Cloud Security

Trump’s Cybersecurity Executive Order Well Received by Experts
https://sm.asisonline.org/Pages/Trump’s-Cybersecurity-Executive-Order-Well-Received-by-Experts.aspx
Category: Cybersecurity. Published 2017-05-12. By Megan Gates (https://adminsm.asisonline.org/pages/megan-gates.aspx)

<p>After months of waiting and leaked drafts, U.S. President Donald Trump signed a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal" target="_blank">cybersecurity executive order</a> yesterday that aims to strengthen U.S. government networks and critical infrastructure.</p>
<p>The executive order is broken into three parts—securing U.S. government networks, enhancing critical infrastructure cybersecurity, and cybersecurity for the nation—and is an effort to change the course of the U.S. government’s cyber posture, said Tom Bossert, White House homeland security advisor, in a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/press-briefing-principal-deputy-press-secretary-sarah-sanders-and">press briefing on the order</a>.</p>
<p>A key element of the executive order is looking at the U.S. government’s cybersecurity as a whole—not as 190 separate agencies, Bossert explained.</p>
<p>“We need to look at the federal government as an enterprise, so that we no longer look at the Office of Personnel Management (OPM) and think, ‘Well, you can defend your OPM network with the money commensurate for the OPM responsibility,’” he said. “OPM, as you know, had the crown jewel, so to speak, of our information and all of our background and security clearances.</p>
<p>“What we’d like to do is look at that and say, ‘That is a very high risk, high cost for us to bear. Maybe we should look at this as an enterprise and put collectively more information in protecting them than we would otherwise put into OPM looking at their relevant importance to the entire government.”</p>
<h4>Government Networks</h4>
<p>“The first priority for the president and for our federal government is protecting our federal networks,” Bossert explained. “I think it’s important to start by explaining that we operate those federal networks on behalf of the American people, and they often contain the American people’s information and data, so not defending them is no longer an option. We’ve seen past hacks and past efforts that have succeeded, and we need to do everything we can to prevent that from happening in the future.”</p>
<p>As part of that effort, the executive order said the president will hold executive department and agency heads accountable for managing cybersecurity risk to their enterprises. Under the order, they will implement risk management measures “commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”</p>
<p>Anthony J. Ferrante, senior managing director in the Global Risk & Investigations Practice at FTI Consulting and former director for cyber incident response at the National Security Council, says he’s glad to see this change in the federal government’s posture.</p>
<p>“In the years following the OPM attack, it is nice to see that the administration recognizes that it operates federal networks on behalf of the American people, and it is a strong move to say that the president is going to hold the heads of departments and agencies accountable for the cybersecurity of their networks,” Ferrante adds.</p>
<p>Additionally, agency and department heads are required to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage their respective organization’s risk. Each agency has been instructed to provide a risk management report to the secretary of the Department of Homeland Security and the director of the Office of Management and Budget (OMB) within 90 days.</p>
<p>“We have practiced one thing and preached another,” Bossert said. “It’s time for us now…to implement the NIST framework. It’s a risk-reduction framework.”</p>
<p>Requiring government agencies to adopt the NIST framework—like the private sector has been encouraged to do—is a positive step, says Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC).</p>
<p>“The acknowledgement of risk acceptance is significant,” Harrell explains. “Within all IT systems, we have the ability to accept, avoid, mitigate, or transfer risk.”</p>
<p>Also part of the executive order’s plan to modernize government IT and manage risk is a directive that agency heads show preference in their procurement for shared IT services, including e-mail, cloud, and cybersecurity services.</p>
<p>“We have 190 agencies that are all trying to develop their own defenses against advanced protection and collection efforts,” Bossert said. “I don’t think that that’s a wise approach.”</p>
<p>Utilizing shared IT services does come with risk, but it will put the federal government in a better position to manage those risks, Bossert added.</p>
<p>“I’m not here to promote for you that the president has signed an executive order and created a cybersecure world in a fortress USA,” he said. “That’s not the answer. But if we don’t move to secure services and shared services, we’re going to be behind the eight ball for a very long time.”</p>
<p>This is a positive step, says Will Ackerly, chief technology officer at Virtru and former lead security architect for the National Security Agency’s (NSA’s) first cross-domain cloud.</p>
<p>“It’s positive if managed well. The risk and threat change with on-premise to cloud,” Ackerly explains. “When you move to Google, you now all of a sudden have many security engineers online on a real-time basis available to essentially protect your data. The trade is, you don’t have the same kind of direct control or insight…into how your data is being accessed.”</p>
<p>Agencies and departments will also have to avoid creating a monoculture, or choosing the same platform across the board, because if there is a problem with the technology or an attack on it, there could be a “massive issue,” Ackerly adds.</p>
<p>Overall, however, utilizing shared services is a step in the right direction as it will free agencies up to “focus on what they’re good at—their core mission—instead of having to figure out over and over the same IT programs,” he says.</p>
<p>The government’s ability to do this successfully, however, will depend on its ability to secure funding and change its purchasing constraints around technology—which may require Congressional action.</p>
<p>“The majority of [these agencies’] budget is spent on legacy systems,” says John Dickson, CISSP, principal at Denim Group and former U.S. Air Force officer who served in the Air Force Information Warfare Center. “If you are spending a lot of money, and 75 percent of that is to maintain what you have, you simply are not going to be able to put a dent in this problem.”</p>
<p>Another area that gives some experts pause, however, is that the agency risk management reports may be classified in full—or in part—and not available to the public.</p>
<p>“Particularly when you’re talking about trying to manage risk across many, many agencies, that requires good information sharing,” Ackerly adds. “I think it can be a lot harder when there isn’t transparency, at least at the core level.”</p>
<p>He also raised concerns about the number of reports and assessments the executive order has asked government officials to compile to analyze the federal government’s cybersecurity posture and path forward.</p>
<p>“A lot of these reports end up sitting on shelves; a lot of work is going to go into producing these things and updating them,” Ackerly says, adding that it might have been a better idea to create a position of a cybersecurity czar to manage this process so there’s “clear central authority that coordinates actions that the CISOs are accountable to…I worry that this might be another paper exercise.”</p>
<h4>Critical Infrastructure</h4>
<p>The second portion of the executive order focuses on critical infrastructure cybersecurity and calls for reports to identify ways that agencies could support the cybersecurity efforts of critical infrastructure entities that are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” according to the order.</p>
<p>In particular, the order asks the secretaries of energy and homeland security, with the director of national intelligence and local authorities, to assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident.</p>
<p>Harrell says electric utilities are well positioned to aid the government in this effort and provide a report to the president.</p>
<p>“The NERC Grid Security Exercise is a notable example of how the industry has taken cyber threats seriously, and while many lessons have been derived from the national exercise, industry understands the magnitude of a wide-area disruption due to a security event,” Harrell explains. “I would strongly recommend that the Department of Energy reach out to NERC, utilities, and industry trade associations to compile their findings as many lessons-learned have already been documented and acted upon.”</p>
<p>The executive order also calls for the secretaries of commerce and homeland security to identify and promote action by stakeholders to improve the resilience of the telecommunications industry to “dramatically” reduce the number of botnet attacks in the United States.</p>
<p>This will require cooperation from the private sector, particularly from Sprint, AT&T, Verizon, and other carriers, Dickson says. “All the people that are essentially providing Internet and phone connectivity, because there’s certain things they can do in real-time to make it harder for those types of attacks to propagate.”</p>
<p>Not to be ignored, however, are potential strides the government could make with device manufacturers, Ackerly says, who could be encouraged to create devices that are inherently more secure and less likely to be compromised and part of a botnet.</p>
<p>One action Ackerly says he thinks would be a risky choice for the government would be to encourage active attacks to prevent botnet attacks.</p>
<p>“The military has authority to do active attacks,” he explains. “I don’t think we want to encourage companies to break the law and respond directly to take down systems that are not their own that are trying to interfere with their services.”</p>
<h4>National Security</h4>
<p>The final section of the executive order deals with ensuring that the Internet remains valuable for future generations by deterring cyberattacks and investing in the nation’s future workforce.</p>
<p>The order calls for the secretaries of state, treasury, defense, commerce, homeland security, and the attorney general, among others, to submit a report to the president on the nation’s strategic options for deterring adversaries and protecting Americans from cyber threats. It also requires the secretaries to document a strategy for international cooperation in cybersecurity.</p>
<p>“The Russians are not our only adversary on the Internet, and the Russians are not the only people that operate in a negative way on the Internet,” Bossert said. “The Russians, the Chinese, the Iranians, other nation states are motivated to use cyber capacity and cyber tools to attack our people and our governments and their data.</p>
<p>“That’s something we can no longer abide. We need to establish the rules of the road for proper behavior on the Internet, but we also then need to deter those who don’t want to abide by those rules,” he said.</p>
<p>The executive order also calls for an assessment of the scope of current efforts to educate and train the American cybersecurity workforce of the future to maintain the United States’ competitive advantage.</p>
<p>Harrell says he found this inclusion in the executive order encouraging. “In a world of constant cyberattacks and massive data breaches, cybersecurity is more important today than ever before,” he adds. “As Americans become more dependent on modern technology, the demand to protect the nation’s digital infrastructure will continue to grow. Many organizations are desperate to find qualified security professionals and fill key staff positions. Promoting professional education, training, and STEM classes will start to bridge the cybersecurity workforce gap.”</p>

Related articles in the Cloud Security topic (title, publication date, URL):

Trump’s Cybersecurity Executive Order Well Received by Experts (2017-05-12): https://sm.asisonline.org/Pages/Trump’s-Cybersecurity-Executive-Order-Well-Received-by-Experts.aspx
Seminar Sneak Peek: Moving to the Cloud Repositions Security (2016-08-16): https://sm.asisonline.org/Pages/Seminar-Sneak-Peek---Moving-to-the-Cloud-Repositions-Security.aspx
New Data Rules (2016-08-01): https://sm.asisonline.org/Pages/New-Data-Rules.aspx
Operating Blind (2016-03-01): https://sm.asisonline.org/Pages/Operating-Blind.aspx
Privacy Shield Is Here—What This Means For Your Company (2016-02-09): https://sm.asisonline.org/Pages/Privacy-Shield-Is-Here--What-That-Means-For-Your-Company.aspx
Book Review: Big Data (2016-02-01): https://sm.asisonline.org/Pages/Book-Review---Big-Data.aspx
On the Record (2016-01-14): https://sm.asisonline.org/Pages/On-the-Record.aspx
Conducir hacia el desastre (Driving Toward Disaster) (2015-07-08): https://sm.asisonline.org/Pages/Conducir-hacia-el-desastre.aspx
Building Cyber Awareness (2015-05-18): https://sm.asisonline.org/Pages/Building-Cyber-Awareness.aspx
Passing the Biometrics Test (2015-03-01): https://sm.asisonline.org/Pages/Passing-the-Biometrics-Test.aspx
Chain Reaction (2015-01-01): https://sm.asisonline.org/Pages/Chain-Reaction.aspx
The Password Problem (2014-12-01): https://sm.asisonline.org/Pages/the-password-problem.aspx
Cyber Crusaders (2014-11-01): https://sm.asisonline.org/Pages/Cyber-Crusaders.aspx
Q&A: What Are Today's Biggest Malware Challenges? (2014-10-01): https://sm.asisonline.org/Pages/QA-What-are-Today's-Biggest-Malware-Challenges.aspx
NSA's Actions Threaten U.S. Economy and Internet Security, New Report Suggests (2014-07-29): https://sm.asisonline.org/Pages/nsas-actions-threaten-us-economy-and-internet-security-new-report-suggests-0013601.aspx
Cloud Technology (2013-10-01): https://sm.asisonline.org/Pages/cloud-technology-0012811.aspx
Computing in the Cloud (2013-10-01): https://sm.asisonline.org/Pages/Computing-in-the-Cloud.aspx (also archived at https://sm.asisonline.org/migration/Pages/computing-cloud-0012789.aspx)
Experts Weigh In On 2013 Cyberthreats (2012-12-25): https://sm.asisonline.org/Pages/experts-weigh-2013-cyberthreats-0011218.aspx
Cloud Security Implications in File Sharing Site Case (2012-11-07): https://sm.asisonline.org/Pages/cloud-security-implications-file-sharing-site-case-0010835.aspx

You May Also Like...

Building Cyber Awareness
https://sm.asisonline.org/Pages/Building-Cyber-Awareness.aspx
Category: Cybersecurity

<p>Early in 2009, while working the night shift as a contract security guard, Jesse William McGraw infiltrated more than 14 computers at the North Central Medical Plaza in Dallas, Texas. McGraw, who is the self-proclaimed leader of the hacking group Electronik Tribulation Army, installed a program on the computers that would allow him to remotely access them to launch DDoS (distributed denial of service) attacks on rival hacking organizations’ websites.</p>
<p>Among the computers McGraw hacked into were a nurses’ station computer—which had access to patient information protected by the Health Insurance Portability and Accountability Act (HIPAA)—and a heating, ventilation, and air conditioning computer that controlled the airflow to floors used by the hospital’s surgery center. Over several months in 2009, McGraw further compromised the hospital’s network by installing malicious code and removing security features, making the network even more vulnerable to cyberattacks.</p>
<p>To document his work, McGraw made a video and audio recording of his “botnet infiltration.” Set to the theme of Mission Impossible, McGraw described his actions: accessing an office and a computer without authorization, inserting a CD containing the Ophcrack password-cracking program into the computer to bypass security, and inserting a removable storage device, which he claimed contained a malicious code or program. McGraw then posted the video to the Internet, asking other hackers to aid him in conducting a “massive DDoS” on July 4, 2009.</p>
<p>His online actions attracted the attention of the FBI, which, five days before his planned attack, arrested him on two charges of transmitting malicious code. McGraw pled guilty to the charges and was sentenced to 110 months in federal prison in 2011.</p>
<p>An attack similar to McGraw’s is even more worrisome now as companies are increasingly using building systems and access control systems that are connected to computers. Between 2011 and 2014, the number of cyber incidents reported to the U.S. Department of Homeland Security (DHS) that involved industrial control systems grew from 140 to 243 incidents—an increase of 74 percent.</p>
<p>Yet many private and public entities aren’t addressing the cyber risks associated with these systems. In fact, according to a Government Accountability Office (GAO) report, DHS is not assessing or addressing cyber risks to building and access control systems at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) at all.</p>
<p>“DHS has not developed a strategy, in part, because cyber threats involving these systems are an emerging issue,” the GAO found in its recent report. “By not developing a strategy document for assessing cyber risk to facility and security systems, DHS and, in particular, [the National Protection and Programs Directorate] have not effectively articulated a vision for organizing and prioritizing efforts to address the cyber risk facing federal facilities that DHS is responsible for protecting.”</p>
<p>Within most federal facilities there are building control systems that monitor and control building operations such as elevators, electrical power, heating, ventilation, and air conditioning. Many of these systems are connected to each other and to the Internet, making them extremely vulnerable to cyberattacks that could compromise security measures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities or occupants, the GAO reports. For instance, a cyberattack could allow people to gain unauthorized access to facilities, damage temperature-sensitive equipment, and provide access to information systems.</p>
<p>And perpetrators aren’t just limited to outside actors; they can also come from insider threats. “Insider threats—which can include disgruntled employees, contractors, or other persons abusing their positions of trust—also represent a significant threat to building and access control systems, given their access to and knowledge of these systems,” the report explains.</p>
<p>Under the Homeland Security Act of 2002, DHS is required to protect federal facilities as well as people inside those facilities. As part of that responsibility, DHS’s National Protection and Programs Directorate (NPPD) is in charge of strengthening the security and resilience of U.S. physical and cyber-critical infrastructure against terrorist attacks, cyber events, natural disaster, or other catastrophic incidents.</p>
<p>Yet as a department, DHS lacks a strategy that defines the problem and identifies the roles and responsibilities for cyber risk to building and access control systems, according to the GAO. Also, the report notes that DHS has failed to analyze the necessary resources or identify a methodology for assessing such risk.</p>
<p>Additionally, the Interagency Security Committee (ISC), the body responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyberthreats to building and access control systems into its Design-Basis Threat report. The report aims to set standards based on leading security practices for all nonmilitary federal facilities to “ensure that agencies have effective physical security programs in place.”</p>
<p>However, cybersecurity has not been added to the report because “recent active shooter and workplace violence incidents have caused ISC to focus its efforts on policies in those areas first,” according to the GAO report. But the office has reported that “incorporating the cyber threat to building and access control systems in ISC’s Design-Basis Threat report will inform agencies about this threat so they can begin to assess its risk.”</p>
<p>Furthermore, the General Services Administration (GSA) has not “fully assessed” the risk of a cyberattack on building control systems consistent with the Federal Information Security Management Act of 2002 (FISMA) or its implementation guidelines. According to the GAO’s report, GSA has assessed security controls of building control systems, but has not fully assessed the elements of risk, such as threats, vulnerabilities, and consequences.</p>
<p>“For example, five of the 20 reports [GAO] reviewed showed that GSA assessed the building control device to determine if a user’s identity and password were required for login, but did not assess the system to determine if password complexity rules were enforced,” the GAO reports. “This could potentially lead to weak or insecure passwords being used to secure building control systems.”</p>
<p>Coleman Wolf, CPP, security lead for global engineering consulting firm ESD, said he was not surprised by the office’s overall findings. “The part that does surprise me is that some of the assessment that is supposed to go on is not going on, or the plans are not in place to conduct those assessments,” says Wolf, who is also the chair of the ASIS International IT Security Council. “I would expect that on the private sector side, but I just thought there were more stringent plans in place on the federal side.”</p>
<p>However, Wolf says he doesn’t think there will be a big drive for changes in assessing cyber risk of building systems until it begins to impact people at a personal level in their own homes. “As people start to see these kinds of potential consequences, I think people will start to demand more be done to assess and rectify these kinds of threats,” he predicts.</p>
<p>While the private sector begins to focus on building control systems, the public sector is complying with GAO’s recommendation that the appropriate government agencies should take steps to assess cyber risks.</p>
<p>“We [at DHS] are working to develop a strategy for addressing cyber risk to building and access control systems,” says S.Y. Lee, a DHS spokesman. “This strategy will utilize best practices and lessons learned from the private sector experiences of the DHS National Cybersecurity and Communications Integration Center’s Industrial Control Systems Cyber Emergency Response Team (CERT).”</p>
<p>The ISC is also working with DHS’s US-CERT and ICS-CERT to incorporate potential cyber risks to buildings and access control systems into the Design-Basis Threat Report and Countermeasures Appendix. As the next step of the process, ISC will meet with GSA and other agencies to plan a comprehensive review of cyber risks to building access control systems.</p>
<p>It will then issue additional guidance to its federal partners on appropriate countermeasures in the next annual review of its Design-Basis Threat Report, which is scheduled for release in October 2015, according to a DHS official.</p>
<p>GSA also agreed with the findings of the report and said it will take “appropriate action” to make sure its assessments of cyber risks to building control systems are compliant with FISMA and implementing guidelines, according to a letter included in the report by Dan Tangherlini, a GSA administrator.</p>
<p>However, GSA did not respond to requests for comment before press time on what specific actions it planned to take to address cyber risks.</p>
Book Review: Hacked Again
https://sm.asisonline.org/Pages/Hacked-Again.aspx
Category: Cybersecurity

<p>ScottSchober.com Publishing; ScottSchober.com, 202 pages; $34.95</p>
<p>If you are seeking useful security advice on how to mitigate or prevent cybersecurity breaches, <em>Hacked Again</em> is a good resource to have in your library.</p>
<p>Author Scott Schober, a business owner and wireless technology expert, discusses pitfalls that all businesses face and the strategies used to mitigate cyberattacks. He discusses malware, email scams, identity theft, social engineering, passwords, and the Dark Web.</p>
<p>Another important concept is having systems in place to enable information access both as the data breach is occurring and afterwards. Most companies’ IT departments will have an incident response team; however, the individual user needs to know what to do when breached. Schober offers advice for that.</p>
<p>The abundance of personal information on social media is another concern of the author’s. He states that we are twice as likely to be victims of identity theft from these sites. He also reminds us that no matter how we try to eliminate risk, we’re never completely protected from a cyberattack.</p>
<p>Many cybersecurity books are more advanced, but Schober’s style is easy to follow, and he explains concepts and theories without confusing the reader. When concepts become overly technical, he incorporates scenarios to explain what these technical terms mean. Students, IT professionals, and novices would benefit from this book. They will learn that everyone must be aware of cybersecurity and stay on top of evolving trends.</p>
<p>--</p>
<p><em><strong>Reviewer: Kevin Cassidy</strong> is a professor in the security, fire, and emergency management department at John Jay College of Criminal Justice. He is a member of ASIS.</em></p>
https://sm.asisonline.org/Pages/How-to-Build-a-Culture-of-Security.aspxHow to Build a Culture of Security<p>​<span style="line-height:1.5em;">“</span><span style="line-height:1.5em;">Security is everyone’s business” may be a popular truism in the industry, but how many security managers can honestly say this philosophy is practiced by their companies? Some organizations have regular incidents in which employees simply disregard security rules and regulations. Sometimes, even the leaders of a company will disobey security and safety rules out of a sense of entitlement—these rules are for employees, not executives.</span></p><p>These lapses can be costly. It is only when everyone associated with the company adheres to and executes security rules and practices on a daily basis that a firm can credibly claim that it maintains a true culture of security.    </p><p>To determine whether a company encourages an effective security culture, company leaders should start by determining whether it adheres to the appropriate best practices. The security department should develop and communicate security rules, practices, and procedures to employees, contractors, visitors, and vendors. Executives must lead by example and follow all security practices and procedures. Employees must take care of their security responsibilities at work, such as locking their work spaces and computers or asking to see a badge of a person in a secure work area instead of simply holding open an outer perimeter door for a stranger to be polite.   </p><p>If an organization follows most of these procedures, it maintains a robust culture of security. If not, the best practice advice and solutions stated below can be used by security leaders to strengthen security awareness in their companies and develop a culture of security. ​</p><h4>The Assessment</h4><p>A culture of security can only be built on a solid foundation. And that foundation is an effective security program. 
</p><p>However, if the security program is perceived as inconsistent or unprofessional, an initiative to build a culture of security around it will be doomed from the start. Thus, it is imperative to conduct an initial assessment of the security program to evaluate past security practices and present security operations. </p><p>The assessment must include, but should not be limited to, the following methodology:</p><ul><li><span style="line-height:1.5em;">Conduct interviews with security staff to determine past practices and to engage them in the assessment process.</span><br></li><li><span style="line-height:1.5em;">Review and evaluate existing documents regarding past security missions.</span><br></li><li><span style="line-height:1.5em;">Review and evaluate security staff job descriptions.</span><br></li><li><span style="line-height:1.5em;">Review and evaluate security current procedures, processes, and guidelines. </span><br></li><li><span style="line-height:1.5em;">Review and evaluate the security budget to ensure that it is in line with the mission, and that funded programs are not obsolete.</span><br></li><li><span style="line-height:1.5em;">Spend time working directly with all security staff to obtain first-hand knowledge regarding daily duties. Get to know your people.</span><br></li><li><span style="line-height:1.5em;">Review and evaluate any compliance tasks that have been assigned to security.</span><br></li><li><span style="line-height:1.5em;">Review, evaluate, and coordinate security requirements with heads of departments with security cross-functionality. 
Conduct collaborative meetings with other department heads and staff on their opinions of security.</span><br></li><li><span style="line-height:1.5em;">Obtain input from executive management on its vision of security.</span><br></li><li><span style="line-height:1.5em;">Define and document your company-specific security missions.</span><br></li><li><span style="line-height:1.5em;">Review the security requirements within these missions and analyze them for potential mission creep.<br></span><span style="line-height:1.5em;"> </span></li></ul><h4>The Blueprint</h4><p>Once past and present security operations have been assessed, organization leaders can plan for the future by improving and refining, based upon the factual analysis that has already been completed.</p><p>The first part of the blueprint process is to develop missions and objectives. This includes enlisting management for direction and involvement and establishing security goals and engaging security team members in ways to accomplish them. This part of the process also includes documenting security mission statements and assigning a leader to each one. These leaders must be capable and willing.</p><p>The second part of the blueprint pro­cess is to standardize operations and document these procedures in a manual of operations. This manual will serve as a central repository of security standard operating procedures and processes that cover core duties and responsibilities throughout the company. </p><p>Once the assessment is completed and the blueprint is in place, security managers must ensure that key attributes of the program are successfully maintained. These attributes include consistent pro­fessionalism, first-rate training and com­munications, a commitment to the program from upper management, and procedures designed to address violations.​</p><h4>Professionalism</h4><p>Professionalism is a crucial component of a strong security culture. 
The professional security staff and security officers should be a model for the organization’s general population. High standards of conduct should be set; staff and officers should be evaluated; and problems should be weeded out. Most important, security department leaders should live those high standards to set an example for others to follow. </p><p>Specific best practices can ensure that staff members and officers consistently project a strong level of professionalism to other company personnel. One of these is presence. Uniforms, if worn, should be consistent. Officers should engage all persons entering the facility with eye contact. Officers should not be texting or talking on their cell phones, or congregating in an area to smoke and joke.             </p><p>Security leaders must also be careful to prevent “mission creep,” or assigning nonsecurity duties to security personnel. This may distract security staffers from their core duties, to the detriment of the organization’s security culture.  </p><p>For example, one company used the security department to conduct security training as well as training in legal issues, compliance, and ethics. Security’s training duties also included tracking of annual requirements for all of the compliance-based training, for both employees and nonemployees. The two training avenues, employee and nonemployee, were not standardized between departments. Because of the lack of standardization, there were two completely different methods of administering, developing, and tracking training.   </p><p>In this case, the solution was to clearly define the security and human resources missions at the company. Once defined, human resources assumed control of the entire company training program and standardized the administration of training. 
Security was responsible only for the content of any security-related training.</p><h4>Training</h4><p>A strong security culture requires an effective training program for both existing and future security personnel. In addition, the process should ensure that security personnel are cross-trained in security position responsibilities and missions, to eliminate the potential for gaps in coverage should a critical team member be unavailable.</p><p>For example, if a company’s security missions are asset protection, compliance, and physical access control, the manual of operations would contain a section of step-by-step procedures and guidelines for each. This would allow the asset protection specialist to cover for the physical access control specialist for certain tasks, such as issuing badges, instead of waiting for the access control specialist to return.</p><p>In addition, companies should pay close attention to the processes and standards for granting and tracking access that are documented in the manual of operations. This can be an issue if companies have manual, cumbersome, or archaic methods for granting access. At many companies, this is an area that needs to be addressed. The granting of physical access should be automated to an electronic format.</p><h4>Communication</h4><p>Communication is one of the critical keys to success in any security program, and it will be part of every component of the program. From the initial assessment of the program to the final phases of the implementation of blueprint plans, all affected parties should be kept informed and aware of the security program and how it will impact their operations at work.</p><p>One company initiated a report that was sent twice a month via e-mail with the facts of any security incidents, so executives could track important issues. This communication also allowed security to remain within the scope of the executives while maintaining a successful program. 
As security expanded and implemented new initiatives, these were included in the bimonthly report. </p><p>For their part, the executives of the firm should be involved and engaged early on in the communications effort. Security should offer concise presentations, such as a PowerPoint presentation, that explain how the company benefits from the security program, be it through incident prevention or the preparedness to react and minimize negative impact to the company’s operations. Security goals, objectives, operations, procedures, and mission statements should be effectively communicated across the corporate footprint. Executives should understand the security role in their company and communicate their support for security programs to all company employees.  </p><p>Within the chain of command, the security leader must develop a system of communication to keep executives aware of the challenges faced by the security department and of the programs currently being used to protect the company’s physical assets. For example, at one company I worked at, security mandated monthly luncheon meetings with staff.</p><p>Company executives were also invited to these meetings, which they attended periodically. I documented each of these meetings in formal memoranda, including progress made on issues from the prior month, issues resolved, and problems currently being addressed. These memos were sent up the chain of command for executive review.  </p><p>Annual security awareness training is another effective communications tool. By delivering accurate, updated, and simple instructions regarding security rules, policies, and procedures, the company can effectively ensure that its workforce has been periodically exposed to security standards and the roles and responsibilities in daily operations. Security awareness posters that are updated quarterly can also help in communication efforts.   </p><p> Finally, do not underestimate the power of word of mouth. 
For any company, there is no stronger security tool than having a workforce that is security-minded and well informed of current security policies, procedures, and daily practices.</p><h4>Violations</h4><p>Even with a well-established culture of security, violations of an organization’s security policies will occur.</p><p>There are slips and breaches even in the most secure environments—some caused by intentional acts; some unintentionally, through malaise or misfortune. And while the people who work for an organization are its greatest asset, they also can be its greatest vulnerability if they decide to inflict harm. They know how the organization operates, and they can circumvent the most sophisticated security systems.</p><p>For private industry, the enforcement of security program policies requires a company to be fair, firm, and consistent. Take, for example, a company that has a clear security rule that all visitors must be escorted by the company representative who is responsible for the visitor while on premises. If a visitor is found roaming around by himself in a secure area, the employee who brought the visitor to the property should be disciplined.</p><p>And the discipline should be consistent, whether the employee is the CEO or the janitor. The enforcement should be documented and tracked, to monitor patterns of behavior. If the violation is severe enough that it results in a loss of property or affects employee safety, the matter should be referred to the violator’s manager for evaluation and possible further action.</p><p>Consistent and fair enforcement of the rules across the entire organization will further solidify a culture of security. It will demonstrate that security matters to the organization, and that it plans to ensure that the rules are followed. 
To expand on an earlier example, if the CEO forgets his or her access badge and either goes home and gets it or signs for a temporary one, the standard is set at the highest level of the company.</p><p>In the end, success in developing a culture of security at your company will mean the organization has established a robust, comprehensively assessed, and documented security program across the enterprise. Executive leaders are meaningfully engaged, and everyone is educated in the program’s components and follows them.</p><p>--<br></p><p><em><strong>Thomas Trier</strong> served for 25 years as a special agent of the FBI, where he attained the rank of assistant special agent in charge in the intelligence branch of the FBI’s Washington Field Office. Trier has also served as the leader of corporate security for a Midwestern electrical transmission-only utility company. He now provides advisory services through Security Intelligence Consulting L.L.C.</em></p>