Cybersecurity

Cyber Goals: Past Due
By Megan Gates | Security Management, August 1, 2018 | https://sm.asisonline.org/Pages/Cyber-Goals-Past-Due.aspx

<p>On May 15, 2018, the U.S. Department of Homeland Security (DHS) released its cybersecurity strategy for the next five years.</p>
<p>"The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," said DHS Secretary Kirstjen Nielsen in a statement on the strategy's release. "Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself."</p>
<p>Between 2006 and 2015, the number of cyber incidents on U.S. federal government systems reported to DHS increased more than tenfold. They included the massive Office of Personnel Management breach, which compromised the records of more than 4 million U.S. federal employees and affected some 22 million people in all.</p>
<p>"The growing interconnection of cyber and physical systems within critical infrastructure also creates the potential risk for malicious cyber activity to result in direct physical consequences," according to DHS. "For example, the December 2015 overriding of controls in the Ukrainian electric grid resulted in widespread loss of power."</p>
<p>More recent incidents, such as the WannaCry ransomware and NotPetya wiper outbreaks of 2017, have also demonstrated how self-propagating malware that exploits unpatched Windows systems can spread across organizations and borders within hours, with far-reaching consequences.</p>
<p>In response, Nielsen said, DHS is "rethinking its approach" to cybersecurity to confront systemic risk, and the strategy is the product of that rethinking. The document was a requirement under the National Defense Authorization Act for Fiscal Year 2017 and lays out a five-part approach to managing national cyber risk: identifying risk, reducing vulnerability, reducing threat, mitigating consequences, and enabling cybersecurity outcomes.</p>
<p>"Through our efforts to accomplish seven identified goals across these five pillars, we work to ensure the availability of critical national functions and to foster efficiency, innovation, trustworthy communication, and economic prosperity in ways consistent with our national values and that protect privacy and civil liberties," DHS said.</p>
<p>Before it can address vulnerabilities, threats, and the consequences of incidents, the department must first be able to identify risk, which is the strategy's first pillar.</p>
<p>The department's first goal under this pillar is to assess cybersecurity risks so it understands the "evolving national cybersecurity risk posture to inform and prioritize risk management activities," according to the strategy.</p>
<p>To do this, DHS said it plans to work with stakeholders, including sector-specific agencies and nonfederal cybersecurity firms, to understand trends in threats, vulnerabilities, interdependencies, and potential consequences so the department can prioritize its activities and budget accordingly.</p>
<p>"DHS must also take stock of gaps in national analytic capabilities and risk management efforts to ensure a robust understanding of the effectiveness of cybersecurity efforts," the strategy explained. "We must anticipate the changes that future technological innovation will bring, ensure long-term preparedness, and prevent a 'failure of imagination.'"</p>
<p>As part of this goal, DHS has set specific objectives, including identifying evolving cybersecurity risks that affect economic security, public health, and national security; identifying and creating plans to address gaps in analytic capabilities; and developing plans and scenarios for future technology deployments that could be disruptive.</p>
<p>Another pillar of DHS's strategy is to reduce the vulnerability of U.S. federal agencies across the board.</p>
<p>"DHS leads the effort to secure the federal enterprise and must use all available mechanisms to ensure that every agency maintains an adequate level of cybersecurity, commensurate with its own risks and with those of the larger enterprise," according to the strategy.</p>
<p>To assist the rest of the U.S. federal government, DHS will work with the Office of Management and Budget (OMB) to address systemic risks and interdependencies between agencies.</p>
<p>"DHS must also support agency efforts to reduce their vulnerabilities to cyber threats by providing tailored capabilities, tools, and services to protect legacy systems, as well as cloud and shared infrastructure," the strategy explained. "Within its own systems, DHS must continue to adopt new technologies and serve as a model for other agencies in the implementation of cybersecurity best practices."</p>
<p>As part of this pillar, DHS laid out sub-objectives to define more clearly how it will achieve this goal. These include developing and implementing a clear governance model for U.S. federal cybersecurity; issuing new or revised policies and recommendations to ensure adequate cybersecurity across the enterprise; and providing agencies with integrated and operationally relevant information necessary to understand and manage their cyber risk.</p>
<p>One example of this in action prior to the release of the strategy was DHS's Binding Operational Directive 18-01, issued in October 2017, which required U.S. federal agencies to strengthen their email and Web security. On the email side, DHS mandated that agencies implement Domain-based Message Authentication, Reporting, and Conformance (DMARC), the DNS-published policy that tells receiving mail servers how to treat messages that fail SPF and DKIM checks for a domain and where to send reports about them; agencies were given one year to reach an enforcing policy of p=reject. (See "Spoofing the CEO," Security Management, October 2016.)</p>
<p>Another goal under this pillar is to protect critical infrastructure by partnering with stakeholders to ensure national cybersecurity risks are managed. This partnership is key because a majority of the critical infrastructure in the United States is owned and operated by the private sector.</p>
<p>"DHS must partner with key stakeholders, including sector specific agencies and the private sector, to drive better cybersecurity by promoting the development and adoption of best practices and international standards, by providing services like risk assessments and other technical offerings, and by improving engagement efforts to advance cybersecurity risk management efforts," the strategy stated.</p>
<p>An example of this in action was DHS's response to the 2017 WannaCry ransomware attack. During the attack, DHS's National Protection and Programs Directorate partnered with other agencies and the private sector to help U.S. hospitals, a major target of WannaCry, confirm that their systems were not vulnerable to the malware. It also released an unclassified technical alert to help defenders defeat the malware and prevent its spread.</p>
<p>In addition to reducing vulnerability, DHS's strategy also outlines a goal to reduce threats in cyberspace overall.</p>
<p>"In partnership with other law enforcement agencies, DHS must prevent cyber crime and disrupt criminals and criminal organizations who use cyberspace to carry out their illicit activities and leverage identified threat activity and trends to inform national risk management efforts," the strategy explained.</p>
<p>To do this, DHS will create investigative priorities related to illicit cyber activity, identify and conduct high-impact investigations of cybercrimes by transnational criminal organizations, disrupt online marketplaces for malicious cyber activity, and develop options to disrupt, counter, and deter transnational criminal organizations.</p>
<p>The final portions of the DHS strategy are to mitigate consequences and enable cybersecurity outcomes.</p>
<p>With the rise of cybercrime and illicit cyber activity, DHS must have a role in limiting the impact of significant cyber incidents, the department said.</p>
<p>"Many cyber incidents do not require a national response," the strategy explained. "But when they do, DHS plays a unique role in responding to cyber incidents to mitigate potential consequences by providing technical assistance to affected entities and other assets that are at risk and investigating the underlying crimes."</p>
<p>DHS took this role, for example, in July 2017 when the U.S. Secret Service, part of DHS, worked with international law enforcement to arrest a Russian national who allegedly operated the BTC-e cryptocurrency exchange.</p>
<p>"From 2011 to 2017, BTC-e is alleged to have facilitated over $4 billion worth of Bitcoin transactions worldwide for cyber criminals engaging in computer hacking, identity theft, ransomware, public corruption, and narcotics distribution," DHS said. "Researchers estimate approximately 95 percent of ransomware payments were laundered through BTC-e."</p>
<p>While the strategy is an important framework for the U.S. federal government, it has been met with criticism.</p>
<p>Ray DeMeo, chief operating officer of Virsec, says the DHS strategy is high-level and is missing an implementation plan.</p>
<p>"One of the document's guiding principles is to foster innovation and agility—this is a big ask, where existing time horizons must be reduced from years down to months," DeMeo says. "We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happening daily, if we are going to change the asymmetric nature of today's threat landscape."</p>
<p>DeMeo also says he will be looking for more information from DHS, a department with a domestic mandate, about how it intends to address cybersecurity globally.</p>
<p>"The reality is that a large portion of Internet crime is driven from the international Wild West, from areas with lax law enforcement or actual nation-state sponsorship," he explains. "This problem is as much diplomatic as it is technological."</p>
<p>Two of the most vocal critics have been U.S. Representative Bennie G. Thompson (D-MS), ranking member of the House Homeland Security Committee, and U.S. Representative Cedric L. Richmond (D-LA), ranking member of the Cybersecurity and Infrastructure Protection Subcommittee and author of the legislation that originally mandated the strategy.</p>
<p>In a joint statement, Thompson and Richmond said the strategy is overly focused on policies and procedures that DHS needs to develop further.</p>
<p>"It also fails to mention—at any point—one of the most pressing cybersecurity challenges of the moment: election security," they said. "The fact is, because of the department's failure to adhere to the statutorily mandated deadline, it lost time and missed opportunities to make progress maturing its cybersecurity posture and capabilities."</p>
<p>The congressmen added that they hoped to see more information about how DHS plans to implement its strategy in another report, which is due to Congress by August 15, 2018.</p>
<p>"In particular, we expect it will provide greater detail on the roles and responsibilities that components will undertake, a description of any new authorities it needs to fulfill its mission to secure federal networks, as well as an explanation of what resources the department will need," Thompson and Richmond said.</p>
<p>As of <em>Security Management</em>'s press time, DHS had not submitted an implementation plan to Congress.</p>
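The DMARC requirement in Binding Operational Directive 18-01 discussed above is something an agency, or any other domain owner, can verify for itself from a single DNS TXT record. The Python below is an added example written for this page; it is not code from DHS, the directive, or Security Management. It parses a DMARC record as it would be published at _dmarc.&lt;domain&gt; and lists what keeps the record short of an enforcing p=reject posture (monitoring-only policy, partial pct rollout, a weaker subdomain policy, or no aggregate-report address). The example.gov domain, the mailbox names, and all sample records are constructed for illustration, not real DNS data. It generalizes beyond the federal case: the same checks apply to any organization rolling out DMARC.

```python
"""Parse and grade DMARC TXT records against an enforcing p=reject target.

Added example for this page (not DHS or Security Management code).  A DMARC
record is the TXT record at _dmarc.<domain>; everything here runs offline on
constructed sample records for the hypothetical domain example.gov.
"""
from dataclasses import dataclass, field

# Ordering used to compare policy strength for p= and sp=.
_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcRecord:
    policy: str                               # p=   action for the domain itself
    subdomain_policy: str                     # sp=  action for subdomains (defaults to p=)
    pct: int                                  # pct= share of failing mail the policy applies to
    rua: list = field(default_factory=list)   # rua= aggregate-report URIs
    ruf: list = field(default_factory=list)   # ruf= failure-report URIs
    adkim: str = "r"                          # DKIM alignment: r(elaxed) or s(trict)
    aspf: str = "r"                           # SPF alignment: r(elaxed) or s(trict)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse an RFC 7489 tag=value list separated by ';'.

    Raises ValueError on anything that is not a well-formed DMARC record so a
    malformed or unrelated TXT record is never graded as compliant by accident.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty record")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
    # RFC 7489 section 6.3: the version tag must come first and be exactly DMARC1.
    first_key = parts[0].split("=", 1)[0].strip().lower()
    if first_key != "v" or tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: first tag must be v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    policy = tags["p"].lower()
    if policy not in _STRENGTH:
        raise ValueError(f"unknown p= value: {tags['p']!r}")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in _STRENGTH:
        raise ValueError(f"unknown sp= value: {tags['sp']!r}")
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        raise ValueError(f"pct= must be an integer 0-100, got {pct_raw!r}")

    def uris(tag: str) -> list:
        return [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]

    return DmarcRecord(policy, sub_policy, int(pct_raw), uris("rua"), uris("ruf"),
                       tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower())


def grade_dmarc(rec: DmarcRecord) -> list:
    """Return the gaps between this record and an enforcing p=reject posture.

    An empty list means: reject applies to the domain and its subdomains, to
    100% of failing mail, and aggregate reports go to at least one address.
    """
    findings = []
    if rec.policy == "none":
        findings.append("p=none: failing mail is delivered and only reported, not blocked")
    elif rec.policy == "quarantine":
        findings.append("p=quarantine: failing mail is sent to spam, not rejected")
    if _STRENGTH[rec.subdomain_policy] < _STRENGTH[rec.policy]:
        findings.append(f"sp={rec.subdomain_policy}: subdomains are weaker than the parent domain")
    if rec.pct < 100:
        findings.append(f"pct={rec.pct}: policy is applied to only {rec.pct}% of failing mail")
    if not rec.rua:
        findings.append("no rua= address: nobody receives aggregate reports of who sends as this domain")
    return findings


def meets_reject_target(txt: str) -> bool:
    """True only for a well-formed record with no findings."""
    try:
        return not grade_dmarc(parse_dmarc(txt))
    except ValueError:
        return False


# Constructed sample records (hypothetical example.gov; not real DNS data).
SAMPLE_RECORDS = {
    "monitoring only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov",
    "partial rollout": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@example.gov",
    "subdomain gap":   "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.gov",
    "compliant":       "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.gov",
    "not DMARC":       "v=spf1 include:_spf.example.gov -all",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        try:
            findings = grade_dmarc(parse_dmarc(record))
        except ValueError as exc:
            print(f"[{label}] invalid: {exc}")
            continue
        print(f"[{label}] {'meets p=reject target' if not findings else 'short of target'}")
        for finding in findings:
            print(f"    - {finding}")
```

In practice the record is fetched with a DNS query such as `dig +short TXT _dmarc.example.gov` and the returned string passed to parse_dmarc. A clean grade is necessary but not sufficient: p=reject only stops spoofed mail if the domain's SPF and DKIM are correct for every legitimate sender, which is why the rua reports should be reviewed through a p=none and pct ramp before the switch to reject, or legitimate third-party mail will be bounced along with the forgeries.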

Related articles
Blockchain Buzz (2018-07-01): https://sm.asisonline.org/Pages/Blockchain-Buzz.aspx
On-Premise vs the Cloud (2018-05-25): https://sm.asisonline.org/Pages/On-Premise-vs-the-Cloud.aspx
Book Review: Mastering Bitcoin (2018-05-01): https://sm.asisonline.org/Pages/Book-Review---Mastering-Bitcoin.aspx
Critical Risk Management (2018-08-01): https://sm.asisonline.org/Pages/Critical-Risk-Management.aspx
Bridging Worlds (2018-07-01): https://sm.asisonline.org/Pages/Bridging-Worlds.aspx
Attacks on the Record (2018-06-01): https://sm.asisonline.org/Pages/Attacks-on-the-Record.aspx
How to Hack a Human (2018-01-01): https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspx
A New Social World (2017-12-01): https://sm.asisonline.org/Pages/A-New-Social-World.aspx
Book Review: Credit Card Fraud (2018-07-01): https://sm.asisonline.org/Pages/Book-Review---Credit-Card-Fraud.aspx
Artificial Adversaries (2018-06-01): https://sm.asisonline.org/Pages/Artificial-Adversaries.aspx
Cyber as Statecraft (2018-05-01): https://sm.asisonline.org/Pages/Cyber-as-Statecraft.aspx
Cybersecurity for Remote Workers (2018-02-12): https://sm.asisonline.org/Pages/Cybersecurity-for-Remote-Workers.aspx
Mobile Mayhem (2017-10-01): https://sm.asisonline.org/Pages/Mobile-Mayhem.aspx
AI: The Force Multiplier (2017-09-01): https://sm.asisonline.org/Pages/AI-The-Force-Multiplier.aspx

You May Also Like...

Cyber Trends
Security Management, 2016 | https://sm.asisonline.org/Pages/Cyber-Trends.aspx

<p>The security industry changes daily. And it’s fair to say that cybersecurity is changing even more rapidly as new threats, new attack methods, and new technologies continuously emerge. This means that cybersecurity professionals need to stay up to date as the threat landscape evolves to ensure that they are ready to meet the challenges of modern-day data security. Here, we look at some of the major issues that these professionals will be tasked with over the remainder of the year and heading into 2017.</p>
<p><strong>Brexit.</strong> In a historic decision in June, the United Kingdom voted to leave the European Union (EU), a decision commonly known as Brexit. Approximately 52 percent of voters chose to leave the EU and 48 percent to remain, with majorities in Scotland and Northern Ireland voting to remain.</p>
<p>While immediate concerns were focused on the economic upheaval, Brexit will also have an impact on the data sharing and data privacy agreements that the United Kingdom was previously part of as a member of the EU and its digital single market.</p>
<p>One major area of regulation that will need to be ironed out is the EU General Data Protection Regulation (GDPR), which is scheduled to take effect in 2018. It creates new privacy rights for EU citizens and requirements for businesses that handle EU citizens’ data (for more on this, read “Cybersecurity” from our August issue).</p>
<p>When the United Kingdom exits the EU, Britain may no longer be subject to the GDPR and may have to adopt its own framework.</p>
<p>Furthermore, the EU and the United States had negotiated for months to create the Privacy Shield program, which was designed to replace the Safe Harbor agreement that the Court of Justice of the European Union had ruled invalid in 2015. The United Kingdom’s exit from the EU, however, means that it may not be covered by Privacy Shield, which went into effect earlier this year.</p>
<p>Brexit could also be the catalyst to create a different framework altogether, says Yorgen Edholm, CEO of Accellion, a private cloud solutions company based in the United States.</p>
<p>“The one EU effort we have looked at very carefully is the new Safe Harbor agreement—Privacy Shield,” Edholm says. “I think the United Kingdom can say, ‘We have two options; we’re going to piggyback off of what the EU is doing, or we’re going to do something else with the United States.’”</p>
<p><strong>Talent shortage.</strong> Another major concern related to Brexit is whether the United Kingdom will be able to recruit talented cybersecurity workers. A recent study highlighted the lack of “digital skills” among people in Britain, which has looked to the EU to recruit employees to fill the void, according to a report by the Science and Technology Committee that was presented to the House of Commons earlier this year.</p>
<p>“Removing a flow of talent and expertise from Europe could deprive U.K. tech companies of an essential ingredient for sustained growth,” the International Business Times reported before the Brexit referendum. “Additionally, given that Britain’s tech scene—especially in London—is quite multicultural, start-up founders worry that leaving the European Union will make it much harder to hire the best employees.”</p>
<p>And this is not just a U.K. problem. Globally, 94 percent of executives reported that they are having trouble finding skilled candidates for cybersecurity jobs, according to a recent survey by the Information Systems Audit and Control Association (ISACA).</p>
<p>This problem, which is not a new one, is unlikely to go away anytime soon. The 2015 (ISC)² Global Information Security Workforce Study projected that by 2020, there will be 1.5 million unfilled information security positions.</p>
<p>“Signs of strain within security operations due to workforce shortage are materializing,” the report explained. “Configuration mistakes and oversights, for example, were identified by the survey respondents as a material concern. Also, remediation time following system or data compromises is steadily getting longer.”</p>
<p>This, in turn, leaves IT security professionals increasingly cornered into a reactive role of identifying compromises and addressing security concerns as they arise, instead of proactively mitigating the contributing factors, according to the report.</p>
<p>To compensate, many information security departments are increasing expenditures on security tools and technologies, and on managed and professional security service providers to augment existing staff.</p>
<p>However, more needs to be done to attract qualified workers to the cybersecurity industry. One new effort to do this was announced by Cisco earlier this year. The company will invest $10 million in a Global Security Scholarship and make enhancements to its security certification portfolio to help close the industry skills gap.</p>
<p>“Many CEOs across the globe tell us their ability to innovate is hampered by their security concerns in the digital world,” said Jeanne Beliveau-Dunn, vice president and general manager of Cisco Services, in a statement. “This creates a big future demand for skill sets that don’t exist at scale today. We developed this scholarship program to help jump-start the development of new talent.”</p>
<p>The scholarship is a two-year program designed in partnership with Cisco Authorized Learning Partners to address the critical skills deficit and provide the on-the-job readiness needed to meet current and future challenges of network security, according to a press release. As part of the scholarship program, Cisco also plans to offer training, mentoring, and certifications that align with the job of an analyst in a security operations center.</p>
<p>Scholarship awards became available on August 1 and are available to applicants who meet certain qualifications until the end of July 2017. To be considered for a scholarship, applicants must be at least 18, proficient in English, and have basic competency in one area, such as three years of combined experience in approved U.S. military job roles or Windows expertise.</p>
<p>Part of Cisco’s efforts will also concentrate on diversifying the IT security workforce so it includes veterans, women, and those just at the start of their careers. Reaching this audience is critically important, says David Shearer, CEO of (ISC)².</p>
<p>“New young people are not coming into the workforce,” Shearer explains. “That’s not a one- or two-year fix. Only 6 percent of the industry is below the age of 30. That’s a train wreck.”</p>
<p>Instead, the median age for information security professionals is 42, and workers are 90 percent male. These individuals are working longer hours, which can create problems with burnout and may cause many to move into a different career path “because the grind of the pace of the work is too much.”</p>
<p><strong>Accountability.</strong> The talent shortage, paired with the rise of cyber incidents, is also placing additional pressure on IT and security executives to communicate actionable data to their boards of directors—or risk termination, a new report says.</p>
<p>Research on U.S. corporations by Bay Dynamics, a cyber risk analytics company, found that “59 percent of board members say that one or more IT security executives will lose their job as a result of failing to provide useful, actionable information.”</p>
<p>This may be because boards are placing an ever-higher value on cybersecurity, with 89 percent of board members reporting that they are very involved in making cyber risk decisions for their organizations.</p>
<p>Twenty-six percent of board members also reported that cyber risks were their highest priority, while other risks, such as financial, legal, regulatory, and competitive risks, were termed “highest priority” by only 16 to 22 percent of surveyed members.</p>
<p>Coupled with that, the report found that 34 percent of board members indicated that they would provide warnings that improvements in reporting would need to be made before firing an executive.</p>
<p>But the report also highlighted “significant contradictions, such as while the majority (70 percent) of board members say they understand everything they’re being told by IT and security executives in their presentations, more than half believe the data presented is too technical.”</p>
<p>Overall, however, the report shows that boards are engaged and holding IT and security executives accountable for reducing risk, said Ryan Stolte, chief technology officer at Bay Dynamics, in a statement.</p>
<p>“Companies are headed in the right direction when it comes to managing their cyber risk,” Stolte explained. “However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbooks and making decisions based on the same set of requirements.”</p>
<p><strong>Encryption.</strong> By the end of this year, 65 to 70 percent of Internet traffic will be encrypted in most markets, according to a report by Sandvine, an intelligent broadband networks company. This year, 2016, was a major milestone in the life of encryption as companies from Apple to Facebook to Twitter to cloud service providers to WhatsApp embraced encryption across the board.</p>
<p>However, this move has ramifications for corporate security teams, which lose visibility into what is crossing their own networks when the traffic is encrypted, and for law enforcement, which loses its ability to gather certain kinds of digital evidence—an issue the FBI terms “Going Dark.”</p>
<p>“The issue for us is the inability to get access to digital evidence,” says Sasha Cohen O’Connell, the FBI chief policy advisor for science and technology. “This is not a situation where the U.S. Department of Justice is looking for new authorities; it is about exercising the authority we already have…and our inability to access content data, even with due process.”</p>
<p>To combat this, the FBI has gone to court against private companies to demand access to encrypted data, such as when it sought a court order compelling Apple to help it unlock an iPhone 5c used by one of the San Bernardino, California, shooters.</p>
<p>It has also been encouraging companies to use a form of encryption it terms provider access—where, for example, the data is encrypted on a smartphone but the smartphone’s manufacturer holds a key that can decrypt that data if it is served with a court order to do so.</p>
<p>This approach, however, has been met with criticism by technical experts, who argue that any such decryption capability is a deliberate weakness in the system: whoever obtains the provider’s key or abuses the access process, not only a court-authorized investigator, can read the data.</p>
<p>“Academically, they are correct,” O’Connell says. “Any entry point, no matter how managed, does introduce vulnerability. Of course it does. But over in the real world, where we use real products every day that for convenience, for advertising, for spam tracking, for a thousand reasons that make sense to us, we’re still within a reasonable risk or what the market has accepted as a risk.”</p>
<p>For more on the FBI’s stance on encryption and Going Dark, visit Security Management’s website for an exclusive interview with O’Connell.</p>
https://sm.asisonline.org/Pages/July-2018-ASIS-News.aspxJuly 2018 ASIS News<h4>​GSX Promises Vegas Flair</h4><p>World-class networking is a hallmark of the ASIS annual event. In Las Vegas this September, the Society is pulling out all the stops for Global Security Exchange (GSX), formerly the Annual Seminar and Exhibits. From bowling to luncheons to a reception at Drai's Nightclub, GSX offers countless opportunities to forge new connections and cement existing relationships at the industry's premier networking events.</p><p>Kick off the week on Sunday, September 23, by teaming up with friends and colleagues for the ASIS Foundation Golf Tournament at Bali Hai Golf Club, located next to the Las Vegas Strip. Registration includes breakfast, player gifts, and a buffet lunch, with event proceeds benefiting the ASIS Foundation. </p><p>On Sunday evening, the popular Brooklyn Bowl will be transformed into the GSX Opening Night Celebration. Don your bowling shoes and join thousands of peers for a fun-filled night of food, music, and catching up with friends. </p><p>The U.S. Outstanding Security Performance Awards (OSPAs) Luncheon on Monday provides an opportunity to celebrate excellence across the industry—from young professionals to managers to consultants, and more. The deadline to enter for U.S. OSPAs consideration is July 23. Apply at us.theospas.com/enter.</p><p>In addition to opportunities to connect with colleagues in the halls and while perusing the exhibits, the ASIS International Happy Hour on Tuesday on the show floor will celebrate the end of the first day of exhibits. Grab a drink and relive the highlights of the day.</p><p>Close the week in style at the annual President's Reception at Drai's Nightclub. 
At one of Las Vegas's most exclusive venues, guests will be treated to an evening of live entertainment, food and drinks, networking, and a view of the Strip from the 11th story capstone of the Cromwell hotel.</p><p>Register for an All-Access Pass before August 10 and save $100 on your ticket to these events and more. Visit GSX.org/register to sign up.​</p><h4>SECOND QUARTER GLOBAL EVENTS</h4><p>Excitement is building towards GSX this September in Las Vegas, as evidenced by the energy at the following events that took place in the second quarter of 2018. </p><p><strong>CSO Summit</strong></p><p>Transparency battles. Global rules in flux. Artificial intelligence. </p><p>Global chief security officers and deputies who attended the 11th Annual CSO Summit April 29 through May 1 at Target Plaza Commons in Minneapolis, Minnesota, grappled with how these and other change drivers will affect the security profession. </p><p>While key conversations and experiences—such as a private security tour of U.S. Bank Stadium—were prevalent, at center stage was a forward-looking agenda aiming to make sure security executives adapt and remain relevant to their organizations. </p><p>Futurist and cybersecurity professional Scott Klososky led off the conference by emphasizing that security leaders are responsible for looking into the future and—before anyone else—understanding how the world, their industry, and their businesses are changing, especially with an eye toward future risk. </p><p>For every cutting-edge technology solution or strategic advantage discussed throughout the event, there was equal and appropriate caution regarding unintended consequences. 
</p><p>For example, artificial intelligence will help security by enabling analysis of logarithmically more data, such as using HR records to identify insider threats, but it has to be implemented properly and with auditability because it can lead to algorithmic bias—that is, it could systematically discriminate against certain groups.</p><p>A common theme across the two days was to define security initiatives in terms of drivers and enablers of business and savings, rather than as sunk costs. Speakers shared examples of strategies they used to calculate the cost savings of implementing new security projects to justify those programs to the C-suite. </p><p>Another common theme was that the path forward for corporate security, and sustainable success in business, requires effective implementation of enterprise security risk management (ESRM), where the organization formally and holistically manages risk. </p><p>This can go hand-in-hand with a DevSecOps approach, where all employees are empowered to contribute to organizational safety and security, especially as it becomes more difficult to centralize response to the growing activities and vast data sources generated by modern business processes and systems.</p><p>CSOs and their deputies will have the opportunity to continue exploring the evolution of these change drivers and attend exclusive educational sessions in the CSO track at GSX in September. </p><p><strong>ASIS NYC</strong></p><p>Thousands of security and law enforcement professionals gathered at the Jacob K. Javits Center May 16 and 17 for the ASIS 28th New York City Security Conference and Expo to dive into networking, education, and exhibits at the Northeast's leading security event.</p><p>The event started with a Security Rocks welcome party at the Hard Rock Cafe on Tuesday evening. 
Live entertainment set the scene for fun and networking worthy of the Big Apple.</p><p>Conference education began Wednesday morning with a keynote from JPMorgan Chase Crisis Management Head Scott Morrison, who discussed emerging threats and trends. </p><p>The emerging trends theme continued throughout the day, via a panel discussing the legal and practical applications of drone technologies, a crash course on implementing ESRM to earn security a "seat at the table," and a talk from Facebook Chief Global Security Officer Nick Lovrien, who explored the challenges associated with securing Facebook's open office environment.</p><p>Thursday's education focused on active assailant attacks, with sessions devoted to emergency preparedness and vehicle-involved attacks. At Thursday's Person of the Year Luncheon, the ASIS New York City Chapter honored His Eminence Timothy Cardinal Dolan for his service to the people of New York.</p><p>On both days, a bustling expo floor provided attendees the opportunity to meet with some of the region's foremost solutions providers.</p><p><strong>ASIS Toronto Best Practices</strong></p><p>ASIS Toronto's largest educational event of the year, the 2018 Best Practices Seminar held on April 19, was its largest ever, with a full house of 200 attendees and speakers. It was the 25th annual seminar for the chapter.</p><p>For the first time, the event was held in the Grand Banking Hall of the Dominion Bank building at One King West in downtown Toronto. Attendees enjoyed a jam-packed day of presentations set against the historic ballroom's dramatic backdrop.</p><p>Themed #SecurityEmerging, the seminar featured topical sessions including hyperloop, ESRM, and cannabis. John Minster, physical security manager, TD Bank, discussed video analytics, demonstrating examples of how to apply basic analytics in a variety of real-world applications, with measurable results to the organization. 
The day concluded with a panel of experts who discussed the role of the security professional in dealing with workplace sexual assault. </p><p>The 26th Annual Best Practices Seminar will be held on April 11, 2019. Visit asistoronto.org for details.​</p><h4>ESRM: MID-YEAR UPDATE</h4><p>By Tim McCreight, CPP, and Rachelle Loyear.</p><p>The ASIS ESRM Initiative is now at its halfway point for 2018. During the leadership sessions held in Washington, D.C., in January, ASIS made it clear that enterprise security risk management (ESRM) is a priority for the Society today, and into our future. As co-chairs of this important work, we are pleased to share a status report detailing the efforts to infuse ESRM into the Society's programs and services. </p><p>It is with great pride we can say that in the past six months, the ESRM Initiative has accomplished a number of significant achievements. Four value streams were established, each led by a subject matter expert and a representative from the ASIS Board of Directors. </p><p>They focus on Education, Standards and Guidelines, Marketing/Branding, and Maturity Model Tool. We are already seeing the fruits of these groups' labor with the following initiatives well underway:</p><p>•   Education. An ESRM webinar, including definitions and key points, was developed to ensure that all the ESRM presenters at Global Security Exchange (GSX) are "singing from the same songbook." In addition, a draft glossary of terms has been created and an ESRM 101 training will be available by GSX. </p><p>•   Standards and Guidelines. A draft ESRM guideline is on track to be completed by GSX. This document outlines an approach to security program management using risk principles to link an organization's security practice to its mission and goals. 
The working guideline also describes the concept of ESRM, including its four principal elements, as well as additional steps security professionals can take to strengthen an ESRM effort, bring it to maturity, and maintain it over time. </p><p>•   Maturity Model Tool. Requirements for the tool have been established and a request for proposal for a supplier has been disseminated. </p><p>•   Marketing and Branding. An ESRM slide deck was distributed to all chapter and council leaders, and several articles have been written detailing the need for security professionals to apply ESRM within their organizations. </p><p>There is a great deal of rigor and project management going on behind the scenes within the ESRM Initiative, and it shows. The value streams are all on track to deliver their key project updates by GSX, and there will be a number of educational sessions at GSX to showcase some of the deliverables, including a pre-conference program workshop.</p><p>Check the GSX program guide to see all the ESRM sessions for 2018, and feel free to contact us at esrm@asisonline.org if you have questions or would like more information on any of the value streams.</p><p>Tim McCreight, CPP, is ESRM Initiative board sponsor, and Rachelle Loyear is ESRM Initiative program manager.</p><h4>EXECUTIVE PROGRAM</h4><p>Wharton/ASIS Program for Security Executives: Making the Business Case for Security.</p><p>October 21-26.</p><p>Philadelphia, Pennsylvania.</p><p>With so many new threats confronting today's organizations, corporations are challenged by competing security priorities, as well as how to invest their resources wisely. </p><p>How do they best protect their employees and their organizations' networks and data from harm? 
As a security professional, how do you communicate the security story so leaders fully understand the costs, benefits, and risks of not having a comprehensive strategy?</p><p>Designed for senior security leaders, the Wharton/ASIS Program for Security Executives will enhance participants' business acumen and effectiveness in key areas of strategy, negotiation, critical thinking, and managing change. Attendees will gain the leadership and management skills needed to help them work more effectively and communicate the bottom-line impact of security decisions to the C-suite—so security priorities can be moved forward. </p><p>Through interactive lectures, exercises, and case studies, both in the classroom and in smaller work groups, this custom-designed program will enable participants to create effective security strategies in a fast-changing, global environment. Attendees will come away with a strategic toolbox that will help put these business skills into immediate practice, as well as recognition of their own leadership and communication strengths.</p><p>ASIS members save $1,000 (and CSO Center members qualify for an additional discount) on the regular program fee—which includes all meals and accommodations. Visit asisonline.org/wharton to learn more and apply.</p><h4>IT SECURITY COUNCIL SPOTLIGHT</h4><p>"Cybersecurity is like painting a bridge," says ASIS Information Technology Security Council Vice Chair Robert Raffaele, CPP. "As soon as you decide on a practice and implement it, it's time to start over again. 
The technology advances so rapidly that documented best practices can quickly become obsolete."</p><p>The IT Security Council carries the unique burden of sharing its members' world-class information security expertise in forms that won't be outdated by the time they reach their audience.</p><p>Earlier this year, the council published Security on the Internet of Things: An Enterprise Security Risk Management Perspective, a white paper examining risks security professionals need to keep in mind as today's devices become more and more connected.</p><p>Given the nature of IT security, the council emphasizes person-to-person knowledge-sharing—timely advice delivered when it's needed most. This September, the council will sponsor 11 education sessions at GSX. These sessions will cover topics like cyber terrorism, mobile device security, cybersecurity for physical security professionals, emerging technologies, safe cities, and more.</p><p>The council also offers itself as a yearlong resource, connecting security professionals with the appropriate council members and trusted industry experts needed to tackle real-time IT security problems.</p><p>"In security, trust is such a big factor," says 2018 Council Chair Jeff Sieben, CPP. "It's so much easier to rely on a particular process when that process has been vetted by someone you trust. As a council, we're happy to be that bridge between members and the reliable, immediate information they need."</p><p>Sieben says the council's role is to be a consultative body of subject matter experts. </p><p>"This council's greatest asset is members who stay current and are available to talk about current topics," he says. "Our members are plugged into the greater IT security sphere, contributing to ISACA, ISSA, SIA, (ISC)2, and more."</p><p>To consult with the IT Security Council, email council leadership or message a council member on ASIS Connects. The full council roster can be found on the council's community page. 
Search "Information Technology Security Council."</p><h4>ASIS LIFE MEMBERS</h4><p>ASIS congratulates Eduardo Martinez Fulgencio, CPP; Leonard A. Rosen; and H. John Bates, CPP, who were granted lifetime ASIS membership.</p><p>Fulgencio served as an ASIS assistant regional vice president for many years. He also held the positions of chapter newsletter chair, chapter chair, treasurer, and chapter program chair for the Philippines Chapter of ASIS. He has been a member of ASIS for more than two decades.</p><p>Rosen and Bates were automatically honored with the lifetime award for their continuous membership of more than 50 years. ASIS is grateful for their loyalty for more than half a century.</p><h4>MEMBER BOOK REVIEW</h4><p><em>Private Security and the Law, Fifth Edition</em>. By Charles P. Nemeth. CRC Press; crcpress.com; 739 pages; $89.95.</p><p>As the security profession makes strides in education and training, there is a concurrent need for books that light the path. Dr. Charles Nemeth has written such a book: <em>Private Security and the Law. </em>This fifth edition is a big one, both in size and what it has to say. The author has significant experience as both a security practitioner and a scholar. In this book, he nimbly toggles between the two worlds, presenting a viewpoint that is unbiased and comprehensive.  </p><p>Nemeth acknowledges the tension between public policing and private security, while showing how the two can work symbiotically. The first chapter presents the historical underpinnings of the profession, giving a rich history of private security protection. </p><p>The next chapters focus on regulation and licensing; the law of arrest, search, and seizure; civil causes of action; criminal culpability and the private security industry; and evidentiary issues. These chapters help the reader understand how complex areas of the law relate to the security profession.  
</p><p>As both an attorney and a professor of security management, I would refer to this book because it presents statutory and common law elements and legal explanations in a straightforward manner, while also presenting case law and helpful study questions. I appreciate the standout inserts that allow readers to update their knowledge, as well as the citations of websites, handy tables, charts, and sample forms sprinkled throughout the book.</p><p>Bringing it all together are Chapter 7, a model for cooperation between public and private law enforcement, and Chapter 8, a compilation of seminal case law. Nemeth has this to say about the roles of public policing and private security: "Factionalism is surely not a fixed state for either side of the policing model. What appears more likely on the horizon is the recognition that these are two armies operating under one flag."</p><p>I highly recommend this book for the classroom, the security practitioner seeking to know more about the law, and the lawyer representing a security provider as a client. This fifth edition is a monumental work, deserving of space in the libraries of students, lawyers, and security professionals.</p><p><em>Reviewer: Lydia R. Wilson, CPP, is an attorney admitted to practice law in Virginia, New York, and Florida. She is a member of the ASIS Information Asset Protection and Pre-Employment Screening Council.</em></p>
https://sm.asisonline.org/Pages/Scanning-the-Schoolyard.aspx
<h4>Scanning the Schoolyard</h4><p>Relationships between students and campus law enforcement have been key to establishing an environment of safety and security at Delaware Valley School District, which encompasses 200 square miles in northeastern Pennsylvania.</p><p>"Kids have come to the police officers…and told them about potential threats that we've been able to curtail before they've happened," says Christopher Lordi, director of administrative services for the district.</p><p>About eight years ago, the rural district decided to employ its own sworn police force and hired five officers, including a chief of police. It has since added a sixth.</p><p>"Having a police force not only gives us a presence of an armed person to counteract any issues that we may have, but it also allows us to create relationships with students," Lordi says.  </p><p>The officers are a presence on the three campuses that make up the district. They may be found teaching and conducting Internet safety classes and anti-drug programs. </p><p>"Not only are they our first line of defense, but they're also relationship builders, and they create positive environments where kids will feel comfortable to come and tell them things," Lordi says.</p><p>Still, the officers and faculty can't be everywhere at once when incidents do occur, which is why the district installed a camera and video management system (VMS) about 10 years ago. </p><p>"It doesn't matter how many administrators you have, how many teachers you have, how many officers you have," Lordi notes. "They can't be everywhere at once, so the cameras allow us to be in those places when somebody can't." </p><p>As the original cameras and VMS were becoming outdated, Delaware Valley's board was supportive of purchasing a new system. 
The district worked with integrator Guyette Communications of Plymouth, Pennsylvania, and chose the Vicon Valerus VMS system, as well as approximately 400 cameras, also from Vicon. Installation began in March 2017 and ended just before the new school year began in August. </p><p>The cameras, the majority of which are the 3 megapixel IQeye Alliance dome model, were installed inside and outside of the district's eight buildings. The Vicon Cruiser domes with 30x optical zoom were purchased for the parking lots to better read license plate numbers. Campus police have access to a license plate database, so no license plate recognition software is needed, but Vicon does integrate with such software should customers need that feature. </p><p>In addition to feeding into a central video server at a district-wide monitoring station, each building has its own local recording capability and stores video for a set number of days. </p><p>Delaware Valley is expanding a career and technical education wing, which includes 25,000 square feet of classrooms and workspace. The school plans to install more cameras there.  </p><p>The district police force is responsible for managing the VMS, and each officer has a hardwired PC monitoring station to view video feeds. Campus police also have access to footage via iPhones purchased by the district and use them to see what's going on at their campuses. </p><p>"When we need to view something quickly our officers can go right on their iPhones and view it right from there, which is handy if you don't have the ability to get back to your computer," Lordi says. </p><p>Giving all officers access to the entire district's camera feeds was also crucial. "We did that for backup purposes," he says. 
"If anything were to happen on one of the campuses, all of the officers—after they secure their buildings—can go on and be the eyes and ears for our officers on those other campuses."</p><p>Soon after the cameras were installed, the new system led to the capture of a thief. In the spring of 2017, when a laptop went missing, the video was reviewed in the general time frame that the incident occurred. It revealed an employee going into an administrative office with a garbage bag, then coming back out. </p><p>"We could zoom in, and you could see that the bag was significantly larger when the employee came out," Lordi notes, adding that the old camera system would not have been clear enough to identify the culprit. The footage was turned over to local police, who apprehended the employee. That person has since resigned. </p><p>The detail captured by the cameras also helped solve an incident in the parking lot. Lordi notes that the main campus is in a high-traffic area, which can attract unwanted activity. </p><p>"We were able to pull the license plate from one person that had an incident on campus...and track the person down," Lordi explains. "It just provides another layer of security, so we know who's on the campus and what time they leave the campus."</p><p>While the district currently hands footage over to law enforcement after the fact, it's working on a memorandum of understanding with local police and hopes to establish a network that allows police to view video from the campuses live. "We're currently working on a strategy to get them involved beforehand," Lordi says. </p><p>With the combination of its police force and the camera system, Delaware Valley has seen a significant reduction in incidents on campus. </p><p>"When our officers first started we had something like 200 to 250 incidents that our administrators were dealing with; I think last year we had 36," he says. 
</p><p>The Valerus VMS and cameras give campus police and administrators peace of mind about their ability to solve incidents, and ultimately keep students safe. </p><p>"It allows us to feel secure knowing that it's going to be on camera if someone doesn't view or witness it live," Lordi says. "We can always view it on the cameras later."  </p><p><em>For more information: Dee Wellisch, dwellisch@vicon-security.com, www.vicon-security.com, 631.952.2288.</em></p>