Security and Business Continuity Dashboard Tips
June 4, 2010
In a recent article written by Derek Slater, and posted on the CSO: Security and Risk website, we are offered a baseline model of a dashboard made up of a collection of key feeds that could affect the security and continuity of your organization.
Many of our readers have requested information on how to streamline the process of staying aware of information and current developments relevant to their responsibilities to meet their organization’s IT and physical security, business continuity and disaster preparedness requirements. We hope this information will satisfy at least some of those requests.
Click here to check out the new CSO Daily Dashboard and read more of Derek Slater’s article for more ideas and tips that with some modifications may work well for your own organization.
Please pass this information along to those individuals in your organization who are responsible for information technology security, physical security, continuity management, business risk assessment and disaster preparedness.
Can you share any of your ideas regarding modifications, additions, or changes to the CSO Daily Dashboard that you would like to see implemented?
Remote Office Advice for Risk Management Teams
May 21, 2010
To assist the rapid response capabilities in the event of a business disruption, many disaster recovery and risk management team members are recommending a remote office component to their Incident or Emergency Response plans for their organizations. And, in some cases, the entire home office concept is working very well on a regular basis for some organizations more interested in the virtual organization model for their business.
In either case, we recommend that those risk assessment team members refer to a list of “Home Office Safety Tips” from the National Crime Prevention Council (NCPC) that was published recently on the Security Products magazine’s website.
American Idol and Preparedness Issues
May 12, 2010
by: Lisa DuBrock and Don Byrne, Contributing Writers
Over the past six months businesses and communities have been forced to deal with an interesting variety of challenges from underwear bombers and exploding volcanoes to an oil spill that threatens to devastate small coastal towns over a four state area. Now another small community – Mt. Prospect, Illinois — is faced with yet another new challenge – American Idol!
Mt. Prospect is home to Lee DeWyze, who will be returning to the Chicago area on Friday, May 14th. Starting with an appearance on “Good Day Chicago”, Mr. DeWyze will spend the day giving local interviews, visiting an AT&T store and speaking at schools. The day will end with a motorcade beginning in Mt. Prospect, Illinois, finishing at the Arlington Park Racetrack in Arlington Heights, IL, where DeWyze will be part of a free concert.
How should a working community (est. average family income is $67,946), with slightly over 53,000 people be prepared for the celebrity challenge of American Idol? Is there a crowd control element that needs to be addressed? These are just some of the questions asked of our team of preparedness and crisis management experts. The following “American Idol Fans – Crowd Management Checklist” was the result.
We wish Mr. DeWyze, Mt. Prospect, and everyone involved with this event a safe and enjoyable time!
American Idol Fans – Crowd Management Checklist
Event Planning
A safe and secure event begins with good planning. Questions to be asked at the outset include:
What are the core activities that comprise the overall event and what are the safety and security implications of each? Here are some examples:
- Is the Chain of Command, especially across different departments and agencies (fire, police, event management, etc.) clear and documented?
- Are the duties and responsibilities of each group clear?
- Is there a system in place that allows event managers to communicate with each other?
- Is there a well publicized and detailed timetable of the various activities including their location, how to travel to and from the event, and a discussion of what to do if weather or other factors cause a serious delay or cancellation? This is especially important if refunding of ticket purchases may be involved.
- Is there sufficient support equipment available to service the needs of the anticipated crowd?
- Will the Media be given special access and setup space for the event? If so, how are their power requirements going to be met and is there a secure area for mobile TV and Radio station equipment?
Event Location and Travel Routes
Will there be a parade or motorcade? (Mt Prospect plans a motorcade.) If so, arrangements must be made to re-route business traffic that would normally use the roads in and around the parade route. Notice must be given to these businesses so as not to disrupt the supply chain of goods to and from local businesses. Other considerations:
- How will access be provided to emergency vehicles if they are needed?
- Will concession stand vendors (e.g., those serving food) have special ingress and egress?
- How will any performers be moved to and from the event? Car, van, bus, helicopter, etc.?
- Where will the performers be housed? When will they arrive and depart – all this information needs to be in the hands of the event planners so notice can be given to the police department and other security groups.
- Parking facilities should be clearly labeled and if these are not directly adjacent to the parade/motorcade route, then shuttle transportation should be available.
- What type of crowd is expected? Will the event attract families with young children and seniors, or are teenagers, motorcycle enthusiasts, or anarchists protesting the G8 while discussing the latest repartee between Ryan Seacrest and Simon Cowell expected? In the former case, perhaps additional handicap and special parking space and additional restroom facilities should be provided, and concession stands alerted to the make-up of the crowd so they can provision their kiosks appropriately.
- Will alcohol be permitted and sold at the event?
- If there is a parade/motorcade, where will it end? This is an important consideration because people may need transportation back to their parking locations. If the crowd doesn’t immediately disperse, are there food, drink, and entertainment facilities that can occupy them?
- Are there “feeder” events earlier in the day that will set the tone for the final activities? If so, are these ones that are likely to get the crowd’s adrenaline pumping or will the mood be mellow? The attitude of a crowd after a football game with a rival team is much different than after a flower show or Oldies Concert!
Physical Surroundings and Weather Conditions
The setting has much to do with establishing the character of the event. For example, will the event(s) be held indoors or outside? Are tickets required or is this a free event? What are the expected weather conditions? All these factors will impact the size of the crowd, their mood, and how long they will linger after the event finishes. Here are some additional items to consider in the context of the venue and weather conditions.
- If the event is being held indoors, how will crowd movement be managed? Will people be expected to exit from the same direction they entered or will they be routed in a different way to their vehicles/transportation? In either case, good signage is a must!
- Does the setting have any type of public address system for making announcements to the crowd? One key lesson learned when dealing with large scale events is that keeping the crowd advised of delays and the reason for delays helps control tempers and the frustration that builds in the absence of information. Such announcements also help squelch rumors, which can ignite unwanted behavior.
Security and Safety
While local police officials have overall responsibility for the security of the event, many events will involve the use of untrained or slightly trained security personnel. Here are some things to consider when planning for the safety and security of all attendees.
- The visible presence of police and security personnel can do much to set the tone of the event. Stationing police in full riot gear regalia around the periphery of the event sends a very different message to the crowd than having volunteers in brightly colored T-Shirts or jackets emblazoned with the words Event Management walking around the area.
- Will private security be present? If so, their plans should be shared with the local police and all activities coordinated. This information-sharing arrangement should be part of the permit process and contract procedures agreed to by the local authorities, the venue provider, and the event promoter. If performers are involved who have their own security, the plans for moving these individuals to and from the event must be coordinated with local authorities.
- Will there be a crowd-screening process? Some level of screening will take place if tickets are required, but even at open events, some review of the crowd to weed out people who are intoxicated, inappropriately dressed, or display other provocative behavior should be considered. In all cases, if intervention is called for, the goals should be to isolate and remove those involved quickly and with as little disruption as possible from public view.
- Local ordinances (example: “No open container alcohol permitted!”) and codes of conduct (“No bare feet.”) should be prominently posted along with other safety codes.
- The integrity and privacy of neighboring property should be respected.
Roles of the Performer and Promoter
Each performer should be briefed on his or her role in contributing to a safe and secure event. This responsibility should be made clear in the contract between the venue and the promoter who then has responsibility to convey this information to the performer(s).
While we can’t predict who the next American Idol will be, we can say with confidence that if the guidelines above are followed, whoever wins will be able to focus on performing and not worry about concert safety or security!
Source of information on Lee DeWyze’s trip to the Chicagoland area: www.journal-topics.com
New Survey Results Claim Security Expertise Not Enough for Successful ESRM
April 14, 2010
In April, the CSO Roundtable of ASIS International released the results of a comprehensive survey of its members and of the ASIS membership. The survey was meant to demonstrate some level of understanding that the security industry has concerning the adoption of an “Enterprise Security Risk Management” (ESRM) methodology.
The survey, conducted in the fall of 2009, asked for information regarding at least the following areas:
- What risks were the most challenging?
- Where did organizational support for ESRM initiatives come from?
- Which business elements of an organization were included in ESRM?
- What was security’s role in the ESRM process?
- Who has ultimate responsibility for risk in the organization?
More than 80 Chief Security Officers, and more than 200 other ASIS members from around the world, responded to the survey.
One of the major findings from the survey was best expressed by Timothy L. Williams, CPP, Dir. of Global Security for Caterpillar, and a member of the CSO Roundtable Advisory Board, when he stated, “We learned that traditional security issues are rarely the ones that keep security professionals awake at night; instead, risks such as database theft, network failure and economic problems are top concerns. We discovered that most CSOs and, indeed, nearly half of non-CSOs, are already deeply involved with evaluating and mitigating non-security risks in their organizations.”
Another survey result claims that CSOs reported the greatest non-security risk they face is the downturn of the economy, followed by business issues such as competition and regulatory pressures. More than half of the CSOs surveyed said they and their security departments were involved in researching, prioritizing, mitigating or evaluating these non-security risks.
Additionally, survey results also indicated that the vast majority of security professionals believe that excellent business management, leadership and communication skills—not security expertise—are the traits that will lead to success in ESRM.
If any of these questions listed above or results stated above appear to reflect similar behaviors in your organization or even a basis for how security standards are established in your organization, then please pass this information along to those internal information security and risk management team members or perhaps, outside security consultants, who are responsible for establishing and maintaining a level of enterprise security risk management most appropriate to your organization.
Click here to read the full report.
New Identity Theft Affects 3.3 Million Borrowers
April 1, 2010
In a recent article written by Mary Pilon and published by the Wall Street Journal, it was reported that names, addresses, Social Security numbers and other personal data on borrowers were stolen from the St. Paul, Minn., headquarters of Educational Credit Management Corp. (ECMC), a nonprofit guarantor of federal student loans, during the weekend of March 20-21, 2010.
It was also reported that company and federal officials said they believed last week’s theft of identity data on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowers.
Of some significance is the fact that this was not an IT related breakdown of information security policy or procedure. As stated and cited in the article, ECMC spokesman Paul Kelash remarked that, “…It was a simple, old-fashioned theft. It was not a hacker incident.”
This article is a hard reminder to our internal physical security and risk management team members to not overlook the need for constant monitoring and ongoing improvement to both corporate physical and IT related security policies and procedures.
Click here to read the entire article.
Recent Gun Rights Advocacy Stances Should Be On Corporate Security Radar
March 10, 2010
Business continuity management team members must work very closely with their fellow internal corporate security team members concerning the recent activities and demonstrations by those supporting the “Open Carry” movement. While we recognize that, on the surface, it sounds less like a traditional security issue than a politics/NRA/Second Amendment topic, it certainly has the potential to develop into a real challenge for corporate security managers in companies across the United States.
This topic was addressed very well in a recent article written by Geoff Kohl, Editor-in-Chief for the SecurityInfoWatch.com website. While this topic has been debated for some time now, Mr. Kohl was motivated to write his article based on the fact that the open carry movement was now moving forward with demonstrations to more strongly express its principles on this matter. This fact was clearly brought to his attention in an article published by The New York Times, on March 7, 2010 and titled “Locked, Loaded, and Ready to Caffeinate”.
The bottom line is that for the corporate security manager, this movement may well have direct implications. Certainly the presence of policies about guns on the premises of the business is just one of the issues that must be faced. Then there is the difference in those policies between employees and customers on the premises. In addition, the fact that Federal and State laws may well be in conflict with OSHA requirements to maintain a safe work environment is still another concern.
We believe that this issue is an important agenda item for all corporate security manager meetings. And, in the event that further analysis may determine that a potential business disruption may occur from this issue, then this item should certainly be elevated to be discussed by all business continuity and risk management team members as well.
Click here to read Geoff Kohl’s complete article.
International Disaster Preparation and Prevention Guide Provided by ASIS
March 2, 2010
As a response to some of our readers’ inquiries, and to offer assistance to the managers and members of business continuity and disaster preparation and prevention teams, we suggest that you become familiar with a disaster recovery preparation and planning guide that was released several years ago by the security specialists’ organization called ASIS. Even if you have to update some of its materials to a 2010 level, this guide is full of valuable BC, DR and security related information.
The guidelines, self-assessment questionnaires and general security and disaster recovery directed information can also be a great addition to an organization’s business continuity plan as well as a valuable reference resource for that organization’s BC and DR related reading library.
Some of the related information in this guide has been edited from materials provided by the American Red Cross and the Department of Homeland Security.
As stated in this guide, “With a little planning and a lot of common sense, we can all be better prepared to face the unknown”.
CLICK HERE to read the entire report.
Preparedness and Situational Awareness New Culture of Corporate Security Plans
February 10, 2010
In a recent article written by Leischen Stelter, and posted on the Security Director News website, a strong case was made that detecting terrorism activity is everyone’s responsibility. This is a message that our business continuity and preparedness teams need to stress and convey within the business continuity plans of their organizations; more importantly, they need to train employees and associates on how to look for and recognize suspicious persons and behaviors.
In this article, Larry Barrett, member of the DHS Office of Bombing Prevention, estimated that “…85% of the U.S. nation’s critical infrastructure is controlled by private corporations.”
Much of the message of this article also comes from the information provided in a recent workshop titled “The Private Sector Counterterrorism Awareness”, sponsored by the Department of Homeland Security (DHS) and hosted by the Maine Emergency Management Agency (MEMA).
Since it has been found that most private companies do not include the potential for terrorist attacks, secondary hazards, and entrapment devices in their business continuity and security risk management plans, we recommend reading this article to better understand if and how your organization must consider these risks before completing its plans.
CLICK HERE to read this article.
Physical Security and IT Security Convergence: Myth or Reality
February 9, 2010
With so much emphasis today being placed on the need for cost reduction(s) in organizations, the topic of evaluating, implementing and executing plans for potentially integrating elements of IT and physical security is often raised as a primary way to eliminate redundancies and lower expenses. However, we believe a strong element of caution is warranted before this step is taken.
If your organization is considering this option or if your company is too small to have separate departments (i.e. CSO vs CIO) handling physical security and IT security, then a recent article written by George Campbell and posted on the Computerworld website may be worth reading.
This article presents a logical reason for concern for anyone getting caught up in the convergence process for convergence’s sake and for cost reduction motives only. Mr. Campbell clearly states that “…Convergence of bits of techie stuff is NOT converged corporate security!” And, he suggests that the convergence debate should seek an appropriate mix of IT services to support and not diminish the stated goals and objectives of the total corporate physical security function.
Without such a level of sensitivity by IT to the needs of the total physical security system requirements, an organization can too easily ignore the needs of other elements in the total security family – i.e. background vetting, due diligence, incident investigation, fraud risk management and safety, compliance and crisis planning and management functions, etc.
In one of the examples stated in the article to stress his point, Mr. Campbell states his concerns that while the IT brethren sweat bullets fixing a cyber attack, all too often they can and do trash evidence critical to the incident investigation process necessary to perform a proper cyber investigation report as it may relate to and include physical security processes and procedures.
If your organization is in the middle of such a debate to converge or not to converge your IT security and physical security functions within your organization, then, we believe that this article is worth reading and adding to your library of reference materials and links on this topic.
CLICK HERE to read the entire article.
February is Earthquake Awareness Month for Missourians
February 1, 2010
When most of us think of earthquakes, we do not usually think of Missouri – yet – this month of February is Earthquake Awareness Month in Missouri. This time has been chosen to provide critical information to Missourians about earthquakes in the New Madrid Seismic Zone (NMSZ).
The fact is that many Missourians experience small earthquakes weekly.
The NMSZ, located in southeastern Missouri, northeastern Arkansas, western Tennessee, western Kentucky and southern Illinois, is the nation’s most active seismic zone east of the Rocky Mountains. The fault cuts across the Mississippi River in three places and the Ohio River in two places. More than 200 small earthquakes occur in the zone each year.
So if your company is located in this seismic zone, you most certainly should be serious about implementing either a business continuity, a disaster recovery or a risk management and preparedness plan as soon as possible for your organization.
As one of the first steps in finding the resources you would need to develop such a plan, your company should visit the various Missouri governmental department websites, which now offer events, information and resources to help your organization prepare for such a potential disaster.
The Missouri Department of Natural Resources, the State Emergency Management Agency (SEMA), the Missouri Seismic Safety Commission, and others will take part in a number of public activities to provide: scientific data about the New Madrid Seismic Zone, mappings for risk assessment, updated potential earthquake risks for citizens, and geologic information about the basics of earthquakes.
We recommend that you have your organizational risk management teams and employees read a recent article posted on the Environment infoZine website (CLICK HERE) and go to the following website for more related events and information: http://dnr.mo.gov/geology.







