Supply Chain

 

 

https://sm.asisonline.org/Pages/Public-Private-Partnership-Addresses-Supply-Chain-Security.aspxPublic-Private Partnership Addresses Supply Chain SecurityGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652019-05-01T04:00:00Zhttps://adminsm.asisonline.org/pages/megan-gates.aspx, Megan Gates<p>​The U.S. Department of Homeland Security (DHS) issued a binding operational directive in September 2017 to remove all Kaspersky Lab information security products, solutions, and services from all federal government departments and agencies. It was the first time DHS issued an order to remove all of one manufacturer’s software from government systems. </p><p>“This action is based on the information security risks presented by the use of Kaspersky products on federal information systems,” DHS said in a statement on the directive. “Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems.”</p><p>​DHS also issued the order because it was concerned about ties Kaspersky, a Russian company, might have to Russian intelligence agencies.</p><p>“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” DHS explained. </p><p>The department gave federal agencies and departments 30 days to identify all Kaspersky products on their systems. The agencies had to create plans to remove and discontinue use of those products within 60 days, and discontinue and remove those products within 90 days of the notice.</p><p>Following the directive, the U.S. National Defense Authorization Act was enacted in December 2017 to outlaw the use of Kaspersky products within federal agencies and departments. </p><p>Kaspersky denied allegations of ties to the Russian intelligence community and also challenged the U.S. government’s ban of its product in U.S. federal court. The D.C. Circuit Court dismissed Kaspersky’s lawsuit, but CEO Eugene Kaspersky said in a statement that the company would remain committed to “providing the best cybersecurity solutions for our customers globally and saving the world from cyberthreats.”</p><p>After the Kaspersky directive, other companies’ products have come under scrutiny for posing possible security threats to governments and private companies alike. The U.S. government, Japan, and others also put restrictions around the use of Huawei and ZTE products—both manufactured by Chinese companies—citing security concerns. </p><p>The moves also renewed focus on the need to address the supply chain security of information technology products. A lack of such security here could create major risks for end users who install those products in their systems.</p><p>“Traditionally, most organizations have been focused on the hardware and physical aspects of the supply chain—does it have counterfeit parts, was it compromised in manufacturing?” says Tim LeMaster, director of systems engineering at Lookout, a cybersecurity provider. </p><p>But there is growing recognition that software also poses supply chain risks, and LeMaster says many of his clients are increasingly concerned about addressing these risks to their systems. </p><p>Further concerns about supply chain security have been raised due to the creation of 5G—the fifth generation of wireless networking that will be used to connect next-generation technology—that China has invested heavily in developing.  </p><p>Speaking at the RSA Conference in March 2019, Mieke Eoyang, vice president of think tank Third Way’s National Security Program, said that the United States has not invested and planned for the long term to develop its own 5G. </p><p>“If the network owner is not a country that shares our values, what happens to the communications that flow across it?” she asked. </p><h4>The Threat</h4><p>In 2018, the U.S. Government Accountability Office (GAO) assessed the supply chains—“organizations, people, activities, and resources that create and move a product from suppliers to end users”—that U.S. federal agencies use to procure IT systems.</p><p>Threats to these supply chains could include installing intentionally harmful or counterfeit hardware or software; failing to produce or distribute a critical product; relying on malicious or unqualified service providers to perform technical service; or installing hardware or software containing or harboring unintentional vulnerabilities, like defective coding.</p><p>“These threats can have a range of impacts, including allowing adversaries to take control of systems or decreasing the availability of materials needed to develop systems,” the GAO explained. “These threats can be introduced by exploiting vulnerabilities that could exist at multiple points in the supply chain.”</p><p>This is also a major threat area for the United States because its systems rely heavily on IT equipment that is manufactured in foreign nations, often using multiple supply chains. </p><p>“As a result, agencies may have little visibility into, understanding of, or control over how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to ensure the integrity, security, resilience, and quality of the products and services,” according to the GAO’s analysis.</p><p>This poses a major risk for these systems to be manipulated or damaged by foreign nations that are known cyberthreats, including China, Iran, North Korea, and Russia.</p><p>“Threats and vulnerabilities created by these cyberthreat nations, vendors, or suppliers closely linked to cyberthreat nations, and other malicious actors can be sophisticated and difficult to detect and, thus, pose a significant risk to organizations and federal agencies,” the GAO explained. </p><p>For instance, a nation-state could infiltrate the U.S. government supply chain and install software on a device. The nation-state could then use that access to take control of the network the device was connected to, disrupt operations, or launch attacks against other systems. </p><p>The four U.S. national security-related departments—Defense, Energy, Homeland Security, and Justice—all acknowledged risks presented by supply chain vulnerabilities and adopted strategies to address the threat. However, the GAO said that more efforts were needed to address supply chain security as a whole. </p><h4>Re​sponse</h4><p>Shortly after the GAO published its report, DHS announced the creation of its National Risk Management Center. </p><p>“It will employ a more strategic approach to risk management born out of the re-emergence of nation-state threats, our hyperconnected environment, and our survival and its need to effectively and continually collaborate with the private sector,” said former DHS Secretary Kirstjen Nielsen in a speech at the department’s Cybersecurity Summit in July 2018. “…the center will bring together government experts with willing industry partners so that they can influence how we support them. Our goal is to simplify the process—to provide a single point of access to the full range of government activities to defend against cyberthreats.”</p><p>One of the center’s first major efforts would be bringing together government and industry to address supply chain risk. In November 2018, the center launched the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force to develop consensus recommendations that identify and manage risk to the global ICT supply chain. </p><p>“This is a moment when we need increased effort countering strategic risks that we see from—particularly—foreign adversaries in the cybersecurity space, including supply chain,” says Bob Kolasky, director of the National Risk Management Center and task force cochair. “There is an urgency of government and industry coming together to take this threat seriously and come up with solutions to address the threat and reduce risk.”</p><p>The task force consists of 60 representatives from the private sector and government, including members of the intelligence community. Kolasky cochairs the task force with John Miller, vice president of policy and law at the Information Technology Industry Council (ITI), and Robert Mayer, senior vice president for cybersecurity at the USTelecom Association. </p><p>Mayer, who also chairs the DHS Communications Sector Coordinating Council, says that the range of representatives on the task force means there will be broad conversation to generate real progress on supply chain security.</p><p>“Given the recognition now that the supply chain represents a major vector for attacks, especially when you consider the nation-states behind them, there’s a great deal of urgency to have a coordinated strategy and plan to mitigate the risk,” he adds.</p><p>The task force, which has a two-year charter, held an initial meeting after it was created in November 2018. To get the ball rolling, the task force created an inventory of both government and private sector initiatives to address supply chain security to prevent duplication of previous efforts. </p><p>The partial U.S. government shutdown in December and January delayed the database initiative, but Mayer says the task force was on track to have both segments of the inventory completed in March 2019. </p><p>The task force will then use this inventory to inform its future work, which it divided into four initial workstreams that it announced in the spring. </p><p>One workstream is devoted to developing a common framework for bi-directional sharing of supply chain risk information between government and industry. DHS already has a variety of information sharing channels in place to communicate between government and industry, so the task force intends to identify any gaps in sharing about supply chain vulnerabilities.</p><p>“Private entities are constantly evaluating whether there’s risk in things they put in their supply chains or understanding their own risk, and as they’re making their own risks, we want to understand why those decisions are being made so that we can help push that message out that other companies might want to be making similar decisions,” Kolasky adds.</p><p>Another workstream focuses on identifying processes and criteria for threat-based evaluation of ICT supplies, products, and services. This workstream will provide organizations with an understanding of what the criteria are and what the dimensions of supply chain oversight might look like, Mayer says. </p><p>Threat criteria are often based on the party that is assessing the technology, which will make this workstream’s assignment slightly daunting.</p><p>“Somebody in an acquisition role may have one set of parameters they’re interested in from a supply chain perspective; if it’s the end user, they might have another,” Mayer says. “Views change.” </p><p>The information the second workstream identifies on criteria will likely help inform the third workstream: identifying market segments and evaluating criteria, establishing qualified bidder and manufacturer lists. Ideally, this workstream will inform companies about what standards they will need to meet to qualify as a white list bidder.</p><p>The fourth workstream is focused on producing policy recommendations to incentivize purchasing ICT from original manufacturers or authorized sellers. The consensus is that “if you purchase equipment from the original manufacturer or an authorized reseller, instead of buying it” from an unauthorized seller, “you have a better likelihood that the security protocols have been adopted, implemented, and verified,” Mayer says. </p><p>To get companies and agencies to adopt this purchasing pattern, the workstream will look at which incentives will help users make decisions “based on good cyber supply chain risk management,” he adds. </p><p>The task force met several times this spring and plans to release information to the public about its progress beginning this summer, Mayer says. It will also continue looking at the scope of its work and addressing the workstreams’ assignments as the task force evolves.</p><p>“I think what we’ll see is an ongoing process of evolving of the scope, adding new efforts into the equation,” he adds. “There is a desire here to produce products that are actionable and that can actually move the needle.”</p><p>In addition to the workstreams, the task force will also work with the Supply Chain Security Council that was created by the 2018 U.S. Federal Acquisition Act. </p><p>The council focuses on the federal government, tasked with mitigating security risks that could arise from information technology, telecommunications services, and other services the federal government buys. </p><p>The council is responsible for creating criteria to assess threats and vulnerabilities to the supply chain, issuing guidance on risks to the supply chain, as well as publishing guidance on how to address those risks.</p><p>The council must obtain input from the private sector on supply chain risk, and Kolasky says that the task force will be the primary venue for that dialogue. </p><p>Overall, Mayer says it’s important that these conversations are happening and that the private sector—through the council—is included in the process. </p><p>“When the Department of Homeland Security comes to industry and says that they want to partner with industry on making improvements on a critical national security consideration, that’s music to our ears,” Mayer adds. “That’s what we want to see in the public-private partnership collaboration with government.” </p><p>And this partnership is critical for addressing supply chain security and ensuring that the United States has a path forward to make the acquisitions process for private and public entities. In the RSA appearance with Eoyang, Managing Director of the Cyber Readiness Institute Kiersten Todt said it was vital for the United States to address this issue.</p><p>“We don’t want to find ourselves in the position where we’re in the environment that China has defined for us,” she said.  </p><p>Megan Gates is senior editor at Security Management. Contact her at [email protected], Follow her on Twitter: @mgngates.</p><p>__<br></p><h4>What is 5​G?<br></h4><p>The fifth generation of wireless networking technology, dubbed 5G, is predicted to transform the way users work and live because of its increased connectivity benefits.</p><p>“One way to quantify the difference is in terms of download speeds,” according to a Verizon fact sheet. “5G will deliver speeds roughly 20 times faster than what is possible with 4G.”</p><p>This enhanced data transfer speed will allow more technologies to connect to each other, including vehicles, the Industrial Internet of Things, and Smart City networks. The first 5G networks, however, will not be available nationwide in the United States until 2020, according to WIRED’s “Guide to 5G.” And only if there is a major investment in the technology between now and then.</p><p>“To reach the goal of nationwide 5G by 2020, the government must open more wireless spectrum to carriers; the carriers must rapidly expand their infrastructure; and hardware makers need to create a new generation of devices ready to ride the 5G waves,” WIRED explained. ​</p><p>__</p><h4>Who’s On the Task Force?</h4>The U.S. Department of Homeland Security’s National Risk Management Center created the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force in November 2018. <div><br>The task force includes representatives from across government and industry:</div><div><br><ul><li>Accenture</li><li>AT&T</li><li>BSA</li><li>CenturyLink</li><li>Charter Communications</li><li>Cisco Systems</li><li>Comcast</li><li>Cox</li><li>CTIA</li><li>CyberRx</li><li>Cybersecurity Coalition</li><li>Cyxtera</li><li>Dell</li><li>FBI</li><li>Federal Communications Commission</li><li>FireEye</li><li>General Dynamics Information Technology</li><li>General Services Administration</li><li>HP</li><li>IBM</li><li>Iconectiv</li><li>IT-ISAC</li><li>Information Technology Industry Council</li><li>Intel</li><li>Interos Solutions</li><li>Microsoft</li><li>NASA</li><li>National Security Agency</li><li>National Association of Broadcasters</li><li>NCTA</li><li>NTCA</li><li>NTT</li><li>Office of the Comptroller of the Currency</li><li>Palo Alto Networks</li><li>Pioneer</li><li>Samsung</li><li>Sprint</li><li>Threatsketch</li><li>TIA</li><li>T-Mobile</li><li>USTelecom</li><li>U.S. Department of Commerce</li><li>U.S. Department of Defense</li><li>U.S. Department of Energy</li><li>U.S. Department of Homeland Security, CISA</li><li>U.S. Department of Homeland Security, Office of the Chief Procurement Officer</li><li>U.S. Department of Justice</li><li>U.S. Department of the Treasury</li><li>U.S. Nuclear Regulatory Commission</li><li>U.S. Office of the Director of National Intelligence</li><li>U.S. Social Security Administration</li><li>Verizon Wireless<br></li></ul></div>

Supply Chain

 

 

https://sm.asisonline.org/Pages/Public-Private-Partnership-Addresses-Supply-Chain-Security.aspx2019-05-01T04:00:00ZPublic-Private Partnership Addresses Supply Chain Security
https://sm.asisonline.org/Pages/Shooing-off-Copper-Crime-Waves.aspx2018-11-01T04:00:00ZShooing off Copper Crime Waves
https://sm.asisonline.org/Pages/Editors-Note---Supply-and-Demand.aspx2018-11-01T04:00:00ZSupply and Demand
https://sm.asisonline.org/Pages/Disastrously-Unprepared.aspx2018-11-01T04:00:00ZDisastrously Unprepared
https://sm.asisonline.org/Pages/Safer-Shipping.aspx2018-11-01T04:00:00ZSafer Shipping
https://sm.asisonline.org/Pages/Preventing-Port-Problems-.aspx2018-10-01T04:00:00ZPreventing Port Problems
https://sm.asisonline.org/Pages/Raising-the-Bar-Food-Defense.aspx2018-06-01T04:00:00ZRaising the Bar: Food Defense
https://sm.asisonline.org/Pages/Supply-Chain-Company-Makes-Access-Control-a-Priority.aspx2018-06-01T04:00:00ZSupply Chain Company Makes Access Control a Priority
https://sm.asisonline.org/Pages/Book-Review---Supply-Chain-Security.aspx2018-03-01T05:00:00ZBook Review: Supply Chain Security
https://sm.asisonline.org/Pages/Commerce-in-China.aspx2018-02-01T05:00:00ZCommerce in China
https://sm.asisonline.org/Pages/Containment-Strategies.aspx2018-02-01T05:00:00ZContainment Strategies
https://sm.asisonline.org/Pages/The-Dirty-Secret-of-Drug-Diversion.aspx2017-08-01T04:00:00ZThe Dirty Secret of Drug Diversion
https://sm.asisonline.org/Pages/The-Most-Resilient-Countries-in-the-World.aspx2017-05-11T04:00:00ZThe Most Resilient Countries in the World
https://sm.asisonline.org/Pages/Supply-Chain-Strategies.aspx2017-02-01T05:00:00ZSupply Chain Strategies
https://sm.asisonline.org/Pages/The-Usual-Suspects.aspx2016-08-01T04:00:00ZThe Usual Suspects
https://sm.asisonline.org/Pages/Book-Review---Diamond-Mine-Security.aspx2016-07-29T04:00:00ZBook Review: Diamond Mine Security
https://sm.asisonline.org/Pages/In-the-Public-Interest.aspx2016-05-01T04:00:00ZIn the Public Interest
https://sm.asisonline.org/Pages/Slavery-in-the-Supply-Chain.aspx2015-12-17T05:00:00ZSlavery in the Supply Chain
https://sm.asisonline.org/Pages/Port-Protection.aspx2015-02-01T05:00:00ZPort Protection
https://sm.asisonline.org/Pages/Strategic-Shrink-Reduction.aspx2015-02-01T05:00:00ZStrategic Shrink Reduction

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/The-Dirty-Secret-of-Drug-Diversion.aspxThe Dirty Secret of Drug Diversion<p>​Controlled substances were going missing at Hennepin County Medical Center (HCMC), and the hospital’s security investigator, William Leon, was determined to get to the bottom of it. So, at 11 p.m. on a Friday, Leon settled in for a night of observation at the Level I trauma center in Minneapolis, Minnesota. He kept a trained eye on one registered nurse who was suspected of stealing hydromorphone, an opioid pain medication, for her personal use.</p><p>HCMC has cameras set up in the medication room to monitor controlled substances, and Leon watched as the nurse began gathering prescribed medication for a patient in the emergency department. The process, called wasting, requires the healthcare worker to take a fresh vial or syringe full of medication and then dispose of the excess, leaving only the correct dosage—all with a witness present. Leon observed the nurse dispense a syringe of hydromorphone from the medicine cabinet, and, while a fellow nurse was signing off on the withdrawal, she placed the syringe in her pocket and pulled out an identical syringe, which Leon later learned contained saline. The nurse held up the saline syringe and wasted the required amount, tricking her fellow nurse, and left the room.</p><p>At this point, Leon knew exactly what was going on, and watched with increasing alarm as the nurse headed to a patient’s room in the orthopedic area of the hospital. “In that area, I knew immediately, this patient could have a broken bone—they were in intense pain and requiring this medication,” Leon says. “I see a lot of doctors standing around and I’m thinking ‘uh oh, this patient is going to get saline.’”</p><p>Leon raced to the room and saw that the doctors had given the patient the saline the nurse had brought up. “The patient was still screaming in pain and the doctor was frantically asking the nurse, ‘Are you sure you got the right dosage? Are you sure it was hydromorphone?’ and she was insisting she had,” Leon says. He called the doctor and the nurse into the hall and explained that the patient had just gotten saline and still needed the proper pain medication because the nurse had diverted the hydromorphone in the medication room. The doctor went to properly treat the patient and Leon called the nurse manager and the local sheriff’s detective in to begin an official investigation into the nurse’s actions.</p><p>Drug diversion in the United States is a nebulous problem that is widespread but rarely discussed, experts say. Whether in manufacturing plants, retail pharmacies, hospitals, or long-term care facilities, healthcare workers are stealing drugs—typically for their own personal use—and putting themselves, patients, and coworkers at risk. </p><p>“I hate to tell you, but if you have controlled substances and dispense narcotics, you’ve got diversion going on,” says Cherie Mitchell, president of drug diversion software company HelioMetrics. “It’s just a question of whether you know it or not.”</p><p>The scope and frequency of drug diversion is almost impossible to grasp, due in large part to how diversion cases are addressed. A facility that identifies a diversion problem might bring in any combination of players, from private investigators and local law enforcement to state accreditation boards or the U.S. Drug Enforcement Agency (DEA). There is no overarching agency or organization that records every instance of drug diversion in the United States.</p><p>Controlled substance management is dictated by a number of laws, including the U.S. Controlled Substances Act of 1971, which classifies substances based on how they are used and the potential for abuse. It also dictates how the substances are dispensed, and a facility may be fined if it does not comply. </p><p>The closest estimates of drug diversion rates come from people or organizations who dig up the numbers themselves. The Associated Press used government-obtained data in its investigations on drug diversion at U.S. Department of Veterans Affairs (VA) medical centers. Reported incidents of diversion at about 1,200 VA facilities jumped from 272 in 2009 to 2,926 in 2015, the data revealed, and the VA inspector general has opened more than 100 criminal investigations since last October. John Burke, president of the International Health Facility Diversion Association, extrapolated data he obtained from facilities in Ohio to estimate the presence of 37,000 diverters in healthcare facilities across the country each year. </p><p>Mitchell points out that any statistic derived from officially collected data still wouldn’t accurately reflect the extent of drug diversion in the United States. “There’s a lot of people investigators really suspected were diverters but had to be chalked up to sloppy practice due to a lack of concrete evidence, so any statistic is talking about known diverters who are fired for diversion,” she tells <i>Security Management</i>. “Even if you did have a statistic, it would be off because how do you incorporate those so-called sloppy practicers, or diverters who thought they were about to get caught so they quit on you and left? No matter what number you come to, it’s probably bigger in reality.”​</p><h4>Addiction and Diversion</h4><p>Although more people are paying attention to drug diversion due to recent high-profile cases and the current opioid epidemic in the United States, experts say they have been dealing with the same problems their entire careers. </p><p>“I can personally tell you that I dealt with the same issues 15 or 20 years ago that the healthcare arena is facing today, specifically in the drug abuse and diversion by their own hospital healthcare employees,” says Charlie Cichon, executive director of the National Association of Drug Diversion Investigators (NADDI) and a member of the ASIS International Pharmaceutical Security Council. “There are different drugs today, of course, than there were 20 years ago.”</p><p>Susan Hayes has been a private detective for healthcare facilities for more than a decade and says the opioid epidemic has magnified the drug diversion problem in recent years. “The opioid addiction in America has lit my practice on fire,” she says.</p><p>It’s no secret that opioid addiction has reached epidemic levels in the United States. In 2010, hydrocodone prescriptions were filled 131.2 million times at retail pharmacies alone, making it the most commonly prescribed medication, according to the Mayo Clinic. However, those are just the numbers that were legally prescribed—about 75 percent of people who take opioids recreationally get them from a friend or family member. According to the U.S. Centers for Disease Control and Prevention (CDC), approximately 52 people in the United States die every day from overdosing on prescription painkillers.</p><p>Healthcare workers are not immune to the draw of opioids. In fact, up to 15 percent of healthcare workers are addicted to drugs or alcohol, compared to 8 percent of the general population, according to the Mayo Clinic. </p><p>“Healthcare providers are in very stressful jobs,” Hayes says. “They all have problems. Nurses have emotional attachments to patients that they see die. Even orderlies have very stressful physical jobs, they’re lifting patients. Pharmacists can make mistakes that mean life or death. You have people that are already in very stressful situations, and now you give them access to drugs…. I think the combination is almost deadly.”</p><p>While a bottle of 30mg oxycodone tablets can sell on the street for up to 12 times its price in the pharmacy, most drug diverters are addicts using the drugs themselves. Because of this, diversion shouldn’t be considered just a security concern but a patient safety concern, Cichon says. He references several high-profile diversion cases in which the diverters used the same syringe full of medicine on both themselves and their patients, spreading bacterial infections and hepatitis. In one especially egregious case, a traveling medical technician with hepatitis C would inject himself with his patients’ fentanyl and refill the same syringe with saline, ultimately spreading the virus to at least 30 people in two states.</p><p>Unfortunately, experts acknowledge that most diverters don’t get caught until they have been diverting for so long they start to get sloppy. “The people who are your real problem are the people who are hiding in the weeds, not doing enough to get caught, and those are the ones you want to find,” Mitchell says. “The people they are finding now are the people that have the needle in their arm or somebody has reported them. You want to try to find them before that.”​</p><h4>Out of the Loop</h4><p>Hayes details the path of drugs through a hospital: a pharmacy technician orders the medication from a wholesaler, who will deliver them to the hospital pharmacy. The drugs are sorted and stocked in the pharmacy, where they will remain until they are brought up to the patient floors and stored in various types of locking medicine cabinets. When a patient needs medication, a nurse goes to the medicine cabinet and dispenses the drug for the patient. </p><p>Another ASIS International Pharmaceutical Council member—Matthew Murphy, president of Pharma Compliance Group and former DEA special agent—describes this as the closed loop of distribution. “Once a drug is outside of the closed loop, when it gets dispensed from a pharmacy or administered by a doctor, it’s no longer in the purview of DEA rules and regulations,” he explains. Drugs are most likely to be diverted during those times when they are in transit or exchanging hands, outside of the closed loop.</p><p><strong>Wholesalers.</strong> When fulfilling a pharmacy’s request for medication, wholesalers have just as much of a responsibility to notice if something is amiss as the pharmacy does. Whether it’s a retail pharmacy or a hospital pharmacy, wholesalers are responsible for cutting them off if they start to request unusually high amounts of opioids. </p><p>In 2013, retail pharmacy chain Walgreens was charged $80 million—the largest fine in the history of the U.S. Controlled Substances Act—after committing record-keeping and dispensing violations that allowed millions of doses of controlled substances to enter the black market. Cardinal Health, Walgreens’ supplier, was charged $34 million for failing to report suspicious sales of painkillers. One pharmacy in Florida went from ordering 95,800 pills in 2009 to 2.2 million pills in 2011, according to the DEA. </p><p>Hayes says the fine against the wholesaler was a wake-up call, and now suppliers use algorithms to identify unusual spikes in orders of opiates. Wholesalers can even stop the flow of medication to pharmacies if they believe diversion is occurring—which can be disastrous to a trauma center, Hayes notes.</p><p><strong>Pharmacies.</strong> To restock the shelves, pharmacy technicians compile lists of what medications they are low on to send to the wholesalers at the end of each day. Hayes notes that many pharmacies do not conduct a retroactive analysis on what is being purchased—which is why wholesalers must pay attention to any unusual changes in orders. She stresses the importance of constantly mixing up the personnel who order and stock medications. </p><p>“If you’re both ordering and putting away drugs, that’s a bad thing because you can order six bottles when you only need five and keep one for yourself,” Hayes notes. </p><p>Similarly, it is important to rotate who delivers the drugs to the patient floors. “John the technician has been taking the drugs up to the floors for the last 20 years,” Hayes says. “Well gee, did you ever notice that John drives a Mercedes and has two boats and a house on Long Island? He makes $40,000 a year, did you ever do any investigation into why?”</p><p><strong>On the floor. </strong>Experts agree that the most egregious diversion occurs during the wasting and dispensing process in scenarios similar to the incident Leon witnessed at HCMC. Mitchell explains that all hospitals have different wasting procedures—some require nurses to waste the medication immediately, before they even leave the medication rooms, while others may have a 20-minute window. Other hospitals may prohibit nurses from carrying medication in their pockets to prevent theft or switching. ​</p><h4>Investigations</h4><p>Any company involved with controlled substances, whether manufacturing, distributing, or dispensing, must be registered with the DEA and must adhere to certain rules and regulations—which aren’t always easy to follow.</p><p>Murphy, who worked for the DEA for 25 years, now helps companies follow mandates he calls “vague and difficult to interpret.” For example, DEA requires anyone carrying controlled substances to report “the theft or significant loss of any controlled substance within one business day of discovery.”</p><p>“This hospital had 13 vials of morphine that ‘went missing’ and someone called me in to find out why,” Hayes says. “They asked me, ‘Are 13 vials substantial or not? Do I really need to fill out the form?’ I counsel them on what’s substantial because the language is very loose.”</p><p>Depending on the frequency or significance of these or similar forms, the DEA may open an investigation, Murphy explains. “DEA will look at these recordkeeping forms and determine if in fact everything has been filled out correctly, that they have been keeping good records,” he says. “If DEA determines that they are lax or have not been adhering to requirements, there could be anything from a fine to a letter of admonition requiring corrective actions.” In more serious cases, DEA could revoke the registration because the activity or behavior was so egregious that it was determined that the facility is not responsible enough, Murphy explains. If a facility loses its DEA registration, it cannot dispense controlled substances.</p><p>However, DEA does not get involved in every suspected case of diversion. “There are only so many DEA diversion investigators, so they have to prioritize what they get involved with,” Murphy says. “It has to be pretty egregious for them to get involved to seek a revocation or fine.”</p><p>That’s where people like Hayes come in. “They want me to come in instead of DEA or law enforcement,” she explains. “I’m a private citizen, I understand law enforcement procedures, and I can help them get at the root of the problem before they call in law enforcement.” </p><p>After an investigation into a diverter is opened, it is unclear what happens to the offender. Hayes says that she typically gathers evidence and gets a confession from diverters, at which point her client calls in law enforcement to arrest them. Leon, who was in charge of diversion in­vest­igations at HCMC for 20 years before becoming a consultant for HelioMetrics, was able to investigate but not interview suspected diverters. He tells <em>Security Management</em> that he would call in a sheriff’s detective to interview the suspect.</p><p>Although most diverters are fired when their actions are discovered, they are not always arrested—it’s often at the discretion of their employer. Depending on the diverter’s role, state accreditation boards—such as those that license nurses and pharmacists—would be notified and could potentially conduct their own investigations. </p><p>Cichon cautions that some hospitals hoping to avoid bad press and DEA scrutiny may look for loopholes. “We found out through the course of investigations that if someone resigns and was not sanctioned it may not be a reportable action,” he says. “If we allow this person to resign rather than take action against him, then we don’t have to report it.”</p><p>Murphy notes that DEA typically has no role in individual cases of diversion. “If the diverter has a license from one of those state agencies, usually it’s required that they be reported, and then it’s up to the board how they proceed with the personal license of the individual,” he says. The DEA doesn’t regulate the personnel—that’s up to the state and the facility. </p><p>Cichon notes that the lack of standards when addressing diversion makes it more likely that offenders could slip through the cracks and move on to continue diverting drugs at another facility. “Unfortunately, there are different laws and statutes in every state that set up some sort of reporting requirements,” he says. “There are medical boards, nursing boards, pharmacy boards, and not every worker even falls under some sort of licensing board for that state.” ​</p><h4>Staying Ahead</h4><p>Due to the stigma of discovering diverters on staff, many hospitals just aren’t preparing themselves to address the problem proactively, Cichon explains.</p><p>“This is something that is probably happening but we’re not finding it,” he says. “The statistics I’ve seen at hospitals that are being proactive and looking at this are finding at least one person a month who is diverting drugs in their facility. If a 300-bed hospital is finding one person a month, and Hospital B has the same amount of staff and beds and is finding nothing…”</p><p>NADDI has been providing training for hospitals to develop antidiversion policies. Cichon notes that many hospitals throughout the country have no plan in place to actively look for diverters. “As big as the issue is, many of them are still just not being that proactive in looking at the possibility that this is happening in their facility.”</p><p>Cichon encourages a team approach to diversion that acknowledges diversion as a real threat. “Not just security personnel should be involved with the diversion aspect,” he says. “Human resources, pharmacy personnel, security, everyone is being brought into this investigation, because the bigger picture is patient safety. The diverting healthcare worker typically isn’t one who’s going to be selling or diverting his or her drugs on the street, but they are abusing the drugs while they are working.”</p><p>Leon worked hard on diversion prevention at HCMC after discovering a surprising pattern: almost all of the diverters he investigated wanted to be caught. “What got me on this path of prevention was observing the nurses as they would admit to what they did,” he explains. “More often than not the nurses would say, ‘I wanted somebody to stop me. I needed help, didn’t know how to ask for it, and I was hoping somebody would stop me.’ That’s pretty powerful when you’re sitting there listening to this on a consistent basis.”</p><p>Leon implemented mandatory annual training for everyone in the hospital—from food service workers to surgeons—to recognize the warning signs of drug diversion. “If a nurse or anesthesiologist or physician is speaking with you and telling you they are having these issues, then you should say something,” Leon explains. “It’s not doing the wrong thing—you’re helping them, and that’s the message we sent out. Look, these individuals are not bad individuals. Something happened in their lives that led them down this path.”</p><p>Leon also had cameras installed throughout the hospital that allowed him to observe diversion but also kept his investigations accurate. “We had a nurse who was highly suspected of diverting,” he says. “With the cameras I was able to show that she wasn’t diverting, just being sloppy. The employees appreciated the cameras because it showed they weren’t diverting medication, they just made a mistake.”</p><p>Over time, HCMC personnel became more comfortable coming forward with concerns about their coworkers. Before the facility started the annual training, Leon caught at least one diverter a month. Before he retired, he says, that number had dropped to one or two a year.</p><p>“The success of our program at HCMC was the fact that we paid more attention to educating rather than investigating,” Leon says. “You have to keep those investigative skills up, but you have to spend equal amount of time on prevention and awareness.”</p><p>Mitchell points to algorithmic software that can identify a potential diverter long before their peers could. Taking data such as medicine cabinet access, shift hours, time to waste, and departmental access allows software to identify anomalies, such as a nurse whose time to waste is often high, or a doctor who accesses patients’ files after they have been discharged. </p><p>“Most people are using the logs from the medicine cabinets trying to do statistical analysis,” Mitchell explains. “You find out 60 days or six months later, or you don’t see that pattern emerge by just using one or two data sets. That doesn’t help. The goal is to identify these people as quickly as possible so they are no longer a risk to themselves or the patients or anyone they work with.”</p><p>Murphy encourages facilities to be in full DEA compliance to mitigate diversion. “If somebody wants to steal or becomes addicted, they are going to find a way to do it, and sooner or later they are going to get caught, but then there’s a problem because the hospital has to work backwards to determine how much was stolen and reconcile all that,” he says. He also notes the importance of following up internally on each diversion case and figuring out what went wrong, and adjusting procedures to address any lapses. </p><p>“Every entity that has a DEA program should have diversion protocols in place because if they don’t they are playing Russian roulette with theft and loss and their DEA registration,” Murphy says.  ​</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Strategic-Shrink-Reduction.aspxStrategic Shrink Reduction<p>​<span style="line-height:1.5em;">Security’s long battle against retail theft continues, and it is far from won, but some retailers are making gains. Loss prevention strategies are becoming increasingly more sophisticated, with some retailers leveraging cutting-edge technology, analytics, and an even more engaged workforce to fight thieves and stay one step ahead of always-evolving shoplifting methods.</span></p><p> Global shrink has declined by 4.8 percent in the last year, due in part to an increased focus on loss prevention measures, according to a recent study of retail theft across the world. The report, The Global Retail Theft Barometer 2013-2014, examined the cost of merchandise theft in the global retail industry in 24 countries spread throughout Asia, Europe, North America, and South America.</p><p>What’s driving the progress? One major factor is increased investment in loss prevention programs. The study found clear correlations between how much a country’s retail industry spent on loss prevention and the retail loss rate in that country. Countries with the best shrink reduction rates had spent the most on preventive countermeasures, while those with the highest losses spent the least on prevention.</p><p>This is a lesson that some retailers in the United States could benefit from, says Ernie Deyle, former vice president of loss prevention for CVS/Caremark who now leads the shrink reduction and margin recovery practice for SD Retail Consulting. Deyle says that when he does “triage” work in the field, some stores consider loss prevention an expense area, a place where they minimize spending in hopes of minimizing costs. So the idea that loss prevention is actually a competitive asset area is “usually overlooked,” often to the detriment of the store’s financial bottom line. “When you control loss, you improve your profit,” says Deyle, who helped conduct the study in conjunction with The Smart Cube, a research and analytics firm. </p><p>However, simply spending more money on prevention is not the sole answer to the problem, Deyle adds. The report found that the most effective loss prevention programs are multifaceted: they often combine the strategic use of technology and physical security measures with data analytics.</p><p>For example, a multifaceted program might employ electronic article surveillance (EAS). EAS devices have been shown to be among the most effective of retail security technologies, the report found. But relying on one tactic or device, even one as effective as EAS, is “like putting up a gate with no fence,” Deyle says. </p><p>Instead, multifaceted loss prevention programs may couple an EAS system with a merchandising plan that covers product placement strategies to avoid theft. The merchandising plan might use analytics on loss data to determine things like what shelves are most vulnerable to theft, which items are most likely to be stolen, and when peak theft occurs. Product placement strategies might include the best arrangements and facings for items to minimize theft, Deyle explains. For example, arranging products in a way that takes longer to lift them off the shelf can deter some shoplifters. “They want quick in, quick out, without being noticed,” Deyle says. </p><p>Moreover, loss prevention plans should be constantly evolving. Shoplifters who are foiled will change their practices accordingly, so retailers need to continually change their tactics as well. “It’s about being strategically positioned,” Deyle says. “You need to stay ahead of the curve.” </p><p>While the 4.8 percent global shrink decline is encouraging, retail shrink still costs an estimated $128 billion worldwide, evidence that theft is still a serious problem for the industry, according to the report. The loss is the equivalent of 1.29 percent of sales in each of the 24 countries examined in the study. The annual cost of shrink to households, as passed on from retailers, ranges from $74 to $541, depending on the country. </p><p>Roughly two-thirds of shrinkage worldwide (slightly more than 65 percent) is due to shoplifting, followed by employee theft. In most countries (16 of 24), shoplifting is the biggest cause of shrinkage, but this can vary. For example, in the United States, employee theft ranked first at 43 percent, with shoplifting next at 37 percent. In Norway, a low shrinkage country, administrative losses are the major source of shrinkage.</p><p>Comparatively, shrinkage rates across the 24 countries in the report range from 0.83 percent to 1.7 percent. Mexico recorded the highest rate—1.7 percent—followed by China with 1.53 percent. The lowest shrinkage rates were in Japan, Norway, the United Kingdom, and Turkey. </p><p>In the United States alone, retail theft costs $42 billion annually, equal to an average of $403 per household. Shoplifters and dishonest employees most commonly target products that are easy to conceal and then resell.  Some of the most frequently pilfered items include mobile phones, spirits, fashion accessories and jewelry, makeup products, and computer tablets.  </p><p>Almost all types of U.S. retail stores were hit by employee theft and shoplifting, but the most affected were U.S. discounters, with losses equaling 2.78 percent of sales; pharmacies/drugstores, 2.16 percent; and supermarkets/grocery retailers, 1.38 percent. These three types of stores witnessed the highest shrink rates because of the widespread prevalence of organized retail crime combined with relatively lower loss prevention spending, according to the report. </p><p>While retailers are making progress with sophisticated loss prevention programs, another recent report points the way toward an alternate means of reducing retail shrinkage—by improving the engagement level of the workforce. </p><p>This report, Making the Link: the Role of Employee Engagement in Controlling Retail Losses, surveyed more than 200,000 staff members in 1,570 stores under three European retail chains. Employee engagement was measured across 18 factors, such as “staff believe their ideas and suggestions are taken seriously” and “staff feel appreciated and valued.” Four indicators of retail loss were examined: shrinkage, waste, cash loss, and lost sales driven by out-of-stock merchandise. The report was conducted by ECR Europe’s Shrinkage and On-Shelf Availability Group, with support from the University of Leicester. </p><p>The study found that 15 of the 18 employee engagement factors influenced store loss. It also found that the stores that had the highest loss rate could significantly reduce that rate with a more engaged workforce. The report “graphically highlights the difference that engaged and valued staff can make to retail profitability—not just by providing excellent customer service, but also through a reduction in the many and varied losses retailers experience,” write the authors of the report. (For more on employee engagement best practices, see “The Disengagement Dilemma” on page 52).  </p><p>Like the previous report, Making the Link also found that managers played a pivotal role in keeping employees engaged. To heighten engagement levels and reduce loss, the authors recommended that managers provide more opportunities for staff development, keep staff informed about the organization, solicit staff ideas, and make sure that staff have satisfying, manageable roles. </p><p>“For all the advances in technology and analytics, the importance of employees must not be minimized,” the authors write. “Retailing is fundamentally about people—principally the customer but also the employees tasked to service their needs.”</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/The-Golden-Rule.aspxThe Golden Rule<p>​</p><p>HIGH IN THE ANDES mountains of northern Peru, 375 miles north of the capital city of Lima, is the Yanacocha mine—Latin America’s largest gold mine. The site, which is majority-owned by Colorado-based Newmont Mining Corporation, consists of six open pit mines, four leach pads, and three gold recovery plants. More than 100 small, rural communities fall within its influence area. While communities situated near Yanacocha have been concerned in the past about the mine’s impact on local water supplies and a lack of communication from the company, Lee Langston, Newmont’s regional director of security for South America, says that most concerns are related to employment.</p><p>Tensions over those concerns resulted in a series of protests in August 2006. Farmers blocked the road to Yanacocha for one week, and production at the mine came to a standstill for two days. According to media reports, protestors’ original demand for jobs turned to anger over environmental concerns, and in one violent clash, protestors blocking the road threw stones at police. In the response, one farmer was shot and killed.</p><p>The incident highlights the often strained relationships between local communities and international extractive companies operating abroad. As a result of this and other security conflicts between Newmont and the communities surrounding the mine in recent years, the company is in the process of implementing a new approach to security that recognizes the importance of human rights and community outreach.</p><p>Human Rights<br>The mining industry has an increased awareness of the connection between community relations and security today compared to a decade ago. “I think increasingly there really is a recognition on the part of the mining companies we work with that there is a degree of indivisibility between what you are doing in terms of your community relations or your community investment and security,” says Aidan Davy, a program director for socio-economic contribution for the London-based International Council on Mining & Metals (ICMM), an industry group which counts Newmont among its members.</p><p>Davy attributes the change to the influence of the Voluntary Principles on Security and Human Rights, an initiative of private companies, governments, and nongovernmental organizations (NGOs), that is intended to provide guidance to extractive companies on how they can maintain the safety and security of operations while ensuring respect for human rights.</p><p>The Voluntary Principles, as they are commonly called, were established in 2000 and primarily address three issues: risk assessment, engaging with public security forces, and interacting with private security forces. For each of these issues, the Voluntary Principles provide several guidelines. Signatory organizations commit to abiding by the principles and submit annual reports on activities.</p><p>Extractive companies have historically taken a silo approach to security and community relations, Davy says, but the Voluntary Principles have led to a more synergistic approach. “Instead of taking the view of conventional security that our role is to protect our people and our assets in that order and [that] people outside the fence line or communities may represent a threat to either people or assets, the Voluntary Principles take the view that in legitimately providing security for people and assets, there is a genuine risk that you might compromise the safety, security, and wellbeing of people outside the fence line,” he explains.</p><p>That shift in perspective, he says, has helped companies realize the importance of aligning what they are doing in the security space to what they are doing in the community relations space. “That has had a profound influence, I would say, in terms of sensitizing people to the idea that these matters are closely related,” he says. </p><p>Slow Going<br>Davy admits that there is some public dissatisfaction about the lack of progress in implementation of the Voluntary Principles. “That absolutely is not the fault of companies exclusively,” he says. “I think it’s because, at its heart, the Voluntary Principles rely on a tripartite model of government, civil society, and company collective engagement and collaboration, and at times, I think they’ve failed to move this thing forward in a way that’s been collaborative.”</p><p>Indeed, one of the biggest challenges, according to Langston, is enforcing human rights in a foreign country and in remote areas. “The real challenge is that [we are] a private company, a foreign private company, [so] sometimes if it’s not approached delicately, government institutions can feel that you’re treading into their area of governing,” Langston says.</p><p>Davy says implementation guidance of the Voluntary Principles has also been lacking. “What’s been missing is practical guidance that will help people really move forward with implementation,” he says. An implementation guidance tool is currently being created by a coalition that includes the Voluntary Principles Secretariat, ICMM, the International Finance Corporation, the International Committee for the Red Cross, and the International Petroleum Industry Environmental Conservation Association (IPIECA). The guide should be available within a year, Davy says.</p><p>Newmont, which is an ICMM member, was one of the first companies to sign on to the Voluntary Principles in 2001. But Oxfam America, an NGO participant in the Voluntary Principles, lodged a complaint against the mining company in 2007 with the initiative’s Secretariat. That complaint was in response not only to the protests in 2006 and the death of farmer Isidro Llanos Chavarria but also to allegations later that year of illegal wiretapping, surveillance, and death threats by a private security company employed by Newmont against a prominent human rights activist and outspoken critic of the company.</p><p>Newmont and Oxfam America subsequently agreed to a third-party comprehensive review of Yanacocha’s security management and practices. The review consisted of interviews with company executives, Peruvian National Police authorities, representatives from two of the three hired security companies employed by Yanacocha, NGO personnel, and community leaders.</p><p>A summary of the review of Yanacocha’s security and human rights procedures was released publicly last summer. “The total review identified areas of strong performance as well as the processes that they felt Yanacocha could improve upon,” says Langston. Newmont and Yanacocha analyzed the review and then developed a plan of action to implement the report’s recommendations for a new approach to security and human rights.</p><p>New Action Plan<br>The plan of action that came out of the review included short-term objectives that would be implemented by the end of 2009, medium-term objectives that would be implemented by the end of 2010, and long-term objectives that would be done in 2011. In terms of implementing recommendations for the Yanacocha site, Langston, as regional security director, is responsible for ensuring that they are completed in the timeframe set by the committee.</p><p>One example of a short-term objective is the creation of a Risk Assessment and Conflict Resolution Office. Langston says the company had a similar office before but it was not as effective as it could have been. One problem was that it only addressed complaints filed directly with the office. For instance, if an allegation appeared in the media, it was not considered a legitimate complaint.</p><p>“Well, you have to be reasonable,” Langston says. “If it’s floating around in the media, you better address it as a complaint.” Now the office considers all allegations no matter how they get word of them. “One of our employees can say he heard something in a store, and that would be investigated,” Langston adds.</p><p>Investigations. Yanacocha now investigates all use-of-force incidents. “Anytime any of our security people have an incident, whether it’s with an employee or a contractor or a community member, that is reported and treated just as if it is an allegation so we can determine whether the force used was reasonable or not,” Langston says.</p><p>All such reports undergo a new process of evaluation as well. If the risk level is classified as low, the incident is evaluated by a human rights and security investigation committee, which includes the site security manager as well as representatives from legal and operations. Representatives from other relevant departments are also on the committee.</p><p>For instance, if an incident involves the community, someone from the social responsibility department is there; if an allegation concerns an employee or contractor, a human resources or contracts manager serves on the committee. They assess the allegation and determine whether it has merit.</p><p>If the allegation is deemed legitimate, the committee orders an investigation and picks an investigation team to report back with results and recommendations. The onsite committee must also keep the South American regional board, which mirrors the committee at the site level, informed.</p><p>If the risk level of a complaint is considered medium, the regional-level committee handles it, and if it is a high-risk complaint, corporate, which also has a similar body, investigates.</p><p>Working with police. Because the response time is so long from Cajamarca, a contingent of police officers is stationed at the mine and rotated on a monthly basis. The company pays the police officers a daily stipend and provides lodging and meals and makes a contribution to the police institution for their services as stipulated in a formal memorandum of understanding (MOU).</p><p>In addition, the MOU has provisions for additional response to the mine area if an incident should occur. However, one of Yanacocha’s medium-term objectives is to work with the police to make this MOU more transparent. The police acknowledge on their Web site that they have an agreement with the mine, Langston says, but they do not publish the contents of the MOU, which is important information for the local community to have. </p><p>One of the long-term objectives is to expand the police training to the regional and national levels, but it will take time. “Obviously it’s the state’s responsibility to do this kind of stuff,” Langston says. But, “[i]f we can help them with a reasonable cost to the company, we’re going to do that.”</p><p>The comprehensive review also recommended equipping police forces with nonlethal weapons, Langston says. “We’re not so sure [as a] company that we want to get involved in providing that type of material, because it’s nonlethal, but it’s offensive in nature,” Langston says. Currently the company provides protective gear for police who are stationed at the mine site or who are responding to an incident. These items include helmets, shields, padding, and other riot response equipment.</p><p>Equipping police raises concerns beyond just the cost to the company, Langston says. There are also legal concerns. “We need to be very cognizant of the Foreign Corrupt Practices Act when we talk about equipping people,” he says. “We have to have some means of monitoring the use of that equipment.” </p><p>Another objective the company hopes to meet by the end of this year is the establishment of regular, formal meetings with public security partners, which include the national police as well as the military. Newmont’s security officials currently engage in formal, high-level meetings with these partners at least once a year, but the company is negotiating with Peru’s interior and defense ministries to set up a formal schedule that would include meeting twice a year at the ministry level and quarterly with generals at the regional level.</p><p>The purpose of the meetings is to assess collaboration and discuss ways to improve performance within the framework of the Voluntary Principles. Yanacocha’s security manager, Jose Antonio Rios Pita Diez, CPP, currently meets with local police on a weekly basis.</p><p>Human rights training. In 2008, in an effort to improve the company’s implementation of the Voluntary Principles even before the review was completed, Yanacocha launched two training programs designed to raise awareness among employees and contractors about the importance of respecting human rights. One program is basic training in human rights and provides an overview of relevant initiatives Newmont is involved with, such as the Voluntary Principles and the United Nations Global Compact. Each participant also receives a primer on human rights.</p><p>In the first year, 3,000 participants benefited from the program, including all of the security contractor personnel working for Yanacocha. The program continues on an annual basis.</p><p>The second training program launched the same year is training in the Voluntary Principles. This program targets the mine’s security staff, contractor personnel, and police assigned to the site. Training focuses on ways to ensure the safety of Yanacocha’s employees and operations while respecting human rights. </p><p>In the first year, the training was provided only to security and contractor supervisors and to public security officers assigned to provide support to the operation. In 2009, all security personnel received the training, which includes use-of-force instruction and a code of conduct for law enforcement officers. The training is being extended in 2010 to Newmont’s Conga project, which is also in Peru, and its Merian project in Suriname. </p><p>Community relations. Yanacocha’s security department has also launched a security-community integration program to improve relationships and trust between security personnel and local communities. As a part of the program, security personnel work with security contract personnel, the police, the military, and local businesses and organizations to plan one-day festivals in isolated communities in the mine’s area of influence. Some activities include music provided by the army or police bands, Andean folk dances, lunch prepared and served by security personnel, and social services, such as presentations on family planning, spousal abuse, and hygiene conducted by the police health unit.</p><p>The security department spearheads approximately one event per month, going to a different local village each time. Security personnel and their families attend. Not only do the events build trust between company and contract employees and the communities, but they also improve relations between the state law enforcement personnel and the local Indian communities, Langston says. </p><p>Yanacocha’s Diez says that it is important to venture into the community relations realm, even though others may consider it the work of an external affairs or social responsibility department.</p><p>“We are doing our work in a preventive way because if we have some problems in the road, the problem also will be for the security department and also for our company,” he says. “We are working in a preventive way in order to avoid these kinds of situations.”</p><p>On a regional level, Newmont is working with the Interior Ministry to assist and provide resources to the rondas campesinas, or rural peasant patrols, which have developed over centuries to provide security for their own rural communities. Each local community has its own ronda. Newmont provides them with minor equipment and gear that makes the ronda campesina stand out in the community, such as vests that say “Ronda” and identify the community; flashlights, boots, and some rain gear.</p><p>Results<br>The goal of these community outreach efforts at its simplest was—and is—to “put a face” on security. The hope was that if local residents got to know security personnel as people before there was an incident, then when they showed up on the scene to respond to trouble, the locals might be disgruntled, but they would be “less likely to pick up a rock or a stick and start to assault the guard. And that’s exactly what we’re seeing,” says Langston.</p><p>He says that security personnel are met more cordially on the road and that they now have conversations with members of the communities. Both Langston and Diez say the efforts at Yanacocha are also showing some tangible results. For example, the company experienced 25 roadblocks in 2007 and only one last year. The company also tracks conflicts that involve physical force, and those incidents have dropped from 64 in 2007 to six in 2009.</p><p>Langston has noticed a growing awareness that community relations affect security and vice versa. “Used to be security was checking the lunchbox at the gate, and it’s much more than that now,” he says. “You have to go beyond the fence, and that takes a whole different mind-set and set of skills.”</p><p>Stephanie Berrong is an assistant editor at Security Management.<br></p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465