Risk Management and Disaster Recovery Planning

This article was recently featured by SecurityInfoWatch on June 13, 2013.

Natural Disasters and Contingency Planning (June 12, 2013)

Last month, powerful tornadoes ripped through Oklahoma over a 12-day period, leveling buildings and killing more than 40 people in the process. Among the victims were 10 children, seven of whom were killed when a twister struck an elementary school in the Oklahoma City suburb of Moore. Last fall, Superstorm Sandy struck the northeastern U.S., destroying numerous homes and businesses. The storm also knocked out power and communications for thousands of residents in the region.

The damage left behind in the aftermath of these acts of nature reinforces the need for organizations to incorporate comprehensive natural disaster management policies and procedures in their business continuity plans. Oftentimes, however, security managers become so bogged down in the minutiae of everyday operations that their enterprise risk management plans are neglected, rarely ever being updated or practiced.

According to Caroline Hamilton, President of Fort Lauderdale-based security consulting firm Risk and Security, LLC, natural disaster planning should be a part of every organization’s risk assessment regardless of its industry or location.

“Natural disasters are part of what you examine when you’re doing any kind of risk assessment on a business, enterprise or facility.  It’s a whole category by itself and that includes hurricanes, tornadoes or tsunamis, but it can also be simple things like flooding or chemical leaks or spills that occur in a major city,” said Hamilton.


“When I go in to do an assessment of an organization, the first thing I look at are the controls that they already have in place. These controls are important. They are as important as the threat analysis because the control is going to show you how to mitigate that threat – either how to reduce it or eliminate it so it doesn’t happen at all. Disaster planning is probably about 25 percent of what you do and making sure you can recover no matter what happens is really, really critical.”


Hamilton says one of the most frequent issues she sees in organizations is incomplete risk management and contingency plans. “That happens quite often.  Companies have good intentions and they start these plans, but they don’t finish them because they get sidetracked by some other operational or security issue,” said Hamilton. “You have to be disciplined enough to go back and finish them.”


The plans need to be updated and/or revised every year at minimum, according to Hamilton, who also recommends performing drills at least twice a year. Drills for natural disasters can also reap benefits for planning and preparing for other types of emergency events. “Something that people don’t normally associate at all with a natural disaster would be an active shooter situation,” said Hamilton. “But I was just at a conference where local police and DHS were there talking about how to deal with active shooters and they said having these evacuation drills and things that you do for a disaster or emergency drill in case of a fire, chemical spill or whatever, that those evacuation drills are very useful in an active shooter scenario too.

A lot of security managers think, ‘active shooter, we’re going to lock down the whole facility tight.’ Police and DHS are saying exactly the opposite in that they want to open it up completely because they want as many people as possible to exit out of that building. People remember what they practice.”

Michael Crocker, president of Houston-based security consulting firm Michael Crocker, CPP & Associates, Inc., says that organizations also need to have someone from the outside review and validate crisis management plans. “I think it is really important to be peer-reviewed,” he says. “If your subject matter experts are in-house, you need someone out of the house to look at it and validate it.”

Crocker agrees that business continuity plans should be reviewed frequently and that if there isn’t a third party making an organization review them on a regular basis, then there needs to be someone within the organization who can be a “champion” for that purpose. “The plans need to be table-topped regularly. Ideally every quarter; you need to update the plans based on new business circumstances,” Crocker said.

Organizations also need to consider the implications for their workforce in the aftermath of a natural disaster. “When you look at a large-scale organization, just generically speaking, people are a key resource that you need to plan for,” says Crocker. “What happens if certain members of your leadership are unavailable? How do you replicate that part of the decision making process and how do you amend it with outside staff or people from other divisions in the company that can fill in during a crisis?”

Crocker says it is also important for small and mid-sized businesses to think about how they’re going to maintain and store their records, which can be critical to an organization’s recovery efforts. “At a smaller scale organization, you need to be able to have key records replicated somewhere else,” he says. “Have your records in the cloud, in a server farm or at an offsite location where if there was damage to your structure, you don’t lose your business records. Most businesses that lose their records fail within 12 months.”


Following the 2010 oil spill in the Gulf of Mexico, Crocker said many businesses were unable to recoup losses from BP because they couldn’t document their revenue from the previous year.   

Because communications are commonly knocked out during natural disasters, experts say it’s also important to consider how communications infrastructure for your organization will be fortified during one of these events, which could extend as far as having an alternate site where operations can be maintained.

“From a technological point of view, I think you need to be able to manage the documents, records and communications for an organization that’s been hit by a natural disaster,” says Crocker. “How are you going to direct the calls? Who’s going to answer those calls? When billings and business communications come in, where are they now going to go and who’s going to respond to them? And then there is the ever-important IT infrastructure and how are you going to provide the survivors or replacement or outsourced personnel for business continuity access to the IT system?”

Aside from the security director, Hamilton says others who need to be included in the business continuity/risk management planning process are the facilities manager, followed by someone in operations and possibly human resources.

“Of course it depends on the type of organization it is,” she explained. “If it is a production plant, whether they are producing Winnie the Pooh dolls or electricity, whoever is in charge of plant production should be involved. If they are in healthcare, they’re going to need someone on the clinical staff who is going to be involved in the process. At a larger company, oftentimes there will be an emergency manager who is designated that is going to come in and help with this planning process. And it is not just a planning process, it is an ongoing process with a life of its own, so it’s planning, doing emergency drills and it’s making sure that when there is a change in something, that it ripples through to the plans.”

Overall, Hamilton doesn’t believe that most organizations are very well prepared for disasters, which is all the more reason why events like the Oklahoma tornadoes and Superstorm Sandy should serve as an impetus to develop and practice business continuity plans.


“It is very unusual for me to go anywhere and find that they have a 100 percent completed plan in place that’s been practiced and is updated,” says Hamilton. “I think the reason for that partly is that we just came out of a recession and so I think that is one of the things that go when things get tight… but now is the time to get back to it and just realize that it is part of your responsibility to safeguard a corporation or business by having complete contingency and disaster planning in place.”  

For more about Risk and Disaster Planning, go to www.riskandsecurityllc.com.

Collecting, Mining & Valuing Your Personal Data is Just part of the Information Age!

Last week, the media went crazy reporting on the NSA’s collection of phone data on individuals calling foreign countries.  But, to me, that’s not so bad, because whether you’re aware of it or not, most of the companies you do business with every day are collecting lots of data about you, including:

How many children you have
Your Job Title
How much yogurt you buy every week
Whether you have health insurance
What music you like
Your age
Whether you have a dog or cat

For example, every time you go to the grocery store, you pull out your frequent buyer card and hand it over to the cashier. Did you know that by using that card, you allow the grocery store to gather all your personal information about what kind of food you like, whether you use coupons, how much milk you drink every week? And then they look at that data, analyze it, and use it to send you new offers, or even to customize your cash register receipt?

That’s why I don’t use a grocery card!

If you ever buy anything online, those companies also gather and use all your information. They put data together and decide whether they should make more size 12 or size 14 dresses for every county and state in the USA. They even set their prices partially based on what you were willing to pay last month.

Same for the airline companies, rental car, and hotel companies. Last February, I traveled a lot and stayed in hotels about 15 days over a 5 week period. So now I am still getting dozens of online offers for hotel rooms.

I’m not saying this is bad, or that it’s good. It doesn’t bother me, as long as I keep the number of promotional emails at a manageable level, but it is just a little taste of what the future holds, as we will be tracked, matched, aggregated and defined by the data that’s collected on everyone in the future.

Let’s not get so tough on NSA, unless you’re also willing to go after WalMart, Giant Foods, Publix, Safeway, Albertson’s, Amazon, Priceline, Macy’s, Barnes and Noble, and hundreds more!


The Active Shooter Threat – What’s the Right Response? Run Out or Lock Down?

I got to sit in on a security group discussion yesterday. It included both security directors and local law enforcement, and it was interesting to see how both groups approached the active shooter scenario differently. Which way is the best? Is there a best?

For law enforcement officers at the state, city and county levels, they want all doors to be unlocked so that all the occupants of a facility, or a hospital, can get out and run for safety as quickly as possible. They say that means more people will survive, not get shot, and it works with the natural human reaction to run away from danger.

Some of the active shooter experts in the room said that active shooter situations should be treated like fire drills, because people are used to fire drills, and they know what to do, because they practice fire drills more frequently than active shooter drills.

For the Security Directors, especially of hospitals, they wanted to be able to lock down if there was an active shooter call in their facility.  They felt that there were problems in evacuating quickly, and some were concerned about leaving bed-ridden patients behind while the clinical staff run out of the building.  So they advocated locking down all doors instantly.

While the heated discussion continued for almost three hours – at the end there was no “BEST” solution. Each Security Director or Manager will have to decide for themselves which approach is right for their organization. The important thing is to think it through in advance, prepare people in advance, and take advantage of the great materials that are available to help organizations prepare.

Get more information including videos, training materials, on line courses and more at
http://www.dhs.gov/active-shooter-preparedness.

3 Cleveland Women -The New Front Line of the War on Women

For the past 4 days, media attention has been focused on the three Cleveland girls who were abducted close to their homes and kept as prisoners in an old run-down house with neighbors on all sides.

NOW, neighbors tell how they broke down the door to free the women, the little 6-year old girl who came out with them, presumably the child of their abductor, and stories of screams coming from the house over the LAST TEN YEARS.

Besides the obvious curiosity about how they are, how this happened, how they were subdued for so long, and all the salient details, my question is WHY DID THIS HAPPEN, AND WHAT DO WE NEED TO CHANGE TO MAKE SURE IT NEVER HAPPENS AGAIN!

As a security analyst, I have to place some of the blame at the door of the Cleveland police, not that they are different from any other police department in the U.S.  Police are trained to catch criminals – that is their reason for being.   But it seems that, increasingly, in crimes where women go missing, even a 16-year-old, the search for them never really gets underway.  With no speeding car to chase, no easy suspicious person to detain, they stop looking.

Statistics say that about 2300 people go missing every day, over half are men, so that leaves about 1000 females, and of these, about 70% are young women, so that’s easy math – about 700 A DAY! or 255,500 EVERY YEAR!

My point is just that the Cleveland Triple Abduction should be a wake-up call for parents, citizens AND law enforcement to find a better way to search for these missing girls.

The world has changed – we have cameras, social media, Facebook pages, and we need for all of these to be routinely used to find missing girls before we see another case exactly like this one.


Why DHS & FBI Need Google’s Help to Track Terrorists

The Boston Marathon bombings were bad enough.  The loss of life was terrible, but the runners and their families who lost legs and feet because they wanted to give their Dad a hug at the finish line were worse.

One week later, we all watch with trepidation as the first bomber is killed and the second captured bleeding in a boat in Watertown.

THE MOST TERRIBLE NEWS OF ALL IS THAT IT MIGHT HAVE BEEN PREVENTED!!  This is EXACTLY the situation that DHS was supposed to catch.  This is EXACTLY why the agencies were ORDERED to share information, and still these guys can tweet all they want, show violent Islamic videos on their web sites and call for Jihad and NOBODY NOTICES!!

This is made even more incomprehensible because the U.S. government was ALERTED BY THE RUSSIANS that one of them was DANGEROUS.

What do we need to do to get these agencies to start paying attention to these potential terrorists? DO WE NEED TO MAKE THEM WEAR A RED SHIRT?

If the IRS can keep track of every American and in 2 minutes call up their entire history of taxes, and the Department of Labor can calculate your benefit rates in less than 1 minute, and Social Security keep track of all your information – why can’t DHS and the FBI  keep a contact database current?

Why can’t they have a person who scans these web sites and Facebook sites for Jihadist pages and then cross-references them with the site’s owner? Why can’t a trip to a violent region of the world trigger a PING, as I heard one congressman call it?

Every company in the world has a simple Contact database on their own customers and suppliers that gives them years of data. WHY CAN’T WE BE PROTECTED FROM THESE TERRORISTS?

This one wasn’t hiding in the shadows – he was ON SOCIAL MEDIA!   He wasn’t locked up in a cabin – he was traveling internationally,   his brother was getting a scholarship.  And they did this FOR YEARS!!

This intelligence failure is just exactly like 9/11 all over again.  These agencies are so procedural that they cannot connect the dots.  Ok – they’re human. But we have super computers that CAN connect the dots and do profiles and create alerts…

Maybe we should call Google and get some help.  We obviously need it.

Wondering Which Security Controls Offer the Highest Protection for the Least Money?

Or, put another way – how to get the Best Bang for the Buck with security.

Security Controls can be incredibly cost effective or astronomically expensive.  And when you’re faced with a facility or a school campus, or a system that has to be secured, but you also have a budget to keep in mind – what do you do?

The simple answer is ROI – Return on Investment. This simple calculation compares the Cost of the Proposed Control to the Protection it Provides, and that creates the magic ROI Number.

Here’s an example: A hospital near the New Jersey shore wants to create a new emergency ops center. They have the space, but it would cost about $250,000 to build it out. Here’s what we look at – how often would they use an emergency ops center?

Threat data shows that they would need to use it about 3-6 times a year, including severe storms, thunderstorms and hurricanes.

Operations Center (OPS)

(After Hurricane Sandy, the hospital was closed for two days because they were not able to resume service right away.  As a result, the hospital lost about $2,000,000 per day because it could not bill for any services, none could be provided.)

So we take that lost $2,000,000 per day and say that if we could keep the facility open because we had a better operational center, we could easily save 2 days of revenue, which is $4,000,000 for the 2 days. If it costs us only $250,000 and saves us $4,000,000, that’s a Return on Investment of SIXTEEN to ONE, 16:1.

Say it saved us 3 days of revenue a year - that’s a ROI of TWENTY-FOUR to ONE, 24:1!

You can get more info by writing to me directly at caroline@riskandsecurityllc.com and requesting a webinar invitation, or a copy of the video.


Why Giving Oscar Pistorius Bail Today in a South African Court is another blow against Women

Violence, assault, battery, and homicide are always more of a problem for women than for men.

Statistics show that men are more likely to BE VIOLENT, and more apt to be aggressive toward women.  Because men are the world’s power brokers, and sometimes they try to use that power to dominate the women that they imagine they should be able to control.

The term War On Women is accurate, if you review the facts, and also the sensational details. Scott Peterson’s murder of his 9-month pregnant wife carrying his unborn son, Connor, and just yesterday, Drew Peterson sentenced for the murder of his 3rd wife, while wife number 4, Stacy, has been missing since 2007.

Remember  Josh and Susan Powell?   Josh, who killed both his young sons and himself, even though he was never convicted of Susan’s disappearance.  And the terrible thing about these high profile crimes is these women were attacked and killed at their most vulnerable, by someone who, at least, initially, loved them.

Even worse, in countries like South Africa, or India, rape is something that happens many times every day.  And the rich white guys aren’t the only perps.  It’s angry people — no matter how much money they have, where they live, or what their backgrounds are, or their education level.

Certain men seem to regard women as their possessions, like their dogs, or their household help, and so they feel free to abuse them, kick them, break their arms, intimidate them, control them, and if the woman tries to fight back, she is often killed.

No matter how rich Oscar Pistorius is, how great he is for overcoming such a profound handicap, how many medals he won, he, like OJ Simpson, will now be judged for losing his temper and murdering a beautiful young model – who loved him!

And obviously, the Magistrate didn’t agree, because if he did – he would never have granted him bail.


How long does it take for OSHA to develop standards – like for Workplace Violence?

Why OSHA standards take so long to develop

The Government Accountability Office reports to Congress on items of interest to Congress and their constituents. One area that was recently examined was how long it takes OSHA to update standards, or develop new standards. Here’s a look at the results:

By: David LaHoda, April 30th, 2012

A report by the U.S. Government Accountability Office (GAO) on why OSHA standards take, on average, more than seven years to complete found that “increased procedural requirements, shifting priorities, and a rigorous standard of judicial review” contributed to the lengthy time frame.

In responding to the GAO report, Randy Rabinowitz, OMB Watch’s director of regulatory policy, said: “In the years since its creation, OSHA’s charge to protect workers from harm has been undermined by Kafkaesque demands for additional reviews of existing rules mandated by new statutes and executive orders,” according to The Hill. OSHA’s internal inability to remain focused on priorities and regulatory follow-through was the counter-argument presented by the U.S. Chamber of Commerce.

“While some of the changes, such as improving coordination with other agencies to leverage expertise, are within OSHA’s authority, others call for significant procedural changes that would require amending existing laws,” according to the GAO report.

The GAO report recommended that OSHA and NIOSH improve collaboration on researching occupational hazards. In that way OSHA could better “leverage NIOSH expertise in determining the needs for new standards and developing them.”

For the entire 55-page report go to http://www.gao.gov/products/GAO-12-330

Use A Data-Driven Security Program to Transform Organization Security

Data-Driven Security: How to Target, Focus and Prioritize the Security Program

by Caroline Ramsey-Hamilton

Management has to have Metrics

Management of a security program is no different than management of cash flow, employee productivity, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved. Historically, however, security has been run by a few unique professionals, perhaps with a military or law enforcement background, and the security program has existed in a vacuum, with few ways to measure its effectiveness and value to the organization, except to list what hasn’t happened!

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization. Many security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs.

Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Recent improvements in security technology and camera technology, and their integration with computer networks and information security, have allowed a massive amount of data to be collected. Everything from digital images, to incident reporting and tracking, and even internet-based reporting of technical vulnerabilities, allows management metrics to be applied to the security program: to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be improved or implemented, based on their return on investment.

Security has never been more important to the organization. Many court cases recently have been decided on the basis of whether the organization was using ‘due care’ and utilizing every ‘reasonable’ security precaution. Existence of adequate security has become very important in premises liability cases and will likely become equally important in future litigation.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls. Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1. Determining the value of the assets of the organization, including the facilities, the personnel, products, production facilities, raw materials, transportation, vehicles, information technology equipment, data and information. In addition to quantifying present day replacement value, the sensitivity of various information assets and their criticality to the main mission of the organization must be determined.

2. Analyzing the Threat Level affecting the organization, including analysis of incident report logs which would indicate how many potential intrusions have been attempted, as well as an analysis of physical intrusion indicators, such as missing badges, any security incidents, and any indications of industrial espionage which have been reported, either at the facility under review, or at any of the organization’s other facilities. Industry data on intrusions in similar companies or analogous agencies is also very helpful in determining threat level.

Many companies now use reports which quantify threat data, including statistics on criminal activity by exact location or by zip code (such as the Uniform Crime Index), as well as many sources of weather data, such as NOAA (the U.S. National Oceanic and Atmospheric Administration), various international associations and government agencies.

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the receptionist to the CEO. To ascertain the weaknesses in the way the employees comply with security, there are new electronic survey tools (like Risk Watch®) which measure security compliance against published control standards such as FEMA 426 (How to Protect Buildings Against Terrorist Attacks). New regulations, like Joint Commission, Behavioral Health and Workplace Violence (OSHA 3148), require such compliance-based baseline assessment surveys.

4. Identifying potential categories of loss, which would include components like direct losses (damage/destruction), injury or death to either staff or patients/customers/vendors; theft of property or product,  theft of data/information,  and loss of an organization’s reputation. These loss categories are used to quantify the effect of threats on the organization because you can estimate the loss impact on various functions of the organization.

5. Safeguards (Controls) include all the possible controls that could protect an organization either by reducing the likelihood of a threat occurring, or reducing the amount of damage that the organization sustains from a threat that materializes. Controls are quantified by:

a. Life Cycle of the Control – how long it is good for.

b. Cost to Implement the Control to 100% in the organization

c. Indication of the percentage that the control is already implemented in the organization

By accumulating data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls.
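The scenario-pairing step above, and the ROI arithmetic from the emergency ops center post earlier on this page, as one added worked example (not code from the original article or from Risk Watch): each Scenario carries the asset value, threat frequency, vulnerability and loss category (categories 1-4), each Control carries the three quantities listed under category 5 plus an assumed effectiveness figure, and the functions score controls by ROI and allocate a budget. All scenario and control values are constructed sample data; only the $2,000,000 per closed day and $250,000 build-out come from the page.

```python
"""Data-driven risk scenarios: pair threat with asset and vulnerability,
then rank controls by return on investment. Added example; all figures below
are constructed sample data except the hospital ops center numbers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat paired with the asset and loss category it affects."""
    name: str
    loss_category: str       # category 4: direct loss, injury, theft of data, reputation ...
    loss_per_event: float    # dollars lost per successful event, from category 1 asset values
    annual_frequency: float  # category 2: expected events per year (incident logs, NOAA, crime data)
    vulnerability: float     # category 3: probability 0..1 that an event actually causes the loss

    def annual_loss_expectancy(self) -> float:
        return self.annual_frequency * self.vulnerability * self.loss_per_event


@dataclass(frozen=True)
class Control:
    """A safeguard quantified as in category 5 (a, b, c) plus an assumed effectiveness."""
    name: str
    life_cycle_years: float  # 5a: how long the control stays good for
    cost_to_full: float      # 5b: cost to implement the control to 100%
    pct_implemented: float   # 5c: share 0..1 already in place
    effectiveness: float     # assumption: share 0..1 of the loss avoided once fully implemented

    def remaining_cost(self) -> float:
        """Only the part not yet implemented still has to be paid for."""
        return self.cost_to_full * (1.0 - self.pct_implemented)

    def marginal_protection(self) -> float:
        """Share of the loss that finishing the implementation newly avoids."""
        return self.effectiveness * (1.0 - self.pct_implemented)


def roi_per_event(scenario: Scenario, control: Control) -> float:
    """The ROI post's arithmetic: loss avoided in one event divided by the control's cost."""
    avoided = scenario.loss_per_event * control.marginal_protection()
    return avoided / control.remaining_cost()


def roi_over_life_cycle(scenario: Scenario, control: Control) -> float:
    """Annualized view: expected loss avoided over the control's life cycle per dollar spent."""
    avoided_per_year = scenario.annual_loss_expectancy() * control.marginal_protection()
    return avoided_per_year * control.life_cycle_years / control.remaining_cost()


def rank_controls(pairs):
    """Return (control name, life-cycle ROI) tuples, highest ROI first."""
    scored = [(c.name, roi_over_life_cycle(s, c)) for s, c in pairs]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def fund_within_budget(pairs, budget: float):
    """Greedy allocation: fund the highest-ROI controls whose remaining cost still fits.
    Assumes each control appears in exactly one (scenario, control) pair."""
    by_roi = sorted(pairs, key=lambda sc: roi_over_life_cycle(*sc), reverse=True)
    funded, left = [], float(budget)
    for _, control in by_roi:
        if control.remaining_cost() <= left:
            funded.append(control.name)
            left -= control.remaining_cost()
    return funded, left


# Constructed sample data. The hospital figures ($2,000,000 of unbillable revenue per
# closed day, $250,000 to build the ops center) are the ones quoted on this page.
DAILY_BILLING = 2_000_000

STORM_CLOSURE = Scenario("Severe storm closes the facility for 2 days", "direct loss",
                         2 * DAILY_BILLING, annual_frequency=0.5, vulnerability=1.0)
RECORDS_LOSS = Scenario("Flood destroys on-site business records", "loss of data",
                        500_000, annual_frequency=0.25, vulnerability=0.8)
VIOLENCE = Scenario("Workplace violence injury in the lobby", "injury",
                    1_200_000, annual_frequency=0.1, vulnerability=0.5)

OPS_CENTER = Control("Emergency operations center", 10, 250_000, 0.0, 1.0)
OFFSITE_RECORDS = Control("Offsite record replication", 4, 20_000, 0.25, 0.9)
VISITOR_SCREENING = Control("Lobby visitor screening", 5, 120_000, 0.5, 0.6)

PAIRS = [(STORM_CLOSURE, OPS_CENTER),
         (RECORDS_LOSS, OFFSITE_RECORDS),
         (VIOLENCE, VISITOR_SCREENING)]

if __name__ == "__main__":
    # The page's 2-day closure gives 16:1; the per-event figure below reproduces it.
    print("ops center ROI per event:", roi_per_event(STORM_CLOSURE, OPS_CENTER))
    for name, roi in rank_controls(PAIRS):
        print(f"{name:32s} life-cycle ROI {roi:5.1f}:1")
    print("funded with $270,000:", fund_within_budget(PAIRS, 270_000))
```

Switching the storm scenario to a 3-day closure gives the page's 24:1 figure, and the life-cycle ranking is what a security director would carry into the budget discussion.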

Advantages of a Data-Driven Security Program

The primary advantage of a data driven security program is that it provides support for the security function within the organization by being able to illustrate directly how security not only protects the organizational assets, but also, how the security profile changes over time.

In addition, it becomes possible to benchmark the various plants and facilities against each other, and against both domestic and international standards, including military standards for the Defense Industrial Base. For example, if a multinational company with facilities and networks around the world can analyze its security based on the principle of a data-driven security program, then it can instantly identify the areas or facilities that have problems and address them much more quickly and effectively than it could if it were depending on a fuzzy, qualitative assessment method. When an organization makes the decision to adopt a more disciplined approach to analyzing security risk, it must also use all the other typical management functions such as planning, development of a budget and incorporation of the plan into the organization’s overall planning.

After the initial baseline risk assessment, and using the input from the analysis, the organization can begin to develop implementation strategies to address the vulnerabilities identified in the assessment. As each vulnerability is addressed, cost-effective mitigation strategies can be put in place.

At the same time, the security plans and policies can be measured so that policy changes can be made, if necessary, or training and awareness programs can focus on the areas that need reinforcement within the organization.

The security director, using the already established budget and implementation timelines for each safeguard, can then manage the improvements, either with internal staff or by deciding to outsource the additional controls (or their implementation).

These improvements can be tracked themselves, to establish how effective they are in their individual tasks, and also can be periodically re-assessed to see how the organization’s total security profile has improved.

The first benefits from a data-driven security program emerge during this implementation phase because not only can you measure how much more effective the new security configurations are, but there is an additional value-added component of re-acquainting the employees with the security program and increasing awareness across the organization.

To ensure continued value in the program, collection mechanisms such as incident reporting, threat reporting and vulnerability reviews must be automated. There are new security software programs that evaluate and analyze these types of data and can dramatically increase the effectiveness of a data-driven security program.

This type of data-driven security program creates a security program that becomes a baseline for management to quickly assess the security profile of the entire organization.  It makes it easier to provide a safe, and secure workplace for both management and employees, and may decrease the possibility of a workplace violence incident, theft or domestic or international terrorist attack.

This data-based concept of risk management creates a bridge between executive management and the security professionals in the organization who now have an avenue for open communication, discussion and consideration of the role of security throughout the organization.


About the Author

Caroline Ramsey-Hamilton is the founder of Risk Watch International, and a leading security risk assessment expert.  She was a Charter member of the National Institute of Standards and Technology’s Risk Management Model Builders Workshop from 1988 to 1995.  From 1996-1998, she served on the working group to create a Defensive Information Warfare Risk Management Model,  (DIWRM2) under the auspices of the Office of the Secretary of Defense.  She was also a member of the National Security Agency’s Risk Rating Workshop and the IBM Data Governance Working Group to create a Data Governance model for the nation’s largest banks.

She has developed specialized risk assessment programs for HIPAA, Information Security, FFIEC, GLBA, Sarbanes-Oxley, and corporate security programs, including working with The Clearinghouse, large investment banks, the Federal Reserve and a variety of other Federal agencies on Risk Assessment guidelines. In addition, she is a member of the ASIS Physical Security Council and SARMA (the Security Risk Management Association) based in Washington, D.C. Ms. Ramsey-Hamilton is certified in Homeland Security and Anti-Terrorism and recently received a lifetime achievement award from the Anti-Terrorism Accreditation Board and the Maritime Security Council.

Hamilton works around the world on critical risk issues including a new set of risk assessment guidelines for the Nuclear Regulatory Commission, a risk model for airport security and a risk model for medication error with Philadelphia Children’s Hospital.

She has completed Risk Assessments for over twenty-five U.S. government agencies including the Department of Defense, the Technical Support Working Group, and the Nuclear Regulatory Commission, and many healthcare organizations including Cleveland Clinic, HCA, Sheikh Khalifa Medical City, the University of Miami Medical Center and many more. She has written several books and articles in over twenty-five different publications.

www.caroline-hamilton.com

caroline.r.hamilton@gmail.com
