Category Archives: Risk

NSA Hearings on the Hill

Posted on by
Reply

NSA is answering questions this morning about their mega data collection of phone call destinations, before the House Intelligence Committee.

Having worked with NSA for years, I decided to watch the hearings and hear what General Keith Alexander had to say.   Of course, I have a family history with congressional hearings.

For myself, I’m in total agreement with NSA that they should be LISTENING, COLLECTING and ANALYZING intelligence so we can know what is happening all over our complex world and be in a position to prevent catastrophic attacks by those terrorists using their religion like a free pass to kill, maim and attack.

My father died over ten years ago, but one of my favorite memories of him is that is, while he was suffering from cancer, he never missed a Congressional hearing.  He sat with a TV Tray in front of him, with a stack of monogrammed notepaper, envelopes and stamps.

As the hearings progressed (I especially remember him watching Iran-Contra), he would write to each of the congressmen and senators, telling them how he judged their questions, writing to them about mistakes he thought they made.  This was true democracy in action.  From his pen right to the powers-that-be.    And he took his responsibility in this very seriously.

I hope everyone starts watching, learning and taking their role in our democracy as seriously!  An attention-seeking junior technician is having his 5 minutes of fame, and I
hope that the great work of the US intelligence community is not going to be slowed down
or damaged by his thoughtless disclosures. He should start writing letters to HIS elected representatives.

 

The Active Shooter Threat – What’s the Right Response? Run Out or Lock Down?

Posted on by
Reply

I got to sit in on a security group discussion yesterday.  It includes both security directors and local law enforcement and It was interesting to see how both groups approached the active shooter scenario differently.   Which way is the best?  Is there a best?
For law enforcement officers at both the state, city and county level, they want all doors to be unlocked so that all the occupants of a facility, or a hospital, can get out and run for safety as quickly as possible.   They say that means more people will survive, not get shot, and it works with the natural human reaction to run away from danger.

Some of the active shooter experts in the room said that active shooter situations should be treated like fire drills, because people are used to fire drills, and they know what to do, because they practice fire drills more frequently than active shooter drills.

For the Security Directors, especially of hospitals, they wanted to be able to lock down if there was an active shooter call in their facility.  They felt that there were problems in evacuating quickly, and some were concerned about leaving bed-ridden patients behind while the clinical staff run out of the building.  So they advocated locking down all doors instantly.

While the heated discussion continued for almost three hours – at the end there was no
“BEST” solution.  Each Security Director or Manager will have to decide for themselves which approach is right for their organization.  The important thing is to think it through in advance, prepare people in advance, and take advantage of the great materials that are available to help organizations prepared.

Get more information including videos, training materials, on line courses and more at
http://www.dhs.gov/active-shooter-preparedness.

 

 

 

Lack of Security Risk Assessments cited as Contributing to Benghazi Embassy Attack

Posted on by
Reply

Just two weeks ago, we were talking about the lack of coordination between DHS agencies and known intelligence on the brothers responsible.

Now we have the Benghazi Senate hearings, and here is the same problem again – lack of coordination between different parts of the State Department, and with the Defense Department, AND with the CIA and the intelligence community.

Add to this, the appalling cuts in funding for diplomatic security, and a flawed process about what needs to be done about security and protection to our embassies around the world.

“In these tight budget times, the committee has had to make some tough choices to prioritize funding.”, said a GOP aide in The Hill article (GOP cuts to embassy security draw scrutiny), by Alexander Bolton on September 18, 2012.   In spite of the uncertainly of the Arab Spring, the demonstrations every Friday in streets from Bahrain to Tunesia, the embassies had their budgets cut.

Of course, security experts are used to this, security doesn’t directly generate revenue, and it is often one of the first functions on the chopping block.  However, to cut funding to the critical embassy functions in this volatile environment, is obviously a very bad decision on the part of the GOP.

For example, the security risk assessment which are routinely done on these embassies are not done on a systematic basis.  As a risk expert, these security risk assessments should be done WEEKLY, and they should be automated so they can instantly be compared to environments in other embassies, and comparisons made by month, by year, and trends can be tracked.

If we can’t afford to do these assessments and just as important, if we can’t afford to fix the problems that assessments reveal, then we should not have embassies in these places.

The security risk assessments that are done properly must also include complete threat assessments.  ”We need to develop a paradigm for managing risk“, said Gregory Hicks, a Foreign Service Officer who testified today on Capitol Hill.

These paradigms for managing risk already exist and they have been totally ignored by the State Department, which makes it almost impossible to get a clear, unfiltered view of the security situation at any embassy, at any point in time.

At least both sides of the political aisle agree, we do not want this to happen again!  Benghazi is not a political problem, it is a massive security failure problem!

 

3 Cleveland Women -The New Front Line of the War on Women

Posted on by
Reply

For the past 4 days, media attention has been focused on the three Cleveland girls who were abducted close to their homes and kept as prisoners in an old run-down house with neighbors on all sides.

NOW, neighbors tell how they broke down the door to free the women, the little 6-year old girl who came out with them, presumably the child of their abductor, and stories of screams coming from the house over the LAST TEN YEARS.

Besides the obvious curiosity about how they are, how this happened, how they were subdued for so long, and all the salient details, my question is WHY DID THIS HAPPEN, AND WHAT DO WE NEED TO CHANGE TO MAKE SURE IT NEVER HAPPENS AGAIN!

As a security analyst, I have to place some of the blame at the door of the Cleveland police, not that they are different from any other police department in the U.S.  Police are trained to catch criminals – that is their reason for being.   But it seems that, increasingly, in crimes where women go missing, even a 16-year-old, the search for them never really gets underway.  With no speeding car to chase, no easy suspicious person to detain, they stop looking.

Statistics say that about 2300 people go missing every day, over half are men, so that
leaves about 1000 females, and of these, about 70% are young women. so that easy math – about 700 A DAY! or 255,500 EVERY YEAR!

My point is just that the Cleveland Triple Abduction should be a wake up call for parents, citizens AND law enforcement to find a better way to search for these missing girls.

The world has changed – we have cameras, social media, facebook pages, and we need for all of these to be routinely used to find missing girls before we see another case exactly like this one.

 

 

Chemical Weapons – the True December 21st Potential Disaster

Posted on by
Reply

Maybe the Mayan Calendar has forecast a deadly chemical attack that would poison the world, not a pole shift after all.

Know much about chemical weapons?  They are semi-easily dispersed. They can decimate a population in the time it takes a plane to fly overhead.  They are gruesome death.

The U.S. actually keeps track of all chemical weapons – and biologic weapons, too.  Did you know that inspectors all over the world fan out when a nation state fails (and sometime before) and can tell you exactly what it is and where it is kept.

My friends in this business have traveled all over the former Soviet Union, counting the anthrax vials in a deserted laboratory in the middle of a forest, for example, and making careful notes, not just on the location of the now-deserted laboratory, but also checking the state of security for those sites.

Is the facility secured? Is there a guard service?  Are there card access or cypher locks on the doors?  Are the windows locked and secured?  Is there access from the roof?

Is there a tree too close to the roof that could be used for access?

All these plans and assessments can be hauled out at times like these, helping to keep the world safe from chemical and biological weapons.  At least, that’s what we are all hoping, and counting on.

Happy Saturday!!

17-year old imposter does CPR on patient in Kissimee, FL

Posted on by
Reply

Security measures in place are being questioned in Kissimmee, Florida at Osceola Regional Medical Center after clerk passes as a physicians assistant!

Hospital security procedures, including staff screening practices at Osceola Regional Medical Center, are getting a second look after a 17-year-old passed himself off as a physician’s assistant and took part in several exams and procedures, including doing CPR on a patient. The Orlando Sentinel reported that hospital management is reviewing its practices to ensure a similar incident doesn’t occur. The youth was able to secure a hospital ID badge from the human resources department by claiming to need a new one because the surgical practice at which he worked had changed names. In fact, the youth was employed part time as a billing clerk at a doctor’s office. When confronted by staff, the youth said he was working undercover for the sheriff’s department, so they would be unable to check his employment records

Man Makes Meth in his Car in Hospital Parking Lot

Posted on by
Reply

Hospital security cameras showed that a
33-year-old man was making meth in his car in the facility’s
parking lot before the vehicle became engulfed in flames.
The man was burned over 80 percent of his body and
later died of his injuries. The car, which was in the Horizon
Medical Center lot, was captured on security video that
showed the man mixing ingredients just before there was
fireball inside the car. A sheriff’s office detective working
security at Horizon requested assistance to put out the fire.
In examining the site, he noticed canisters and other possible
drug-related items in the car and called the drug task force,
according to news accounts

Severe Tornados and Why We Need to Stay Prepared

Posted on by
Reply

The damage and destruction from the path of a tornado is incredible – and only matched by the sad stories of the survivors, if they are lucky enough to survive.

If there’s one thing that social media has improved – it is the ability of an individual in an affected area to get detailed updated by the minute on a smartphone or over the internet.

The old early warning systems were set up for radio, that was in the days when everyone listened to radios.   I do listen to the radio for maybe 5 minutes a day, in the car, just long enough to put in the CD or connect my ipod.   So the Twitter accounts and iphone-smartphone apps from CNN, the National Weather Service, Weatherbug and dozens more really help to keep people informed.

I often hear news anchors lament the over-availability of information these days, but I think the more access we get to this kind of information and other kinds of info is absolutely a wonderful thing for society and for most people!

If you do live in a tornado-, hurricane- or other disaster-likely area, the Weatherbug app is one of the best because you can set it to actually chirp if severe weather threatens.

As far as risk reduction – being able to protect yourself against major weather events is one of the threats you can more easily eliminate or at least manage.

Are there mor

“Although the average number of April tornadoes steadily increased from 74 a year in the 1950s to 163 a year in the 2000s, nearly all of the increase is of the least powerful tornadoes that may touch down briefly without causing much damage. That suggests better reporting is largely responsible for the increase.

There are, on average, 1,300 tornadoes each year in the United States, which have caused an average of 65 deaths annually in recent years.

The number of tornadoes rated from EF1 to EF5 on the enhanced Fujita scale, used to measure tornado strength, has stayed relatively constant for the past half century at about 500 annually. But in that time the number of confirmed EF0 tornadoes has steadily increased to more than 800 a year from less than 100 a year, said Harold Brooks, a research meteorologist at the National Severe Storms Laboratory. ”

 

 

Use A Data-Driven Security Program to Transform Organization Security

Posted on by
Reply

Data-Driven Security

How to Target, Focus and Prioritize
The Security Program

  by Caroline Ramsey-Hamilton

Management has to have Metrics

Management of a security program is no different than management of cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved. Historically, however, security has been run by a few unique professionals, perhaps with a military or law enforcement background and the security program has existed in a vacuum, with few ways to measure it’s effectiveness and value to the organization, except to list what hasn’t happened!

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization. Many security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs.

Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Very recent improvements in security technology, camera technology and its integration with computer networks and information security has allowed a massive amount of data to be collected.  Everything from digital images, to incident reporting and tracking, and even internet-based reporting of technical vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be improved or implemented, based on their return on investment.

Security has never been more important to the organization. Many court cases recently have been decided on the basis of whether the organization was using ‘due care’ and utilizing every ‘reasonable’ security precaution. Existence of adequate security has become very important in premises liability cases and will likely become equally important in future litigation.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls. Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1. Determining the value of the assets of the organization, including the facilities, the personnel, products, production facilities, raw materials, transportation, vehicles, information technology equipment, data and information. In additional to quantifying present day replacement value, the sensitivity of various information assets and a determination of their criticality to the main mission of the organization must be determined.

2. Analyzing the Threat Level affecting the organization, including analyzing of incident report logs which would indicate how many potential intrusions have been attempted, as well as an analysis of physical intrusion indicators, such as missing badges, any security incidents, and any indications of industrial espionage which have been reported, either at the facility under review, or at any of the organization’s other facilities. Industry data on intrusions in similar companies or analogous agencies is also very helpful in determining threat level.

Many companies now use reports which quantify threat data, including statistics on criminal activity by exact location, by zip code (such as the Uniform Crime Index) as well as many information sources of weather data, such as NOAA (U.S. National Oceanographic and Atmospheric Administration, various international associations and government agencies.

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the receptionist to the CEO.  To ascertain the weaknesses in the way the employees comply with security, there are new electronic survey tools,( like Risk Watch®)  which measures security compliance against published standards such as FEMA 426, (How to Protect Buildings Against Terrorist Attacks). control standards.  New regulations, like Joint Commission, Behavioral Health and Workplace Violence (OSHA 3148) require such compliance-based
baseline assessment surveys.

4. Identifying potential categories of loss, which would include components like direct losses (damage/destruction), injury or death to either staff or patients/customers/vendors; theft of property or product,  theft of data/information,  and loss of an organization’s reputation. These loss categories are used to quantify the effect of threats on the organization because you can estimate the loss impact on various functions of the organization.

5. Safeguards (Controls) include all the possible controls that could protect an organization either by reducing the likely of a threat occurring, or reducing the amount of damage that the organization sustains from a threat that materializes. Controls are quantified by:

a. Life Cycle of the Control – How Long They are Good for.

b. Cost to Implement the Control to 100% in the organization

c. Indication of the percentage that the control is already implemented in the organization

By accumulating data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls.

Advantages of a Data-Driven Security Program

The primary advantage of a data driven security program is that it provides support for the security function within the organization by being able to illustrate directly how security not only protects the organizational assets, but also, how the security profile changes over time.

In addition, it becomes possible to benchmark the various plants and facilities against themselves, and against both domestic and international standards, including military standards for the Defense Industrial Base. For example, if a multinational company with facilities and networks around the world can analyze their security based on the principle of a data-driven security program, then they can instantly identify the areas or facilities that have problems and address them much more quickly and effectively than they could if they were depending on a fuzzy, quantitative assessment method. When an organization makes the decision to adopted a more disciplined approach to analyzing security risk, they must also use all the other typical management functions such as planning, development of a budget and incorporation of the plan into the organization’s overall planning.

After the initial baseline risk assessment, and using the input from the analysis, the organization can began to develop implementation strategies to address the vulnerabilities identified in the assessment. As each vulnerability is addressed, cost-effective mitigation strategies can be put in place.

At the same time,  the security plans and policies can be measured so that policy changes can be made, if necessary, or training and awareness programs can focus in the areas that need reinforcement with the organization.

The Security director, using his already established budget and implementation timelines for each safeguard, can then manage the improvements, using either internal staff or he can make the decision to outsource the additional controls (or their implementation).

These improvements can be tracked themselves, to establish how effective they are in their individual tasks, and also can be periodically re-assessed to see how the organization’s total security profile has improved.

The first benefits from a data driven security program emerge during this implementation phase because not only can you measure how much more effective the new security configurations are, but there is an additional value-added component of
re-acquainting the employees with the security program and increasing awareness across the organization.

To ensure continued value in the program, collection mechanisms such as automated incident response, threat reporting and vulnerability reviews must be automated. There are new security software programs that evaluate and analyze these types of data and can dramatically increase the effectiveness of a data-driven security program.

This type of data-driven security program creates a security program that becomes a baseline for management to quickly assess the security profile of the entire organization.  It makes it easier to provide a safe, and secure workplace for both management and employees, and may decrease the possibility of a workplace violence incident, theft or domestic or international terrorist attack.

This data-based concept of risk management creates a bridge between executive management and the security professionals in the organization who now have an avenue for open communication, discussion and consideration of the role of security throughout the organization.

 

About the Author

Caroline Ramsey-Hamilton is the founder of Risk Watch International, and a leading security risk assessment expert.  She was a Charter member of the National Institute of Standards and Technology’s Risk Management Model Builders Workshop from 1988 to 1995.  From 1996-1998, she served on the working group to create a Defensive Information Warfare Risk Management Model,  (DIWRM2) under the auspices of the Office of the Secretary of Defense.  She was also a member of the National Security Agency’s Risk Rating Workshop and the IBM Data Governance Working Group to create a Data Governance model for the nation’s largest banks.

She has developed specialized risk assessment programs for HIPAA, Information Security, FFIEC, GLBA, Sarbanes Oxley, and corporate security programs including working with The Clearinghouse, large investment banks, the Federal Reserve and a variety of other Federal agencies on Risk Assessment guidelines.   In addition, she is a member of the ASIS Physical Security Council, SARMA( the Security Risk Management Association) based inWashington, D.C.  Ms. Ramsey-Hamilton is certified in Homeland Security and Anti-Terrorism and recently received a lifetime achievement award from the Anti-Terrorism Accreditation Board and the Maritime Security Council.

Hamilton works around the world on critical risk issues including a new set of risk assessment guidelines for the Nuclear Regulatory Commission, a risk model for airport security and a risk model for medication error with Philadelphia Children’s Hospital.

She has completed Risk Assessments for over twenty-five U.S. government agencies including the Department of Defense, the Technical Support Working Group, and the Nuclear Regulatory Commission, and many healthcare organizations including Cleveland Clinic, HCA, Sheikh Khalifa Medical City, the University of Miami Medical Center and many more.  She has written several books and articles over twenty-five different publications.

www.caroline-hamilton.com

caroline.r.hamilton@gmail.com

 

 

TWEET: http://twitter.com/riskalert

Data-Driven Security – Using Metrics to Focus & Target Security Programs

Posted on by
Reply

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure
and quantify security, always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime reports. 

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing current Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.