Security by Industry OCTOBER 1959 | VOL. 3, NO. 4GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a43444652019-07-01T04:00:00Z<p>​Flashback: OCTOBER 1959 | VOL. 3, NO. 4</p><h4>GOOD SECURITY IS GOOD BUSINESS </h4><p>The year was 1959. The American Society for Industrial Security (now ASIS International) held its fifth annual meeting in Los Angeles. The theme, “Good Industrial Security Is Good Business,” still resonates with ASIS and its members, creating a foundation for today’s focus on enterprise security risk management and its contributions to the business mission.  </p><p>ASIS President Eric Barr spent three weeks each month traveling to ASIS chapters in an effort to grow the Society. He and former president Russell White chartered the European Chapter during a business trip to NATO headquarters that year.</p><div><h4>​CELEBRATION</h4><p>Then, as now, ASIS members knew how to mix business and pleasure. In 1959, a banquet was held at the Cocoanut Grove in Los Angeles’ Ambassador Hotel, a popular venue that was also the scene of several Academy Awards ceremonies. In the ensuing decade, the hotel would be the site of the Robert Kennedy assassination and would close its doors a few years after that.</p></div><div><h4>THE OLDEN DAYS</h4><p>Security Management’s precursor, Industrial Security, was in its third year of publication in 1959. The October issue took on the subject “Security in the Olden Days.” Just imagine how things have changed over the last 60 years. What did security professionals in the ’50s do without the Internet, biometrics, and drones?</p><p><br></p></div> Benefits of Being Smart Amenity of Necessity Intoxication Issue Review: Surgery Center Safety Issues Federal Facilities’s-Gone.aspx2019-04-01T04:00:00ZWhen The Money’s Gone With Yourself To Transhumanism the Sum of Many Parts with Endpoint Management Maladies Trends License to Operate Facilities Tackle an Explosive Problem 2019 Industry News 2019 Industry News 2019 Industry News Back Power to Puerto Rico Global Safety Plan Protects Corporate Travelers Of Safety.aspx2019-01-01T05:00:00ZWellspring Of Safety Bars Provide Students with Shelter in California.aspx2019-06-01T04:00:00ZPush and Hide Post-Parkland Power of Awareness Outpaces Ransomware Attacks Review: Financial Investigations Security Credit for Personal Data Intoxication Issue After Heroism Vacancy for Human Traffickers Review: Casino Security Global Safety Plan Protects Corporate Travelers Owns the San Jose Galleon? Learned from the Notre Dame Fire Ways to Protect Open-Air Art Fight Against Fake Pharmaceuticals Smart Solutions Online Pharmacies on Two Wheels Review: A Practitioner’s Guide to Effective Maritime and Port Security Global Safety Plan Protects Corporate Travelers Prepare for Active Assailants Shipping Port Problems

 You May Also Like... Up with the Digital Edition<div class="body"> <p>Sometimes, with inclement weather, it’s not safe to go outside. If that happens as the calendar turns to November, you might just want to curl up with a good computer and the November digital edition of <em>Security Management</em>. Once you’ve logged in, you’ll find information in “Industry News” about safe rooms for when it’s really not safe to go outside. The slideshow gives you graphics of what these rooms look like—they are amazingly well decked out—and how one company takes special care to consider everything from the toilets to the color scheme so that those sequestered within will be comfortable. </p> <p>In the “Managing” department, you’ll see a video on executive protection training, and in the “International” department, you can watch an interview with the writer/director of a film about pirates, plus see excerpts from the film itself. What’s different here is that he looks at the issue from the perspective of the Somali pirates themselves.</p> <p>In “Technofile,” you’ll learn how companies are trying to protect their reputations online in this new social-media age.</p> <p>In “Homeland Security,” you’ll find out how the utility industry is working creatively to improve resilience of the electrical grid. There’s also an audio interview on how to survive a dirty bomb—yes, it is possible—and there are multilevel charts that show trends in terrorism, accompanied by a map of terrorism data.</p> <p>Also in this issue are the results of our survey on workplace violence. That’s in the “Intelligence” department, along with an audio interview with a consultant who talks about how one client handled a threat to the CEO. </p> <p>In “Case Study,” you’ll read about how the Regional Transportation District in Denver, Colorado, remodeled its security monitoring center and see a slideshow that shows the key elements of the central station as it came together. There’s also an audio interview where the commander of the monitoring center tells how it has helped the police catch criminals.</p> <p>But all of these are just the appetizers. The main course: Three features and a bonus.</p> <p>The first feature explores lessons from the earthquake in Haiti and Japan’s triple whammy of earthquake/tsunami/nuclear meltdown. It tells the story in words, accompanied by two videos, one focused on the big picture and another looking specifically at how one search and rescue team trains for these types of missions. There’s also a slideshow, a sidebar with more on how to rescue employees, an audio interview, and charts and maps.</p> <p>The next two features—one on UAVs (drones), the other on mobile device protection—have a similar cornucopia of offerings that appeal to all the senses. And the bonus gives you charts from our salary survey—plus, for members only, a link to the full 150-page salary survey book, a $135 value.</p> <p>With all that to chew on, you’ll want to spend some quality time with your computer—even if it is safe to go outside.<br> </p> </div>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Very Model of a Modern CSO<span style="line-height:1.5em;">​When J. David Quilter first headed a security department, he was the outsourced director of security. "I was like the third cousin once removed," he remembers. "You sat at your desk. You got a call when all the horses were gone and the barn was burned."</span><p>That was 1996, barely a decade ago, but a world away. Today, Quilter is the director of corporate security at NiSource Inc., which brought him in three years ago in response to 9-11 to build a consistent security program across its 15 operating companies.</p><p>Because NiSource, a natural-gas holding company, is part of the country's critical infrastructure, "security really is a business imperative," says Quilter. Consequently, he now has a dotted line to the chairman on the organizational chart. "I would not join a corporation today if I did not have direct access to the chairman and the executive leadership," he says.</p><p>Quilter's journey is emblematic of the path that all security professionals need to travel if they are to be effective stewards of their companies' assets. The roadmap to this leadership function was laid out last year in the ASIS International Chief Security Officer Guideline. And while it remains a road not yet widely traveled, each year brings with it more movement in that direction.</p><p>"We are seeing now the CSO job as breaking out of its traditional role as second or third tier within the organization," says Stephen W. Walker, general partner, the Foushee Group, Inc., which is in its fourth year of conducting its Security Compensation Survey. They are now reporting directly into whoever has the top administrative role within the organization, he says. "More importantly," he adds, "we are seeing companies start to integrate some of their information systems security into the CSO's office."</p><p>That is moving the corporation toward an enterprise security solution, and "that's where we need to be," says Don W. Walker, CPP, chairman of Securitas Security Services USA, Inc., and chairman of Pinkerton Consulting & Investigations, Inc. Walker served as co-chair of the ASIS Commission on Guidelines.</p><p>But progress has been uneven. "I've seen companies start in the direction where I thought they were going to get their hands around it and then back off for various reasons," he says.</p><p>Impediments have included budget constraints and the business culture. Walker estimates that today less than one-third of the corporate world has its security function set up with the desired enterprisewide model and with a strong CSO working closely with senior management to set and implement security policies.</p><p style="color:#000000;font-family:arial;font-size:12px;line-height:16px;"></p><p><strong>Macro, not micro. </strong><br>Before a company establishes a new chief security officer position or reorganizes its existing security function, it must understand what is at the heart of the guideline's model of a modern CSO.</p><p>"There's this misperception that all we are doing is adding physical or just adding IT," says Jerry Brennan, president of executive search firm Security Management Resources, Inc., who chaired the ASIS committee that wrote the guideline. "This is a governance position. It's not a tactical position, it's not an operational position," he says.</p><p>While the long-term goal is for the CSO title to convey a top-level security position as defined by the guidelines, it may not make sense to put too much emphasis on what the position is called at this early stage. Brennan notes, in fact, that the title can be misleading, because some IT people have simply taken the CSO title, even though they do not have overall responsibility for security. And conversely, many who function as true CSOs do not have the title.</p><p>At least for now, there's been no groundswell of activity to change the titles that heads of security departments have to the uniform CSO moniker. Among the nearly 4,000 U.S. members who responded to the ASIS 2004 Salary Survey, about 665 said they were the top-level security official in their company, but only 6 were CSOs. Among the entire ASIS membership, only about 60 members give CSO as their title.</p><p>Whether a company has someone called the CSO or not doesn't matter, says Andrew Howell, vice president of homeland security policy at the U.S. Chamber of Commerce. "Maybe they should be director of security. What matters is that that person should be empowered to do his or her job."</p><p>The level of authority and reporting lines granted to the head of security is indeed a key aspect of a CSO position under the guideline. It is the key to effectiveness, agrees Kevin Keefe, CSO for Fairpoint Communications, a telecommunications company. If the head of security "doesn't have the ability to mold or shape policy from the boardroom or from the senior staff meeting level, he's hobbled," he says.</p><p>Keefe, who started out in military intelligence and who describes his background as primarily physical security and law enforcement, notes that he has had the CSO title at several companies since the late 1970s. But it had a different meaning, more related to Department of Defense issues.</p><p>Today, though his title is the same, his duties are vastly expanded and his role more closely resembles what the guidelines envision. "We have five separate business regions and each region has someone in charge of safety and security, and I lead the team, so I was given the title CSO," he explains.</p><p>Keefe now describes himself as "a security professional who started out in the industry before IT even existed who has brought himself kicking and screaming into the 21st century." His willingness to grapple with those IT issues and "to surround himself with very very smart people in their field" has given him the ability to be the company's security generalist who can make sure the pieces fit together.</p><p><strong>Reporting lines. </strong><br>At Fairpoint, the CSO reports to the CEO through the vice president of risk management. That's also the reporting model at Marriott International, where Chad Callaghan, CPP, vice president of enterprise loss prevention, and a co-chair of the ASIS Guidelines Commission, heads up a new umbrella group for operational security and safety.</p><p>The group was set up a few months ago to ensure that all related policies and procedures would be looked at with a "total enterprisewide approach" across Marriott's four major business divisions. The formation of the umbrella group puts security in a better position to bring important issues before the CEO and the board, says Callaghan, as does the fact that security now reports to the senior vice president of risk management, rather than HR.</p><p>That's a good reporting arrangement, but not the only one that can achieve the objective of empowerment under the model envisioned by the CSO guideline. In fact, says Brennan, "We were specific in not recommending the title that the position would report to because we cannot anticipate how any company would be structured now or in the future."</p><p>"We tried to word it in such a way that the reporting would be to a senior person that allowed them access to the board of directors and operating committee, as well as send a message to the organization," he notes.</p><p>Some sectors have been more affected by regulatory demands on security than others. In banking, for example, financial institutions are now required to assist law enforcement with detection of money laundering and terrorist financing, and in most cases, the responsibility for suspicious-activity reporting falls with the security group, says P. Kevin Smith, CPP, senior vice president and corporate security director at Chevy Chase Bank.</p><p>"The importance of security has been recognized throughout the organization as the result of these changing responsibilities," says Smith. And that has led to a trend to elevate the chief security position in the financial services industry.</p><p>HIPAA is having a similar effect in the healthcare industry. For example, when Magellan Behavioral Health established its first security program in December 2000, it was directly related to HIPAA, though the department is now also helping the company deal with Sarbanes-Oxley and other issues, says Jeriel S. Garland. Garland, who has a background in law enforcement but who also has a degree in computer studies, was hired to fill the CSO position about a year and a half ago.</p><p>Garland says he still sees a division between traditional security and IT in many companies and in the minds of many security professionals. That's a mind-set that has to be overcome by anyone who aspires to the top slot, he says. "If people are going to become CSOs, they have to understand fundamentals in a lot of different disciplines. They don't have to be able to manipulate a firewall, but they need to know what their people are telling them."</p><p>And in his case, the CSO title is apt. When the program was established, explains Garland, the company "made the decision to put one person in substantial charge of all security activities and designated that person as CSO."</p><p>The position oversees all security activities for the company, including physical, personnel, investigations, and IT. And this year, Garland has the green light to further expand the department's purview to consolidate the company's contingency planning and emergency-response efforts.</p><p>Right now, he says, that responsibility is fragmented, with pieces in IT, pieces in operations. "It's a critical function in business today and deserves someone who is a specialist in that," he says. To achieve that objective, he will be hiring someone to fill a new position of director of disaster recovery and business continuity.</p><p>Garland is not alone in being given greater responsibilities. "It seems like we get a new area of responsibility almost on a monthly basis," says Gordon W. Kettler, executive director of global security for General Motors Corporation since 1990.</p><p>His department's scope includes investigations, crisis management, fire protection, security technology assessment and purchase, contract management, brand protection, VIP protection, global intelligence gathering, loss reporting, and supply chain security.</p><p>The security team also shares responsibility for information security. For example, he explains, "We provide the physical security and investigative activity including forensic investigations, and IT provides support."</p><p style="color:#000000;font-family:arial;font-size:12px;line-height:16px;"></p><p><strong>Business alignment.</strong> <br>Whatever the range of security's duties, the department's prime mission always has to align with the company's. That means being a trusted partner.</p><p>"We get brought into the planning process to figure out what's the best way to go forward with any new service or new product," says Kettler, and security is asked to assist in the due diligence to determine whether a new location is a good place to buy or build a facility. The bottom line is that "we are part of the equation," he says.</p><p>The company's attitude toward security may be due in large part to Kettler's attitude toward the company. Though he has been in the security field for 41 years, working his way up from an entry-level security officer position, and earning a bachelor's and master's degree in criminal justice, he says that he thinks of himself as an automobile executive who does security.</p><p>"It's more important to understand the business than to be a standalone security person and be recognized that way in the business," he says.</p><p>Avaya's Allison concurs, noting that her department's biggest challenge is "to stay completely aligned with the business."</p><p>That business mind-set is another key component of a model CSO as envisioned by the ASIS guidelines. And it is an ongoing challenge to translate that into concrete actions, because business objectives, like security situations, are constantly in flux.</p><p>For example, explains Allison, "we've just acquired three companies, the largest one of them being 5,000 people over in Germany. So we'll have to deal with all the physical security issues of those sites. But we will also have to deal with issues such as: Is this a new technology we've brought in? What are its security requirements? How does that fit in with the company?"</p><p>Being aligned with the business also means being aware of the financial impact. "I make a strong business case for everything I do," says Quilter.</p><p>At GM, says Kettler, the security department follows the same process as other business units to streamline operations. They call it value-stream mapping or determining what is really needed to run and protect an operation. "That doesn't mean skimping on it," he says. "It just means taking waste out."</p><p>Alignment also means taking more of a risk-management approach, analyzing the company's specific situation to make sure that security resources are cost-effectively deployed. "CSOs are getting much better at risk-management concepts of prioritizing and allocating budgets to where it really protects the assets of the corporation," says Walker.</p><p><strong>Pressure points. </strong><br>Being aligned with the business does not, however, mean kowtowing to executives when it comes to important security precautions. And that can mean taking some heat.</p><p>"Of course, everybody will try to second-guess you," says Allison. She gives one example related to the 2004 Summer Olympics in Greece.</p><p>Given the level of concern about a terrorist attack at the time, her department recommended that the CEO not go, and he agreed. Afterwards, when nothing happened, he expressed regrets about having missed a fun event.</p><p>"I said it was great on TV, but what I was able to do through the State Department's Overseas Security Advisory Council was to show him some of the things that they weren't showing on TV where they had issues with hooligans in the Olympic village, fire bombings, and IED incendiary devices," Allison says.</p><p>She stood by her recommendation, and the CEO was satisfied. You have to have that rapport with the CEO, says Allison, and "you have to know when to go up there; you have to know when to call your shots."</p><p>Ultimately, the successful CSO must adroitly combine being a good business partner with being an independent voice capable of telling executives what they do not want to hear. That takes more than a solid knowledge base.</p><p>"Leadership includes taking risk," says Quilter. "If you don't have that level of confidence in your own ability, you need to be a manager.... If you are going to lead, know that there's risk there."</p><p style="color:#000000;font-family:arial;font-size:12px;line-height:16px;"></p><div align="left"><p><strong>Fewer Budget Blues</strong></p></div><p>Security budgets were up 9.1 percent in 2004, compared to 2003, according to the 2004 ASIS U.S. Salary Survey. That supports the view expressed by most of the security professionals interviewed for this article that companies are adequately funding the security function and are being given the additional resources they need to handle the expanding duties arising from new regulations and concerns about terrorism.</p><p>"I have to justify my budget just like everybody else," says Jeriel S. Garland, chief security officer at Magellan Behavioral Health. "But as long as I can justify it, they really haven't turned me down for anything that I thought was significant," he says. That was the general experience of many others as well.</p><p>Of course, security department fortunes are closely tied to their companies' financial success and to the economics of the sector they serve. For example, at Avaya, Inc., the security budget and staffing is starting to trend up, says Marene N. Allison, director of global security, but that's not because the company is spending more on security per revenue dollar, she explains. It is "just because revenue dollars are actually increasing."</p><p>On the flip side, because the telecommunications sector is flat, "we are having to do with a little bit older equipment," says Kevin Keefe, chief security officer at Fairpoint Communications, and the tight budget means sometimes getting "just a single reporting alarm system as opposed to having an Internet or WAN alarm-activated video link."</p><p>Keefe has a long-term goal to have every location linked through the Internet. And that long-term planning is key, says Arnette Heintze, director of security for PepsiCo Beverages and Foods. "You do it a little bit at a time, year after year."</p><p>And you look for ways to "dollarize" the value that security returns to the company. For example, says Heintze, you explain that insider theft costs companies an average of 6 percent and tie that to your own company's revenue. Ultimately, if the company is serious about security, he says, senior executives will be willing to bear the expense of security in return for the benefits.</p><p> <img width="328" src="" height="300" alt="" style="margin:5px;" /> </p><p> <img width="333" src="" height="301" alt="" style="margin:5px;" /> </p><p> <img width="319" src="" height="298" alt="" style="margin:5px;" /> </p><p> <img width="315" src="" height="219" alt="" style="margin:5px;" /> </p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Makers’ Protection Prescription<p>As I gulped down a couple of Tylenol tablets while writing this article on security at pharmaceutical facilities in Puerto Rico, I remembered that the pills were, coincidentally, made at the very location I was describing. Before researching this topic, I would not have known that all of Johnson & Johnson’s Tylenol tablets are manufactured in the U.S. commonwealth of Puerto Rico, an archipelago located east of the Dominican Republic, 1,000 miles southeast of Miami.</p><p>Chances are good that you too have swallowed, inserted, or injected medicine that has originated in Puerto Rico, because 16 of the top 20 best-selling drugs in the United States are made in Puerto Rico, according to the government-run Puerto Rico Industrial Development Company and the private Pharmaceutical Industry Association of Puerto Rico. Many other countries around the world import drugs from the commonwealth as well. Eight drugs other than Tylenol are manufactured exclusively there.</p><p>More than 60 pharmaceutical plants dot the 3,500 square miles of Puerto Rico’s main island, ranging from Mayaguez on the western tip to Fajardo on the east coast. All of the U.S.-based heavyweights are there, along with some European counterparts: Pfizer, Bristol-Myers Squibb, Merck Sharp & Dohme, Amgen, Johnson & Johnson, Abbott Labs, Wyeth, Schering-Plough, Eli Lilly, AstraZeneca, and GlaxoSmithKline. They churn out powerhouse drugs such as the cholesterol-lowering medications Lipitor (Pfizer) and Zocor (Merck), the antibiotic Zithromax (Pfizer), and the antipsychotic Zyprexa (Eli Lilly). Despite being fierce competitors at the drugstore, these companies collaborate closely on their security.</p><p>The following is a look at how these companies are battling one of their top concerns, terrorism, and how they are preparing for the worst through emergency planning.</p><p><strong>Antiterrorism</strong><br> The pharmaceutical industry as a whole has been mentioned by the Department of Homeland Security as being a potentially soft target. In Puerto Rico, the danger is expected to come, if it arises, from foreign terrorists, explains Luis Fernandez, regional security director, corporate security, technical operations, Puerto Rico, at Bristol-Myers. He and others say that it is far less likely that an attack would come from home-grown agitators because so many locals are dependent on the chemical and drug industries.</p><p>The presence of foreign terrorists is more than theoretical. The FBI and other federal agencies have documented that foreign terrorists travel through Puerto Rico to go elsewhere, he says.</p><p>“Puerto Rico isn’t under a [specific] threat, but we want to dissuade” terrorism, says Jose A. Cruz, CPP, security manager at Abbot Laboratories.</p><p>Abbott Labs is one of several pharmaceutical campuses in the coastal village of Barceloneta, which is about a 45-minute drive west from San Juan. Wooed by favorable tax laws, Pfizer was the first to arrive in Barceloneta in 1973, with Abbott, Bristol-Myers, and Merck following later.</p><p>Pharmaceutical plants cluster in various locations around the island, with Barceloneta being one. Over in Carolina, just a cough and a sneeze east of the capital city, AstraZeneca, Wyeth, and Eli Lilly plants form another hive.</p><p>This practice of collocating facilities creates both problems and benefits. One negative is that it puts many dangerous chemicals in proximity to one another. Ammonia, chlorine, dimethyl sulfide, and sulfuric acid, all used in the pharmaceutical production process, are potential weapons in a terrorist attack (or potential hazards in an accidental release).</p><p>“You could have a scenario where tank farms [where chemicals are stored] are attacked,” says Cruz. “You don’t need to build a WMD [weapon of mass destruction]; this is a WMD in a tank.”</p><p>On the plus side, however, the close proximity of campuses helps the facilities coordinate their security efforts. Every security professional interviewed for this story remarked on the extraordinary security cooperation among companies that are bitter rivals in the marketplace.</p><p>“There’s lots of sharing of experience, sharing of best practices,” says Jose Aponte, CPP, security manager at AstraZeneca. “We see ourselves as a working team even as we’re competitors.”</p><p>Collectively, they have developed antiterrorism programs that consist of these primary elements: general staff awareness, security staff awareness focused on countersurveillance, and targeted use of technology for perimeter protection and general physical security.</p><p><strong>Security awareness.</strong> </p><p>Everything begins with instilling a sense of responsibility for security in all members of the staff, from product inspectors to loading dock personnel. The training begins at week one of the job, where new hires at all of the companies interviewed receive a course on security awareness that lasts for at least an hour, sometimes significantly longer.</p><p>Issues addressed include workplace violence, employee theft, improper access to sites, and diversion/counterfeiting, but antiterrorism is always a significant component of the classes. A primary aspect of the lesson is the importance of observation, of detecting when something is out of place or just doesn’t look right.</p><p>The emphasis on awareness doesn’t end at orientation. At Merck, for example, employees receive a steady flow of security-related e-mail tips and updates, says Security Manager José M. Sampayo, such as advisories when internal access procedures have changed.</p><p>At Bristol-Myers, says Fernandez, “Our mandate is that we have a responsibility to provide training to the whole plant population.” To that end, refresher training is provided monthly. At “town hall meetings,” general staff and security personnel discuss incidents that have occurred in the company and how workers dealt with them. These yield lessons for improving security vigilance.</p><p>Under federal law, contractors who move about these facilities unescorted must receive security instruction, and awareness training is a large component of that. Under the Occupational Safety and Health Act, all visitors must be escorted at all times. At Merck and elsewhere, anyone who will be traveling unaccompanied on the property must receive security awareness training.</p><p>Because employees may consider security briefings to be drudgery, some companies attempt to make them enjoyable. Sampayo says Merck holds an annual security awareness week in which lessons are inculcated through hands-on demonstrations, colorful speakers, engaging exhibits, and lively video. Other members of the Pharmaceutical Industry Association of Puerto Rico have recently followed suit in holding more entertaining security events, he says.</p><p><strong>Countersurveillance.</strong> </p><p>While all staff members are encouraged to keep their eyes out for anomalies, the contract guard forces are even more highly trained in what clues to look for as indications of possible terrorist planning or industrial espionage; this is the art of countersurveillance: always keep your eyes open.</p><p>At Merck, Sampayo says that his contract force looks for indicators such as cars pulling over near the plants or passersby snapping photographs. If activity raises concerns, the company will send out a patrol to ensure that nothing untoward is afoot. Suspicions are promptly reported to the authorities. “Even a low-flying helicopter might be reported to the FBI, Sampayo says.</p><p>In January, says Abbott Labs’ Cruz, he got a call from a security officer who had intercepted someone just outside the fence line of one of the campuses. The person had been videotaping the property. Concerned about possible surveillance, Cruz interviewed the cameraman.</p><p>It turned out that he was a television reporter looking for footage for a report he was doing on layoffs in the pharmaceutical industry. Cruz called the station the reporter worked for to verify the story and concluded he wasn’t a threat.</p><p>Countersurveillance is a common topic of discussion at the private monthly meetings of the security subcommittee of the Pharmaceutical Industry Association of Puerto Rico. Members share concerns, findings of suspicious activity, and suggestions for improvements in techniques.</p><p>If an incident or specific threat occurs, countersurveillance, along with other antiterrorist measures, is ratcheted up in accordance with the color-coded Homeland Security Advisory System.</p><p><strong>Layered protection.</strong> </p><p>Pharmaceutical campuses in Puerto Rico can span hundreds of acres. The typical plant secures this territory by establishing concentric rings of physical protection. Plants also use overlapping layers of human and technological protective measures. These measures achieve multiple purposes—deterring theft, ensuring quality control, and reducing the risk of a terrorist attack.</p><p>It starts at the perimeter, where there is typically both an outer and inner security fence. Sensors are aligned along the fencing, and they are set to send alarms to the central control station if any suspicious activity is detected.</p><p>Augmenting both physical patrols and the data that sensors can provide, some campuses have “virtual patrols” conducted by digital cameras posted along the perimeter. (Whenever a Puerto Rican company wants to use CCTV, it must notify its staff and anyone entering the property.) Typical for the industry are long-range, low-light cameras that operate well at night. Cameras tie with alarms to provide the central station with video of activity at any alarm point.</p><p><em>Natural terrain.</em> Companies also take advantage of the natural terrain in considering how their perimeter is secured. For example, campuses in Barceloneta are ensconced among limestone mogotes, conical hills that rise to about 160 feet. This rough terrain is difficult to traverse, and presents an imposing barrier to any type of vehicle bomb.</p><p>Some campuses intentionally leave a portion of their land undeveloped to create a buffer zone of mogotes and surrounding inhospitable land. This natural landscaping also buffers the outside world from any leak, explosion, or fire on the property.</p><p>The mogotes could also be seen as offering cover for someone looking to sneak onto the property. However, that person would have to navigate dense foliage and rough terrain, then at minimum, scale a barbed-wire-topped fence equipped with sensors to get into production areas.</p><p><em>Access controls.</em> To get into or out of the property, vehicles must pass through controlled entry points, where some inspection and ID process is typical. For example, Bristol-Myers has a program in which all vehicles entering and leaving the plants get scrutinized by security staff.</p><p>Officers check drivers’ credentials and compare shipping manifests to the actual content of the vehicle. The program primarily identifies theft, but it is an excellent deterrent against an attempted truck bombing.</p><p>A few years ago, Fernandez says, a comparison of a manifest and the contents of a truck revealed the presence of 14 extra pallets of Pravachol, a cholesterol-lowering drug, worth $1.7 million. To identify the discrepancy, a worker had to snake through tightly packed boxes on the truck.</p><p>The company recovered the goods, and the fallout from the incident—including the firing of some Bristol-Myers staff—sent a strong message about security. That kind of message is helpful for deterring terrorism as well, says Fernandez.</p><p><em>Inner defenses. </em>Moving inward from the perimeter, cameras also help to surveil other key points, such as the chemical-storage facilities, called tank farms, which are typically placed well inside the campus perimeter. For example, the Bristol-Myers tank farm in Humacao, which is located on the east coast of the main island, is patrolled by guards and cameras and ringed by a 16-foot alarmed fence that uses a photoelectric beam system to detect intruders.</p><p>Quality control. Integrity of the manufacturing process, while a safety issue, also has security components. “Contamination of product by terrorists is always a concern,” says Fernandez of Bristol-Myers. Accordingly, Bristol-Myers has full CCTV coverage in all of its production lines, an access control system that limits entry to the production floor, and alarm systems in the production areas.</p><p>Quality control departments constantly test for integrity. For example, before Bristol-Myers’ product leaves the premises, it goes into a numbered, sealed container. If the seal is broken, the number on that seal is reported back to the plant so that the company can figure out which batch of product may have to be kept off store shelves. Merck has a similar quality control program.</p><p>The types and quantities of the chemicals on site, as well as the potential for pharmaceutical plants to attract terrorists, make emergency preparedness planning essential. In fact, a tapestry of laws and regulations require these companies to have certain measures in place. For example, the Occupational Safety and Health Administration requires each site to have emergency response brigades.</p><p>Pharmaceutical companies work closely with the community and with each other to prevent and prepare for disasters. Much of this effort occurs through a local Community Awareness and Emergency Response (CAER) group, operated in conjunction with local fire departments. (CAER groups are required of companies that wish to adhere to the American Chemistry Council’s CAER Code of Management Practices, intended to ensure that each facility has adequate emergency response capability.) The local CAER group typically coordinates one mock disaster scenario per year and conducts an annual tabletop exercise. Individual companies augment these with their own full-scale exercises for responding to spills, fires, and other crises.</p><p>The CAER group also reaches out to children through schools and camps. A couple of years ago, for example, members of the Bristol-Myers Squibb emergency response team in the town of Manatí were among those at a CAER outreach activity at the Antonio Velez Alvarado Elementary School. The members displayed emergency equipment and educated the children and teachers on fire prevention.</p><p>CAER is also the point of contact in a real emergency. If any facility has an emergency, staff knows to notify (via phone or radio) CAER, which will put out the word to the members, requesting specific equipment or expertise that the afflicted facility might not have. For example, Merck sends members of its fire brigade to a special school in Texas where they learn the latest techniques in emergency preparedness. For its part, Abbott Labs has specialized nuclear and chemical detectors, says Cruz.</p><p>This cooperation depends on the goodwill of the various emergency brigades, and the companies work to foster positive relationships. From time to time, groups of brigades will hold joint family days involving food and friendly competitions, including tug of war and rapid dressing in a hazmat suit. These informal contacts break down barriers and ensure that personnel from different companies will be familiar with each other in an emergency situation.</p><p>Pharmaceutical companies also contribute extensively to the knowledge base of local emergency responders. AstraZeneca works closely with the community, says Aponte. Like Merck, Astra-Zeneca brings first responders to its sites to familiarize them with the layout and activities there. They train with the staff emergency response team.</p><p>The situation is similar at Merck. Instead of private industry depending on the government to offer training or resources, it’s the other way around, Sampayo says. “We offered them training in 2005 for local, state, and municipal police in the northern region.”</p><p>Merck brought in about 50 or 60 officers, walked them through plant operations, and showed them how the company responds to leaks, spills, fires, and explosions. After three or four days of intensive training, the officers went through a full-dress mock drill where they responded to simulated disasters. The exercise was complete with a smoke machine, fire trucks, hazmat suits, and ambulances. “The whole idea was to familiarize them,” Sampayo says, so they would know how to deal with a spill or other scenario.</p><p>“These are courses that are not taught in the police academy in Puerto Rico,” he explains. “The police are first responders, but if they’re not properly trained, they will become the first victims.”</p><p>Eventually, Sampayo says, he would like to conduct advanced training for this group of officers and repeat the basic training for a new cadre of police. The ultimate objective is to put all the elements in place for the right kind of chain reaction if a real accident or attack occurs at a chemical facility.</p><p><strong>SYNOPSIS</strong></p><p>Puerto Rico has become home to a prominent pharmaceutical industry; more than 60 pharmaceutical plants dot the 3,500 square miles of Puerto Rico’s main island. Chief among the industry’s security worries is the risk that the chemicals they handle could be used as explosives should they fall into the wrong hands.</p><p>Many of the pharmaceutical campuses in Puerto Rico cover hundreds of acres, making perimeter protection a major concern. The typical plant, say experts, uses concentric rings of protection—specifically, outer and inner perimeter fencing. Random guard patrols also surveil the perimeter. Tank farms receive special attention.</p><p>The types and quantities of chemicals on site, and the potential for pharmaceutical plants to attract terrorists, make emergency preparedness planning essential. Pharmaceutical companies work closely with the community and with each other to prevent and prepare for disasters. They do this through local Community Awareness and Emergency Response (CAER) groups, operated in conjunction with local fire departments.</p><p>Do This, Don’t Do That<br> Pharmaceutical companies face the challenge of complying with a host of overlapping regulatory schemes. While each has its purpose, and all of the requirements may be well-intentioned, they can lead to some redundancy. For example, one security manager’s facilities were inspected at least ten times in 2006 alone. (He did not complain about it, but merely cited it as evidence of how strict the requirements are.) Here’s a look at some of the compliance regimes with which companies must deal.</p><p>The Customs-Trade Partnership Against Terrorism (C-TPAT) program is designed to give companies an incentive to raise security standards. Companies that meet standards of supply-chain security get through U.S. Customs and Border Protection faster, saving time and money. Validation teams from C-TPAT go on site at pharmaceutical firms that want to be C-TPAT members; they conduct detailed reviews of personnel and physical security, access controls, conveyance security, manifest procedures, and other areas.</p><p>Other government agencies—such as the Food and Drug Administration, the Department of Transportation, and the Drug Enforcement Administration, to name a few—have security regulations that apply to the pharmaceutical industry as well. For example, FDA regulations attempt to ensure the integrity of pharmaceutical products. Some regulations are designed to prevent terrorists from tampering with the drug supply.</p><p>Some companies also comply with the American Chemistry Council’s Responsible Care Security Code, which calls on companies that use or work with chemicals to conduct comprehensive vulnerability assessments of their facilities, put in place security enhancements, and obtain independent verification that those enhancements have been made.</p><p>More regulatory hurdles are on their way. As this issue went to press, DHS had received comments on its draft interim rules on antiterrorism security requirements for chemical facilities. (The rules were passed pursuant to the DHS Appropriations Act of 2007.) Those rules would require chemical facilities that present a “high level of security risk” to conduct vulnerability assessments and develop and implement site security plans based on those assessments. (The final rule was released April 4, 2007.)</p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465