss them goodbye. 
Each person who was stolen from us yesterday had a life ahead of them, a life filled with wonders and beauty, potential and promise.”</p><p>The gunman allegedly responsible for the shooting has been identified as Nikolas Cruz, a 19-year-old student who’d been expelled from the school, according to <em><a href="https://www.nytimes.com/2018/02/14/us/parkland-school-shooting.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=a-lede-package-region&region=top-news&WT.nav=top-news" target="_blank">The New York Times.</a></em> Cruz was enrolled at another Broward County school at the time of the shooting, and authorities told the Times they’d already discovered material on his social media accounts that was “very, very disturbing.”</p><p>Trump said that he has been in contact with Florida Governor Rick Scott, as well as the Florida attorney general and Broward County sheriff. He plans on visiting Parkland, Florida, to meet with families and local officials, but did not say when this visit would occur.</p><p>Trump also said that his administration is working closely with local authorities to investigate the shooting and “learn everything we can” about the incident. He then plans to work with state and local leaders to tackle the issue of mental health and school security.</p><p>Making schools safer is “our top priority,” Trump said, adding that it’s not enough to take actions “that make us feel like we’re making a difference—we need to make a difference.”</p><p>Trump’s comments on mental health, however, contradicted earlier actions that his administration has taken in regard to individuals with mental illness and firearms. 
Shortly after taking office in February 2017, Trump signed a bill into law that rolled back previous regulations that made it more difficult for individuals with mental illnesses to purchase guns.</p><p>“The rule, which was finalized in December 2016, added people receiving Social Security checks for mental illnesses and people deemed unfit to handle their own financial affairs to the national background check database,”<a href="https://www.nbcnews.com/news/us-news/trump-signs-bill-revoking-obama-era-gun-checks-people-mental-n727221" target="_blank"> NBC News reports.</a></p><h4>​Multiple Fatalities Reported at South Florida High School Shooting</h4><p><em>5 p.m. ET Wednesday</em><br></p><p>Numerous people are dead and injured after a mass shooting at a south Florida high school Wednesday, officials said. The Broward County Sheriff's Office said there are at least 14 victims but did not say how many of those were injured or killed, USA Today reports.</p><p>The gunman was taken into custody nearly two hours after the shooting was reported, authorities said. </p><p>The shooting happened about 2 p.m. at Marjory Stoneman Douglas High School in Parkland, Florida, which is about 30 miles northwest of Fort Lauderdale, according to the Coral Springs Police Department.</p><p>Broward County Public Schools Superintendent Robert Runcie said "multiple fatalities" have been reported. "It's a horrific situation. It's just a horrible day for us," he said. "...This is a day we prayed would never happen in our county." </p><p>Runcie said every high school in the county has a police presence, adding there are typically two officers at every school. Margate Fire Chief Dan Booker told the <em>Miami Herald</em> that the shooting was a mass casualty incident. He said more than 20 were hurt, although he could not confirm exactly how many have been injured or how many were shot.</p><p>The school district released a statement explaining the shooting happened close to dismissal time. 
When students heard what sounded like gunfire, the school was placed on lockdown. ​</p>
https://sm.asisonline.org/Pages/Cybersecurity-for-Remote-Workers.aspx
Cybersecurity for Remote Workers
Cybersecurity
<p>Today, half of U.S. workers hold jobs that allow them to work remotely at least part of the time, according to a 2016 study from <a href="http://globalworkplaceanalytics.com/telecommuting-statistics">Global Workplace Analytics</a>. Additionally, the number of people who work from home full-time, not counting those who are self-employed, has grown by 115 percent since 2005.</p><p>It's no secret that cybersecurity threats are on the rise across the board, and according to the <a href="https://www.sciencedaily.com/releases/2017/07/170731134133.htm">American Statistical Association</a>, the financial burden of cyberattacks will rise from $400 billion a year to $2.1 trillion by 2019. It's not uncommon now for companies of all sizes, even large corporations that invest millions in data protection, to be compromised. As more employees log on to servers and networks outside the office, it's more imperative than ever that they be protected and that employers enforce cybersecurity protocols.</p><p>It's not unusual for an employee to enjoy a latte at a local bistro while working on a company laptop. The worker might log onto the public Wi-Fi, which is wide open to hackers. There are several common ways hackers take advantage of open Wi-Fi networks, including creating their own public Wi-Fi network that looks legitimate. The fake Wi-Fi is a way to monitor users' online activity. So, if the employee joins, a hacker can view credit card numbers, passwords, emails, and other sensitive company data. 
Human error unfortunately leads to many lapses in security and may put the company at significant risk of a cyberattack.</p><p>Here are five steps businesses can take to mitigate the security risk posed by a remote workforce.</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p><strong>1. Use and continually update anti-virus and anti-malware software. </strong>Some anti-virus software companies use independent test laboratories, like ICSA Labs or West Coast Labs, for certification. Check for these labels when considering a purchase. Independent lab tests and reviews from technology magazines can help you choose software. </p><p>Once the platforms are in place, run updates or patches as they are released to ensure that company data stays safe.</p><p><strong>2. Train employees on proper security protocols.</strong> When working remotely and logging on to the company's private network, the first thing to remember is to use a Virtual Private Network (VPN). VPNs protect online information by encrypting it in transit, allowing users to securely access and share data remotely through public networks.</p><p>Additionally, teach employees to recognize system vulnerabilities and threats to business operations from email communications, internal platforms, and external websites. Train employees to be alert for suspicious activity on their digital devices. If they believe they have accidentally revealed sensitive information about your company, make sure they are comfortable reporting it to their supervisor immediately, as well as to network administrators or the IT department. The sooner IT can investigate and clean the computer, the better the chances of preventing damage to the infected device and others on the network.</p><p><strong>3. Establish and enforce a strict password policy.</strong> Make sure passwords are strong, and ensure that employees use different passwords across platforms.</p><p>What makes a password strong? 
Historically, best practices have included using complicated passwords with numbers, special characters, and random letters, and using different passwords for each application and website. That is not necessarily today's password protocol, according to the latest research by the National Institute of Standards and Technology (NIST), which revised its guidelines on creating passwords in June 2017.</p><p>The good news is NIST aims to make everyone's digital life easier while keeping security threats at bay. NIST's advice? Make passwords obscure, unexplainable, and as long as possible, but memorable. Phrases, lowercase letters, and an unexpected combination of typical English words work well and confound automated systems. One humorous example is cartoonist Randall Munroe's password, "correct horse battery staple," all written as one word. He calculated it would take 550 years to crack—and <em>The Wall Street Journal </em>reported this to be true and verified by computer security specialists. </p><p>Perhaps most surprisingly, passwords never need to expire, according to NIST. The organization's new guidelines are based on the finding that previous password tips negatively affected users and did not do much to boost security. And most people don't change their passwords very drastically when it's time to do so, often changing only one or two characters to better remember the new entry.</p><p><strong>4. Protect communications by setting up a secure server to encrypt and decrypt communications within the company.</strong></p><p>Consider using encryption software to safeguard files. There are several options to choose from. One type of encryption software processes files and folders, creating impenetrable encrypted versions of each. Another is like a virtual disk drive that, when unlocked, functions like any other type of system drive. However, when locked, files are ultrasecure and inaccessible. </p><p>Other products are cloud-based. 
While this is most convenient for remote workers, cloud-hosted data is at much greater risk and more susceptible to attack than data housed physically onsite on a company server. </p><p>However, additional safety measures can be used. Cryptographers have come up with a security feature called Perfect Forward Secrecy (PFS). PFS automatically and frequently changes keys used to encrypt and decrypt information, so if a device is stolen or hacked, only a small portion of the user's sensitive data is exposed. </p><p><strong>5. Finally, be sure you have adequate cyber liability insurance coverage. </strong>A lot of business owners don't realize that cybercrime isn't covered by their general business liability policies. A general liability policy covers third-party claims for things like bodily injury or property damage, but it doesn't extend to things like workers' compensation claims or cyberattacks. </p><p>In the unfortunate event of a data breach, cyber liability insurance covers risks such as extortion and theft of data. It also covers crisis management in the immediate aftermath, including tech support and public relations. The average cost of an attack is $3.62 million, according to Ponemon Institute, so this safeguard is one of the most important tactics for protecting a company's financial health. </p><p>It's also smart to develop a detailed action plan that your team working remotely can implement immediately in the event of a cyberattack. This will ensure that the company is prepared to take actionable steps, such as communicating details of the breach to employees and implementing required action to minimize further damage. Include various breach scenarios, and provide answers to questions like "Who will deal with the technology aftermath?" and "Who will inform clients?" 
Test the plan and revisit it regularly—at least annually—to make sure it's up to date.</p></blockquote><p>It's impossible to eliminate every risk involved in working remotely, but proper precautionary measures can greatly reduce exposure to cyberattacks and other liabilities. Stay abreast of the latest recommendations and advice from experts in the field to be prepared. </p><p><em>Parker Rains is senior vice president and head of Fisher Brown Bottrell's Nashville regional office. A wholly owned subsidiary of Trustmark National Bank, Fisher Brown Bottrell Insurance is a publicly traded financial services company with more than 200 locations in Mississippi, Florida, Tennessee, Alabama, and Texas. Contact Rains at </em><a href="mailto:prains@fbbins.com"><em>prains@fbbins.com</em></a><em> or 615-761-6332, and visit Fisher Brown Bottrell Insurance online at </em><a href="http://www.fbbins.com/"><em>www.fbbins.com</em></a><em>.</em></p>
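<p>The password guidance in step 3 of the remote-worker article above, written out as a screening routine; this is an added example, not code from the article or from NIST. It follows the approach of NIST SP 800-63B (the June 2017 revision the article refers to): a length floor, a blocklist check, and no composition or expiry rules. The function names, the sample blocklist, and the 2,048-word list and guess rates used for the crack-time estimate are assumptions made for illustration.</p>

```python
"""Password screening in the spirit of NIST SP 800-63B (added example)."""
import unicodedata

MIN_LENGTH = 8  # SP 800-63B floor for user-chosen secrets; longer is better

# Constructed sample blocklist. A real verifier loads a large list of commonly
# used and breached passwords; entries are stored lowercase, without spaces.
SAMPLE_BLOCKLIST = frozenset({
    "password", "password1", "qwertyuiop", "letmein123", "iloveyou1",
    "correcthorsebatterystaple",  # famous published examples get guessed first
})


def _canonical(text):
    """NFKC-normalize, casefold and drop whitespace for comparisons."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(folded.split())


def _is_repetitive_or_sequential(text):
    """True for 'aaaaaaaa', '12345678', 'hgfedcba' and similar runs."""
    if len(text) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(text, text[1:])}
    return steps in ({0}, {1}, {-1})


def check_password(password, username="", blocklist=SAMPLE_BLOCKLIST):
    """Return the reasons to reject `password`; an empty list means accept.

    Deliberately absent: composition rules (digit/symbol/uppercase quotas)
    and any expiry date, both of which the 2017 guidance advises against.
    """
    normalized = unicodedata.normalize("NFKC", password)
    canonical = _canonical(password)
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if canonical in blocklist:
        problems.append("commonly used or breached")
    if _is_repetitive_or_sequential(canonical):
        problems.append("repetitive or sequential")
    if len(username) >= 3 and _canonical(username) in canonical:
        problems.append("contains the username")
    return problems


def years_to_exhaust(word_count, wordlist_size, guesses_per_second):
    """Years needed to try every passphrase of `word_count` random words."""
    keyspace = wordlist_size ** word_count
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample inputs (password, username).
    samples = [
        ("P@ss1", ""),
        ("12345678", ""),
        ("correct horse battery staple", ""),
        ("jsmith-laptop-2024", "jsmith"),
        ("lavender teapot orbit mustard", "jsmith"),
    ]
    for candidate, user in samples:
        verdict = check_password(candidate, user) or ["accepted"]
        print("%-32r %s" % (candidate, ", ".join(verdict)))

    # Four random words from an assumed 2,048-word list give 2**44 choices.
    # A throttled online attack (assumed 1,000 guesses/second) needs centuries;
    # an offline attack on a fast hash (assumed 10**10 guesses/second) needs
    # minutes, so stored passwords still need a slow, salted hash.
    online = years_to_exhaust(4, 2048, 1_000)
    offline_minutes = years_to_exhaust(4, 2048, 10**10) * 365 * 24 * 60
    print("online: %.0f years, offline: %.0f minutes" % (online, offline_minutes))
```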
https://sm.asisonline.org/Pages/ENCUENTRA-EL-INCENDIO.aspx
Find the Fire
Physical Security
<p style="text-align:justify;">The University of Hawaii at Hilo (UHH), founded in 1941, is located on the Big Island, the largest in the Hawaiian archipelago. The school offers 38 undergraduate and graduate areas of study, including a renowned astronomy program, to approximately 3,600 students.</p><p style="text-align:justify;">The Hawaiian skies over the Pacific Ocean offer a spectacular view.</p><p style="text-align:justify;">But in addition to the magnificent views of the campus, the university's security staff frequently found themselves looking at fire panels that were not working properly, says Ted LeJeune, UHH project manager.</p><p style="text-align:justify;">When the campus began major renovations five years ago, the security department ran into challenges with its fire alarm system, which operated over a radio signal. "We had begun to experience problems with reflectivity and inconsistencies in the radio system," LeJeune says, "so we were having trouble passing our annual fire inspections by the fire marshal."</p><p style="text-align:justify;">The institution's fire system includes panels that report intermittently to the central station in the facility's security office. "The panels transmit signals at regular intervals that say, 'Hey, I'm here, I'm okay,'" LeJeune explains. 
"And as long as we receive that notification, similar to a heartbeat, the security office knows we have no problems."</p><p style="text-align:justify;">The fire panels report any problem to the central station, including tripped smoke detectors, pulled fire alarm buttons, and panels that are offline. When any of these triggers an alarm, "we receive an immediate notification in the security area indicating that there is a problem in the building and that we have to dispatch someone to investigate," LeJeune says.</p><p style="text-align:justify;">In the campus security operations center, which is staffed 24 hours a day, security team members monitor a large screen that displays the current status of the fire protection system as well as active alarms. The screen lets operators scroll through notifications and keep a record of reports. In the event of a fire or other life-threatening event, the fire department is contacted.</p><p style="text-align:justify;">The campus rooftops are made of corrugated steel. When the Hawaiian sun hit these roofs, signals could be scattered or blocked, causing the radio-based fire alarm system to report inconsistently or not communicate at all. 
This led to a multitude of problems for the facility's security department.</p><p style="text-align:justify;">"We were getting intermittent connectivity or even losing it at some locations because of the reflectivity of the radio signals off our roofing systems," LeJeune explains.</p><p style="text-align:justify;">Beyond the connectivity and transmission problems, maintaining the old radio units was an onerous task: an outside engineer had to travel to the university to service the devices.</p><p style="text-align:justify;">These challenges led to a conversation with Digitize, which is now the vendor behind several aspects of the campus fire safety system. In the fall of 2016, Digitize suggested implementing "fixed-line" radio equipment that ties into the university's existing Ethernet and fiber-optic cable system. "We have made several improvements to stabilize our Internet over the last few years," LeJeune says, "and adding Digitize to our fixed-line system felt like a natural extension, because we already had the backbone."</p><p style="text-align:justify;">The fixed-line radio units allow the end user to do away with the fire panels' frequency transmitter and connect them to either the facility's Ethernet or its fiber-optic cabling. This connection lets the panels report to the central station within seconds.</p><p style="text-align:justify;">UHH launched a pilot project in the spring of 2017 to test the new product in its recently renovated College of Business and Economics building. 
The university upgraded its base unit in the campus security office to host both the original radio frequency and the fixed-line inputs.</p><p style="text-align:justify;">During testing, the fixed-line units successfully and accurately reported all events to the central station. "Our pilot project went fantastically," LeJeune says. "We managed to pair our remote unit [with the fixed-line units], and we were able to communicate clearly with the base unit and program it," he says. The institution also brought in the fire department to observe the new system. "They were excited to know that we were getting a more stable network and that we would be able to manage and monitor our system more clearly."</p><p style="text-align:justify;">Since the new system was installed, the campus has not experienced any problems with fire alarm panel reporting. In the coming months, the university plans to add fixed-line units to at least 25 facilities. Some of the larger buildings will have their own units, while groups of small buildings will be able to share units, LeJeune adds.</p><p style="text-align:justify;">With the new system, UHH security staff can service the panels on their own instead of relying on an outside engineer. "Digitize has trained us right here at the university, so that we can not only diagnose problems with the system but also extend it, and program the new units from both ends so that communication is proper and consistent," he says. 
"La capacidad de trabajar con este sistema de forma interna, así como el entrenamiento que recibimos por parte de Digitize ha significado un gran paso hacia adelante para nosotros."</p><p style="text-align:justify;">LeJeune agrega que el nuevo sistema permite que el área de seguridad se concentre completamente en los asuntos que realmente merecen atención. "Se trata de confiar en que nuestras comunicaciones son constantes, y en que no estamos [constatemente] recibiendo alarmas falsas o de conexión perdida", comenta. "Ésto permite que el personal de seguridad se pueda enfocar en sus tareas asignadas en lugar de perseguir fantasmas o falsas alarmas."</p><p style="text-align:justify;"><em>Para más información, contactar a: Abe Brecher, Digitize. </em><em>www.digitize-inc.com</em><em>; abeb@digitalize-inc.com; +1-973-219-2567</em></p><p style="text-align:justify;"><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Managemen<em>t is not responsible for errors in translation. Readers can refer to the</em><a href="/Pages/Employee-Theft.aspx" target="_blank"><em> </em></a><a href="/Pages/Find-the-Fire.aspx" target="_blank"><em>original English ​version here​.</em></a>​<br></p>
https://sm.asisonline.org/Pages/Book-Review---Mental-Health.aspxBook Review: Mental HealthGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Butterworth-Heinemann; elsevier.com; 370 pages; $125.</p><p>Following a disaster, the mental health issues affecting both rescuers and survivors are frequently overlooked. <em>Integrating Emergency Management and Disaster Behavioral Health </em>is an excellent exploration of the topic, written by multiple contributors. Looking at mental health from both emergency management and behavioral health perspectives allows the authors to seamlessly transition between these two disciplines and make a convincing argument that both need to be considered throughout each stage of disaster management.</p><p>While the book sometimes reads like a research paper, the topic is fascinating. The chapters include ample references and diagrams to convey both the seriousness and credibility of the material. Real-world examples illuminate the text. </p><p>Some chapters explore topics in a depth that may be too advanced for general security practitioners, especially those not involved with planning or coordinating emergency response efforts.</p><p>The ideal audience for this book would be emergency managers and those seeking to learn more about this discipline. The book would be a great addition to training courses on the National Incident Management System because those learning about emergency management for the first time would be exposed to the behavioral health implications following a disaster. 
Individuals working with or studying human behavior, such as clinical psychologists, mental health counselors, and aid workers, will also find value in understanding how people individually and collectively react to the stress of major disasters.</p><p>Overall, this book presents a unique and desperately needed argument for integrating two vital but sometimes distant disciplines. At a time when factions debate over what constitutes mental illness and what such a diagnosis means, this book becomes a timely resource.</p><p><em><strong>Reviewer: Yan Byalik, CPP, </strong>is the security administrator for the City of Newport News, Virginia. He has 16 years of security experience in multiple industries, managing security officers, campus security officers, and special conservators of the peace. Byalik is the assistant regional vice president for ASIS Region 5A in Southeast Virginia. ​</em></p>
https://sm.asisonline.org/Pages/February-2018-ASIS-News.aspxFebruary 2018 ASIS NewsGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​Out with the Old, In with the New</h4><p>Have you checked out the new ASIS website, www.asisonline.org?</p><p>Launched late last month, the revitalized site is built with your needs in mind, delivering what you want, when you want it. Gone are the text-heavy web pages, unfriendly navigation, and cumbersome shopping experience. From the top down, all functionality is designed with mobile in mind. </p><p>These strategic design choices along with our new taxonomy and tagging structure will enable quick access to our robust search feature and easy-to-browse navigation. Tap into the expertise of your 35,000+ ASIS peer group in ASIS Connects, our new member-only private community. </p><p>We invite you to visit the site today and explore the host of opportunities to get involved in your global security community. Update your profile at the top-right of the homepage. Indicate areas of interest, add a profile photo, and revisit your communications preferences. January's website upgrade is just the start of a multiphase web update plan. To help inform what the project will look like in the coming months, share your feedback to <a href="mailto:asisfuture@asisonline.org">asisfuture@asisonline.org</a>.​</p><h4>What's Ahead for S&G</h4><p>The ASIS Commission on Standards and Guidelines expanded its membership from 12 members to 28 in 2018, on the heels of its first open application process.</p><p>"Over the last decade, the global security standards landscape has changed dramatically," says Sue Carioti, ASIS vice president of Certification, Standards, and Guidelines. "The ASIS Standards and Guidelines Commission understands and recognizes that change is necessary on multiple levels. 
To that end, the commission took purposeful steps to broaden its membership composition as well as to institute a new and formal membership application process."</p><p>The 2018 Commission on Standards and Guidelines consists of:</p><p>•             Chair Bernard Greenawalt, CPP, Securitas Security Services USA</p><p>•             Vice Chair Eugene Ferraro, CPP, PCI, ForensicPathways, Inc.</p><p>•             Charles Baley, Farmers Group, Inc.</p><p>•             Bruce Braes, CPP, Jacobs</p><p>•             Darryl Branham, CPP, Avnet</p><p>•             Herbert Calderon, CPP, PCI, PSP, CCM2L</p><p>•             Robert Carotenuto, CPP, PCI, PSP, New York Botanical Garden</p><p>•             Werner Cooreman, CPP, PSP, Solvay</p><p>•             Michael Crane, CPP, Securisks</p><p>•             Michael Cummings, CPP, Cummings Security Consulting, LLC</p><p>•             William Daly, Control Risks</p><p>•             David Dodge, CPP, PCI, David Dodge & Associates</p><p>•             Lisa DuBrock, Radian Compliance</p><p>•             Tommy Hansen, CPP, Petroleum Safety Authority</p><p>•             Glen Kitteringham, CPP, Kitteringham Security Group</p><p>•             Ronald Lander, CPP, Ultrasafe Security Solutions</p><p>•             Bryan Leadbetter, CPP, Arconic</p><p>•             Ronald Martin, CPP, Open Security Exchange</p><p>•             Juan Muñoz, CPP, Associated Projects International</p><p>•             Angela Osborne, PCI, Guidepost Solutions</p><p>•             Werner Preining, CPP, Interpool Security</p><p>•             Malcolm Reid, CPP, Brison</p><p>•             Jeffrey Slotnick, CPP, PSP, Setracon Enterprise Security Risk Management Services</p><p>•             J. Kelly Stewart, Newcastle Consulting</p><p>•             Timothy Sutton, CPP, GHG Management, LLC</p><p>•             John Villines, CPP, PCI, PSP, John C. 
Villines LLC</p><p>•             Roger Warwick, CPP, Pyramid Temi Group</p><p>•             Allan Wick, CPP, PCI, PSP, Tri State Generation & Transmission</p><p> </p><p>The new commission holds a diverse range of security expertise. Its 28 members represent eleven countries. Twenty members are new to the commission in 2018, although 21 have served on past technical committees. Furthermore, 24 are ASIS board certified, and 11 are involved with ASIS councils.</p><p>In 2018, the commission will consider the restructure of Standards and Guidelines programs; form static technical committees to address core security risk management discipline areas; review existing standards and guidelines with an emphasis on relevancy and gap analysis; chart a path forward to begin development of tools, guides, and handbooks; and increase integration in knowledge and learning.</p><p>Three technical committees remain busy in 2018, continuing their work developing standards in the areas of security awareness, private security officer selection and training, and workplace violence prevention and intervention.​</p><h4>Lifetime Members</h4><p>John Sullivant, CPP; Larry K. Stanley, CPP; and Michael J. Fagel have been granted lifetime membership to ASIS. </p><p>Sullivant has been a dedicated member for 31 years and has served as chapter chair, vice chair, and membership chair for the Granite State Chapter. He also authored two published articles in Security Management: "Is America Prepared for Today's Threat?" and "Successful Project Planning."</p><p>Stanley has been a regional vice president, an assistant regional vice president, and a member for 25 years. He also served as chair of the Central West Virginia Chapter.</p><p>Fagel has served on the ASIS School Safety and Security Council, the Fire and Life Safety Council, and the Food Defense and Agriculture Security Council. He was presented with the inaugural ASIS Security Book of the Year Award at the 60th Annual Seminar and Exhibits. 
Fagel has been an ASIS member since 1982.​</p><h4>Lifetime Certifications</h4><p>The following security professionals have been awarded lifetime certification status. </p><p>•             Andre P. Firlotte, CPP</p><p>•             Rickey Gene Nelson, CPP</p><p>•             Joseph F. Frawley, Jr., CPP</p><p>•             Norman B. Taylor, CPP</p><p>•             Bruce R. Sullivan, CPP</p><p>•             Robert Chicarello, CPP</p><p>•             Mary M. Vavra, CPP</p><p>•             William R. Bogett, CPP</p><p>•             Kirk A. McGee, CPP</p><p>•             Mary M. Vavra, PSP</p><p>•             Huan Chiang Lee, PSP​</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Facility Manager's Guide to Safety and Security</em>. By John Henderson, CPP. CRC Press; crcpress.com; 270 pages; $79.95.</p><p>In many smaller organizations—and those focused on cost-cutting—the facility leader may be tasked with overseeing the company's security function. Professionals in this field often come from engineering or mechanical backgrounds, and they may possess limited knowledge and skills relating to the protection of an organization's physical assets. Author John Henderson, CPP, wrote <em>The Facility Manager's Guide to Safety and Security</em> to address that knowledge gap.</p><p>The author drills into fundamental security concepts, explaining not just what to do, but describing the goal of the task—for example, deterrence, incident response, guard force management, and even crime prevention through environmental design (CPTED). Overall, the book serves as a practical handbook for securing any building, with starting points and programs to steer the manager along the way.</p><p>The text guides the reader through the process of conducting a security assessment, determining a facility's needs, and applying practical solutions. Specific areas of security addressed are lighting, access control, fencing, and fire/life safety. 
Although targeted towards those who manage buildings for their organizations, the text can serve as a practical guide and overview of physical security for anyone in the industry. </p><p>One excellent section in the book is titled "Not Much Happens Around Here." It addresses the complicated issue of convincing executives to spend dollars on costly security initiatives when the consensus is that there are no real concerns. It is always difficult to measure security's effectiveness when statistics don't indicate true security needs. The author points out that conversations with employees can often provide a clearer picture of concerns and needs. </p><p><em>The Facility Manager's Guide</em> will serve as a valuable tool for leaders new to the responsibility of providing an overall safe and secure environment.</p><p><em><strong>Reviewer: Michael D'Angelo, CPP, </strong>is the principal and lead consultant for Secure Direction Consulting, LLC, a Florida-based independent security consulting firm. He served on the South Miami, Florida, Police Department for more than 20 years, retiring as a major. He currently serves on both the ASIS Healthcare Security Council and the ASIS Transitions Ad Hoc Council.​</em></p><h4>CHAPTER ANNIVERSARIES</h4><p>Congratulations to chapters celebrating milestone anniversaries in the last quarter of 2017.</p><p><strong>40th Anniversary</strong></p><ul><li><p> Texas Gulf Coast<br></p></li><li><p> Greater Lexington<br></p></li></ul><p><strong>15th Anniversary</strong></p><ul><li> Southwestern Ontario<br></li></ul><p>​  ​</p>
https://sm.asisonline.org/Pages/Containment-Strategies.aspxContainment StrategiesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>More than 200 labs in the United States conduct research on hazardous pathogens, such as anthrax bacteria and the Ebola virus. These are called high-containment laboratories. Sometimes, security lapses occur.</p><p>For example, in May 2015, the U.S. Department of Defense (DoD) discovered that a DoD laboratory had inadvertently shipped live anthrax bacteria to nearly 200 other laboratories worldwide over the course of 12 years. </p><p>Then in late 2016, the U.S. Department of Homeland Security (DHS) discovered that a private laboratory had inadvertently sent a potentially lethal form of ricin to one of its training centers multiple times since 2011. (For more background on lab safety breaches from Security Management, see "Lax Lab Safety," November 2014.)</p><p>Given these lapses, the U.S. Government Accountability Office (GAO) recently examined the oversight of these labs. Under the current system, high-containment laboratories are regulated by the Federal Select Agent Program, which was established to regulate the use and transfer of select agents in response to security concerns following bioterrorism attacks in the 1990s and early 2000s. </p><p>Two agencies share oversight responsibilities for this program: the Division of Select Agents and Toxins in the Centers for Disease Control and Prevention (CDC) and the Agriculture Select Agent Services within the U.S. Animal and Plant Health Inspection Service (APHIS). 
</p><p>To measure oversight, the GAO formulated five key elements of effective oversight for programs where low-probability adverse events (such as a toxic spill) could have far-reaching effects.</p><p><strong>Independence.</strong> The organization conducting oversight should be structurally distinct and separate from the entities it oversees.</p><p><strong>Ability to perform reviews.</strong> The organization should have the access and working knowledge necessary to review compliance with requirements.</p><p><strong>Technical expertise. </strong>The organization should have sufficient staff with the expertise to perform sound safety and security assessments.</p><p><strong>Transparency.</strong> The organization should provide access to key information, as applicable, to those most affected by operations.</p><p><strong>Enforcement authority. </strong>The organization should have clear and sufficient authority to require that entities achieve compliance with requirements.</p><p>The GAO's report focused on two questions. Does the Select Agent Program have effective oversight, and do strategic planning documents guide its oversight efforts? What approaches have other selected countries (such as the United Kingdom and Canada) and regulatory sectors used to promote effective oversight?</p><p>On the first count, the GAO found that the Select Agent Program's oversight is sometimes inadequate. For example, the program is not always structurally distinct and separate from the labs it oversees, so it does not fulfill the key component of independence. </p><p>The program also fell short in the area of performing reviews, the GAO found. There was no assurance that the program's reviews were targeting the highest-risk activities because the program had not assessed which activities pose the highest risk. 
In addition, the program does not have joint strategic planning documents, including a joint workforce plan, to guide its shared oversight efforts.</p><p>On the second count, the report found that the program could learn from other countries when it came to oversight.  </p><p>For example, the United Kingdom's Health and Safety Executive, which oversees laboratories that work with pathogens, is an independent government agency, distinct from any of the labs it oversees.</p><p>And when it comes time for reviews, regulators in both the United Kingdom and Canada apply a risk-based approach by assessing laboratories, and then targeting those that conduct higher-risk activities or have a documented history of performance issues. </p><p>In response to the report, the U.S. Departments of Agriculture and Health and Human Services will outline actions they will take to improve oversight.   ​</p>
https://sm.asisonline.org/Pages/Spot-the-Shots.aspxSpot the ShotsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Solving a shooting means more than just catching the person who fired the gun. Shell casings left by gunfire often give important clues to investigators, who can trace the casing back to the weapon used to fire it.</p><p>So, when the Denver Police Department deployed shot-spotting technology in its districts with the most gunfire, the department knew it had an opportunity to add to its investigative abilities. </p><p>"When cops go to the scene of a shooting, they are fairly certain there are shell casings in that area, so they try to find them, rather than just rolling by," says Lieutenant Aaron Sanchez of the Denver Police Department. "Because ShotSpotter triangulates to about nine to 25 meters from where the gunshots were heard, the officers go to that specific point, work their way out a little bit, and then recover those shell casings," he says. </p><p>Detectives can merge the shell casing number with information from the U.S. National Integrated Ballistic Information Network (NIBIN), which tracks weapons usage. Denver's police department has a program with the U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) to submit NIBIN numbers to federal law enforcement.<img src="/ASIS%20SM%20Callout%20Images/0218%20Case%20Study%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:545px;height:236px;" /> </p><p>"NIBIN is basically the fingerprint of a gun," Sanchez explains. "We set up an entire protocol on how to search for, recover shell casings, and separate them in case there's a couple different weapons, and how to place those into evidence so they go to our ATF contractors." </p><p>ATF then provides Denver police with more information on where that weapon's shell casings have previously been recovered. 
"We can place that gun at the shooting, and that information goes to whatever investigative team needs it." </p><p>ShotSpotter works by detecting gunfire, which has to hit three different audio sensors installed around the monitored area. When the correct succession of sensors goes off, a ShotSpotter technician reviews the audio to verify it is indeed gunfire. The technician then tells police that there have been shots fired, and an alert is sent out to officers on patrol. </p><p>The department's data analysis unit identified the three geographical areas in Denver where gunfire, 911 calls related to gunshots, and gang violence are the highest. ShotSpotter was installed in those three neighborhoods in January 2015, April 2016, and August 2016, respectively. In January 2018, the department expanded the technology to a fourth neighborhood. </p><p>ShotSpotter sent engineers to install the sensors in the appropriate areas. "ShotSpotter goes throughout the community, and it tries to put the sensors on public locations, but from time to time we have to go into a neighborhood and ask people to put them on their houses," Sanchez says, noting the community was relatively receptive to the installations. "We thought it was going to take time, but within about two days, we had the houses that we needed." </p><p>Even the timing and succession of gunfire have played a role in bringing criminals to justice. ShotSpotter stores the recordings so that investigators can look back as long as the technology has been around. This helped Denver police solve a crime that was close to being ruled as self-defense, Sanchez says.</p><p>At a family gathering in a Denver neighborhood, a man shot another man, who died. The man who survived claimed it was in self-defense, saying he had just been shot moments before by the victim. Homicide detectives knew ShotSpotter was installed in that part of the city, and decided to pull the audio to verify the man's story. 
</p><p>"So what they hear when they pull out ShotSpotter is one shot fired–boom–that's the shot that shoots the first victim," Sanchez says. "There's then a five-minute gap, and then there's shots fired again." </p><p>Investigators were able to piece together that after being shot, the man had actually left the gathering to obtain a weapon. He came back, and killed the victim. "So now there's premeditation. It wasn't self-defense, and the only way homicide knew that was the differential in time," Sanchez notes. "We brought back all the witnesses who said 'yes, that's the way it happened.'" </p><p>Denver police have access to a mobile app from ShotSpotter available on the iTunes store and Google Play. The app alerts officers when there are shots fired and displays the location on a map. A report view allows officers to review incidents from the last 24 hours, three days, or seven days and listen to the audio. "If the ShotSpotter app is on their phone, officers are getting that information within 30 to 45 seconds from the time shots were fired," Sanchez notes. </p><p>ShotSpotter also keeps a historical record of all gunfire since the time the technology was installed. In one case, a man growing marijuana on his property was arrested for shooting two youths who were trespassing. A witness made the remark that the shooting was "just like last year." Using ShotSpotter's historical record and investigating further, police were able to trace yet another shooting back to the same gunman.  </p><p>In rare cases the technology picks up on a false alert that isn't truly gunfire, like the time a local man set off a propane bomb. In one homicide case, the gunshots set off several sensors when the noise echoed through a canyon, but failed to triangulate. "The sensors picked up the shooting for a mile and a half, but not just three sensors–a whole bunch of sensors," Sanchez notes. The homicide unit was still able to use that information in its investigation. 
</p><p>Sanchez emphasizes that ShotSpotter combined with other investigative tools is what helps the department solve crimes. "When you just take ShotSpotter for what it is, it detects gunshots…So we're using the technology as part of a bigger investigative strategy."</p><p><em>For more information: Jane Soderberg, jsoderberg@shotspotter.com, www.shotspotter.com, 720.361.6866 ​</em></p>
https://sm.asisonline.org/Pages/A-Cyber-Pipeline.aspxA Cyber PipelineGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​​It was a tense moment. Twenty minutes before taking the stage at the 2016 RSA Conference in San Francisco, U.S. Secretary of Defense Ash Carter had signed an agreement to create the first U.S. government bug bounty program.</p><p>"I was sitting in the front row there, just shaking my head and praying everything would work out the way it was supposed to," says Lisa Wiswell, former U.S. Department of Defense (DoD) bureaucracy hacker who oversaw the bug bounty program.</p><p>And work, it did. Dubbed "Hack the Pentagon," the program allowed 1,400 security researchers to hunt down vulnerabilities on designated public-facing DoD websites. More than 250 researchers found and reported those vulnerabilities to the DoD, which paid them a total of $150,000 for their efforts.</p><p>"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," Carter said in a statement. </p><p>Based on the program's success, the DoD launched "Hack the Army" in 2016, followed by "Hack the Air Force" in 2017, to continue to address security vulnerabilities in its systems. 
This method of crowdsourcing cybersecurity is one that many organizations are turning to as they continue to struggle to recruit and retain cyber talent.</p><p>According to the most recent Global Information Workforce Study, the cybersecurity workforce gap is on pace to increase 20 percent from 2015—leaving 1.8 million unfilled positions by 2020.</p><p>"Workers cite a variety of reasons why there are too few information security workers, and these reasons vary regionally; however, globally the most common reason for the worker shortage is a lack of qualified personnel," according to the report's findings. "Nowhere is this trend more common than in North America, where 68 percent of professionals believe there are too few cybersecurity workers in their department, and a majority believes that it is a result of a lack of qualified personnel."</p><p>To help address this issue, study respondents reported that more than one-third of hiring managers globally are planning to increase the size of their departments by 15 percent or more. However, the report found that historically, demand for cybersecurity talent has outpaced the supply—which will continue to exacerbate the current workforce gap if the trend continues.</p><p>"It is clear, as evidenced by the growing number of professionals who feel that there are too few workers in their field, that traditional recruitment channels are not meeting the demand for cybersecurity workers around the world," the report explained. 
"Hiring managers must, therefore, begin to explore new recruitment channels and find unconventional strategies and techniques to fill the worker gap."</p><p>One technique to fill the worker gap is being used by the FBI, which has a long history of workforce training and development to keep agents—and Bureau staff—at the top of their game to further its mission.</p><p>In an appearance at ASIS 2017, FBI Director Christopher Wray explained that the Bureau has created a training program to identify individuals with cyber aptitude and train them so they have the skills necessary to identify and investigate cybercrime.</p><p>"We can't prevent every attack or punish every hacker, but we can build our capabilities," Wray said. "We're improving the way we do business, blending traditional techniques, assigning work based on cyber experience instead of jurisdiction, so cyber teams can deploy at a moment's notice."</p><p>In an interview, Assistant Section Chief for Cyber Readiness Supervisory Special Agent John Caliano says the FBI is looking internally to beef up all employees' cyber abilities.</p><p>"There is a notional thought that all the cybersmart people are in the Cyber Division," he adds. "There are a lot of very talented people outside the Cyber Division, some have worked in other areas…the goal is to start to pick up in the investigative realm and lift the abilities of all employees, so they have a basic understanding of cyber and digital threats today."</p><p>To do this, the FBI has employees undergo a cyber talent assessment which looks at the skill sets they brought with them when they were hired, the skills they have learned on the job, and their aptitude for formalized and informalized training on cybersecurity and technology. </p><p>The FBI then sorts employees into three categories: beginners, slightly advanced, or advanced. 
Employees are then sent to outside educational courses, such as those provided by the SANS Institute or partnering universities, to learn more about cybersecurity and bring that knowledge back to the FBI. The FBI also works with the private sector to embed employees to teach them specialized skills, such as how SCADA networks operate.</p><p>In 2016, Caliano says, the FBI identified 270 employees for cyber training who were not part of the Cyber Division. Approximately two-thirds of those employees were categorized as beginners at the outset, and Caliano says the Bureau plans to continue the assessments and training for the foreseeable future.</p><p>And for its specialized teams, the FBI is continuously developing in-house training that will eventually be offered to the entire FBI. </p><p>"One day, all FBI employees will take these courses and pass these courses," he says. "People will understand what depth and defense mean, how to secure networks, and trace IP addresses."</p><p>These specialized teams include its Cyber Action Team (CAT), which is made up of employees who deploy when a major cyber incident occurs. For instance, when the Sony hack occurred in 2013 the initial FBI response team had a few members who were also CAT members who were sent to the scene.</p><p>Once the FBI became aware of the severity of the incident, it sent a full CAT to Sony's headquarters to sit with the network operators to comb through their logs to see how the attack spread.</p><p>While this training provides professional development opportunities to current employees, the FBI is also focused on identifying future talent that can be recruited into the FBI. 
</p><p>"We can't compete with dollars, but we can compete on mission," Caliano says, adding that the FBI often gets to look at cyber threats and address them in a way that the private sector does not, providing employees a "deeper sense of fulfillment."</p><p>To attract talent, the FBI has a variety of initiatives including an Honors Intern Program open to all college students. It also has a postgraduate program where the FBI will pay for a graduate or doctoral student's degree. It's also reaching out to students at the high school level through its Pay It Forward program, which engages students in math, science, and technology who might show cyber aptitude.</p><p>"We are, as a workforce planning objective, training at schools—driving down to the high school level," Caliano tells Security Management.</p><p>Another new recruiting channel has been championed by Wiswell since she left the DoD in 2017. After leaving the public sector, she went to work at GRIMM, a cybersecurity engineering and consultant firm, as a principal consultant. One of her main responsibilities is to oversee its GRIMM Academic Partnership Program that runs the HAX program.</p><p>Through HAX, undergraduate cybersecurity clubs can participate in friendly competitions and gain hands-on cyber experience. GRIMM has partnered with Penn State University at Altoona's Security Risk Analysis Club and Sheetz Entrepreneurial Fellows Program, the Michigan Technological University (MTU) Red Team, George Mason University Competitive Cyber Club, and the Rochester Institute of Technology's Rochester Cybersecurity Club.</p><p>Throughout the academic year, participants in HAX break into teams to complete programs designed by GRIMM engineer Jamie Geiger that are similar to computer Capture the Flag challenges. 
While participants have the option to compete individually, Wiswell says she encourages students to create a team to hone their communication skills.</p><p>"A lot of this field has an individualist focus a lot of the time, and what's really needed is the ability to communicate well, both up and down, to work well on teams, and to have effective analytical skills," she explains. "The kinds of things that you learn well by doing these kinds of team-based challenges."</p><p>GRIMM chose these programs in particular to create a talent pipeline for the company, which has offices in the Washington, D.C., area and in Michigan—near two of the universities it's partnered with. By engaging college students through HAX, GRIMM hopes to create a talent pipeline and increase diversity on its own staff.</p><p>"HAX is an effort to do both those things," Wiswell says. "We are kind of do-gooders on one hand. If folks that are participating in the program have no interest in coming to work for GRIMM, that's fine. We just hope that they use their talents and go somewhere."</p><p>That's why the challenges and the experience to connect with people working in cybersecurity are important, according to Wiswell, because it helps students make informed decisions about what they would like to do after graduation.</p><p>"We're trying to think outside the box in ways that students feel very well rounded, so students can make decisions on what sliver of this workforce is most interesting," Wiswell says, explaining that current challenges are focused on Linux and Microsoft systems, but in the future, might include hardware and other areas. 
</p><p>And to gain even more experience before graduation, Wiswell says she encourages students to take part in bug bounty programs to get connected to companies that might one day hire them.</p><p>"If you already have a lot of good skill and you're trying to hone skill—and make some cash—we think that bug bounty programs are a great way to do that," Wiswell explains to Security Management. "GRIMM is partnered with a couple bug bounty as a service providers to help them get in a broader group of individuals who are interested in participating, as well as companies that could benefit from hosting bug bounties themselves."</p>
https://sm.asisonline.org/Pages/Opening-Up.aspx
Opening Up
National Security
<p>The research arm of the U.S. Department of Homeland Security (DHS) needs your help—and it is not afraid to open up about those needs. In a new industry guide, the Science and Technology Directorate (S&T) outlines its six key mission areas and details where its technology is lacking.</p><p>Moreover, the document serves as a call to action to the private sector for its help in discovering and developing technology that will help DHS tackle some of its biggest challenges.</p><p>DHS Senior Industry Advisor Kathleen Kenyon acknowledges that this isn't the first time DHS has reached out to the private sector for help in developing new technologies for government use, but this time around, officials are being more specific—and transparent—about the types of advancements they are willing to invest in.</p><p>"In the past, when we've talked to the private sector, many asked us what we need, and when, and how," Kenyon says. "This time, we took a concerted effort to go into a little more detail, to really explain to industry not only what we need but where we're investing our dollars and the types of technology we are looking for."</p><p>Technology-sharing partnerships between DHS and the private sector have long faced challenges due to slow procurement processes, cancelled contracts, and a lack of detailed communication about exactly what S&T is willing to invest in. The directorate is stepping up its efforts to build a bridge between the public and private sectors—in addition to the industry guide, it's conducting online and in-person outreach efforts. New contract rules that shorten application response times, as well as programs reaching out to nontraditional partners, take away some of the pain associated with working with the government. 
</p><p>One such effort is the Silicon Valley Innovation Program, which allows startups to apply for a contract and receive government feedback more quickly—many contracts are issued within 10 days, Kenyon says, allowing companies to make investment decisions early on.</p><p>"I do understand the industry's hesitancy to work with the government—we hear that quite a bit—so we want to take that information and translate it into ways that we can be more agile," Kenyon says. "We're trying to be a little quicker when it comes to working with us—speeding up deals and money and how we work and brainstorm together."</p><p>Kenyon stresses that public-private partnerships will be mutually beneficial, allowing private organizations access to government funding and business. Additionally, Kenyon notes that the industry is only as secure as the government, so a more capable public sector means stronger business. </p><p>"Industry leaders like those in ASIS are security professionals who are looking to secure their company and contribute to the larger effort of securing the nation," Kenyon says. "We want to make sure we are really reaching those who can be impactful in their own organizations to help secure the nation."</p><p>S&T's industry guide serves as a touchstone for the private sector and names six mission areas: securing aviation, securing borders, preventing terrorism, protecting from terror attacks, securing cyberspace, and managing incidents. Additionally, the document outlines the types of solutions it seeks from industry partners: future innovations, near-term capabilities, and new applications of existing technologies. </p><p>"The vast majority of what we're looking at is going to be near-term or adapting in some way existing technology, because we have urgent needs right now that our homeland security operators need to have in use and be out in the field," explains Melanie Cummings, deputy director of private-public partnerships. 
"We know there's a lot of low-hanging fruit out there in terms of sensing and detection technologies that might not be an exact fit for a particular application, but we can modify and combine some things to get them out on the streets."</p><p>This most recent push by DHS S&T to make meaningful connections with private sector manufacturers comes at a time when corporations are far outpacing the government in terms of research and development, Kenyon explains. Additionally, agencies are more often turning to off-the-shelf solutions, and Kenyon envisions a type of marketplace that would allow companies to tweak these solutions to perfectly fit governmental needs, as they would for any client.</p><p>"The private sector is far outpacing us when it comes to research and development and spending billions of dollars more than we are on it, and in some cases they're ahead of us," Kenyon says. "How do we tap into that knowledge base and technology development so that the technology they're developing can also be used by DHS?" </p><p>Kenyon describes the marketplace as one where a product could be used by U.S. Customs and Border Protection agents and commercial companies alike. The U.S. Department of Defense (DoD) has done this successfully for decades, she notes, but DHS's breadth and people-based agencies require more specific products.</p><p>"We have a much more diverse mission set, and that requires us to explain better to our customers and technology developers, and those who also commercialize technology and put it in the marketplace, what our needs are," Kenyon says.</p><p>Donald Zoufal, CPP, an independent consultant with CrowZnest Consulting, Inc., says S&T's efforts are a long time coming—and seem promising.</p><p>"There's always been a lack of communication, particularly on the government side, in terms of clearly articulating what its priorities are," Zoufal tells Security Management. 
"We don't know what the requirements and priorities are, so it's hard for us to attune our R&D initiatives to meet those requirements. I think this is a really positive step—it's recognition by the government that if they're more clear in providing direction about where they want to put their money, the market will positively respond to that. A lot of times DHS has paid lip service to the notion of partnership, but I see this as a really concrete effort to try to move that forward."</p><p>Zoufal worked at Chicago's Department of Aviation in the early 2000s and said the S&T industry guide touches on challenges he saw in airports—the upgrading of aviation security technology after 9/11 and the off-the-shelf purchases local agencies made to try to solve urgent problems in security.</p><p>"In a nutshell, this addresses a longstanding set of concerns that go back to when I was a security director at O'Hare and Midway, seeing big technology issues as inline baggage screening was brought in to replace other machines," Zoufal explains. "This cooperative spirit is much needed and will benefit the industry in being able to understand the direction the government wants to go in, but also for government to understand that there may be other technologies out there that are able to help."</p><p>S&T is looking ahead, too. The industry guide details its research and development investment outlook through 2021, outlining specific technologies it hopes to invest in.</p><p> "We really want to look at and be aware of what's coming over the horizon, what technologies will be in place in five to 10 years, that are either going to change the way we operate, or that might potentially become threats to the homeland," Cummings notes. 
</p><p>However, some private sector organizations may be wary of working with the government to develop an idea from the ground up, Zoufal says.</p><p>"Part of the problem with working with the government is that as administrations change, priorities change, so the current priorities may not be the same if there's an administration change in three years," Zoufal explains. "When you think about R&D and the investment of time, money, pace, and the lag to develop a new product, it's a dedicated effort. Businesses tend to plan in long-term strategies, and the government may talk in those terms but oftentimes doesn't plan as well. Better communication will help with that."</p><p>Zoufal, who also teaches a course about homeland security technologies at the University of Chicago, says that the industry guide seems to be a sign of an attitudinal shift at DHS to connect with the private sector. However, the success of the outreach lies in the follow-through, he says.</p><p>"This part is the easy part—information sharing on the front end, brainstorming, discussing it," Zoufal explains. "But at the end of the day, the part of this process that will be the most challenging is addressing technology issues in the procurement cycle. Having technology tested and procured and fielded is the part that's probably more bedeviling than general intelligence about what they are looking for."</p><p>Cummings says that S&T has already begun committing resources to show the private sector that the partnership will be a successful one—from start to finish.</p><p>"We're putting a lot of our programs and non-R&D dollars into making sure that the technologies that we're developing are getting out in the field and being commercialized for those operators and end users who primarily buy in the commercial market," Cummings explains. 
"Beefing up commercialization, our transfer program, and working with the private sector manufacturing and distribution channels are priorities for us over the next fiscal year."  ​</p>
https://sm.asisonline.org/Pages/How-to-Learn-from-Las-Vegas.aspx
How to Learn from Las Vegas
Physical Security
<p>The Las Vegas massacre on October 1, 2017, surpassed the 2016 Orlando Pulse Nightclub tragedy as the deadliest mass shooting in recent U.S. history. Fifty-eight people lost their lives and hundreds were injured when a gunman rained down automatic weapon fire from the 32nd floor of a hotel suite on concertgoers below.</p><p>Months later, investigators are still struggling to piece together a motive for the tragedy. They classify the shooter as a nondescript, wealthy retiree who spent tens of thousands of dollars gambling at casinos on the very strip he attacked. But these clues offer little insight as to why he would carry out such a deadly rampage. </p><p>In the wake of the tragedy, security professionals must grapple with the known facts surrounding the event, and investigators continue to revise the timeline of events as details emerge. However, as reported by CBS News, the assailant managed to take nearly two dozen weapons contained in luggage to his room via a freight elevator in the Mandalay Bay Resort and Casino.</p><p>A do not disturb sign hung on the door of his suite for 72 hours after he reportedly checked into the hotel on September 28. He shot out of two windows from the hotel tower after shattering them with a hammerlike device, according to The New York Times. </p><p>The assailant also shot a hotel security guard, who was responding to an open-door alarm on the same floor, around the time he began firing on the crowd.</p><p>Whether or not the hotel and Live Nation Entertainment, Inc.—the event company hosting the concert—met their legal duty of care during these circumstances has yet to be determined, and several lawsuits have been filed by victims. 
</p><p>Difficult questions regarding security have been raised by the shooting, including whether hotels should apply airport-style screening measures to guests as they enter the property, and whether it's possible to spot suspicious behavior in guests before an incident occurs.</p><p>As investigators continue to probe into the specifics of the massacre, hospitality, event, and gaming security experts all agree: While the circumstances in the Las Vegas shooting are unlikely to happen the exact same way again, the event underscores the importance of having strong security policies and procedures, staff training, and appropriate technological tools to combat future threats.</p><p><strong>Event safety. </strong>The October shooting ravaged a section of the Las Vegas strip called Vegas Village, which has become a popular spot for festivals and other live events. The gunman attacked concertgoers at the sold-out Route 91 Harvest Festival, which featured country music performers. The event was growing in popularity, and attracted about 25,000 people a day last year, the Los Angeles Times reported. </p><p>Steven Adelman is an attorney at Adelman Law Group, PLLC, and vice president of the Event Safety Alliance, a nonprofit he helped form after a stage collapsed at the Indiana State Fair in 2011, killing seven people. He emphasizes that the Las Vegas shooting and the circumstances surrounding it are unlikely to repeat themselves, and calls the incident a "black swan" event. </p><p>"A black swan is a highly unusual, impactful event—and in retrospect people suddenly think it was inevitable," Adelman says. "Las Vegas fits that profile. There had never been a shooting at a live event venue from a great elevation or from an adjacent building."  
</p><p>While the University of Texas clocktower shooting in 1966 in Austin closely resembles the Las Vegas attack in the positioning of the shooter, experts say it does not make what happened from the 32nd floor of the Mandalay Bay Hotel and Casino foreseeable. </p><p>"If we had been talking on September 30, the day before this happened, and you had asked me what the most reasonably foreseeable threat at a live event space is, based on what's happened over the last year…it probably would have involved a truck," he says, referencing the vehicular terrorist attacks that have occurred in cities including Barcelona, New York City, and Stockholm. </p><p>While Vegas may not have been preventable, Adelman underscores the best practices that can be applied to event safety moving forward. </p><p>"When there is an adjacent building to a live event, where someone potentially has a perch over a site where people are gathered, law enforcement and security should have eyes on that building," he notes. "In fact, the smarter trend, if it's in one's control, is to just clear the building." </p><p>At a major event in Phoenix just weeks after the shooting, event organizers did exactly that. Law enforcement cleared a nearby parking structure and used the building to have a crow's nest vantage point over the event. </p><p>"That's the kind of positive learning experience that can be applied from a horrific event like the Vegas shooting," Adelman adds.</p><p>Also, having a no-weapons policy is a simple way to at least deter people carrying guns, Adelman says, but he concedes that enforcing that policy is another matter. When possible, event organizers should limit the points of ingress and egress for attendees, and deploy magnetometers at each of those points. </p><p>"Make sure that applies equally to the production people, and even the talent who are doing set-up," he adds. 
"Make sure the artists and their entourage all go through these magnetometers and security guard scrutiny while we're at it, because they can have weapons, too." </p><p>Adelman adds that the special event industry could spend all its time and resources focusing on trying to prevent black swan events, and he emphasizes that the key is to triage the reasonably foreseeable risks. </p><p>"You should spend your finite amount of resources addressing the risks that are most likely to happen at whatever venue or event it is that one is talking about," he says. "That's the reasonable thing to do." </p><p><strong>Hotel security. </strong>There is no one-size-fits-all approach for hotels when it comes to their security programs, says Russell Kolins, chair of the ASIS International Hospitality, Entertainment, and Tourism Security Council. </p><p>"Each hotel has its own culture of management, its own corporate attitude, so each hotel is going to address its properties differently than their neighbors next door," Kolins adds. </p><p>This means that each property or hotel chain must constantly reinforce whatever safety protocols it has in place across management, staff, and guests. </p><p>Many hotel properties have policies on weapons, which vary from state to state. Nevada is an open-carry state, though most casinos don't allow patrons carrying a gun to enter the property. Hotels have typically allowed hunters with weapons permits to carry guns to their rooms or store them in lockers. Kolins says a weapons check would have to be conducted on every guest and bag to enforce these policies. </p><p>"If someone wants to get a weapon up to their room, they are going to do it, unless you're inspecting every single bag and every single piece of luggage, including clothing bags," Kolins says. "It's not going to be absolutely controlled." </p><p>Technology already plays a major role in hotels, says Stephen Barth, a professor of hospitality law at the Conrad N. 
Hilton College of Hotel and Restaurant Management at the University of Houston. </p><p>"Hotels employ a variety of technological measures to enhance security and the smooth flow of business for guests," he says. "We've got significant technology that's helped a lot—being able to track guests that go in and out, making sure a key is changed from guest to guest."</p><p>Barth, founder of hospitalitylawyer.com, argues that adding on more technology for security purposes wouldn't necessarily be rejected by guests, if it's obvious it keeps them safer. </p><p>"Technology for sure needs to be involved in these conversations," he says. "What if every hotel window had a sensor on it so that if the glass was broken, the hotel would know immediately what floor and which room it was in?" </p><p>Management may hesitate initially to go to such measures, but Barth argues that security should keep it in mind as a possible option. "There's going to be resistance, no doubt, but it does seem to me that there is potential," he says. </p><p><strong>Training. </strong>Security experts agree that hotel staff, including housekeeping, engineers, bellhops, and front desk workers are the most likely ones to observe unusual behavior among guests. </p><p>Therefore, training those workers thoroughly and consistently will help reinforce what they can look for as suspicious or possibly harmful behavior. </p><p>"There needs to be ongoing training, so that there is an awareness given to the employees to be the actual eyes and ears for security and management of a property," Kolins says. </p><p>While metal detectors and individual bag checks may be a far-flung approach, staff can be trained on behavioral cues to look for in guests, such as the way someone walks when they may be carrying a weapon. 
</p><p>"I think the trend now for all the hotels is going to be to take the See Something, Say Something campaign and make it effective," says Darrell Clifton, CPP, executive director of security at Eldorado Resorts in Reno, Nevada, and a member of the ASIS Hospitality, Entertainment, and Tourism Security Council. "Right now it's kind of a shotgun approach. If it's working right, you get 10,000 pieces of data and 9,999 of them are useless, and it's hard to comb through all that."  </p><p>Instead of just repeating the See Something, Say Something mantra, he says that managers should sit down with employees and tell them exactly what to look for, and what to do with that information. </p><p>"Frankly, the housekeepers know what's suspicious better than I do because they see all the different people that come into the hotel," Clifton notes. "They know what looks right and what doesn't look right." </p><p>When it comes to room inspections, Kolins suggests hotels conduct safety checks at least every other day, even if a do not disturb sign is on the door. These check-ins give hotel staff the opportunity to verify that the various sensors in the room are operating properly, such as smoke detectors and carbon monoxide monitors.</p><p>"I think the biggest change with that will be reinforcing that policy, more than creating a new one, for most hotels," Clifton notes, adding that most hotels have policies to check rooms every other day or more often, but have not enforced them consistently. </p><p>As of January, four Disney hotel properties had done away with the do not disturb sign, The New York Times reported, swapping it out for a "room occupied" sign and alerting guests that staff may check on the room. In December, Hilton revised its policy to still allow the signs but will conduct a staff-led alert system if it stays up for more than 24 hours. 
</p><p>The data collected at these check-ins, as well as any other security concerns reported to management, should all be kept in a log. </p><p>"The security industry is data-driven, and it's very important to record anything that gets reported," Kolins notes. "And on a periodic basis, whether it's a weekly basis or bimonthly basis, the reports should be part of an incident log." </p><p>Down the road, these data points can be connected and lead to an impending threat or other incident, he says. </p><p><strong>Duty of care.</strong> The Las Vegas shooting raises the question of duty of care—the reasonable level of protection a venue is legally obligated to provide its guests—and whether or not Mandalay Bay and Live Nation met that standard. </p><p>A victim who survived the shooting has already filed a lawsuit, and there is the potential for more litigation. In the suit filed against MGM, which owns Mandalay Bay, the plaintiff argues that the hotel failed to "maintain the Mandalay Bay premises in a reasonably safe condition," according to court documents. </p><p>From a legal standpoint, Adelman says the hotel property or venue hosting an event has an obligation to provide a reasonably safe environment for its guests under the circumstances.</p><p>Experts say a number of factors come into play in the legal process, including whether the hotel followed its own security policies and procedures. </p><p>"I think most juries and most judges would argue, at least until now, that the event was not foreseeable in the United States," Barth says.</p><p>Given the fact that the shooter brought in a cache of weapons and fired from a hotel suite, Barth says the property's policies and procedures will come into question. </p><p>"Responding to a particular incident is a part of the duty of care in places of public accommodation like hotels," Barth notes. "So, you would want to consider, what was their protocol for an active shooter situation? 
Did they have training, what was their communication system setup, what was supposed to happen, and did they in fact follow their training?" </p><p>He adds that the facts surrounding the Vegas shooting as investigators understand them are not necessarily unusual. </p><p>"This fellow in Vegas specifically requested a particular room. In and of itself, that happens all the time in a hotel," Barth says. He adds that people travel to Las Vegas to gamble or party, and often stay up all night and sleep during the day. "This fellow also had a do not disturb sign on his door for 72 hours. Again, that in and of itself is not a big deal, particularly in Vegas." </p><p>The large containers the weapons and other items were stored in wouldn't necessarily sound the alarm bells, he notes. In a city like Las Vegas, convention exhibitors frequently bring large containers to their rooms, and guests who gamble may be protecting valuables such as cash. </p><p>The duty of care applies equally to event venues as it does to hotels, Adelman says. "The main duty for providing a safe and secure environment generally falls on the shoulders of the venue," he points out, noting that the venue should know what its biggest risks are, and what resources are available to address those risks. </p><p>He adds that, when necessary, the location can contract with a private security company or with law enforcement to take on some of the security responsibilities. </p><p>All properties should take an all-hazards approach to security, paying just as much attention to the threat of a natural disaster as an active shooter. "The threat you prepare for probably isn't going to be the precise threat that actually appears on your doorstep," Barth says.  </p><h4>Gaming Community Reacts to Vegas Tragedy​<br></h4><p>Casinos are no strangers to security. With swaths of surveillance cameras, guards, and cash-protection measures, these venues are used to large volumes of people toting valuables. 
Most gaming properties have no-guns policies, and uniformed and plainclothes security officers keep careful eyes on the property. </p><p>Guests at casinos are looking for privacy and comfort, so hospitality professionals must strike a balance between providing security and making sure their clients feel at ease. </p><p>"Most security has to be unobtrusive, yet effective," says Dave Shepherd with the Readiness Resource Group and a member of the ASIS International Gaming and Wagering Protection Council. "We're not trying to prevent people from crossing a border or boarding an airplane. We have to be very cognizant of the rights of people as they are coming onto the properties." </p><p>In the wake of high-profile incidents, an opportunity arises to engage the C-suite, says Alan Zajic, CPP, with AWZ Consulting and chair of the Gaming and Wagering Protection Council. </p><p>"Any security director knows that when an event like what happened in Las Vegas occurs, your bosses are going to be asking you what you intend to do," he says. "That's the greatest opportunity to say, 'I need a commitment out of you to be able to put some of these programs into place and help protect our employees and our guests.'"</p><p>He explains that gaming properties should prioritize training employees on situational awareness, and proposes a technique. </p><p>"You observe something and investigate it until you understand it," he notes. "If you observe something unusual about a person, you should watch for a while until you understand whether it's legitimate. And if it's not, you investigate."</p><p>These types of training programs are going to become more prevalent in the industry, Zajic says, adding that airport level screening would be too burdensome for hotels and guests alike.</p><p>"Should there be screening or metal detectors inside bell rooms?" he asks. "Those are all kneejerk reactions that I'm not sure are going to float. 
People are going to be resistant to the invasion of their privacy."</p>
https://sm.asisonline.org/Pages/Paved-with-Good-Intentions.aspx
Paved with Good Intentions
Strategic Security
<p>The incentive may have seemed ordinary when Wells Fargo management first issued it. But it led to some extraordinarily negative consequences.</p><p>Wells managers imposed what was sometimes called an "Eight is Great" target for their employees: sell eight accounts per customer. This type of cross-selling, in which bank employees encourage account holders to open another account, take out a credit card, or buy other services, is a common method for companies in the banking industry to increase their revenue. </p><p>But in late 2016, according to news reports and testimony before the U.S. Congress, company representatives publicly conceded that the incentive resulted in disaster. Over a period of at least five years, Wells Fargo employees created more than 1.5 million unauthorized deposit accounts, and at least 500,000 unauthorized credit card applications.</p><h4>Polluted Ecosystem</h4><p>The Wells Fargo case was a clear example of a perverse incentive—an incentive that results in unintended and undesirable consequences contrary to the interests of the incentive designers.</p><p>For managers, it's important to recognize that all incentives have the potential to turn perverse, says managerial incentive expert Marc Hodak of Farient Advisors. </p><p>"Every incentive to perform is an incentive to cheat. You can't have one without the other," he says. </p><p>In practice, the majority of incentives or performance targets in the business world do not turn perverse, despite the potential to do so. Why so with Wells Fargo? </p><p>Hodak says that a few factors came together in the Wells case, and collectively they sustained a "perverse incentive ecosystem." 
</p><p>"Any one of the factors individually wouldn't have resulted in the debacle [that happened]," Hodak explains.</p><p>One crucial factor, Hodak says, was an unrealistic goal. While cross selling is common in the industry, eight accounts per customer, even as an aspirational goal, does not seem realistically achievable on a widespread scale.   </p><p>Other factors compounded this problematic goal, Hodak explains. High-level managers were offered lucrative financial rewards if their staff hit the targets, and managers' bonuses were dependent on the degree to which sales goals were achieved. By some accounts, certain Wells managers began checking their progress toward the sales goals twice a day, thus helping to create an office environment that felt like a pressure cooker. </p><p>In addition to rewards for upper management, incentives were also offered at lower levels of the organization, such as promotions and job security for sales staff who fulfilled the performance goals. </p><p>Still, in most other companies, these factors do not blow up into a catastrophic situation, because there is usually some sort of safety valve. For example, some companies have an internal system of controls that flags suspicious activity, such as an unusual surge in new account creation. </p><p>But at Wells Fargo, the situation was not checked internally and it spiraled out of control. Managers communicated to employees that there would be penalties for not reaching the goals, thereby increasing the possibility of risky behavior. And management punished some who complained. </p><p>"The safety valve got short circuited somehow," Hodak says. "The cheats were getting ahead, and the honest were afraid of getting fired."</p><h4>A Variety of Perversities </h4><p>Of course, the Wells Fargo sales goals are not the only type of perverse incentive. While they can take different forms, management experts say that there are a few specific types of incentive that can run into problems. 
</p><p>One is an undermining metric. This type of metric may fulfill a short-term goal, but it is ultimately not in the organization's long-term interest. </p><p>For example, a company that wants to become more prepared for an active shooter incident may decide to require an annual active shooter training session. Once the session is complete, company leaders then say they have fulfilled their goal.</p><p>But it is possible that the training was ineffective, so the metric has the unintended or perverse effect of convincing managers that the company is prepared, even though it is not. Instead of this metric, the company should focus on performance improvement metrics that can measure the effectiveness of the training. </p><p>Another type of perverse incentive, experts say, can come in the form of budget pressure. Company leaders may indicate to the security manager that proposed budget reductions will be looked favorably upon, because they will save the company money. The security manager may then make personnel cuts that can be covered for in the short term, which are approved by the CEO. But in the long term, they may have the unintended effect of compromising the company's security.   </p><p>Some financial rewards can also become perverse incentives if they alter an employee's motivation. When performance is rewarded with financial compensation, an employee's motivation can change, so that the driving force of his or her behavior becomes the extrinsic motivator of financial reward, not an intrinsic motivation to do good work. </p><p>This can have the unintended effect of decreasing an employee's overall intrinsic motivation, which can hurt performance in other areas. 
And studies show that reliance on extrinsic motivators can diminish creativity, which is an important component of learning and performance.</p><p>In addition, Hodak says that a performance target is more likely to have perverse effects if it contains an all-or-nothing threshold—that is, employees get a significant reward if they hit a goal of eight accounts per customer, but get nothing if they come close, like selling seven accounts. </p><h4>Avoidance Strategies</h4><p>Inasmuch as no one can predict the future, no manager can guarantee that his or her company's incentives will never turn perverse. However, there are strategies for minimizing their likelihood, and in a recent interview with Security Management, veteran security manager Bill Wipprecht offered some best practice guidance. </p><p>Wipprecht was CSO for Wells Fargo for 23 years, until 2010. He was not involved in the incentive situation and was long gone when it came to light; he says he remembers Wells Fargo as a great company and great place to work, albeit with the business ups-and-downs that every firm experiences for creating incentives. </p><p>"I never saw the Wells Fargo incentive as being illegal. It was unethical," he says. </p><p>Wipprecht agrees with the argument that setting an unrealistic goal was one of the key reasons why the Wells incentive turned perverse. And that can sometimes be difficult to avoid, he adds, because most managers have done this at least occasionally in their career. </p><p>He gave the common example of a manager who sits with an underachieving employee in a review and sets an even higher performance goal, even though it seems unrealistic given past performance. </p><p>"Almost every manager has set unrealistic goals and objectives, and asked that the employee meet them," he says.  </p><p>However, the pressure cooker atmosphere that can drive an incentive toward perversity can be avoided if managers self-regulate their own behavior, Wipprecht says. 
To illustrate, he gave the example of how a security manager deals with vendors.</p><p>"I've had managers call a vendor and beat them to a pulp for minor performance issues," he says. "It's almost abusive, and then what are you going to expect in return?" </p><p>What they might get, he adds, is a vendor who will say anything to avoid that type of abuse in the future, including unrealistic claims about the products or services being used that could lead to unintended negative consequences down the line. </p><p>Attitude checks by security managers are also useful in dealing with employees, he adds. Wipprecht remembers how, as CSO, his temperament set the tone of the department. When he was happy and smiling, his employees were too; on days when he came into the office in a bad mood, the department darkened. </p><p>"That was the mood for the entire office for the whole day," he says. </p><p>When the manager's darker moods strike, employees are more likely to present issues in a positive light. For example, they may pretend that their performance is higher than it really is, or they may avoid the manager altogether—even though a pressing security issue needs to be discussed. </p><p>Finally, friendly competition among employees may work to increase productivity, but managers need to realize that it's unwise "to set up an overly competitive situation in an organization, rather than a teamwork environment, which is what you want to instill," Wipprecht cautions. </p><p>Along the same lines, perceived favoritism can lead to unintended consequences, because employees may get the sense that the game is rigged, and they need to do something drastic to compete. "If you've got a favorite in the office, it sets a negative tone for the rest of employees," he says.</p><p>In the end, experts say that incentives can still be used in a positive fashion, but managers need to be continually mindful of where they could go wrong. 
</p><p>"Whenever you put [incentives] in play, you are playing with fire," Hodak says. "Fire is terribly useful, but it can also be dangerous."</p>
https://sm.asisonline.org/Pages/The-Strategic-Leader.aspx
The Strategic Leader
Strategic Security
<p>In this current era of enterprise security risk management (ESRM), there is no shortage of risks to contend with. Most surveys of the top global business risks identify several that are security-related, including terrorism, cyberthreats, pandemics, national disasters, water security, and government instability or collapse. </p><p>But as ominous a backdrop as these risks may provide, they have not changed one of the fundamental realities of business: all functions within a company compete for a finite set of resources, and senior executives will fund those that are most likely to help fuel growth.  </p><p>Given this reality, the problem for support functions like security is that, certain exceptions aside, they are not seen as revenue generators. As a result, the security department must prove that its efforts are strategically aligned with the objectives of the company, and that they are part of the company's overall growth effort. This demands strategic leadership from the security manager.   </p><p>And such strategic leadership goes beyond being the subject matter expert on all things security. It is not simply about possessing the right kind of knowledge. It is, instead, about being someone able to make that knowledge relevant to, and an integral part of, the company's business goals.  </p><p>To succeed in this effort, security professionals must fully understand the myriad ways security affects the larger company. With that knowledge in mind, they must focus on creating relationships inside and outside the organization that will enable the security function to produce results valued by the company. </p><p>Delivering these valued results often requires thinking and working differently–that is, thinking and working strategically. 
It demands that security professionals become strategic leaders.</p><p>This article will focus on the need for strategic leadership by security professionals and what that leadership requires–namely, an alignment between the security function and the company's business goals that is only achievable through the effective execution of strategies. It does this by first explaining the concept of strategy, and then offering several examples of strategic leadership to demonstrate how it plays out in the real world of security.​</p><h4>Vision and Execution</h4><p>The concept of strategy emerged more than 2,500 years ago in ancient Greece with a one-dimensional perspective that focused on how generals waged war. Under this concept, a general is responsible for multiple units, on multiple fronts, in multiple battles, over various spans of time. The general's challenge is to provide the vision and preparation for orchestrating the subsequent comprehensive actions. </p><p>The general's strategy, then, consists of an integrated set of choices designed to achieve specific goals. But it is important to remember that strategy is not an accurate term for every important choice that the general faces. </p><p>This is where organizations fail in the business world. Many executives have begun calling everything they do strategic. Too often, strategy becomes a catchall term, used to mean whatever the executive wants it to mean. </p><p>And all too often, the result is that the organization undertakes a collection of business activities that create confusion and undermine credibility because they are not strategically aligned. Sometimes these executives confuse actions or tactics—which are the means by which strategies are executed—with strategies themselves. They are then left to wonder why they failed to achieve their desired goals. </p><p>Strategy addresses how the business intends to engage its environment in pursuit of its desired goals. 
Without strategy, time and resources will be wasted on piecemeal, disparate activities. Sometimes, managers will fill the void with their own (often parochial) interpretation of what the business should be doing. The result is usually unsuccessful initiatives that are incomplete, disjointed, and confusing.  </p><p>Strategic leadership rises above this confusion. But it does not come easy. Studies show that fewer than one in 10 leaders exhibit strategic skills, a woefully inadequate number. </p><p>It would be a mistake to believe that strategic leadership is only needed in times of crisis. During the good times, strategic leadership is just as important as during the bad times, because it ensures valuable resources are focused on the right areas and in the right ways.</p><p>At its essence, strategic leadership is the ability to learn, anticipate, challenge, interpret, decide, and align organizational capabilities and competing interests in ways that effectively engage the everyday opportunities and problems presented by the competitive environment. It is the ability to translate vision into reality by seeing the bigger picture and longer time horizons, then creating the strategies necessary to achieve goals that deliver valued results.</p><p>Here are five real world examples to illustrate strategic leadership. The first is relatively simple and straightforward, to ease into the concept. The next four are more involved and complex. ​</p><h4>Honing a Process</h4><p>A global security company once had a system for suggestions that required employees to fill out a four-page form each time they had an idea they wished to submit for consideration. </p><p>While the form was lengthy, executives believed the information it solicited was valuable and worth requesting. 
In a period of four years, 2,500 employees submitted 252 ideas for consideration, or about 63 ideas per year.</p><p>A lower-level manager in one business unit, who found the process frustratingly inefficient, successfully engaged the organization to change it. This manager realized that the information submitted on the four-page form had value to company leaders. But he also knew that if the submission process were made easier, the organization would ultimately receive more ideas, and it would benefit greatly from their implementation. </p><p>The manager's suggested changes were made. Today, anyone at the company can submit a description of an idea for improvement via email, instead of a four-page form. Moreover, rather than waiting for a time-consuming process to unfold, the submitter is allowed to act upon the idea if there is no response by management within 30 days. </p><p>Under the streamlined submission process, employees sent in more than 6,000 ideas for improvement within the first year. When some of these were implemented, organizational performance was enhanced and operating costs reduced. </p><p>This is a textbook example of an individual who looks at the bigger picture, and sees an opportunity to change a process that would lead to a positive outcome. This is strategic leadership.</p><h4>Advancing on Many Fronts</h4><p>A security executive sought an opportunity to show that security was aligned with his company's transformational efforts in ways that would help produce clear and valuable results. </p><p>To do that, the security executive engaged in a brainstorming session with his staff, eventually arriving at a consensus decision to improve the company's access control systems.</p><p> The executive knew this was no small undertaking. However, to have the desired outcome he needed buy-in from employees involved in a range of functions that were both inside and outside the business.  </p><p>He began the process by meeting with people. 
He met with the finance department to work through the numbers and arrive at a reasonable capital expenditure budget. He met with legal to identify any liability issues that might arise from the new system. He met with human resources to develop a training program in support of the effort. He also held a joint meeting with human resources, operations, and legal to create a new policy to ensure that there would be progressive discipline for any violations.</p><p> He then met with outside suppliers to engage in an open bidding process and ensure the effective delivery of the approved products. He also met with his company's business development group to ensure that the systems would be installed during site redevelopment to enable the costs to be capitalized, and thereby reduce the overall financial impact on the company. Finally, he met with senior management and presented the strategic plan. It was approved. </p><p>What this security executive's experience shows is that the security function must position the business to succeed in a larger sense, through the involvement of the many, not the few. He realized that the new access control system would result in threat reduction combined with increased security visibility, while controlling costs. </p><p>To achieve that positive outcome, the security executive showed an ability to think, act, and influence others in strategic ways. Like the military general cited earlier, he designed a plan of integrated actions, working on several fronts—budgetary, legal, employee training, and logistics—and, in so doing, demonstrated strategic leadership.    ​</p><h4>Imitation is Not Strategic</h4><p>When given the same challenges to improve security, managers may take actions that are not always strategic. </p><p>For example, in an effort to improve security, a manager undertook a formal benchmarking process. 
In his benchmarking effort, the manager compared the overall security at his company to that of another well-known company, one with a long-standing, well-respected, and well-funded security department.  </p><p>Since this second company was a competitor within the same business industry, a benchmarking comparison seemed apt, and so the manager expected the findings to be relevant to improving security. Flush with information and data, the security manager met with senior management and, in a highly professional set of PowerPoint slides, presented the logic for his budgetary request.  </p><p>Now if we stop there, we might expect that the security manager met with success. After all, it is a common practice in business to identify processes and practices used by other successful firms to understand and recommend competitive positioning. One reason this approach is well regarded in business is that it can be efficient—it can help managers make effective choices by avoiding approaches already judged to be failures by other companies.  </p><p>But contrary to expectation, the security manager's proposal was rejected.</p><p>Although the analysis was logical and the findings sound, the competitor's values, culture, and operational capabilities were drastically different from those of the manager's company. Senior leaders realized that, although something worked at a competing company, it would likely not work in their company, given the operational differences guided by their company's strategies, core values, and organizational culture. These are important differences because they determine how a company chooses to grow through its current or desired product and geographic markets. Unlike a larger company with greater financial and operational capabilities, a smaller business is often less willing or able to fund new ventures. </p><p>So to imitate another company, particularly an industry leader, is to chase a moving target that captures what was effectively yesterday's success. 
As mentioned above, identifying practices used by other successful firms can be valuable as a means of understanding competitors. But merely copying other firms, even those of industry leaders, is not strategic. Where a benchmarking effort becomes strategic, however, is when it seeks an adapted approach tailored to the individual needs of the organization. ​</p><h4>A Piece of the Puzzle</h4><p>Those in security who come from law enforcement, the military, or government service should recognize that the strategic role they are expected to play will be different from the one they previously fulfilled.  </p><p>As one security executive once said, things improved when she recognized that success in government life did not necessarily translate into success in a business setting, because business offers fundamentally different challenges. </p><p>In her new business setting, this executive's credibility came by demonstrating an ability to think and act strategically. This occurred early in her transition, when she was asked to help provide input toward improving the background screening process for new hires. This seemingly small-scale involvement actually had the potential for a large-scale impact across the business.</p><p>From her experience in government service, she knew the importance of hiring well, and how it provides longer-term employees who, over time, possess greater institutional knowledge. Consequently, rather than merely offering a single bit of input, she asked for and was given a place on the working group that was developing a better background screening process. </p><p>In this role, she helped develop a screening process that produced strategic and valued results by minimizing turnover, reducing overall costs, and limiting liability exposure.</p><p>With what appeared to be a small involvement in process improvement, this security executive helped deliver a larger benefit to the company. 
In so doing, she also created relationships that enabled security to meet other challenges that delivered value to the company. Without fanfare and without question, she was a strategic leader. ​</p><h4>Adjusting to Realities </h4><p>A senior security manager had overseen the growth of his firm's security function from humble beginnings. Once part of a small cadre of people responsible for investigations at a company aspiring to get bigger, he had seen the company grow through acquisitions into a business powerhouse. His responsibilities as a security manager grew accordingly.</p><p>As the company opened more offices and plant locations throughout the country, the manager's budget and capital expenditures increased dramatically, in keeping with the need to secure the growing number of sites, assets, and employees. </p><p>However, a companywide satisfaction survey revealed that employees believed the security department was impersonal, bureaucratic, and unresponsive to employee needs. In turn, employees treated security procedures as mere suggestions. </p><p>Based on these findings, the security manager sought to determine the source of the dissatisfaction. He completed a strategic review of the security function, including a small but significant "employee as customer" survey. </p><p>What he discovered was surprising: the problem was rooted in the everyday interactions employees had with the security department, specifically the security officers.</p><p>This struck at a long-standing concern. Controlling costs was one of the company's competitive strategies, and so the decision had been made to outsource the security guard function. But the security review discovered significant problems with this approach. </p><p>Over time, the number of security services firms providing guard services had grown. The company continually sought the lowest-priced local provider, but managing this operation became more and more problematic. 
</p><p>Hiring and retaining quality officers was particularly difficult; many were poorly paid and inadequately trained, and they felt disenfranchised from the company they served. This all contributed to a costly turnover cycle.</p><p>Recognizing an opportunity for positive change, the security manager recommended to his company that they forgo the use of contract services and make the security officers full-time company employees. He presented a strong argument, complete with supporting data.</p><p>Nonetheless, senior management decided that this proposal was counter to the company's cost control strategy. The security manager was told to consider another approach to solve the problem.</p><p>Rather than being defeated by this setback, the manager sought approval from senior management to increase the security services budget to obtain better quality services and reduce the confusion that stemmed from juggling multiple contracts. </p><p>Senior management agreed to a reasonable increase in the security budget, so the security manager began the improvement process by putting the contract out for bid, seeking a single company capable of providing nationwide service in various settings. </p><p>Subsequently, a new security company was awarded the nationwide contract to manage guard services based on a range of factors, including adherence to more professional business attire and a commitment to a process designed to develop and retain effective officers. And the selection of the new services company kept the contract within the budgeted increase provided by senior management.</p><p>A few months after the new services firm was in place, the security department conducted a new survey. Employees reported feeling that company security seemed more professional, more respectful of their needs, and more helpful. Gone was the adversarial attitude, replaced by a feeling of business partnership. 
And the company maintained its desired level of security, as evidenced by fewer security violations and fewer security issues. </p><p>At its essence, this story illustrates strategic leadership in action. Despite setbacks, the security manager adapted to the situation and aligned security efforts so that they were consistent with his company's cost containment strategy and business needs, and fulfilled the firm's protection and customer service requirements.   ​</p><h4>The Future</h4><p>The only certainty about the future is that it is uncertain, and past success does not guarantee future success. These two maxims, sometimes applied to business in general, certainly apply to the security field. </p><p>Some of the factors driving this uncertainty include advances in technology and the quantity of information being produced; shifting customer needs; internal competition within companies for resources; struggles to maintain profitability as the economy changes and evolves; and the new normal of doing more with less for countless business operations, including security. </p><p>But we also see markets offering greater opportunities to those able to adapt. The ability to influence others to engage in efforts that enable organizational success, while acknowledging the constraints of time and resources, is at the heart of being strategic. It is why security leaders must prove they are capable strategic leaders.</p><p>These leaders recognize situational constraints and adapt to their environment. By necessity and design, they are flexible, and able to adjust their strategies to achieve the stated goals. What they do is measurably tied to goals. </p><p>Their attributes go beyond charisma, experience, and expertise. Aspirations are not enough; businesses want to see results. And results, more often than not, take strategic leadership. 
</p><p><em><strong>Chris Walker, D.B.A.</strong> (doctor of business administration), is a management development consultant and a longtime member of ASIS International. A former law enforcement officer responsible for high-level financial investigations, Walker served as the head of global security for a multibillion-dollar division of a Fortune 50 company. He is former executive professor of strategy for Northeastern University.</em></p>
https://sm.asisonline.org/Pages/An-Expert-Partnership.aspx
An Expert Partnership
Physical Security
<p>It was a monumental task. The Ontario Provincial Police (OPP) needed to conduct security assessments of all the courthouses in the province it polices—approximately 100 locations—with only three people to carry out the work.</p><p>In an unprecedented move, Security Assessment Unit Sergeant Laura Meyers, PSP, proposed bringing in outside help from the private sector. Senior executives approved of the idea, and Meyers reached out to the ASIS Toronto Chapter to bring on Michael Thompson, CPP, PCI, PSP, and Gregory Taylor, CPP, PSP. </p><p>Both had public sector experience—Taylor was former military and Thompson a former Toronto police officer. Meyers thought those qualifications, along with their extensive security backgrounds, would not only help them conduct the assessments OPP needed, but also gain the respect of OPP officers they would be working with in the field.</p><p>Her predictions were correct. Taylor and Thompson were well received, and the project was completed on time without exhausting OPP's resources, whether funding or personnel. It also marked a new era with OPP in bringing security professionals in-house to assist law enforcement in addressing security threats.</p><h4>The Mandate</h4><p>In 2007, the province of Ontario issued the Ontario Public Service Physical Operating Policy, which required all public service facilities within the province to complete a physical security threat risk assessment. </p><p>The OPP, which polices more than 1 million square kilometers of land and waterways in Ontario, was subject to this mandate. It's one of North America's largest deployed services with more than 5,800 uniformed officers, 2,400 civilian employees, and 830 auxiliary officers. 
</p><p>To comply with the mandate, the OPP's four-member Security Assessment Unit was assigned to carry out threat assessments of more than 200 facilities across the province. The four members went to each region and trained OPP staff at the facilities on crime prevention through environmental design (CPTED) strategy and the Royal Canadian Mounted Police's (RCMP) Harmonized Threat Assessment Methodologies. </p><p>"It was like a mass attack for the four-person unit to do that within a couple of years," Meyers says. "By 2011, all [facilities] were visited and threat assessments completed." </p><p>During that time frame, Staff Sergeant Rob Fournier was placed in charge of the newly created OPP Justice Officials Protection and Investigations Section (JOPIS). The section was created in 2009 to ensure the safety and protection of justice officials and to address threats, harassment, and intimidation directed at justice officials.</p><p>The Security Assessment Unit and JOPIS regularly began working together to address threats, and in 2015, JOPIS was instructed to complete physical security threat risk assessments on all justice facilities in the province.</p><p>Meyers and Fournier both knew it would be a major task to carry out the assessments, especially if they had to train additional OPP staff to conduct them. </p><p>"In the police world, when you're building your team you're looking for an individual with a ton of experience," Fournier says. "In the security aspect, we have to use that same premise. 
Why would you want to be retraining someone in security work, when you can get someone who's been involved for years?"</p><p>Meyers and Fournier were both active in the ASIS Toronto Chapter, so they pitched the idea of contracting out the justice facility assessments to a few security professionals they knew through the chapter.</p><p>The idea was approved, and Meyers and Fournier recruited two security professionals with certifications and backgrounds in the public sector—Thompson and Taylor. ​</p><h4>Justice Site Visits</h4><p>After Thompson and Taylor were brought on board, they traveled to 92 different sites across the province—ranging from remote areas to urban settings, with everything from historic courthouses to courtrooms in mini plazas.</p><p>Their job was to review each site, evaluate the training protocols, and identify any gaps that might pose vulnerabilities, Fournier says. </p><p>Thompson's and Taylor's recommendations were critical at one site in particular following a series of events over a six-month period that impacted the security of the facility in eastern Ontario. </p><p>During that six-month period, a local individual murdered three former lovers. Law enforcement launched an extensive manhunt to locate the person. During that same time frame, an OPP officer was threatened and forced to temporarily relocate for personal safety. And there was another unrelated high-risk threat to an officer at the facility. </p><p>"There were obviously a bunch of people at that older facility, and it needed attention," Fournier says. Thompson and Taylor were able to take the previous threat assessment of the facility and suggest specific actions to take to address the new vulnerabilities due to the heightened threat environment.</p><p>The facility then improved its exterior parking lot lighting, and made other changes that Fournier could not disclose due to security concerns. 
</p><p>This process of going back to reassess facilities has helped the province distribute its funds to better address security concerns, Fournier says. </p><p>"It's helped paint the picture when we're earmarking where limited funds are going, to say, 'This might not be on your list but it's on ours,' and that helps get things done sooner," he adds.</p><h4>OPP Sites Revisited</h4><p>While Thompson and Taylor were wrapping up the justice site assessments, the OPP decided to update its original threat assessments that were completed in the wake of the 2007 mandate. </p><p>"Some of the recommendations from that set were dated, not the best security practices," Meyers says. "So, we came up with a criticality schedule—how often we should revisit them…looking at it as a continual working project."</p><p>To carry out this work, OPP once again reached out to the Toronto Chapter; this time to Chapter President Patrick Ogilvie, CPP, PSP. Meyers knew that Ogilvie was looking to both build his personal brand as a professional and give back to the community. </p><p>Ogilvie is currently conducting this second round of threat assessments, using the RCMP methodology that was established during the initial round. Having that first set of assessments has been a useful benchmark, Ogilvie says, to score threats and vulnerabilities and then make actionable recommendations for the facilities. </p><p>"Even before I step foot onto a facility, I communicate with commanders that I'm looking for documented evidence or stories of different threats and occurrences," he adds. 
"I get them thinking not as police officers, but essentially as security people who can identify different threats and vulnerabilities that they have experienced."</p><p>This is because sometimes a security threat hasn't been identified by law enforcement because it is not a deliberate act—such as vandalism—that is intended to harm the facility.</p><p>For instance, Ogilvie says he found that most facilities did not identify building structure or leaks as vulnerabilities.</p><p>"What I found in getting out and talking to [people] was that accidents were happening, natural hazards that could have an impact on our business, and our business is policing," he explains. But because these threats weren't identified, nothing was being done to address or mitigate them.</p><p>Ogilvie has made it a point to educate OPP personnel at the facilities that he's looking at all threats—deliberate acts, accidents, and natural hazards—that could harm the organization. For instance, a leak in the facility could cause structural decay and ultimately become a hazard for personnel inside. </p><p>Thus far, Ogilvie says the OPP officers he's interacted with have been receptive to his suggestions, and Meyers adds that the feedback she's received has been highly positive—including that security deficiencies have been pointed out in a respectful manner.</p><p>Due to the success of the program, Fournier says that several First Nation police services across the province have reached out to OPP for assistance on conducting similar threat assessments. </p><p>Many of these facilities, especially in the northern part of Ontario, are in remote locations and have deteriorated or don't adhere to the same standards as other facilities in Ontario. To address this, OPP is working with the police programs to conduct threat assessments of approximately 15 different sites. 
</p><p>The Security Assessment Unit has also been called on to provide assistance to Ontario government facilities—overviews, recommendations, and security advice—because they have proved themselves in the field. </p><p>It has also showcased how civilian personnel can be brought in to a law enforcement agency to help in addressing security concerns. </p><p>Ogilvie, Thompson, and Taylor are all under contract right now using existing funding that OPP secured. Down the road, Fournier says he hopes to change a few positions in the Security Assessment Unit to hybrid roles that either a police or civilian security professional could fill.  </p><p><em>Laura Meyers, PSP, is a Sergeant in the Ontario Provincial Police. ​</em><br></p>
https://sm.asisonline.org/Pages/Vote-Integrity.aspxVote IntegrityGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​This year is a midterm election year, with countless political races. All 435 seats of the U.S. House of Representatives are up for grabs, as well as 33 U.S. Senate races. On the state level, 36 gubernatorial elections will be held, and all but four of the 50 states will hold legislative elections.</p><p>But there's another type of race already happening: a race against time. Namely, will officials be able to secure U.S. election systems when voters cast their ballots in November?</p><p>In recent years, election security has emerged as a repeated concern in the United States. The issue vaulted to prominence after the highly contested presidential election of 2000, which led to unprecedented levels of attention regarding voting methods and machines. </p><p>In a 2006 congressional race in Sarasota County, Florida, more than 18,000 votes went uncounted due to electronic voting errors. </p><p>Later, a New York University study examined three types of voting machines that were used in the 2006 elections, finding significant security and reliability vulnerabilities. (For more background from Security Management, see "Will Your Vote Count," May 2008, and "Machine Politics," October 2012.)</p><p>This year's election features another big concern: potential interference from Russia. That country attempted to hack the 2016 presidential election, U.S. officials have said, and concerns persist about a repeat performance. </p><p>"There is no doubt that Russia interfered in our 2016 election, and targeted 21 states' voting systems," U.S. Representative Robert Brady (D-PA) said at a recent Capitol Hill hearing on election security. "And we can expect them to return." 
</p><p>Brady is cochair of the Congressional Task Force on Election Security, which was created last summer to identify solutions that will safeguard elections going forward. The other cochair is U.S. Representative Bennie G. Thompson (D-MS), ranking member of the U.S. House Committee on Homeland Security.</p><p>Brady's comment that voting machines in 21 states were hacked has been confirmed publicly, but authorities have been unwilling to name the states affected. </p><p>However, according to Thomas Hicks, commissioner and vice chair of the U.S. Election Assistance Commission (EAC), the hackers originally approached machines in all 50 states. But some were more locked down than others, so the other 29 states were not hacked. (The EAC is an independent, bipartisan commission charged with developing guidance and adopting voluntary voting system guidelines.)</p><p>"Make no mistake, it's all 50 states that were scanned. And it was just a little bit of—by the foreign actors or whomever—jiggling the handles and trying to get in. But some of those states were prepared enough that hackers weren't able to get in," Hicks said at the hearing. "So, as we prepare for the 2018 election cycle, we want to make sure that, from voter registration lists, to voting machines, to securing the voting equipment after the election, to election night reporting—from A to Z, all those aspects are taken care of." </p><p>To help in the election security effort, EAC representatives have been flying out on a weekly basis to meet with state-level election representatives to advise on security protocols and systemic issues, Hicks said. The EAC has also been working with the U.S. Department of Homeland Security (DHS) to help get information on election security to state and local officials. 
</p><p>"I think there's a lot more that needs to be done, because I believe that not only are there foreign actors that are looking to mess with our elections, but also folks within our own country who are looking to meddle in our election process," Hicks said.</p><p>Besides the threat of bad actors, U.S. election security faces another risk—aging and outdated equipment. After the disputed 2000 election, Congress passed the Help America Vote Act in 2002, which brought about an equipment update in many states. But some of those machines now need replacing. </p><p>"The equipment that was purchased 15 years ago has come to the end of its life cycle," Hicks said. </p><p>And even some of the older machines that are still in decent operating shape were not designed to withstand the type of cyberattacks and tampering methods that are possible today. "With the older equipment out there, security, if it was thought about at all, was really an afterthought," said Virginia Elections Commissioner Edgardo Cortés at the hearing. </p><p>Voting machine modernization and better voting security is possible, but it takes significant investment, according to Rhode Island Secretary of State Nellie Gorbea. </p><p>At the hearing, she offered her own state as an example, saying that when she took office in 2015 "our voting equipment was on the brink of total failure." </p><p>So, the state invested $10 million in an upgrade, featuring paper ballot optical scanning machines with four layers of security and encryption. </p><p>Besides the equipment upgrade, there was the "second challenge" of building capacity in the public sector to manage election cybersecurity issues, Gorbea explained. It took a 40 percent increase in staff to do this, she added. </p><p>One of the lessons learned from this process, Gorbea said, was that better communication is needed between DHS and state officials regarding topics like threat information sharing. 
And more officials need to understand that effective cybersecurity does not mean arriving at a specific "destination," but is rather a continuous process of assessment and improvement. </p><p>"Cybersecurity is at the forefront of election conversations at every level of government across the country," she said.  </p><p>Given this, Gorbea said she would "absolutely" be in favor of federally mandated baseline cybersecurity requirements for new voting equipment, especially given the precedent of the Russian hacking in 2016. </p><p>"These attacks are real, and are focused on undermining our representative democracy," she said.</p><p>Besides replacing old voting machines and beefing up cyber defenses, states and localities can take other measures to help ensure that the upcoming midterms are secure, according to a recent report, Nine Solutions to Secure America's Elections, issued by the Center for American Progress, a liberal think tank. </p><p>In the report, Liz Kennedy, director of democracy and government reform at the center, and Danielle Root, voting rights manager for democracy and government report, set out nine tasks to improve election security. </p><p>Although a few, like replace old voting machines, are similar to the measures discussed at the Capitol Hill hearing, others touch on points not raised, such as requiring voter-verified paper ballots or records for every vote cast; conducting robust postelection audits to confirm election outcomes; updating and securing outdated voter registration systems; performing mandatory pre-election testing on all voting machines, as well as continuous vulnerability analysis; and providing federal funding for updating election infrastructure.</p><p>"As it currently exists, America's election infrastructure is dangerously insecure and susceptible to hacking, machine malfunctioning, and Election Day disruption," the authors write. 
"…It is critical that we begin building our defenses to protect against election intrusions before it is too late." </p><p>Meanwhile, the Defending Digital Democracy program has issued a handbook offering guidance on how political campaigns can help make elections more secure. Written by a wide-range of security experts, including the CSOs of Facebook and Aetna, the Cybersecurity Campaign Playbook offers best-practice guidance on topics like using cloud services, two-factor authentication, and strong passwords.  </p><p>The Defending Digital Democracy program is run by the Belfer Center for Science and International Affairs at the Harvard Kennedy School. The program was established last year, and its leadership includes top campaign officials from both the Republican and Democratic parties.</p><p>"Cyber adversaries don't discriminate. Campaigns at all levels—not just presidential campaigns—have been hacked. You should assume that you are a target," the playbook says.  ​</p>
https://sm.asisonline.org/Pages/Rethinking-the-Intelligence-Cycle-for-the-Private-Sector.aspxRethinking the Intelligence Cycle for the Private SectorGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Successful security risk management involves careful planning and preparedness rather than ad-hoc crisis response. Successful intelligence analysis requires something similar, and for specialists in this field the intelligence cycle serves as a planning and preparedness blueprint. But just as any set of guidelines must be regularly updated to be effective, the intelligence cycle needs to be reevaluated for its new life in corporate security. As a tool that has been perfected in the public sector, the cycle must adapt to private sector realities, including new consumers, new requirements, limited resources, and, at the core, a new mission.</p><p>Learn how to adapt the intelligence cycle to your needs in this <a href="/ASIS%20SM%20Documents/White%20Paper_Intelligence%20Cycle_11-29-17.pdf">white paper authored by Daniil Davydoff</a>.</p>
https://sm.asisonline.org/Pages/Speak-the-Language-of-Payroll.aspxSpeak the Language of PayrollGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p></p><p></p><p>Payroll in the security service business is not rocket science, but that does not mean it is easy. Paying people for the hours that they work ties into scheduling, time and attendance, industrial relations, human resource management, and billing. </p><p>There are rules to follow, and these rules are not followed just once. Add tens, hundreds, and even thousands of guards to the equation, then mix in tens, hundreds, and even thousands of sites. Each of these sites has rules, realities, regulations, certification requirements, and particularities—as do the respective guards. The potential for errors and pitfalls is huge, and comes with real consequences.</p><p>A well-designed back-office system can help you handle all these variables efficiently and prepare your employees' attendance data so that it integrates easily with your payroll system.</p><p>Still, those who work in sales, operations, training, and human resources should be aware of certain key payroll terms and realities in order to avoid costly pitfalls and better understand costs--even if there is a payroll specialist on staff. Employee pay rate is just a piece of the puzzle, so let's call it the top line. </p><p>Think of the table below as one of those pocket language guides you might carry in a foreign country. My company has clients in both the United States and Canada, so we must be aware of forms and regulations for both countries. 
</p><table width="100%" class="ms-rteTable-default ms-rte-paste-settablesizes" cellspacing="0"><tbody><tr><td class="ms-rteTable-default"><strong>Term</strong></td><td class="ms-rteTable-default"><strong>Explanation</strong></td></tr><tr><td class="ms-rteTable-default">T4 (Canada)</td><td class="ms-rteTable-default">Employers (resident or non-resident) need to complete form T4, Statement of Remuneration Paid, for employees to whom they have paid "employment income, commissions, taxable allowances and benefits, or any other remuneration."</td></tr><tr><td class="ms-rteTable-default">W-2 (U.S.)</td><td class="ms-rteTable-default">Every employer who pays an employee $600 or more for the year and withholds taxes for services performed must file a Form<strong> </strong>W-2, Wage and Tax Statement, for each employee.</td></tr><tr><td class="ms-rteTable-default">T4A (Canada)</td><td class="ms-rteTable-default">In a calendar year, you may make payments relating to employment, like fees, allowances, or pensions, that total over $500. Or, you may have deducted taxes from such payment. In either case, you must fill out form T4A,<strong> </strong>Statement of Pension, Retirement, Annuity, and Other Income<strong>. 
</strong>Note that there are exceptions to these rules.</td></tr><tr><td class="ms-rteTable-default">ACA (U.S.)</td><td class="ms-rteTable-default">The Affordable Care Act, or healthcare law, details employer benefits and responsibilities, which vary according to the size and structure of your workforce.​</td></tr><tr><td class="ms-rteTable-default">1099 (U.S.)</td><td class="ms-rteTable-default">The Internal Revenue Service's (IRS) Form 1099-MISC, Miscellaneous Income, needs to be filed for each person who is not an employee and to whom you have paid at least $600 for services performed.</td></tr><tr><td class="ms-rteTable-default">Workers' Compensation (Canada) </td><td class="ms-rteTable-default">Employees who suffer an occupational injury or illness are eligible for workers' compensation benefits. Each province and territory has a board that makes decisions on such claims. (In the United States, workers' compensation is generally handled through private insurance.)</td></tr><tr><td class="ms-rteTable-default">Overtime</td><td class="ms-rteTable-default"><p>Overtime pay (OT) refers to employee wages that need to be paid at higher than the normal rate because the hours worked exceed "the number of hours deemed to constitute a normal workweek or workday."</p><p>OT varies based on jurisdiction, but in general OT can be 1.5 or 2 times a regular wage rate.</p><p>In the United States, salaried people can be entitled to OT if they earn less than the threshold, which is currently $913 per week; however, there are other conditions.</p></td></tr><tr><td class="ms-rteTable-default">Federal Holiday (U.S.) Statutory Holiday (Canada)</td><td class="ms-rteTable-default">This is a holiday authorized by the U.S. federal or Canadian federal and provincial governments, respectively. In addition to government organizations, other business entities may also observe the holiday. 
Employees required to work on such a holiday may receive wages above their normal rate.</td></tr><tr><td class="ms-rteTable-default">Break/Meal Periods</td><td class="ms-rteTable-default">Break and meal periods are obligatory pauses from work at defined intervals.</td></tr><tr><td class="ms-rteTable-default">Callback/Report-in Pay</td><td class="ms-rteTable-default">If, due to an emergency, an employee is asked to return to work after leaving work or during a paid leave, they earn callback or report-in pay.</td></tr><tr><td class="ms-rteTable-default">Direct Deposit</td><td class="ms-rteTable-default">A direct deposit is a free electronic deposit of funds into one's bank account.</td></tr><tr><td class="ms-rteTable-default">Final Paycheck</td><td class="ms-rteTable-default">When an employee leaves a firm, the final paycheck includes regular wages as well as any unused accumulated annual leave, calculated at the employee's former regular pay rate.</td></tr><tr><td class="ms-rteTable-default">Minimum Wage</td><td class="ms-rteTable-default">The lowest wage rate an employer can legally pay an employee is called the minimum wage.</td></tr><tr><td class="ms-rteTable-default">Minimum Wage - Exemptions</td><td class="ms-rteTable-default">Certain employees, under certain conditions, may not be covered by certain parts of the minimum wage legislation in your jurisdiction. Or, special rules may apply to these employees. Consult your local authority.</td></tr><tr><td class="ms-rteTable-default">Payout of Vacation/Sick Pay</td><td class="ms-rteTable-default"><p>Vacation pay is a supplemental wage payment based on length of service to the company and a percentage of annual wages.</p><p>Sick pay is any amount you pay under a plan to an employee who is unable to work because of sickness or injury. 
 These amounts may be paid by a third party.</p><p>Both payouts are subject to withholding taxes, as if they were regular wage payments.</p></td></tr><tr><td class="ms-rteTable-default">Payroll Deductions</td><td class="ms-rteTable-default">Whether mandatory or voluntary, payroll deductions are amounts withheld from an employee's gross wages.</td></tr></tbody></table><p>Considering how much the security service sector depends on quality talent, it is important to get the details of payroll right--first time and every time. </p><p><em>Mark Folmer, CPP, is vice president for the security industry at TrackTik. He is a member of the ASIS Security Services Council and ASIS senior regional vice president for Region 6, Canada. He also serves on the PSC.1 Technical Committee and Working Group.</em></p>
https://sm.asisonline.org/Pages/Put-Training-to-the-Test.aspxPut Training to the TestGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The classroom door flies open. An emotionally distraught student rushes into the doorway, produces a semiautomatic pistol, presses the muzzle of the gun to his temple with his finger on the trigger, and proclaims, "I can't take it anymore."</p><p>How will the teacher respond to this stressful, high-stakes situation? Will she intervene with verbal tactics or physical ones? Will she inadvertently put other students in danger by reacting too quickly? </p><p>An analysis by school security firm Safe Havens International found that teachers and administrators who had undergone traditional active shooter training were more likely to react to this situation by opting to attack the student or throw things at him, rather than taking the action steps outlined in the school's policies and procedures, such as calling 911 or instigating a lockdown. In other scenarios, trainees reacted in a similar manner that could intensify and aggravate the situation when time allowed for safer policies and procedures to be applied.</p><p>In the wake of high-profile massacres at schools and college campuses, institutions are preparing themselves for the emergency situations with scenario-based training programs. </p><p>The percentage of U.S. public schools that have drilled for an active shooter scenario rose from 47 to 70 percent from 2004 to 2014, according to a study by the National Center for Education Statistics. But the intensive search for solutions to these deadly events can lead to hasty planning and decision making, ultimately resulting in an ineffective response. 
</p><p>The number of teachers and administrators who opt to attack or otherwise approach the armed perpetrator indicates that current active shooter programs may be overwhelming for participants, causing them to respond to threatening scenarios in a dangerous way. Schools have also become narrowly focused on active shooter scenarios, when most deaths and accidents on campuses do not involve an active shooter. </p><p>Taking these factors into consideration, an all-hazards approach to scenario-based training allows schools to prepare for a range of incidents, including bullying, sexual harassment, and natural disasters. Fidelity testing then allows administrators and teachers to put those plans to the test and see how participants apply the training under stressful scenarios. </p><p>School leaders can then learn to rely on the solid foundational principles of policies and procedures, as well as communications and emergency plans, to defuse potentially hazardous situations. Using these basic elements of active threat response and evaluating training programs to identify gaps could save lives.</p><h4>Evaluations</h4><p>During the stress of an actual crisis, people often react differently than they have been trained to do. Fidelity testing of a training program can help determine if there are gaps between what the trainer thinks the trainees will do, and what actions trainees will take in real life. This was the aim of evaluations completed by campus security nonprofit Safe Havens International of Macon, Georgia. </p><p><strong>Methodology.</strong> Analysts conducted the evaluations at more than 1,000 K-12 public, faith-based, independent, and charter schools in 38 states. More than 7,000 one-on-one crisis scenario simulations were conducted by Safe Havens International in a series of school safety, security, and emergency preparedness assessments over the last five years. 
The participants were observed and scored by analysts who had completed a 16-hour formal training program and one day of field work. </p><p>Prior to running the scenarios, analysts came up with several action steps that should be taken in each scenario. These steps included initiating a lockdown, calling 911, sheltering in place, or pulling the fire alarm, for example. Based on those steps, the analysts developed a standardized scoring system to keep track of participant performance in the scenarios. </p><p>This type of training is known as options-based active shooter training because it gives the participants various responses to choose from. Many popular options-based programs are based on the U.S. Department of Homeland Security's Run. Hide. Fight. approach.  </p><p>Drawing from Safe Havens International's repository of more than 200 audio and video crisis scenarios, analysts ran the simulations and let administrators, support staff, and teachers respond accordingly. These simulations covered a range of scenarios, which were presented in several formats. </p><p>For example, some participants were guided through an audio narration of a school bus taken hostage by an armed student. The audio was paused, and the trainees were asked what they would do next in that situation. </p><p>Similarly, video scenarios depicted potentially violent situations that left participants with a number of choices on how to react. </p><p>In one scenario, a woman screams at staff in the school office while brandishing a claw hammer. In another, a student on a school bus jumps up with a gun and yells, "Nobody move, and nobody gets hurt!" The video is stopped and trainees are prompted to say how they would react. </p><p>Based on action steps that were predetermined to be ideal, analysts then scored the trainees' responses on tablet devices. The scoring was tailored to individual clients. 
For instance, if analysts were training a school district that has a police officer on every campus, its response would be different from that of a rural district that does not have a law enforcement officer within 20 miles.</p><p><strong>Results. </strong>The results of the evaluations consistently showed that participants who were provided with options-based active shooter programs had lower scores than those who had not completed any type of training. </p><p>This outcome shows that current active shooter training methods may be overwhelming for administrators and teachers because they provide too much information—prompting them to attack when it is not necessary.</p><p>In an assessment in the northeastern United States, test subjects completed an options-based active shooter training program that was three and a half hours long. Evaluators found that the 63 administrators and staff members from 28 schools missed 628 out of 1,243 critical action steps that should have been implemented. That's more than 50 percent.</p><p>For example, participants failed to initiate or order a lockdown when it was appropriate 70 percent of the time. More than 55 percent of participants failed to call 911 or the school resource officer in scenarios depicting a person with a weapon, and 39 percent of participants failed to pull the fire alarm in situations involving fire. </p><p>During an assessment of a school district in the southwestern United States, 32 people from two groups participated in scenario simulations. One group completed a five-hour live training program based on the Run. Hide. Fight. video, developed by the district's school resource officers. The second group did not receive the training or view the video. </p><p>The simulation results revealed that none of the top five scoring participants had received any type of active shooter training. All five of the lowest scoring participants, on the other hand, had completed the training program. 
</p><p>The overall score was also significantly lower for the group that had completed training than it was for the untrained group. The lower scoring participants often opted to attack in situations where it was not the best option. </p><p><strong>Opting to attack. </strong>For the scenario described in the beginning of the article, where a student is potentially suicidal, analysts found that in one out of every four incidents, a school employee who had completed an options-based active shooter training would try to throw an object at or attack the student armed with a weapon. </p><p>Many of the participants in the simulations responded by opting to use force for almost any scenario involving a subject depicted with a gun. If the student in question was suicidal, such a reaction could be deadly, possibly leading the student to shoot himself or others. </p><p>Participants who had not received formal training began talking to the student, encouraging him to put the gun down, and asking if it was okay for the other students in the classroom to leave. These basics of communication are essential in an active suicide threat situation and can help defuse possible violence.  </p><p>Another scenario featured a drunk man who was 75 yards away from a school at the same time that a teacher and her students were 25 yards from the school building at recess. The analysis found that 30 percent of participants playing the teacher chose to approach—and even attack the drunk man—even though he was three-quarters of a football field away from the school.</p><p>The best option in this scenario is for the teacher to instruct the students to go into the school and put themselves in lockdown, then go into the building and ask the office to dial 911. </p><p>In November 2017, a school in Northern California initiated its lockdown procedure when the school secretary heard gunshots nearby. The gunman tried to enter the campus but could not find an open door. 
Because school faculty followed policies and procedures, countless lives were saved.</p><h4>Active Threat Approach</h4><p>The narrow focus on active shooter incidents has left many schools ill-prepared for other active attacker methods, including edge weapons, acid attacks, and fire. Relying on active shooter training also neglects response to incidents that often go undetected, such as bullying and sexual harassment. </p><p>The Safe Havens International assessments revealed that many K-12 schools lack written protocols for hazardous materials incidents or do not conduct any training or drills for these easy-to-orchestrate, devastating types of attacks. Evaluations also revealed an unwillingness among some school staff to report incidents of sexual harassment.</p><p>Policies and procedures. Edu­cational institutions have written policies and procedures on a range of issues, including bullying, sexual misconduct, signing in visitors, and traffic safety. Scenario-based training will help demonstrate whether staff are prepared to apply those policies appropriately. All staff should be included in this training, including bus drivers, cafeteria employees, and custodial workers.</p><p>Scenario-based training can reveal the gaps between what procedure dictates and what staff would actually do when confronted with a threat. </p><p>For example, in one simulation conducted by Safe Havens International, a student sat in a classroom with a teacher after hours. The teacher stroked the pupil's hair inappropriately and used sexually explicit language. Some custodial staff faced with this scenario responded that they did not feel comfortable reporting what they saw to school administrators. Janitors, who may be more likely to witness such incidents, said they felt an imbalance of power among the staff, leaving them unwilling to speak up. 
</p><p>Administrators should address such issues by using multiple scenarios related to sexual misconduct to demonstrate to employees that they are not only empowered but required to report these situations. Reviewing these policies and procedures as part of scenario-based training, and incorporating possible threats other than active shooter, will bolster preparation among staff. </p><p><strong>Attack methods. </strong>While mass shootings garner the most media attention, most recent homicides at schools were caused by attacks that did not involve active shooter events, according to Relative Risk of Death on K12 Campuses by school security expert Steven Satterly. </p><p>The 2014 study revealed that of 489 victims murdered on U.S. K-12 campuses from 1998 to 2013, only 62 were killed by active shooters. The Columbine, Sandy Hook, and Red Lake Reservation School shootings made up 74 percent of those 62 deaths.</p><p>Several weapons possibilities exist, and should be acknowledged in training programs, including edged weapons, explosive devices, and fire. </p><p>There have been dozens of mass casualty edged weapons attacks in schools, and serious damage can occur in a matter of minutes. A mass stabbing and slashing incident in Franklin, Pennsylvania, in April 2014 left 21 victims injured when a sophomore began attacking other students in a crowded hallway. Similar attacks have occurred in China, Japan, and Sweden that have killed and seriously injured students and school employees.  </p><p>Acid attacks are occurring more frequently in the United Kingdom, as well as in India, East Africa, Vietnam, and other regions. </p><p>For example, in September 2016, a student rigged a peer's violin case with acid at a high school in Haddington, Scotland. The victim's legs were disfigured as a result.  </p><p>These types of attacks are relatively easy to carry out because acid is inexpensive and can be concealed in bottles that appear harmless. 
The injuries sustained in these attacks are gruesome and irreversible, and there are concerns that this attack method may become more common in the United States. </p><p>Many active shooter training approaches also fail to address combination attacks, in which the perpetrator uses two or more attack weapons, such as firearms and explosives, firearms and fire, and so forth. </p><p>In the 2013 attack at Arapahoe High School in Colorado, a student shot his classmates and a staff member several times before throwing three Molotov cocktails that set part of the library ablaze. The student then shot himself. </p><p>Combination attack methods can present complications for first responders who may have to decipher where each threat is located and which one to deal with first. These campus attacks demonstrate the danger of training concepts that focus intently on active shooter incidents, while not offering viable options for other extreme attack methodologies.</p><p>There are ways to better prepare school staff to react to violence and reduce the chance of unintended consequences. Scenarios that present a range of threats and situations help trainees learn to react in the most effective manner, and remind them to rely on existing policies. </p><p>Fidelity testing that includes a scoring system for action steps will help determine whether active shooter and active threat training concepts have been received by the faculty. Including all staff members who have contact with students creates an inclusive environment where everyone feels empowered to report misconduct. </p><p>Putting a mirror to current school emergency preparedness will reflect where changes need to be made. If there are significant gaps between the training concept and application of those concepts when reacting unscripted to scenarios, improvements are in order. By applying these principles, schools can prepare themselves for the common emergencies, the worst-case-scenarios, and everything in between.  
</p><h4>Sidebar: Keeping Simulations Safe</h4><p>Even the most well-intentioned scenario-based training can result in injuries. Training programs that teach throwing of objects, taking people to the floor, punching and kicking, or similar uses of force can wind up hurting trainees and trainers alike.</p><p>At least one popular active shooter training program has resulted in high rates of serious injuries among trainees, according to Jerry D. Loghry, CPP, loss prevention information manager for EMC Insurance.</p><p>Loghry verified that EMC Insurance has paid out more than $1 million in medical bills to school employees for injuries sustained in trainings from one active shooter program over a 22-month time period. In addition, one police department is being sued due to those injuries. </p><p>Instructors can be trained on how to engage participants in use-of-force in a safe way. Reasonable safety measures should be put into place, such as floor mats, and participants should wear protective padding, goggles, and even helmets if necessary. </p><p>Safety rules should be written in advance and observed during training simulations. </p><p>Local law enforcement can be a valuable resource for simulating active threat situations in a safe manner, because police officers complete similar close-quarters combat training on a regular basis. Observing these best practices can help prevent litigation and liability issues, as well as enhance the overall experience of participants and instructors.</p><h4>Sidebar: Fidelity Testing</h4><p>For stereo systems, fidelity means that the sound generated by the speakers is nearly identical to the sound of the music that is recorded. In marriage, fidelity means that a person will be faithful to their promises to another.</p><p>In the world of school safety, fidelity indicates a close alignment between what is intended by safety policies, plans, drills, and training, and what people do in reality. 
Fidelity testing is the best way to verify the level of alignment between intentions and reality.</p><p>In the case of active shooter preparedness, fidelity testing involves efforts to measure whether there is a close match between theory and what people will actually do under the stress of a violent incident. </p><p>With properly designed active shooter preparedness approaches, practical application under extreme stress should mirror, to a reasonable extent, the theoretical expectations of the approach. If people cannot correctly apply the active shooter survival options they have been provided under simulated conditions, their performance will likely not improve when they are placed under extreme stress. </p><p>A high degree of fidelity helps reduce the distance between what people ideally do under stress and what they are likely to do. A reasonable level of fidelity testing of active shooter survival concepts should document that people are able to:</p><ul><li><p>Demonstrate the ability to identify when they are in an active shooter situation.</p></li><li><p>Apply each option they are taught in an appropriate fashion when tested with scenarios they do not know in advance.</p></li><li><p>Apply each option under limited time frames with incomplete information.</p></li><li><p>Demonstrate knowledge of when applying each option would increase rather than decrease danger.</p></li><li><p>Demonstrate the ability to identify when they are in a situation involving firearms that is not an active shooter event.</p></li><li><p>Demonstrate the ability to properly address a wide array of scenarios involving weapons other than firearms.</p></li></ul><p><em><strong>Michael Dorn </strong>is the CEO of Safe Havens International. He has authored 27 books on school safety and emergency preparedness, and his work has taken him to 11 countries. 
He has provided post-incident assistance for 12 active shooter incidents at K-12 schools, and helped coauthor a U.S. government IS360 Web training program on active shooter events. He can be reached at mike@weakfish.org</em></p>
https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspx
How to Hack a Human
Category: Cybersecurity
<p>It all started innocuously with a Facebook friend request from an attractive woman named Mia Ash. Once her request was accepted, she struck up a conversation about various topics and showed interest in her new friend's work as a cybersecurity expert at one of the world's largest accounting firms.</p><p>Then, one day Mia shared her dream—to start her own company. She had one problem, though; she did not have a website and did not know how to create one. Surely her new friend could use his expertise to help her achieve her dreams by helping her make one? </p><p>Mia said she could send him some text to include on the new site. He agreed, and when he received a file from Mia he opened it—on his work computer. That simple act launched a malware attack against his company resulting in a significant compromise of sensitive data.</p><p>Mia was not a real person, but a carefully crafted online persona created by a prolific group of Iranian hackers—known as Oilrig—to help this elaborate spear phishing operation succeed. </p><p>Due to his role in cybersecurity, the target was unlikely to have fallen for a standard phishing attack, or even a normal spear phishing operation. He was too well trained for that. But nobody had prepared him for a virtual honey trap, and he fell for the scheme without hesitation.</p><p>This case is a vivid reminder that when cybersecurity measures become difficult to penetrate by technical means, people become the weakest link in a cybersecurity system. It also illustrates how other intelligence tools can be employed to help facilitate cyber espionage.</p><p>While many hackers are merely looking to exploit whatever they can for monetary gain, those engaging in cyber espionage are different. 
They are often either working directly for a state or large nonstate actor, or as a mercenary contracted by such an actor tasked with obtaining specific information.</p><p>This targeted information typically pertains to traditional espionage objectives, such as weapons systems specifications or the personal information of government employees—like that uncovered in the U.S. Office of Personnel Management hack. </p><p>The information can also be used to further nondefense-related economic objectives, such as China's research and design 863 program, which was created to boost innovation in high-tech sectors in China. </p><p>Given this distinction and context, it is important to understand that hacking operations are just one of the intelligence tools sophisticated cyber espionage actors possess. Hacking can frequently work in conjunction with other intelligence tools to make them more efficient.</p><p>Hacking into the social media accounts or cell phone of a person targeted for a human intelligence recruitment operation can provide a goldmine of information that can greatly assist those determining the best way to approach the target. </p><p>For instance, hacking into a defense contractor's email account could provide important information about the date, time, and place for the testing of a revolutionary new technology. This information could help an intelligence agency focus its satellite imagery, electronic surveillance, and other collection systems on the test site.</p><p>Conversely, intelligence tools can also be used to enable hacking operations. Simply put, if a sophisticated cyber espionage actor wants access to the information contained on a computer system badly enough, and cannot get in using traditional hacking methods, he or she will use other tools to get access to the targeted system. A recent case in Massachusetts illustrates this principle.</p><p>Medrobotics CEO Samuel Straface was leaving his office at about 7:30 p.m. 
one evening when he noticed a man sitting in a conference room in the medical technology company's secure area, working on what appeared to be three laptop computers.</p><p>Straface did not recognize the man as an employee or contractor, so he asked him what he was doing. The man replied that he had come to the conference room for a meeting with the company's European sales director. Straface informed him that the sales director had been out of the country for three weeks.</p><p>The man then said he was supposed to be meeting with Medrobotics' head of intellectual property. But Straface told him the department head did not have a meeting scheduled for that time. </p><p>Finally, the man claimed that he was there to meet the CEO. Straface then identified himself and more strongly confronted the intruder, who said he was Dong Liu—a lawyer doing patent work for a Chinese law firm. Liu showed Straface a LinkedIn profile that listed him as a senior partner and patent attorney with the law firm of Boss & Young. </p><p>Straface then called the police, who arrested Liu for trespassing and referred the case to the FBI. The Bureau then filed a criminal complaint in the U.S. District Court for the District of Massachusetts, charging Liu with one count of attempted theft of trade secrets and one count of attempted access to a computer without authorization. After his initial court appearance, Liu was ordered held pending trial.</p><p>Straface caught Liu while he was presumably attempting to hack into the company's Wi-Fi network. The password to the firm's guest network was posted on the wall in the conference room, and it is unclear how well it was isolated from the company's secure network. 
It was also unknown whether malware planted on the guest network could have affected the rest of the company's information technology infrastructure.</p><p>The fact that the Chinese dispatched Liu from Canada to Massachusetts to conduct a black bag job—an age-old intelligence tactic to covertly gain access to a facility—indicates that they had not been able to obtain the information they desired remotely.</p><p>China had a clear interest in Medrobotics' proprietary information. Straface told FBI agents that companies from China had been attempting to develop a relationship with the company for about 10 years, according to the FBI affidavit. Straface said he had met with Chinese individuals on about six occasions, but ultimately had no interest in pursuing business with the Chinese.</p><p>Straface also noted that he had always met these individuals in Boston, and had never invited them to his company's headquarters in Raynham, Massachusetts. This decision shows that Straface was aware of Chinese interest in his company's intellectual property and the intent to purloin it. It also shows that he consciously attempted to limit the risk by keeping the individuals away from his facilities. Yet, despite this, they still managed to come to the headquarters.</p><p>Black bag attacks are not the only traditional espionage tool that can be employed to help facilitate a cyberattack. Human intelligence approaches can also be used. </p><p>In traditional espionage operations, hostile intelligence agencies have always targeted code clerks and others with access to communications systems. </p><p>Computer hackers have also targeted humans. Since the dawn of their craft, social engineering—a form of human intelligence—has been widely employed by hackers, such as the Mia Ash virtual honey trap that was part of an elaborate and extended social engineering operation.</p><p>But not all honey traps are virtual. 
If a sophisticated actor wants access to a system badly enough, he can easily employ a physical honey trap—a very effective way to target members of an IT department to get information from a company's computer system. This is because many of the lowest paid employees at companies—the entry level IT staff—are given access to the company's most valuable information with few internal controls in place to ensure they don't misuse their privileges.</p><p>Using the human intelligence approaches of MICE (money, ideology, compromise, or ego), it would be easy to recruit a member of most IT departments to serve as a spy inside the corporation. Such an agent could be a one-time mass downloader, like Chelsea Manning or Edward Snowden. </p><p>Or the agent could stay in place to serve as an advanced, persistent, internal threat. Most case officers prefer to have an agent who stays in place and provides information during a prolonged period of time, rather than a one-time event.</p><p>IT department personnel are not the only ones susceptible to such recruitment. There are a variety of ways a witting insider could help inject malware into a corporate system, while maintaining plausible deniability. Virtually any employee could be paid to provide his or her user ID and password, or to intentionally click on a phishing link or open a document that will launch malware into the corporate system. </p><p>An insider could also serve as a spotter agent within the company, pointing out potential targets for recruitment by directing his or her handler to employees with marital or financial issues, or an employee who is angry about being passed over for a promotion or choice assignment.</p><p>An inside source could also be valuable in helping design tailored phishing attacks. 
For instance, knowing that Bob sends Janet a spreadsheet with production data every day, and using past examples of those emails to know how Bob addresses her, would help a hacker fabricate a convincing phishing email.</p><p>Insider threats are not limited only to the recruitment of current employees. There have been many examples of the Chinese and Russians recruiting young college students and directing them to apply for jobs at companies or research institutions in which they have an interest.</p><p>In 2014, for instance, the FBI released a 28-minute video about Glenn Duffie Shriver—an American student in Shanghai who was paid by Chinese intelligence officers and convicted of trying to acquire U.S. defense secrets. The video was designed to warn U.S. students studying abroad about efforts to recruit them for espionage efforts.</p><p>Because of the common emphasis on the cyber aspect of cyber espionage—and the almost total disregard for the role of other espionage tools in facilitating cyberattacks—cyber espionage is often considered to be an information security problem that only technical personnel can address. </p><p>But in the true sense of the term, cyber espionage is a much broader threat that can emanate from many different sources. Therefore, the problem must be addressed in a holistic manner. </p><p>Chief information security officers need to work hand-in-glove with chief security officers, human resources, legal counsel, and others if they hope to protect the companies and departments in their charge. </p><p>When confronted by the threat of sophisticated cyber espionage actors who have a wide variety of tools at their disposal, employees must become a crucial part of their employers' defenses as well. </p><p>Many companies provide cybersecurity training that includes warnings about hacking methods, like phishing and social engineering, but very few provide training on how to spot traditional espionage threats and tactics. 
This frequently leaves most workers ill-prepared to guard themselves against such methods. </p><p>Ultimately, thwarting a sophisticated enemy equipped with a wide array of espionage tools will be possible only with a better informed and more coordinated effort on the part of the entire company. </p><h4>Sidebar: The Mice and Men Connection</h4><p>The main espionage approaches that could be used to target an employee to provide information, network credentials, or to introduce malware can be explained using the KGB acronym of MICE.</p><p>M = Money. In many cases, this does equal cold, hard cash. But it can also include other gifts of financial value—travel, jewelry, vehicles, education, or jobs for family members. Historic examples of spies recruited using this hook include CIA officer Aldrich Ames and the Walker spy ring.</p><p>A recent example of a person recruited using this motivation was U.S. State Department employee Candace Claiborne, whom the U.S. Department of Justice charged in March 2017 with receiving cash, electronics, and travel for herself from her Chinese Ministry of State Security handler, as well as free university education and housing for her son.</p><p>I = Ideology. This can include a person who has embraced an ideology such as communism, someone who rejects this ideology, or who otherwise opposes the actions and policies of his or her government.</p><p>Historical examples of this recruitment approach include the Cambridge Five spy ring in the United Kingdom and the Rosenbergs, who stole nuclear weapons secrets for the Soviet Union while living in the United States.</p><p>One recent example of an ideologically motivated spy is Ana Montes, who was a senior U.S. Defense Intelligence Agency analyst recruited by the Cuban DGI, who appealed to her Puerto Rican heritage and U.S. policies toward Puerto Rico. Another ideologically motivated spy was Chelsea Manning, a U.S. 
Army private who stole thousands of classified documents and provided them to WikiLeaks.</p><p>C = Compromise. This can include a wide range of activities that can provide leverage over a person, such as affairs and other sexual indiscretions, black market currency transactions, and other illegal activity. It can also include other leverage that a government can use to place pressure on family members, like imprisoning them or threatening their livelihood.</p><p>Historic examples of this approach include U.S. Marine security guard Clayton Lonetree, who was snared by a Soviet sexual blackmail scheme—a honey trap—in Moscow, and FBI Special Agent James Smith, who was compromised by a Chinese honey trap.</p><p>More recently, a Japanese foreign ministry communications officer hanged himself in May 2004 after falling into a Chinese honey trap in Shanghai.</p><p>E = Ego. This approach often involves people who are disenchanted after being passed over for a promotion or choice assignment, those who believe they are smarter than everyone else and can get away with the crime, as well as those who do it for excitement.</p><p>Often, ego approaches involve one of the other elements, such as ego and money—"I deserve more money"—or ego and compromise—"I deserve a more attractive lover."</p><p>A recent example is the case of Boeing satellite engineer Gregory Justice, who passed stolen electronic files to an undercover FBI agent he believed was a Russian intelligence officer. 
While Justice took small sums of money for the information, he was primarily motivated by the excitement of being a spy like one of those in the television series The Americans, of which he was a fan.​</p><p>​<br></p><p><em><strong>Scott Stewart</strong> is vice president of tactical analysis at Stratfor.com and lead analyst for Stratfor Threat Lens, a product that helps corporate security professionals identify, measure, and mitigate risks that emerging threats pose to their people, assets, and interests around the globe.</em></p>
https://sm.asisonline.org/Pages/New-Technology-with-a-Personal-Touch.aspx
New Technology with a Personal Touch
Category: Physical Security
<p>As a financial services organization, Northwestern Mutual helps clients plan now to prepare for the future. And at the end of 2014, the Milwaukee-based company put that goal into practice when planning a security strategy for a new building in the heart of the city. The 32-story, 1.1 million-square-foot Northwestern Mutual Tower and Commons houses about 2,400 Northwestern Mutual employees and signals a shift in the organization's approach to business.</p><p>"In essence, it was revolutionizing our organization from an insurance and financial investment company into a financial tech-savvy organization," explains Bret DuChateau, corporate security consultant at Northwestern Mutual. "How do we position ourselves over the next few years to build this brand new state-of-the-art building to attract the workforce of the future, and how leading up to that do we design and integrate systems into that building that will set us up for the future?"</p><p>DuChateau has been on Northwestern Mutual's security team since 2004, and the new building presented an opportunity to not only update the technology but position the organization's security approach as one that will be cutting-edge for years to come. </p><p>Key to this concept was considering how technology could augment a physical security presence through digital guest registration systems, data analytics, and streamlined command center protocols. First, however, DuChateau had to get the entire campus on the same security platform.</p><h4>COME TOGETHER</h4><p>"The tower is a learning center for all of our financial representatives and employees, designed in a very open and collaborative way from an organizational and customer experience standpoint," DuChateau says. 
"It certainly positions us where we want to be in the future, but is also designed to connect better with the community here in Milwaukee."</p><p>The new facility connects to three existing Northwestern Mutual buildings via skywalk and also boasts a public commons area featuring gardens, restaurants, and coffee shops, and an interactive museum of the organization's history. With the combination of old and new buildings, as well as public and private areas, it was critical for the campus's access control to work as a unified solution.</p><p>"We had multiple campuses all under one corporate security team, but we were talking two different languages," DuChateau explains. "You would have one system and one set of rules at one campus, and one system and set of rules at the other, and there was no data exchange, so you were always trying to manually keep databases in sync. If someone leaves one site, we have to manually take them out of the other site. Just onboarding and offboarding people, manually entering their first name, last name, and employee number in one system, assigning them access, and then turning to the next computer and entering them in another system. I could go on and on."</p><p>Northwestern Mutual chose AMAG Technology for its Symmetry access control enterprise system and Symmetry GUEST visitor management system to streamline the flow of employees and visitors alike throughout the campus. Now with all buildings on the same platform, and the ability to automate several of the processes that had previously been manual, Northwestern Mutual estimates it saves about 14 hours a month when it comes to managing the access control system.</p><p>"You're not only looking at a security process efficiency, but a support process," DuChateau explains. "Now we have dedicated IT teams that help us from an infrastructure standpoint—they don't have to remember which system they are working on, because we're all working on one system across the enterprise. 
We're in a virtualized server environment so everyone is seeing and touching the same thing, and just from a staffing standpoint, we have people who can bounce between multiple campuses and they are not having to relearn everything."</p><p>Comparing the response to a standard door alarm before and after the technology upgrade shows the efficiency of the new system, DuChateau points out. When multiple security systems were in place, a door alarm would be automatically logged into a database and a patrol officer would be dispatched to where the alarm went off. Employees in the command center would open up an Excel spreadsheet and document the date, time, and location of the alarm and how it was resolved. At the same time, the responding officer would record the same information into his or her own response log.</p><p>"We'd have this incident documented in five or six places," DuChateau notes. "In our traditional mindset a few years ago, we just kept doing it because it was the process. None of the documentation was coalesced into a common system, it was just out there."</p><p>After the AMAG upgrade, the process has become more streamlined. The access control system will register the door alarm and immediately display a notification on video monitors in the command center. The situation can often be resolved just by looking at the video of what is going on, and the system allows employees to document the alarm in the system itself. </p><p>"It's pretty hands-off, we put a heavy lift into the programming," DuChateau says. "We went from logging 1,400 different entries on a shift down to 200 just by taking a step back. When you're saving 800 steps from a shift, that equates to time, so we gained about six hours out of an eight-hour shift by freeing someone up from documenting everything." ​</p><h4>WATCHFUL AND WELCOMING</h4><p>Northwestern Mutual's corporate security team is blended, with about 40 in-house employees and another 40 contracted officers. 
The organization switched from another contract security provider to G4S at the end of 2016 due to its familiarity with the AMAG systems—AMAG is a subsidiary of G4S.</p><p>"That was a factor in identifying this relationship," DuChateau says. "We could have the benefit of G4S folks coming to us that have familiarity with their own products already, so we don't have to spend as much time as we normally would with someone coming in cold and having to train them on the solutions."</p><p>DuChateau points out that, despite the addition of the tower and commons to the campus, Northwestern Mutual did not need to bring on any additional in-house or contracted security personnel, thanks to the augmented technology.</p><p>"When you talk about opening a 1.1 million-square-foot addition, you would think that it's a given that we'd need extra security people, but we didn't because we became more efficient," DuChateau says.</p><p>G4S officers have become a more integral part of Northwestern Mutual's security approach and are primarily in charge of the visitor management system, which is critical for the new facility—employees from all over the country flock to the Milwaukee campus every week for training. The increase in traffic required DuChateau to rethink the visitor registration process.</p><p>"We had five buildings that were all interconnected, but we had five separate lobbies, five separate ways to process visitors, five separate ways to get employees in and out, so we wanted to make some conscious decisions on where to direct people," DuChateau explains. "We just built this brand new beautiful tower and connecting commons and training space. Do we have to process visitors at every single building or can we direct them to the tower lobby? If we direct them to one main entry point, then we can deploy technology in these other lobbies and move resources where they're needed. 
We changed a little bit of behavior and moved some of the operations more towards a centralized location than doing everything everywhere."</p><p>AMAG's visitor management system allows guests to preregister, making it easy for officers to look up the guest and print a barcoded badge that permits visitors access to specified areas. The system also runs guests' names against a list of restricted visitors. DuChateau says that in the future the system will allow preregistered guests to print off a QR code that would produce a badge upon being scanned at the facility. "There are some cool things on the horizon as far as the efficiency standpoint goes," he says.</p><h4>ALL IN THE NUMBERS</h4><p>While DuChateau is glad to have a 21st century, enterprise-level security system in place, he says he is most looking forward to what the system can do for Northwestern Mutual in years to come. Already, data mining has made the security approach more efficient and intuitive.</p><p>"We have two cafeterias on our Milwaukee campus, so we can start gathering access control data and say at 9:30 a.m. here's a snapshot of the number of people on campus, give that to the restaurant team, and they can use it and plan to feed that many people for lunch that day," DuChateau says. "We want to use this data to say, 'okay, are we using our facilities how we had intended three years ago?' We start looking at singular systems, gathering data, and making that data actionable in a business sense. Data is data, but if you don't use it, what good is it for besides investigations?"</p><p>Preregistration data also helps the security team manage the flow of visitors each day. Employees can look at the guest database and estimate when and where large groups of visitors will arrive, and plan accordingly. 
"We get a couple more laptops, badge printers, and patrol people to help process visitors, versus having a bad customer experience and having 200 people lined up out the door just to get in to a training event that we're hosting," DuChateau explains. </p><p>That's just the tip of the data-mining iceberg, and the more Northwestern Mutual's security arm works with the rest of the organization, the more the data can be employed to the organization's benefit. "Our information resource management and cybersecurity folks look at it from a different perspective, and maybe our privacy people ask how the data is going to be used and what kind of data is gathered," DuChateau says. "Now that we're standardized on an enterprise-class solution, how can that data benefit the business? How can we slice and dice that data down the road? Maybe we can take snapshots of our environment across all of our facilities, not only in Wisconsin but in Arizona and New York—can we feed that information to our workforce planning people?"</p><p>DuChateau says he wants Northwestern Mutual's intelligent security control centers to take the heavy lift off of employees and use built-in analytics to proactively identify strange behavior, and instead use security personnel to respond to exceptions.</p><p>"For the longest time, our control centers had this big screen up with all card access activity in the environment, thousands and thousands of people badging in and out—all of this data is scrolling by and it's just noise," DuChateau says. "Why do we even care what these people are doing in real time? 
Let's care about the people who are badging into areas that they aren't supposed to be badging into, or someone who has a multifactored device and is putting in the wrong PIN code, and start dealing with the smarter security approach to a secure environment."</p><p>While the new technology and data augment Northwestern Mutual's security posture and reduce the workload on guard services, DuChateau says that does not mean technology will replace people. "Maybe we want to pull some people because we've deployed technology, but we will direct them to a different part of the operation that looks at metrics, or quality assurance, or all of these things that really build up those parts of the program, because we don't have to be so labor intensive on physical access control or checking IDs or things like that—we can look at resource management in a different lens."</p><p>For now, DuChateau says the security team is still getting used to the new facilities and platforms at Northwestern Mutual's Milwaukee campus and is learning to rely on the data the systems collect. But within a few years, he foresees a "phenomenal expansion" of leveraging the platforms to guide the team's efforts.</p><p>"We've really begun to scratch the surface on the potential of all of this technology," DuChateau says. "We're in a good spot because we did it early enough and we have people familiar enough with the technology. Now we can ask, okay, what else can we do and how else can we move the vision of our company forward?"</p>