Enterprise Risk Management

 

 

October 2017 SM Onlinehttps://sm.asisonline.org/Pages/October-2017-SM-Online.aspxOctober 2017 SM OnlineGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-10-01T04:00:00Z<h4>​INSIDER THREATS</h4><p>Forty-nine percent of organizations said they are in the process of creating an insider threat program, but 31 percent still do not have a plan and are not addressing threats through one, according to the SANS survey <em><a href="https://www.sans.org/reading-room/whitepapers/awareness/defending-wrong-enemy-2017-insider-threat-survey-37890" target="_blank">Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey. </a></em>The study concludes that although a greater number of attacks might come from outside the organization, the most serious damage is done with help from the inside. The report highlights the importance of managing internal threats as the key to winning at cybersecurity.</p><h4>EVACUATIONS</h4><p>To prepare for crises, U.S. embassies are required to conduct nine types of evacuation drills each fiscal year, including duck-and-cover, bomb threat, and chemical/biological response. But these requirements are not always met, according to <a href="https://www.gao.gov/products/GAO-17-714%20%E2%80%8B" target="_blank">a recent report by the U.S. Government Accountability Office. </a></p><h4>ASSET SEIZURE </h4><p>The U.S. Department of Justice<a href="https://www.justice.gov/opa/pr/attorney-general-sessions-issues-policy-and-guidelines-federal-adoptions-assets-seized-state" target="_blank"> issued new guidelines</a> on federal adoptions of assets seized by state or local law enforcement. </p><h4>DIVERSE TEAMS<br></h4><p>Increasing workplace diversity is a good business decision, according to <a href="https://hbr.org/2016/11/why-diverse-teams-are-smarter%20%E2%80%8B">a recent article from the Harvard Business Review.</a> It reports that companies with diversity in management are more likely to have financial returns above their industry mean, and diverse teams focus more on facts and are more innovative.</p><h4>PUBLIC SAFETY</h4><p>Canada Minister of Public Safety and Emergency Preparedness Ralph Goodale <a href="https://www.parl.ca/LegisInfo/BillDetails.aspx?Language=E&billId=9057418&View=0%20%E2%80%8B">introduced a bill </a>that would create new oversight measures for the nation’s spy agencies. It would create the National Security and Intelligence Review Agency to review departments and agencies within the Canadian government that have national security functions.</p><h4>MOBILE DEVICES</h4><p>The lack of security on mobile devices off the shelf, combined with usage by federal employees who might handle sensitive information, is a threat to national security, <a href="https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf%20%20%E2%80%8B" target="_blank">according to a U.S. Department of Homeland Security study. </a></p><h4>SCHOOL SAFETY</h4><p><a href="http://www.gallup.com/poll/194693/parents-fears-child-safety-school-unchanged.aspx%20%20%20%E2%80%8B" target="_blank">A Gallup poll </a>based on telephone interviews with a random sample of American parents revealed that the spikes in parents’ fear for their children's safety in the wake of high-profile school shootings have receded.  </p><h4>DRUGS </h4><p>Pharmaceutical manufacturer and generic oxycodone provider Mallinckrodt LLC will pay $35 million <a href="https://www.justice.gov/opa/pr/mallinckrodt-agrees-pay-record-35-million-settlement-failure-report-suspicious-orders%20%E2%80%8B">to settle allegations</a> that it violated provisions of the U.S. Controlled Substances Act.</p><h4>GAG ORDERS</h4><p>A U.S. federal appeals court <a href="http://cdn.ca9.uscourts.gov/datastore/opinions/2017/07/17/16-16067.pdf" target="_blank">upheld rules</a> that allow the FBI to issue surveillance orders to telecommunications firms that prevent them from disclosing the order. </p>

Enterprise Risk Management

 

 

https://sm.asisonline.org/Pages/October-2017-SM-Online.aspx2017-10-01T04:00:00ZOctober 2017 SM Online
https://sm.asisonline.org/Pages/Security-Cares-Aids-the-Dallas-Community.aspx2017-09-25T04:00:00ZSecurity Cares Aids the Dallas Community
https://sm.asisonline.org/Pages/Less-is-More.-A-KISS-Approach-to-ESRM.aspx2017-09-12T04:00:00ZLess is More: A KISS Approach to ESRM
https://sm.asisonline.org/Pages/Five-Insights-on-ESRM.aspx2017-09-01T04:00:00ZFive Insights on ESRM
https://sm.asisonline.org/Pages/Book-Review---Soft-Targets.aspx2017-09-01T04:00:00ZBook Review: Soft Targets
https://sm.asisonline.org/Pages/Calm-in-the-Crucible.aspx2017-09-01T04:00:00ZCalm in the Crucible
https://sm.asisonline.org/Pages/A-Professional-Path.aspx2017-09-01T04:00:00ZA Professional Path
https://sm.asisonline.org/Pages/A-Shift-in-Global-Risk.aspx2017-08-01T04:00:00ZESRM: A Shift in Global Risk
https://sm.asisonline.org/Pages/Action-Needed-To-Better-Manage-Physical-Security-Risks-To-The-National-Mall.aspx2017-07-28T04:00:00ZAction Needed To Better Manage Physical Security Risks To The National Mall
https://sm.asisonline.org/Pages/Report--Most-InfoSec-Professionals-Think-Their-Companies’-Security-Solutions-Are-Outdated.aspx2017-07-14T04:00:00ZReport: Most InfoSec Professionals Think Their Companies’ Security Solutions Are Outdated
https://sm.asisonline.org/Pages/NIST-Releases-Digital-Identity-Guidelines.aspx2017-06-23T04:00:00ZNIST Releases Digital Identity Guidelines
https://sm.asisonline.org/Pages/Book-Review---Info-Risk.aspx2017-05-01T04:00:00ZBook Review: Info Risk
https://sm.asisonline.org/Pages/The-Roots-of-Risk.aspx2017-05-01T04:00:00ZThe Roots of Risk
https://sm.asisonline.org/Pages/Facebook-Takes-Action-To-Limit-Spread-of-Propaganda.aspx2017-04-28T04:00:00ZFacebook Takes Action To Limit Spread of Propaganda
https://sm.asisonline.org/Pages/Cinco-Acontecimientos-que-Moldearon-la-Gestión-de-Crisis.aspx2017-04-12T04:00:00ZCinco Acontecimientos que Moldearon la Gestión de Crisis
https://sm.asisonline.org/Pages/ERM-Best-Practices.aspx2017-04-01T04:00:00ZERM Best Practices
https://sm.asisonline.org/Pages/Book-Review---Enterprise-Risk-Management.aspx2017-03-29T04:00:00ZBook Review: Enterprise Risk Management
https://sm.asisonline.org/Pages/Lessons-in-Liability.aspx2017-03-01T05:00:00ZLessons in Liability
https://sm.asisonline.org/Pages/SM-Online-February-2017.aspx2017-02-01T05:00:00ZSM Online February 2017
https://sm.asisonline.org/Pages/Trade-Secrets-2.0.aspx2017-02-01T05:00:00ZTrade Secrets 2.0

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Less-is-More.-A-KISS-Approach-to-ESRM.aspxLess is More: A KISS Approach to ESRM<p dir="ltr" style="text-align:left;">Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years, and ASIS International has identified it as a strategic focus. But a review of the literature, beginning with the <a href="https://cso.asisonline.org/esrm/Documents/CSORT_ESRM_whitepaper_%20pt%201.pdf">2010 CSO R​​oundtable paper<sup> </sup>on ESRM</a>, raises two issues that could make implementation difficult.</p><p dir="ltr" style="text-align:left;">First, the initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO). Appealing though it might be to have "Head of Risk Management" appended to one's job title, "I'm not busy" is NOT a common refrain among security managers. In many organizations, managing the risks across all security functions—that is, physical, cyber, and information—is already an enormous task, so operational and reputational risk should remain elsewhere. </p><p dir="ltr" style="text-align:left;">The idea that all responsibility for risk should fall to security seems to have tapered off somewhat since the first few papers on ESRM, but security managers will still be better served if they ensure that ESRM focuses on the "S" in the title, security.</p><p dir="ltr" style="text-align:left;">Second, there is often a tendency towards complexity and granularity in ESRM systems where simplicity is more appropriate. Risk management is an area where it is easy to quickly become bogged down in detail, and the drive for more and better data can stymie the process. If we consider the ISO definition of risk as "the effect of uncertainty on objectives" (<a href="https://www.iso.org/standard/44651.html">ISO 73</a>), trying to become more and more specific overlooks the baked-in nature of uncertainty. </p><p dir="ltr" style="text-align:left;">Moreover, when quality data is not available, as is often the case with security issues, trying to analyze risk at a more and more granular level can produce a less-accurate assessment. Granularity and massive amounts of information can be used in Big Data systems, but most organizations don't produce enough security-specific data for that kind of analysis. Even with large amounts of data this can still go wrong. As an example, tinkering at the micro level while assessing the risks in the U.S. mortgage bond markets back in 2008 gave the impression that things were fine, even though all the warning signs were visible (but largely ignored) at the macro level. </p><p dir="ltr" style="text-align:left;"><strong>Moving to ESRM with a KISS Approach</strong></p><p dir="ltr" style="text-align:left;">Although more complicated than a purely security-centric approach, a risk-led approach is an effective way to approach security. This directly links security activities to the organization's overall objectives and goals, integrating security risk with the organization's overall ERM system. This approach also helps bridge the gap with contingency planning, business continuity management, and crisis management, and it significantly improves response and post-event recovery. Moreover, ESRM helps the elements within the security function coordinate more effectively. </p><p dir="ltr" style="text-align:left;">Finally, a robust and effective risk management system also removes a great deal of subjectivity from planning and decision making, which enhances organizational efficiency. In many ways, risk is the common language of business and the sooner we all share that language, the more effective we will be. Investing time and effort into the ESRM system and moving towards a risk-led approach does pay off in the long run.</p><p dir="ltr" style="text-align:left;">So there are real benefits in implementing an ESRM system but these two issues—pushing security to take on a wider risk management role and a tendency towards complexity—could make implementation seem an impossible task and one that many CSOs would find daunting, deterring them from taking this course. However, an ESRM system does not have to be overly complex, nor something that disrupts day-to-day operations. In fact, for most security managers, a KISS approach—keep it simple, security folks—is the best way to tackle ESRM. This does not suggest that there aren't challenges in implementing an ESRM system or that additional work and change won't be necessary. But a KISS approach facilitates implementation and makes the ESRM system much more effective.</p><p dir="ltr" style="text-align:left;">But how can we do this and keep things simple?</p><p dir="ltr" style="text-align:left;">Four basic principles can assist with the implementation of a simple yet effective ESRM program: use a standard approach, start speaking risk, become objectives-led, and accept uncertainty. </p><p dir="ltr" style="text-align:left;"><strong>Use a standard approach to risk management, not one that is security-specific.</strong></p><p dir="ltr" style="text-align:left;">Each business or function will want a solution that is tailored to its needs, but this causes inefficiency when working in a cross-functional environment. Imagine for one second what would happen if every department used its own accounting processes: mayhem, and probably lawsuits, would ensue. This problem could even arise within the security function itself if cybersecurity tried to use one approach to risk management, and asset protection used a different one. </p><p dir="ltr" style="text-align:left;">A robust, comprehensive risk management system will allow room for adjustment at the functional level while still applying a standard approach that can be used across the entire organization. So, rather than finding a security-specific definition for risk, or processes tailored to the department, start with a basic approach to risk management. Ideally, this would mean adopting your organization's existing system and processes that you can adapt to fit the needs of the security team. In some instances, you might need to start from scratch—in that case I would recommend <a href="https://riskademy.co/2017/03/10/twelve-core-elements-for-risk-management/" target="_blank">going back to basic, first principles</a> which can then be scaled up to integrate with a future ERM system.</p><p dir="ltr" style="text-align:left;"><strong>Learn to speak risk.</strong></p><p dir="ltr" style="text-align:left;"><a href="https://riskademy.co/2017/02/24/what-do-you-mean-by-risk/" target="_blank">Risk provides organizations with a common language and mindset</a> that can be applied across departments and functions to help with discussions and decision making. Even within the security function itself, having cyber, information, and physical security teams use a common language will make life easier for the CSO. "Speaking risk" can be more complicated than it might first appear, because terms can be applied differently and <a href="https://riskademy.co/2017/04/03/wdymb-risk-perception-and-risk-communication/" target="_blank">there are some complex influences that affect how we perceive risks.</a> At first, there will be a need for regular clarification on how terms are being used until the correct usage becomes commonplace. Adapting existing materials to suit the new lexicon will also take time, but the ERM system should define the key terms and concepts and these should be adopted as early in the ESRM process as possible. </p><p dir="ltr" style="text-align:left;"><strong>Become objectives-led, rather than assets-focused. </strong></p><p dir="ltr" style="text-align:left;">Using a risk vocabulary doesn't just help with discussions: it also helps change mind-sets and perspectives. If something akin to the ISO definition—that risk is "the effect of uncertainty on objectives"—is used, the focus on objectives should become second nature, which has multiple benefits:</p><ul><li>It allows individuals and teams to practice what the U.S. military calls disciplined initiative: leaders at all levels understand the commander's (in this case the organization's) overall intent and can shape their activities to support that without step-by-step direction.<br><br></li><li>Being objectives-led moves from a reactive to a proactive mindset. Instead of thinking, "<em>x</em> has happened, so we need to do <em>y</em>," organizations can consider "what effect could <em>x </em>have on our objectives?" and act accordingly.<br><br></li><li>Security can better support the organization when mitigation measures and contingency plans are developed with the organization's top-level objective in mind. This is best summed up by something an embassy regional security officer said while discussing security in a higher-risk country: "The best way to keep everyone safe here is to keep them inside [the embassy] but that's not my job. My job is to help them get out there and do their jobs as safely as possible."  ​<br><br></li></ul><p>Becoming objectives-led is not only applicable in day-to-day "peacetime." It is extremely important during the response to an event where a proactive, objectives-led stance will significantly improve the organization's chance of survival.</p><p><strong>Accept uncertainty and avoid over-specification. </strong> </p><p>We are awash with data, email alerts, and warnings that swamp us with information. That can quickly lead to analysis paralysis: if we are presented with every possible permutation, possibility, and outcome for a situation, how can we effectively decide what to do next? From an ESRM perspective, avoiding this paralysis requires two things. </p><p>First, the system should accept uncertainty and avoid trying to become too specific. Ultimately risk management is a decision-making tool that helps put risks into a comparative order, but it doesn't measure risk per se. Trying to measure risk to one or two decimal places is extremely difficult in all but the most well-documented, highly regular, technical systems. If you think about it, an asset assessment that gives you a loss expressed down to single dollars should be taking pocket change into account. However, day-to-day security management has neither that kind of stability nor the data, and there are simply too many variables for that kind of accuracy. The ESRM system should work in broader strokes than the CSO might initially be comfortable with, but that will help remove some of the uncertainty and simplify the assessment and reporting process while still producing useable results.</p><p>Second, information overload is not just something we can experience, it is also something to which we can contribute. Security should therefore avoid swamping the overall ERM system with too much data. Too much information from each department will overwhelm the ERM system and cause paralysis at the organizational level. The risk management system should specify where a departmental risk is severe enough to become an organizational risk and needs elevating, and this should be mirrored in the ESRM system. Again, using broad strokes will also help get the point across as to which risks are a priority without having to overwhelm the senior leadership with every possible security concern.</p><p>In both cases, technology can make things more efficient, but if care isn't taken when designing a technical solution, managing the risk management system can become a major task in its own right.  As mentioned earlier, security managers are not looking for more work to fill their time, so whatever systems are used must be robust, simple, and effective. Even with IT, KISS is still important.</p><p><strong>Summary</strong></p><p>ESRM is a welcome initiative that will embed security management more thoroughly into organizations, add much-needed objectivity to decision making, and improve resilience. However, a tendency towards making ESRM too specialized, or trying to have the CSO lead too much of the overall risk activity, will likely be counterproductive. However, taking a KISS approach will help achieve the overall aim of integrating security into the broader ERM framework while also avoiding these pitfalls. Even within the security function itself, a risk-led approach will provide much-needed coordination between security functions because it gives CSOs and their teams a common language. Although a highly complex, granular system may seem attractive, taking a KISS approach is going to be more straightforward to implement when CSOs and their teams are already working close to capacity. Once the basic ESRM system is in place, the tinkering can begin.</p><p>Whatever specific approach is taken, adhering to the four principles outlined above—use a standard approach, start speaking risk, become objectives-led, and accept uncertainty—<a href="https://riskademy.co/2017/08/16/integrating-a-risk-management-system-into-your-organization/" target="_blank">will help implement an ESRM system</a> that allows the organization to better understand security risks, integrate these into the wider ERM program, and ensure that the security team takes a risk-led approach. </p><p><em>​Andrew Sheves has been a risk, crisis and security consultant for more than 15 years following several years in the military. Both careers have given him the opportunity to find out the hard way that a KISS approach is usually better. He runs the risk consulting firm Tarjuman LLC and operates the </em><a href="https://riskademy.lpages.co/esrm-general-landing-page/" target="_blank"><em>Riskademy</em></a><em> online training school which contains additional information on many of the concepts and ideas outlined above and offers a free introductory course on risk management. He is a member of ASIS.​</em></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Beyond-the-Active-Shooter.aspxBeyond the Active Shooter<p>​Tragically, school shootings are so common that only the most violent and singular capture more than brief attention in the media. One that stands out is a Seattle-area shooting this fall at Marysville-Pilchuck High School that left five teens dead. Fifteen-year-old freshman Jaylen Fryberg opened fire on five fellow students at a cafeteria table on October 24, 2014, with a .40 caliber Beretta, then took his own life. Four of the five victims died of their wounds. Two of the students, one of whom is the sole survivor, were cousins of the shooter. The other three victims, all 14-year-old girls, were friends of Fryberg. He had texted them all inviting them to the lunch table minutes before firing the shots.​</p><p>Several details surrounding the shooting appear anomalous when it comes to school violence, according to experts. Fryberg was a well-liked football player. He was voted homecoming prince just a week before the shooting. In most similar incidents, the perpetrators had been bullied, had a history of violence, or were otherwise isolated from their peers. But Fryberg shot and killed his own friends and family, not anyone who had knowingly caused him pain or suffering. </p><p>An investigation is still ongoing, and there are more questions than answers when it comes to what sparked Fryberg's actions. But the unpredictability of the Marysville-Pilchuk shooting highlights the imperative that schools take a broad approach to safety and security to prevent future tragedies. This article looks at what one school in Weld County, Colorado, is doing to ensure it can rapidly communicate with law enforcement during an active threat. Then, experts discuss how administrators can involve faculty, students, and even parents in a multipronged approach to safety and security. </p><h4>Technology Meets Policy</h4><p>Weld County School District RE-3J in Colorado encompasses 480 square miles along the I-76 corridor that runs through the center of the state. Just five communities occupy this rural area, and only one has a local police department. The community that the high school is located in, Keensburg, does not have stationed law enforcement. "We're dependent on the Weld County Sheriff's Department to be our first responders, and they are located many miles away in Greeley, Colorado," says Greg Rabenhorst, Weld County Public Schools superintendent.  </p><p>The distance makes response time in an emergency crucial at Weld Central High School, home to approximately 640 students and 40 licensed faculty and staff. It also means policies and procedures must be in place so that students and faculty can respond appropriately. </p><p><strong>Response protocol. </strong>The district has worked diligently at establishing safety directives with its students and faculty, according to Rabenhorst. For many years, each building in the school district had its own set of policies and procedures for responding to an incident. But in 2009, the district decided to standardize its response protocols across all schools. It went with those established by the I Love U Guys Foundation, a national nonprofit school safety initiative founded by John-Michael Keyes. Keyes started the initiative after his daughter was taken hostage by an intruder at her high school in Platte Canyon, Connecticut. The last thing she texted her father, after he asked, "R u OK?" was, "I love U Guys." The intruder eventually shot and killed Emily and himself. </p><p>After this tragic event, Keyes began evaluating the way in which schools across the country were equipped to respond to similar crises, and he found that there wasn't a common language among administrators, staff, and students, according to the initiative's website. He began the foundation in 2007 with the help of a 17-person review board that included members from school administrations, nonprofit organizations, government entities, and law enforcement. </p><p>Keyes spoke to Weld County administrators about the foundation in 2009, and they moved to adopt the foundation's protocols across the entire district. The idea is that simple, effective procedures are in place that can be activated at any time by an announcement over the public address system instructing students what to do. The protocols include response procedures for lockout, lockdown, evacuate, and shelter-in-place and are used by more than 5,000 schools throughout the country.</p><p>"You don't want something really complex and difficult in the middle of a crisis, and so it needs to be something that is simple yet effective," says David Miller, principal at Hoff Elementary, another school in the Weld County district.  </p><p> The school district regularly conducts each type of drill throughout the year, and Rabenhorst says the lockout system has actually been activated in a few cases at certain schools. During a shooting at Arapahoe High School near Denver, Colorado, in December 2013, school authorities put the entire district on lockdown. "We didn't know enough about the situation to know what was going on," says Rabenhorst. "You don't know if it's just isolated at that school or across the state." </p><p>In the case of a drill, he notes there's no need to inform parents, because "they expect that they're going to occur with some level of frequency." However, in the case of the lockout procedure that was conducted during the Arapahoe shooting, an automated phone message was sent to all parents' phones to let them know what had happened. This phone system is used to communicate critical messages to parents. </p><p>Rabenhorst says if it weren't for students bringing the information forward, the threats might not have been addressed properly. "We encourage kids to talk, if they hear something that's not right or of a threatening nature of any kind and our kids are doing it," he notes. They also have antibullying programs at all schools, and a hotline number posted where threats or concerns can be anonymously reported.  </p><p>Weld County conducts quarterly safety committee meetings, which are attended by administrators from all six schools, as well as local law enforcement representatives. It also has a districtwide resource officer who spends most of his time at the high school, Rabenhorst notes, and administrators invite him to observe any of the drills that take place at all the campuses. At the meetings, participants go over how drills have been going, as well as any recent developments in school security. For example, the Fryberg shooting in Seattle was a topic at a recent meeting. The grim reality of this shooting led Weld County to review its reunification plan, which is the procedure for reuniting parents and students if a school is evacuated. "What's really important is that we have procedures in place; that you know where you're going, how you're going to communicate where you're going, and that you have... student rosters and contact information," says Rabenhorst. </p><p><strong>Alerts.</strong> While Weld County puts significant effort into its safety and security policies and procedures, the district also wanted to implement a technological solution that could help in the case of an active shooter or related threat. Toward the beginning of 2014, the district started looking into technologies for the high school that might help with this type of emergency response, especially given its distance from the nearest police station.</p><p>One security concern for Weld Central is that it does not have secure entrances, meaning that the school's front doors are unlocked during regular school hours. Rabenhorst says that this is a community choice designed to maintain a more welcoming, open environment. Weld Central does require that visitors check in upon arrival at the school and clearly display their badges. It also conducts background checks for volunteer parents. </p><p>Having unsecured entrances led the school to look for a technology that could guard against an intruder. During the quarterly safety meetings, it also considered the threats that face schools from the inside as well. "We looked at what funds we thought we could allocate for safety and security enhancements, and reviewed what options we had, and we decided that BluePoint was the option we wanted to go with at our high school." </p><p>The BluePoint Alert System works much like a fire alarm. Small blue boxes are mounted throughout the school, and they can be encased in plastic, that lifts easily, to protect against accidental deployment. The system communicates over commercial-grade wireless communication technology and equipment provided by Inovonics. In the event that law enforcement response is required, the clear casing can be lifted off the box and a lever pulled down, setting off an alert at BluePoint's central monitoring station, which subsequently contacts law enforcement. BluePoint has five such stations across the country, all of which operate around the clock. The stations also incorporate redundant systems, including those on the power supply, computer networks, and communications systems.  </p><p>At the same time the alert goes to BluePoint, a phone call is automatically routed through the monitoring station to police dispatch, connecting law enforcement to the school's main phone line so administrators can give additional details on the incident. If no one picks up at the main number, the school's predefined list of numbers to call will be dialed until a person is reached. Generally a principal's cell phone number is included in that contact list, and mobile numbers are called first during after-hours emergencies. </p><p>When the system is deployed, a prerecorded message automatically broadcasts on the school's public address (PA) system, which contains instructions for the lockdown procedure. The wall-mounted units also feature strobe lights, so that in a noisy environment, such as a gym or cafeteria, students and faculty who can't hear the PA message will still know a threat is imminent. The schools hope that a broadcast message in a familiar voice, combined with the strobe lights, will generate less panic than a siren or other type of alarm going off. The strobe lights are also posted on the exterior of the school so anyone outside would know not to enter the building. </p><p>The BluePoint Alert System features a mobile component in the form of a pendant that can be worn by teachers. Weld Central has 12 such pendants, which have been distributed "strategically" among the staff, according to Rabenhorst. These buttons are useful for outdoor and after-school activities. "Some of our staff have them for outdoor PE, so if they're outside and something happens they have access to the notification system," he notes. Pushing the button on the mobile pendant is equivalent to pulling any of the mounted BluePoint levers, sending the same signal to law enforcement and activating all the same protocols.</p><p>The system can also be tied into the IP addresses of any cameras the school may have, and Rabenhorst says Weld Central plans to tie its cameras into that system in the near future. This feature would automatically pull up video from the school for law enforcement when the alarm is deployed. The same feature is accomplished by pressing the emergency button on the mobile pendants. </p><p>Weld Central installed the system in September 2014, right as the school year was beginning. The school has since held training sessions for teachers and students so they know when and how to use the technology. Rabenhorst notes that the district had enough funds to equip only one school with the BluePoint Alert System. Determining where the system could do the most good, Weld Central chose to install the technology at the high school. But school officials hope to deploy the technology at other schools in the district in the future. </p><p>Rabenhorst says the BluePoint Alert System has created an added sense of security for students, faculty, and parents. "This just helps to let them know that we take it seriously and we're willing to put in various features to help strengthen our security," he says. ​</p><h4>The Human Factor</h4><p>As demonstrated in the case of Weld Central, technology can play an important role in school security initiatives. But experts encourage broader programs that include security assessments, regular drills, and a mental health component to foster environments where students feel cared for, and encouraged to report potential hazards. </p><p><strong>Safe environments. </strong>The Seattle-area shooting leaves many lingering questions about why Fryberg would kill his friends and family, and turn the gun on himself. But bullying does not appear to be a factor in that case, leading some experts to urge that looking at the overall climate in schools may go further toward preventing violence than simply dropping in antibullying measures.</p><p>"We always say that if it's a school shooting, the shooter had to have been targeted, and they had to be targeted specifically," says Barbara Coloroso, an author and advocate of antibullying programs. "And that's a myth." She says this myth can lead administrators and even parents to look for the wrong cues when it comes to preventing school violence. Instead of paying special attention only to students who are the victims of bullying, schools must foster a "community of caring" in which all individuals feel their needs are being met. </p><p>"What went wrong with this boy will probably take a while to figure out. And it's interesting that the news will jump right away to, 'oh well probably he was bullied,'" says Coloroso. "But we have to look at it as much more complex, just as we have to look at security in our schools as a much more complex problem that's going to require a complex and in-depth solution." </p><p>She points out that there may have been a disproportionate response at Marysville-Pilchuck, when Fryberg was suspended for physical violence toward another student who had apparently called him "something racist," according to a student witness. Police won't reveal any details about the other student involved, but Coloroso says the school's disciplining procedures must be fair and consistent, and separate bullying from everyday conflict. </p><p><strong>Mental health.</strong> Mental health care is another important factor in establishing safe and secure educational environments, says Carolyn Wolf, an executive partner in the law firm of Abrams, Fensterman, Fensterman, Eisman, Formato, Ferrara & Wolf, LLP. "There has to be training for individuals to be sensitive to it, to understand when a kid says, 'I'm upset,' 'I'm depressed,' or 'I'm thinking of hurting myself,' that somebody takes that seriously and acts on it," she says. </p><p>Wolf, who is director of the firm's mental health law practice, advises schools, college campuses, and workplaces on their approach to violence prevention. She says mental health is a key component to preventing school shootings, but that each time another shooting happens, "the conversation starts, but it doesn't continue, and we just keep learning the same lesson over and over." Many investigations of school and campus violence end up pointing toward individuals who were plagued with mental health issues but did not receive the care they needed, such as the Virginia Tech and Sandy Hook shooters. "There still is a significant stigma associated with mental illness or needing mental health treatments," says Wolf. She points out that it's difficult for parents to admit their child may have a mental illness, but getting the student help while he or she is still a minor can go a long way in preventing tragedies. </p><p>Wolf recommends that schools put more funding toward their counseling programs, as well as training and educating staff about the signs to look for in students who could pose harm to themselves or others. Schools that have set up threat assessment programs and kept them funded, as well as provided services for families who indicate that their loved ones might need mental health care, have seen success, she says. </p><p><strong>Preparedness.</strong> Ken Trump, president of National School Safety and Security Services in Cleveland, echoes the sentiments of Coloroso and Wolf, advising that active shooter training be balanced with other types of programs. By focusing too much on shooting scenarios, schools might miss critical steps and signs when evaluating other threats. "We're finding schools that, because they have that tunnel vision focus on the active shooter, they're missing critical day-to-day training and awareness and focus on day-to-day issues," he says, such as students who are sent home with parents who don't have legal custody. He adds that more schools need to greet and challenge strangers walking their hallways, rather than assuming their presence is authorized.</p><p>Trump recommends that schools "diversify" their drills by altering the times. Some drills should occur at the beginning of the day when most threats tend to manifest themselves, or in the middle of a lunch period. That way, students are kept on their toes and ready to respond no matter what time an incident happens, he says. He notes that even when schools do implement drills, they often compete with other professional development priorities. Trump says that getting drills on the school calendar early is key, as well as conducting at least annual security assessments to keep safety at the forefront of school administrators' minds.</p><p>He points out two school districts that accomplished this and diversified their drills in a simple, cost-effective manner. "The superintendent and assistant superintendent would conduct unannounced visits to schools in their districts, along with their local law enforcement agency partners, and tell the principal upon their arrival to announce a lockdown drill immediately," says Trump. He says this kind of drill was over in less than 10 minutes and everyone was debriefed within 15. They then came up with a list of things that worked well and those that could be tweaked the next time.</p><p>Trump is a proponent of basic security threat assessments that start not with technology but with people. "Engaging your students is a part of that. Empower them to see what they consider to be their security concerns, and they might point out things that are a lot simpler than what [adults] come out with." He notes there have been schools who have students on their school crisis teams. They give the kids a clipboard a couple times during the school year and have them do a school safety assessment from the perspective of the students. "Oftentimes kids identify both gaps in school safety, as well as relatively simple and cost-effective solutions, that adults may never think of," says Trump. ​</p><p><br></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/active-shooter-response-training-manual-0013285.aspxActive Shooter Response Training Manual<div class="body"> <p>School districts and administrators have reacted to school shootings in various ways. Some have addressed security measures and developed plans to involve law enforcement in the continued operations of educational facilities.</p> <p>Author Scott M. Hyderkhan draws on his military and law enforcement experience to create a well-researched, step-by-step guide for encountering an active shooter and coordinating an after action plan. This book does an exceptional job of identifying many scenarios—with varying threat levels, causalities, breaches, movements, and maneuvers—that responders may experience. The author places a strong emphasis on continued training, which cannot be overstated. The reader will come away with a greater appreciation for procedures and teamwork.</p> <p>Hyderkhan’s concise writing style doesn’t overwhelm the reader with superfluous police jargon or complex issues. His book is well-stocked with diagrams that explain movements and individual responsibilities. As an added bonus, the author has included a supplemental compact disk, which contains training videos and PowerPoint presentations.</p> <p>This book is primarily written for military and law enforcement personnel and contains sensitive material. Nevertheless, those in private security will be able to use it as a resource for in-house training.</p> <div style="border-width:medium medium 1pt;border-style:none none solid;border-color:-moz-use-text-color -moz-use-text-color windowtext;padding:0in 0in 1pt;"> <div style="border-width:medium;border-style:none;border-color:-moz-use-text-color;padding:0in;margin:0in 0in 0pt;"> </div> </div> <div style="margin:0in 0in 0pt;"> </div> <div style="margin:0in 0in 0pt;"> <span style="color:#800000;"> <strong>Reviewer:</strong> </span> Dr. Brian L. Royster is an assistant professor at Saint Peter’s University in the Criminal Justice Department. A former state trooper, he is a graduate of the FBI National Academy and a member of ASIS International. </div> <p> </p> </div>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465